Security professionals around the world invest a great deal of time and effort to improve their security posture. Regardless of the size or complexity of the organization, the resources poured into security controls, monitoring, and investigation are huge.
Defenders and architects are tasked with constantly reviewing, structuring, and creating secure solutions for the different projects and services within their organization, following the indicated best practices and overall security proposals to secure the organization as well as possible.
The attackers, meanwhile, are on the flip side of this coin. Coming with the aim of breaching the organization in any way possible, all they need is one misconfiguration, one control that is not well placed, or just one blind spot that was left open by the different defense stakeholders in order to gain momentum.
The attackers' problem is a lack of knowledge of how the attacked network works. A big part of the attack process is the attackers trying to understand where they “landed” and where to go from there. After “landing,” they must assess what to target and how to stay under the radar. To stay under the radar, attackers must adjust their tools and methods to the environment they find themselves in and to the security controls they face in that specific attack.
In some cases, red teamers enjoy the best of both worlds: they are internal attackers who are familiar with the network as well as some of its weaknesses. But an internal, dedicated, well-trained red team is not common in many organizations. Investing in training an attacker while there is still a lot of defensive work to do is not an easy task.
This begs the question: what exactly is the best solution to this common problem?
After trying many different methods, the best answer—at least from my perspective—is that the defender should put on different glasses: look at the other side of the coin and leverage the extensive internal knowledge already in your possession.
Using attack tools that are available to everyone as open source and are used by many attackers around the world can provide priceless information on your network, security controls, and general security posture. This lets you benefit from both the attackers' and the defenders' worlds: identify the gaps, understand the root causes, and mitigate the issues. A real all-in-one superhuman!
Let’s cover the main benefits you can gain by using the best-known tools:
BloodHound — the Silent Misconfiguration Killer
Active Directory and Azure Active Directory are widely used as organizations’ identity management platforms, and usually hold the keys to all the technical assets within the organization. Taking control of AD/AAD usually means “game over”: the attacker has won.
BloodHound’s biggest benefit stems from the complexity of Microsoft’s identity management features. There is so much room for error that even the most well-trained and capable team cannot cover every aspect when planning and maintaining the environment. BloodHound takes advantage of this, looking for routes and misconfigurations that lead attackers from different starting points to their end goal.
The added value a defender has over an attacker with this specific tool is familiarity with the network and its functionality. Defenders know their assets, can mark them for protection, and can eliminate the routes leading to them. In addition, as an “insider” to the organization, the defender has context behind the results—context the attacker won’t have. That context about the organization’s assets helps in prioritizing the findings.
BloodHound may overwhelm the “regular user” with information. The advantage therefore rests with the defender, who knows the network beforehand, can navigate the results far more easily, and benefits greatly from them.
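The “mark your assets, then find and cut the routes leading to them” workflow described above, as an added example that is not part of the original post and not BloodHound’s own code or data format. The graph is constructed: nodes are users, computers and groups, and the directed edges carry three of the relationship types BloodHound uses (MemberOf, AdminTo, and HasSession, where the computer holds the user’s logged-on session). The defender supplies the set of high-value assets, a breadth-first search finds the shortest control route from each starting point, and a count over the discovered routes shows which single edge removal breaks the most of them.

```python
"""Attack-path discovery over a small, constructed AD relationship graph.

Added example for defenders: mark the assets that matter, find which
starting points can reach them, and rank the edges whose removal cuts
the most routes. Not BloodHound's code; the graph and names are invented.
"""
from collections import deque

# Constructed relationships: (source, relationship, target).
# HasSession points from the computer to the user whose session it holds.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("WS01", "HasSession", "bob"),
    ("bob", "MemberOf", "Server Admins"),
    ("Server Admins", "AdminTo", "FS01"),
    ("FS01", "HasSession", "da_carol"),
    ("da_carol", "MemberOf", "Domain Admins"),
    ("dave", "MemberOf", "Finance"),
    ("Finance", "CanRDP", "FS01"),  # recorded, but this toy model does not traverse it
]

# Relationship types this model treats as giving control over the target node.
CONTROL_EDGES = {"MemberOf", "AdminTo", "HasSession"}


def build_graph(edges):
    """Adjacency list containing only the traversable (control) edges."""
    graph = {}
    for src, rel, dst in edges:
        if rel in CONTROL_EDGES:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, goal):
    """BFS from start; returns the hops as (node, rel, node) tuples, or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def paths_to_high_value(edges, starting_points, high_value):
    """Map (start, asset) -> shortest route for every reachable marked asset."""
    graph = build_graph(edges)
    found = {}
    for start in starting_points:
        for target in sorted(high_value):
            path = shortest_path(graph, start, target)
            if path is not None:
                found[(start, target)] = path
    return found


def choke_points(paths):
    """Edges ranked by how many discovered routes they sit on; the top edge is
    the cheapest fix, because removing it breaks the most routes."""
    counts = {}
    for hops in paths.values():
        for hop in hops:
            counts[hop] = counts.get(hop, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    high_value = {"Domain Admins", "FS01"}  # assets the defender marked
    found = paths_to_high_value(EDGES, ["alice", "dave"], high_value)
    for (start, target), hops in found.items():
        print(f"{start} -> {target}: " + " ; ".join(f"{s} -[{r}]-> {d}" for s, r, d in hops))
    for edge, n in choke_points(found):
        print(f"{n} route(s) depend on {edge}")
```

Run against a real export the defender would replace EDGES with the relationships pulled from the directory; the useful output for remediation is the choke-point list, since one group membership near the start of the route often accounts for every path found.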
Nmap/NetScan — as Simple as That
Aside from identity-driven attacks, another major focus for an attacker is network access. Attackers try to understand “where they landed” in the network and what they can reach next to damage the targeted organization or achieve their goal. To do this, they map the reachable assets, services, and other components in the network in order to move laterally.
In many cases, monitoring controls may alert an organization when a network scan is conducted, but a patient attacker will scan very slowly or use special methods to avoid detection. Mimicking regular communication behavior will also allow the attacker to avoid detection.
This is where the defenders come in. As insiders working in the organization day to day, they have a slight disadvantage: while they know what the architecture looks like and can review the firewall rules, the VLANs, and more, they do not see all the holes, misconfigurations, or blind spots. It is a misconception of the defender to think they know how their network is built and all of its intricacies. The outsider (attacker), meanwhile, is specifically honed to look for these holes. Looking for the blind spots and misconfigurations, comparing what is actually reachable against the planned communication matrices, and keeping up with the constant shifting of a “living” network is crucial for the security of the network.
Using simple tools such as Nmap and NetScan, defenders should look at their network from different perspectives and identify where they went wrong. Understanding that anyone makes mistakes and anyone can miss a hole is crucial. Once you understand that (and that the attacker is counting on it), you can start proactively securing your network.
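The comparison of a scan of your own network against the planned communication matrix, as an added example that is not part of the original post and not Nmap’s code. The XML is a constructed stand-in for what `nmap -oX` writes (it uses the same host/address/ports/port/state/service element names, trimmed to the attributes the script reads), and the planned matrix is a constructed allow-list of which services each host should expose. The output separates three kinds of finding a defender has to explain: hosts nobody planned for, open ports outside the plan, and planned services that were not seen.

```python
"""Diff an Nmap XML scan of your own network against the planned matrix.

Added example; not Nmap's code. SCAN_XML below is a constructed stand-in
for `nmap -oX scan.xml <range>` output, and PLANNED is a constructed
allow-list: host -> set of (protocol, port) that host should expose.
"""
import xml.etree.ElementTree as ET

SCAN_XML = """<nmaprun>
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.1.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.1.40" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed planned communication matrix.
PLANNED = {
    "10.0.1.10": {("tcp", 443)},          # web front end: HTTPS only
    "10.0.1.20": {("tcp", 445)},          # file server: SMB only
    "10.0.1.30": {("tcp", 53)},           # DNS server that should be up
}


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port), ...}} for hosts that are up; open ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hosts[ip] = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                hosts[ip].add((port.get("protocol"), int(port.get("portid"))))
    return hosts


def diff_against_plan(observed, planned):
    """Findings: unknown hosts, unexpected open ports, and planned services missing."""
    findings = {"unknown_hosts": [], "unexpected_open": [], "missing_planned": []}
    for ip, ports in sorted(observed.items()):
        if ip not in planned:
            findings["unknown_hosts"].append(ip)
            continue
        for extra in sorted(ports - planned[ip]):
            findings["unexpected_open"].append((ip, *extra))
        for missing in sorted(planned[ip] - ports):
            findings["missing_planned"].append((ip, *missing))
    # Planned hosts that never answered at all are also a finding (down, or
    # the scan could not reach them, which may itself be a gap in the plan).
    for ip in sorted(set(planned) - set(observed)):
        findings["missing_planned"].append((ip, "host", "not seen"))
    return findings


if __name__ == "__main__":
    result = diff_against_plan(parse_open_ports(SCAN_XML), PLANNED)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
```

Scanning from several vantage points (a user VLAN, a server VLAN, a guest segment) and diffing each result against the matrix for that segment is what turns the tool into the “different perspectives” the post recommends; a port that is open from the guest segment but planned only for the server segment is exactly the blind spot a firewall rule review tends to miss.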
ShareFinder — You Don’t Have to Attack in Order to Create Damage
Attackers have a goal. No one attacks for nothing.
To achieve their goals, attackers do not have to work hard, nor do they have to fully compromise the attacked network. Something as simple as a folder with sensitive files can give attackers the opportunity to have an enormous impact on the organization. Personal information, credit cards, client information, and company secrets are all examples of information held within the organization that may be a target for attackers. Information protection policies are written and deployed around the world, requested all the time by different auditors for different compliance regimes.
We all know that the reality is different. Even with policies and controls, it is very hard to “force” and enforce them on our users. Most people just want to do their jobs and don’t think about security much in their day-to-day work. In many cases, attackers look for data in file servers, other storage, network shares, and more. We want to find it before they do.
The attack framework PowerSploit offers the ability to do just that. The ShareFinder module, offered as part of PowerView, is used by many attackers to find open shares on the network and to map sensitive files in network shares, file servers, and more. Out of the box, the tool lets you search for a short set of keywords, including “password,” “secret,” etc.
The benefit a defender has over an attacker here is knowing which sensitive data to look for. Attackers will most likely not know what is supposed to be in a share or file server they found, or what to look for. Looking for the right keywords, in the right places, is the key to success (or failure, if an attacker does it before you…).
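The defender-side keyword search described above, as an added example that is not part of the original post and not PowerView’s ShareFinder or any of its code. It walks a directory tree (a mounted share in practice; a temporary folder of constructed files here), matches file names and text contents against a keyword list, and ranks hits by a weight the defender assigns, so that organisation-specific terms (the constructed codename “project-falcon” and “payroll” below) outrank the generic out-of-the-box ones. The hypothetical weights and sample files are assumptions made for the demonstration.

```python
"""Search your own shares for sensitive files before an attacker does.

Added example; not PowerView code. KEYWORDS mixes the generic terms
attackers search for with constructed organisation-specific ones, each
weighted by how sensitive the defender considers a hit to be.
"""
import os
import re
import shutil
import tempfile

KEYWORDS = {
    "password": 1, "secret": 1, "credential": 1,   # generic, out-of-the-box terms
    "unattend": 2,          # Windows answer files can carry local admin passwords
    "project-falcon": 3,    # constructed internal codename
    "payroll": 3,           # constructed high-sensitivity business term
}
MAX_BYTES = 1024 * 1024     # read at most 1 MiB of each file


def scan_tree(root, keywords=KEYWORDS, max_bytes=MAX_BYTES):
    """Return [(score, relative_path, [matched keywords])], highest score first."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            matched = {m.lower() for m in pattern.findall(name)}
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
                matched.update(m.lower() for m in pattern.findall(text))
            except OSError:
                pass  # unreadable file: a name match is still reported
            if matched:
                score = sum(keywords[k] for k in matched)
                hits.append((score, os.path.relpath(path, root), sorted(matched)))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return hits


def build_sample_share():
    """Create a constructed share tree in a temporary directory; returns its root."""
    root = tempfile.mkdtemp(prefix="share_demo_")
    samples = {
        "IT/unattend.xml": "<AdministratorPassword>Plaintext!</AdministratorPassword>",
        "HR/payroll_2024.csv": "employee,salary\n",
        "Eng/notes.txt": "Deploy steps for Project-Falcon; the db password lives in the vault.",
        "Public/lunch_menu.txt": "Tuesday: pasta\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_share()
    try:
        for score, rel, matched in scan_tree(root):
            print(f"{score:2d}  {rel}  {matched}")
    finally:
        shutil.rmtree(root)
```

Pointing `scan_tree` at a mounted share path and extending KEYWORDS with the organisation’s own project names, customer identifiers and system names is the whole point: those are the terms an attacker would have to guess, and the defender already knows them. Binary office formats are only partially covered by a raw text read, so hits on them come mostly from the file name, which is still the signal that ranks a file for review.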
To wrap this up, defenders are highly recommended to use attack tools and attack their own network. Seeing the results a potential attacker would see, combined with the prior knowledge defenders have of their own networks, grants great visibility into the actual status of the network and its assets. Looking from different perspectives can teach you a lot. All you have to do is try.