We move around in many places, we sit in plain sight, you might know we are there, or you might not. We work in the shadows, yet we shine a light. You see we’ve been inside your networks; we’ve sat in your cabs, we’ve worked with your teams. We have read you annual reports and we’ve mapped your company; we do this in a way that often you can’t even see.Read more “Confessions of a white hat hacker”
In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement”
Defending the Realm
We keep seeing organization get hit, in some kind of a sick way I think me and some of my friends in the industry are bored with the over dramatic responses of “sophisticated” “advanced” and “unpreventable” because most times the kill chains simply are not like this. But still the onslaught keeps coming. Well I know this much, whilst I would love to deploy with the team and harden everyone’s networks that simply isn’t possible. So what we thought we would do is write something to try and spread the knowledge a bit further and hopefully have some positive impact.
It’s not just that your data will be encrypted, it will likely be exfiltrated and sold. You will likely have access sold, data sold and be extorted. The Ransomware business model is adapting to defender responses. Even if you can restore from backup they will likely try and attempt to extort. This brings a key point in this equation, the best position is to NOT get pwn3d to start with. Ok that might sound silly to say but when we look at these kill chains you might start to see the world from my perspective a little. Read more “Ransomware Defence Checklist – Part 1 : Initial Access”
Ok so you might think I’m mad with the title but bear with me!
So, the world is in an interesting place, we’ve got a pandemic, we’ve got prolific cyber crime and we have all kinds of different views on how we should tackle this problem.
Now I love a framework and there’s ton’s of them. But the truth is they are complex, detailed, nuanced and generally require a level of nerd that a lot of organistaions do not have.
In 2020 during the pandemic I decided to try and write something to simplify this position, whilst I didn’t want to be too narrow, I wanted to try and capture the breadth of cyber security that is relevent to the general purpose organistaion. I came up with a set of 140 questions which I believe are a good take on things to consider and ask when conducting a security review at a high level. (yes 140 questions is a high level view, this stuff is complex as hell at the detailed end of things, and the devil is in the detail).Read more “Cyber Security Assesments for Normal People”
Washington Police Department Pwn3d by Ransomware Group Babuk
So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.
The still of cyberspace
The alert queue is empty, the estate is patched, the whirr of fans hums in the background. In marketing everyone wants to be excited and to talk about the next big thing. Whilst the physical and digital worlds move at breakneck speed, there’s sometimes the opportunity to be still, to have no incidents to respond to, to have no major changes. These times can be rare, but they are also needed.
Often when I look at and use cyber maturity frameworks there is a lot of focus on cyber capabilities rather than business capabilities that are cyber enabled. What do I mean by cyber enabled? Well, you see, the way I view this game is that much like the roads serve no purpose if they are not travelled, cyber security capabilities are similar. What organisations should be looking for in my view is cyber enablement of the business rather than security as a separate domain. Integrating customer experiences with technology in a secure manner and adding value are often areas I see people not focus on. It’s a similar story with service management, the focus can be on the activity rather than the business outcomes that are enabled by digital services.Read more “A Small Measure of Cyber Peace”
The truth shall set you free
I’ve worked in technology a long time now (relatively for me). It’s now over 20 years professionally and when I was a kid, I used to remove malware from small business’s etc. I’ve travelled to some funky places and done some cool things, but I learn new things every day. I do however come across some repeating patterns in my adventures as a consultant. There is a hidden truth that many are scared to admit…
Most organisations are not very good at service design, let alone secure service design!
Ok so there it is, I hope that this blog doesn’t age very well, but I’m 20 years in and I chat with my dad about his past life in the corporate world and we both see the same things being repeated. So, what can we do about it? Well sharing is caring, so here’s some things to think about when planning and designing a new service. I’m going to focus on the technology and security aspects, clearly, I am not saying ignore the business and value alignment but for the purposes of this post I’m assuming that the functional service capabilities and alignment are in effect. I’m also assuming that business case is solid because you know, without £ it’s a bit hard to create an operate a service (that’s a whole new post!). Read more “Secure Service Design: Practical Solution Architecture”
If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:
Here is a check list of common things to check:
- Can you enumerate the server version?
- Can you enumerate shares?
- What versions of the protocol are enabled?
- Can you connect using anon bind?
- Are there any known vulnerabilities?
- Can you enumerate usernames?
- Is SMB signing enabled?
- Are there other hosts in the subnet that can be used?
I rarely get a chance to play HTB these days 🙁 but today I thought i’d get back on it.. then I had a three hour battle with a graphics driver and Vmware Workstation so that basically ruined that idea…. but I thouht I’d try and remember how to CTF again.. and boy do you get slow fast! Well to try and help people and myself I’ve started to write down some notes to get my mind back into the CTF world of HTB!
Setup & Scope
Ok this is the setup phase. Let’s grab the details
- Take note of the machine name
- Remember most boxes are called .htb or .htb.local
- There’s not an “internet” dns inside the arena so you need to update hosts files
- Take note of the box author
- This is useful for OSINT
- Take note of the IP
- This is your scope
- Take note of the OS version
- Get you digital notebook ready