Defense

Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Read more “Defending Against Direct Authentication Attacks in Microsoft Office 365”
Leadership

The Cyber Acid Test

I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios.  The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.

Conversely there are a range of common challenges I find in almost every org:

Read more “The Cyber Acid Test”
Defence

Planning to defend and respond to cyber threats

Everyone has a plan until they are cyber punched in the face! Or something like that!

People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.

Let’s be real here, you really don’t. But what you do need is a few things:

  1. Authorisation
  2. Time
  3. Some ideas for cyber incidents to plan for
Read more “Planning to defend and respond to cyber threats”
Leadership

What is a “Winning Cyber Security Strategy”?

A winning cyber security strategy should have several key components.

First, it should involve a thorough assessment of your organization’s current security posture, including identifying any potential vulnerabilities or weaknesses. This assessment should be ongoing, with regular updates to ensure that your security measures are keeping pace with the evolving threat landscape.

Read more “What is a “Winning Cyber Security Strategy”?”
Leadership

UK laws and cyber security considerations for business

I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:

Read more: UK laws and cyber security considerations for business
  • Data Protection Act 2018
  • Freedom of Information Act
  • Communications Act
  • Computer Misuse Act 1990
  • Investigatory Power Act 2016 (IPA)
  • Theft Act 1990
  • Terrorism Act 2000
  • The General Data Protection Regulation (GDPR)
  • The Privacy and Electronic Communications Regulations 2003 (PECR)
  • The Regulation of Investigatory privacy Act 2000 (RIPA)
  • Official Secrets Act 1989 (OSA)
  • Companies Act 2006
  • Copyright and Design patents Act 198
  • Trademarks Act 1994
  • The Malicious Communication Act 1988
  • Forgery and Counterfeiting Act 1981
  • Police and Criminal Evidence Act 1984
  • Contracts (Rights of Third Parties) Act 1999
  • Fraud Act 2006
  • Network and Information Systems Regulations 2018 (NIS)
  • Telecommunications (Security) Act 2021
  • The Bribery Act 2010
  • Freedom of Information Act 2000
  • Defence of the Realm Act 1914

can you think of any others that I should add?

Thanks Gary and Kevin and the other AVIS I can’t name for inputting!

Education

Information Security Risk Management 

I wrote this in 2018 and don’t believe it ever made it to the interwebs, so I’m basically posting as is with an extra section for some useful links! Hopefully it still stands the test of time!

Risk Management doesn’t have to be risky! 

Risk assessments are complex, they require cross domain knowledge and generally do not deal in absolutes. Threats, vulnerabilities and asset intelligence is combined, weighed and assessed, leading to the construct of a risk assessment document. It can be easy to overcomplicate this process, which in turn (in my experience) often leads to far wider reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to clarify what I’ve seen work out in the field. So, to start with let’s try and align on what exactly a risk is. 

Read more “Information Security Risk Management “
Leadership

Organisational Approach to Technology and Security

How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.

When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:

Read more Organisational Approach to Technology and Security”
Vulnerabilities

Exchange Emergency Mitigation (EM) service

Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the “Autodiscover” endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:

This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config

My custom rule:

Read more: Exchange Emergency Mitigation (EM) service

<rewrite>

<rules>

<rule name=”RequestBlockingRule1″ enabled=”false” patternSyntax=”Wildcard” stopProcessing=”true”>

<match url=”*” />

<conditions>

<add input=”{REQUEST_URI}” pattern=”.*autodiscover\.json.*\@.*Powershell.*” />

</conditions>

<action type=”CustomResponse” statusCode=”403″ statusReason=”No Hacks for You” statusDescription=”Say no to exploits!” />

</rule>

</rules>

</rewrite>

This morning I checked the Honeypot, and I found the following:

Graphical user interface, text, application, email

Description automatically generated

This rule is hosted in:

C:\inetpub\wwwroot\web.config

<rewrite>

<rules>

<rule name=”EEMS M1.1 PowerShell – inbound” stopProcessing=”true”>

<match url=”.*” />

<conditions>

<add input=”{REQUEST_URI}” pattern=”.*autodiscover\.json.*\@.*Powershell.*” />

</conditions>

<action type=”AbortRequest” />

</rule>

</rules>

</rewrite>

As you can see this was modified at 03:21 01/10/2022

Graphical user interface, text, application

Description automatically generated

This comes from:

Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn

“Exchange Emergency Mitigation (EM) service”

Text

Description automatically generated

You can check if this is enabled by running the following PowerShell:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; 

Get-OrganizationConfig | Select-Object MitigationsEnabled

So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)

You can enable or disable it with the following:

Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $false

You can check this feature works using the following (modify path as required for relevent exchange version)

. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"

Check the MS docs and check your Exchange Server version to see if you have this feature etc.

GCM exsetup |%{$_.Fileversioninfo}

You learn something new everyday!