NHS 111 Supply Chain Cyber Attack Summary – events…

NHS Supplier Cyber Incident 4^th August 2022

Cyber incidents are never nice, I wasn’t exactly overcome with joy when I say there was a cyber attack on an NHS supplier on the 4^{th of} August 2022. There’s still lots of unknowns with the scenario, it’s impacts and how this will play out. I’m always cautious to speculate too much however cyber incidents aren’t magic, they are usually bound to certain patterns. A week ago this was reported as likely being restored by Tueday, since then there’s been another press release and now even more articles in the maintream media. I am however not convinced with the press release contents, I’m also unsure as to why there isn’t a more concise view… something doesn’t seem to add up, my spider sense is tingling. So, here’s my star gazing (experienced based) view so far.

Leadership

Supplier Assurance Tools

Do they replace the need for OSINT and Supplier engagement?

I’ve been conducting sales and assurance-based activities for some while (I’m not counting it will make me feel old!) and I have started looked at a range of supplier management tools which leverage tool-based OSINT, attack surface mapping and manual data inputs and I have to say this:

Read more “Supplier Assurance Tools” →

Leadership

Cyber Insurance: How would I decide to buy it…

Is Cyber Insurance right for you?

Wow a big question, right? I can’t answer this for you, obviously I’d recommend that you consider cyber insurance, however I’d also recommend that you:

Understand your business and it’s supply chain with regards to financials and linkages to cyber risk
Understand your current cyber asset, threat, vulnerability and therefore risk landscape
Ensure you have a good understanding to make informed decisions

I’m not going to write lots this evening on the subject, but I was reviewing a report and thought in line with some research that I started recently (but was side-tracked) and then have seen the report so purchased that instead! (Sometimes it’s easier to not do everything yourself right!)

Education

PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV

There’s thousand of vulnerabilities, but do you ever struggle work out what ones might actually be useful to you if you are defending or attacking?

Well don’t worry I’ve started to document some things that might help you both attack and defend in CYBERSPACE!

Leadership

Tabletop: “you have 400 servers; 800 users and your…

CISO Tabletop Scenario Intro

I thought it would be fun to explore what people do with regards to Cyber Securityleadeship, budgets, contraints and realities of business change. So here’s a blog post to supliment my thread on twitter:

MrR3b00t | #StandWithUkraine #DefendAsOne on Twitter: “Tabletop: you have 400 servers, 800 users and your cyber security budget is 100K…. what do you do? https://t.co/Nw0Pd7rH8L” / Twitter

please note: the list below is based on experiance, it’s also a list I made whilst drinking about half a cup of tea so it’s not complete or “the answer” it’s just some observations about an approach I advocate.

Defense

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Potential Actions

Reset all user account passwords twice (thanks @tazwake)
- Reset all administrator passwords
- Reset all service accounts passwords
Reset (twice – but bear in mind the issues with replication so there’s specific guidance on this) the KRBTGT password
Reset all computer account passwords
Check the value of the computer account password change value
- By default, it is 30 days, threat actors can change this to give themselves access using machine hashes for a longer duration. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
Reset all LAPS Passwords
Reset permissions on AdminSDHolders object
Revoke and re-issue all certificates from ADCS
Check for malicious scheduled tasks (thanks @SchizoDuckie)
Check for malicious WMI event filters
Check for malicious autoruns or other registry-based persistence mechanisms
Check for utilman style backdoors
Check for malicious printers/printer drivers (thanks @SchizoDuckie)
Review Active Directory Delegated access permissions (thank https://twitter.com/@indachtig)
Rotate ADFS token signing and token decryption certificates (thanks @4n6Bexaminer)
Check Service Control Manager (SCM) security descriptors (https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) (thanks @EricaZeli)
Check for object changes around initial access/event timescales (thanks @IISResetMe)
Validate group memberships against known baselines (replication metadata, backup, AD reporting tools/reports etc.) (thanks @IISResetMe)
Harden Active Directory (look at pingcastle and MITRE) (thanks @MarkSewe)
Review logon scripts in GPOS and SYSVOL (thanks @CisoDiagonal and A-HAX!)
Rotate Group Managed Service Accounts (GMSA) (thanks @infosecspy)
Rotate LAPS credentials
Review Azure AD/AD Connect (thanks @infosecspy)
Harden Endpoints
Update AV
Deploy EDR
Deploy SYSMON
DNS Zone Integrity (Public and Private) (thanks to @jermuv)
Rote domain trust keys (thanks @DebugPrivilege)
Review potential RBCD Bakdoors (thanks @DebugPrivilege)
Review msDsConsistencyGuid attribute of compromised accounts (thanks @DebugPrivilege)
Check Exchange (easy right?)
Review accounts for “Key Trust Account Mapping” takeover and reset if required (thanks @nodauf)
- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
Review Active Directory Domains and Trusts (thanks @dragon199421)
Deploy new Domain Controllers (keep existing forest/domain metadata)
Clear VSS/Backups/Snapshots that are likely to be classed as unsafe (thanks to @Digit4lbytes) Read more “Post Compromise Active Directory Checklist” →

Defense

Snake Oil Defence: Defending against lies and false claims

Defenders of the Realm

We often talk about not selling using fear, uncertainty, and doubt (FUD). It is quite a big thing in the cyber security industry where the entire purpose of existence is to help people and organisations manage risk to prevent, detect and respond to impact to confidentiality, integrity, and availability. A key foundational component is that we operate using science, trust, and integrity.

This does however become quite interesting when you look at some rather dubious sales and marketing techniques employed by a few.

What I have noticed are there are a range of patterns that are similar (it is like they all went on the same con artist course!) so I thought I would look at some of the indicators I see which bring up flags to me. Read more “Snake Oil Defence: Defending against lies and false claims” →

NHS 111 Supply Chain Cyber Attack Summary – events…

NHS Supplier Cyber Incident 4th August 2022

Supplier Assurance Tools

Do they replace the need for OSINT and Supplier engagement?

Cyber Insurance: How would I decide to buy it…

Is Cyber Insurance right for you?

PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV

Tabletop: “you have 400 servers; 800 users and your…

CISO Tabletop Scenario Intro

Post Compromise Active Directory Checklist

Potential Actions

Snake Oil Defence: Defending against lies and false claims

Defenders of the Realm

NHS Supplier Cyber Incident 4^th August 2022