7 Minute Security

This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week. In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include: Turning up Windows auditing and PowerShell logging Installing Sysmon Installing Security Onion Don't put too much faith in endpoint protection Keep an eye on Active Directory Install RITA Deploy a Canary Use strong passwords Install LAPS Scan and patch all your things

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series! Solutions we'll poke around with include: Ninite ManageEngine PDQ Deploy PS: None of these solutions are sponsoring 7MS. They're just popular patching solutions we're trying out to learn more about 'em and give you the pros/cons we discover! In today's episode I dive a bit into... Ninite Pros Cheap Does one thing, and does it well Been around for a long time Cloud-based - doesn't rely on LAN-side server Cons Only cloud-based...no LAN-side option Requires an agent Agent's only purpose is patching - no extra bells/whistles like remote control or inventorying capability

I spent a bunch of time with Security Onion the last couple week's and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment. After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentionally) Invoke-Mimikatz. The dashboard allows you to see transcripts of file downloads like this, as well as a tool called Network Miner to extract a copy of the downloaded file for further analysis. One thing the SO didn't pick up on was the DNS-based C2 tunnel I setup on a test victim client. However, it turns out RITA works great for exactly this type of analysis - it reported the huge number of DNS requests from my victim client to the C2 server. Very helpful info for an incident response situation!

Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better! In this episode I talk about my mixed feelings towards the "big" standards like ISO/NIST/etc. and how a more tactical, down-to-earth documentation approach might be more effective in some cases. And I think we need our documentation to be much more focused on consultation/remediation and not just "Hey, your security sucks...and these next 100+ pages will tell you exactly why!" We can do better! Yes, this episode is like 18 minutes because, well, I guess I'm really passionate about documentation. :-)

Been having a blast working with the beta branch of the Sweet Security project and it anxious to try the latest fixes of the beta branch. Give it a look! I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though: Run the soup command to update Security Onion with all the latest packages Use ufw to adjust the internal firewall to allow management from ports other than SSH (which is already preconfigured) On a side note, I think you might have to have your vnic in VMWare set to promiscuous mode in order to allow proper network sniffing. Do a wget http://testmyids.com to ensure Security Onion alerts are coming in the squil dashboard security alerts are pouring in. Also, check out this article for some handy tips on threat hunting with Bro. Next up on my "test this out list" is to setup DNS tunneling to a Digital Ocean droplet I setup, and see if the onion picks up on that, or if I can at least get warned somehow about a high amount of DNS traffic.

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines. I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!

I've been wanting to get a Bro IDS installed for a long time now - and for several reasons: It looks fun! My customers have expressed interest It will be part of my upcoming ILTACON session. So this weekend I started getting the hardware portion ready, which includes: Ubiquiti Edge Router X (~$99) TP-Link TL-SG105E (~$35) CanaKit Raspberry Pi 3 Complete Starter Kit (~$70) If you need additional information such as screenshots/configs etc to get the VLANs passing properly from the Edge Router X to TP-LINK switch, let me know. Otherwise for now I'm just focusing on crafting content for part 2, where we'll dive into actually turning the Pi into a Bro sensor using Sweet Security.

I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options: --throttle <milliseconds> - for example, I've been using --throttle 1000 in order to be a bit less intense on my target site --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts Also, if you find yourself in a situation where you're testing a production Wordpress sight (not recommended), consider setting up a free up/downtime alert via a free service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats hitting F5 in Firefox every 10 seconds :-)

Tell me I can't be the only one who regularly wants to combine a bunch of small Nessus scans files into a big fat Nessus scan file, and then make pretty pictures/graphs/summaries that the customer can easily understand? Over the last few weeks I must've tried every Powershell and Python script I could get my hands on, yet still didn't find the magic bullet solution. That is, until I found this little beauty of a tool: NamicSoft. It's a $65 tool for Windows that will not only combine multiple Nessus files into one huge file, but it offers a ton of export/reporting features to make the Nessus data more valuable. Oh, and it can also digest Burp and Nexpose data as well! More on today's episode...

Through kind of a weird series of events, I have an opportunity to speak at ILTACON this summer in Vegas (baby!). I'll be talking about some things you can do if you suspect your perimeter is breached, as well as low-hanging fruit you can implement to better defend against breaches. I'm pumped. And I've done the most important part and chosen a PowerPoint theme: A Few Good Men :-) I've spoken with some of you in the past and know a few of you spend your days and sleepless nights hunting threats. If so I'd love to talk to you to get some creative ideas as it relates to crafting the session content.

This week I had the fun opportunity to do a "blind" network security assessment - where basically we had to step into a network we'd never seen before and make some security posture recommendations. I've found that the following software/hardware is quite helpful for this type of assessment: The PwnPulse helps a ton in scanning wired and wireless networks...and even Bluetooth! I've covered the Pulse in past episodes - check out part 1 and part 2. Network Detective will do a ton of helpful Active Directory enumeration and point out potential red flags, such as: Accounts that haven't been logged into for a long time Accounts with passwords that haven't been refreshed in a long time Privileged groups that need review (Domain Admins, Enterprise Admins, etc.) AD policy issues (*warning: by default Network Detective only pulls back a few policies by default. Check out scripts such as my Environment Check to grab a dump of all GPOs. Thycotic Privileged Account Discovery is a free tool that can crawl AD workstations and enumerate the local administrator accounts on each machine. It makes a good case for implementing LAPS.

I'm continuing to love the our PwnPro and had a chance to use it on a customer assessment this week. For the most part the setup/install was a breeze. Just had a few hiccups that the Pwnie support team straightened me out on right away. In the episode I mention some command line tools and syntax that helped me work with the Pulse. One was using fping to sweep large subnets and accurately find live hosts: fping -a -g 10.0.5.0/16 > blah.txt Then, to setup the reverse shell, I just forwarded port 22 from my Ubiquiti gear to my internal Kali host, and then ran this to make the reverse connection: ssh pwnie@localhost -p 3333 Lastly, to setup the reverse shell so you can proxy Web traffic to an alternate host/port, such as the Nessus port, setup your shell like so: ssh pwnie@localhost -p 3333 -ND 8080 Then leave that window open and setup your Web browser so that you do a SOCKS5 proxy to localhost:8080. Finally, visit http://ip.of.your.host:XXXX. So if your Pulse was 1.2.3.4 and had Nessus running, you'd visit https://1.2.3.4:8834. Enjoy!

Warning! Warning! This is an off-topic episode! I try really hard to create valuable weekly content about IT/security. However, sometimes a virtual grenade goes off in my life and prevents me from having the necessary time/resources to get my act together. This has been one of those weeks. :-) So today I'm going off-topic and talking about an alleged burglary of some electronics at my home. And once we identified the culprit, wow...nobody was more surprised than me.

Intro I mentioned last week that I was speaking at the Secure360 conference here in the Twin Cities, and at that time I was preparing a talk called Pentesting 101: No Hoodie Required. I was so nervous that I've basically spent the last week breathing heavily into paper bags and wishing I was on sedatives. But I have good news to report in today's episode, friends! The talk was very well received and the attendees didn't get out torches and pitchforks! #winning! So today's episode (audio below) talks more about the public speaking experiences and highlights some lessons learned: Things I'd do again next time I'd not tempt the demo gods and still pre-record my hacking movies ahead of time. I saw some people do live demos of very technical things and it did not go well for a few of them :-( I would still spend way too many hours cutting together my movies in iMovie so that they followed a good tempo when presented live I would still have a copy of my presentation on two different laptops, 3 USB thumb drives, a cloud copy, and a copy sent to the Secure 360 folks just in case. Backups, backups, backups - am I right? What I'd do differently next time I'd hopefully have the preso done a few days (weeks, even!) ahead of time and practice it in front of colleagues to get some feedback. I'd still have a theme to the presentation, but rather than something specific like Terminator 2, maybe I'd go even more general and pick a movie/character that could appeal even more to the masses. I wouldn't worry so much about having a presentation that "nails it" for everybody. That's just not possible! We're all coming from different backgrounds and skillsets. It's not gonna be a home run for everybody.