As a Security Analyst, your job is to identify business risks and raise the alarm to higher along with your recommendation of a solution. Some times you get approval for immediate mitigation action, other times for whatever reason the recommendation will be overruled.

Risk = Threat x Vulnerability

Lets make this a scenario and say the risk is a major gap in data protection that can only be fixed by purchasing solution X. Being an off budget item of significant cost the decision is passed down to add solution X to next years budget process which is a solid 8 months out yet. Tack on the procurement process and project implementation time of solution X and this data protection gap is going to exist for at least the next year.

Did you get that decision from management documented in writing, or was it just given verbally during a check-in meeting?
What happens when that specific security gap gets exploited in 7 months and you have to deal with the fall out of a massive data breach?
What do you have to show you recommended the data protection gap be corrected and that management knowingly accepted the risk to the business?
Are you the fall guy for managements call and your lack of documentation?

ENTER THE RISK ACCEPTANCE LOG

A Risk Acceptance Log is a living document to raise awareness of identified risk in your environment. The Log should be reviewed in detail with management, depending on the organization this will more than likely be the C level Information Resources representative. Once management fully understands the risk and the recommendations for mitigations or a fix, they sign off with official acceptance of the risk.

They sign on the dotted line and essentially state “As CIO of YourOrg I acknowledge and accept the risk of running Windows XP in our Organization.” — That is a very powerful statement.

Categories recommended to include in the Risk Acceptance Log, but not limited to are;
Risk Title :
Risk Details :
Decision Date :
Decision Maker :
Status : (Approved, Pending, Needs further action)
Likelihood of Occurrence : (High, Medium, Low)
Impact to Business : (High, Medium, Low)
Qualitative Risk Score :
Risk Score explanation :
Requestor :
Recommended Fix/Remediation :
Notes from Review :

A qualitative risk analysis is great for this scenario, its subjective, quick and gets the point across of the risk associated to the business. I do like to add a section for “Risk Score Explanation” in the Risk Log since scoring is very subjective the end result depends highly on your environment and what sort of defense in depth controls you have deployed between the vulnerability and the threat.

The beauty of a Risk Acceptance Log is that its not just for use by the Security team for Security business risks. Does your organization have old hardware that’s out of support? Maybe running a generator for backup power that’s past its recommended lifespan? Both are examples of risk, not specifically tied to Security but are undoubtedly risks to business continuity or productivity in the event of an outage. Add them to the log, the more risk awareness we can raise the more change we can push and in the end the business benefits.

There are two major benefits of a Risk Acceptance Log that immediately come to mind, coverage for yourself and getting eyes on risks.
CYOA, we all know what it means but when stuff hits the fan and we are in a breach situation for something you were aware of and are pretty sure you had brought up as a concern previously. A breach is no time to point fingers, however as a Security professional having piece of mind in knowing that you had identified a risk, brought attention to it and management signed off on accepting the risk instead of spending budget or time to fix it, that piece of mind can be priceless.
You will also be amazed at how tying a name to a decision and making management acknowledge the risk and officially sign off on it will help push security initiatives to a higher priority instead of just getting lost in the Cyber Sauce. Not only that but its a great tool to track risk over time, review risks at budget time and demonstrate accomplishments and successes over time.

So you might say, okay great, we’re documenting all of our security weaknesses, what happens when a malicious attacker gains access to our network and comes across the Risk Acceptance Log? Now they know where all our vulnerabilities are. That is a valid argument but with proper data protection the Log itself should be fairly secure. Access to the Log should be limited to only the few that need to know, no more. If an attacker has made it on your network and has spent enough time tooling around to run across your Risk Acceptance Log you probably have way bigger issues already. The immediate benefits of having a Risk Log in my professional opinion far outweigh the business risk it may inherently contain itself.

A Risk Acceptance Log has instant benefit to you as a Security Professional and your Organization. It should be a tool in your arsenal that is utilized and reviewed often!

WeisterCreek InfoSec 4/10/2021

My own three month journey ended the other day in success passing the CISSP (Certified Information System Security Professional) certification test. Thought I’d outline my study strategy as a whole, what really helped, what was a waste of time and some other tips and tricks I learned along the way. If this guide helps one Security Professional pass the CISSP then it was well worth the time in putting together.

If you’re reading this article you probably already know what CISSP is, however if you do not, here is a high level overview. CISSP certification covers eight domains of Cyber Security, you’ll hear people say CISSP is 10 miles wide and and inch deep which is very accurate. You don’t need to be an expert in all eight domains, but you do need to be fluent enough in each one of them to know Processes, Protocols, Frameworks, Laws, Regulations, Workflows, the list goes on. For example: you need to know details on the Network OSI model, Layers, what devices and protocols operate at each layer. You do not need to dive in to a TCP packet and describe each bit in each section as traffic flows. Acquiring CISSP Certification “in theory” proves you have general knowledge on Security design, implementation and management of a cybersecurity program.

The eight security domains and exam weights as of 2018-2021 are as follows;

Note: the domains/weights may be updated at some point in 2021

Timing is an important consideration for scheduling the actual test. Summer/fall are always busy times for me, so it made sense to start studying in December and schedule the exam for end of March. Unless you know it all already you need ample time to study, do not cut yourself short here. Life happens, things come up that will cut in to the study plan, make sure to add some extra padding to your timeline.

I deviated a little from the overall goal of CISSP in the beginning. CompTIA Security+ is actually somewhat similar to CISSP, granted I would rate it as not as difficult. Security+ focuses on eight Security domains, slightly different in domain structure but its all about repetition so how they differ doesn’t matter, its retaining the information that counts. From mid December to Jan 10 I studied for Security+ as a practice exam. Studies consisted of reading the 11th HR CISSP Study Guide book as well as InfoSec Institutes CompTIA Security+ course by Mike Meyers which I highly recommend both. InfoSec Skills runs $35/month with unlimited access to self paced courses (bootcamps are not included in that subscription). A few weeks of studying down and passed the Sec+ exam without difficulty, if nothing else it was a confidence booster while building for CISSP.

What works for me may not work for everyone, but I prefer to pound in the information repeatedly with multiple methods, videos, books, hand written notes and flashcards. I also don’t work Domains 1 through 8 in order for each method.
A random study example week:
Monday: Read on Domain 2 for an hour, highlighting and taking notes
Tuesday: Watch videos on Domain 4 for an hour
Wednesday: Create flashcards for Domain 5 and study
Thursday: Read on Domain 3 for an hour, highlight and take notes
Friday: Videos on Domain 2 for an hour
Saturday: Create flashcards for Domain 6 and study
The point of rotating above is I’m not concentrating on all Domain 1 and then moving on, so three months from start point I’ve forgotten what was studied. By randomizing studying, reading about X domain one day, then watching videos maybe 3 weeks later on it, and Flashcards later I’m continually reviewing the information, touching all senses.

There were a number of resources that were very helpful to passing the CISSP exam. Here is what I used and an explanation of each;

11th Hour Study guide: This was a great high level quick and dirty resource. By itself alone it doesn’t give enough information to pass each subject, but it does a great job summarizing ideas and hitting key points. I ended up reading this twice, first time during prep for Security+ while highlighting important info, then the second time the week before the CISSP exam. At $20 for a paperback copy it is well worth the cost.
https://www.amazon.com/Eleventh-Hour-CISSP%C2%AE-Study-Guide/dp/0128112484

(ISC)2 CISSP Official Study Guide & Practice Tests Bundle Second Edition: Want to get real down deep in the weeds, this is the book to do it in. Packed full of detail on every aspect of Information Security this is a great resource to lean on. This was read front to back one time, was where majority of my Flashcards and hand written notes came from, and each domain ends with a 20 question quiz. $50 used or $57 new, again well worth the price in my opinion.
https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119523265/ref=sr_1_1_sspa?dchild=1&keywordWs=cissp&qid=1617296356&s=books&sr=1-1-spons&psc=1&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUEyNEswWUs4SkpQUElYJmVuY3J5cHRlZElkPUEwMjc3MDI1Mk4yODFSVjQ0UkNPJmVuY3J5cHRlZEFkSWQ9QTA3NjM2NTVBRjRUOEsyOE5GVFImd2lkZ2V0TmFtZT1zcF9hdGYmYWN0aW9uPWNsaWNrUmVkaXJlY3QmZG9Ob3RMb2dDbGljaz10cnVl

InforSec Skills: There are a lot of subscription based learning sites out there now days, Udemy, Pluralsight, Lynda and the list goes on. I used InfoSec Skills due to its large library of classes included in its monthly subscription for $35. The class named “(ISC)² Certified Information Systems Security Professional (CISSP)” is 17hrs worth of CISSP videos, enjoyable to watch, informational and again would recommend.
https://app.infosecinstitute.com/portal/skills/homeSki

CISSP® Self-Paced Training Seminar: Don’t Waste your money on this! The other trainings mentioned so far I highly recommend, which I can not do so with the official ISC2 Self Paced Training Seminar. Coming in at around $800 I was expecting this to be the know all be all of courses and alone by itself be sufficient to pass the exam. It was very high level, did not contain the detail that was expected, and the instructor said “I think” way too many times for my comfort. You are the instructor teaching a class, on the pertinent information to pass an exam, you need to know, not just think. At one point he said, I believe I’m correct but you can look it up on your own. That is not okay and ISC2 should be embarrassed they put this product out there, my end of course review did not hold back those feelings.
https://learn.isc2.org/d2l/home/

CISSP MindMaps: If you do a search for CISSP MindMaps on Youtube you’ll find 29 very well put together videos made by Destination Certification split up by domain. I utilized listening to these in the last week of study as a nice review while driving.
https://www.youtube.com/channel/UCXk6whiDrWq42y9Tdv1MEhg

Discord: Winding down to the last week of study someone on Twitter pointed me to the Certification Station Channel #CISSP. Where I didn’t utilize it a lot I can see the value in the channel to assist in tracking down additional training resources, Exam QnA channels and general discussion on the exam.

On to test day, since you are required to sign an NDA prior to the Exam I can’t discuss anything in detail, but I can give some tips as what to expect. First and foremost make sure your two forms of ID are ones they accept. I was a little concerned as my drivers license has my shortened name, not legal name, so I ended up using my Passport as my primary ID and Military ID as my second form. Do not overlook this, they take security VERY seriously and if you do not have proper ID you will not be able to take the exam.
The exam timer does not stop, utilize the restroom directly before the exam, total time allowed is 3 hrs which is plenty, but best to be safe than sorry.
Lastly the questions are tricky, read the question, read the answers, re read the question, choose an answer, then triple check. Read it all one last time and make sure it is exactly what they are asking. Many questions have multiple correct answers, however there is one answer that is the best answer, take your time and be read carefully.

Is CISSP worth it? It all depends on the situation you are in, for me yes it is worth it. I learned a lot in the process of studying, a lot I will use again, some I won’t. Where it really pays for me is for some reason HR seems to be dead set on CISSP being a requirement for many job postings, so wit that being said its a HR filtering bypass tool that will at least get your resume a second look.

Does CISSP mean you are a security God, No, Far from it, its just a tool in the tool belt to utilize

WeisterCreek InfoSec 4/1/2021

The CVSS or Common Vulnerability Scoring System, in its most basic form is a framework used to assign a numeric score 0 – 10 to severity of vulnerabilities, 10 being the most severe. The score is based on vendor neutral qualitative estimates of risk, in combination with end user input depending on environmental specific considerations. It is designed in a manner to be scalable enough for rating vulnerabilities on all levels from Operating Systems to Web Applications to Protocols.

Current version of CVSS is 3.1, however the CVSS SIG (Special Interest Group) is currently working on the update to 4.0. Those potential improvements can be found here.

Scoring is measured in 3 categories:

Base Metrics: Base factors are those that will not change over time and are not dependent on other factors. It will be scored on Exploitability, Scope and Impact

Temporal Metrics: Opposite of Base Metrics, Temporal factors are those that will change as exploit code matures over time. Availability of remediation actions (vendor patches) are also taken in to consideration when calculating the Temporal Metric Score.

Environmental Metrics: Environment Factors take criticality of Assets in to consideration. If the Asset is mission critical a higher score will be assigned. So if the vulnerability deals with authentication to a Domain Controller, that score will be much higher than a low level vulnerability on a standard user laptop. The other consideration the Environment Factor allows for is mitigations applied to the asset, Air Gapping is an example here.

The three Metrics above are calculated based on weight for the final Qualitative product. One note on that calculation is that the Base Metric is mandatory, however the Temporal Metric is optional, both of those scores are provided by the vendor when the vulnerability information is released. Lastly the Environmental Metric is entered by the product end user and is also optional. So as you can see there is room for a fair amount of score manipulation which is somewhat of a short fall of CVSS.

Now we have a general idea of how scores are calculated, so what does that all mean for me as an administrator patching a system?
With everything related to CVSS, it depends. There are general guidelines of patch priority based on score but your specific environment as well as your personal risk acceptance comfort level threshold need to be taken in to consideration.

Here are two examples of different organizations, use them as a guide but remember as a Security Professional you must decide whats best for you.

NIST sets their scores slightly different than the recommendation above, then incorporates a patch decision tree to help decide what action to take and how soon. More info can be found here on the NIST process: https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Patch_Management_S508C.pdf

Microsoft uses the following recommendation for patching.
https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system

If you are going to take one piece of advice away from here, execute the following:
– Talk to Asset owners and have a patch plan in place that works for your organization
– Know your risk tolerance level and that of your C level sponsor (They don’t have to match, probably won’t)
– Stay on top of patch notifications for the systems in your Organization

Questions that will help along the way when figuring it all out:
– What is the Asset exposure, Internally available only or Externally available ?
– What defense in depth security controls do you have in place ?
– Is the vulnerability being exploited already in the wild ?
– Is the attack vector Network based or Local ?
– Does the attack require user interaction ?
– How complex is it to exploit, can it be done by a script kiddie with metasploit ?
– Is the exploit code still a Proof of Concept or has it been validated ?
– Is there a workaround available that can buy you time until a Maintenance window opens ?

Take CVSS with a grain of salt, if its a 9.8 or 10, jump on that and patch, don’t wait. If its coming in at a 7, the questions listed above are going to be a lot more helpful in deciding whether to stop operations and pull the trigger early, or waiting a week or two for a patch window.

Lastly if you are a security analyst, admin, engineer whatever your title is and you bring a recommendation to patch now to your C Level Exec who is willing to push off the patch and accept the risk, Document that decision. Its your job to make the recommendation and push for what is best on the security side, some times that gets trumped by needs of the business. If Risk Tolerance is higher on the C Suite that’s okay, that’s what they get paid the big bucks for, but just make sure to document that decision for later reference.

Patching is a non stop war – Have a battle plan ready

Weister Creek Information Security – 2/11/2021

M$ Patch Tuesday February 2021 fixes 56 bugs which include a ZeroDay, and a high priority DNS (Domain Name Service) Vulnerability patch.

ZeroDay CVE-2021-1732 is an elevation of privilege bug that comes in with a slightly lower CVSS of 7.8, due to the attacker already needing some sort of access on the targeted host. Once exploited the attacker elevates from standard user to System Level access, this ZeroDay was supposedly used by a threat actor known as Bitter as far back as May 2020.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732

DNS heavy hitter CVE-2021-24078, a critical vulnerability in Windows DNS server 2008-2019, all versions are affected. This bug could be used to remotely install malicious software simply by an end user visiting an infected website, so came in at a high CVSS of 9.8.
Krebs on Security stated- “Recorded Future says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). Kevin Breen of Immersive Labs notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization’s web traffic — such as pointing internal appliances or Outlook email access at a malicious server.”
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24078

TCP/IP stack bugs CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086 are patch now vulnerabilities, the first two listed RCEs coming in at 9.8 CVSS and the last Denial of Service CVE was CVSS of 7.5.
From Microsoft on the TCP/IP CVEs “The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely [to be exploited] in the short term.” “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release,” “Thus, we recommend customers move quickly to apply Windows security updates this month.”
In Microsoft’s quote they state the RCEs are complex to exploit, however in the official update-guide linked below the Complexity is listed as low. Either way don’t wait to find out on these, its the TCP/IP stack, just patch as soon as possible.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086

Other CVEs to note
CVE-2021-1733 – Sysinternals PsExec Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1733
CVE-2021-26701 – .NET Core Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701
CVE-2021-1727 – Windows Installer Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1727

ZeroLogon Reminder- CVE-2020-1472 Second patch Round
As a friendly reminder this month is when MS is releasing its Domain Controller patch to enforce Secure NetLogon communications. Previous patches released in August 2020 fixed the flaw on Windows Server systems however did not stop devices from attempting to use insecure NetLogon. With that initial patch the Windows Event IDs 5827-5831 which help to identify any of those legacy systems reaching out with insecure NetLogon requests.
For a more in depth look in ZeroLogon and Event IDs refer to: https://weistercreekinfosec.com/2021/01/23/zerologon-last-minute-need-to-know/

Patch em if you got them!!

Weister Creek Information Security – February 10 2021

Over they years I’ve seen a number of ways to deal with Local Administrator account passwords from setting it once at build and never resetting, to deploying a change routinely via GPO (Group Policy Objects) among other poor practices. Problem with the first method is obvious, one password across multiple endpoints that never changes, wrong for so many reasons. Changing passwords with GPO is a small step up from set at build, you have ability to update passwords as needed, but the issue remains of a common password on all endpoints making pivoting throughout your domain effortless. Its also possible to extract the password from sniffing GPO traffic. There are better options.

Enter LAPS

Microsoft LAPS (Local Administrator Password Solution) made its debut in May of 2015 offering a FREE method for System Admins to manage domain joined Local Workstation or Server Administrator account passwords via Group Policy and password storage in AD. LAPS allows for truly randomized passwords to be applied individually to each Server or end user laptop/desktop using a fully customizable password policy.
A couple important notes to consider when deploying the solution: LAPS does not support UNIX, LINUX or MacOS operating systems, Windows is it. Local Guest or unique accounts are not compatible with LAPS either, only the Administrator account. Lastly there is no true Centralized Console for auditing, reporting and alerting of issues. The LAPS UI can be used to query domain machines, but its a very basic tool, my preference is the Powershell Module I’ll touch on later.

With those considerations in mind, if you are looking for a free solution, quick and easy to configure and low maintenance after initial set up, LAPS is an excellent option, so lets run high level through the config and deployment, I’ll be concentrating mainly on the GPO and AD side of things. Your method to build deployment to push the LAPS agent to managed workstations will vary depending on tools at your disposal. Microsoft has a nice work instructions doc that would include the deployment side, LAPS_OperationsGuide.docx which is included with the download.

Current version of LAPS is 6.2
Download and guide: https://www.microsoft.com/en-us/download/details.aspx?id=46899
My config steps below are the 3,000ft view to highlight notes and recommendations, refer to guide above for in the weeds install

Summary of install
• Installation of GP CSE (Group Policy Client Side Extension) via MSI installation
  • On management computers
  • On clients to be managed
• AD preparation
  • schema extension
  • Permission updates
• Group policy configuration

During install I like to push out the all administrative options to those admins that need access to LAPS passwords. The UI client in the pic above is nice for admins that may not be avid PowerShell users, our HelpDesk is the main user of the fat client UI.

Your Active Directory Schema will need to be modified for the LAPS install. Schema updates are low risk, especially on something like LAPS that has been around for years, however always run any sort of potentially high impact Schema update during off hours or better yet during a maintenance window where if the absolute worst happens you have time to recover. Schema is extended to add two new Attributes to AD Computer objects, “ms-Mcs-AdmPwd” and “ms-Mcs-AdmPwdExpirationTime”. The first new attribute, ms-Mcs-AdmPwd stores the Local Administrator Password and fairly self explanatory the ms-Mcs-AdmPwdExpirationTime is the expiration time and when the reset will take place. The Password is stored in Clear Text in the attribute, we’ll work on locking this down later.

GPO Creation is next on the to do list. Located at Computer Configuration > Policies > Administrative Templates: > LAPS

Password Settings: GPO setting allows to set Password length, complexity and maximum age

Enable local admin password management: Enables management of password for local administrator account. If you enable this setting, local administrator password is managed. If you disable or not configure this setting, local administrator password is NOT managed

Since the attribute is stored in clear text, we’ll need to lock that down next to only allow those admins that require it to be able to query. There are two methods to do this, basically remove inherited permissions, or set Deny permissions on the attribute. Both methods have their advantages, which ever you go with make sure to thoroughly test after making the change using different copied AD User accounts. MS does provide PowerShell Scripts to assist in setting proper permissions, as well as locking down.

“SELF” computer object permission is required for the computer to write to the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-Adm-Pwd attributes for updates after passwords reset is executed. Next run an audit to see what users or groups permission to “All extended rights”, this will need to be removed from anyone that does not need to access passwords. The other option to lock this down would be to create a group with Deny permissions on read/modify for ms-Mcs-Adm-Pwd. Last permission are needed for who has access to force reset a password on the objects. Use the available MS scripts to assist, they lay it out very nicely.

Now that LAPS is configured and deployed lets take a quick look at the PowerShell modules available. The following basic commands should be all you ever need:
Get password: Get-AdmPwdPassword -ComputerName ‘name’ | fl
(I prefer to pipe the results to fl or format-list just encase the password is long and gets cut off)
Reset password: Reset-AdmPwdPassword -ComputerName ‘name’
That’s it, its really too easy, and in my opinion PowerShell is way quicker than using the UI client

Lets hit some potential questions that often come up:
Laptop not connected to VPN scenario– if a laptop is not connected to the network the password wont reset at the expiration time. The old password will still work just fine until the laptop connects back to the network, checks in to GPO and updates properly.
LAPS storing passwords in clear text is a major weakness– Yeah, this is an issue and guaranteed one of the first checks an attacker makes when on a network. First you MUST ensure your attribute is locked down properly. Second, you know who has access to the LAPS attribute, so use that to your advantage and set up a SIEM alert on LAPS queries for anyone outside that group. At that point you’re using it to your advantage and it almost becomes a honeypot.
Is there a record of past passwords– No, this is something that needs to be discussed within your Org and decided whether its acceptable or not. There is the possibility that a restored VM snapshot could have the old password, and if your admin account hasn’t logged in to cache could cause issues. My opinion is benefit outweighs the potential risk, but that needs to be a case by case decision.
How do I tell what computers are out of compliance- Another limitation with LAPS is the ability to audit compliance, there just isn’t a centralized console to run reports from. However, we’re admins and can script anything. Set a PowerShell query on a schedule to reach out and dump a report from workstations for the attribute date that is out of spec. Give it enough time where if an employee is on vacation and missed it by a week we aren’t bugging them, but if its 3 weeks out of spec, dig in to that one.

Microsoft LAPS is free, flexible in configuration, and better than having a single Administrator password across the board on all computers. Is it the best solution out there, not the best if you compare it to a paid solution, but may be the best free option.

WeisterCreek InfoSec – 2/3/2021

Seeing as how its closing in on the end of January and February patch Tuesday is right around the corner, hopefully everyone is fully aware of what ZeroLogon or CVE-2020-1472 is. However here is the high level just encase you’re a little late to the game, no worries though there is still time. Back in August of 2020 MS released a patch to fix a vulnerability in Active Directory NetLogon Remote Protocol, more specifically the cryptographic algorithm which allows an attacker to impersonate any Windows endpoint on the network when authenticating to a DC(Domain Controller), disable security features on the NetLogon Process and change a computers password. End result is a reported sub 3 second full DC takeover, giving the attacker free reign on the domain, ability to dump credentials and pivot latterly as desired.

Potential impact to the business is massive, CVSS scored this vuln a 10/10 which is not an understatement. With current working proof of concepts readily available on GitHub, and reports of CVE-2020-1472 exploits being tracked in the wild as early as last October, if you have not applied August patches to DCs yet, Drop everything and do it now!

Affected Server Versions:
Windows Server version 1903, 1909, 2004
Windows Server 2019
Windows Server 2016
Windows Server 2012, 2012 R2
Windows Server 2008, 2008 R2
Windows Server 2003, 2003 R2

The Domain Controller patch released in August 2020 must be installed on all DCs as well as Read Only Domain Controllers (RODCs). After the patch is installed DCs will begin enforcing secure RPC usage for all Windows device accounts and other DC communication. CVE and MS patch KB info can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472

The screenshot above was taken from: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#EnforcementMode

August DC patch fixed the vuln on domain controllers, however to fully patch the issue MS will release another patch in February 2021 which will set secure connection enforcement for any client connecting to a DC. There is potential for breakage on older non compliant devices so it is essential to monitor logs for clients attempting to make insecure connections. Luckily with the August update MS implemented a few new Windows Event IDs to assist in Step 2 above: “FIND which devices are making vulnerable connections”, IDs, 5827 through 5831.

Event ID: 5827 (machine account error) and 5828 (Trust Account Error) – Events logged when connection is denied because vulnerable NetLogon secure channel was attempted

Event ID: 5830 (Machine Account Warning) and 5831 (Trust Account Warning) – logged when a connection is allowed because account as added to “DC Allow Vuln NetLogon Connection Group Policy (addressed later)

Event ID: 5829 (Detection of non-copmpliant devices) – Devices using vulnerable NetLogon secure channel connections will log an ID 5829, the event will include information for identifying which client sent the request. These are the clients you MUST investigate to as enforcement in February will DENY these connections.

If you do have that third party device throwing Event IDs 5829 and do not have the option to upgrade or mitigate in another way there is an option via Group Policy to allow that client to make insecure vulnerable NetLogon connections. Never recommended to go this route however if the absolute requirement is there, it is an option.

Enforcement mode goes in to effect Patch Tuesday February 9 2021 so there is still time to find those outlier trouble systems and mitigate before connections are denied and stuff breaks. Set up SIEM alerts on event IDs and be ready to take action when a vulnerable client is identified

For a great article on how to exploit CVE-2020-1472 check out: https://blog.zsec.uk/zerologon-attacking-defending/#how-do-we-fix-it by Andy Gill – ZeroSec

1/23/2021 – Weister Creek InfoSec

Question: How often does your Local Group membership for Servers change?
Question: How often does a local user account get created on a Server?
Answer: Very Rare to never in most enterprise organizations

For that reason these two events are prime SIEM Alert candidates for BlueTeams that offer a low false positive rate paired with a higher risk and potential impact probability.

Local Group Membership – Windows Event ID: 4732

When either a local server user or domain user account is added to any local server group there is a Windows Security event ID 4732 created. Why is this something to monitor? builtin server groups offer additional permissions to perform actions on the server. From the lower end “Remote Desktop Users” which allows users to RDP on to the server, to the high end “Administrators” group with Root access to the system, there are 25 default groups that grant some specific level of user privilege on servers.

The example above is a stock MS image. To Break it down is as follows:
Subject: (source of change)
Security ID: SID of the account making the change
Account Name: Display name
Member: (user affected)
Server Name: Local Server
User: Display name of user added to group
Group: (group info)
Security ID: SID of the group modified
Group Name: Local group display name user was added to

Of course we want notifications for the heavy hitters that have higher server permissions, “Administrators”, “Power Users” and “Print Operators”, but why not just alert on them all since “in theory” none should change very often, if ever. Setting an alert on the overall Security Event ID 4732 will give you notifications for group additions to any of the following builtin Server Local Groups.

*** Note: Windows Event ID 4733 is Group Removal which may come in handy for the same reasons above.

Local User Account Creation – Windows Event ID 4720

There are many advantages to using Active Directory domain user accounts over local server user accounts.
– AD domain user accounts must meet your Default Domain Password Policy requirments (or OU specific password policy if its unique)
– Increased ability to harden user accounts by setting specific restrictions
– Visibility – Authentications take place on your Domain Controllers so inherently logs are easily available to query
– Easier Auditing with one main source of record (AD). Instead of a remote WMI or PowerShell query of 50 servers to check for user accounts, either get-aduser or open the AD mmc and they’re all there
A short list among many reasons. Stay away from local user accounts if at all possible

*** Note: Disable RDP for Managed Service Accounts, there is zero reason for an Admin to ever have to log in as a Managed Service Account. Using “Run as” or “Run as a different user” will work just fine without adding unneeded risk to your network

Again another MS stock photo
Subject: (source of change)
Security ID: SID of the user who made change
Account Name: Display name
New Account: (created account info)
Security ID: SID of the new user account
Account Name: Display name
Attributes: (all attributes set on account)

Any local account created needs to be investigated. It could be a server administrator creating the account for a service to run, innocent enough but take the time to steer them away from local accounts and set up a proper domain account in its place.

Some other Windows Event IDs to pay attention monitor:
4722: A User account was enabled
4724: An attempt was made to reset an accounts password
4738: A user account was changed

Know your network and watch for anomalies

1/11/2021 – Weister Creek InfoSec

By now everyone has seen in the news the major Supply Chain Attack against Solar Winds.  If so feel free to skip this and jump to the next paragraph, If not a very high level summary is as follows:  Originally accredited to the Russian hacking group ATP29 (however questions been recently raised on accuracy of that allegation) Solar Winds was breached in early March and source code was edited without their knowledge.  Solar Winds approved the changes, signed the code with their certificate validating it and pushed it to production making it available to all customers. All code released between March and June 2020 had been maliciously altered.

The breach came to light on Sunday Dec 13 after the sophisticated malicious group attacked the security vendor FireEye Mandiant, who was able to track the entry point in their network to a Trojan backdoor in the Solar Winds Orion product. That was a very brief, obviously a lot more packed in to the entire scenario, but the point is what follows.

Like many security vendors Solar Winds likes to brag about who they provide services to.  Currently removed due to the obvious above, but this was a screenshot of the customer page of SolarWinds.com on December 12.

Cut to the point: If your organizations name is listed on a website with a known major vulnerability you’ve automatically become a target.  Minimizing OSINT is important!  OSINT (Open Source Intelligence) is information that can be gathered by anyone with a little time and effort. As employees or as IT Professionals we need to be mindful of what is posted online in relation to your place of work and more specifically Org IT, infrastructures and controls.  Where this sharing is not be done with malicious intent, it can be damaging to the Organization in the hands of the wrong individual.

Example:  I post on my linked in that I’m an expert in securing Apache 2.2 running in a server 2008 environment.  Reason for posting is to demonstrate a skill-set of securing old software on old out of support servers. Where intent is innocent, any attacker interested in attacking your Org would have a hay day knowing there is an old vulnerable web server sitting on our network, potentially open to the world.

Some questions to ask yourself:
What do you post on Twitter, Facebook, Instagram and the tik tok etc?
What does your LinkedIn profile say about you, more importantly about your Orgs software that’s run?

General rules of thumb:

• Whenever a new software purchase is made make it a point to opt out of the software vendor adding your companies logo / name to their customer list on their website
• Don’t discuss the products you use with competing vendors unless there is an absolute need to know, keep your cards close to your chest
• Never post an employee badge pic online
• Never post information specific to a system
  • This is a harder one,  if we are hiring a Fortinet admin there is no way around posting a job listing without Fortinet info.  In that instance keep it general, no version numbers, no specifics on modules that are run
• Never post pictures of your laptop which will again display software used
• Never post pictures of infrastructure, Data Centers etc

Keep OSINT top of mind and always remember…

No longer breaking news as I’m sure every Cyber Security Professional is aware that FireEye announced on Dec 8 2020 that they were victims of a data breach from what they are calling a “state sponsored attack”. Now that things have settled down a little and more details have been officially released lets dig in to the breach to summarize what we know and analyze what sort of impact this could have on the the Cyber Industry and businesses across the world.

But first, who is FireEye?
FireEye was initially founded in 2004 specializing in sandboxing technology but really took shape to the FireEye we recognize today when they acquired Mandiant in December 2013 for $1 Billion. With this acquisition they expanded thier portfolio and became a world leader in Incidents Response services. Today FireEye Mandiant offers the following services: Network Security and Forensics, Endpoint Security, Email Security, and of course Consulting, Incidents Response and training. As of December 2019 their employee base was around 3,400, today they are estimated at a net worth of 3.12Billion.

In FireEye’s initial write up release on the attack they stated the uniquely constructed attack was executed “by a nation with top-tier offensive capabilities.” “They are highly trained in operational security and executed with discipline and focus.” Who better to lead a breach incident than Mandiant themselves, however they are doing their full due diligence and pulling in the FBI and Microsoft among others to assist in the investigation. Major news agencies are reporting the main culprit in this attack is looking like Russia’s elite hacking group know as Cozy Bear or ATP29.

During investigations it has been discovered that the main target of the attacking group was FireEye’s treasure trove of custom Red Team assessment tools. Where we can assume these tools by themselves are quite dangerous in the hands of an enemy, there does not appear to be any Zero-Day exploits included in what was taken.
“The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit”

FireEye took a cautionary route in releasing more than 300 countermeasures to the public to detect and minimize potential impact. Yara, Snort, ClamAV and OpenIOC detections have been released so we can guarantee that AV and IPS vendors are hard at work updating rule sets before anything is seen in the wild.

Details can be found here: https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

The github of countermeasures: https://github.com/fireeye/red_team_tool_countermeasures

Business News Insider reports that FireEye stock took a 13% hit after the breach was disclosed which equals around -$450 million off the groups market capitalization. Will they bounce back from this attack? In my opinion yes, without a doubt. They handled the breach in a very respectful manner, assisted the industry in being open with releasing IOCs and countermeasures. Lets face it, the fact that they didn’t open their first public statement with “we take security seriously” gives them a few extra points. Maybe with the drop in stock prices that just means now is the time to buy.

Some very sophisticated tools stolen are now in wrong hands, there is no arguing that fact but this will not be the straw that breaks the Cyber Professionals back. We have no idea what the attacker will use these tools for, or if they will even end up being released at all to the public. If one of these tools truly is a framework similar to CobaltStrike yes its good to be aware of its existence, but again for the average organization this is not an event to prioritize over general Windows patches for example. If your org has the bandwidth and the tools required to detect IOCs released in the countermeasures by all means take action to protect yourself. If your org has port 3389 open to the public or haven’t deployed MFA, knock those out before even thinking about spending time on protecting yourself from these tools.

The well known saying “Its not if you will get breached its when and how bad“ as always fits this FireEye situation. RSA, Kaspersky, the NSA, SANS are just a few of the many high scale Security vendors breached over the past few years. It will happen but how you react at that time when the pressure is on is how you will be remembered and judged for years to come.

references:
https://www.csoonline.com/article/3600893/fireeye-breach-explained-how-worried-should-you-be.html
https://github.com/fireeye/red_team_tool_countermeasures
https://github.com/fireeye/commando-vm
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html