Saturday, 7 May 2016

Red Team Case Study

A red team exercise involves completely reimagining the traditional penetration test and vulnerability analysis. Rather than examining individual components of the security model in isolation, red teaming simulates a real criminal attack under controlled conditions. These tests mimic the real-world targeted attacks that businesses face on a daily basis, using a goal-based engagement that delivers the true business impact of a breach.

Our client engagement started with a threat and risk analysis, personalised to the business, to identify real-world attackers, their motivation, their skills and likely avenues of attack. Once the most likely and damaging threats had been identified, scenarios were created that the staff of the organisation would recognise as real and pertinent to their company.

Each scenario began with an information gathering and reconnaissance phase to identify potential weaknesses in physical premises, staff members and Internet-facing technology. Premises were located and reviewed online to produce a short-list for further examination in person. On-site reconnaissance of selected buildings was used to plan a more detailed, multi-staged operation.

The organisation’s registered domains, address ranges and Internet hosts were examined, exposing the software in use, and finding public-facing systems such as Outlook Web Access. Internet searches harvested email addresses and associated employee information from sites such as LinkedIn. Emails were sent to elicit responses containing the company’s official style and layout.

A spear phishing campaign was mounted, using email addresses discovered in the information gathering phase, with fake domain names and cloned sites facilitating password theft.

The stolen credentials were then deployed in an on-premises attack against a branch office. Physical access to premises was facilitated through a combination of impersonation and telephone pretexting. Subsequent network access using the phished passwords permitted theft of information from a variety of servers and also demonstrated persistent remote access through technical exploits.

More sophisticated on-premises attacks were then designed to test visitor controls and desktop security at head office. Scenarios were developed with team members having fully-developed ‘legends’ (back stories) for each engagement. The stories selected entailed impersonation of a potential customer requiring a tour of a facility, and another masquerading as a member of the press researching the charitable activities of the business. Carefully planned emails and phone calls resulted in a legitimate appointment at head office. Once on site, one team member kept staff occupied in a business meeting while another excused themselves for a ‘comfort break’ and took the opportunity to look for unprotected computers and to plant a remote control device on the network. That team member was never challenged during their excursion and found unlocked offices containing unattended and logged-on computers.

This threat-based approach highlighted vulnerabilities that otherwise would have been missed or perhaps not even considered during a typical ‘due diligence’ exercise. It delivered critical results for a modest outlay in time and expenditure. Red teaming is not an alternative to traditional testing, but it is a very valuable additional activity.

There was also the opportunity to use the results of the red team exercise as the basis for world-wide security awareness training. Presentations based on these simulated criminal attacks engaged people in a fashion completely unlike traditional training. Because the audience was following a story, and because that story was genuinely relevant to their organisation, it was possible to raise the bar on that most difficult of security controls - the human firewall. Security awareness at all levels was increased significantly and staff members became security evangelists in their own right.

Further red team exercises will build on this exciting precedent and provide more engaging stories to continue the education of everyone in the organisation.

Tuesday, 26 January 2016

Windows Password Issues

How Long is Strong?
You might imagine that a seven-character password is very difficult to crack. However, if we were to try guessing every possible seven-character password using an automated tool, it would take just two days to work through all the permutations on a typical desktop PC.
Even worse, most people choose simple passwords - perhaps using the name of their partner with a number appended, or some other word commonly found in a dictionary. An attacker with the right software can try most words and proper nouns, each with one or two numbers appended, in just a few minutes.
It Gets Worse ... 
There is another threat to Windows passwords: rainbow tables. Putting it simply, these are lists of passwords with their encrypted equivalents, making the process of finding a password very fast indeed. Since the tables contain both the encrypted password and its corresponding plain text, you are effectively looking up the password rather than needing to guess it.
The only restriction for rainbow tables is size - the longer the password you are trying to guess, the larger the tables need to be.
What About 'Complex' Passwords?
The traditional response to the problem of weak passwords is to encourage users to use a combination of random letters, numbers and symbols.
Unfortunately, such passwords are impossible for the average person to remember, resulting in other serious problems such as passwords being written on post-it notes or hidden under the keyboard where even inexperienced attackers can find them.
If you decide to make a complex password memorable,  
What's the Answer?
The maximum length of a Windows password was increased to a massive 127 characters many years ago. Although the 'change password' dialogue box limits you to 32 characters, this still makes long, secure passwords possible.
So, instead of trying to memorise a complicated string of numbers, letters and symbols, envisage the password as a passphrase.
A phrase such as “I.love.green.tomatoes” is very easy to remember, yet all but impossible to crack using any automated tools.
Isn't it time you considered switching to passphrases?
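The arithmetic behind this post, as an added worked example (not from the original article): it backs the guess rate out of the post's own "seven characters in two days" figure, applies that rate to a 21-symbol passphrase and to the "word plus one or two digits" pattern, and shows the precomputed-lookup idea behind rainbow tables with a tiny hash-to-plaintext table. The 95-symbol alphabet, the 27-symbol passphrase alphabet, the 100,000-word dictionary, the sample passwords and the use of sha256 as a stand-in for the unsalted Windows hash are all assumptions.

```python
import hashlib

PRINTABLE = 95        # printable ASCII symbols available to a password (assumed)
LOWER_AND_DOT = 27    # a-z plus '.', the symbol set of "I.love.green.tomatoes"
TWO_DAYS = 2 * 24 * 3600

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def implied_guess_rate() -> float:
    """Guesses per second implied by the post's figure: every 7-character
    password in two days on a desktop PC (derived from the text, not measured)."""
    return keyspace(PRINTABLE, 7) / TWO_DAYS

def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def word_pattern_guesses(dictionary_size: int, max_digits: int = 2) -> int:
    """Candidates for 'dictionary word with zero to max_digits digits appended'."""
    return dictionary_size * sum(10 ** d for d in range(max_digits + 1))

def hash_of(password: str) -> str:
    # sha256 stands in for the unsalted Windows hash; the lookup principle is identical.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> plaintext table: an uncompressed rainbow-table analogue.
    Its size grows with the keyspace covered, which is the limit the post describes."""
    return {hash_of(p): p for p in candidates}

def lookup(table: dict, stolen_hash: str):
    """Recover a password by lookup rather than guessing; None if it is not in the table."""
    return table.get(stolen_hash)

if __name__ == "__main__":
    rate = implied_guess_rate()
    print(f"implied rate: {rate:,.0f} guesses/s")
    years = seconds_to_exhaust(LOWER_AND_DOT, 21, rate) / (365.25 * 24 * 3600)
    print(f"21-symbol passphrase over 27 symbols: {years:.2e} years to exhaust")
    print(f"word + up to 2 digits, 100k words: {word_pattern_guesses(100_000):,} guesses")
    table = build_lookup_table(["password", "letmein", "Sarah1"])  # constructed sample
    print("table hit:", lookup(table, hash_of("Sarah1")))
    print("table miss:", lookup(table, hash_of("I.love.green.tomatoes")))
```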
More Info
Get your copy of the full Windows passwords white paper