
Application Consent - Persistent Access for the Good and Bad

BSides Perth · 2021 · 27:48 · 99 views · Published 2021-09 · Watch on YouTube ↗
Category: Technical
Style: Talk

About this talk
Application consent mechanisms allow third-party services and applications to gain persistent programmatic access to organizational resources through OAuth tokens and API permissions. George Coldham explores how these integrations—from GitHub logins to Office 365 email access—can be exploited for persistence and privilege escalation, and outlines detection, logging, and least-privilege strategies for developers and security teams to reduce risk.
Original YouTube description

Lock note speaker :) Subscribe to our channel! Talk from BSides Perth 2021

Web: https://www.bsidesperth.com.au
Twitter: https://www.twitter.com/bsidesper

Talk: Application Consent - Persistent access for the good and bad!

Application consent allows a third party service to gain persistent access to resources in your environment. This can be something simple like scheduled automation scripts, using a GitHub account to log into HacktoberFest, or granting access to email and calendar for your fancy smart whiteboard. Recent high profile security incidents have shown how API access has been exploited to be used for persistence. Management of the application consent process, and environment access for registered applications, were free and unfettered in many environments, allowing bad guys to do what they wanted in a largely unobserved way.

This talk will explain the application consent process, and why as an application developer you need to ensure you request only the minimum permissions required for your application to work. The talk will explain to those responsible for administration and security of an environment how they can control and manage potential security risks in the environment caused by these allowed applications.

About the presenter: George Coldham

George is a dad, husband, best friend, worst friend, geek and Senior Consultant at Empired Ltd. George goes out of his way to learn new things every day, sometimes Cyber related, and loves to share that knowledge to help make a difference in others' lives. George finds purpose through service and is super excited to be here today.

Transcript [en]

Sweet, I'm gonna drop off. We'll hand over to George, talking about application consent: persistence for the good and bad. Over to you, mate.

Thank you. Can you hear me? I can't hear me. What a setup. Thank you for staying to the very end. I thought I would have just my little private cheer squad up the back and then a couple in the front, so well done, you all deserve a round of applause. [Applause] And don't worry, my talk is not one that requires heavy brain work, so it's perfect for the end.

So who am I? That's me. I went to Nalu Station and the sunset was awesome. I was so happy I took a picture of myself. But you know, I'm just a regular guy. I work for Empired as a senior consultant doing cyber security stuff for them, and I like trying to go outside and camp and fish, and I'm sometimes a champ at Rocket League if I play enough. So I wanted to talk about application consent because it seemed like I was seeing it in quite a few of the incidents I was managing, or the blogs I was seeing, as a means of maintaining persistence in customer environments. I had to actually work out what it was first, and how it could be used, or unintentionally create scenarios where it could be used. So that was the idea for the talk.

Application consent basically allows programmatic access into your environment. Normally a user would have to log in to an account, and we're probably quite familiar with the process of assigning permissions to a user account, but this isn't necessarily assigning permissions to a user account. It could be a service account, and it could be permissions much more privileged than what a user would normally get. So it's programmatic in nature, it simplifies integration, and it's used with single sign-on. It's bigger than I thought, but the text is probably still a bit small to see up the back.

This is an example of me signing into GitHub on my iPhone using my GitHub account. So it's my account and it's my phone, but I'm still giving permission to the GitHub iOS app to act on my behalf, and that's so when I open up my phone I don't need to type in my username and password, do my two-factor authentication. I open it, it has the permissions saved. All right, and having a look at the permissions, it's actually quite... it's the whole account. So to put it into context, if someone knew the PIN number on my phone and stole my phone, they've now got full access to my GitHub. Good luck to them, there's nothing useful in there, but I mean, they'd still get it.

Having a look at the other side of this, this is looking inside GitHub at the permissions that that application has been granted. All right, so this is the sort of permission a regular consumer would be using with a consumer service, but it applies equally the same in your corporate environments or in your enterprise. And it may well be them using their personal or their work email with Office 365, signing into monday.com and granting full access to their mailbox, and if you're looking after your environment you might be concerned, unless you've done a full risk assessment on monday.com and every single other application your users have the ability to consent to allow their data to be used within.

So here's my Google account signed into my Mac, right? Do you know, when you're on a Mac... maybe some of you don't, but you can go into the accounts and put in your Google account. It has access to your calendar, your mail in the Mail app, calendar in the Calendar app and some other resources, and it's just another example of how my Mac doesn't need me to log in for me to use my Google resources. It's been consented away. My Mac is now me for Google. This all works using a thing called OAuth.

OAuth is an open standard used to provide authorization for resources. It uses whatever authentication protocol the identity provider uses. So I've shown you two different identity providers: GitHub is an identity provider and it's using OAuth to consent to the GitHub app; Google is an identity provider for my Gmail and that's consenting to macOS to use it, and OAuth is the mechanism. Oh, it's great because it's secure, it uses HTTPS, so that's all the stuff that James was talking about this morning that allows it to be safe. It's an open standard so you can implement it across many platforms or any platform. It doesn't stick to any one programming language, operating system, platform.

There's three types of tokens that are used, based on the type of process that has got... First of all is the access token. It's the simplest one. An access token is given immediately after an authentication. All right, so that access token is used to authorize based on whatever permissions the account has been granted in that system. Now an access token is only short-lived. Speaking in Azure AD, because that's where I live; if you're looking in Auth0 or many of these other authentication providers there's more capability, but the principle is generally the same. Access tokens are short-lived, like 60 minutes long. All right, but with an access token, it's kind of immutable. I say kind of, there's always ways to split it. But if someone steals your access token they can be you and have all of the access that you have. But it's transmitted securely, so they would have to steal it some other way, or they'll have to dupe you with a phish, get your credentials, then they can log in as you and have an access token.

The session token, it's a bit like a cookie. It might grant an access token and a session token at the same time for a web service, and the access token is less important because the session token could be whichever defined session length, and then once that expires you need to re-authenticate.

And then lastly there's the refresh token, which is beautiful. Has anyone noticed that you might only need to log in every 90 days to a lot of the web services, Facebook, Twitter? Yeah, that's because when you sign in it gives you an access token for that immediate session that you're currently in, and then a refresh token which lasts for whatever has been defined by that service. When your access token expires it uses the refresh token to give you a new access token without re-authentication.

All right, there's a bunch of services. These are actually identity providers, but they all use OAuth. This is the login on the Epic Games site; I mean, it just felt easy because there's lots of colours and lots of providers, but they all allow you to use your account with these external services to register and log in with Epic, right? So Epic doesn't necessarily have to maintain their own, although I'm pretty sure that at the very top they also have their own.

So what's the big deal? So if you're consenting to an app, or if your users in your organization are consenting to an app, you're hoping that they're only consenting to low-risk, low-privileged apps, right? So that's sort of like read-only permissions. You can still steal a whole mailbox with read-only, but they can't delete the mailbox. I don't know if that's better. So typically you only want to allow a user to grant access to low-value resources, maybe their own personal calendar a lot of the time you'll find, but it's whatever they have access to that they can delegate access or consent to give to another service. So if it's an executive assistant in an organization with access to ten mailboxes including the CEO's, then maybe that person's not so low risk, even though their job function doesn't have privileged roles, it's got sensitive information behind it. So it's always a risk assessment activity. Don't just make assumptions, you've got to have a look at this stuff.

Here's an example of a very high-importance, low-risk app consent. It's expired and I have deleted it out of my Facebook. I don't actually know if I ever used it, but my friends told me I could get a free shake if I had the app. So basically all this did is allow me to log into the Hungry Jack's app using my Facebook account. All right, and you can see the permissions: all it gets is my profile picture and my name and my email address, and with so many of them dumps that go around, my email address is no longer private, and if you were really clever you'd probably be able to guess it. So low risk. Maybe you can't read it, that would be good.

So what does a high-risk app look like? Maybe permissions scoped to the whole tenant rather than just to a single user. Maybe an administrator has done the application consent rather than an unprivileged user, because then that application can retain administrative privileges, which can be quite scary if it's like a global admin signing off on stuff, and I've got a good example next. And if the application can then manage other applications or manage users, then that has potential to be a bit scary.

Here's a program, like... the fun thing, does this work? Oh look, see these green ticks? That means someone sufficiently authorized said yes, you can have access to this whole tenant. All right, and then if you have a look at the... Application read, Directory read all, Groups read and write all groups, so it can manage all, manage access as a user, like pretty much all of Exchange is owned. But that one, consent required: no, but it's been granted anyway, because there's this button which is really easy. Rather than individually granting, you can just grant all and do the one click. But basically this is meant to be high permission. It's for Veeam Backup for Office 365. They need to get everything, right? But the way it's set up it still has a client secret, and if a bad guy got that client ID and client secret, maybe out of a poorly configured VM agent, then they've got that access, right? It's wonderful.

Script-based logins. Cairo was talking about stuff around this yesterday. There's a lot of environments where you cannot manage the way connectivity is put in, or maybe the vendor has bad or lazy security practices, but essentially you can register an application in your identity provider, so I'm always thinking Azure AD, and then you assign permissions to your application, and that way you can automate when that script runs. And you just put in... well, you shouldn't, but most people do just put the credentials in the file. You've got to protect it like it's your password. Well, that's easy to read. So we've got three variables on this, right? We've got the client ID, which is like the username in this instance; we've got the tenant name, which is like the place where that username lives; and we've got the client secret, right? And then this is to make a Graph API connection, which is the back end of all of Microsoft 365. So you generate a token, and then you basically send a web request with that information, and then you're authenticated, so you've got an access token. That's what this header is. All right, so this is really straightforward. I mean, I just pulled this out of the Microsoft docs. I'm not really great at programming, but I'm bad enough to be dangerous. And like I started off leaving these things in here, and that's bad, right? And there was a talk a couple back where he was talking about putting it as an environment variable. That's infinitely better, but ideally you would probably, at least in Azure, use a managed identity or Key Vault to sort of keep your secrets safe. Because this application couldn't do much, just manage the whole Teams tenant for a state government organization. But I promise you I did change the client ID and the secret. I actually went and just generated them with the right amount of digits. I don't know if it's the right format, but that won't work anywhere, and that tenant might exist anyway, so don't try it.

So what can go wrong, right? If you consent to an application, then you're trusting that application. All right, it's as simple as that. You're saying whoever this application... doesn't want to do harm. Installing this application in my environment and giving this permission means I trust the application, and if you give it broad access then you're trusting it an awful lot. Scripted tasks, back in the day, on just on-prem stuff, it was pretty straightforward: you'd have a service account, and a lot of the time you can still do a similar thing, but you just need to try and obfuscate and protect your passwords, right? So, and use the services that help you keep your stuff safe, like if you're using an Azure Function you can use a Key Vault.

So I've got some hypothetical examples. Well, only one really, because I was asked to be quick. Like, what happens if an attacker gained access to a sufficiently low-privileged account, but it could modify an app principal, because there is an Azure AD role called Cloud App Administrator? Or it could be they've managed to somehow get a privileged account and they're modifying a low-privileged app. But with that app they can create themselves a secret, and once you create the secret it obfuscates it in the system, so you've got to copy it. It's annoying as hell, because if you forget you've got to delete it and create another one. So you create the secret and then you go to the API permissions and you can just say, everything, and consent. A lot of the time, unless you've got like enterprise-grade licensing, you are not going to know, because there's no logs. I mean, there's like audit logs, there's the unified audit log in Microsoft, but I don't know how many people sit there. I mean, Bex might, but there's not many people who sit there watching this log source, right? Yeah, and I am a complete Microsoft shill; there are products that you can buy and easily use to do that. But maybe your SIEM, if you've configured it properly, would have it, but I know before December last year many, many organizations did not have it.

All right, but Solorigate showed us that attackers were using this as a really valid method for persistence and elevated permissions. I can't remember what month it is, but we got this nice communication from the three- and four-letter organizations talking about an attack where the Russian GRU was using Kubernetes instances, which they had automated, to do a global attack on Office 365, and basically they were just looking to maintain persistence or exfil, and what I'm talking about fits in right here, right? And low privilege, just use, like I've given that out just to my phone, because I read email on my phone, so it can be a bit scary. Fortunately, we can do things like, if it's a username and password, you can put multi-factor authentication in, which is much safer, and if it were a service account you can put Conditional Access actually on a service account and say you can only run from certain places or do certain things.

So how do you defend it? Basically there's this one really good toggle switch which says that your users cannot consent to applications, period. But that might upset your users who want to be able to use their 365 account with Instagram for whatever reason. I mean, I don't think there's a link there, but my point being, a user will want to sign in with their work account in many places that you've just... why? So you can turn it off, but if you're not completely draconian you can turn it back on and limit it to really low-value permissions, so like my Hungry Jack's app, right? So they can share their email address, share a picture of them, enough so that they can log in. LinkedIn integrates well, you can log in with your work credential, it doesn't really pinch much info, Microsoft already has it I guess. But that level of access, you can make it so they can do it without having any further impediment, and then if they do try to consent to their data being put into another app and one of the permissions falls outside of what you've allowed, you can have a consent flow, and essentially you nominate someone when you're setting it up as the person who has to go and review all of these ones. But it's better than just allowing anyone to have access. So it may be ticket-driven, however you want to integrate it, but they'll go into the AD portal or MCAS and review it, and they can do a risk assessment, which is what we should be doing. We don't want to block users from doing everything, we just want to block them from doing stupid things. It depends on the user around me, I mean, I'm glad I don't support you, but maybe if you use the Canon camera... And if you have got a CASB, you can use it to monitor, because everything that goes over HTTPS with your accounts can be tracked through it, and you can set up rules. So even if you don't want to go through and set up the constraints, you can still set up policies in your CASB to watch what is going on and then just go have conversations with people.

Wait, I've got more. All right, yeah, make sure you've got sufficient logging. I've heard this a few times. Seems common sense to me, until you've got to buy storage or pay for cloud storage. Yeah, so it's not easy, but make sure you're logging the important things. Mighty, I'll send you the slides, you don't need to.

And if you have got the logs and you're putting them into a SIEM, then you can also create an alert to match the sort of thing that you're looking for, right? More importantly, make sure you're logging certain actions, like if a new application is registered, log it. If a client secret is changed or added, log that and generate an alert, yeah, because these are signs that someone's trying to maintain persistence in a covert way, or the password's going to expire in a month and for a change they're changing it before they get a support ticket that the service isn't working. And yeah, if you can use Conditional Access, it's super powerful. I don't know how many orgs are not in 365; in my day job everyone is, because I work for a Microsoft partner. But if you have got Conditional Access, use it, it is so powerful and you can block quite easily. If you're a developer, practice the principle of least privilege. Don't ask for more than you need. All right, it's easy to just ask for everything because then everything works, but then you're sort of opening up your org to a lot of risk. And use a Key Vault, or obfuscate your secrets in such a way that they can't just be lifted up and pinched.

Right, I'm being cheeky, I just can't let this opportunity go by. I mean, I don't know about you, but they put me last and I was quite happy about that. It was a surprise. But because I'm lazy and I didn't read the whole email, the email was so long and I had to click the button in Gmail to show the whole table, and then I had to scroll like three pages to find me, so I thought, hey, I'm the locknote, and I put it on Twitter asking, and Nigel kindly responded, thank you, and he said he prefers the closing keynote, and someone else who is rather sneaky responded and told me that I might be the tail talk, Charlie. But I did put it on Twitter, if it's the locknote, and I had a resounding seven votes that said yes, and we all know Twitter is the source of truth. So here we go. Very smooth, thank you PowerPoint. I promise you this is like three minutes long.

So basically, for those of you who don't know what a locknote is, it's like a touchy-feely session to round up a conference so you just feel good about yourself, especially if you felt dumb because you didn't understand most of the topics. But I don't think that's anyone here; the dumb people ran out of stamina and have fled looking for more donuts, right? So congratulations everyone again. [Applause] And honestly, all I'm going to do is recount my last three years of coming to... well, four years, but you'll see.

Like, this was my first BSides and I was a bit shy. I only did two tweets the whole weekend, and the first tweet was about food, because if anyone knows me, food, and the second one was, I was just amazed at the badge. I'd never gotten such cool loot at a tech conference before. All right, and honest to God, coming to this conference was transformative for me, because it's the first time I saw a valid career path that I might be interested in, because I was in a real doldrums. I mean, I'd been working in the TAFE teaching, it was great, but I'd kind of reached some limits, so I was like, well, what can I do? And then I came to BSides and I saw heaps of cool talks. I loved watching the VP of Cylance watch his product get bypassed, immediately after he had it. Learning about WiGLE, like my eyes were open the whole day. It was bloody awesome. All right, and then building on that strength, the next year I almost won the inaugural and prestigious Australian Cyber Security Professional of the Year. Almost. And I know I'm not alone here, there are other people who are like... who else was here and was a finalist? Don't be shy, look, yeah, we've got a few people. And then I was really lucky, they let me run a workshop. I hadn't been teaching for a little while, so I did do a workshop on Raspberry Pi and made a little hack tool, which was fun, and I met some really cool people through that workshop, including Gail. And from that BSides, because I was a little less shy, I met a bunch of people. I got to meet Ian and I got to join the ComfyCon crew. If you don't know about ComfyCon, it's your loss because it's awesome. I got to meet Bex and a handful of other people, right? It's been super good. I was so keen for 2020...

And then we came to 2021, and that was yesterday's first tweet, which was awesome. Like, this is a great conference, and I don't believe we should underestimate how good and how much of an impact it has on our community. And for me, I think in part because of BSides, not completely, I'm going to have a little bit of ownership of my own destiny, but attending the BSides really did present a new perspective. All right, so I now have a satisfying role in cyber and I'm included in an awesome community, ComfyCon and BSides. I mean, we've got people from all around Australia coming in. Every year when Nigel announces the date I block out my calendar, because I want to come, and I think I was like the first ticket buyer, but I think he was just teasing me. I was 856 or 857 and the first purchase, I had to refresh, but I was keen. And like, maybe not getting the first ticket because I'm going to fire you every year, but learning and having your perspective shifted is an opportunity sort of open to anyone who attends. So if you're thinking about a role in cyber and you're not quite there, or maybe you're in one part of cyber and thinking I'd like to try something different and you haven't, like, just have a go, because you've got all of these people who would talk to you about it. All right, so it's awesome. So thank you, thank you to you three, thank you to all the other red shirts, they're the coolest red team I know, and thank you for listening to my talk and indulging my second talk as well. So thank you very much. [Applause]
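The talk's defensive recommendations (log new app registrations and added client secrets, alert on them, and review consents that fall outside a small self-service allow-list) can be turned into concrete detection logic. The following Python is an added example written for this page; it is not code from the talk or from any Microsoft tooling. The audit records are constructed, with field names only loosely modelled on Azure AD audit log entries, and the two scope lists are assumptions standing in for an organisation's own risk assessment.

```python
"""Detection logic over Azure AD-style audit events for app-consent persistence.

Constructed sample events (not real log data) shaped loosely after Azure AD audit
log records: an activity name, the initiating identity, the target application and,
for consent events, the permission scopes that were granted. Field names and the
scope classifications below are assumptions for this example, not an official schema.
"""
import json

# Scopes a user may self-consent to: the "low value" set the talk describes
# (sign-in, profile picture, name, email). Assumed list; tune to your own policy.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read", "offline_access"}

# Scopes that give tenant-wide or mailbox-level reach. Assumed list for the example.
HIGH_RISK_SCOPES = {
    "Directory.Read.All", "Directory.ReadWrite.All", "Group.ReadWrite.All",
    "Application.ReadWrite.All", "Mail.Read", "Mail.ReadWrite",
}

# Activities the talk says to log and alert on: new registrations and new secrets.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}
REGISTRATION_ACTIVITIES = {"Add application", "Add service principal"}
CONSENT_ACTIVITIES = {"Consent to application"}

# Constructed sample audit log: one JSON object per line.
SAMPLE_LOG = """\
{"time": "2021-09-01T08:00:00Z", "activityDisplayName": "Consent to application", "initiatedBy": "alice@example.test", "targetApp": "LinkedIn Login", "adminConsent": false, "scopes": ["openid", "profile", "email", "User.Read"]}
{"time": "2021-09-01T08:05:00Z", "activityDisplayName": "Consent to application", "initiatedBy": "bob@example.test", "targetApp": "Mailbox Sync Helper", "adminConsent": false, "scopes": ["Mail.Read", "offline_access"]}
{"time": "2021-09-01T09:10:00Z", "activityDisplayName": "Consent to application", "initiatedBy": "admin@example.test", "targetApp": "Backup Connector", "adminConsent": true, "scopes": ["Directory.Read.All", "Group.ReadWrite.All"]}
{"time": "2021-09-02T23:40:00Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": "carol@example.test", "targetApp": "Backup Connector", "adminConsent": false, "scopes": []}
{"time": "2021-09-02T23:42:00Z", "activityDisplayName": "Add application", "initiatedBy": "carol@example.test", "targetApp": "Sync Tool v2", "adminConsent": false, "scopes": []}
{"time": "2021-09-03T10:00:00Z", "activityDisplayName": "Consent to application", "initiatedBy": "dave@example.test", "targetApp": "Room Booking Board", "adminConsent": false, "scopes": ["Calendars.Read", "User.Read"]}
"""


def classify_event(event):
    """Return (severity, reason) for an event worth alerting on, else None."""
    activity = event.get("activityDisplayName", "")
    app = event.get("targetApp", "<unknown app>")
    who = event.get("initiatedBy", "<unknown>")
    scopes = set(event.get("scopes", []))

    # A new secret or certificate on an existing app is the persistence signal
    # the talk highlights: alert every time, regardless of who did it.
    if activity in CREDENTIAL_ACTIVITIES:
        return "high", f"{who} added a credential to {app}: possible persistence"

    # A brand-new registration is not necessarily bad, but it needs a review.
    if activity in REGISTRATION_ACTIVITIES:
        return "medium", f"{who} registered {app}: review requested permissions"

    if activity in CONSENT_ACTIVITIES:
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        unreviewed = sorted(scopes - LOW_RISK_SCOPES - HIGH_RISK_SCOPES)
        if risky and event.get("adminConsent"):
            return "high", f"admin consent by {who} granted tenant-wide scopes to {app}: {risky}"
        if risky:
            return "high", f"{who} consented {app} to high-risk scopes: {risky}"
        if unreviewed:
            return "medium", f"{who} consented {app} to scopes outside the self-service allow-list: {unreviewed}"
        # Only low-risk scopes: the self-service case the talk allows through.
    return None


def evaluate_audit_log(text):
    """Parse newline-delimited JSON audit events and return a list of alert dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify_event(event)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({
            "time": event.get("time"),
            "severity": severity,
            "app": event.get("targetApp"),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate_audit_log(SAMPLE_LOG):
        print(f"[{alert['severity'].upper():6}] {alert['time']} {alert['reason']}")
```

Run against the constructed log, the first consent (sign-in scopes only) produces no alert, the mailbox-reading and admin-consented tenant-wide grants and the new client secret are rated high, and the new registration and the calendar scope outside the allow-list are flagged for review. In a real deployment the same classification would run over the exported unified audit log or SIEM feed rather than an inline string.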