
Use What You Have

BSides Peru · 2023 · 41:33 · 137 views · Published 2023-08 · Watch on YouTube ↗
About this talk
Security hygiene and fundamentals are the foundation of effective cyber defense, yet many organizations skip basics in favor of advanced tools and shelfware. This talk explores how to maximize existing assets—from OS hardening and network segmentation to Active Directory cleanup and log management—to reduce risk with minimal additional budget.
Original YouTube description

BSidesPGH 2023. This is a talk to discuss why security hygiene and the basics are fundamental. When you skip over them, or are unsure what you can do with a limited budget, or even with a bunch of security toolsets, where should you turn and direct your attention to increase your cybersecurity, reduce risk, and do it with minimal budget asks? Reason for talk: we see so many organizations buy shelfware, or try to solve issues with really advanced tools, but do not have the basics completed yet. What problem does this attempt to solve? Bring a conversation to the surface around solving basic issues with limited or no additional funding. Corey Bussard: over 15 years' experience across many facets of IT. Built multiple different teams, such as a 24/7/365 NOC services team, a 24/7/365 MDR services team, a Digital Forensics and Incident Response team, and a DevOps team. Worked on both sides of the cybersecurity fence (offensive as well as defensive activities). Husband, Father, Hobbyist. https://pretalx.com/bsidespgh-2023/talk/9PTJBW/

Transcript [en]

All right, good morning everyone. Welcome to the second session of BSides track two. Before we get started, a quick clerical announcement: apparently there was a t-shirt kerfuffle of some sort, I don't know. Davey says check your emails if you're missing your shirt. I think there was something wrong with the XL shirts, but anyway, check your email if you're looking for one of those shirts, and then take that email over to the registration table. So today we have Corey Bussard talking about "Use What You Have." I'm sure not all of us have these large corporate budgets that we see some of these FAANG companies represent, so this will be an awesome talk, learning a little bit more about

using what we have and the best way to optimize this technology. So, that said, let me turn it over to Corey.

Thank you, thank you. So, just as he said, today I'm going to be talking about "Use What You Have." There's a lot of things that you have, and these things you may not have to go and spend money on; they're just things that you could utilize, take advantage of, or deal with to improve your security, obviously. So with that being said, who am I? In my professional life, vice president of security services for an organization called Blue Bastion. I run a managed detection and response team, a digital forensics and incident response team, and a DevOps team, just because I'm a huge proponent of automation. Who am I personally? Well, I'm a husband, a

father, I'm a hobbyist. There's a lot of different hobbies that I have, and the last one on there is true: I am an alpaca farmer. I have Babydoll sheep. Too many animals is what I'll say. So you'll see alpacas here or there with me. So why the basics? You know, there's a ton of tools out there: insert an EDR platform, insert some new buzzword term, XDR, that's out there. Can't I solve all my problems with that? You can solve a large amount of problems with those toolsets, and I'm not here to say that those toolsets don't work. They do, they work very well. But what I'm here to say, though, is

maybe you should think about taking advantage of the underlying features of the things that you're implementing to the best degree that you reasonably can before you start adding on top of that security posture with new tools. So, as I said, does that mean I don't need tools? No. No, that is not what this speech is whatsoever, so just to say that very clearly. The key ingredient here is: don't let the exception become the rule. Make the rule the rule and the exception the exception. If you have an XP device in your environment, okay, that stinks, maybe you can't get rid of that, but don't let that become the rule for the entirety of your network.

So what are the basics? Basics could be many different things. I'm going to point you to the CIS Top 18. It's a really great starting point; there's 18 major overarching things there that you could look into. I think one of the ones that I will say the loudest right now is asset control, discovery of your network. If you don't know it exists in your network, how can you secure it? That's the easiest way to say that, right? So that is a really great framework that you can start with. Take it, walk away, if you've never heard of it; if you have heard of it, you're probably quite familiar with it. So, digging into that, you want to, like I

said, asset inventory is super key, and data protection and recovery, DR/BC, those types of things to do. I see this a lot in the industry, I see analysis paralysis, or paralysis by analysis: there's too many things to do, where do I begin? Put one foot in front of the other. Just start moving forward, pick something, tackle it. If you can do that, you're going to slowly increase the cybersecurity of your network or enterprise. It's really hard to see, I'm sure; I added way too many things into this slide, I almost apologize. But documentation: I'm a huge proponent of it. Why is this key? Documentation is ultra key because of things like network maps. I run a digital

forensics and incident response team. Why is a network map important? If you're having an incident and you bring in an organization like ours, how do I know what assets you have, how they are interconnected? Do you just have one major site? Do you have fiber connecting multiple sites? What's that look like? Another fun fact about network diagrams is: have a physical copy of them that you keep up to date. If everything in your network gets encrypted, so do your network diagrams. We've run into that. Org charts: that's going to play into another slide that I'm going to talk about here in a few minutes, but how's your organization broken down? Do you have an HR department? What do

they do? What's their day-to-day look like? As a cybersecurity individual, you have to understand what your organization is built from. What do the people in your organization do? Your HR people, they open up PDFs all day, day in, day out, right? Resumes. They're going to get all kinds of stuff like that. I'll tell you this: I came from an offensive security mindset. I won pen tests by sending HR individuals resumes that just had macros in them. That was an easy win. So understanding who your user base is and what they do as part of their job will help you understand how you can help them become more secure as well. So talking to your user base is

quite key, but also understanding what the roles inside of your organization are. Understanding these things creates a foundation for how you can also create better cybersecurity programs inside of your organization as well, because what you'll find out is, if I sit down and talk to one of my developers and they only use Python, as an example, and they only use PyCharm as their development platform, I should never see things like VS Code or Visual Studio on their machine. I shouldn't see C# apps running, right? But without that intricate knowledge of who they are, what they do and how they work, you're going to end up deploying an EDR system and saying, well, I don't know,

we'll just allow it to a developer, and that's not going to get you to the place that you want to be. So documentation is quite key. Also understanding things like what are your most important assets in your organization. I'm going to say this two different ways because it's very important. Number one is: what are your most important IT assets to your IT organization within your organization? If this server goes down, what does that mean? The second way to say that, and the second piece to note that is ultra important, is: what are your most business-critical assets? Sometimes those aren't the same as IT. If I lose my DC, for example, I don't have authentication, but

if I lose this manufacturing device that doesn't use Active Directory for authentication, that can run without it, but it goes down, I lose millions of dollars a day. There's a major difference there. So this is where documentation becomes so key. So if you're walking into an organization and you're brand new to it, the first questions you should be asking that organization are these types of questions. By the way, this is not like "this is the exact way to do things"; these are just examples, hopefully that makes sense. So with that being said, some other good questions to ask are: who are the key stakeholders in the organization? If I have an incident, who do I contact? Who

are the important players? You know, do I have developers? Who from the management side of the fence do I need to contact? Who's going to talk to the news, heaven forbid, if they get involved or there's some level of leak to them and now all of a sudden I have to have a public response? Who's going to do that inside of my organization? So those types of questions are really, really great things to do up front, and all it does is it takes time. It's not a cost, it's not "I have to go buy this toolset to do these things." Writing it down, understanding it. Another great one is Active Directory. I can't lean into incident response

enough. I walk into all kinds of different scenarios, and one of the things that I see quite often is stale user accounts. This isn't something I see in small organizations only, by the way; I see this in large enterprises, I see this in mid-market organizations, I see this in small. I see all kinds of different things. So, reviewing a couple things: your AD accounts in general, are they being utilized? When was the last time they were used? Do I have any stale accounts out there? If so, start disabling them. Create an audit that you do this once a month, once a week, once a quarter, whatever it is. I will say this: once a quarter sounds absurd, but

if that's all you have time for, that's all you have time for, and that is much better than not doing it at all. So then, also with that in mind, your service accounts: the same thing applies. I see a lot of people will focus in on user accounts, forget service accounts. Maybe I have this HVAC system, I replace the HVAC system; it had a service account that had to do all these terrible things and had so much access, we forgot about it, we replaced it, we still have that service account out there, active and live, and it had to be enabled for SNMPv1 and all of these bad things. That just makes it super easy for some offensive security

person to come in and just snag that and start running wild with it, or worse, a threat actor. Creating an onboarding and off-boarding process for your employees: again, these are things that are so simple, you just got to create the process and stick to it. Creating an onboarding and off-boarding process for service accounts. So creating these audits, making sure that you're checking in on them in a timely fashion, and then also staying on top of it, and anytime somebody says "I need a new service account, I need this user spun up," making sure that that happens in a timely fashion and having an onboarding and an off-boarding process for them. So with that being said, we'll move on to

least privilege access. Least privilege access is typically another one of those things that is just a time commitment. Thank you. So least privilege access is just one of those situations where it is a time commitment. Thank you, by the way. So to get there, you're going to spend a lot of time in AD, more than likely. You're going to spend time in your file server, restricting access to those files or folders, et cetera. So least privilege access is a huge piece that you can spend a lot of time in with minimal, minimal budget or cost. Reviewing your DR/BC plan: do you have one? Step one, if you don't have one, create one. There's no time like the present.

DR/BC plans are something that are so incredibly important to your organization. If it doesn't exist, it needs to, and it needs to right now. If it does exist, what you can do is ask all kinds of different questions around it: what happens if... Start inserting some ifs into that statement. What happens if my building catches on fire, what do we do? What happens if water rains down from the ceiling from an HVAC system onto our servers? What happens if our server room floods? These are real scenarios. So, what happens if, and those are a few physical examples. What happens if somebody gets my Veeam account, my Veeam service account? Maybe

you use Veeam for backup; I hate to pick on vendors, but we see that happen a lot. What access will they have? What can they do? Can they delete your backups? Do you have an incident response plan? I'm sure everybody knows this one, I'm sure everybody thinks about this one. If you don't have it, make it. Same thing: no better time than the present for this one. This should go hand in hand with your DR/BC plan. If you have it, update it. I've walked into many organizations that have an IRP plan and it hasn't been updated in three years; not a single key stakeholder that's on that document even exists in that

organization. Update it, make sure you're staying on top of that. Just knowing who the contacts are in an incident is a serious leg up during an incident. Golden images, anyone? So this one, this one kills me. Golden images: during an incident, what we see a huge time suck in is re-imaging all of your machines. So you have a few options there, obviously, but something that you could just do today is create a golden image. You can get really, really creative with this and really specific to departments. You could have an HR golden image, you could have a developer golden image. The only requirements for this are time and space. All I need is a place to put these

golden images. After that you can start asking bigger questions like: how are we going to mass deploy? What happens if everything gets encrypted by ransomware, how do I re-image all of my machines rapidly? Those are really great questions, but make those golden images. Again, time and space, that's all you need. The next one is also very, very, very important: talk to your user base, get to know them. I hinted at this a little bit earlier in the talk, but this is very, very important. I already gave the PDF example about the HR team; that used to be my favorite. Understanding job responsibilities: how do they do their job? What applications do they use? What is their

preferred browser? These questions sound kind of absurd, and they become very useful later. You'll understand your network to a much further degree than what you ever would have before this ever happened. What do they do as part of their job? What should they never do as part of their job? Sometimes you won't get that directly from the end user, but you'll start to understand: here are the things that they do all the time, they work inside of these systems, they are a developer, they hit SQL, they hit this application server. Or maybe you have separate sets of developers that hit separate sets of applications and back-end databases. Okay, perfect. So you should never talk to

our HR platform. Easy enough, but you wouldn't know that unless you understand their day-to-days. Find a champion within your organization. I can't... this one's huge. It's a lesson that I've learned very, very, very much so, very recently. Having a champion inside of your organization, or having multiple champions. Talking to people, getting out there, understanding your user base is awesome; take it to the next level by having champions. I have an HR department: find a champion in HR. I have an IT help desk inside of my organization: great, find a champion over there. And the reason these champions become so valuable is it gives you a place to start testing things. They feel like

they're on your side, because they are on your side. They're helping you do your job and you're helping them do their job by making them more secure. So you start to create this really, really awesome system. So whenever you do that, finding champions throughout your organization, they'll be much more happy to help, especially whenever you're about to break everything in their day, right? Because, let's face it, that's what we do. Defining out all those questions and writing them down. Did I say documentation is important yet? Because it is. Yeah, another big one. So I can't say how many times; I'd say maybe like 60, 70 percent of the IRs that I've been a part of personally

have been because of this one. LogMeIn remote was left on a machine, forgotten about. My organization implemented insert remote access tool, I won't get too specific, and it went up, it was never updated. Seven years later it has an RCE because of the version that it was. You could brute-force it until you found the password and you were in. That happened. They were a developer with DA access, and off to the races. Reviewing your installed applications: this kind of goes hand in hand with asset inventory, understanding your assets, understanding what is out there, running things to find out what applications are installed out there. What applications? So after I've talked

to my user base, I should have a pretty good understanding of what applications they use a lot and what applications they probably don't ever use. You know, I probably have Wireshark on all of my machines. I shouldn't say that out loud. I probably have Wireshark on all of my machines; have I used it in a while? Probably not, it's been a bit. I could probably remove that. Ask questions like that. Go to your laptop, look at the installed applications, and just: when was the last time I used this? Get rid of it. You don't need it, get rid of it. So you can ask all kinds of different questions around that. Another really big

thing that I see quite often is looking for IT toolsets. So I just did this mass deploy of insert whatever application, security toolset, whatever. I used PsExec, dude, it was awesome, and I created this specific folder with all my IT toolsets in it. And then a red teamer, a threat actor comes in, they're like, oh hey, all my tools are deployed for me. Look for those toolsets out there. If you've deployed anything, think about that: what did I use to do it? Did I have a folder structure? Wipe that out. Have you had a recent penetration test or red team services engagement? Did they leave any tools behind?

Because that happens. Look for those things. What happened after I had this red team engagement? Did they leave any toolsets out there? You know, BloodHound is a really awesome tool that, if it's in your network, I could probably find some ways to escalate my privileges. Firewalls: most people have firewalls today. I shouldn't say everyone does; not every network has a firewall. I really would like to say they do. But what do you have? If you're walking into an organization, you may not know that answer. How are you using it? A recent conversation I just had was: hey, we have all of these awesome, great next-gen firewalls in place, we have the highest levels of the highest levels,

and all the things are, quote unquote, turned on, but we receive threat intel from it and we're not reacting to that. Is that your organization today? Because it could be. Asking those types of questions: okay, yeah, we have the threat intel from the big next-gen firewall vendor, but are we doing anything with it? Are you using the application awareness features? Are you using all the feature sets? Are they implemented? They're there; are they just in passive mode, are they in active mode, are they reacting to anything? Again, these are just things that you could go back to your organization and start implementing, potentially today. Network segmentation: this one's always

fun. I love this conversation, because some organizations you walk into and they're very upfront, they say, hey, you know what, flat network. Why? What is stopping you from putting VLANs in today? What's going to stop you from walking towards network segmentation? Some organizations it won't work for, or they're very small, and there are great use cases or scenarios where it's just not going to work, but most of the time you can walk towards network segmentation, and you mostly have things in place that could at least walk you there. So the next one, if you know me, you know that this is a huge piece with me: OS hardening.

I have up here quite a few things. I'm posting this out to GitHub today as well, so this whole talk will be out there, public. There's a lot of different features inside of an OS. If you're in Linux: deploying a minimal install, focusing in on applications or packages that you have installed and making sure that they're A, up to date, and B, you're only using what you need. In Windows, they've done a whole host of things in Windows 10, 11, 2016 plus, and that's kind of the focal point of what I have up here. ASR, attack surface reduction: its features, you just turn them on. They can break stuff; there's pros and cons to this. You don't

need licensing for this, by the way. You can just enable it; you don't have to worry about E5 licensing or anything along those lines. You just have to understand what it is and how you're going to implement it. So ASR, great thing, does all kinds of stuff. There's an LSASS injection technique that it can stop. I know that firsthand: during the pipeline incidents we dealt with one of those threat actors, not for the pipeline, but we dealt with one of those threat actors that were also attacking the pipeline. We had first-hand experience enabling the LSASS injection ASR rule hot. It stopped the LSASS automated injection attack that was happening right then and there. They

work. There are downsides to it, like how do I know that it's working, where do the alerts go? Because it just generates logs, and if you're not logging all of your endpoints, then into the ether. But it's working. Controlled folder access is another one that was recently implemented. It's something I implore everyone, if you don't know what it is, go read about it. It's really cool stuff. Windows sandboxing: enable it, why not? There's also some cool tricks out there; I have a link in here. You can make it so you can right-click on executables, PowerShell, and it automatically will give you the option to load it into the

Windows Sandbox. Windows Defender Application Control; AppLocker is what it was formerly called, WDAC now. All kinds of cool stuff you can do with that. There are tiers to some of these; some of these are things that you can't enable all of the features of without licensing, but the base majority of you can at least do some of it. Isolated browsing: it basically starts to use, what is it called now, it's previously Spartan, Edge, whatever you want to call it, Chromium. It loads it into a VM-style isolated segment so that your browsing is now isolated. Is it perfect, is it everything you need it to be? No, but heck, it's free, why not take advantage of it?

Reputation-based protection is built into Windows 11 today; you just have to enable it, that's it, it's a little slider bar. Exploit protection: still there, still available, you change it with a slider bar. Actually, I think it's in the same section as isolated, or reputation and exploit protection. Core isolation, memory integrity: it's part of Device Guard, so if you enable that, it's meant to do things like TPM, TPM v2, and hardware security. Secure Boot, also in that same place. HVCI was something that I learned about whenever I was doing the research for this talk, very cool stuff, and Credential Guard. So those are just some things. There's also things like removing all of

the multicast stuff. Again, if you know me, if you've ever met me, you've heard me say LLMNR until my face turns blue. Disable it. Multicast, disable all that stuff. Enable SMB signing, disable SMBv1. Out on the repository that I'll be placing this, I have a PowerShell script. You can trust me, by the way, I'm not doing anything bad with it. I wrote it to be as easy and simple as possible for you to read through and understand. It's meant to help you implement OS hardening techniques and test. That is the whole reason for it. It's not perfect, it's not every single OS hardening technique, but it gets the major ones that we see either

offensive security tackling every time they land in an environment, or IR. Passwords: what's your password policy? Are you blushing because it's terrible? Always work on your password policy. Work with your user base; this goes back to working with your user base, talking to them. Everybody's going to be upset about creating a longer password, but they'll be a heck of a lot happier if you're their friend, so that can always make things easier. What else can you do to fight bad passwords? Well, back in the older days, prior to what Microsoft just implemented, you would have to deploy a DLL, a custom DLL for password filtering, into AD. It wasn't supported officially. You can

still do that in an older environment, it does work, or in the newer environments you can do what's called password filters in AD. It's part of Azure; it's really cool and neat stuff. So you could put things like: my organization is, you know, insert your organization's name. Well, I'm wearing a shirt, so if my organization's Blue Bastion, nobody can create a password that is "Blue Bastion," or you can generate different versions of that, right? So that's something that is very, very important. LAPS is another one that you can do. There are limitations to LAPS: it can only do one local admin password. But what it'll do is it incorporates the local admin password of

the machines that you put under it, it randomly generates it on a time-set schedule that you set, you could have it do it every seven days, and then it incorporates that password into AD. So it's really cool, really powerful, and I highly recommend it, and it's free. Patching: are you patching? If you're not patching, please go back and start patching. This is another area where we see a lot of holes, a lot of things happen with patching. So one of the things here, though, is most people are patching, but the question becomes: is your patching system patching properly? I just had a conversation three weeks ago where

we found out that a patching system, and it was proactive, so this was positive, we found out that a patching system said "you're fully patched," but a vulnerability scan came back and said, whoa, we're seeing all of these really bad things available. But the patching system was saying it's fully patched. So having that double layer of audit there for patching is very important, for that very reason, and that was quite eye-opening and a good time. Centralized logging: are you sending your logs anywhere? This one, you could use open source tools, it could take time; you could use paid tools, whatever works for you. But whatever, the idea here is sending your

logs somewhere, because if IR hits, if there's an event, how do I go back and look at what happened? My firewall logs could turn over every 30 minutes and it's all gone, poof. A lot of times whenever we're brought in, we're brought in a day later, or we're brought in and you were popped maybe seven days ago and we're at the point where ransomware is everywhere. How do we know, how do we go back in time to see what happened? The other thing with logs is it gives you visibility into it as well, even if you're not in cybersecurity. Now I have a detailed list of things that happen on a machine, whether I'm troubleshooting

that, whether I'm trying to figure out how this user account got locked out, whatever it is, now I have an ability to go back and look. One thing here, to go back to a different point: if you do this, make sure it's part of your DR/BC plan. I've walked into organizations that got hit and their SIEM solution was encrypted and all of their logs were encrypted, so there was no going back. And then obviously, always auditing and checking and validating that your logs and log sources are pushing, very, very important. EDR, next-gen AV: do you have it? So why this is up there is, if you have this in place, how was it deployed? Who deployed it?

Do you feel that it was a good deployment? The reason I ask these questions is because a lot of times I've walked into an organization where they have EDR, "we're good, it's deployed." Look at their policies: all base level. Just deployed the agent and they thought they were good. Not the truth. You want to get in there, and this will go back to those earlier points about talking to your users: how do they use their stuff, what toolsets do they use? What are your IT folks using, what are your HR folks using? Allow listing, block listing applications, if you can do that in your EDR. Allow listing and blocking things becomes a

lot easier once you know your user base, and you can spend so much time in these solutions and really make your organization more secure by doing so. But going back to making sure you understand your user base: if you know them, this becomes easier. Do you have a lot of noise from that solution? There's only one way to solve noise: dive in, understand why do I have noise, what's creating the noise? And that's more of a general best practice. Why am I getting so much noise? You're probably getting noise because you either don't know your user base well enough, and I'm generalizing, there's a lot of reasons you may have it, but maybe you don't know your user base well

enough, maybe a different organization, different person implemented it, they got it to a good place, and then there was no care and feeding afterwards, which is also very, very important. So then that drives you to the question: can I drive it further, and if so, how? Offensive tools for defensive teams: this is some of my favorite stuff. Disclaimer, very much so, up front: if you use offensive security tools and you're doing this for defensive tactics, make sure you remove them at the end, because again, you don't want to give threat actors or an offensive security team a heck of a foothold and give them a bag of goodies just to take off with. But one of my favorite tools, I

already talked about BloodHound, is BloodHound. There's other tools out there like PingCastle, Purple... I had left off the end, but Purple Knight. BloodHound is open source, you can just go download it. Another disclaimer with this: if you work with a service provider, or you have an internal security team, or you're part of the security team, talk to them and let them know that you just downloaded this toolset and you're about to run it, because it makes people like me freak out. So what does BloodHound do? It's a toolset that can find attack paths in AD. So after you've cleaned up AD, Active Directory, you've gone through the least

privilege access, you've driven this as far as you possibly could, download BloodHound, pop it in place, talk to somebody who's used it, how do I use it, deploy it, run it, see what that report says. Now I have all these different attack paths to get to domain admins; now I have a new set of things that I can go back and start remediating. Removing SPNs is another really big one that I see out there. You could call these Kerberos attacks, or, I'm sorry, golden ticket attacks; there's all kinds of stuff with this. But removing SPNs from accounts that do not need them: very important and easy in most instances. So if you don't know what that

is, I'll be happy to talk about it after this as well, but that's another easy win. Download Nmap: free, open source, runs scans. A huge question that is typically one of the first things I'll either ask, or we'll go and get permission and find out, whenever we're in an incident response scenario, is: what open ports do you have to the world? That question sounds like it should be answered before I even get there, and it isn't every time. So if you don't know what ports you have open externally, or you're relying on somebody else to tell you, get permission, start scanning your external fence. Just what ports are open? Then ask: should they be open?

if not get rid of them then once you get through that do internal you're going to have a heyday all kinds of forts so many ports are open um that one you can spend a lifetime in then from there now you've gotten your your your practice in a much better place approaching new tools how do I approach them the one piece here that is ultra important uh to me is if I'm about to review looking at a new tool set my favorite question is does this tool set overlap with another tool set that I already have deployed it's unbelievable to me the amount of organizations I've walked into that have this vulnerability management platform this vulnerability management management

platform they have an EDR with the vulnerability management licensing on it and then they have this other tool set that is an agent-based tool set that is also a vulnerability management tool so you have all these tools doing the same exact thing are you getting more value by having five six agents that are all doing the same thing you may there may be use cases for that but it's a question that needs to be asked and it could end up actually saving you money um what other options do you uh exist other than just tossing in this tool set is this a buzzword is this a new industry buzzword that we're looking for to achieve for some reason or is this

actually going to help me secure my environment better does this augment all the security things that I just did what happens when I get through all of these things congratulations you're just getting started that's it that's where you're at you're you're at the starting line um whenever you get through all of these though the one super important part to this is you know your environment better than you ever would have imagined you were going to you know the people you know the processes you know the applications they use if you talk to end users they'll tell you what they think their weaknesses are well straight out tell you that's awesome you can take that you can

learn from that and we can find defenses for it and that is sometimes the only way you'll find stuff out I did a red team engagement where I uh did a physical assessment of an organization and the first thing I always told was there's a guy who always goes down around this time he opens up the door to the back of the building and you could just probably walk in I don't know and uh it it happened I walked in and that was it like that was the end of the engagement because I was off into the races in a building that I almost had no hope of actually getting around some of their physical security

so just talking to people sometimes will get you the answers you have you're looking for I'll open it up for any questions does anybody have any questions

yeah absolutely that's a really good point so the question was if you couldn't hear it golden images and them going stale nobody's updating them so absolutely you implement those golden images and the I the idea there is create a system just like I said with active directory create an audit period when was the last time this was updated bring that golden image online update it run patches on it right otherwise you're going to be having to do that during an IR or drbc scenario or Worse um and make sure that that it it's up to date the other thing that you need to question with those golden images is does this have the latest and greatest

applications that those users use especially if I start to get more specific with it so very good question any other questions go ahead

thank you oh automated asset inventory uh that I am a huge proponent of because it goes back to what I said earlier you can't secure what you don't know about if I don't know that it's there so I I'm a huge proponent of both automated but also interviewing your end users so doing those together as as as one solution did that answer your question cool any other questions awesome well then I'll uh oh go ahead

very good question if you didn't hear that question uh how do you secure those automated asset inventory uh Solutions MFA uh hide them don't tell anybody about them put them in a secret room no make sure that all of your best security practices are against all of your security tool sets asset inventories tools all the documentation that you made you need to have as part of your drbc plan have it physically printed out so those are some of the ways that you could do that but yeah I could probably have a whole talk about how to secure your your security tools any other questions all right awesome like I said I'll have uh all oh go ahead is there another

question you need that no I'm just kidding oh uh it is it's going to be Quarry fire bb github.com quarryphire bb you can go to that that'll keep it super simple um and then you'll see conference resources uh and all of the things that I'll have in this talk the um Powershell that you can trust me trust me um you can trust me it'll all be there I still have some of it to upload but it'll be there before the end of the day that's a good question awesome thank you