IDNeon's Achievements
  1. What does get into the industry even mean to you? That's probably the right place to start. Help desk > systems/network admin > then security. Gotta know how something works to secure it.
  2. I'm pretty sure encrypted police radios will be deemed illegal soon enough. Police are not protected by national security acts that are the only thing that allows public property to be hidden from the public.
  3. Oh and the "novel" portion is the terminology. I thought I explained in the beginning of the thread that I was asking about verbiage to explain what is generally discussed in seminars on findings about APTs and their operations. I tried to illustrate such an instance, where the lecturers about such an APT had described a network of compromise, but had failed to give it a name. And had described the futility of wiping the device discovered to be compromised because the rest of the compromised devices would restore whatever device they wanted to that network of compromise. The idea then was to box in that network so all suspected compromised devices could be wiped too. So the novel characteristic is to define this compromised network. And wipe it all based on reasonable assumption rather than actionable intelligence.
  4. That's all in another thread. And this was a spinoff of that more along the lines of testing the concept of "network of compromise". The main point here which I hope hasn't been lost is that I think it's possible to box in an attacker into a smaller and smaller box which provides you faster counter intel. What this thread is not intended to do is to explain a sure-proof means of preventing exploits by network segmentation alone. So this thread starts with some initial assumptions that including other technical controls will effectively compartmentalize a smaller and smaller group of endpoints and all networked devices into effectively segmented networks. So when compromise is detected within that network the entire network can be wiped and restored efficiently. If the idea of using the term "network of compromise" made sense, then I am willing to discuss more about how to effectively box in an attacker into those networks. So they are more tightly restricted in lateral movement from where they first infiltrate. But such a scale of conversation will naturally lead to quite a lot of tangents because there's a lot of areas that need to be covered to really start to box in a persistent attacker. As you've noted.
  5. Unspoken truth for sure. A real world example was a network I recently had to walk in on because of how messed up it had gotten by a number of issues. And one of them was the onsite IT moved the wrong servers physically to ports assigned to the wrong vlans for those servers. Among other physical issues. Such as switch configuration inconsistencies and problems. Point being. Given how complex a working infrastructure can become. When I'm crafting this document the word "actionable" comes to mind. If you have to build a space shuttle chances are your clients won't be able to. But also actionable implies not just the usability for the end user and onsite admin. But the effectiveness of what can be implemented. Ideally I'll have this so much like legos that management can pick and choose what's most actionable for their needs while remaining effective and providing enough security to meet the expected risk.
  6. Disabling what you can for hardened OS per best practice to endpoints should always be a must. The general assumption is best practice technical controls will be applied. This more deals with what should the network look like (while security architecture deals with what should the whole IT infrastructure look like and why). It is apt to say this would be analog to wireless client isolation. But the reason is administrative. You want to be able to know what the attacker knows as soon as possible. It is not because such isolation is inherently more secure to exploit. That is not true. Does that make sense? Basically by subdividing endpoints. Instituting best practices. And controlling admin-credentials to better isolate the server core from things such as pass the hash... what you do by implementing this is give you better counter-intel allowing faster more definitive response while actual intelligence gathering takes more time.
  7. Ok got a moment actually so to respond more to the other particulars of the above quote. The AP is a good analog where the server core should be the channel of communication between endpoints. Endpoints should not be able to communicate laterally outside of their allowed permissions to the server core. Ideally the subnetting is for internal use to nuke these networks of compromise. The general assumption is the controls are effective. Thus you prevent lateral extension into the server core by other means alluded to in the "Security Architecture" thread. And you prevent lateral extension to other endpoints by proven subnetting/networking/and System Admin techniques. For instance you can get so granular that each user has an assigned workstation and can only log into that workstation by logon policy (system admin). Or you can create ACLs that allow traffic between endpoint and server. But does not route to other endpoint subnets. (Network). Just as examples. These controls assume effectiveness (can be proven by investigation). And so compartmentalize the possible network of compromise so you can "nuke" it and replace the endpoints with clean images. Whether thru virtualization or thru sysprepped images or whatever your means of image deployment. Network of Compromise attempts to define what is reasonable to assume. So that your investigation is not the bottleneck to a likely definitive outcome (wiping all compromised machines). Investigating what is ACTUALLY compromised can be more time consuming. And should be given less criticality by this methodology. I guess it's a "shoot first ask questions later" approach where you "nuke" a whole subnet and then check to confirm no more activity can be detected outside that.
  8. I want to respond to you more in full but I am headed to a meeting so in brief first just so I remember to respond. The answer to your question lies in the nature of infiltration. It is harder to "land" on a server than to land on an end point and it is easier to "lock down" a server or other endpoints from lateral extension. It is extremely difficult to prevent endpoints from being "landing pads" or points of infiltration due to their use by lay-persons without security focus, and the latitude given them by your own policies which may or may not be enforced by rules or actual technical controls. Just because a policy exists that users will not use company property for web browsing doesn't mean they won't. And doesn't mean you've locked down web traffic which is actually more difficult in practice than in theory especially with Windows 10 almost mandating the existence of Edge and IE11 and some port 80 and 443 external traffic needing to be allowed for most businesses.
  9. Just curious but you have two independent wifi adapters for your host?
  10. Lol this gives me the strange idea. Can you use virustotal as your host since apparently they let you download content that's been uploaded?
  11. There's a question in there somewhere for anyone interested in discussing. This isn't really a thread about networking. The question is: based on the assumptions of APT activity within a compromised network, does the remediation logically address the issue such that the defender can say they have effectively wiped out the network of compromise, such that an attacker has to essentially start over from scratch? I think the methodology is on the right track and believe that subnetting and disabling certain services, remote features, etc, will box in the attacker so that their lateral movement is hindered significantly. Also, is "network of compromise" a reasonable and effective way of defining attacker activity such that it can be effectively targeted? After all language precedes action and if the activity is not accurately defined then the action to remediate it will be the wrong action.
  12. I can't go into explicit details but would like some feedback on a concept I'm working on as part of the security architecture document I've also created a thread about. The network of compromise represents all the compromised machines in your network. The idea is that if you wipe one compromised machine, the command and control within this network of compromise can recapture the wiped machine. If the command and control machine is wiped, then any other machine in the network of compromise can be promoted to a command and control device. Because the network of compromise may consist of different agents and back ends, you may find some compromised machines, wipe them, but leave others that were not known and then restore the network of compromise. The security architecture I'm currently researching to combat this functionality of the network of compromise are subnets and vlans. Ideally preventing any compromised machine from compromising other machines laterally. Assuming the network/server core which must be visible to all machines, has been secured by other means and won't be laterally compromised. If you can narrow how many machines can be visible laterally, ideally to one machine, then you can wipe all machines that are part of that subnetwork when one of those machines is found to be compromised. Theoretically this would nuke the entire network of compromise. Doing this will prevent the network from being able to be restored and would return an APT to having to compromise a machine again through whatever other methods which are more difficult than relying upon a command and control and other back doors.
  13. Update: some areas of focus have emerged. The goal continues to compartmentalize authenticated users so that a compromise in one compartment does not compromise the other. This leads to the concept of the server compartment being the core, while the other compartment or compartments (note the multitude) is for the endpoints. The problem here to be addressed is what happens to the compartmentalization when IT employee Bob tries to login to a workstation with server-admin credentials. Through various technical controls I've narrowed it down to as far as the authentication request is sent but not validated and no session key is returned. However, is this enough? From that compromised workstation the attacker now has half of the key. The authentication request. Can they pass this to another computer where server-admin is allowed a logon? Or are there specifics to each request that prevent this pass? Depending on that answer, compartmentalization may be achieved. As for another issue. Compromised endpoints may make up a network of compromised devices with a command and control link. You may wipe one or several devices, even the current c&c, but as long as one compromised endpoint exists to take over as c&c then the attacker can continue to operate and expand in your network. To isolate this potential may require extreme subnetting. In a subnet with proper access control. Where each endpoint only communicates outside of that subnet through its core. Then it is possible to isolate this network of compromise to just that subnet. In which case you can wipe all the endpoints in the subnet to nuke any c&c that would restore the network-of-compromise. That concept is only starting to be developed but I think it's a step in the right direction.
  14. So I have begun building the outline for this comprehensive topic. The paper as I'm currently working on includes: Logical controls. Control mechanisms. Technical controls. These 3 things describe the intention of your controls (logical controls), the bridge between your intentions and how to achieve those intentions (control mechanisms), and the controls as actually applied in a system such as GPOs (technical controls). Similar to programming, you have a problem, pseudo code to describe how to solve the problem and then the actual code that solves the problem. Logical controls continually ask the question: do my technical controls meet the objective? And the logical control should be an effective objective. In the paper I begin to identify logical controls and attempt to briefly explain why they are effective, using citation to source material. For instance. Logical control - limit users to workstations only. Reason? Pass the hash and other lateral attack methods. Control mechanism - deny local logon, GPO controlling RDP, AD property logon computer. Technical Controls - these would be the exact procedure to implement (for instance) Deny/Allow local logon with the intended outcome (user cannot log into server locally, but admins can). This method can be expanded to all strategic objectives, described in this manner, then drilled down individually with citations for each method and discussions how each method is effective.
  15. Something I'm working on while desperately trying to avoid "reinventing the wheel" is Security Architecture. And what that entails is building a network so that all its components are secure. But not with the frame of mind that vulnerabilities are patched and best practices are implemented. But from the frame of mind that attacks work on certain strategic principles and to prevent those principles from ever being exploited in the first place. For instance in the most basic sense: an attacker controls a workstation and seeks privilege escalation or other credentials. In most networks this workstation might have an administrator profile that was once logged in. Theoretically an attacker could use the credentials of that account to access other parts of the network. Security Architecture attempts to implement compartmentalization completely, so that this is not the case. The problem I run into is effectiveness. For instance enforcing compliance so that the implementation cannot simply be bypassed. That's where my skill as a technical hacker is limited, and where I tend to do better with theoretical. If all good soldiers made good generals then all soldiers would be generals. That maxim simply illustrates that a strategist need not necessarily be a good tactician or technician. But it would greatly help for me to have some pool of talent who are technically competent to help see the areas they would attack, that I can integrate a proper implementation of a technical control to prevent the purpose of the exploit from ever existing. The problem gets deeper and deeper as you explore each part. For instance if the goal is to isolate admin credentials so workstations compromised won't also compromise servers. But then you have to enforce policies that limit domain users from logging onto servers at all. If so then what servers? Because those users may need some servers to be accessible. Then how to prevent all sorts of other pathways of attack. What about hash passing? Man in the middle during remote logins? Basically the architecture would have to isolate each facet while keeping the intended purpose working properly. For instance if servers and workstations are on the same subnet then theoretically an attacker could packet capture and determine credentials or poison packets intended for servers. So part of the architecture must include proper subnetting for that reason. On that note, I'll leave it there for now. I have been drawing out a high level diagram to help me sort out the many parts. When it's complete I can possibly share it with the intention of drilling down deeper to each element.
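Posts 7 and 14 above describe the control mechanism "AD property logon computer" for the logical control "limit users to their assigned workstations only". The following is an added example, not code from the poster or the forum, showing that mechanism as a technical control with the Active Directory PowerShell module: it sets the user property LogonWorkstations for a hypothetical user-to-workstation map and then audits an OU for accounts that are still unrestricted. The account names, workstation names and OU path are placeholders.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory
# module and rights to modify the accounts in scope.
Import-Module ActiveDirectory

# Hypothetical assignment: each account may log on only to the listed computers.
# LogonWorkstations expects a comma-separated list of NetBIOS computer names.
$Assignments = @{
    'bob'   = 'WS-BOB01'
    'alice' = 'WS-ALICE01,WS-ALICE02'
}

function Set-AssignedWorkstations {
    param([hashtable]$Map)
    foreach ($user in $Map.Keys) {
        # This is the "Log On To..." list in ADUC. A credential cached on a
        # workstation cannot then be used to log on to a server that is not
        # in the list, which is the compartment boundary the post is after.
        Set-ADUser -Identity $user -LogonWorkstations $Map[$user]
    }
}

function Get-UnrestrictedUsers {
    param([string]$SearchBase)
    # Accounts with an empty LogonWorkstations may log on wherever local
    # policy allows; those are the gaps in the compartment to review.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

Set-AssignedWorkstations -Map $Assignments
Get-UnrestrictedUsers -SearchBase 'OU=Admins,DC=example,DC=local' | Format-Table -AutoSize
```

This restricts interactive logon at the domain controller; the "deny log on locally" user right and the RDP GPO named in post 14 are separate controls applied on the servers themselves.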