BDIR Podcast Episode-008

TOPIC: EPIC FAILURE, Who Do You Blame? You decide

SPONSORS OF OUR PODCAST

NEWS-WORTHY:

A tweet from Dave Kennedy on TrustedSec efforts

  • “On a screenshare with my team on an engagement watching our completely custom exploitation framework + C2 being deployed and using undoc techniques all the way through with a ton of EPP/EDR products on the endpoint without detection. Proud of the research team and #TrustedSec :)”

NSS Labs fires off anti-malware-testing lawsuit at infosec toolmakers

Are they colluding to NOT fail the tests?

According to the report "Endpoint Detection and Response Market by Component (Solution and Service), Enforcement Point (Workstations, Mobile Devices, Servers, POS Terminals), Deployment Mode, Organization Size, Vertical, and Region - Global Forecast to 2021", the EDR market size is estimated to grow from USD 749.0 million in 2016 to USD 2,285.4 million by 2021, at an estimated Compound Annual Growth Rate (CAGR) of 25.0%.

Gartner says EDR will be a 1.5 BILLION (with a B) business by 2020

[Image: EDR Market by 2020]

Michael’s DerbyCon 2017 talk on Testing EDR

Michael and BRIAN talk Credential Stealing at BSides Austin 2018

Forrester report on whether EDR is overblown

Interesting quote from the article

“At its core, EDR turns your infrastructure into a fabric of queryable systems with scalable remote management capabilities and the ability to detect abuse. Done. That’s it. This is only tangentially a security tool and it’s time to reframe how we think about EDR into that of a SecOps tool”

SITE-WORTHY

  1. None this episode

TOOL-WORTHY

  1. None this episode

MALWARE OF THE MONTH

  • None this episode

TOPIC OF THE DAY

EPIC FAILURE, Who Do You Blame? You decide

ENVIRONMENT

  • Less than a dozen offices

  • Network devices with IPS

  • DNS Proxy on all endpoints

  • MSP Agent

  • EDR agent

  • No Admin rights on endpoints

  • DevOps app deployed nightly

POINT OF ENTRY

With all this in place, a brute-force attack against an Internet-facing RDP server that was open for employee use led to the infection of over 150 assets within 20 minutes of the initial infection (Patient 0).

RECOVERY

The Volume Shadow Copy Service (VSS) retention period was left at the default, which is too short: by the time the root cause was found and they went to roll back the infections, VSS had already written infected files to storage, so rollback wasn't an option.

INVESTIGATION

First infection: the endpoint protections were circumvented because the threat actor used the System Management software suite (name a few) to kill the EDR services and then infect the machine.

The EDR vendor did everything they could to understand and report on the issue. They paid to have the server shipped to them where they completed a full forensic analysis subsequently proving how the service was terminated and then infected.

The 2nd infection was missed by EDR but was caught by AV that had been installed the same day to see what it would find.

They do know that the current recommendation from IT Security thought leaders is to use a blended solution of EDR and AV. But money isn't endless for clients, so that may be problematic.

A log management solution was deployed after the fact and revealed a lot happening in the environment, which stunned the staff.

EDR Vendor position

The vendor's position was that the open RDP connection was the root cause and that EDR was not at fault for not catching or rolling back the infection.

So let’s look at what they did RIGHT…

  • Endpoint users were not admins

  • EDR on the endpoints

  • DNS proxy agent on the endpoints

  • DevOps pushed out updates nightly

So let’s look at what went wrong here...

  • RDP Facing the Internet

    • RDP on the Internet with just a username and password is one of, if not THE, riskiest things you can do as a company; the same goes for all remote access

    • If you don’t use 2-factor authentication AND collect login attempts, you WILL get owned

  • The credential that was brute forced turned out to be an admin account with access to their System Management Software solution

  • They did NOT look for, or detect, the brute force against an Internet-facing remote access system

  • The account used for System Management Software had access to the Internet?

  • Accounts for remote access should not have admin access; use a separate account that must be entered once logged in to reduce this type of threat, and consider a jump host to reach these management solutions

  • Logging was not enabled or used until after the event started

  • Logs were not collected or managed in any way

  • Logging was used only AFTER the event started, where they saw a stunning amount of information

  • No AV, just EDR was installed

  • EDR was stopped by an approved System Management solution designed to do this type of activity

  • The System Management solution was not being monitored for access

  • The EDR vendor did not seem to have a service status option (a flaw with many security tools: if the agent is stopped, how is it detected?). The “Windows Advanced Logging Cheat Sheet” covers this type of non-Windows service permission change, so that logging captures services that are stopped
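Two of the gaps above (no detection of the RDP brute force, no detection of the EDR agent being stopped) are the kind of thing a log management solution can catch the moment logs are actually collected. The script below is an added example, not part of the show notes or any vendor's product: it runs two simple detections over constructed sample events rendered in a simplified key=value form (not any product's native format). It assumes Windows Security event 4625 (failed logon) and 4624 (successful logon) with logon type 10 for RDP, System event 7036 for a service entering the stopped state, a hypothetical EDR service name `EDRAgentSvc`, and a threshold of 5 failures in 5 minutes; the IP addresses are documentation ranges.

```python
"""
Added example (not from the BDIR show notes): two detections the lessons
above call for, run over constructed sample Windows events.

1. RDP brute force: Security event 4625 (failed logon), LogonType=10
   (RemoteInteractive), >= threshold failures from one source IP inside a
   window, plus whether a 4624 success from that IP followed the burst.
2. Security agent stopped: System event 7036 "entered the stopped state"
   for a service on a watch list (EDRAgentSvc is a hypothetical name).

Log lines are constructed for this example; the key=value layout is a
simplified rendering, not any product's native format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # constructed: six RDP failures across three users from one IP in ~1 minute,
    # then a success for the last account tried (the pattern to worry about)
    "2018-05-01T02:00:01 Log=Security EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7",
    "2018-05-01T02:00:09 Log=Security EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7",
    "2018-05-01T02:00:20 Log=Security EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7",
    "2018-05-01T02:00:31 Log=Security EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7",
    "2018-05-01T02:00:44 Log=Security EventID=4625 LogonType=10 TargetUser=svc_mgmt SourceIP=203.0.113.7",
    "2018-05-01T02:01:02 Log=Security EventID=4625 LogonType=10 TargetUser=svc_mgmt SourceIP=203.0.113.7",
    "2018-05-01T02:01:15 Log=Security EventID=4624 LogonType=10 TargetUser=svc_mgmt SourceIP=203.0.113.7",
    # constructed: two failures hours apart from another IP (a user fat-fingering)
    "2018-05-01T08:15:00 Log=Security EventID=4625 LogonType=10 TargetUser=bjones SourceIP=198.51.100.20",
    "2018-05-01T09:40:00 Log=Security EventID=4625 LogonType=10 TargetUser=bjones SourceIP=198.51.100.20",
    # constructed: the (hypothetical) EDR service stops; the print spooler stop is noise
    "2018-05-01T02:05:40 Log=System EventID=7036 Service=EDRAgentSvc State=stopped",
    "2018-05-01T02:06:00 Log=System EventID=7036 Service=Spooler State=stopped",
]

_TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_event(line):
    """Split one sample line into a dict of fields with a datetime Timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["Timestamp"] = datetime.strptime(ts, _TS_FORMAT)
    return fields


def detect_rdp_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "users": set, "success_after": user|None}}
    for every source that produced >= threshold RDP failures inside `window`.
    A later RDP success from the same IP is recorded as the likely compromised
    account, which is what turns a noisy alert into an incident."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["Timestamp"])
    recent = defaultdict(deque)      # source IP -> timestamps of failures in window
    attempted = defaultdict(set)     # source IP -> every account name it tried
    alerts = {}
    for e in events:
        if e.get("LogonType") != "10":   # only RemoteInteractive (RDP) logons
            continue
        ip = e["SourceIP"]
        if e["EventID"] == "4625":
            attempted[ip].add(e["TargetUser"])
            q = recent[ip]
            q.append(e["Timestamp"])
            while q and e["Timestamp"] - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "users": attempted[ip],
                                               "success_after": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif e["EventID"] == "4624" and ip in alerts:
            alerts[ip]["success_after"] = e["TargetUser"]
    return alerts


def detect_agent_stopped(lines, watched=frozenset({"EDRAgentSvc"})):
    """Return [(timestamp, service)] for System 7036 'stopped' events on watched
    security agents, regardless of who or what stopped them."""
    hits = []
    for e in map(parse_event, lines):
        if (e["EventID"] == "7036" and e.get("State") == "stopped"
                and e.get("Service") in watched):
            hits.append((e["Timestamp"], e["Service"]))
    return hits


if __name__ == "__main__":
    for ip, a in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {a['failures']} failures, "
              f"users tried={sorted(a['users'])}, success as={a['success_after']}")
    for ts, svc in detect_agent_stopped(SAMPLE_EVENTS):
        print(f"{ts} security agent {svc} entered the stopped state")
```

The service check deliberately ignores who stopped the service: in the incident above the EDR was stopped by an approved management tool, so an "authorized" stop looks identical to a hostile one and should still page someone. Event 7036 only records an orderly stop through the Service Control Manager; an agent process that is killed outright shows up as 7034 (unexpected termination) instead, so a production rule should watch both, and the vendor console's own agent heartbeat is the complementary check.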

ARTICLES:

FireEye Baselining RDP

RDP Thriving on the Dark Web

Using RDP? Make your business less of a target for Ransomware

Gartner’s 2018 Magic Quadrant for Endpoint Protection Platforms (EPP): What’s Changed?

Endpoint Detection and Response: A New Wave in Security?

-----------------------------------------------------------------------------------------------