In April two members of OxCERT were fortunate enough to attend the FIRST Technical Colloquium in Amsterdam, kindly hosted by Cisco at their Campus offices. The event was well attended by representatives from national CERTs and SOC teams, including a significant presence from Cisco themselves. As always the talks were both interesting and informative; this post touches on a few of the highlights.
Jeremy Junginger of Cisco gave an enlightening and entertaining talk entitled Threat Actor Techniques. He discussed the ‘workflow’ of an attack, detailing how an attacker uses an initial foothold to gain further privileges. Based on a real-world scenario, Jeremy’s hands-on demonstration of privilege escalation gave the audience a unique (yet somewhat chilling) insight into how simple, everyday choices made by system and security administrators can quickly lead to the complete takeover of an otherwise locked-down system. Emphasising the value of ‘lateral movement’ within a compromised network, Jeremy directed his attack around the standard defences rather than through them, eventually compromising administrator credentials and exfiltrating arbitrary data within the timeframe of the presentation; free of the obligation to present and explain as he went, the attack could have succeeded in under ten minutes.
By contrast, Dave Jones, also from Cisco, gave a presentation on mitigating attacks that target administrator or ‘root’ credentials. This followed on neatly from his talk at the Bangkok FIRST conference. Dave focused on the application of two-factor and multi-factor authentication and how widely it can, and arguably must, be deployed in order to preserve the sanctity of administrative privilege. Whilst many of the techniques presented should not be new information to most security professionals, few of us can truly claim to follow all of them as rigorously as we should, and being reminded to keep our house in order is no bad thing!
Henry Stern of Farsight gave an interesting talk about dnstap, a tool which allows for efficient logging of DNS transactions without the need for packet capture. The capturing stage of traditional DNS monitoring has always proven the most resource-intensive, as many of the system functions involved are fundamentally blocking in nature. DNS logging at gigabit line speeds is challenging enough, and traditional approaches simply do not scale once the 10G barrier is breached. dnstap achieves efficient DNS logging by integrating directly with the DNS server software itself, which emits a copy of each query and response it handles, bypassing the need to create and analyse intermediate packet captures; this approach is supported by several common implementations and may represent the future standard approach to the hard problems of tracking and monitoring malicious domains, such as the rapidly changing domain generation and fast-flux infrastructure employed by the Gameover ZeuS botnet.
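As an added illustration (not from Henry’s talk or the original post), this is the clause that turns dnstap on in Unbound’s unbound.conf; the option names are those documented in unbound.conf(5), the socket path is an assumption, and Unbound must have been built with --enable-dnstap for the clause to be accepted:

```conf
# unbound.conf, dnstap clause (added example; socket path is an assumption)
dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/var/run/unbound/dnstap.sock"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    # What our clients ask us, and what we answer them
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes
    # What we ask upstream authoritative servers, and what they send back
    dnstap-log-resolver-query-messages: yes
    dnstap-log-resolver-response-messages: yes
```

Unbound connects to that Unix socket as a client, so a collector must already be listening on it when Unbound starts; fstrm_capture from the fstrm package (fstrm_capture -t protobuf:dnstap.Dnstap -u /var/run/unbound/dnstap.sock -w /var/log/dns.fstrm) is the reference way to write the frames to disk. Logging both client and resolver sides roughly doubles the volume, so on a busy resolver it is worth deciding which half you actually need before enabling all four.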
Seth Hanford, also of Cisco, talked about CVSS (Common Vulnerability Scoring System) version 3. Scoring of vulnerabilities may not feature in most security professionals’ top ten most interesting subjects, but every single vulnerability report and security bulletin you read will refer to that standard CVSS number somewhere in the reference trail. The integrity and relevance of the CVSS system has kept it in regular use across the entire IT industry for the best part of a decade; having a standard way to quickly assess the severity of a given vulnerability is very valuable and something which OxCERT regularly makes use of.
Martin Lee, again of Cisco, gave a presentation about a concept of great debate within Cisco, one that is literally postered across many of the walls of the Cisco campus: the “Internet of Things”. Distinct from yet intertwined with the network of servers and information content we know and understand, the Internet of Things refers to the growing proportion of networked devices which are real-world functional objects. The scarcity that forced IPv4 devices behind NAT is being lifted by IPv6, and everything from your phone and smartwatch to your fridge and air conditioning is becoming globally addressable, and therefore accessible. The recently publicised attacks against internet-connected Smart TVs are a haunting vision of things to come; as the costs of storage and processing power continue to fall, we can expect connectivity to become a pervasive element of nearly all electrical appliances. Martin went on to highlight some of the benefits of this expansion: smart buildings that monitor and regulate their own power usage and temperature, intelligent transport networks that re-configure to avoid congestion. Of course, being a security talk, the meat of the presentation consisted of the potential risks of creating a network of newly automated devices with the influence of the operator strongly diminished. What if a malicious person attacked your data centre’s environmental systems and switched off the alerts, promptly followed by the air conditioning? Relying upon a tiny ARM9 core and a Broadcom wireless chip to tell you about fifty million pounds’ worth of burning silicon seems foolish in that scenario.
Overall, attending the TC was thoroughly worthwhile, and confirmed to us the value of the smaller format as compared to the FIRST Conference. The more intimate setting permitted the exchange of some frank questions and answers that might not have found expression in a wider forum, and the talks certainly gave our delegates plenty to think about and report back on.