Session Recording: https://vimeo.com/246442544 (Available 12/8-1/4)
Next Sessions Registration: https://networkdefense.clickmeeting.com/cuckoos-egg-5
This week, we reviewed chapters 15-23.
Cliff discovers the attacker attempting to find a pathway into the CIA system by querying the Milnet NIC. He doesn’t find any computers, but he does find the names of four people. Cliff calls these people and finally gets in touch with someone to let him know that the attacker was searching for a CIA computer. The CIA take interest and send someone out the following Monday.
Cliff presents his findings to the CIA, including an agent named Teejay. He learns that DOCKMASTER isn’t a Navy shipyard, but actually an unclassified NSA system. The CIA lets Cliff know they can’t do much and it’s up to the FBI to pursue it. Teejay tells Cliff to keep monitoring and keep him informed regardless. He also shares a story about the zero trust model used at the CIA and a time when an insider intercepted agent data. He was caught when a secretary noticed the last login time on her terminal was something unexpected.
Most Security Practitioners are Choice Architects
The story Teejary shared about the CIA is interesting because of how they caught it. A secretary who was on vacation came back and logged in to her terminal. When a user there logs in they see the output of the last successful login they made. The secretary noticed her last login occurred while she was on vacation and she notified someone, which began the investigation that caught the inside attacker. The last login message is a trigger for a choice, and the people who implemented it are choice architects. All security people are, to some degree, choice architects.
The concept of libertarian paternalism (note: the term libertarian has nothing to do with politics) poses that it is possible and legitimate for someone to affect behavior while also respecting the freedom of choice. We have the ability to allow users to make their own choices while also “nudging” them towards choices that are in their best security interest. This is why default options exist, for example.
In class, we went through several examples of choice architecture that are less than desirable including Facebook’s implementation of “Last Login”, how Word/Excel notify users about macros, and Outlook’s user experience for opening attachment.
- Choice Architecture: https://www.sas.upenn.edu/~baron/475/choice.architecture.pdf
- Nudge – A book about choice architecture from Nobel laureate Richard Thaler: https://smile.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X?sa-no-redirect=1
- Beyond Nudges: Tools of a Choice Architecture: http://www.dangoldstein.com/papers/Johnson_etal_beyond_nudges_tools_ML2012.pdf
Dig Deeper Exercises:
- Level 1
- Observe your daily work and note opportunities for security-based choice architecture.
- Level 2
- Choose one of the examples you found, or one I presented in class and come up with a way to better nudge users towards a more secure state.
- Optional: E-mail/DM your idea to me for feedback (firstname.lastname@example.org)
The attacker logs back in and finds a password to the Livermore lab network. This lab does secret research and those computers are supposed to be isolated. They have unclassified computers connected to the network, however. Cliff discovers this when he observes the attacker log into the LBL lab from Livermore. He wasn’t aware that was even possible, but as attackers often do, a new pathway was discovered.
That attacker breaks into the MIT network from LBL. Cliff calls the network operator and discovers this was likely possible because a scientist who accessed Livermore’s computers also accessed MIT computers, and probably left his password laying around.
Network Architecture, Zero-Trust Networks, Beyond Corp, and Air Gaps
A network should be built with defensibility in mind. This means building a network assuming you will be attacked, and assuming at least some of those attacks will be successful. I discussed the components of a defensible network as defined by Richard Bejtlich. A defensible network must be: monitored, inventories, controlled, claimed, minimized, assessed, and current.
Traditional networks are perimeter focused. Many call this the M&M model with a crunch external shell and a soft interior. Things inside the network are trusted, things outside are not. However, the perimeter has shifted over time thanks to the heavy usage of cloud apps for critical services, the needs of remote or WFH employees, and bring your own device (BYOD).
Many people are now looking to Zero Trust Network models like Google’s BeyondCorp. When you plug into a ZT network, you aren’t automatically afforded any trust. You have to gain trust through multiple factors. Your system has to authenticate via a certificate, the user has to authenticate in two ways, the user has to be enrolled in the proper job classification, and more. All assets are available over the Internet. There’s no VPN to access things anymore or single points of trust assessment, it a combination of multiple rules and trust evaluations going on all the time. This is an oversimplification, but it changes how you might think of a traditional perimeter network.
Air-gapped networks are those that are theoretically physically disconnected from public Internet-touching networks. I say theoretically because in practice many of them aren’t. Someone once said that an air-gapped network is really just a high latency network.
- Bejtlich’s Defensible Network Architecture 2.0: https://taosecurity.blogspot.com/2008/01/defensible-network-architecture-20.html
- BeyondCorp Research Papers: https://cloud.google.com/beyondcorp/#researchPapers
- How Google Protects its Corporate Security Perimeter: https://www.youtube.com/watch?v=d90Ov6QM1jE
Dig Deeper Exercises:
- Level 1
- Research BeyondCorp and examples of real-world deployments outside Google. What were the challenges faced?
Cliff discusses the attack with friends and draws a link between some of the attacker activity. The passwords he’s chosen…jaeger and hunter are german. Benson and hedges are also German — a specific brand of cigarettes.
The attacker breaks into an ELXSI super computer at LBL by guessing a password to a default SYSTEM level account. Cliff discovers this and writes a program to slow the computer down to a crawl when the attacker dials into it. This is to not give away that the attacker has been discovered.
Cliff strengthens his monitoring system by purchasing a pager to notify him when a compromised account logs in. This keeps him from sleeping at the office.
Cliff calls the DOE about the Livermore break in. They tell him to keep it quiet, but to call the National Computer Security Center, which operates out of the NSA. The NCSC is receptive, but can’t do anything about it.
Cliff does some legal research and discovers a warrant isn’t legally required to do a phone trace (USCA SS 3121). He looks over his notes and realizes he wrote down all the numbers the VA telco operator said during the trace. There are only a few available permutations, so he social engineers the operator and has her check the registered owner of all of them, claiming he was erroneously charged for calls to these numbers. Only one is active, and it points to MITRE, a defense contractor in McClean, VA.
He calls the VA Telco and asks them if they could confirm the number he found on his own. They aren’t supposed to do that, but they do it anyway. This is essentially a form of social engineering by getting someone to confirm a piece of information rather than just asking them for it.
Cliff used social engineering to extract information that he needed to further his investigation. Social engineering in security is an act that influences a person to take an action that may or may not be in their best interest. It usually takes the form of phishing (e-mail), vishing (phone), or impersonation (e-mail, phone, or in person). The human plays a significant role in many breaches. The success rate of external pen tests with humans out of scope is often fairly low (<20%). With humans in scope, it is usually near or at 100%.
In class we examined a few different SE scenarios and debated which types of scenarios would be most effective. We discussed Maslow’s Hierarchy of Needs and how attackers will leverage primary and secondary needs to illicit action, supress action, reveal information, or change information.
- Social Engineering: The Art of Human Hacking, Book: https://smile.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539?sa-no-redirect=1
- The Social Engineering Framework: https://www.social-engineer.org/framework/general-discussion/
- Kevin Mitnick’s Books: https://smile.amazon.com/Books-Kevin-Mitnick/s?ie=UTF8&page=1&rh=n%3A283155%2Cp_27%3AKevin%20Mitnick&sa-no-redirect=1
Dig Deeper Exercises:
- Level 1
- Go to http://www.malware-traffic-analysis.net/ and go through several of the blog posts. Find malware that relies on SE for execution and consider what human emotion it appeals to.
- Level 2
- Review the SE Framework (https://www.social-engineer.org/framework) and plan your own SE attack against an entity you’re familiar with. Don’t actually execute your plan.
- Level 3
- Experiment with BeEf to get a sense of what control an attacker has simply by getting you to visit a link.
He speaks to a network operator at MITRE who says that it is impossible his network is hacked. He agrees to put a trace on the line and wait for Cliff to call him the next time the attacker logs in. This would validate the connection.
Questions to Consider
Are Zero Trust Networks inevitable for all modern networks?
- Why or why not?
- What current challenges exist for specific types of networks (see below) to move towards a ZT/BeyondCorp model?
- Small networks
- ICS network
- International networks
January 4th 7:30PM ET
Read Chapters 24-30
Register/Attend Here: https://networkdefense.clickmeeting.com/cuckoos-egg-5