Vulnerability Management and the Road Less Traveled
When I started my career as a penetration tester, the name of the game was all about breaching the external perimeter: finding open ports in the firewall, mapping ports and listening services, and trying to find vulnerabilities and available exploits to penetrate that layer of defense.
How times have changed.
Today, it’s only a handful of venues, primarily web applications (e.g. Citrix remote desktop, remote desktops still open through the firewall, and the omnipresent VPN or SSL VPN connections) that an attacker can exploit through the firewall. These include spear phishing attacks and drive-by downloads; vulnerabilities that should be addressed to ensure external attackers cannot compromise an internal network.
Given their adaptive nature, it’s no surprise that today’s hackers often take the “road less traveled” to compromise a network. This includes exploiting several medium-risk vulnerabilities that could lead to a major compromise. In fact, hackers are increasingly capable of quickly constructing paths or algorithms to chain found information, misconfigurations, and vulnerabilities in a way that can quickly lead to total network or application compromise.
Let’s examine some of the links in these so-called “kill chains” more closely.
The ‘Horizontal’ Move. In the past, an attacker resorted to ping sweeping and port scanning the network subnet from the compromised workstation. However, this ‘noisy’ approach could trigger alarms on internal network intrusion detection systems.
Instead, today’s more efficient approach is to query the domain for information on domain policies and users. In fact, one of the most neglected configurations on a Domain Controller is to allow a NULL session connection to it in order to perform reconnaissance on the network and enumerate domain policies, users, shares and more. A NULL session attack is something that system administrators often neglect to consider when hardening networks. This can lead to disastrous results as enumeration of a null session can divulge just about every bit of useful information an attacker needs to remotely gain access to a system. The remedy? Restrict NULL sessions on the domain controller to avoid an attacker enumerating the entire domain’s information.
Pass-the-Hash. A Pass-the-Hash (PtH) attack uses a technique in which an attacker captures account logon hashes on one computer and then uses those captured hashes to authenticate to other computers over the network. Similar to a password theft attack it relies on stealing and reusing password hash values rather than the actual plaintext password. After an attacker has stolen the user name and corresponding authenticator on a host, the attacker is effectively in control of that account and gains access to all the resources, rights, and privileges of that account. One of the more common PtH attacks is privilege escalation, or essentially using stolen credentials to gain access to another system of higher value in the organization.
The end result of a “kill chain” – total compromise and unlimited access to the domain controller, sensitive and valuable data included in SQL Server instances deployed within the domain, and lateral movement of the attacker to other parts of the domain or the entire forest.
As someone who has lived my career thinking like a hacker, it’s a given that it’s not always a critical security vulnerability that is exploited, and you can’t always measure risk based solely on CVSS scores. Yes, email phishing and drive-by attacks persist, however there are increasingly other, albeit less obvious vulnerabilities and exploits, that sit on the same kill-chain and are worth fixing.
Like Robert Frost in his poem, “The Road Not Taken,” it is often the road less traveled that rewards either a visitor to the forest, or in the case of cyber defense, a hacker on your network. Focusing on remediating “kill-chain” vulnerabilities allows an organization’s risk management program to zero-in on what matters the most – where an attacker is likely to strike.