
This might be interesting. A few hours ago I was contacted by a company that is providing consultancy within the automotive business. Apparently they have received a request for cybersecurity in car development and that is a completely new skillset for them so they have reached out to me to check if I'm the right person.

So what is cybersecurity in a car? Frankly, it is nothing out of the ordinary: secure development, threat modelling, secure infrastructure, key management and that's about it. Anyone working deeply in the automotive industry will disagree with me but from what has been presented to me this looks like more or less it. If I'm offered the assignment I will most probably accept just for the chance to learn some more details.

I expect there will be several challenges that I haven't encountered in years like thinking about processor usage, size of applications, optimisation etc.

It is very interesting to see what happens when legal gets involved and starts reading paragraphs to the sourcing provider. Apparently we are now allowed to do more or less anything we want as long as we don't make changes to service accounts or restart the servers.
We have just deployed Azure ATP at the premises to get some understanding of what is happening with all the domain admin accounts. We have killed off all accounts that were personalised and currently we are running with just five accounts that are heavily monitored. It is amazing for my customer to see what the sourcing provider actually is doing and be able to monitor what they do according to the contract just by being able to capture where they log on compared to the tickets they receive.

Not to be frank but their service provider is most probably not up for renewal next year. Monitoring of accounts sure is valuable.

Following the discussion with legal after my previous post we have got some guidance to move forward. Apparently this was a common business practice from the service provider's side to minimise cost. When challenged by the legal department they quickly became more accommodating in helping us. This is something to take note of. Never allow a service provider to dictate your security practices.

Right now we have found out that the domain admin accounts we were investigating for suspicious behaviour weren't personalised as was in the contract but due to cost management they were used as group accounts on standard laptops, not on dedicated workstations as in the contract.

Moving back to legal there sure are going to be changes here. I'm not too keen about being the bearer of bad news but then again, I'm not too keen about not speaking out when I see something that puts my customers at risk.

More to come for sure.
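
The monitoring these two posts describe, comparing where the domain admin accounts log on against the tickets the provider received and against the dedicated workstations named in the contract, can be sketched as below. This is an added example, not part of the original posts or the output of Azure ATP; the hostnames, account names, ticket ids, the 30-minute grace period and the data layout are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: hostnames, account names and ticket ids are invented.
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}   # dedicated admin workstations (assumed naming)
GRACE = timedelta(minutes=30)               # tolerance around a ticket's change window

TICKETS = [  # (ticket id, target server, window start, window end)
    ("CHG-1001", "DC01", "2019-01-14 08:00", "2019-01-14 10:00"),
    ("CHG-1002", "FS03", "2019-01-14 13:00", "2019-01-14 14:00"),
]
LOGONS = [  # (time, account, source host, target server)
    ("2019-01-14 08:20", "da-admin1", "PAW-01", "DC01"),
    ("2019-01-14 09:50", "da-admin2", "LAPTOP-4471", "DC01"),
    ("2019-01-14 13:10", "da-admin1", "PAW-02", "FS03"),
    ("2019-01-14 22:40", "da-admin3", "PAW-01", "DC02"),
    ("2019-01-14 10:45", "da-admin2", "LAPTOP-4471", "DC01"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def matching_ticket(target, when, tickets=TICKETS):
    """Return the id of a ticket covering this target at this time, else None."""
    for ticket_id, server, start, end in tickets:
        if server == target and ts(start) - GRACE <= when <= ts(end) + GRACE:
            return ticket_id
    return None

def review_logons(logons=LOGONS, tickets=TICKETS):
    """Return one finding per logon that breaks a rule, with the reasons."""
    findings = []
    for when, account, source, target in logons:
        reasons = []
        ticket = matching_ticket(target, ts(when), tickets)
        if ticket is None:
            reasons.append("no ticket covers this server at this time")
        if source.upper() not in ADMIN_WORKSTATIONS:
            reasons.append("source is not a dedicated admin workstation")
        if reasons:
            findings.append({"time": when, "account": account, "source": source,
                             "target": target, "ticket": ticket, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_logons():
        print(f["time"], f["account"], f["source"], "->", f["target"],
              "|", "; ".join(f["reasons"]))
```
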

Welcome to 2019, the year when we are supposed to know what we are doing. I'm currently experiencing an interesting situation with a customer. They have outsourced their AD to a service provider and right now I'm helping them to investigate a rather simple problem: What servers are using unsigned LDAP? There are a bunch of reports readily available in Active Directory and there is a lot more information to get by running a few tools. This is no big deal and normally this would have been done in about 8 h and then reporting back the day after.

Right now we are stuck on our third day trying to answer very detailed questions from the service provider what the exact impact will be on the servers. We are almost down to the level of measuring processor usage of the tools. My customer is used to this but I have started to question why we even are doing this. After some digging in the contracts I have found out that the service provider has a strict SLA and everything that isn't running under a change request that takes the server totally out of their responsibility, including all servers that are affected by this server, will be challenged indefinitely. So any change you want to do on Active Directory means that all servers connected to Active Directory will be included in the change request putting most of the server park in maintenance mode and that is not covered by the standard contract creating an extreme cost for my customer.

Today we just gave up for now and have asked the legal department for advice.

Bolted on

What did my friend actually mean with bolted on? For sure he means a security solution that might or might not be well integrated into the operating system and even if that is a big issue in itself the real challenge was that the user interfaces sometimes mandated some serious training to be able to use making the cost of using the solutions a lot higher than solutions using a familiar interface that looks like the operating system or other applications built for the operating system.

Is this really a security problem? Yes, because it consumes resources that could be better spent to provide a higher degree of security. Instead of having a team of eight he needs a team of ten just to cope with a few solutions that use non-standard interfaces and non-standard integration.

So first thing when he's back from vacation is to replace those solutions with some that are better integrated with the rest of his tools. Best of suite beats best of breed.

Happy new year

It is somewhere between late night and early morning. Family has stopped celebrating, the bottles of champagne are empty and everyone is sleeping. Only the security architect is awake.

During the festivities I had a long discussion with a friend of mine of the futility of cybersecurity. How hopeless it is to try to stay on top. Either you lose within a few hours or you spend hundreds of thousands of Swedish Kronas on consultants that only implement security solutions that you don't understand and have challenges to operate afterwards. His simple question to me was: How on earth am I supposed to come out on top of this?

I had to give it some thought as he was actually pointing to that my work didn't provide a value to a company. After some clarifications, there was champagne involved, I understood that it wasn't my work in particular that was the problem but all those non-standardised technical solutions that were challenging to integrate and operate that was the problem.

We boiled it down to three larger problems:
• bolted on rather than built in, meaning that the user interface was not standardised so that the staff needed to train specifically how to navigate
• siloed solutions, so an event in one tool was challenging to correlate with another albeit a well working SIEM solution with trained staff
• measuring the effectiveness, they bought tools others bought but it was hard to show effectiveness as the only way to prove was conducting expensive pentests that still would find another way through the defenses

We didn’t find any good solutions this night and when the Gin and Tonic was served we forgot about it but now I'm sitting here thinking about it and I might have an idea moving forward. Drop in here in a few days, I'm sure I have cracked a few bright ideas. Until then: Happy new year!!!

A customer of mine has asked me to devise a security strategy for them. This will be an interesting task. The background to this assignment was that I was doing a presentation of cost effective security management using MITRE ATT&CK as an example to prioritise your actions. After the presentation their CISO came up to me and asked if I had time to help them with a few weeks' assignment. They are currently in the process of creating the plan for the following years and update the way they are tackling the security threats and would like to bring in smarter ways of managing security.

My task in this assignment will be to help them create a framework containing the needed policies, processes and methods to enable a good measurable security posture using my way of thinking as a template. This will be interesting and I'll post the results here later in January.

When I first read about MITRE ATT&CK I realized it was good stuff, but I didn't expect a major company to adopt it so fast.

One of my core mantras when I discuss security is to do the right things first. So how do you know that you are doing the right thing, isn't that what the risk analysis is for? Correct! Five points to Gryffindor! There is however a better way to move forward. Imagine that someone has already done a very thorough risk analysis on a technical level that you could reuse. Say hi to MITRE ATT&CK.

This framework points to a very important part in my campaign for better security globally: Do the right things first! This means that you should make sure that you block all known attacks using the tools available to you so that you then can spend time on the more challenging attacks. Not a hacker in the world will bother about using Spectre-attacks if your admins will click on a link on a workstation they use for both mail and domain admin tasks. MITRE ATT&CK lists a number of attacks, attack play books, that you need to protect against. This framework is also used to evaluate the effectiveness of different security tools.

So take a good look at MITRE ATT&CK and start using it today.

In the aftermath of the pentester's failed attempt to get hold of Active Directory we started to discuss the long lead time of getting a pentester onsite. Sure, it's mainly a question of resources and money but there is an underlying challenge seldom thought of. Today security functions are not static or passive. They have active components, they are updated, they work in conjunction with humans and are a lot more fluid in their functions than before. The standard pentest is normally just some person coming in testing a solution not taking the active defenses into account. The deliverable is a report explaining the identified flaws and we are sitting there with a long (or short) list of actions to take.

This isn't good enough. You would want to have something more similar to the real world attacks. Entering the red and blue team. So, what is that in reality? Well the blue team is your Cyber Defence Centre doing its daily work and the red team is a bunch of pentesters trying to find ways into the environment. The strength is the mutual learning when the red team explains how they did attacks and the blue team explains how they responded. With an ongoing campaign you will end up with a security level far surpassing anything you have today. And by the way, drop that IDS project, will you?

Sure, I'm not too fond of pentesters. Not that they don't do a good work, making sure a solution is secure is important and there is always the possibility that I have assumed something that's wrong. So testing is a good thing. It's just that some are really cocky and view themselves as state of the art security consultants. Well…when we had the pentest done on the ESAE I told you about last time I was the one that could be cocky.

It didn’t start out good. The pentester arrived in the stereotype black long coat and with the typical set of gear that any pentester needs. With a bit superior voice he told me that: ‘He'll be delighted to become domain admin again. It's just a Microsoft Active Directory.’ He managed to intimidate the CISO so I quietly told him: ‘Let him try. We'll go have a coffee and I promise you that he'll be here within two hours and ask for a user account’.

So we went down to the cafeteria and started to discuss Tier 1 security. After 1 h and 53 minutes the pentester came down and, with a lot less confidence in his voice, told us that he is now ready to use a user account to move forward because we passed the first tests. He left and I became a bit cocky and told the CISO that he'll be here within an hour asking for a domain admin account. I was wrong by 15 minutes. It actually only took him 45 minutes to give up.

‘Apparently you have done a decent job in security against standard user access but getting to be a domain admin is easy so I'll go for the hashes now. But I would also ask for the domain admin account to test the rough admin scenario.’ I knew that he hadn't found any domain admin hashes because I had reports from Azure ATP the whole time.

If you give them a domain admin account, you are bound to lose but I told the CISO to have faith in me. He'll be here just before lunch. We continued discussing Tier 1 and Azure and the pentester came down again, with wild eyes and asked me: ‘How on earth can you give me a domain admin and still be secure?’
