Embrace The Red

Some organization have this interesting concept of a bug jail to prevent new feature development when there are too many existing flaws in the system. For instance, if an engineer has 5 or more bugs assigned they aren’t allowed to work on anything else but fixing their bugs. What is the Security Bug Jail? A security bug jail goes along the same lines. The owner of a system can never have more than a certain upper limit of active security bugs.

Monte Carlo simulations can be a useful tool to uplevel your red teaming skills and provide a different and fresh perspective for highlighting, discussing and presenting findings. Red teaming is about challenging an organization. This includes analyzing business processes and methodologies, including our own. Obviously, using Monte Carlo simulations in the security realm is not my idea. I first ran across the idea in Hubbard’s book about measuring cybersecurity risk. Since then I have been thinking and playing around with applying these methods to security program’s, especially red teaming and threat modeling.

The results of phishing campaigns are often not comparable with each other over time. Various security vendors and red teams use different tooling and techniques - which is totally fine. However, I recommend requiring tracking a minimum set of metrics to be able to compare results over time. Funny side facts: At times employees are messing with the red team, entering invalid creds for CISO or CEO and things along those lines.

Last month I did some research on Firefox, specifically I was learning more about it’s remote debugging features. As part of that I was reading Bugzilla bug information and learned more about Mozilla’s infrastructure. One thing I noticed reading up on details was that Mozilla uses Phabricator. What is Phabricator? Phabricator is a collaborative web-based toolset for code reviews, checkins, bugs, work items, wiki, pastes, credentials and many other useful things.

Revisiting Cookie Crimes In 2018 @mangopdf described “Cookie Crimes”, which is great research around Chrome’s remote debugging feature that allows adversaries and malware to gain access to cookies quite convienently during post-exploitation. The original research is published here, and it still works today. The new Microsoft Edge browser and Chromium Microsoft’s latest Edge browser is based on the same code, Chromium. I guess, you already know where this is going now…

Chrome’s remote debugging feature enables malware post-exploitation to gain access to cookies. Root privileges are not required. This is a pretty well-known and commonly used adversarial technique - at least since 2018 when Cookie Crimes was released. However, remote debugging also allows observing user activities and sensitive personal information (aka spying on users) and controlling the browser from a remote computer. Below screenshot shows a simulated attacker controlling the victim’s browser and navigating to chrome://settings to inspect information:

Adversaries are leveraging widely exposed clear text credentials to gain access to sensitive information. At times the term “harvesting credentials” is used when red teamers emulate these attacks - which is something that appears to be more opportunistic and I would propose that security teams start to actively hunt for credential exposure that can put their organization at risk – in case you are not yet doing that. Actively hunting for credential exposure The idea of credential hunting is targeted and focused, leveraging intelligence about systems and combing it with powerful search techniques to identify exposure.

Conceptual Attack Graphs One question that I have gotten a few times about “Cybersecurity Attacks - Red Team Strategies” is around the conceptual attack graphs in “Chapter 3, Measuring an Offensive Security Program”. Specifically, how I create them. In this post I will briefly go over some of the reasons for creating them, and also how I create them and share a template for others to use and adjust. I’m not a graphic designer, so I’m sure there are better ways of doing this.

Announcement After countless evenings and weekends in coffee shops, and multiple vacations with the laptop, I’m excited to announce that my first book has been published. It took 18 months from writing the first words (at Victrola Coffee Roasters on Capitol Hill by the way) to finishing this project just a few days ago. Looking back its amazing how this all came together. The first intial draft had 100 pages, and in the end it ended up being 524 pages.

Pass the Cookie made it into the latest 2600 magazine! Very excited about this! I was just walking around Capitol Hill and stopped by Ada’s Technical Books on 15th Avenue - a great coffee shop with lots of technical books. Right after walking in to grab a cup of tea, I saw the latest Hacker Quarterly. A few months back I submitted an article about “Pass the Cookie”, so I had to check, and the article got indeed published!

Final Year Project - Web Application Security Principles About 18 years ago I worked on the final year project for my Bachelor’s degree in Computer Science. I had just gotten interested in security and was learning about security principles. The title of the project was “Web Application Security Principles - Designing Secure Web Based Enterprise Solutions”. Looking back, a really cool thing was that I had just started working at Microsoft as an Associate Development Consultant and was bold enough to send the paper last minute over to Michael Howard - who responded and indeed reviewed it!

This post highlights a simple mitigation to improve the security posture of your organization. The idea is to, by practical means, limit attack surface and prevent spreading of automated malware, as well as limiting lateral movement by adversaries. Network security over the last 15 years Malware can spread fast and damage businesses at scale. SQL Slammer [1] and WannaCry [2] are two well-known cases that showed how quickly and damaging this can be.

Excited to announce the book that I have been working on: Cybersecurity Attacks - Red Team Strategies Learn about the foundational tactics, techniques and procedures to elevate your red teaming skills and enhance the overall security posture of your organization by leveraging homefield advantage. Contents and Background Red Team Strategies covers aspects that are not as commonly discussed in literature, including chapters around building and managing a pen test team.

MITRE just updated the ATT&CK Framework to include Cloud TTPs. The update includes techniques for stealing cookies from machines and using them for lateral movement. These are the two techniques I helped contribute to the matrix: Credential Access - Steal Web Session Cookie Lateral Movement - Web Session Cookie It was exciting experience to collaborate with MITRE and contribute on this. And kinda cool to see the Pass the Cookie work referenced.

Recently Coinbase published a well written blog post on how they were under attack. The adversaries exploite Firefox 0-days. Details can be found here. One intersting aspect is the following: “We have also observed the attackers specifically target cloud services, e.g. gmail and others, via browser session token theft via direct access to browser datastores. This activity also offers the opportunity for behavior-based detection, as relatively few processes should be directly accessing those files.

No one should beat your security team on the homefield! For several years I have been using the term Homefield Advantage in the context of running a security program, especially in regards to certain aspects of red teaming. Homefield Advantage describes well what a mature security program has to realize and leverage. Wikipedia describes “home advantage” in team sports and highlights some of the benefits: “This benefit has been attributed to psychological effects supporting fans have on the competitors or referees; to psychological or physiological advantages of playing near home in familiar situations; to the disadvantages away teams suffer from changing time zones or climates, or from the rigors of travel; and, in some sports, to specific rules that favor the home team directly or indirectly.

Today I finalized moving the blog and publishing to Hugo. It was pretty straight forward and I decided to move things into a master branch on github, and publish via the docs/ folder features of Github pages.

One thing every red team should attempt early on and regularly is to perform some password spray testing across their organization to identify and help remediate usage of weak passwords. In the past I have done this on Windows a lot, but now I built a simple version for it for Bash to run it also from a Mac. Check it out: Bash Spray Ideally, a script like bashspray.sh is integrated into your response pipelines, and SOC, Blue Team as well as account owner get notified - so they change their password right away, and any SOC investigation can be performed if necessary.

Interacting with Active Directory on the Mac Did you ever have to interact with Active Directory on a MAC? If yes, this post might be interesting for you. I am pretty new to the Mac and basic things I know how to do on Windows need some research to figure out. This time around I explore Active Directory/LDAP Server interactions. First, there is the Directory Utility on MacOS which can be quite useful.

The Google Login Flow leaks additional email account information to unauthenticated users. I discovered this in the Google Account Login flow while building KoiPhish. Responsible Disclosure I reported this issue to Google and they looked into it and after a about 5 weeks of back and forth they decided that this is not an issue worth fixing. After asking if I can post about it publicly I got Google’s okay.