![Page 1: Securing the managed environment - … the managed... · Securing the managed environment You, me, and everybody Pepijn Bruienne @bruienne R&D Engineer Duo Security](https://reader031.vdocuments.mx/reader031/viewer/2022022018/5b91c37609d3f2c05d8c500c/html5/thumbnails/1.jpg)
Securing the managed environment
You, me, and everybody
Pepijn Bruienne @bruienne
R&D Engineer Duo Security
About Me
• 15+ years as Mac Admin
  • Small, medium, large enterprise
  • Higher Education
• FOSS user, contributor and author
  • AutoNBI
  • BSDPy
• Break Macs for profit
  • Protect customers
  • Contribute to community
• Active contributor
  • Slack (macadmins.org)
  • Github
  • Macadmins.org podcast
The Problem
The Numbers
Wait. Printers?
Yes. Printers.
PRET - Printer Exploitation Toolkit
https://github.com/RUB-NDS/PRET
http://seclist.us/pret-printer-exploitation-toolkit.html
The Target
Source: Verizon DBIR 2016 Report
The Goal
Source: Verizon DBIR 2016 Report
Early Conclusion
The Threats
Malware aka APTs
Credential theft
Server attack
Malware/APT
• Adware
  • Mostly just annoying, can deliver malware via Flash, leak data
• Spyware
  • Records A/V, takes screenshots, keylogging, data exfil
• Ransomware
  • Encrypts local/network data and backups
• Virus/APT
  • Everything else bad, deliver any of the above
Breach Lifecycle
Credentials
• Credential bypass
  • Vulnerable systems
  • Brute force
  • 0-day use
  • No credentials
• Credential exposure
  • Phishing
  • Insecure storage
  • Default settings
Credential Compromise
Source: Verizon DBIR 2016 Report
Phishing?
Phishing Basics
It’s important to note that email addresses aren’t always spoofed. They don’t have to be. Attackers can be tricky and do things like:
• Register a similar domain name (example: account-google.com as opposed to google.com, or rnicrosoft.com, or payppal.com)
• Use a domain that simply doesn’t exist. (Yep! These are almost always delivered just fine.)
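The look-alike domains above can be caught mechanically on the receiving side. The following is an added example (not code from the talk or from Duo): it normalizes confusable letter sequences such as "rn" for "m" and compares the sender's registrable domain against a constructed list of protected brands; the PROTECTED_DOMAINS list and the CONFUSABLES table are assumptions you would replace with your own.

```python
import re

# Brands to protect; an organization would load its own list (constructed assumption).
PROTECTED_DOMAINS = ["google.com", "microsoft.com", "paypal.com"]

# Letter sequences that render alike in common fonts (constructed, not exhaustive):
# the "rn" -> "m" entry is what makes rnicrosoft.com read as microsoft.com.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable(domain):
    """Lower-case the host and keep the last two labels (mail.google.com -> google.com).

    Good enough for plain TLDs; multi-label public suffixes such as co.uk need a suffix list.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Rewrite confusable sequences to the letter they imitate."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def levenshtein(a, b):
    """Classic edit distance; a value of 1 catches a doubled or dropped letter (payppal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return the protected domain that sender_domain imitates, or None.

    An exact match (including subdomains of a protected domain) is treated as legitimate.
    """
    d = registrable(sender_domain)
    if d in protected or "." not in d:
        return None
    name = d.rsplit(".", 1)[0]
    parts = re.split(r"[-_]", name)          # account-google -> ["account", "google"]
    for p in protected:
        brand = p.rsplit(".", 1)[0]
        if brand in parts:                   # brand embedded with separators
            return p
        if levenshtein(normalize(name), brand) <= max_distance:  # rnicrosoft, payppal
            return p
    return None
```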
Credential Phishing
Drive-by Phishing
Macro Phishing
https://duo.com/assets/ebooks/The%20Trouble%20With%20Phishing.pdf
Server Attack
• Public-facing service
  • Web
  • DB/NoSQL
  • File share 😱
  • DNS 😱 😱
• Network gateway/firewall
• Any other edge device
Server Attack Types
• Accidental Discovery: An ordinary user stumbles across a functional mistake in your application, just using a web browser, and gains access to privileged information or functionality.
• Automated Malware: Programs or scripts, which are searching for known vulnerabilities, and then report them back to a central collection site.
• The Curious Attacker: A security researcher or ordinary user, who notices something wrong with the application, and decides to pursue further.
Server Attack Types
• Script Kiddies: Common renegades, seeking to compromise or deface applications for collateral gain, notoriety, or a political agenda.
• The Motivated Attacker: Potentially, a disgruntled staff member with inside knowledge or a paid professional attacker.
• Organized Crime: Criminals seeking high stake payouts, such as cracking e-commerce or corporate banking applications, for financial gain.
🔗https://www.owasp.org/index.php/Threat_Risk_Modeling
NoSQL
Source: Jordan Wright - Scanning IPv4 for free data and free shells
NoSQL
Redis RCE + fake ransomware
• Targets auth-less Redis instance
• Wipes existing on-disk datastore (flushall)
• Creates new key with attacker's pub SSH key
• Changes datastore path to /root/.ssh
• Renames datastore to authorized_keys
🔗https://duo.com/blog/why-the-mongodb-ransomware-shouldnt-surprise-anyone
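The chain above only works because the instance accepts unauthenticated CONFIG and FLUSHALL from any address. As an added example (not code from the talk), this script audits a redis.conf for the settings that enable it and flags a dump location that has already been pointed at an .ssh directory; both sample configurations are constructed, and the requirepass value is a placeholder.

```python
import posixpath
from collections import defaultdict

# Commands the attack chain relies on; renaming them (or disabling them with "")
# removes the lever even if an attacker reaches the port.
SENSITIVE_COMMANDS = {"CONFIG", "FLUSHALL", "DEBUG"}
# Prefixes where a redirected RDB dump stops being a database and becomes something else.
SUSPECT_DIRS = ("/root", "/home", "/etc", "/var/www", "/var/spool/cron")

WEAK_CONF = """
# constructed sample: looks like an untouched package default
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """
# constructed sample: the same instance after hardening
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass PLACEHOLDER-replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_conf(text):
    """Map each directive to the list of values it was given; keeping every
    occurrence is what lets multiple rename-command lines survive."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()].append(value.strip())
    return conf


def audit(conf):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    addrs = " ".join(conf.get("bind", [])).split()
    if not addrs or any(a in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("reachable on all interfaces (no bind, or bind 0.0.0.0/::)")
    if not conf.get("requirepass"):
        findings.append("no authentication (requirepass unset)")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in sorted(SENSITIVE_COMMANDS - renamed):
        findings.append(f"{cmd} command exposed under its default name")
    # Persistence settings are what the Redis-to-SSH trick rewrites at runtime;
    # on disk they should still point at a plain database file in a data directory.
    directory = posixpath.normpath(conf.get("dir", ["."])[-1])
    filename = conf.get("dbfilename", ["dump.rdb"])[-1]
    if posixpath.basename(directory) == ".ssh" or directory.startswith(SUSPECT_DIRS):
        findings.append(f"dump directory {directory} is outside a data location")
    if not filename.endswith(".rdb"):
        findings.append(f"dbfilename {filename} is not an RDB file")
    return findings
```

The same audit applied to the output of CONFIG GET on a running instance catches the post-compromise state (dir /root/.ssh, dbfilename authorized_keys), which a config file review alone would miss.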
Which of these should Mac Admins worry about?
ALL OF THEM
The Managed Environment
The Source
Source: Verizon DBIR 2016 Report
The Managed Environment
Vulnerability vectors
The Managed Environment
Vulnerability vectors
The Cloud
Shadow IT
BYOD
Management tools
The Managed Environment
The Cloud
• Credential compromise
• Code vulnerabilities
• Off-site data
• Patched too slow
The Managed Environment
Shadow IT
• Vulnerabilities
• Malware/APT
• Data exfiltration
• Bypass managed resources
The Managed Environment
BYOD
• Malware/APT transmission
• Unprotected data
• Stored credentials
The Managed Environment
Management Tools
• Licensed software theft
• No payload verification
• Apple management tools
  • DEP -> MDM exposure
Management Tools
Insecure Default Configuration
• JAMF SSL configuration defaulted to no verification
  • Allows an attacker to MITM connection
  • SSL MITM allows viewing traffic in the clear
  • See plaintext XML, settings, passwords
🔗https://www.okta.com/blog/2016/09/deploying-jamf-server-software/
Management Tools
• Software deployment compromised
  • No payload integrity checking performed
    • TUF - The Update Framework
    • Use multiple keys to validate payloads
  • Insert replacement payload for existing item
  • Now deploys item + APT (as root!)
Management Tools
DEP to MDM brute-force
• DEP API only requires a valid serial number
• Example: run /usr/libexec/mdmclient dep nag
• DEP API returns MDM config if serial number found
• Apple serial numbers can be easily guessed/generated
• Guess serial -> send DEP request -> get MDM config
• MDM enrollment -> get 🥓
The Admin
What is their attack surface?
The Admin
• Access to credentials for many systems
• More access than needed (just sudo/yolo it)
• Lack full picture of sensitive systems
• Imperfect security hygiene
  • Also vulnerable to phishing!
  • Password reuse / weak passwords
The Admin
• Store shared secrets in a common system
  • Credentials compromised
  • Admin access on other systems
• Example: Palantír
  • Red team gained access to wiki
  • Contained JAMF admin credentials
  • Rogue payload added
The Admin
https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
What is U2F?
https://www.yubico.com/about/background/fido/
The User
What is their attack surface?
The User
• Top phishing target
• Shadow IT to use tools they want
• BYOD to use devices they want
• Security hygiene
  • Misconceptions
  • Lack thereof
The User
• Phishing gains access to user
• Attacker gains further access by pivoting
  • Access internal-only systems/networks
  • Use contacts to phish other higher-privileged users, gain access
  • Host CNC server for further attacks
The User
https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
What's the Solution?
Not The Solution
• Cycling passwords every month/week/day
  • Cycle SSL certs instead
• MOAR Antivirus!
  • Checkbox security is not security
• MDM!
  • Fancy management tools won't fix bad practices
The Solution - Managed Environment
• Don't expose services that don't need it
• Leave no default configuration unchecked
• Use 2FA where possible - U2F = best
• Use PKI for SSH access to servers
• Have a testing environment
• Demand better from your vendor
The Solution - Users
• Educate users on good security hygiene
  • Apply updates quickly
  • Phishing awareness
  • Strong, unique passwords
  • Password manager
  • 2FA (Push, U2F)
• Use 2FA? Stop using SMS!
The Solution - Admins
• Take your own advice!
  • Offer software updates quickly
  • Phishing affects you too, more damaging
  • Strong, unique passwords
  • Password manager
  • 2FA (Push, U2F)
• Use 2FA? Seriously, stop using SMS!
Conclusion
• All members of the managed environment are important
• Overall security is only as strong as your weakest part
  • Perfect users + lax admins = ☠
  • Lax users + perfect admins = ☠
  • Perfect systems + lax humans = ☠
Conclusion
• Point is to make it a lot harder to be breached using simple to follow practices
• Rise of phishing = lazy works
• Unless you are Google/Facebook/Twitter/GH no one is going to burn a 0-day on you
• Implement the top 5 and be 99% more secure than you are now
Thank you!
Questions?
https://seclist.us/pret-printer-exploitation-toolkit.html
https://github.com/RUB-NDS/PRET
https://duo.com/assets/ebooks/The%20Trouble%20With%20Phishing.pdf
https://www.owasp.org/index.php/Threat_Risk_Modeling
https://duo.com/blog/why-the-mongodb-ransomware-shouldnt-surprise-anyone
https://www.okta.com/blog/2016/09/deploying-jamf-server-software/
https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
https://www.yubico.com/about/background/fido/
https://duo.com/assets/pdf/Scanning%20IPv4%20for%20Free%20Data%20and%20Free%20Shells.pdf