Post on 05-Jun-2020

Under the Hoodie

Lessons learned from a season of penetration testing

Samantha Humphries, Rapid7

NOPE…..

>whoami?

Samantha Humphries

Senior Product Marketing Manager – Global Consulting Services

20 Years in IT Security

Nephophile, F1 Fanatic, Star Wars Geek, Terrible DJ

Dislikes: Airports, Polystyrene, & Liquorice

@safesecs

>whoamRapid7?

Established in 2000

Acquired Metasploit in 2009

Only vulnerability management vendor listed as a Researcher by MITRE

Research projects: Under The Hoodie

Project Heisenberg

Project Sonar

National Exposure Index

Quarterly Threat Reports

>whoamRapid7?

Powering

The Practice of SecOps

Shared visibility, analytics, and automation

Rapid7 Insight

Threat Intelligence

Research & attacker modeling

EXPERTISE

Visibility into new attacks

Open Source Community

COMMUNITY

Thousands of global users & contributors

At Rapid7, our passion is to be ahead of the attackers—the people and groups that might use technology to harm our businesses and lives.

Security Researchers

Dedicated teams and consultants

All pentests are not equal!

Pentesting is essentially artisanal

Penetration testers focus on micro details

What happens at a macro perspective?

Pentesting techniques are often occult

Pentesters “always” “win”

Under the Hoodie

Collected survey results from 268 engagements in 2017-2018

Includes pentests of various scopes

Covers multiple industries, org sizes, geographies

General tactics employed:

Vulnerability types

Common misconfigurations

Credentials

Building the Report

Scope & Target Organisations

Let’s Scope-ify!

Scope & Target Organisations

Engagement Types

External: 157

Internal: 85

Neither: 17

Mixed: 9

Scope & Target Organisations

Engagement Times

>1 week: 29

1 week: 178

2 weeks: 35

3 weeks: 7

4+ weeks: 2

Scope & Target Organisations

Surprise: Attackers tend to like their weekends!

Scope & Target Organisations

Data Types for Validation

Sensitive Internal Data: 155

PII: 144

Credentials: 100

PCI: 57

Medical Records: 29

Scope & Target Organisations

Test Frequency – Small Orgs

Don’t Know: 57

Quarterly: 6

Semi Annually: 7

Annually: 62

You were our first: 22

Test Frequency – Large Orgs

Don’t Know: 38

Quarterly: 4

Semi Annually: 100

Annually: 9

You were our first: 37

How often should we run a pentest?

Vulns Exploited

Vulnerabilities are unintentional functionality or an undocumented API

Exploits are interfaces that leverage vulnerabilities until the functionality is removed by the vendor

84% of engagements saw at least one vulnerability exploited

Vulns Exploited

Internal Tests (n=178)

Broadcast Name Resolution: 43

CSRF/Clickjacking: 1

Local Privilege Escalation: 17

None. W00t!: 6

SMB Relaying: 46

A N Other Vuln: 41

XSS: 3

External Tests (n=214)

Broadcast Name Resolution: 2

CSRF/Clickjacking: 25

Local Privilege Escalation: 5

None. W00t!: 43

SMB Relaying: 3

A N Other Vuln: 94

XSS: 29

Vulns Exploited

All Tests

A N Other Vuln: 140

None. W00t!: 67

SMB Relaying: 51

Broadcast Name Resolution: 47

XSS: 32

CSRF/Clickjacking: 26

Local Privilege Escalation: 25

Wait, Sam! These numbers don’t quite add up?

Good Pentesting Involves Exploit Chaining

Guess how many times we used a 3rd party 0day?

Misconfigurations Leveraged

It’s not just Vulns & Exploits….

Misconfigurations Leveraged

Not really something to be “patched”

Usually site-specific implementation errors

Usually common across sites

Usually more common on internal assessments

Misconfigurations Leveraged

Internal Tests (n=235)

Default Account Access: 18

No Detection Controls: 17

No Least Privilege: 33

No Network Segmentation: 20

No Patch Management: 31

None, hooray!: 9

Password Re-use: 36

Svc Accts as Domain Admin: 26

Service Misconfiguration: 22

A N Other Misconfig: 22

Misconfigurations Leveraged

External Tests (n=201)

Default Account Access: 6

No Detection Controls: 5

No Least Privilege: 9

No Network Segmentation: 2

No Patch Management: 9

None, hooray!: 71

Password Re-use: 7

Svc Accts as Domain Admin: 5

Service Misconfiguration: 27

A N Other Misconfig: 56

Credential Capture

Considered an “easy win” by penetration testers

Credential Capture

How often were credentials successfully obtained? (Cue: Possible Emotional Response)

Credential Capture

External Engagements

Creds obtained: 33%

Internal Engagements

Creds obtained: 86%

Mixed Engagements

Creds obtained: 78%

Credential Capture

What was the most common method to successfully obtain credentials?

Automated social engineering? MITM? 3rd party password dumps?

Credential Capture

We guessed. Yep.

Credential Capture

Also, usernames aren’t *that* hard to find

Credential Capture

Different organisations tend to use the same patterns:

Variations of “password”: Password1, Password1!

Our favourite: Current season + year + bang: Spring2019!

Variations on the organisation’s name: Acme1234, Acme1234!

Credential Capture

Common Trailing Digits

Single Digit: 1

Double Digits: 23

Triple Digits: 123

Quadruple Digits: 2009 (?)

Quintuple: No Surprises.

Credential Capture

Get elegant with your password policy
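As an added example (not from the deck or Rapid7), a policy filter that rejects the guessable patterns the talk lists: variations of "password", season + year + bang, organisation name + digits, and the common trailing-digit runs. The `org_names` parameter and the sample brand "Acme" are assumptions; a real deployment would supply its own brand words.

```python
import re
from datetime import date

# Patterns the deck calls out: "Password1!", "Spring2019!", "Acme1234!".
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Undo common leet substitutions so "P@ssw0rd" is judged as "password".
LEET = str.maketrans("@$01345", "asoieas")


def password_pattern_findings(password, org_names=(), year=None):
    """Return the list of talk patterns a candidate password matches.

    An empty list means none matched. This is a blocklist for the patterns
    the deck describes, not a complete strength check (length, breach
    lists and so on are out of scope here). org_names is an assumed
    parameter: the policy owner supplies their own brand words.
    """
    year = year or date.today().year
    pw = password.lower()
    findings = []

    # Split into a word core, a run of trailing digits and a punctuation
    # tail, so "Password1!" becomes core "password", digits "1", tail "!".
    core, digits, tail = re.fullmatch(r"(.*?)(\d*)([^\w]*)", pw).groups()
    plain_core = core.translate(LEET)

    if plain_core in ("password", "passwd", "pass"):
        findings.append("variation of 'password'")
    if core in SEASONS and len(digits) in (2, 4):
        findings.append("season + year")
    if plain_core in {name.lower() for name in org_names}:
        findings.append("organisation name")
    if digits in ("1", "23", "123"):
        findings.append(f"common trailing digits '{digits}'")
    elif len(digits) == 4 and 1950 <= int(digits) <= year + 1:
        findings.append(f"trailing year '{digits}'")
    if tail.endswith("!"):
        findings.append("trailing bang")
    return findings


def is_allowed(password, org_names=()):
    """Policy hook: True only when none of the deck's patterns match."""
    return not password_pattern_findings(password, org_names)
```

Wire `is_allowed` into whatever password-change path you control; the findings list is what to show the user so they learn why the pattern was refused.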

Detection Evasion

Remember, we’re generally pretty unsubtle

Detection Evasion

Catch us if you can!

Detected within 1 hour: 20

Detected within 1 day: 56

Detected within 1 week: 20

Evaded detection: 153

Wisdom From Under The Hoodie

Fascinating stuff, Sam, but now what?

Wisdom From Under The Hoodie

Patch / Effective Vuln Mgmt*

Segment your networks

Practice Decent Asset, Account, & Privilege Management

Revisit software configuration – default passwords are bad, m’kay

Tighten up your password policy (no seasons!)

Even Moar Wisdom From Under The Hoodie

Loads more stats & analysis in the report: https://www.rapid7.com/info/under-the-hoodie/

Also, stories! “This One Time on a Pentest” sidebars

At us on Twitter!

@todb (Research Director)

@kwantative (Sr Data Scientist)

@safesecs (Me!)

@rapid7 (All of us)

Meet our team at stand R580
