TRANSCRIPT
Under the Hoodie
Lessons learned from a season of penetration testing
Samantha Humphries, Rapid7
NOPE…..
>whoami?
Samantha Humphries
Senior Product Marketing Manager – Global Consulting Services
20 Years in IT Security
Nephophile, F1 Fanatic, Star Wars Geek, Terrible DJ
Dislikes: Airports, Polystyrene, & Liquorice
@safesecs
>whoamRapid7?
Established in 2000
Acquired Metasploit in 2009
Only vulnerability management vendor listed as a Researcher by MITRE
Research projects: Under The Hoodie
Project Heisenberg
Project Sonar
National Exposure Index
Quarterly Threat Reports
>whoamRapid7?
Powering the practice of SecOps: shared visibility, analytics, and automation (Rapid7 Insight)
Expertise: threat intelligence, research & attacker modelling, visibility into new attacks
Community: open source community, thousands of global users & contributors
Security researchers: dedicated teams and consultants
At Rapid7, our passion is to be ahead of the attackers—the people and groups that might use technology to harm our businesses and lives.
All pentests are not equal!
Pentesting is essentially artisanal
Penetration testers focus on micro details
What happens at a macro perspective?
Pentesting techniques are often occult
Pentesters “always” “win”
Under the Hoodie
Collected survey results from 268 engagements in 2017-2018
Includes pentests of various scopes
Covers multiple industries, org sizes, geographies
General tactics employed:
Vulnerability types
Common misconfigurations
Credentials
Building the Report
Scope & Target Organisations
Let’s Scope-ify!
Engagement Types
External: 157
Internal: 85
Neither: 17
Mixed: 9
Engagement Times
<1 week: 29
1 week: 178
2 weeks: 35
3 weeks: 7
4+ weeks: 2
Surprise: Attackers tend to like their weekends!
Data Types for Validation
Sensitive Internal Data: 155
PII: 144
Credentials: 100
PCI: 57
Medical Records: 29
Test Frequency – Small Orgs
Don’t Know: 57
Quarterly: 6
Semi-annually: 7
Annually: 62
You were our first: 22
Test Frequency – Large Orgs
Don’t Know: 38
Quarterly: 4
Semi-annually: 100
Annually: 9
You were our first: 37
How often should we run a pentest?
Vulns Exploited
Vulnerabilities are unintentional functionality, or an undocumented API, in a piece of software
Exploits are interfaces that leverage that vulnerability; they keep working until the vendor removes the functionality (i.e. patches it)
84% of engagements saw at least one vulnerability exploited
Internal Tests (n=178)
Broadcast Name Resolution: 43
CSRF/Clickjacking: 1
Local Privilege Escalation: 17
None. W00t!: 6
SMB Relaying: 46
A N Other Vuln: 41
XSS: 3
External Tests (n=214)
Broadcast Name Resolution: 2
CSRF/Clickjacking: 25
Local Privilege Escalation: 5
None. W00t!: 43
SMB Relaying: 3
A N Other Vuln: 94
XSS: 29
All Tests
A N Other Vuln: 140
None. W00t!: 67
SMB Relaying: 51
Broadcast Name Resolution: 47
XSS: 32
CSRF/Clickjacking: 26
Local Privilege Escalation: 25
Wait, Sam! These numbers don’t quite add up?
Correct: a single engagement can exploit several vulnerabilities, so these tallies count exploited vulnerabilities rather than engagements
Good Pentesting Involves Exploit Chaining
Guess how many times we used a 3rd party 0day?
Misconfigurations Leveraged
It’s not just Vulns & Exploits….
Not really something to be “patched”
Usually site-specific implementation errors
The same classes of error recur across sites, though
Usually more common on internal assessments
Internal Tests (n=235)
Default Account Access: 18
No Detection Controls: 17
No Least Privilege: 33
No Network Segmentation: 20
No Patch Management: 31
None, hooray!: 9
Password Re-use: 36
Svc Accts as Domain Admin: 26
Service Misconfiguration: 22
A N Other Misconfig: 22
External Tests (n=201)
Default Account Access: 6
No Detection Controls: 5
No Least Privilege: 9
No Network Segmentation: 2
No Patch Management: 9
None, hooray!: 71
Password Re-use: 7
Svc Accts as Domain Admin: 5
Service Misconfiguration: 27
A N Other Misconfig: 56
Credential Capture
Considered an “easy win” by penetration testers
How often were credentials successfully obtained? (Cue: Possible Emotional Response)
External Engagements
Creds obtained: 33%
Internal Engagements
Creds obtained: 86%
Mixed Engagements
Creds obtained: 78%
What was the most common method to successfully obtain credentials?
Automated social engineering? MITM? 3rd party password dumps?
We guessed. Yep.
Also, usernames aren’t *that* hard to find
Different organisations tend to use the same patterns:
Variations of “password”: Password1, Password1!
Our favourite: Current season + year + bang: Spring2019!
Variations on the organisation’s name: Acme1234, Acme1234!
Common Trailing Digits
Single Digit: 1
Double Digits: 23
Triple Digits: 123
Quadruple Digits: 2009 (?)
Quintuple: No Surprises.
Get elegant with your password policy
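A policy filter that rejects exactly the password shapes listed above, as an added example: this is not Rapid7's code and is not from the Under the Hoodie report. It flags "password" variants, Season+Year+bang, OrgName+digits, and a short word padded with the common trailing digits (1, 23, 123, a year). The leet-speak normalisation ("P@ssw0rd", "Spr1ng") and the 12-character minimum go beyond what the slides say and are this example's own assumptions, as are the org name "Acme" and the constructed sample passwords.

```python
"""Password filter for the guessable patterns pentesters try first.

Added example, not Rapid7's code or anything from the Under the Hoodie
report. The leet normalisation, MIN_LENGTH, the org name "Acme" and the
sample passwords are this example's own assumptions.
"""
import re
from typing import Dict, Iterable, Optional

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MIN_LENGTH = 12  # assumed local policy value, not from the talk

# Map the usual character substitutions back to letters so that
# "P@ssw0rd" and "Spr1ng" hit the same rules as the plain word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# stem + run of digits + run of trailing symbols, e.g. "Acme" "1234" "!"
SUFFIX_RE = re.compile(r"^(?P<stem>.*?)(?P<digits>\d*)(?P<symbols>[!@#$%^&*.?_-]*)$")
YEAR_RE = re.compile(r"(19|20)\d{2}")
SEASON_YEAR_RE = re.compile(r"(19|20)?\d{2}")  # "2019" or just "19"
COMMON_TRAILERS = {"1", "23", "123"}           # the talk's single/double/triple digits


def weak_pattern(password: str, org_names: Iterable[str] = ()) -> Optional[str]:
    """Return the name of the guessable pattern a password matches, or None."""
    parts = SUFFIX_RE.match(password)
    stem, digits, symbols = parts.group("stem", "digits", "symbols")
    norm = stem.lower().translate(LEET)

    # Password1, Password1!, P@ssw0rd, Pa$$word123 ...
    if norm.startswith("password"):
        return "password-variant"

    # Spring2019!, Summer23, Winter2018 ...
    if norm in SEASONS and SEASON_YEAR_RE.fullmatch(digits):
        return "season+year"

    # Acme1234, Acme1234! ... (org name plus at most a few extra letters,
    # then a digit and/or symbol suffix)
    for org in org_names:
        o = org.lower().translate(LEET)
        if norm.startswith(o) and len(norm) - len(o) <= 3 and (digits or symbols):
            return "org-name+digits"

    # Welcome1, Monday123, Letmein2009! : one short dictionary-style word
    # followed by the trailing digits the talk lists as most common
    if (digits and norm.isalpha() and len(norm) <= 8
            and (digits in COMMON_TRAILERS or YEAR_RE.fullmatch(digits))):
        return "short-word+common-digits"

    if len(password) < MIN_LENGTH:
        return "too-short"
    return None


def audit(passwords: Iterable[str], org_names: Iterable[str] = ()) -> Dict[str, str]:
    """Map each rejected password to the pattern that rejected it."""
    org_names = tuple(org_names)
    found = {}
    for pw in passwords:
        hit = weak_pattern(pw, org_names)
        if hit:
            found[pw] = hit
    return found


if __name__ == "__main__":
    # Constructed sample set; "Acme" stands in for the target org's name.
    sample = ["Password1!", "P@ssw0rd", "Spring2019!", "Summer23",
              "Acme1234!", "Welcome1", "correct-horse-battery-staple"]
    for pw, why in audit(sample, org_names=("Acme",)).items():
        print(f"{pw:32} rejected: {why}")
```

Run it wherever passwords get set (a directory password filter, an IdP policy hook) or over a cracked-hash list after an engagement; returning the pattern name rather than a bare reject lets the error message tell the user which habit to drop.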
Detection Evasion
Remember, we’re generally pretty unsubtle
Catch us if you can!
Detected within 1 hour: 20
Detected within 1 day: 56
Detected within 1 week: 20
Evaded detection: 153
Wisdom From Under The Hoodie
Fascinating stuff, Sam, but now what?
Patch / Effective Vuln Mgmt*
Segment your networks
Practice Decent Asset, Account, & Privilege Management
Revisit software configuration – default passwords are bad, m’kay
Tighten up your password policy (no seasons!)
Even Moar Wisdom From Under The Hoodie
Loads more stats & analysis in the report: https://www.rapid7.com/info/under-the-hoodie/
Also, stories! “This One Time on a Pentest” sidebars
At us on Twitter!
@todb (Research Director)
@kwantative (Sr Data Scientist)
@safesecs (Me!)
@rapid7 (All of us)
Meet our team at stand R580