My background in IT comes mostly from a nomadic perspective. In my years of IT and InfoSec, I've had the makings of a career consultant - different client each week, different city, different nature of work. It's been a long and diverse journey, and I've loved just about every minute of it. I wake up every day and say "hey, I get to be a pretend bad guy and get paid for it!"
Some things are consistent, however, and I'm not talking about the flight delays or lost luggage - your most common adversary is a network run by an IT team. Most of the time that team is a wonderful, hard-working group of people, many of whom are forced to wear a number of hats on a daily basis to keep the clocks turning, the network up, and the users working. Of those hats, the most conspicuously absent is that of Offensive Security.
"Offensive Security? That's what I pay you for!"
This is, in part, true - organizations hire qualified penetration testers all the time, and it's money well spent! However, many of these same organizations forget a few things:
- The engagement is very focused and specific, such as PCI. In these types of engagements, the tester is intent on compromising a specific set of networks and data, in this case of the cardholder variety. While just about everything can be "fair game" in order to effectively simulate a PCI breach, these types of engagements are meant to test a narrowly defined block of network real estate. This makes it easy to overlook distant or non-affiliated (but still important overall) segments, such as development networks.
- Even with a non data-specific penetration test, it's important to remember that penetration testing is not designed to find all vulnerabilities. It may sound disheartening to think that you may remediate attack vectors 1-5 that were uncovered during testing, only to find that next year there is an additional vector due to a newly discovered vulnerability. Or, perhaps, a manager with an unpatched laptop was on vacation during the last pentest. Testing has a time constraint, whereas the bad guys don't.
Try as you might, security is enough of a moving target that you will likely never find "everything". On a scale of who has it the "easiest", it's probably the bad guys - they have unlimited time, no restrictions, and don't really care what resources they may knock over on the way. Penetration testers have to work with the constraints of scope, time, and a delicate touch, but even we get the advantage of not having "network tunnel vision" - that is, we see the network from a perspective most IT teams do not. Finally, IT teams have the hardest job - they are tasked with fixing myriad issues/weaknesses/vulnerabilities, whereas penetration testers (and by proxy, bad guys) only need to find one.
That's where the concept of "security self-defense" comes in. It's difficult to gain the same broad base of security knowledge when you only see a single setup day to day (vs the thousands of networks we get to see per year), but you can still learn the methods of offensive security and how to "think like a bad guy". Let's take a look at some useful areas of concern.
Man-in-the-Middle (MitM) Attacks
Man-in-the-middle (MitM) attacks are a very potent, multi-faceted, and devastating class of infrastructure based attacks. To defend against them takes the correct blend of network architecture, host, and network services configuration security and hardening. The best way to understand and secure against these attacks is to learn the mechanics of how they work. What is the attacker looking for? How about:
- Eavesdropping - an attacker may just want to listen in to see what hosts are communicating, what they are saying, and gain insight from any plaintext protocols.
- Session hijacking - with a tool (such as SpiderLabs' thicknet), sessions such as SQL server sessions can be hijacked to introduce rogue commands. For example, an attacker may trigger a command to add a user or change privileges.
- Data manipulation - Even simple web traffic can be manipulated, such as adding a UNC path to capture NTLM hashes.
It's tempting to think of compromise as vulnerability x leads to exploit y, but this is almost never the case. In fact, it's quite common to exploit normal functionality on systems in order to gain access. This has the added advantage that it appears as normal traffic and not a signature of a specific exploit. Items such as LLMNR, NetBIOS over TCP, and null enumeration can all combine to provide accounts for an attacker, all without even having to connect to the target machine first. Worse yet, user-based security gaps (such as password re-use) can provide headaches for containing a compromise.
An IT team's greatest nightmare can be the users themselves and the data they're tasked to manage. No matter how many policies they put into place, users will still be users - and that means leaving useful data (to a pentester) lying about. Whereas that Visio diagram of the network may be something you see every day, it's a wonderful find for an attacker. Router configs, user data in spreadsheets, even leftover scan data - all of these can be used as information for further compromise.
If you learn to think like an attacker, you can gain insight into how you configure your network, apply your policies, and better understand who/what you are protecting against. The idea that you cannot be 100% secure should not discourage you; rather, it should encourage you to find a happy medium wherein you can be "compromise resistant" enough to properly detect and respond to incidents before they become harmful.