With the Black Hat and DEF CON security conferences last week in Las Vegas, two topics are top of mind for me and those in my organization: best practices for securing the network and the importance of applying software security updates. An event like Black Hat or DEF CON certainly raises awareness, but what’s really important is to take that awareness and embed it into daily management of the network. For the most part, those practices are followed on end points and applications. Unfortunately, our data indicates that patching in the infrastructure is much less consistent. This is usually based on complexity and the demands of uptime placed on the network. Events like Black Hat give my teams an opportunity to deliver training on implementing network-based mitigations and defenses. In many cases, participants in these events are simply unaware of what is available in newer versions of our products.
In many exploit scenarios, an attacker finds a target and, if possible, establishes remote control over the system through known or unknown exploits. Whether the attacker uses a buffer overflow, insecure configuration, phishing for credentials, or cookie-stealing, the goal is clear: get a remote shell and gain complete control. Then what?
It is this post-exploitation environment that has interested me at this year’s Black Hat 2011. Several talks and trainings discuss post-exploitation techniques, and I’d like to share them in the interest of research – and defense.
Data breaches dominated security news during the first half of 2011 and companies across all industry sectors were equally impacted. Many of these breaches resulted from advanced persistent threats; others resulted from SQL injection and other brute force intrusions. In all cases, customer data and corporate intellectual property were at risk.
In the Cisco 2Q11 Global Threat Report, Cisco CSIRT Manager Gavin Reid discusses the unique challenges of APTs and network intrusions. Gavin offers real world practical advice from a frontline perspective, offering valuable pointers for tweaking and using the tools you probably already have in place.
In the last few years there has been a major shift in the vulnerability landscape from a focus on attacking network-based server applications to attacking client applications using malicious file formats. Due to this shift there has been a variety of new techniques developed by attackers for more reliable control post-exploitation.
One of the techniques that is commonly used by attackers is the EXE drop. Basically this technique revolves around placing an executable file within the data format in which the vulnerability takes place. Post exploitation, the payload searches for the file descriptor that is associated with the data file, copies the EXE file from it to disk, and executes the EXE file in a new process. Some examples of data formats that are commonly used in an EXE drop exploit are Office documents, Shockwave Flash Files, and image files. The EXE drop technique is useful for several reasons; one reason is because it makes coding the payload easier. The executable can be crafted quickly and compiled for a specific target. Also, by copying an executable file to disk (persistent storage) it’s fairly easy to maintain residency by adding an entry to the autorun registry keys for example.
As the Nexus platform has become a staple in the data center environment, securing the environment begins with the Nexus Operating System (NX-OS). The recently published NX-OS hardening guide seeks to deliver on that. The Cisco NX-OS Hardening Guide provides information to help administrators and engineers secure NX-OS system devices, inherently increasing the overall security of a network environment. With the ever-increasing opportunity for exploits and vulnerabilities to prevail, it is imperative that organizations adopt and apply best practices to harden their infrastructure devices. We all know that an environment is only as strong as the weakest link, thus every effort should be made to ensure that each device is hardened.