BSides puts on events for the information security community which expand the spectrum of conversation beyond the traditional confines of space and time. So of course, I volunteered for the local BSides Chicago, which put a powerful local forum together for discussion outside the bounds of the traditional big name conferences. The evening before the conference I met with other volunteers to help fill swag bags and prep badges. The people working behind the scenes were dedicated security professionals looking to differentiate BSides from other conferences that sell subscriber lists and give preference to speakers from big paying vendors. They succeeded as all the presenters brought their own style, unique content and ideas to the stage.
For example, Shannon Fritz took us on a journey from cracking into a stolen Microsoft Windows laptop to hacking Active Directory (AD). In his example, Mr. Fritz was able to take control of the laptop simply by accessing Notepad from the command prompt, then replacing a few files so he could reboot the laptop and take over with administrator privileges. For his next trick, he assumed that he was able to access the target’s Wi-Fi connection via a lobby or mothers’ room to start his successful attack on AD. Shannon easily took advantage of unmonitored service accounts, gained administrative rights, and finally viewed and changed AD records.
What can you do?
Here are a few tips to prevent nefarious hackers from going down the same road with your PC.
First, if you haven’t already, ensure you use disk encryption like BitLocker. BitLocker not only encrypts the boot drive, but also implements a second level of access control on startup. BitLocker can be configured in many ways; in user authentication mode it asks for pre-boot authentication, which prevents an attacker from simply booting the PC from a thumb drive. Highly motivated hackers might try a cold boot attack, but that relies on data left behind in RAM and is not an easy target.
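The following PowerShell audit is an added example (not from the original post or the speaker) that checks each BitLocker volume for the configuration recommended above: protection turned on and a pre-boot authentication protector (TPM+PIN, with or without a startup key) on the operating system drive. It assumes the built-in BitLocker module on Windows Pro/Enterprise and an elevated prompt; the function name is my own.

```powershell
# Added example, not part of the original post. Requires the BitLocker module
# (Get-BitLockerVolume) and an elevated PowerShell session.

function Test-PreBootAuthentication {
    [CmdletBinding()]
    param()

    # KeyProtectorType values that require the user to authenticate before
    # Windows boots (the "user authentication mode" described above).
    $preBootTypes = @('TpmPin', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType           # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus     # On / Off
            EncryptionPct    = $vol.EncryptionPercentage
            KeyProtectors    = ($types -join ',')
            # True only when a TPM+PIN style protector is present.
            PreBootAuth      = [bool]($types | Where-Object { $preBootTypes -contains $_ })
            # A recovery password should exist so a forgotten PIN does not brick the drive.
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

# Report only OS volumes that miss the recommended configuration:
# protection off, no pre-boot authentication, or no recovery password escrowed.
Test-PreBootAuthentication |
    Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and
        ($_.ProtectionStatus -ne 'On' -or -not $_.PreBootAuth -or -not $_.HasRecoveryKey)
    } |
    Format-Table -AutoSize
```

If the OS drive is already encrypted with a TPM-only protector, a PIN can be added with `Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin (Read-Host -AsSecureString)`, provided Group Policy permits TPM+PIN at startup. Back up the recovery password (for example to AD) before enforcing the PIN.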
Second, there are many controls that can be put into place to protect and monitor AD such as Micro Focus Directory Resource Administrator (DRA) and Privileged Account Manager (PAM). DRA can be used to delegate access including permissions to AD, and PAM can be used to enforce least privilege as well as create additional risk-based access controls. If you have AD in your environment how are you preventing hackers from taking control? Yeah, I thought so!
Who’s best? East or West?
In another session, Alex Holden gave an intimate account of our adversaries in Eastern Europe. We discussed who these people are and what leads them to a life of crime. It was a sad account of desperate young criminals driven by money, drugs, and extortion; they see no other way out than turning to the Dark Web.
They use sharpened technical skills, social engineering, and influence to hack big name targets looking for any return, even a small one. He told us about a hacker looking to sell a database with millions of records for just a few rubles. In addition, malicious hackers work for crime bosses as a loose team of contractors, each specializing in an area like cracking passwords, ransomware, network infiltration, and database exfiltration.
Often hackers won’t even know the goal of the attack, only what they have been contracted to do. This underscores why understanding each phase of the Kill Chain can provide a roadmap to creating an effective security strategy.
Alex and his team go to great lengths to understand the criminal mind. His staff speak multiple languages including Polish, Ukrainian, and Russian. They also undergo intensive training designed to help identify malicious behavior and communicate with hackers. They have been credited with the discovery of many high-profile breaches including the JPM breach and the Target breach.
I caught up with Alex and he told me that he regularly works with Brian Krebs, the author of Spam Nation, an inside look at organized crime from Eastern Europe. My takeaway is that we are facing a tidal wave of attacks as relentless hackers are growing in numbers and will go to any length to profit from crime.
Where to next?
For those who wanted more hands-on experience, there was a lock-pick village and a CTF (Capture the Flag) contest in which participants practiced hacking into a fictitious healthcare company.
BSides events are a great place for experienced professionals, and for those just looking to get into the industry, to get involved in the community. Check out the next events in Zurich, Warsaw, Delhi, Manchester, St. Louis, Dallas or a place near you!