Quick Bites Ep 5 - The Call Is Coming From INSIDE THE HOUSE
Man, I’ll be honest - I’m super excited to be doing a Halloween-themed blog post this year. So, long before I was big into hacking, I was into horror, specifically horror movies. I’ve devoted a large part of my life to horror. I have a rather nice collection of horror movie posters, memorabilia, props (some I’ve created myself), masks, and even a couple old school style lunch boxes. My colleague Kathy Collins and I are HUGE horror buffs. We’ve waxed poetic quite a few times over different movies, and I think that horror has a lot to offer viewers who are interested in it.
Aside from the blood, guts, and gore (that I thrive on - I wanted to be a Special Makeup Effects artist when I was growing up), horror is one of the primary places to learn about morality tales. As a matter of fact, there’s a lot that the IT Security industry can learn from horror movies. OOOOOOHHHH! Maybe I can write a series of posts about different horror movies and how they can be viewed from an infosec perspective? That’s something to chew some brains over in the near future… [Editor’s note: We really tried to get him to talk about something else besides eating brains, but he threatened us with a large butcher knife. It’s Halloween season, so we let it go.] Maybe we can get some other horror fans in here, and have conversations about it. I’m spitballing here, but the point that I’m trying to make is that we can draw a lot of parallels between horror and infosec.
So, come on, hitch a ride at Midnight on a dark lonely road with me. Or rather, sit in the attic with me in the dark, so you never see my face. We’re diving into an old trope today.
“The call is coming from inside the house.”
Some of you may be familiar with this phrase, as it’s been used in several different art forms over the years since its inception. Most people believe that it came from Fred Walton’s When A Stranger Calls (1979); however, that was actually the second known use of the phrase. The original use was in 1974 with Bob Clark’s** classic Black Christmas. Now, I’m not going to ruin anything for you about the movie except this -
The call was coming from inside the house.
In many circles, the original version of Black Christmas was one of the original prototypes of slasher cinema. John Carpenter’s Halloween stands out as the first slasher movie per se, but Black Christmas really had it all to begin with - including the creepy ending about where the murderous calls were coming from all night long.
Long story short, the killer in these movies is OFTEN the insider threat. Kevin Williamson and Wes Craven did a fantastic send-up/homage to the insider threat in Scream. While that wasn’t necessarily about the calls coming from inside the house, it WAS about how it was someone in the inner circle of friends/colleagues killing everyone else. Scream, man. That’s a great movie. Sorry, I can go on about movies for …awhile. Especially horror movies. It’s a gift! Ahem.
Anyway, what does this have to do with infosec? Everything.
“The attack is coming from INSIDE THE NETWORK!”
The insider is one of the most dangerous threat actors, because they already have access. What do they have access to? Well, that depends on what you GAVE them access to. Account privilege and file permission misconfigurations are among the most exploited vulnerabilities on networks and web applications (APIs - I’m lookin’ at you). When a user’s account has been misconfigured, it may have access to things that it shouldn’t.
Here’s the thing - we attackers have been preaching on this for years, so I’ll go back to my oldie but goodie - the HR, Accounting, and IT departments at Silver Shamrock Industries. All three departments typically exist in each organization (and let’s be real - they’re easy to pick on), and they’re about to experience some major issues.
The insider threat looks something like this -
- IT has access to the actual servers which store the data for all departments. It’s a part of their job function. However, access should be limited to the servers themselves, and the file shares that belong to the department. (This will come into play later…)
- Accounting has access to accounting shares, accounting software which connects to AD for SSO, and other systems that are needed for their job functions.
- HR has the same types of access as accounting, except for the HR department’s job functions.
Over the years, several people have moved in and out of different positions through the company, but the IT department isn’t always the best at managing the group and file permissions. Quite often, when a group is added to a user’s account, it STAYS on that account, no matter how many roles the user has moved through since.
Additionally, there are a few misconfigured file shares on the file servers, and a couple of them have some nice information for an attacker (CRM administrator credentials). This has caused a lot of headaches over the years, but not enough to warrant a process to remove permissions. After the breach they’re about to have, that’s going to change drastically.
Let’s look at a couple different ways the insider threat can use this information to attack a network and take a bite out of its neck.
SCENARIO 1: The Outsider Attack
The outsider attack is, well, a bit of a cheat. It’s when the outside attacker (Dr. Daniel Challis) gets internal network credentials to something on the network (or webapp), and uses them (and their privileges) to get access to all of the data they possibly can. Depending on the account access obtained, it could be someone in HR or Accounting, but because of file permission misconfigurations, our attacker Dr. Challis can now scan the network and find other files that may be useful…like, ohhhh, I don’t know…CRM admin credentials? Or, maybe he just found credentials to access the mask making equipment. If these are found and used in a malicious way, it could mean murder for your business.
SCENARIO 2: The Actual Insider Attack
Listen, I’m not gonna lie to you. The actual insider threat is a MUCH bigger deal. Seriously.
Why? Because the insider is already familiar with most aspects of the organization, including what the network looks like, what the organization does, and how they work - the processes. As a tester, I spend quite a bit of time learning how a company works (as much as I can) before starting testing. Often, other attackers do too. An insider already knows most of what I’m gonna be looking for. Honestly, it’s probably at least half of the job here. :)
With that being said, account and file permission misconfigurations will come into play now, as the Accounting department’s Mr. Rafferty is tired of being overlooked all the time by Mr. Cochran, and is ready to spill the beans on some of the activities that are going down at the Silver Shamrock factory. He’s recently learned how to hack some Windows networks because he’s spent time watching YouTube videos, and is now ready to pounce and strike, right before Halloween, the busiest time of the year for Silver Shamrock.
Rafferty finds the different file shares with the previously mentioned credentials, and starts poking around on the network until he finds the controls he needs to wreak havoc. Let’s get a good look at what happened, below.
Found footage of the Silver Shamrock factory after the Insider Threat took over
Oh man, Mr. Cochran looked like he had a bad day. However, I did hear something about how they have a nice statue of him out in front of the factory now.
Anyway, my point is the insider threat is SCARY. It can do some serious damage to a business, up to and including becoming a zombie. You don’t want to be a zombie, do you? (Don’t actually answer that haha!)
So, first things first. Make a POLICY.
It’s really important to have a POLICY for this process, complete with a designated person to do the checking, a designated recurring time, and any other factors that your organization may deem necessary. Reach out for more information regarding policies at email@example.com or firstname.lastname@example.org, and we’ll be glad to help with the process.
Now, make a PROCESS.
Once the policy is created and signed off on, define a PROCESS, per the policy, for reviewing account and file permissions on a REGULAR basis. This applies to every system that has file and account permissions - on-prem servers, storage, and web applications; cloud-based servers, storage, and applications; and anything else that has some permissions. Side note - vulnerability scanners will generally not check for this, so you’ll need to do it manually; in larger orgs, there are tools out there to help you manage this problem.
Just following through with this policy/process on a weekly or monthly basis can greatly reduce your overall attack surface, which in turn reduces your overall risk.
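What that recurring check can look like in practice, as an added example that is not part of the original post and not Silver Shamrock’s or any real environment’s data: a small Python review script over a constructed export of user group memberships and share ACLs. It assumes the policy owner maintains a per-department baseline of which groups a job function actually needs, and that the exports are refreshed on the schedule the policy sets (in a Windows shop, from the directory and file servers; the names, shares and group strings below are made up for the Silver Shamrock story). It flags the three things the scenario above turned on: groups that stayed on an account after a role change, share ACL entries outside the owning department’s baseline (including broad principals like Everyone), and the cross-department shares a user can therefore actually reach.

```python
"""Periodic account and file-share permission review.

Added example over constructed data: the users, groups, shares and ACLs
below are made up for this post's Silver Shamrock story and stand in for
an export you would pull from the directory and file servers on a schedule.
"""
from collections import defaultdict

# Which groups each department's job function actually needs.
# Assumption: the policy owner maintains this baseline.
ROLE_BASELINE = {
    "Accounting": {"Domain Users", "ACCT-Shares-RW", "ACCT-App-SSO"},
    "HR":         {"Domain Users", "HR-Shares-RW", "HR-App-SSO"},
    "IT":         {"Domain Users", "IT-Server-Admins", "IT-Shares-RW"},
}

# Principals that grant access far wider than a single department.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Principals every domain account matches even though they never appear
# in a user's own group list.
IMPLICIT_FOR_ALL = {"Everyone", "Authenticated Users"}

# Constructed directory export: user -> (current department, groups held).
# Rafferty moved from IT to Accounting and kept IT-Shares-RW; Cochran still
# holds an HR group from a project that ended long ago.
USERS = {
    "rafferty": ("Accounting", {"Domain Users", "ACCT-Shares-RW",
                                "ACCT-App-SSO", "IT-Shares-RW"}),
    "challis":  ("HR", {"Domain Users", "HR-Shares-RW", "HR-App-SSO"}),
    "cochran":  ("IT", {"Domain Users", "IT-Server-Admins",
                        "IT-Shares-RW", "HR-Shares-RW"}),
}

# Constructed share ACL export: share -> (owning department, {principal: rights}).
SHARES = {
    r"\\files01\accounting": ("Accounting", {"ACCT-Shares-RW": "Change",
                                             "IT-Server-Admins": "Full"}),
    r"\\files01\hr":         ("HR", {"HR-Shares-RW": "Change",
                                     "Everyone": "Read"}),
    r"\\files01\it-tools":   ("IT", {"IT-Shares-RW": "Change",
                                     "ACCT-Shares-RW": "Read"}),
}


def find_stale_group_memberships(users, baseline):
    """Groups a user holds that their *current* department does not need:
    the leftovers from earlier roles that never got removed."""
    findings = {}
    for user, (dept, groups) in users.items():
        stale = sorted(groups - baseline.get(dept, set()))
        if stale:
            findings[user] = stale
    return findings


def find_overexposed_shares(shares, baseline, broad=BROAD_PRINCIPALS):
    """ACL entries on a share that are not in the owning department's
    baseline. Broad principals are flagged regardless of the rights granted,
    because even Read is enough to pick up a stray credentials file."""
    findings = defaultdict(list)
    for share, (owner_dept, acl) in shares.items():
        allowed = baseline.get(owner_dept, set()) - broad
        for principal, rights in sorted(acl.items()):
            if principal in broad:
                findings[share].append((principal, f"broad principal with {rights}"))
            elif principal not in allowed:
                findings[share].append(
                    (principal, f"outside {owner_dept} baseline with {rights}"))
    return dict(findings)


def effective_cross_department_access(users, shares):
    """Join the two exports: which shares owned by *another* department can
    each user actually reach through any group or broad principal."""
    findings = {}
    for user, (dept, groups) in users.items():
        memberships = groups | IMPLICIT_FOR_ALL
        reachable = sorted(
            share for share, (owner_dept, acl) in shares.items()
            if owner_dept != dept and memberships & set(acl)
        )
        if reachable:
            findings[user] = reachable
    return findings


if __name__ == "__main__":
    for user, groups in find_stale_group_memberships(USERS, ROLE_BASELINE).items():
        print(f"[stale group] {user}: {', '.join(groups)}")
    for share, entries in find_overexposed_shares(SHARES, ROLE_BASELINE).items():
        for principal, reason in entries:
            print(f"[share ACL]   {share}: {principal} ({reason})")
    for user, paths in effective_cross_department_access(USERS, SHARES).items():
        print(f"[cross-dept]  {user} can reach: {', '.join(paths)}")
```

Run on the constructed data, the report shows Rafferty still holding IT-Shares-RW from his old role, Everyone with Read on the HR share, and both Rafferty and Cochran able to reach shares their departments do not own. The third check is the one that matters most for the review meeting: a stale group on its own looks harmless until you join it against the ACLs and see which doors it actually opens.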
If you made it this far, here’s your obligatory Scream reference.
Oh, this is the greatest fun. You're going to love this. We got a surprise for you, Sidney. Yeah, you're going to love this one. It's a scream, baby. Hold a second.
I’ll be right back. - Stu Macher
** Yes! That Bob Clark! The guy who also directed A Christmas Story (“You’ll put your eye out!”) and Porky’s! He’s a legend! Exclamation! Point!