Testing for compromise

  • 19-11-2019 10:11am
    #1
    Registered Users, Registered Users 2 Posts: 408 ✭✭


    Hi all,
    Hypothetically...if you were being hired as the first InfoSec person into an existing company with 300 users and some IT staff, what tools would you use to see if the network/AD etc was already compromised?


    TIA


Comments

  • Registered Users, Registered Users 2 Posts: 908 ✭✭✭Tazium


    First InfoSec person would be better to align security strategy to business strategy, make connections and gain support of senior management team while investigating tools and technologies. Depending on the motivation of the attacker, for command and control you would be advised to check proxy and gateway logs, e-mail logs for known phishing addresses/domains, and AD logs for privileged access anomalies. Asking questions and finding out if they've been breached before, invoice fraud, ransomware, misuse etc. is a good indicator too. Good luck.


  • Registered Users, Registered Users 2 Posts: 4,065 ✭✭✭spaceHopper


    You could download dumps from other breaches, for example run all the company email addresses against Have I Been Pwned. Download data dumps, look for the company domain in them. Compare hashed passwords against current user hashes. Look for users who have left that have logged in since. If I wanted to steal an account that's one I'd go after.

    You may need to write tools in Python.
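    The "users who have left but have logged in since" check from the post above, as an added example that is not the poster's own code: it joins a constructed HR leavers export against constructed logon records shaped like a CSV export of Windows Event ID 4624, and flags any logon that falls after the account's last working day (the `grace_days` parameter is an assumption, to allow for handover days).

```python
# Flag logons by accounts that HR lists as already gone. Added example; the
# leavers list and logon records below are constructed, not real data.
from datetime import datetime, timedelta

# Constructed HR leavers export: account -> last working day (ISO date).
LEAVERS = {
    "jdoe": "2019-09-30",
    "asmith": "2019-10-15",
    "bwayne": "2019-11-10",
}

# Constructed logon records shaped like a CSV export of Windows Event ID 4624
# (successful logon): timestamp,account,logon_type,source_ip
LOGON_EVENTS = """\
2019-10-02T08:15:00,jdoe,10,10.0.5.23
2019-09-29T17:40:00,jdoe,2,10.0.1.7
2019-10-20T23:05:00,asmith,3,10.0.9.101
2019-11-12T09:00:00,ccurrent,2,10.0.1.8
2019-11-11T01:30:00,bwayne,10,10.0.7.44
"""

def parse_events(text):
    """Parse the CSV-style records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, logon_type, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "logon_type": int(logon_type), "src": src})
    return events

def find_post_departure_logons(events, leavers, grace_days=0):
    """Return events where a leaver's account logged on after their last day.

    grace_days allows for handover; an event is flagged only when it falls
    after the last working day plus the grace period.
    """
    hits = []
    for ev in events:
        leave = leavers.get(ev["account"])
        if leave is None:
            continue  # current staff, not in the leavers export
        cutoff = datetime.fromisoformat(leave) + timedelta(days=1 + grace_days)
        if ev["time"] >= cutoff:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_post_departure_logons(parse_events(LOGON_EVENTS), LEAVERS):
        print(f"{ev['time']} {ev['account']} logon_type={ev['logon_type']} from {ev['src']}")
```

    Any hit is worth checking against the joiners/movers/leavers process first, since a stale leavers export produces the same signal as a stolen account.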


  • Moderators, Education Moderators Posts: 2,610 Mod ✭✭✭✭horgan_p


    If it's first things first, I would insist on a scope of work sorted with senior management BEFORE I went poking around anything.

    Otherwise, you aren't an infosec professional, you're just hacking around your employer's network.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Tazium wrote: »
    First InfoSec person would be better to align security strategy to business strategy, make connections and gain support of senior management team while investigating tools and technologies. Depending on the motivation of the attacker, for command and control you would be advised to check proxy and gateway logs, e-mail logs for known phishing addresses/domains, and AD logs for privileged access anomalies. Asking questions and finding out if they've been breached before, invoice fraud, ransomware, misuse etc. is a good indicator too. Good luck.


    Suggest you inform the CEO or similar. Spend time telling the story to him/her. Do what is needed to gain access.


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭Joe Exotic


    Tec Diver wrote: »
    Hi all,
    Hypothetically...if you were being hired as the first InfoSec person into an existing company with 300 users and some IT staff, what tools would you use to see if the network/AD etc was already compromised?


    TIA

    I assume that in this hypothetical situation you are looking to do a bit of threat hunting, essentially looking for active threats/compromises in your systems.

    Unfortunately there is no easy answer to this; a good threat hunting process is one sign of a very mature security function.

    Before getting into this you would be better off (as others have said) in examining other areas.
    1. Security Frameworks (e.g. ISO 27001 - align, no need for certification)
    2. Process, people, technology
    3. Risk assessment etc.
    4. Security Monitoring (SIEM to view what is happening on the network and to gather logs in one place)

    However if you really want/need to look at threat hunting in this way you need to be methodical about it.
    1. Identify the main threats to your organisation (on what are the business functions most reliant - could be info or systems)
    2. What would be the worst case scenario for a particular function (e.g. HR - attacker gains access and exfiltrates the employee database)
    3. How would you see this (where would it show in the logs?)

    From the last point above you are essentially looking for IOCs (Indicators of Compromise) on your network. You can get known IOCs from threat feeds online.

    You also could look at the MITRE ATT&CK framework which shows the common stages of compromise and describes the tactics used for each stage by real APTs.

    As you might see now this is a very hard ask without having in place the appropriate tools and policies.

    I would say it's also next to impossible if you don't have a SIEM in place to facilitate searching the logs.

    If a SIEM is out of the question (for now!) then concentrate on what you can do.
    • Examine your organisation's entire public IP address range with NMAP (get permission!!)
    • List every open service on each IP and ensure that there is a business case for each one - and no vulnerabilities/misconfigurations.
    • For every web page ensure that the software (CMS, PHP etc.) is up to date.
    • Look at your antivirus product, ensure at a minimum all endpoints are covered and updating. Ensure you are getting emails when alerts are triggered.
    • Find out what your patching program is like internally - improve it!!!!

    I've probably gone on there a bit and that's just off the top of my head.
    But if everyone did the last few points they would improve the security profile of their organisations no end.

    Hope it helps
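    The "list every open service and check it has a business case" step from the post above, as an added example that is not the poster's own code: it parses nmap's `-oX` XML output and reports every open port that has no entry in a register of approved services. The scan output is constructed (TEST-NET-3 addresses, not a real scan) and `ALLOWED` is a hypothetical register.

```python
# Check an nmap scan of the public range against a register of approved
# services. Added example: the scan output below is constructed in nmap's
# -oX format (TEST-NET-3 addresses), and ALLOWED is a hypothetical register.
import xml.etree.ElementTree as ET

# Hypothetical business-case register: (ip, port, protocol) -> justification
ALLOWED = {
    ("203.0.113.10", 80, "tcp"): "redirect to https, marketing",
    ("203.0.113.10", 443, "tcp"): "corporate website, marketing",
    ("203.0.113.20", 25, "tcp"): "inbound mail, IT",
}

# Constructed nmap -oX output for two hosts; one port is closed on purpose.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 </ports></host>
 <host><address addr="203.0.113.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  <port protocol="tcp" portid="110"><state state="closed"/><service name="pop3"/></port>
 </ports></host>
</nmaprun>"""

def open_services(xml_text):
    """Yield (ip, port, proto, service) for every open port in the scan."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts that only carry a MAC/IPv6 address
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            yield addr.get("addr"), int(port.get("portid")), port.get("protocol"), name

def unapproved(xml_text, allowed):
    """Open services with no entry in the business-case register."""
    return [s for s in open_services(xml_text) if s[:3] not in allowed]

if __name__ == "__main__":
    for ip, port, proto, name in unapproved(NMAP_XML, ALLOWED):
        print(f"{ip}:{port}/{proto} ({name}) has no documented business case")
```

    Re-running this against each new scan turns the one-off review into a regression check: anything that appears without a register entry is either an undocumented change or something that should not be there.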

