
Testing for compromise

  • 19-11-2019 11:11am
    #1
    Registered Users Posts: 407 ✭✭


    Hi all,
    Hypothetically...if you were being hired as the first InfoSec person into an existing company with 300 users and some IT staff, what tools would you use to see if the network/AD etc was already compromised?


    TIA


Comments

  • Registered Users Posts: 899 ✭✭✭Tazium


    The first InfoSec person would be better to align security strategy to business strategy, make connections and gain support of the senior management team while investigating tools and technologies. Depending on the motivation of the attacker, for command and control you would be advised to check proxy and gateway logs, e-mail logs for known phishing addresses/domains, and AD logs for privileged access anomalies. Asking questions and finding out if they've been breached before (invoice fraud, ransomware, misuse etc.) is a good indicator too. Good luck,
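    The three log checks listed above (proxy/gateway logs for command-and-control check-ins, mail logs against known phishing domains, AD logs for privileged-access anomalies), worked as an added Python example. This is not code from any post in this thread; every log format, hostname, domain, event line and threshold below is a constructed assumption for illustration.

```python
"""Added example (not from the thread): three hunts over constructed log samples.

Formats are assumptions: one space-separated record per line, ISO-8601 timestamps.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp client dest_host bytes
PROXY_LOG = """\
2019-11-18T09:00:00 10.0.5.23 cdn.example-update.net 512
2019-11-18T09:05:01 10.0.5.23 cdn.example-update.net 514
2019-11-18T09:10:00 10.0.5.23 cdn.example-update.net 509
2019-11-18T09:14:59 10.0.5.23 cdn.example-update.net 511
2019-11-18T09:20:00 10.0.5.23 cdn.example-update.net 515
2019-11-18T09:25:00 10.0.5.23 cdn.example-update.net 510
2019-11-18T09:01:13 10.0.5.40 www.wikipedia.org 20480
2019-11-18T09:03:48 10.0.5.40 www.wikipedia.org 1820
2019-11-18T09:47:02 10.0.5.40 news.example.org 9991
2019-11-18T10:12:30 10.0.5.40 www.wikipedia.org 33000
"""

# Constructed mail gateway log: timestamp sender recipient
MAIL_LOG = """\
2019-11-18T08:12:00 billing@invoice-portal-secure.xyz finance@example.com
2019-11-18T08:30:00 alice@partner.example.org bob@example.com
2019-11-18T08:45:00 it-helpdesk@example-com-login.net carol@example.com
"""

# Constructed stand-in for a threat feed of known phishing sender domains
PHISHING_DOMAINS = {"invoice-portal-secure.xyz", "example-com-login.net"}

# Constructed Windows security events: timestamp event_id actor target group...
# 4728/4732/4756 = member added to a global/local/universal security group
AD_EVENTS = """\
2019-11-17T23:41:10 4728 svc_backup dave Domain Admins
2019-11-18T10:02:55 4732 helpdesk1 erin Remote Desktop Users
2019-11-18T11:15:03 4732 helpdesk2 frank Administrators
"""
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins", "Schema Admins"}
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}


def find_beacons(log, min_hits=5, max_jitter=0.2):
    """Return (client, host, avg_interval_s) for client/host pairs whose
    request spacing is too regular to be a human: the classic C2 check-in."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        ts, client, host, _bytes = line.split()
        stamps[(client, host)].append(datetime.fromisoformat(ts))
    beacons = []
    for (client, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # coefficient of variation: small means a near-constant interval
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append((client, host, round(avg)))
    return beacons


def find_phishing_senders(log, iocs):
    """Return mail log records whose sender domain is on the IOC list."""
    hits = []
    for line in log.splitlines():
        ts, sender, recipient = line.split()
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in iocs:
            hits.append((ts, sender, recipient))
    return hits


def find_privileged_changes(events, groups=PRIVILEGED_GROUPS, hours=BUSINESS_HOURS):
    """Flag additions to privileged groups and note whether they happened out of hours."""
    findings = []
    for line in events.splitlines():
        ts, event_id, actor, target, *group_words = line.split()
        group = " ".join(group_words)
        if event_id in GROUP_ADD_EVENTS and group in groups:
            findings.append({
                "time": ts, "actor": actor, "target": target, "group": group,
                "out_of_hours": datetime.fromisoformat(ts).hour not in hours,
            })
    return findings


if __name__ == "__main__":
    print("beacons:", find_beacons(PROXY_LOG))
    print("phishing:", find_phishing_senders(MAIL_LOG, PHISHING_DOMAINS))
    print("priv changes:", find_privileged_changes(AD_EVENTS))
```

    On the constructed data the 5-minute check-ins from 10.0.5.23 stand out while normal browsing from 10.0.5.40 does not, both mails from the listed domains are caught, and the two additions to Domain Admins and Administrators are reported (the Remote Desktop Users change is not). The jitter threshold is the knob to tune: real implants add randomised sleep, so expect to loosen it and to group by destination only when clients sit behind NAT.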


  • Registered Users Posts: 3,958 ✭✭✭spaceHopper


    You could download dumps from other breaches, for example run all the company email addresses against Have I Been Pwned. Download data dumps and look for the company domain in them. Compare hashed passwords against current user hashes. Look for users who have left that have logged in since. If I wanted to steal an account, that's one I'd go after.

    You may need to write tools in Python.
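    The checks in the post above (company addresses in a dump, current hashes that already appear in a dump, leavers who have logged in since their leave date), worked as an added Python example that is not from any post in this thread. The dump format, the CSV export format, the domain and every record are constructed; it also assumes the dump and the export use the same unsalted hash (for example both NT hashes) so the values can be compared directly.

```python
"""Added example (not from the thread): offline checks of a breach dump against an AD export.

Assumptions: the dump is "email:hash" per line; the export is a CSV of
account,mail,hash,last_logon,leave_date; both use the same unsalted hash
algorithm so values are directly comparable. All records are constructed.
"""
from datetime import date

COMPANY_DOMAIN = "example.com"  # assumed

BREACH_DUMP = """\
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
someone@other.test:8ac80c5ef9ef3a1c7c7e2c6f9a4d2bb1
bob@example.com:e10adc3949ba59abbe56e057f20f883e
carol@gmail.test:25d55ad283aa400af464c76d713c07ad
"""

# leave_date is empty for current staff
AD_EXPORT = """\
alice,alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99,2019-11-18,
bob,bob@example.com,0d107d09f5bbe40cade3de5c71e9e9b7,2019-11-15,
dave,dave@example.com,a3f390d88e4c41f2747bfa2f1b5f87db,2019-11-17,2019-09-30
erin,erin@example.com,c33367701511b4f6020ec61ded352059,2019-08-01,2019-08-02
"""


def parse_dump(text):
    """Yield (email, hash) pairs, normalised to lower case."""
    for line in text.splitlines():
        email, _, digest = line.partition(":")
        if email and digest:
            yield email.strip().lower(), digest.strip().lower()


def parse_ad_export(text):
    """Parse the assumed CSV export into dicts with real date objects."""
    users = []
    for line in text.splitlines():
        account, mail, digest, last_logon, leave = line.split(",")
        users.append({
            "account": account,
            "mail": mail.lower(),
            "hash": digest.lower(),
            "last_logon": date.fromisoformat(last_logon),
            "leave_date": date.fromisoformat(leave) if leave else None,
        })
    return users


def company_accounts_in_dump(dump, domain=COMPANY_DOMAIN):
    """Company addresses present in the dump: candidates for a forced reset."""
    suffix = "@" + domain.lower()
    return sorted(email for email, _ in parse_dump(dump) if email.endswith(suffix))


def reused_passwords(dump, export):
    """Accounts whose *current* hash is in the dump: that password is already public."""
    leaked = {digest for _, digest in parse_dump(dump)}
    return [u["account"] for u in parse_ad_export(export) if u["hash"] in leaked]


def leavers_still_logging_in(export):
    """Accounts with a leave date that have logged on after it."""
    return [u["account"] for u in parse_ad_export(export)
            if u["leave_date"] and u["last_logon"] > u["leave_date"]]


if __name__ == "__main__":
    print("in dump:", company_accounts_in_dump(BREACH_DUMP))
    print("reused:", reused_passwords(BREACH_DUMP, AD_EXPORT))
    print("leavers active:", leavers_still_logging_in(AD_EXPORT))
```

    On the constructed data alice and bob appear in the dump, only alice still uses the leaked password (bob's current hash differs), and dave has logged on two months after leaving while erin has not. A dump that contains plaintext passwords has to be hashed with the organisation's own scheme before the comparison, and a salted scheme cannot be compared this way at all; in that case the only offline option is to check each user's hash against the leaked plaintexts individually.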


  • Moderators, Education Moderators Posts: 2,603 Mod ✭✭✭✭horgan_p


    If it's first things first, I would insist on a scope of work sorted with senior management BEFORE I went poking around anything.

    Otherwise, you aren't an infosec professional, you're just hacking around your employer's network.


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    Tazium wrote: »
    The first InfoSec person would be better to align security strategy to business strategy, make connections and gain support of the senior management team while investigating tools and technologies. Depending on the motivation of the attacker, for command and control you would be advised to check proxy and gateway logs, e-mail logs for known phishing addresses/domains, and AD logs for privileged access anomalies. Asking questions and finding out if they've been breached before (invoice fraud, ransomware, misuse etc.) is a good indicator too. Good luck,


    Suggest you inform the CEO or similar. Spend time telling the story to him/her. Do what is needed to gain access.


  • Registered Users Posts: 565 ✭✭✭Joe Exotic


    Tec Diver wrote: »
    Hi all,
    Hypothetically...if you were being hired as the first InfoSec person into an existing company with 300 users and some IT staff, what tools would you use to see if the network/AD etc was already compromised?


    TIA

    I assume that in this hypothetical situation you are looking to do a bit of threat hunting, essentially looking for active threats/compromises in your systems.

    Unfortunately there is no easy answer to this; a good threat hunting process is one sign of a very mature security function.

    Before getting into this you would be better off (as others have said) examining other areas.
    1. Security frameworks (e.g. ISO 27001 - align, no need for certification)
    2. Process, people, technology
    3. Risk assessment etc.
    4. Security monitoring (SIEM to view what is happening on the network and to gather logs in one place)

    However, if you really want/need to look at threat hunting in this way you need to be methodical about it.
    1. Identify the main threats to your organisation (on what are the business functions most reliant - could be info or systems)
    2. What would be the worst case scenario for a particular function (e.g. HR - attacker gains access and exfiltrates the employee database)
    3. How would you see this (where would it show in the logs?)

    From the last point above you are essentially looking for IOCs (Indicators of Compromise) on your network. You can get known IOCs from threat feeds online.

    You could also look at the MITRE ATT&CK framework, which shows the common stages of compromise and describes the tactics used for each stage by real APTs.

    As you might see now, this is a very hard ask without having the appropriate tools and policies in place.

    I would say it's also next to impossible if you don't have a SIEM in place to facilitate searching the logs.

    If a SIEM is out of the question (for now!) then concentrate on what you can do.
    • Examine your organisation's entire public IP address range with Nmap (get permission!!)
    • List every open service on each IP and ensure that there is a business case for each one - and no vulnerabilities/misconfigurations.
    • For every web page ensure that the software (CMS, PHP etc.) is up to date.
    • Look at your antivirus product: ensure at a minimum all endpoints are covered and updating, and ensure you are getting emails when alerts are triggered.
    • Find out what your patching program is like internally - improve it!!!!

    I've probably gone on there a bit and that's just off the top of my head,
    but if everyone did the last few points they would improve the security profile of their organisations no end.

    Hope it helps
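    Two of the points in the post above, worked as an added Python example that is not from any post in this thread: turning an Nmap grepable scan of the public range into a list of open services with no agreed business case, and the "where would it show in the logs?" question for the HR worst case (a bulk pull of the employee database showing up as large egress from the host that holds it). The public range, hostnames, baseline, log lines, threshold and the `-oG` excerpt are all constructed assumptions; run the real scan only with written permission, as the post says.

```python
"""Added example (not from the thread): open services without a business case, and
egress from sensitive hosts, over constructed Nmap -oG output and a constructed egress log.
"""
import re
from collections import defaultdict

# Constructed `nmap -sS -oG -` output for an assumed public range 203.0.113.0/28
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated Mon Nov 18 09:00:00 2019 as: nmap -sS -oG - 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//, 80/open/tcp//http//, 443/open/tcp//https//\tIgnored State: closed (997)
Host: 203.0.113.20 (mail.example.com)\tPorts: 25/open/tcp//smtp//, 443/open/tcp//https//, 3389/open/tcp//ms-wbt-server//\tIgnored State: closed (997)
Host: 203.0.113.30 ()\tPorts: 445/open/tcp//microsoft-ds//, 8080/filtered/tcp//http-proxy//\tIgnored State: closed (998)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Assumed baseline: (proto, port) pairs with an agreed business case, per public IP.
# A host absent from the baseline has no approved services at all.
APPROVED = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
    "203.0.113.20": {("tcp", 25), ("tcp", 443)},
}

# Constructed egress log: timestamp src_host dst_ip bytes_out
EGRESS_LOG = """\
2019-11-18T02:10:00 hr-db01 198.51.100.7 734003200
2019-11-18T02:40:00 hr-db01 198.51.100.7 812000000
2019-11-18T09:15:00 hr-db01 203.0.113.20 20480
2019-11-18T09:30:00 ws-042 198.51.100.9 5000000
"""
SENSITIVE_HOSTS = {"hr-db01"}  # assumed: where the employee database lives

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Map IP -> {'name', 'open': {(proto, port, service)}} from -oG output.

    Grepable port entries are port/state/proto/owner/service/rpc/version;
    only entries in state 'open' are kept."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports: " not in line:
            continue
        ip, name = m.group(1), m.group(2)
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        open_ports = set()
        for entry in ports_field.split(", "):
            port, state, proto, _owner, service, *_rest = entry.split("/")
            if state == "open":
                open_ports.add((proto, int(port), service))
        hosts[ip] = {"name": name, "open": open_ports}
    return hosts


def unapproved_services(hosts, approved):
    """Open (proto, port) pairs not in the baseline; hosts with no baseline entry count in full."""
    findings = []
    for ip in sorted(hosts):
        allowed = approved.get(ip, set())
        for proto, port, service in sorted(hosts[ip]["open"]):
            if (proto, port) not in allowed:
                findings.append((ip, proto, port, service))
    return findings


def large_egress(log, hosts=SENSITIVE_HOSTS, threshold=100_000_000):
    """Total bytes per (src, dst) from sensitive hosts at or above the threshold."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _ts, src, dst, nbytes = line.split()
        if src in hosts:
            totals[(src, dst)] += int(nbytes)
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total >= threshold)


if __name__ == "__main__":
    scan = parse_grepable(NMAP_GREPABLE)
    for finding in unapproved_services(scan, APPROVED):
        print("no business case:", finding)
    for finding in large_egress(EGRESS_LOG):
        print("bulk egress:", finding)
```

    On the constructed data the findings are SSH exposed on the web server, RDP exposed on the mail server, and SMB on a host nobody has a baseline for (the filtered 8080 is ignored), plus about 1.5 GB leaving hr-db01 for one external address in the small hours. The point of the baseline file is that the scan output becomes a diff rather than a list to read every time; re-run it on a schedule and only the changes need a human.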

