Ask information security professionals how they spend their time, and odds are the answers will include mention of penetration testing and incident response. In some ways, these are two sides of the same coin: one is about putting in the time up front to find out where the weaknesses are; the other is about being prepared to respond to emergencies where time is of the essence.
Tod Beardsley, director of research, and Rebekah Brown, threat intelligence lead, both at Rapid7, sat down with SearchSecurity in November at Rapid7's UNITED 2016 event in Boston, and they shared their wide-ranging opinions on the pursuit of information security.
In the first part of the interview, Brown and Beardsley offered their thoughts on the increasing threats posed by insecure devices connected to the internet of things (IoT), especially as exemplified by the series of attacks using the Mirai botnet. Also on the table were some of their more notable -- and entertaining -- war stories collected over years of doing pen testing and incident response.
Editor’s Note: This interview has been lightly edited for length and clarity.
What are your thoughts on the Mirai botnet attacks and the other similar kind of malicious IoT activity that we're seeing so much of recently?
Tod Beardsley: So, Mirai is definitely a wake-up call. For many years, we've been looking at IoT through the lens of that [it] is too easy; it's junk hacking; it's stunt hacking; and it's hacking on easy mode. The security industry tends to be pretty dismissive of IoT. And I think the Mirai event [was a] bummer for DynDNS, but not so bad for everyone else, because it really illustrates like, 'No, no, no. This is real, and this is serious.' And we've been seeing this coming for a while -- 2016 is really when IoT kind of came out of the ghetto, the security research ghetto anyway, for both attackers and defenders. We're all taking a look at this in a much more serious way now, because I think the thing that the Mirai botnet had illustrated is twofold.
One, it shows that not only do we have to defend these IoT devices and make sure that they're built securely so your personal data doesn't get leaked and your camera's not on the internet, but we have to get it to a point where we're able to defend against it. So, security on IoT is not only securing the device and securing your stuff, but it's securing everyone else, too. So, there's a social good there that needs to be done.
And, secondly, it didn't really matter. Most of these things are like DVRs, CCTVs and things like that, and that particular data didn't matter at all. It's not what the attacker was going for -- the attacker was going for CPU, a little bit of storage and a little bit of bandwidth, multiplied many times.
And so I think that Mirai really will help wake up not just the security industry to [the idea] that, 'No, this is serious; this is not just joking around and stunt hacking,' but also wake up every manufacturer there that makes an internet-connected device, which is actually every manufacturer.
Rebekah Brown: The whole issue with default passwords or hardcoded passwords, we're seeing that in other devices, as well. We've known about it for years and years, and everyone says, 'Oh well, but nobody's going to do that. And no one's going to use it.' So, this is a very clear example of, yes, they actually do.
The attackers know about all the flaws you know about. You can't keep anything a secret, [and] you can't hope that they don't know about it. And then also you raise a very interesting point where they didn't care about the data, and they didn't care about the stuff on there. But that doesn't mean they won't in the future. It doesn't mean now that they're going to say, 'Oh, OK, well, here's one way we can use this.' Let's just say that they could be coming up with a more creative way now that they're very comfortable in the 'Let's hack all the IoT stuff space.'
Beardsley: Right, and it's that kind of shift in thinking that we saw with ransomware last year ... where the attacker doesn't care about the data. They care that the data's there, and that it's something to encrypt.
Brown: Yeah, they care that somebody will pay.
Beardsley: But, really, I'm not going to steal all your grandkids' pictures and sell them on the internet. That's not very viable. It's much more viable to just ask for money directly.
Have you got any good pen testing or incident response horror stories? What are the craziest, most unbelievable things you found during tests? And you don't have to give names, so the guilty can remain unmarked.
Brown: So, this was before I was at Rapid7. I was working in the state and local government space, and they have no resources and no funding and no staffing. So, it's a very difficult job. They would come to me when they had problems, and I would help out as much as I could. And there was one time, there was this city and their city hall had gotten something through their logs. And they thought, 'OK, something's wrong with our networks. Give me all your stuff.' We looked into it and realized two of their domain controllers were just completely riddled with malware. And these are domain controllers that basically can touch everything else in the entire city. All of their infrastructure was connected.
And so we told them, 'Oh my gosh, this is bad. We don't even have data past six months.' We can see at least it's been back six months, so we're good. And so we kind of came up with a plan for how we could help them and their sys admin says, 'No, no, it's OK. I wiped the boxes, so we're good.' And I said, 'You wiped them?' He said, 'Yeah. I only had been allocated two hours to solve this problem. So, I just wiped them and I got to go work on my other stuff.' And I said, 'All right, I'll see you next week then I guess,' because it's very clearly not solved. But that was the way they approached the problem, and this was only a few years ago. This was not 20 years ago.
Beardsley: And I think that illustrates that there remains a gap between IT people and security people. And so we're hopeful that we can start bridging that gap a lot more seriously. A lot of people talk about it; we're actually trying to do it with our Insight platform. It's not merely to make things easy, but at least make the easy things easy so you have time for the hard and kind of fun stuff. I got started in security from IT. You know, the kids these days go and they get their cyber degree, and they are instantly into security. And they have no background in the realities of change control review boards.
Brown: Absolutely, absolutely.
Beardsley: And the deadlines come and you have to produce. And so, I think we need to see more in the way of not just how security vendors like us talk to security departments within customers, but how we talk to IT people and how we talk to developers, because like I said, everyone is making an internet-connected something. And I cannot imagine a future where we'll have less internet in our life.
Brown: Actually, one of my most fun pen-test engagements was because of that IT guy we were working with. It was a red on blue, so they were trying to do live responses to us, and I was actually on the blue team side at this point. And the red-team guy kept messing with us. And so we got the brilliant idea by talking to one of the IT support guys from this organization. We asked him where the mouse drivers were on the Windows machine. We were able to get access to the red team machine and wiped their mouse drivers, so he can no longer use his mouse to attack us. We wiped the keyboard at the same time. Then, we took a nice coffee break while he tried to figure out exactly what was wrong with his machine. It was a good time.
Taking pen testing to the extreme
Beardsley: I guess my go-to war story is, I was red team and ...
Brown: Somebody wiped your keyboard driver.
Beardsley: Yeah, and suddenly my mouse wasn't working anymore.
I was red team, and part of the engagement was to go to a big, sprawling campus with lots of buildings. It's a major hardware manufacturer that's listed on my résumé, not hard to find out. And the task was drop a laptop on the local network that had a modem on the other side so we could dial in and just have persistent [access], right on the network.
Well, on the way over to the other building, I was riding a motorcycle and it was raining, and I dumped the bike. And so, I'm now bloodied on the left side of my body, jeans are all ripped up and I've got this limp, but I'm really close. I'm like, 'Look, I'm just [going to] drop the thing off, and then I'll go into the hospital.'
Brown: Then, medical emergency can commence.
Beardsley: It turns out if you are obviously wounded, people open all kind of doors for you.
So, all my plans of trying to be nice and social-engineer my way past the guards that didn't know who I was -- it's a different building than I normally work in. Yeah, everybody falling all over themselves like, 'Oh, wow, you look really hurt.'
[I said,] 'Yeah, I got to go to the hospital, but I [have to] drop this one thing off.' [Then, they said,] 'Oh, can I get the door?' [I said,] 'Yeah, sure. I just [have to] set up in like an empty cube. Do you have one?' [They said,] 'Oh, yeah, yeah, come here, use my cube.' I said, 'All right. Cool. I'll just be like 10 minutes, it will be fine, then I'm out.' [Then, they asked,] 'Do you need to call the hospital?' [I said,] 'No, I'm fine. I'll call somebody -- it's fine.' As soon as they leave, boom, under the desk, plug the thing in, and get out.
Brown: That is dedication, Tod.
Beardsley: I was fine by the way, thank you.
Brown: OK, good. How was your motorcycle?
Beardsley: Not too bad. I caught it with my boot, figuring my foot will heal faster than the bike. So, it was fine, and I was wearing steel toe boots.
Brown: I can't top that. I'm sorry.
Beardsley: No, invest in Halloween makeup. So, bloody yourself up and walk into any building you like.
Brown: I had never thought of that.
Beardsley: And that's kind of the thing, right? This is the weakness of human hacking -- that people want to be helpful. And, in general, they want to be helpful, so that's why we always talk about not letting people tailgate behind them. It's really uncomfortable unless and until you make it fun and you can gamify it. You can just have the corporate culture of, 'No, dude, you have to have your badge. You have to have your badge, and if you don't have your badge, then you've got to talk to the guy over here with the badge.'
So, how does showing up with an injury compare to walking around with a clipboard, because that always used to work?
Beardsley: Clipboard and hard hats work pretty well, just like claiming that you're from IT tends to work pretty well. 'Oh, I got to fix this one thing.' So, typically, it's being friendly, making eye contact, doing all the things, needing help. Or if that's not working, there are tons of techniques. You can appeal to authority. You could say, 'Look, I'm from the CEO's office. We need to get this done right now. And, no, I don't have time for all your sign-offs. Please let me in the data center.'
Is there anything that doesn't work that used to work? Are people getting any smarter about defending?
Beardsley: I want to think they are. I think for response rates to your basic phishing attacks, if you drill your constituency on phishing by doing it -- and, again, you can be playful about the shaming part of it, but actually shaming them -- then that will tend to knock down the response rates the next time you do it. Once you get that culture going -- that I would prefer not to get busted by my red team -- it does help some, but then you'll hit a wall. You're going to hit a wall there, because the attacker only needs to be right once. The defender has to be right all the time.
Brown: Right. But you can instill a culture where people feel informed and educated about what attackers do. I had one example. I worked at a previous company that was very into design and color palettes, and each season had its own color palette. And we had talked a lot about setting up fake websites and how companies would try and set up one that looks similar to your bank, and they'll try and trick you.
And I got a panic call at 9 p.m. one night from one of the ladies on our design team. And she had tried to go to an internal website and got a 404 error. And she called me panicked because it was using the color palette from two seasons ago. And she was pretty sure that they would have changed it, and she thinks that it was fake because it was an old color palette. And it was somebody that had just not updated it, but that was a big win for me. I said, 'Hey, good catch. We will look into that right now.'
Beardsley: You have to treat it as an organization. To some extent, everyone is on your security team. You do have to farm that out, and so there is that trust. You need the people to trust you to the point where they feel like they can report things, that they can notice things. And it's hard. It is hard. We do training on that at Rapid7; we offer that with basically everybody up and down your organization of how to build good relationships with the security team, and how the security team can build good relationships with everyone else, and get that going because you can't take it too far. If all of your employees are living in mortal fear of the red team, they won't help the red team ever when they actually need help.
Brown: As in, 'No, I'm not holding that door. That's a fake injury, Tod.'
Stay tuned for part two of this interview with Rapid7's Tod Beardsley and Rebekah Brown.