
Dailydave mailing list archives

Old Infosec Talks: Metlstorm's Take on Hacky Hacking


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Thu, 31 Oct 2024 06:53:48 -0400

The Anatomy of Compromise

One of my demented hobbies is watching old infosec talks and then seeing
how well they hold up to modern times. Recently I excavated Metlstorm's
2017 BSides Canberra
<https://www.youtube.com/watch?v=OjgvP9UB9GI&list=TLGGvAY1CcIr-AcyNjEwMjAyNA>
talk on "How people get hacked" - a pretty generic topic that gives a lot
of room for opinion, and one a lot of people have opined on, but the talk
itself has a lot of original things to say. In particular, there's a huge
disconnect between how people get hacked and how defenders and policy
makers think people get hacked and choose to defend against them - which
anyone on this list already knows - I think we are all aware that defensive
strategies in cyber are rarely based on available data.


The Three-Act Play of Compromise

Here is how people get hacked, according to Metlstorm:


   1. Find something with 1FA and crack it open (or just phish the creds)
   (Everything in "Secure By Design" is meant to address this part of the
   problem)
   2. Get Domain Admin and hang onto it
   3. Watch the person who does the important stuff (like SWIFT transfers)
   and secretly do their job for them

Metlstorm goes into the Active Directory hacking that we all know and love
in great detail. His toolbox from 2017 (Kerberoasting, Group Policy files,
password spraying, etc.) is still largely relevant today, despite Dwizzle's
best work - and he points out that removing an attacker that has once had
domain admin is practically impossible even though we all pretend it is to
the SEC (a painful truth we don't deal with at all in industry, unless Wiz
has a product line here I don't know about).

But the pattern he's really describing is the understanding that individual
vulnerabilities and Active Directory "features" are as relevant to systemic
compromise as individual genes are to having an arm with five wiggly bits
at the end. Metlstorm picks on Active Directory and its cousin Sharepoint
quite a bit, but his point is not that we should blame Active Directory so
much as ourselves - we all installed something huge and complex we didn't
understand and then put the keys to our kingdoms in it.

Partially he doesn't blame AD because Metlstorm, even before the SolarWinds
and Kaseya compromises happened, was obsessed with supply chain weaknesses
- or rather he clearly looks at it not as a supply chain but a supply web,
where compromise propagates through trust relationships like signals
through a neural network.

And this is where Metlstorm's talk becomes particularly interesting in
retrospect. While we were all obsessing over Domain Admin and Exchange bugs
in 2017, he was pointing at MSPs and software providers saying "that's
where the real action is." In the years since, we've seen exactly this
pattern play out in increasingly sophisticated ways:

   - SolarWinds and Kaseya (2020-2021) showed us what happens when
   attackers compromise either a build pipeline or an MSP's distribution system
   - Recent MSSP breaches that none of us will ever hear about unless the
   GCSB decides to write them up

Each of these compromises followed Metlstorm's basic thesis: why hack 1000
companies when you can hack the one company they all trust? The attackers
don't see individual organizations - they see connection points, trust
relationships, and privileged channels that can be repurposed. Seven years
later, this view has proven devastatingly accurate.

Metlstorm calls himself an "operational hacker" - different from your Brett
Moore style "Research Hacker" who's all about finding bugs and writing
shellcode and various useless stuff like that. For him, operational hacking
is about systems thinking: what does each compromise actually get you? And
this, as it turns out, is what the talk is really about.


Digital Ecosystems

Using New Zealand as his laboratory, Metlstorm somewhat cheekily shows us
organizations not as isolated entities but as nodes in a vast supply web:

   - Managed service providers spreading their digital mycelia through
   thousands of organizations
   - "Liz in accounts payable" unknowingly holding the keys to national
   security
   - Domain registrars running code old enough to be geological

This is one of the strengths of the talk - it is backed up by specifics. It
is not a vague thought-piece. He takes shots at the whole "I hunt
sysadmins" approach as thinking too small! Why hunt sysadmins when you can
hunt their managed service providers who already have domain admin? Or,
hunt the providers of those providers. It's like a food web of sysadmins.

His best examples are massive US companies (the NYT, e.g.) that got owned
through tiny companies in NZ - big by NZ standards maybe, but microscopic
globally.

The Observer Effect

What Metlstorm as an attacker sees everywhere he looks is large systems
that are "commercially untestable" - creating a fundamental disconnect
between risk and reality. When you outsource your domain admin to a global
megacorp (or your local Kiwi-buds), you create a quantum state of security
- simultaneously compromised and secure until someone attempts to measure
it.

You:

   - Can't test their security
   - May not know if they're compromised
   - Certainly can't perform incident response
   - But get a lovely compliance certificate to frame

Recent compromises prove what Metlstorm saw in 2017: while defenders obsess
over hardening their membranes via the magic of secure by design (or paying
"$6 a month for MFA"), attackers traverse the supply web and pick on
whatever provider seems easiest to own.

The reality is that no organization exists in isolation any more than a
neuron functions alone. Your security isn't just your controls - it's every
provider, vendor, and service in your supply web, each one a potential
firing synapse of compromise.

Solutions

He rightfully calls out that we will not solve these problems. So an A for
Accuracy. Very fun talk, worth your time, highly recommended, 10/10 would
listen to again in the car on the way to a house built at sea level in a
hurricane zone.


-dave
