Ransomware is an 'existential threat' to business. What's your plan to respond to it? Wrong answers include "we are prepared" and "doing better at cybersecurity basics".
I mention this because I read a lot of op-eds by infosec types that claim that ransomware demonstrates the need for better cybersecurity. I disagree. I think we need to actually pay attention to the specifics of how ransomware attacks work, and address those specifics.
Anybody can say "we need to take it seriously" about any topic. Here's my take on the Israel-Palestinian crisis: "The recent rocket attacks by Hamas and Israel's response demonstrate how the United States needs to take this conflict more seriously". See how it works?
Every ransomware attack I've analyzed, going back years, has exploited "Windows networking" to move laterally in the network, usually gaining domain admin privileges to take down the entire network.
Thus, just hire pentesters skilled at getting domain admin (e.g. using mimikatz or something), give them a typical employee desktop, and document exactly how they get domain admin.
Now look at how you've set up your domain privileges. Notice how your offsite backup data center has trust relationships with the main domain? That falls easily to ransomware attackers.
I mean, good job, you've protected your business from a terrorist bombing your headquarters, but your disaster recovery still falls victim to ransomware.
Active Directory puts all your eggs into a single basket. It's the ventilation shaft in your Death Star. A single enemy X-wing fighter can fly in past your devices and lob a single shot to blow the entire thing up.
As a pentester, I just know how everybody I've seen does Active Directory wrong. However, I'm ignorant in that I don't know how to do it right, how to fix things to make the network resistant to attacks.
By the way, "least privilege" does not help nearly as much as you think. I can take whatever privileges I have and use them to elevate myself to the next level of privileges in Windows.
I mean, yes, do it, the fewer privileges admins have, the better. It's just that when setting up trust relationships between domains, don't assume "least privilege" will save you.
I assume trust relationships like this -- done in such a way that there is no bridge from one account to those in places like backup domains.
This is how backup works at home. I have a separate Linux server with snapshots that I have to log in to locally to administer. Short of an 0day in its SMB stack (which does happen) it's not getting hit by ransomware.
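The thread says a pentester handed a typical employee desktop will work their way to domain admin with mimikatz-style tooling. The following is an added example, not code from the thread or its author: a read-only check, run as the ordinary user on a domain-joined workstation, for the conditions that make that first hop cheap (unprotected LSASS, WDigest cleartext caching, no Credential Guard, many cached logons, domain principals in the local Administrators group). Registry paths, the Win32_DeviceGuard class and the Get-LocalGroupMember cmdlet are the real Windows ones; the threshold on cached logons is this script's own assumption.

```powershell
# Added example (not from the thread). Read-only audit of credential-theft
# preconditions on one workstation. Run as a normal user; nothing here needs elevation.
$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($null -ne $v -and $v -eq $Expected)
}

# 1. LSA Protection (RunAsPPL=1): unsigned code such as mimikatz cannot open LSASS.
if (-not (Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL' 1)) {
    $findings.Add('LSASS is not a protected process (RunAsPPL missing or 0)')
}

# 2. WDigest: UseLogonCredential=1 keeps cleartext passwords in LSASS memory.
if (Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 1) {
    $findings.Add('WDigest caches cleartext credentials (UseLogonCredential=1)')
}

# 3. Credential Guard isolates NTLM hashes and Kerberos TGTs in VBS.
#    SecurityServicesRunning contains 1 when Credential Guard is actually running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not ($dg -and $dg.SecurityServicesRunning -contains 1)) {
    $findings.Add('Credential Guard is not running')
}

# 4. Cached domain logons: each cached verifier is another hash to crack offline.
#    Windows defaults to 10; flagging anything above 1 is this script's assumption.
$cached = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($cached -and [int]$cached -gt 1) {
    $findings.Add("CachedLogonsCount=$cached (consider 1 for desktops)")
}

# 5. Domain principals in local Administrators. Domain Admins is there by default;
#    the real finding is any admin group whose members also log on to workstations,
#    because their credentials then land in this machine's LSASS.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
    ForEach-Object { $findings.Add("Domain principal in local Administrators: $($_.Name)") }

# 6. Is the user whose desktop this is a local admin? S-1-5-32-544 is BUILTIN\Administrators.
#    A phished local admin gives the attacker SYSTEM, and therefore LSASS, for free.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' }) {
    $findings.Add("Current user $($me.Name) is a member of local Administrators")
}

if ($findings.Count -eq 0) { 'No obvious credential-theft preconditions found on this host.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

None of these findings is the whole story (the pentester will also look at network shares, service accounts and ACLs), but a desktop that clears all six forces the attacker to work for the first credential instead of reading it out of memory.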
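The thread's concrete complaint is a backup or DR domain that trusts the production domain, so that domain admin in production reaches the backups. The following is an added example, not code from the thread or its author: it is meant to be run inside the backup/DR domain with the RSAT ActiveDirectory module, and it lists every trust stored there together with the reasons each one is a bridge from some other domain into this one. Property names are those Get-ADTrust actually returns; which trusts exist, and their names, come from your own forest.

```powershell
# Added example (not from the thread). Run in the backup/DR domain.
# Requires the RSAT ActiveDirectory module and permission to read trust objects.
Import-Module ActiveDirectory

$here = Get-ADDomain

# One object per trust stored in this domain. Direction is relative to THIS domain:
#   Outbound      - this domain trusts the other (their accounts can be granted access here)
#   Inbound       - the other domain trusts this one
#   BiDirectional - both
$trusts = Get-ADTrust -Filter *

if (-not $trusts) {
    "$($here.DNSRoot): no trusts stored. No AD trust bridges into this domain."
    return
}

foreach ($t in $trusts) {
    $bridge = @()

    # Any trust where we trust them is a bridge: an admin of that domain can be
    # granted, or can arrange to be granted, rights in this one.
    if ([string]$t.Direction -in @('Outbound', 'BiDirectional')) {
        $bridge += "this domain trusts $($t.Name) ($($t.Direction))"
    }

    # Domains in the same forest are not a security boundary: the trust is implicit,
    # two-way and transitive, and Enterprise Admins of the forest root reach every domain.
    if ($t.IntraForest) {
        $bridge += 'same forest as the production domain (Enterprise Admins reach here regardless)'
    }

    # Without SID filtering, whoever owns the trusted domain can forge SIDHistory
    # entries naming privileged groups in this domain (golden ticket with extra SIDs).
    # Quarantine applies to external trusts, ForestAware to forest trusts.
    if (-not $t.IntraForest -and -not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
        $bridge += 'SID filtering disabled'
    }

    # Selective authentication restricts which foreign accounts may authenticate
    # here at all; without it every account on the other side can try.
    if (-not $t.SelectiveAuthentication) {
        $bridge += 'selective authentication off'
    }

    $verdict = if ($bridge.Count) { 'BRIDGE' } else { 'ok' }
    '{0,-7} {1,-32} {2}' -f $verdict, $t.Name, ($bridge -join '; ')
}
```

The intended end state for the backup environment is the empty-trusts branch: a separate forest (not a child domain), with backup hosts administered from accounts that exist only there, so that a compromised production domain admin has no account that the backup side will honour.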
Thread by Robᵉʳᵗ Graham😷, provocateur (@ErrataRob)