This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at 9^th NCCDC competition.   It was actually my 2^nd year on the Red Team and 4^th year to attend in total (I judged in 2010 and 2011).  McAfee is actually a perpetual sponsor of this event.  That being said, I have my own selfish agenda when I attend.

Joining in as part of the Red Team is, by far, on of the most educational experiences I could possibly put myself in.   Not only are you tossed into a room w/ folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule and from the time that the competition starts it’s heated and non-stop.

The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1.   We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems.   This way on Day 2 when the chaos commences, and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.

DarkComet Client Console

And . . . .. . It worked!

Different individuals on the Red Team had their unique tools and methods to gain and retain access and unset the teams’ activities.   As the McAfee guy, I choose to rely on some old, tried and true (and very accessible RATs).  Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.

RAT Remote Process View

My philosophy was driven by two primacy goals.   First, I know these things work realllllllllly well.  And with these RATs on the box, I can control and own everything.  Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions.   This is especially intriguing because, as a sponsor, McAfee provided the competition with our software.   I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated.   I know that McAfee (and just about all other) vendors DID detect these things.  Yet, I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike btw).

When the competition was over, I chatted with a few competitors, and mentioned this fact.  I immediately saw the gears start turning.  I could tell they had a real “Ahhhh we should have done that” moment.  Not to mention, that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs.  Those could have been curtailed as well.

Each year, the teams have to setup, maintain, and safeguard an environment for a faux company/entity.  This year the teams were tasked with tasked with the environment of a Correctional Institute.   This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more.  From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams.   For example if you kill/mangle/destroy the database for tracking prisoner and personnel, that’s one of the high point items.   After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc.   Other hot items include public web site defacement and acquisition of PII (personally identifiable information).  For added fun, many of us defaced the web sites by posting the company’s PII for all to see.

Defaced with PII

All and all it was a fantastic experience.   I look forward to future activities with this competition.

UTSA shot a documentary this year.  I’ll post details on that once it’s released.    However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event.   It features great interviews and ‘behind the scenes’ Red Team action.   I’m not interviewed, but you can see the top of my head in a couple shots!!

Hak5 Doc – Jim’s Head

2012 Hak5 Documentary

Additional Blogs on NCCDC 2013

• David Cowen - http://mcaf.ee/wid10
• Raphael Mudge - http://mcaf.ee/ageor
• Alex Levinson - http://mcaf.ee/limh1

NCCDC 2013 Red Team Brief - http://mcaf.ee/uodvk

Bonus:   We recently did our 2^nd AudioParasitics episode with the great Raphael Mudge.   This time we have a full and glorious video demo of Cobalt Strike in action.  We actually walk though scenarios and give you details on how some of these Red Team activities actually occur.

AudioParasitics Episode 141 (video) - http://mcaf.ee/gep69

—————————————————-

The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.

And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.

This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.

This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw–just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).

Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:

It's Open!

This situation very quick leads to an intruder’s trying to login via brute force, or trying something new (like the flaw described in MS12-020) !

It Actually Works!!!!!

So, what can you do to protect your environment?

McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.

Other steps:

• RDP is typically disabled by default. If there is any doubt, investigate and confirm in your environment whether and where it running.
• In Windows Vista or later, enable Network Level Authentication (NLM)
• Even if you have NLM enabled, the flaw can be exploited if the attacker can gain authentication. This means you should verify strong (nondefault, sufficiently complex) user/password combinations.

Resources

• CVE-2012-0002: A closer look at MS12-020′s critical issue
• Microsoft Security Bulletin MS12-020
• McAfee Vulnerability Manager

McAfee Coverage Data

Coverage exists in:

• McAfee Vulnerability Manager (FSL release): 3/13
• McAfee Network Security Platform (Sig release): 3/13
• McAfee Remediation Manager (V-Flash): 3/13
• McAfee DATs (partial coverage, for known PoC code, is provided as “Exploit-CVE2012-0002″ in the 6652 DATs): 3/17

CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)(E:POC/RL:OF/RC:C)

——————- UPDATES ———————————

March 15: McAfee Labs has observed in-the-wild proof-of-concept code targeting this vulnerability. There are a few varied samples that we are both monitoring and analyzing. At this time the coverage/mitigation data already in this post is still valid.

We are continuing to monitor this situation and will provide updates as needed. An updated MTIS Security Advisory has been sent to subscribers.

To stay up to date on these and other critical security events, please subscribe to our McAfee Threat Intelligence Alerts.

March 16: The last 24 hours have been a virtual flood of proof of concept (PoC) and exploit details. Some of these are reliable; some are not.

• This flaw was actually discovered by Luigi Auriemma in May 2011
• There are numerous fake code examples and scripts on Pastebin and similar sites. As is typical, links to these fakes are advertised all over Twitter, etc.
• The code examples/PoCs that are valid can successfully crash the RDP service, but do not move beyond that (to code execution or to allow for the possibility of code execution)

Associated malware samples and events can be traced back several years, and multiple platforms were targeted. To this day many remain affected or infected and are still open to compromise.

The amount of helpful data around this issue is plentiful. Even the FBI has provided a tool to check whether your host/IP is affected.

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So, fast-forward to the present: Within McAfee Labs we have been flooded with queries (forgive the DNS pun) on what will happen on March 8, and what other impacts might ripple through our environments as the FBI takes the next steps toward concluding Operation Ghost Click.

The Good News!

On March 5, a U.S. District Court in New York signed an order to extend the March 8 deadline to July 9.

This extension will allow all affected entities to continue to track down and remediate against hosts that are still compromised. Current data indicates that there are still several million infected or affected hosts worldwide.

Also, as a handy reminder, the offensive Netblocks are well documented:

• 67.210.0.0 through 67.210.15.255
• 93.188.160.0 through 93.188.167.255
• 77.67.83.0 through 77.67.83.255
• 213.109.64.0 through 213.109.79.255
• 64.28.176.0 through 64.28.191.255

To learn more about how to maintain your online connection and to protect against this malware family, read our new Threat Advisory:

https://kc.mcafee.com/corporate/index?page=content&id=PD23652

For McAfee Customers: Detection for associated malware is provided under the DNSChanger Trojan family.

For example: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=141841

Other Resources:

• McAfee Labs Security Advisory MTIS11-219
• McAfee Labs Threat Advisory on DNSChanger
• McAfee Labs DNSChanger Description Search
• The FBI’s DNSChanger Malware
• United States District Court Southern District of New York Post-Indictment Protective Order extending the March 8 date. (Click on image to expand.)
  

  Court-ordered date extension

Malware

The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The cumulative number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with Android firmly fixed as the largest target for writers of mobile malware.

Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.

Web Threats

In the third quarter McAfee Labs recorded an average of 6,500 new bad sites per day; this figure shot up to 9,300 sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were malicious. This brings the total of active malicious URLs to more than 700,000.
The vast majority of new malicious sites are located in the United States, followed by the Netherlands, Canada, South Korea and Germany. Overall, North America housed the largest amount of servers hosting malicious content, at more than 73 percent, followed by Europe-Middle East at more than 17 percent and Asia Pacific at 7 percent.
Spam

At the end of 2011, global spam reached its lowest point in years, especially in areas such as the United Kingdom, Brazil, Argentina and South Korea. Despite the drop in global levels, McAfee Labs found that the present spearphishing and spam are highly sophisticated.

Overall botnet growth rebounded in November and December after falling since August, with Brazil, Columbia, India, Spain and the United States all seeing significant increases. Germany, Indonesia and Russia declined. Of the botnets, Cutwail continues to reign supreme, while Lethic has been on a steady decline since last quarter. Grum made a significant comeback after a long decline, surpassing Bobax and Lethic by the end of Q4.

Data Breaches

The number of reports of data breaches via hacking, malware, fraud and insiders more than doubled since 2009, according to privacyrights.org, with more than 40 breaches publicly reported this quarter alone. The leading network threat this quarter came via vulnerabilities in Microsoft Windows remote procedure calls. This was followed closely by SQL injection and cross-site scripting attacks. These remote attacks can be launched at selected targets around the globe.

Download McAfee’s Threats Report: Fourth Quarter 2011.

According to Chris Noel, SVP of Product Management at ANXeBusiness, “security policies communicate organizational culture, set expectations and boundaries, define risk appetites, and establish a legal duty of care.”  Unfortunately, a role-based, functional understanding of security policies is uncommon. So how do we take security policies out of the proverbial glove compartment?  The following tips are based on “Eight Ways to Communicate Your Strategy More Effectively” by Georgia Everse.

Share the spirit of the policies

One of the biggest questions I’ve received when drafting security policies is “why does this matter to me?”  By virtue of their role in the compliance process, most policies share a lexicon only familiar to upper management. The core significance of the policy – the lead story – is often buried.

Eager to capitalize on the investment made in policy creation, one of my clients organized stakeholders from all its functional units to create a messaging strategy that would personalize these documents.  The message described the impact of these policies on the company’s ethos rather than regulatory requirements.  This approach demonstrated awareness and respect for the roles comprising the corporate culture.

Use customer feedback to evolve the policies

Successful companies evolve in response to market forces and customer feedback. Similarly, security policies should be updated to reflect changes in the threat landscape and the organization. This can be done by recruiting the managers of all business units in gathering feedback from their reports.  Once collected, the information can be analyzed and integrated into the existing policies.  Leveraging this feedback appropriately maintains the relevance of the policy content.

Use the right communication framework

Everse emphasizes that “not all messages are created equal.  They need to be prioritized and sequenced based on their purpose.”  Some of my clients have treated policy training like a final’s night cram session.  The outcome usually creates two camps in the organization; one that understands the letter of the law but not its spirit and those who quickly forget what they learned out of frustration with the process.  Policy messaging should model the processes through which other elements of organizational culture are communicated.

Inspire

A policy message that is relevant to the organization, its staff and its customers will inspire confidence.  The message should be supported by the actions of those who promote it.

Educate

Policy awareness is not enough to trump a culture that does not support the policies.  By focusing on the benefits of individuals, and to the groups with whom they affiliate, the organization can leverage cultural influence.

Reinforce

Contemporary policy training uses an annual reinforcement schedule that tends to build a “checklist” mentality among stakeholders.  Organizations that socialize their policies through case studies that illustrate their value have the greatest success.   For example, one of my non-profit clients includes customer-interaction success stories that link back to their security policies as part of their employee newsletter.

Build alliances to support the policies

Upper-management support is not enough.  Many of my policy development engagements have revealed office politics with players across the organizational chart.  At a healthcare organization in Southern Texas, for example, some of the executive assistants wielded significant influence in how policies were perceived by employees in their functional areas.  Policy marketing should use a viral model, using the influence of these individuals to stimulate dialogues around policy success stories.

Optimal utilization of security policies relies on the audience for which they are created.  Policy creation and marketing must recognize and capitalize on organizational culture to promote its value proposition.  People can be the strongest link in the security chain.

For more insight from the world of enterprise security, be sure to follow @McAfeeBusiness  on Twitter for future updates.

McAfee Virtual Patching for Databases—This technology solution protects unpatched databases against known threats and all databases from common hacker techniques, without the need to modify the database or bring the database down to patch.  Utilizing a memory-based sensor, the system detects attempts to exploit these vulnerabilities, and can then issue alerts in real-time or terminate the offending session.

McAfee Security Scanner for Databases—This client-based vulnerability assessment solution complements the previously-released McAfee Vulnerability Manager for Databases and addresses the specific needs of penetration testers, auditors, consultants and Systems Integrators.  Enterprises will likely prefer the feature set of Vulnerability Manager for Databases in achieving continuous compliance objectives.

McAfee Database User Identifier— Many compliance regulations require full accountability for who did what in the database, but this detail can be lost when applications connect to the database on behalf of multiple users.   As an add-on to the McAfee Database Activity Monitoring solution Database User Identifier traces the identities of specific users as they access the database from applications using pooled connections, in order to meet audit requirements.

The addition of these three new products to McAfee’s arsenal of database security solutions provides enterprises with a strong defense against damaging database breaches. If you are developing a comprehensive security strategy for your sensitive data, the McAfee Database Security solutions can deliver the combination of visibility and policy enforcement to best meet your needs.

According to Ericsson, there will be 50 billion IP-connected devices by 2020, up from 1 billion just a year ago. These are not just the omnipresent gadgets everyone is familiar with. A bigger share is made up of the proliferation of what the industry calls embedded devices; these are often single-purpose devices such as cash registers, airport check-in kiosks, medical devices, access card readers, manufacturing equipment, programmable logic controllers, industrial control systems and much more that is now being connected. As history has proven, security is an afterthought for most manufacturers. All these devices need proper security and management that is built in from day one.

At McAfee we protect the digital world, including this emerging class of embedded devices. As we go about doing this, we have moved to a fresh, proactive strategy. The scale and sophistication of recent cyberattacks prove that the traditional reactive model is no longer adequate – and quite frankly, irresponsible. Security strategy for any piece of technology should evolve at the same or greater pace as a hacker’s attacks.

We recently assembled a team of elite experts dubbed TRACE for Threat Research and Counterintelligence Experts, who can think like criminal hackers. McAfee now has the ability to conduct deep-dive threat research into hitherto-unknown areas such as embedded devices. Our team of elite white hat hackers will be probing for unexpected vulnerabilities, giving us valuable insight into how a “black hat” hacker thinks, with the ultimate goal of uncovering the problems before the black hat hackers do and provide protection.

Armed with this knowledge, companies have a better chance of withstanding any future malicious cyber attacks on valuable assets, whether that asset is as large as a nuclear power plant or as small as an embedded heart pacemaker. Our TRACE team has helped us put together a new series of Hacking Exposed webinars on hacking embedded devices. Be sure to join those.

So what exactly does 99.9% uptime mean?   In the case of a website it means it should not be down for more than a total of 43.2 minute a month (the total number of minute in a month is about 43200).  And, most agree that the biggest cause of unplanned downtime is unplanned change   -whether for maintenance, troubleshooting, error, hardware-related or malware.

I spent Saturday morning catching up on reading and another favorite pastime, shopping from the comfort of my couch.   I’ve realized how much my online shopping expectations like that of many consumers are increasingly being shaped by the immediacy of the information on the web.   I have come to expect that I can purchase most items within a few minutes of wanting to own a particular item. However, this Saturday morning the website of one of the online retailers I regularly shop at was down.  Judging from the number of tweets on the subject I wasn’t the only one who was inconvenienced and it appeared their website had been down for some hours.

I wonder how much business that cost them.  And, how many will now look elsewhere the next time they shop? Downtime costs vary widely by industry, application, and organization, but it has been estimated to be as high as $1M per hour. There is a direct correlation between ensuring maximum network and server uptime and the quality of the consumer experience.

While other factors could have led to this particular website outage, the time is ripe for datacenter operations and security teams to take steps to improve the uptime experience for their consumers. A good starting point is by implementing security policies, processes and solutions that provide increased and real-time visibility and control in the data center.  Ensuring proactive threat protection and shielding against application exploits is a must.   Establishing trust zones with control over the types of traffic allowed coupled with strong change management controls and separation of duties is another step to ensuring a more robust data center and mitigating unnecessary downtime.

I have started to see strong interest in the McAfee DLP, Database Protection and Encryption technologies because there are more customers worried about the protection of their intellectual property than ever before.  Because of the increased competitive nature of the security business staying ahead of the competition is more critical than ever.  But in today’s world, businesses have more to worry about than just about the outside threat; there is also the threat within.  There have been more and more examples of internal employees selling intellectual property to competitors or taking the information with them when they go work for one. 

In the past, the interest in data protection technologies was mainly from companies who had information that was regulated and had to be controlled by law but today many businesses are realising that is just as important, if not more important, to protect their intellectual property.  I met with a very large automobile manufacturer that was worried that their engine and design plans were at risk so they wanted to make sure they had technology like McAfee Data Loss Prevention to ensure their future plans were protected and couldn’t be shared beyond the company walls.  I think companies have become more concerned because of the recent high profile data loss incidents in France and the UK and also because of the threat to their brands with the increase of Wikileak type losses.  One of the biggest targets for theft is information stored in company databases where much of the businesses critical information is kept.  McAfee recently acquired Sentrigo and now offers  marketleading database protection, compliance and monitoring.

Another trend I am seeing from many customers, large and small, is that they are seriously looking to outsource to the cloud to cut down costs and improve availability.  However, they all worry about the security of the cloud and how they can securely transfer critical information to and from it.  Until very recently the “Crown Jewels” of a company’s intellectual property was all stored within the castle walls of the business but this has changed quickly with globalisation, virtualisation and increased use of cloud applications.  Now much of that intellectual property is stored in the cloud where the business may not understand if that data is secure.  McAfee have just launched our Cloud Security Platform that helps businesses build a secure bridge to the cloud and insure that their data is safe when using cloud-based technologies.

Lastly, when I talk to partners they tell me they are looking for a partner who is focused on increasing their channel profitability.  McAfee has heard this from our largest partners too and have introduced a few new programs to really drive our reseller profits.  Additionally our partners are looking to provide a services portfolio that they can offer their customers based on McAfee solutions so we are putting a big focus on delivering these services to our partner base.  There will be some exciting announcements in the coming months giving more details on these programs.  At McAfee we really want to improve our engagement and support our committed partners with more opportunities.  Our goal is to be the best security vendor in the industry offering the best portfolio, best services and paying well for performance.  Any partner interested should visit our partner area on www.mcafee.com.

Regards,

Gert-Jan

McAfee has created solutions specifically to address the needs of organizations with limited IT security resources. Too often every mandate seems to have a technical point solution and independent control. Complexity can be eliminated through a connected framework across all security products. One solution in particular, our cloud-based Security-as-a-Service (Security SaaS) enables rapid deployment, easy operation and is well-suited for businesses with few IT resources. If you want security, but just don’t want to live and breath it, check out my  full editorial brief on solutions for SMBs.

Be sure to join us tomorrow at 11am PT. We’re eager to hear your thoughts on how to keep security a priority when IT resources are limited. If you have questions/comments before tomorrow, feel free to tweet @McAfeeBusiness using the #SecChat hashtag. To participate, simply follow #SecChat on search.twitter.com or your Twitter client.