Philly Bsides 2023
BSidesPhilly 2023 was hosted at Netrality Datacenter in Philadelphia. All participants of the conference were given headphones where they would switch from red/blue station based on which track they were at to hear the presentor. The conference started with the keynote on Cybersecurity State of the Union from IBM which summarized the attacks based on sectors and the techniques used by threat actors. The initial talks were all about generative AI and how the industry is going to grapple with the tools being available to everybody.
GenAI for Threat Modeling
The first talk was about using generative AI for threat modeling. Some of the use cases can be -
- LLM can generate DFD based on diagrams or description.
- LLM can provide textual description of the architectural description.
- Gen AI can reduce repetative tasks of traiging threats and can provide an explanation of the threat which just needs a polish from the analyst.
- Contextualization a generic threat by pasting the code and asking GenAI to provide vulnerabilities in the code or even the general context about the code.
- PYTM produced reports on ChatGPT help out provide the generalized report but it is only giving the general idea which would be a good starting point for a Modeler to start from but cannot be used as is.
- STRIDE-GPT helps generate threat model with caveats though.
I use my anxiety to pwn companies, and you can too!
@shhani-prutchi
Interesting talk, some of the key takeaways are listed below.
Formal Threat Modeling - Shostack’s four questions framework for threat modeling (shostack.org) -
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
- Trust boundaries would be where the threats would be
- STRIDE Framework for identifying these threats
- For each threat we identify we will find mitigations for them
- Previous threat models stay in rotationas it is built upon based onthe functionality being added to the application and needs to be updated accordingly.
Informal Threat Modeling - Ask the question - What could go wrong that could go wrong for the client?
- It is impossible to enumerate all threats against a system
- Threat prioritization is usually linked to impact (Risk Severity Categorization, Impact to Business, Impact to Reputation)
- Threat modeling without context spirals out of control very quickly
Leveraing threat modeling to identify rabbit holes to dive into, pivot points and escalation points.
Case Study
- User Enumeration
Threat modeling to prioritize test cases
- Consider application sensitivity
- Reputational impact can be security problem (Where the account can be found)
- “What could I use this for?” (For blackmail? Used to leverage access into corporate accounts)
- Identifying interesting functionality
- Understand application’s functionality (Try to understand the functionality to find the underlying hidden architecture that would be supporting the application. Web Server supporting an application, database/cache for less quering.)
- Input handling, data processing, search, etc
- Applications have supporting infrastructure
- What components can be targeted?
- How we get infrastructure details
- Banner information disclosure, detailed error messages, stack traces, etc.
- Understand application’s functionality (Try to understand the functionality to find the underlying hidden architecture that would be supporting the application. Web Server supporting an application, database/cache for less quering.)
- Threat Modeling to pivot
- Consider shared resources
- The same authentication token may be used for multiple systems (Internal tooling has laxed securty because employees are trusted actors in general sense. Does an internal application reuse tokens for access which can be sent to other destinations?)
- Internal security practices may be weaker
- Employees may experience privilege creep Access Control may not be as strict
- Consider shared resources
- Authentication Integration - Threat modeling to calculate Severity
- Consider application use case
- What does this integration control?
- What information is accessed?
- “What can go wrong?”
- What functionality could be bypassed?
- Would skipping business logic impact what a user can access?
- Consider application use case
- Home Security - Threat modeling to select controls
- Consider the threat actors relevant to the business
- Are there frequent robberies in my area?
- Am I likely to be targeted by a professional?
- What am I worried about going wrong?
- What am I protecting?
- Am I looking for coverage when I’m home, or away?
- Context is key to identifying realistic controls
- Consider the threat actors relevant to the business
Informal Threat Modeling is a powerful tool to focus your efforts, prioritize your test plans and calibrate finding impact.
Stacked & Hacked: Crafting the Ultimate COTS Response Arsenal
This talk is about the power of Commercial Off-The-Shelf (COTS) tools and assembling a potent incident response stack.
IR Strategy - Minimize financial impact Minimize business interruption Avoid bad press Avoid litigation Confidentiality of intellectual property Privacy regulations Prosecute
IR Challenge - Rapid response Rapid recovery Minimal negative financial impact Minimal negative public relations impact Reduced future risk Forensic information should be kept for lessons learned and improve controls later and not to the same state just before the incident.
IR Process NIST 800-61 Preparation > Detection & Analysis > Containment, Eradication & Recovery > Post - Incident Activity
Some of the commercial tool mentioned by the speaker - Forensic Collectors: Rapid7. Velociraptor Log Analysis Tools: Hayabusa, Zircolite, Timeline Explorer, EvtxEcmd, Chainsaw Network Analysis Tools: Arkime, Security Onion, Wireshark Disk Forensics: Forensic Toolkit (FTK), Encase, The Sleuth Kit (TSK), Autopsy
- Binalyze (DFIR Off the shelf to manage the incident)
- ThreatLocker (Host based firewall that allows custom policies and custom ACLs, good option for containment)
- Cyngular ClouDFIR is a DFIR platform for all cloud resources
The power and perils of binary emulation for malware analysis
Anuj Soni (Principal Threat Researcher)
Malware that implements custom encryption or obfuscation algorithms like stacked strings cannot be extracted using tools like Ghidra/IDA Pro. Stealthy malware can behave differently when launched in a VM/Sandbox to stay hidden, which makes it difficult to find the malware’s functionality for Virus Total/CrowdStrike like sandboxes.
Options to deobfuscate - custom deobfuscation code can be written but it would be time consuming and might only work with base64 and not custom encryption, execute the malware in Linux and view memory but that would just show us one decision path
Binary emulators, which simulate the execution of instructions or an entire program, provide a compelling solution for automating the deobfuscation of code and data during malware analysis. Emulation can provide us the decoded strings without knowing the encryption algorithm and can also sidestep protections against sandboxes in the malware.
Unicorn is a Multiplatform CPU Emulator framework which emulates instructions and isn’t aware about the OS or File Type. Unicorn is the foundation of multiple Binary Emulation tools. For disrupting Qakbot Malware FBI used emulation malware analysis techniques to decode it.
Binary Emulation Frameworks – Speakeasy (Mandiant), Qiling and dumpulator. Speakeasy and Qiling do API Emulation whereas dumpulator does Syscall emulation.
Beacon Object Files we observed in the Red Team, by using any of these Emulation Framework we would be able to identify executable code in memory and dump that content to disk .
Caveats with Binary Emulation are only limited access to resources/APIs within an OS, slower performance than executing on an VM, Manual analysis required to target execution of functions and instructions.
Blackberry Security Research Blog
RPC Filter? I hardly know her!
Evan Perotti (Lead Scientist @ SRA)
This talk explores protection against a Windows lateral movement technique using RPC filtering which is a Windows native mechanism for preventing RPC connections based on custom rules.
RPC (Remote Procedure Call) provides a client-server mechanism for inter process communication between local and remote systems. Remote RPC connections happen commonly via TCP and SMB named pipes.
RPC are often not documented well so to find interface/procedures available use RPC Investigator by Trail of Bits
If you run ‘psexec -i \target cmd’, PsExec extracts an embedded service called Psexesvc And copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API which has a remote interface to start the Psexesvc service on the remote system.
RPC Filters use the Windows Filtering Platform (WFP) and can be used to block/audit/allow RPC connections Blocks prevent the entire RPC interface from running
RPC filters stored in the registry
Implementation shortcomings and hacky workarounds
Example -
Thoughts
Overall it was an interesting conference, the locksmith table was a first for me. The headsets had a cracking sound which was quite distracting. Some of the talks were very insightful and getting to network with these speakers was a plus.
