If you do a quick Google search for ‘Cyber Security Skills Gap’, you’ll see countless articles on the gap and the enormous need for skilled workers in Cyber Security.
The cyber threat landscape is continuously broadening. While the security tools arsenal is adapting to meet the threats, the people to build, adjust and maintain them aren’t exactly a dime a dozen.
Often there seems to be a bit of a disconnect between what an organization wants and what it needs. Many want educational requirements like a Bachelor's or Master's degree in Cyber Security for their teams; however, candidates with those credentials are difficult to find due to the relative newness of the field and academia's “big wheels turn slowly” bureaucracy. If you do find one, they are undoubtedly committed to the field, but they remain extremely rare. We suggest that what many organizations need is the right person with the proper training and a desire to keep learning.
So who's the right person? People with the ability to connect technology and your business, but also the ability to connect with the people within the organization – suddenly soft skills are the hard skills. We offer that the character of an employee in Cyber Security requires someone who is curious, good at figuring out problems, and able to conduct the detailed analysis that the work entails. People who don't give up until the puzzle is solved. You want people who even question the puzzle itself and can carry concurrent lines of thought. Are there people already in your organization who show incredible aptitude for learning new things quickly? Do they know your business and the business of the clients they're tasked to?
You may have found your candidate.
When we're looking for those aforementioned degrees we want, we may actually need the proficiency gathered in a candidate's training, often buried in the educational section of their resume. Many of the requirements we seek are gathered through IT-specific security training, such as (shameless plug #1) a SANS certified mentor class being offered here at rSolutions: Hacker Tools, Techniques, Exploits and Incident Handling on March 21 through April 11, 2017. Courses like these take people with working knowledge of your systems and business, and transform them into the knowledgeable Cyber Security resources required. Other training is available too through many other organizations, and it's important to note we feel continual training isn't just a good idea, it's fundamental. Here at rSolutions we train at a ratio of 3:1, meaning our peeps are training one hour for every three they work.
This keeps rSolutions not only current, but ahead, which is where you need to be. If you want some quick suggestions, here are our top four training choices, and yes, rSolutions has all these and far more:
In your neck of the woods there may simply be few options for good hires. Your existing staff resources may be too valuable to their current teams to train elsewhere (replacing one problem with another isn't a good idea). The training required for the resource may be out of reach due to time or budget restraints. Lastly, once trained, you've created a highly sought-after resource and you might want to broker a non-compete clause. We've all heard about the “million unfilled InfoSec jobs”, that's why you read the article this far, and the other side of that is retention of highly skilled resources. So why buy, when you can lease?
At rSolutions (shameless plug #2), we started our business on Cyber Security and have advanced resources that teach the classes and proctor the exams for InfoSec designations. We provide Managed Cyber Security services that have the clearances, industry referrals across every major vertical in business and the business-first focus that can help improve your security posture in the short-term and will even work with you to prepare for the long-term.
Cyber Security is advancing so quickly that it’s a challenge to get a handle on the breadth of the threat landscape, the evolution of threats within that landscape and the proper tools to mitigate them. Outsourcing to a managed security model shifts some of the responsibility for your information security and puts it in the hands of qualified experts, allowing you the time to focus on the business and the day-to-day operational demands of supporting your information infrastructure.
Rick Fink, rSolutions
The cybersecurity talent shortage is something that we repeatedly hear about and see firsthand in our consulting work. According to some sources, there are currently up to 200,000 unfilled security positions in the United States, and an estimated one million open positions globally. By 2019, experts say there could be 1.5 million unfilled cybersecurity jobs. We hear these things in reports from IBM, Symantec and Cisco, to name a few. But, even if you debate the exact number, we still can agree the shortage is real.
Indeed.com recently did a study on two years' worth of relevant job posting data worldwide, which includes Canada. It becomes clear that demand is simply outpacing supply.
The risk in this shortfall in supply is that many companies are finding themselves performing workarounds to their IT security challenges. It's a race to the basement, which increasingly erodes security teams' footholds on defence and makes a proactive security posture more and more difficult to attain. In the meantime, the threat landscape is increasing in size as the market for stolen data grows and successful attackers propagate in step.
In this environment of increasing threats to the organization, decreasing availability of skilled workers and inherent risks to performing workarounds with available resources, an honest question is: Which security tasks and roles can be outsourced?
Whether you are part of a major corporate enterprise or a public-sector organization, it's hard to probe your own organization for vulnerabilities. Skill and smarts aside, our own connection to the environment may actually impede objective analysis of the security posture. It can be difficult to gain the necessary perspective from inside your organization. It's kind of like creating, writing and scoring your own test: if you do well – you wonder, if you do poorly – you wonder.
A proper vulnerability assessment will be performed by a third party and look at network, application, email phishing and social engineering vulnerabilities. It will probe your infrastructure, help you understand your security posture as it currently exists and prioritize actions your team can carry out to make improvements.
These assessments typically follow a quarterly or annual reporting period timeframe and will provide even greater insight over time as Vulnerability Assessment findings are remedied and awareness is created of the things to look for within your unique environment. We regularly recommend annual or bi-annual reporting, as fixes to systems and training of staff can take time and a quarterly measurement may simply be too short a timeframe to see results from the findings of the previous quarter.
Security monitoring is a big piece of IT Security success, but is often underachieved due to many factors. The first is the underlying premise of this article – simply too few people to do the jobs required. The other lies in the tools required to do the job. In IT Security there are tools for endpoint protection, email protection, firewalls, privileged access management, mobile device management and security policy management, and often there are multiple, overlapping tools used for each piece of the security required. This requires security professionals to continually pivot in and out of different security products' reporting windows to assemble some nebulous understanding of their security posture.
Imagine that you have all these reports from all these different security products and your job is to reconcile and make sense of them, and to do so in real time so that you understand your organization's up-to-the-minute security posture. I hope that didn't conjure an image of a happy and diligent worker, because that peaceful image would be a blatant lie in most cases. The complexity and enormity of the reporting alone doesn't lend itself to anything close to real-time understanding, and as we know, our computing environments rely on instantaneous connectivity.
Outsourcing to professionals who can set up your IT Security posture with single-pane-of-glass reporting is a serious consideration; it is available and will provide the quick response times necessary. Now this doesn't mean your security team will all get the day off, but it may afford them the time to troubleshoot, patch and actually get ahead of the curve in becoming more progressive than defensive.
Oftentimes our application development teams and security teams don't communicate well. Just because they all fall under the IT banner, don't assume they share common objectives. Development teams are tasked with developing and updating new and existing software so it performs a business function. The development team is pushed hard to meet taxing deadlines and to get these systems operational as soon as possible.
In their pursuit to economically meet deadlines, at times, they have been known to forklift in code from similar applications or code that performs a similar function they require the application to perform. Let's face it, it's standard practice. However, in this haste, we can actually open vulnerabilities and import existing vulnerabilities into new applications. “It's not the development team's job to think about security” is a prevailing attitude. On the flip side, imagine a developer that tested all their code for security compliance. It's safe to assume the pace of their work would be somewhat like making an ejector seat reservation.
Your security team will likely lack the time and resources to effectively search for vulnerabilities in newly developed/updated apps. The development team is on a different track and in all likelihood will lack the capability to ensure security compliance. So, the onus falls where? This is where a dedicated security team focused on this one task can help.
Whether your security monitoring is outsourced or on-premises, once it finds an incident is where the rubber meets the road. Sure, you can prepare for the immediacy and importance of a security incident, knowing that your resources are positioned well to respond, knowing who will start the chain of notification for internal and external audiences (and knowing the new policy and legislative requirements too) and so on. Yes, in some cases your team might be well suited to respond. But, if you stand up right now and walk out to your in/out board, you'll find one or two key resources away, on training, away from their desk, or in a meeting. That's just life, and the point is that we tend to think idealistically about resource allocation around a crisis, not that we'll be ill-equipped in some way. And, if you've ever been in the midst of a major security incident, even with a highly prepared and competent team, the challenge is all about the readiness of the people who were there at the time. When we think about it, it's a slim entry vector that will either allow us to descend safely back to earth or bounce off the atmosphere into oblivion, so establishing a good relationship with an IT Security firm that specializes in incident response and forensics is wise, because it allows for a bit more wiggle room in that re-entry vector for better odds of a safe landing.
Training is becoming, or will be, a requirement of policy compliance, insurability requirements, or just plain-old sound business risk management. Security training takes a variety of forms, and there are a few choices and a few more products on the market that provide out-of-the-box security awareness content for your organization's customization. It is our assertion that targeted, meaningful training helps raise the profile of security threats to a wider audience beyond the IT silo. When those messages are communicated outside of IT, everyone wins, as the challenges and threats to the organization get more attention. This can contribute positively to more than just awareness and contribute positively to the bottom line.
As we grapple with the widening threat landscape and an unnatural pace of evolution of threats on that landscape, we are met with fewer resources to choose from to keep us safe from harm. Outsourcing your security services to a fully or partially managed IT Security solution may just be the wise way to go, heck, soon enough, it may be the only way to go.
My how time flies.
It seems like only yesterday I was fortunate to be asked by the one and only Mr. Ed Skoudis (thank you, thank you) to write a post for the SANS PenTesting blog, “Got Meterpreter? Pivot!”, but it has been almost five years. In our industry, the only thing constant is change, so let's revisit this topic to see what has changed.
Once again, we will start with the same scenario:
We have a Metasploit Meterpreter shell with Admin/System privileges on an in-scope target Windows box. We will call this system X and it is in the DMZ. Do the root dance, pillage the heck out of it and get ready to pivot!
There are many ways to leverage the exploited system to discover, scan, and pivot to other devices in the target network. This article will discuss some ways to leverage the Metasploit Framework (https://www.metasploit.com/) (hereafter referred to as Metasploit) to accomplish various kinds of pivots, although there will be some non-Metasploit tips scattered throughout as well. Where a technique from the previous post is still valid, it will be referenced. Our test system, X, uses a dual-homed network, one network connected to the 172.16.33.x DMZ network and one connected to the 192.168.100.x internal network. The same techniques described below can be used for VLANs or physically separate networks that have paths to route to different networks.
Let’s go.
Watching the network interactions between devices is still one of my favourite ways to learn who, what, when and why an exploited system communicates with others on the network.
Meterpreter still has the sniffer module discussed in the last post available. In fact, it has been updated with x64 support since then. However, rather than rehash sniffer, we will use the Packet Recorder sniffer extension written by Carlos Perez.
Packet Recorder uses sniffer, but makes it even easier. Start by executing the command `run packetrecorder -li` in the Meterpreter session to list the available network interfaces, then execute the command `run packetrecorder -i 3` to capture on the chosen interface. To end the capture, carefully press CTRL-C, then open up the capture and look for interesting info. The example below shows the entire process.
For some reason when writing the post in 2012, I didn't mention the built-in netsh capability, so let me correct that oversight now. The `netsh trace` command can be used. There are all sorts of filters that can be applied, but a simple method is just to use the IPv4.Address filter as shown below.
This capture is saved in ETL format and can be viewed using Microsoft Message Analyzer. You can also convert the ETL capture to PCAP format with a couple of PowerShell commands. See the Internet Storm Center post in the references for more details.
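From the defender's side, the useful thing about `netsh trace` is that it is a built-in tool that leaves an ordinary process-creation trail (Security event 4688 or Sysmon event 1) on the host where it runs. The following Python is an added example, not code from the original post: it parses a handful of constructed key=value process-creation records (field names `host`, `user`, `image`, `cmdline` are an assumption, chosen to imitate those log sources) and flags netsh invocations that start a trace, rating a `capture=yes` trace higher because that is the packet-capture case the post describes.

```python
"""Flag process-creation events that start a host trace or packet capture with netsh.

Constructed example: the records below imitate the fields a Sysmon Event ID 1 /
Security 4688 record carries (host, user, image, command line); they are not
real telemetry, and the field names are an assumption for this example.
"""
import re

# Constructed sample events: one benign netsh use, one packet capture on the
# dual-homed host X from the post, one filtered capture, one unrelated process.
SAMPLE_EVENTS = [
    r'host=X user=DMZ\svc_web image=C:\Windows\System32\netsh.exe cmdline="netsh interface ip show config"',
    r'host=X user=DMZ\svc_web image=C:\Windows\System32\netsh.exe cmdline="netsh trace start capture=yes tracefile=C:\temp\t.etl"',
    r'host=FS01 user=CORP\helpdesk image=C:\Windows\System32\netsh.exe cmdline="netsh trace start capture=yes IPv4.Address=192.168.100.5"',
    r'host=FS01 user=CORP\helpdesk image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
]

# key=value pairs; a value is either a double-quoted string (backslashes allowed) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def detect_capture(events: list) -> list:
    """Return one finding per event that starts a netsh trace session."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()   # basename of the binary
        raw_tokens = ev.get("cmdline", "").split()
        tokens = [t.lower() for t in raw_tokens]
        if image != "netsh.exe" or "trace" not in tokens or "start" not in tokens:
            continue
        capture = "capture=yes" in tokens
        # keep the original case of the trace file path, if one was given
        tracefile = next((t.split("=", 1)[1] for t in raw_tokens
                          if t.lower().startswith("tracefile=")), None)
        findings.append({
            "host": ev.get("host"),
            "user": ev.get("user"),
            "severity": "high" if capture else "medium",
            "reason": ("netsh trace started with packet capture" if capture
                       else "netsh trace session started"),
            "tracefile": tracefile,
            "cmdline": ev.get("cmdline"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_capture(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['reason']} ({f['cmdline']})")
```

The same rule can be extended to the ETL file itself: a trace started without an explicit `tracefile=` still writes one under the user's profile, so a file-creation rule on `*.etl` from the same process gives a second, independent signal.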
There are more than 250 post exploitation modules currently available in Metasploit. A lot of them are used to gather info from the exploited system and a few of these are very useful in a pivoting situation.
A couple of good ones, again compliments of Carlos Perez, which can be used to determine what other systems are on the network are post/windows/gather/arpscanner and post/multi/gather/pingsweep.
As illustrated above, these scans identified a few systems we can potentially pivot to.
Routing is even easier than it was in 2012. From within your Meterpreter session simply type `run autoroute -s <subnet>`, then Ctrl-Z to go back to the Metasploit console and use the new route with some of the auxiliary TCP-based scan modules, and if we find something juicy, even exploit through the autoroute. The example below shows using our exploited system as a route to identify listening ports on the systems discovered during the ping_sweep.
PORTFWD, SOCKS proxy and SSH tunnelling illustrated in the previous post still work well. If you haven't used them yet, you should. Re-read the post and set up a test lab to ensure you see them in action. You won't regret it.
One new development since that post is the addition of a PowerShell version of SSH. Personally, I have only done limited tunnelling testing with the Microsoft-backed version https://github.com/PowerShell/Win32-OpenSSH. If you have had some successes or challenges using PowerShell implementations of SSH for pivoting, I would love to see them in the comments below.
Unfortunately, it appears that the module MSFMap by SecureState is no longer working in the current versions of Metasploit. All is not lost, though. There have been some very handy additions to Meterpreter that we can use in its place.
There are many ways to get a PowerShell session with Metasploit. One of the easiest is to use an existing session to create a PowerShell session. Background the existing session, then run the module exploit/windows/local/payload_inject with the windows/powershell_reverse_tcp payload as shown below.
From here you can run (almost) any PowerShell module. In the example below, a PowerShell script, Invoke-TSPingSweep, which was modified a bit to make it more display friendly, was uploaded via Meterpreter, imported and then executed.
Note that some scripts will behave differently when run in the injected session. In particular, watch out for scripts that use Out-Host, and some that do not handle network connection timeouts will return big ugly errors like the one below, but will typically continue.
Another new addition is the ability to run Python directly in a Meterpreter session!
This ability is still being developed and currently there are some technical issues that limit some of its usefulness; for instance, you can't have the Python script run in the background (https://github.com/rapid7/metasploit-framework/issues/6369). Still, this is a great addition and one that certainly will be useful when pivoting.
Imagine being able to easily use your favourite Python code from Black Hat Python, Violent Python or the SANS Security 573 class. Wonderful!
As briefly shown above, PowerShell is a very powerful tool for the penetration tester and can be especially handy for post-exploitation activities. All the automated penetration testing programs provide PowerShell modules, and a lot of very good work is being done on utilizing PowerShell for both defense and offense. Immunity has a nice video showing off some pointy-clicky PowerShell interactions here https://vimeo.com/140723133, although that guy's voice drives me crazy.
PowerShell remoting may not always be enabled, but if it is, it can be a quick way to pivot around a network. From an existing PowerShell session run the command `New-PSSession -ComputerName abc.fg.hi`, then to interact with the shell run the command `Enter-PSSession X`.
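Whichever transport a pivot uses (PowerShell remoting, SMB, a routed exploit), each hop shows up on the next target as a network logon (Security event 4624, LogonType 3) whose source address is a host that was itself just logged on to with the same account. The following Python is an added example, not code from the original post, that links such logons into pivot chains. The 4624-style tuples, the host inventory and the time window are constructed assumptions for the example.

```python
"""Spot pivot chains in Windows logon events: an account logs on to a host over
the network, and shortly afterwards that host is the source of a network logon
to yet another host.

Constructed example: the records below are simplified Security 4624 events
(LogonType 3 = network logon, which is what PowerShell remoting, SMB and similar
produce). Hostnames, addresses and times are made up; the host inventory that
maps a source IP back to a host name is an assumption for this example.
"""
from collections import defaultdict

# Constructed inventory so a logon's source IP can be tied back to a host.
INVENTORY = {
    "172.16.33.10": "X",          # dual-homed DMZ host from the post (DMZ side)
    "192.168.100.10": "X",        # same host, internal-facing interface
    "192.168.100.7": "FS01",
    "192.168.100.20": "DC01",
    "10.1.1.5": "ADMIN-WS",
}

# Constructed 4624-style events: (epoch seconds, host that logged the event,
# logon type, account, source IP of the logon).
SAMPLE_EVENTS = [
    (1000, "X",    3, r"CORP\svc_backup", "10.1.1.5"),        # admin workstation -> X
    (1240, "FS01", 3, r"CORP\svc_backup", "192.168.100.10"),  # X -> FS01, same account, 4 min later
    (1300, "DC01", 3, r"CORP\svc_backup", "192.168.100.7"),   # FS01 -> DC01, 1 min later
    (2000, "FS01", 3, r"CORP\alice",      "10.1.1.5"),        # ordinary network logon, no chain
    (5000, "DC01", 2, r"CORP\bob",        "127.0.0.1"),       # interactive logon, ignored
]

CHAIN_WINDOW = 600  # seconds: how soon the outbound hop must follow the inbound logon


def find_pivot_chains(events, inventory=INVENTORY, window=CHAIN_WINDOW) -> list:
    """Return (account, previous_source, pivot_host, target_host, seconds_between) hops."""
    # inbound network logons per (host, account), in time order
    inbound = defaultdict(list)
    for ts, host, ltype, account, src_ip in sorted(events):
        if ltype == 3:
            inbound[(host, account)].append((ts, inventory.get(src_ip, src_ip)))

    chains = []
    for ts, host, ltype, account, src_ip in sorted(events):
        if ltype != 3:
            continue
        src_host = inventory.get(src_ip, src_ip)
        # was the source of this logon itself logged on to by the same account just before?
        for prev_ts, prev_src in inbound.get((src_host, account), []):
            if 0 <= ts - prev_ts <= window:
                chains.append((account, prev_src, src_host, host, ts - prev_ts))
    return chains


def chain_paths(chains) -> list:
    """Render each hop as 'account: A -> B -> C' for an analyst."""
    return [f"{acct}: {a} -> {b} -> {c} ({dt}s)" for acct, a, b, c, dt in chains]


if __name__ == "__main__":
    for line in chain_paths(find_pivot_chains(SAMPLE_EVENTS)):
        print(line)
```

Mapping both of X's addresses to the same host name is what makes the dual-homed case work: the inbound logon arrives on the DMZ address while the outbound hop leaves from the internal one, and without the inventory the two would never be joined. Service accounts that legitimately fan out (backup, monitoring) will produce chains too, so this is a hunting query to baseline rather than an alert to page on.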
I don’t see any slowdown in the opportunities to pivot through the network anytime in the near future. Do you have a favourite I haven’t mentioned? If so, please share it in the comments.
Thank you for your time
Cliff
What good is all the effort you put into bolstering your company’s IT Security posture if your end users continually pipe a new stream of ever-evolving threats directly into your environment?
Sure, the robustness of your security controls gets a steady workout, but we assert that adding a little awareness of security can go a long way. Even a nominal awareness program holds the potential to reduce the scope and severity of risks to your environment, so you can focus your time, money and effort on bolstering your security posture instead of the hand-to-mouth servicing of one-off security threats.
You have likely read The Art of Deception by Kevin D. Mitnick (and William L. Simon) (if not, you should) and know that all the work that goes into building a robust security posture doesn't mean squat if your end users are clicking on every attachment and bad link they come across.
In Mitnick’s words, “…the human factor is truly security’s weakest link.” Try as we might, we can’t solve every problem with a blinky light.
So you might be thinking, “how do I create (or improve) a culture of security at my company?” Many of the clients we serve at rSolutions are larger enterprises and have both external and internal communications departments, so we preface this advice under the assumption you’ll be working with a communications team, but we also provide this advice so it is large enough in scope so any sized company can derive some benefit.
Communications teams are likely largely unaware of all the efforts that go into making a company's security posture as tight as possible. An overview of the number of threats handled over a defined period of time will help show what you're dealing with and how more awareness can help. Provide the history and evolution of the problem you are trying to solve, as well as some examples of what could happen, and has happened to other companies, that have fallen victim to the threats you outline (consequences). Do not include any FUD facts. Stick to the true facts. This will help build context for the problem with a non-technical audience and can help you reduce your time in incident response. Consider bringing the CTO or CISO around as a champion so you have support from the top to the bottom.
Well, everybody needs to know about security, you say. That is very true, but we suggest you approach it like you would eat an elephant: one bite at a time. The likelihood of success increases if you start on a smaller test group, ironing out what works and what doesn't, before spending the time, money and resources on a corporate-wide awareness program. Consider a test group of your greatest offenders. You likely have the data to present the case. Have you talked to them about why they keep falling into the same traps? Do you have data that supports which user groups are the greatest offenders, or at the very least an anecdotal indication of who the greatest offenders are? Package this information to build profiles of these audiences so you approach the communications team with a target audience, one you can measure against your actions.
I wish they’d just:
Yours might be the same, or maybe they are different. Whatever they are, be sure to target your lowest hanging fruit. The idea is that if we want to make a more cultural workplace change, we need to start somewhere basic, then as you move forward on a continuum you can address more detailed subject matter over time. Try to keep in mind that cultural change is a big wheel that turns slowly, so start with your highest payoff activities balanced against the concepts that are easiest to grasp for non-technical people outside the IT silo. Consider focusing on what messages will bear the most fruit if scaled up for the entire organization.
Being in IT Security gives you visibility into where your users get their information and the kind of information they access. Basically, where they are hanging out and what they’re doing there. Keep an eye out for trends and patterns (like you’re not already) to find places of higher traffic. Where are the people you are trying to reach getting information, for their work and not-so-work related information needs?
Where do the people you're trying to reach keep messing up? Is it around use of a certain application or applications, a network destination or the internet? Just like our kids, we often have to catch them messing up or remind them of a rule when we notice they're about to do something bad to ensure they are changing behaviour. It's not that your fellow professionals in your organization are children, it's just that many still view IT Security as IT Security's problem. They may not realize how their behaviour is a danger to the business. So your audiences need to be informed and re-informed of the rules, consequences and potential pitfalls in the places where threat is most prevalent.
Our primitive human mind is programmed to be on the look-out for things that are new, different, or may pose a threat on a level of our baser animal instincts. Keep your messages consistent around a central theme of complementary messages or a single message. But keep the delivery of that message dynamic and changing. As we are trying to secure a digital environment, it makes some sense to keep our messages to that space, but the human mind requires similar or complementary messages presented in different ways to break through to our consciousness. Using analogies from outside of the digital space can increase chances that you’ll reach desired outcomes.
Consider putting some of your budget aside to address this with a professional. Many marketing and communication efforts stall when the responsibility for who’s going to pay starts becoming the issue. Consider cost sharing or proportional funding of these efforts going in, so there is a partnership developed and there is common understanding of the resources available to reach the audiences. Strategists, designers, production and placement aren’t always cheap, but there are ways to respect costs in-step with the desired outcomes. Having understanding of the budget going in helps save more time and effort in the long run.
Validate the actions carried out against the desired response by measuring the intended outcomes against the info and metrics you collected to frame the issue earlier. We're not talking about seeing drastic upticks in security compliance moments after putting up a poster in the staff lunchroom, but try to look for behavioural changes. If you've started with your worst offenders, is there a change in the number of incidents? Are there fewer help desk calls, has their network reliability improved? Ultimately, have your efforts delivered the fruit you expected or wanted? If so, you're on the right track. If not, you may need more information from your targets and an understanding of which messages failed. It's important to note that humans aren't as easy to diagnose as systems; they may not perform as expected if something rubs them the wrong way or is placed somewhere they can't see it.
For more information on building IT Security awareness for your organization, we’re rSolutions and we have access to the professionals that can help.
Splunk is everywhere! Splunk’s Robert Ma talks about how companies are using Splunk software to detect and prevent insider threats.