
Belgian Cyber Security Challenge CTF: A Junior’s View

The Belgian Cyber Security Challenge is a Capture-The-Flag (CTF) competition focused on cybersecurity. The event is organised by Toreon’s friends at NVISO.

Timeline:
Wednesday 10 am: my team’s 32-hour adventure started, capturing as many flags as we could possibly find.

10:30 am: first blood! After half an hour we had already found a first flag, which placed us in the top five on the scoreboard.

12:00 pm: finally a second flag we could submit to the platform!
Once all team members had finished work, we gathered on voice chat to discuss strategy and started brainstorming around the challenges. At first sight it seemed NVISO had stepped up their game: last year’s challenges were not as difficult as this edition’s.

6:00 pm: it had been six hours since we last submitted a flag. Other teams caught up with us and we started to lose hope. But then we began to understand how certain challenges were built and where we should look for the flags.

6:30 pm: new flag, back on track! We were frustrated because a lot of people had found the flag of the so-called ‘ModBusted’ challenge, inspired by Industrial Control Systems. Two of our team members had done research on ICS systems in the past, but we just couldn’t find the one easy flag that everyone else did.

07:45 pm: Yeahaa! We found it! This flag took us from 61st place all the way back to 22nd. At this point we were so happy and filled with new hope.

09:30 pm: We lost too much time on this one. It was probably the last easy one we found.

11:00 pm: We put our heads together to solve the ‘Whistle’ challenge and – yes! – we were the third ones to solve it. Our first big win: 90 points!

01:45 am: last flag for this session. It took us a while to figure out where the flag was hidden since this was a forensics exercise.

Until 4 am we kept searching, but we were all too tired to keep digging for flags, so we took a nap to continue with clear heads the next morning.

11:15 am: submitted a new flag! What’s next? The clock is ticking, guys! The contest would end in only seven hours. We had to come back to the ‘XYZ-adventures.com Data Exfiltration’ challenge several times. The organisation provided us with packet capture files and we had to find where the flag was hidden in that giant pile of data. One team member found credentials that had been sent in plain text while the data was being captured. With these credentials we could log into the user’s mail account and retrieve a Word document from his mailbox.

12:45 pm: The flag was found in the document properties.

05:15 pm: We submitted the flag we just found but we needed to find some others.

06:00 pm: END of competition, Team BlumBlumShub ranked 24th place on the scoreboard.

During the competition we heard that only the first eight would qualify for the finals; afterwards we received a mail saying that the top forty-five could join a second CTF in two weeks and compete for another eight places in the finals.
So stay tuned for more in a few weeks!
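The last step of the data exfiltration challenge, reading the flag out of the Word document’s properties, as an added example that is not part of the original write-up. A .docx is a ZIP container whose core metadata lives in docProps/core.xml and whose user-defined properties live in docProps/custom.xml; the script below builds a small document in memory with a made-up flag (the ‘FLAG{’ marker, the property values and the names are constructed for this example, not the challenge’s real data) and then dumps every property it finds.

```python
"""Dump core and custom document properties from a .docx (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the two property parts (standard values, not assumptions).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "cust": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
}

# Constructed sample parts: names, dates and the flag value are invented for this example.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly report</dc:title>
  <dc:creator>j.doe</dc:creator>
  <dc:description>FLAG{constructed_example_flag}</dc:description>
  <cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2017-03-15T09:30:00Z</dcterms:modified>
</cp:coreProperties>"""

CUSTOM_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties
  xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
  xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Reviewer">
    <vt:lpwstr>m.smith</vt:lpwstr>
  </property>
</Properties>"""


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (a ZIP archive) in memory from the sample parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/custom.xml", CUSTOM_XML)
        z.writestr("word/document.xml", b"<w:document/>")  # body text is irrelevant here
    return buf.getvalue()


def read_properties(docx_bytes: bytes) -> dict:
    """Return {name: value} for every core property and every custom property."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            for el in ET.fromstring(z.read("docProps/core.xml")):
                local = el.tag.rsplit("}", 1)[-1]            # strip the namespace URI
                props[local] = (el.text or "").strip()
        if "docProps/custom.xml" in names:
            root = ET.fromstring(z.read("docProps/custom.xml"))
            for prop in root.findall("cust:property", NS):
                value = prop[0].text if len(prop) else ""  # the typed child holds the value
                props["custom:" + prop.get("name", "")] = (value or "").strip()
    return props


def find_flag(props: dict, marker: str = "FLAG{"):
    """Return (property_name, value) for the first property containing the marker, else None."""
    for name, value in props.items():
        if marker in value:
            return name, value
    return None


if __name__ == "__main__":
    found = read_properties(build_sample_docx())
    for name, value in found.items():
        print(f"{name:22} {value}")
    print("flag:", find_flag(found))
```

On a real capture you would replace build_sample_docx() with the bytes of the document pulled from the mailbox; the two XML parts are where Word keeps author, last-modified-by, description and any custom fields, which is why ‘document properties’ is a standard stop on a forensics checklist.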


Why the IT-OT Convergence is all about knowledge sharing

After attending the fifth Cyber and SCADA Security for Oil & Gas Industry conference, it became apparent that many companies are struggling with the arrival of IT staff in OT/ICS environments: the so-called IT-OT convergence.

My personal opinion is that the involvement of IT people in OT environments is a very positive thing, as both sides have their strong points:
– IT environments often have broader experience in assessing cyber threats and their attack vectors, as they long ago left behind the idea that information systems can be protected merely by securing the building they sit in.
– Both IT and OT face increasing numbers of targeted attacks on their environments, such as Zeus, NotPetya, Trisis and BlackEnergy.
– Many IT-targeted attacks have caused collateral damage in OT environments because of the type of malware and its propagation paths (for example the numerous ransomware infections seen on SCADA and ICS systems, spread via infected USB devices or simply because the system had direct internet access).
– OT people often have far more experience in risk and safety analysis, as they have been doing it for the better part of a century.

When combining these strong points, we might just accelerate the ever-so-slow development cycle of OT environments. However, we must also keep a few important things in mind:
– OT and IT have very different goals regarding what they want to protect from cyber-attacks. IT is typically all about confidentiality and privacy, whereas OT is all about (personal) safety, reliability and availability.
– Some IT technologies seem like a good fit for particular problems in OT, but they might break more than they fix. OT environments often contain legacy systems dating from the eighties or earlier, speaking proprietary protocols and sometimes retrofitted to communicate over IP networks. An automated network scan can, for example, crash an older RTU just by pinging it, so scanning tools that are routine in IT need to be validated against the equipment before they are pointed at a production OT network.

With OT environments undergoing a skill drain, there are important challenges ahead that might require innovative approaches and efficiency gains.

I would strongly advise continuing to put IT people in OT environments and vice versa, but only as advisors to one another. Both have years or even decades of experience in their respective areas, and now that they are facing similar challenges, the time has come to join forces and go for a safer tomorrow!


Using ‘Embrace Cybersecurity’ to check on security progress

In previous blog posts (Business and IT aligned with Cybersecurity and Baselining Cybersecurity), I introduced our ‘Embrace Cybersecurity’ (EC) model for gathering the security requirements used to create an information security policy.

This method also makes it easy to follow up on progress afterwards, by defining the right KPIs. The question ‘How do we meet the goals we chose to aim for?’ leads directly to those KPIs; in the EC model they are represented by the ‘Keyword’ cards.

The Toreon security expert drills down on each chosen keyword to define the right metrics. These metrics become the KPIs that measure the security controls put in place.

However, reporting is not enough. The output of the EC model needs to be translated into the right management practices. How this is done will be discussed in another blog post.

During the adoption of the information security policy, you might come across a misalignment between the goals the business wants and the goals IT wants. Another blog post will detail how to identify this misalignment and how to get everyone on the same page.

This is key for a functional information security policy.


Business and IT aligned with cybersecurity

The owner of information

In today’s organisation, information is primarily managed and processed by IT, and the IT department is very often also made responsible for securing the information in the systems the business uses. Reports of recent cybersecurity incidents show that this is not the right approach, and recent legislation such as the GDPR agrees.
A holistic information security policy needs to start with the owners of the information: the business. They have to tell you what is important to the business and what needs to be protected. Then business and IT need to be aligned on those requirements. We can do this by helping them use the same frameworks and language.

Gathering security requirements

The challenge of gathering requirements lies in:

  • getting agreement on the goals of IT and the business.
  • using and combining different IT and security frameworks like COBIT, ISO 27000 and SABSA to define and align those goals.
  • bridging the different vocabularies of IT and the business so that both clearly understand the goals you want to achieve with your information security policy.


To get this done, we at Toreon created the ‘Embrace Cybersecurity’ approach. This approach helps IT and the business come together to figure out the cybersecurity objectives of the organisation, how they want to achieve them and which risks stand in the way.

This information is gathered in workshops that are supported by playing cards, themed: ‘Enterprise goals’, ‘IT goals’, ‘Keywords’, ‘Risks’ and ‘Actors’. The cards help collect information from the different departments in the organisation about what they see as goals, how IT should work and what security risks there might be.

The output is then combined in the overall risk register, so that mitigation actions based on the ISO 27001 standard can be defined. These mitigation actions lead to an information security policy that is aligned with both the business and IT.

Theory and expertise behind ‘Embrace Cybersecurity’

The Embrace Cybersecurity approach uses the frameworks COBIT 5, ISO 27000 and SABSA, and the expertise of the Toreon security experts is the glue that brings it all together. This may seem like a lot of different frameworks, and you might wonder how they can be combined to deliver actionable results. We dissected the different frameworks and picked only those aspects that work best to gather the most complete and correct information. And of course this includes using the correct vocabulary for both the business and IT.


7 ways to secure your Microsoft network for free

Cybersecurity is a hot topic. The rules are getting increasingly strict (look at the GDPR) and attackers are becoming ever more inventive, so robust protection is vital. Luckily, an acceptable level of protection doesn’t need to cost very much: if you run Windows, you have access to all kinds of tools already included in your existing licences. Here are seven ways to secure your network for free:

  1. Windows Event Forwarding

By gathering useful logs from workstations and servers on a central collection server, you increase visibility on these machines and make it possible to detect attackers. Windows Event Forwarding (WEF) does not require an extra licence, which makes it a free alternative to commercial log collection agents. Combined with a free log analysis stack such as ELK, it becomes a powerful solution to detect attacks while they happen and to collect evidence after an incident. One drawback: WEF only collects from Windows hosts, so logs from other platforms need a separate collector.

  2. Privileged Access Workstations

Securing administrative IT tasks is one of the most important mainstays of a secure IT environment. Privileged Access Workstations (PAWs), Microsoft’s reference design built on Windows 10 Enterprise, give extra protection to the dedicated workstations used for privileged access, so that an administrator’s credentials are never typed on the same machine used for e-mail and browsing. No extra licences are needed, so this is also completely free.

  3. Local Administrator Password Solution

In most business environments, the built-in local administrator account remains active on all workstations so that emergency access is possible at any time, even when the Windows domain is not available or reachable. In many cases, this local account has the same password on all workstations. That is practical until the password leaks and attackers suddenly have access to every workstation. Enterprise password managers can solve this, but they often require extra equipment or paid licences from external vendors. Microsoft’s free Local Administrator Password Solution (LAPS) sets a different, randomly generated password on each computer, rotates it periodically and stores it in Active Directory on the computer object, where only authorised accounts are allowed to read it. A leaked password then opens one workstation instead of all of them.

  4. Hard disk encryption: BitLocker

Many companies are embracing remote working and the BYOD principle. As a result, laptops, tablets and smartphones with sensitive information are more often outside the familiar business environment. When a laptop is stolen, the thief also has access to all the information saved on the local hard disk. Microsoft has a solution for this: BitLocker provides full-disk encryption of the system drive, and removable media can be encrypted the same way with BitLocker To Go. It is included in the Windows Professional and Enterprise licences. Moreover, in a domain environment the recovery keys can be escrowed centrally in Active Directory, so an administrator can still recover the data if the user loses their PIN or key.

  5. Secure Boot

Secure Boot protects the boot chain against an attacker with physical access: the UEFI firmware only runs boot loaders and operating system components signed by a trusted key, so a bootkit or tampered boot loader is refused before the operating system is even loaded. It does not replace a firmware password or BitLocker, but it closes the window in which malicious code could run before the OS and its defences are up.

  6. Device Guard

New types of malware appear every day, which means that traditional signature-based detection is no longer enough. Using techniques like polymorphism it is child’s play to get around traditional anti-virus detection. Device Guard is a combination of technologies that ensures only trusted applications can run on the system, and it is included in the licences for Windows 10 Enterprise and Windows Server 2016. Code integrity policies block any executable that is unsigned or whose signer is not on the allow list. This ensures that only approved software can run and that malware can’t get a foothold; the trade-off is that the policy has to be maintained as your application landscape changes, so start in audit mode before enforcing it.

  7. Credential Guard

Credential Guard uses virtualisation-based security to isolate the secrets that Windows keeps in memory, such as NTLM hashes and Kerberos tickets, from the rest of the operating system. This is exactly the information attackers look for once they have taken over a system and want to move laterally through the network. Credential Guard makes it much harder to extract and reuse these credentials and hashes; without them, the attacker is more easily contained on a single system.

Interested to learn more? Get in touch.

React to incidents in an organised way by using the Playbook model

Imagine that someone detects a breach in one of your systems. How would you react? Would you immediately dig into all of your network and host logs? Or would you contain the situation first, by disconnecting the machine(s) from the network?

Actually, you shouldn’t just start thinking about these questions when the incident has already occurred. Incident response procedures should be described in a standardised way and your team should be able to use them without hesitation.

Simply said: you need an Incident Response Playbook.

How the Playbook works

The Playbook collects ‘plays’. Each play contains the list of actions needed to accomplish one incident response task. Plays are extremely useful because they are not just a pile of complex queries or code to detect whatever ‘bad stuff’ hit you: a play is a fully documented, prescriptive procedure that allows you to find, and act upon, undesired activity in a structured way.

Every play contains a set of sections:

  • Report ID and title: with a specific structure, you indicate the data source, the type of report – such as ‘investigative’ or ‘containment’ – and the title.
  • Objective statement: here you describe the ‘what’ and ‘why’ of a play. This should provide background information and reasoning on why the play exists. Don’t give too many specifics, this should be high-level.
  • Scope and applicability: describe who should run the play and when or how often.
  • Methodology and procedures: this is the ‘meat’ of the play; here you describe the procedures in detail.

Every play counters a different threat: one play handles malicious traffic, another phishing, another ransomware, and so on.

The Playbook follows your way

The biggest benefit of the Playbook is its flexibility. It is not a rigid framework: the objectives of a play are open-ended, which allows your security experts to explore different ways of achieving them.

Need a hand setting up a Playbook? Feel free to contact me for assistance.

Why I’m happy to help the CCB

As you may know, the CCB (Center for Cybersecurity Belgium) is working on a vulnerability disclosure policy. It is meant to be an enabler for ethical hacking in Belgium. Organisations embracing and publishing such a policy can allow (external) ethical hackers to verify and test their security posture and to disclose any issues found, in a coordinated and responsible way.

Note that hacking, and even the possession of hacking tools, is illegal in Belgium. The new rule would be that permission can be granted by the company that is the target of the hacking, based either on a contract (for professional companies) or on a vulnerability disclosure policy (like the one the CCB will propose).

The CCB wants to make sure that the policy responds to the needs of security researchers and professionals, so they invited a number of people who deal with ethical hacking and responsible disclosure on a daily basis to participate, yours truly included.

It’s too soon to talk about the outcome of the discussions with the CCB, but the policy itself is definitely something we are all looking forward to. We are very hopeful that the inclusion of professionals in the conversation will improve the chances that the policy will add value and clarity to the current murky legal situation of ethical hackers. And that is what everyone active in cybersecurity and ethical hacking has been longing for: clear legal limits within which one can act without risking prosecution.

A disclosure policy would state, among other things, how ethical hackers can disclose vulnerabilities to the company in a correct way, what the do’s and don’ts are for ethical hackers when probing their targets, basically what the acceptable boundaries are for hacking that specific organisation. If the hackers play by those rules, they can’t be prosecuted for their security research at that organisation.

What would you like to add to such a policy? Any advice? Looking forward to reading it in the comments.


The youth is out there…

Have you read the Kaspersky Lab research on how a lack of guidance leaves young people tempted to get involved in cybercrime rather than to prevent it? At Toreon, we didn’t need an extensive and expensive study to realise that youth is the future and that an interest in IT and cybersecurity can’t be sparked early enough. That is why, at the end of Cyber Security Awareness Month and in collaboration with BruCON, we met up with kids and students to teach them about IT, hacking and cybersecurity.

Hak4Kidz
For the second Hak4Kidz Belgium event, BruCON invited children and youngsters between 7 and 15. Six Toreon volunteers helped show them how much fun IT and science can be. The event was fully booked in no time.

A few of the things that the children learned:

  • Issues as a fun puzzle waiting to be solved
  • Failure means you get to try again
  • By sharing knowledge, you can focus on solving new problems instead of solving resolved issues over and over again.


Student CTF
During the Student CTF, we took it to the next level. For most CTFs the gap between the skills needed and those taught in school is too large for students to participate. That’s why we created 39 challenges for about a hundred students from the University of Ghent and HOWEST, from both specialised and less specialised fields of study. We didn’t expect them to just solve the challenges: we started with introductions to SQL injection, traffic analysis and Android reverse engineering, and gave lots of tips and tricks.


We learned a lot too!
The children and students were not the only ones who learned a lot during these days. We were able to reaffirm how important it is to reach and guide youth in time, but most of all: what an incredible amount of talent is getting ready to enter the real world. The winning team of the Student CTF was even able to solve 36 of the 39 challenges!

What do you think? Did we teach the right things? Would you handle it differently? Or are you interested in a next edition of one of these events? You can let us know in the comments!

4 pitfalls to avoid when building a CSOC

Setting up a new Cyber Security Operations Center (CSOC) within your organisation is a big step towards more efficient incident monitoring and response, provided you avoid the following mistakes:

1. Putting technology before people and processes

We’ve all been there: new technology is released that promises you and your CSOC team the world: better detection rates, fewer false positives, more visibility, better intelligence, etc. You’ve seen the demos, ran the proofs of concept, and you feel convinced and ready to buy…

But first also consider the operational cost of running and maintaining the new solution.

Don’t get me wrong: technologies like SIEM, Breach Detection, Advanced Endpoint Protection and Live Forensics can help your organisation quickly and efficiently detect, block, analyse and remediate attacks, but they also require:

  • Sufficient CSOC personnel with the correct skill-set and free time to use the solution, interpret the results and update the rule-sets, filters and Indicators of Compromise.
  • Sufficient CSOC and IT personnel to handle the extra events generated by new technology.
  • Sufficiently documented CSOC processes regarding incident detection, management and response.

Without these key resources, your new investment will not provide you with the expected results.

2. Doing too many things at once
Most organisations have a limited budget and limited resources assigned to CSOC activities. Most CSOCs perform some form of incident monitoring, analysis and remediation. Other tasks like manual intelligence gathering and advanced malware analysis can also help to detect and respond to very advanced attacks, but they require a lot of resources or people with a very specific (read: expensive) skill set. It might not be realistic to incorporate these tasks in your CSOC’s daily activities without sacrificing some of the more “basic” capabilities.

However, most of these “advanced capabilities” can be outsourced or automated in one way or another, eliminating the need for dedicated CSOC personnel. For intelligence gathering, there are free and commercial threat intelligence feeds you can hook up to your SIEM. For automated malware analysis there are free sandboxing solutions like malwr.org and Cuckoo. For manual in-depth malware analysis, it might make more sense to hire an external malware analyst when you need one.

What your CSOC does internally and what will be outsourced or automated will depend on the budget, the maturity level of your organisation and the skill set of your CSOC staff.

3. Starting without corporate buy-in

Your CSOC needs executive support to be able to do its job properly. Endless discussions can arise about what the CSOC is or isn’t authorised to do, especially when a major incident occurs. A good example is whether or not it is allowed to disconnect an infected machine from the corporate network.

You can prevent this from happening by creating a CSOC charter, which is basically a policy stating what tasks the CSOC is authorised to do and the resources and efforts that are expected from the other departments. This document should be formally approved by the top-level executives.

4. Lacking a playbook
All tasks within the security incident handling process should be formally documented beforehand. Don’t fall into the trap of starting to document only when an incident arrives!

There have to be step-by-step guides for your team on how to perform incident response tasks, for example how to detect C&C connections using a SIEM or how to reinstall an infected workstation. A good format for this type of documentation is the incident response playbook.
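The C&C detection example above, written up as one play in the structure described in the Playbook post (report ID, objective, scope, methodology) with its procedure implemented as code, as an added example that is not part of either original post. The proxy log format, the log lines, the hostnames, the report ID and the thresholds are all constructed for this example; adapt the parser to the format your SIEM exports. The technique, flagging host/destination pairs whose request timing is nearly constant, is a common beaconing heuristic and not specific to any product.

```python
"""
Report ID / title : PROXY-INV-001  Periodic outbound connections (beaconing)
Objective         : Malware that calls home tends to poll its C&C server at a
                    fixed interval. Surfacing host/destination pairs whose
                    request timing is nearly constant gives the analyst a
                    short list to investigate instead of the whole proxy log.
Scope             : Run daily by the CSOC analyst on duty over the previous
                    24 h of outbound proxy logs.
Methodology       : Parse the log, group requests per (source, destination),
                    compute the gaps between consecutive requests and flag
                    pairs with enough requests and low relative jitter.

Added example, not from the original posts. Log format, lines, hostnames,
report ID and thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: "<ISO timestamp> <source IP> <method> <destination host> <status>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<status>\d+)$")

# Constructed sample: one host polls updates.example-cdn.net roughly every 60 s
# (a beacon) while also browsing an intranet site at irregular intervals.
SAMPLE_LOG = """\
2017-03-15T09:00:00 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:01:01 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:02:00 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:03:02 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:03:59 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:05:00 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:06:01 10.0.0.12 GET updates.example-cdn.net 200
2017-03-15T09:00:05 10.0.0.12 GET intranet.example.local 200
2017-03-15T09:00:09 10.0.0.12 GET intranet.example.local 200
2017-03-15T09:00:40 10.0.0.12 GET intranet.example.local 200
2017-03-15T09:02:30 10.0.0.12 GET intranet.example.local 200
2017-03-15T09:02:31 10.0.0.12 GET intranet.example.local 200
2017-03-15T09:05:45 10.0.0.12 GET intranet.example.local 200
2017-03-15T09:10:00 10.0.0.12 GET intranet.example.local 200
this line is malformed on purpose and must be skipped
""".splitlines()


def parse_proxy_log(lines):
    """Yield (timestamp, source, destination) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["host"]


def detect_beacons(lines, min_requests=6, max_jitter=0.2):
    """Return [(src, host, count, mean_gap_s, jitter)] for pairs whose inter-request
    gaps are nearly constant. jitter = stdev(gaps) / mean(gaps): 0.0 is a perfect
    timer, human browsing is typically far above max_jitter. Most regular first."""
    per_pair = defaultdict(list)
    for ts, src, host in parse_proxy_log(lines):
        per_pair[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in per_pair.items():
        if len(stamps) < max(min_requests, 2):  # need at least one gap to measure
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # only duplicate timestamps; nothing periodic to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, host, len(stamps), round(avg, 1), round(jitter, 3)))
    return sorted(hits, key=lambda hit: hit[4])


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print("beacon candidate: %s -> %s, %d requests, every %.1fs (jitter %.3f)" % hit)
```

The thresholds are the knobs the ‘scope and applicability’ section should fix per environment: min_requests keeps one-off downloads out of the list, and max_jitter trades sensitivity (implants that add random sleep) against noise from legitimate pollers such as update checks, which is why the play’s output is an investigation queue, not an automatic block.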