I’ll be joined by guest commentator Terry Cutler of Montreal’s Cyology Labs to discuss some of the news from the past seven days.
Howard: We’re going to talk about a couple of other stories that I came across. Researchers at CrowdStrike issued their annual global threat report this week, and among the findings: It took hackers an average of an hour and 38 minutes to move from an initially compromised device to another one. That basically means defenders have about 90 minutes to detect and stop an intruder on the first computer, server or domain controller they crack. What do you think of this?
Terry Cutler: 90 minutes is a very long time. And here’s the issue I see often: Most companies don’t have proper detection technology in place to find a hacker in there. I’ll give you an example: I run into this exact challenge when I get hired to do penetration tests. The first thing we do is run a vulnerability scan to see what’s vulnerable in there, and run some exploitation tools after that to see what we can compromise. And during that whole scan nobody knows we’re in there. We’re not even being quiet about it. They [defenders] don’t have any sensors to say, ‘You know, there’s an attack happening here.’ Once we [the testers] compromise a machine we’re able to deploy an agent, so we use professional tools to help speed up our work. We become a system-level service, and from there we can actually do what’s called a migrate process, which allows us to hide our process from the hacked agent into, let’s say, svchost, which is a legitimate Windows process. So now when the [defence] investigators go and look, we’re hidden within a legit process.
On top of that, our tools communicate back to us in an encrypted fashion so they can’t intercept our transmission. Now we can do a pass-the-hash. This is an attack where you can use the [credential] information and pass it off to a server. It could log me in as you without ever knowing the password. We can also do what’s called an agent pivot, where we make it look like another machine is actually attacking the network and not the one I’m in.