There are many maturity models that help us evaluate, assess and benchmark the effectiveness of our security programs.
Maturity models are, by nature, structured in levels to support continuous improvement. They therefore also help suggest or recommend which capabilities or improvements are needed to raise the performance of these security programs.
Sharing some of the maturity models for reference:
Microsoft has released an open-source cyberattack simulator that lets security researchers and data scientists build simulated network environments and see how they fare against AI-controlled cyber agents.
The simulator is released as an open-source project named ‘CyberBattleSim’, built on a Python-based OpenAI Gym interface.
The Microsoft 365 Defender Research team created CyberBattleSim to model how a threat actor spreads laterally through a network after an initial compromise.
“The environment consists of a network of computer nodes. It is parameterized by a fixed network topology and a set of predefined vulnerabilities that an agent can exploit to laterally move through the network.”
“The simulated attacker’s goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities. While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack,” the Microsoft 365 Defender Research Team explains in a new blog post.
To build a simulated environment, researchers create nodes on the network and specify the services running on each node, the node's vulnerabilities, and how the device is protected.
Automated cyber agents (the simulated threat actors) are then deployed into the environment, where they randomly select actions to perform against the nodes in order to take control of them.
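To make the model concrete, here is a toy environment of the same shape as the one described above: a fixed topology, planted vulnerabilities that either disclose neighbours (local) or take a node over through a listening service (remote), an attacker that randomly picks from the currently valid actions, and a defender that reimages any owned node whose exploit noise crosses a threshold. This is an added example written for this page, not code from the CyberBattleSim project; the node names, services and vulnerability ids are constructed.

```python
"""Toy lateral-movement environment in the spirit of CyberBattleSim.
Added example, not code from the CyberBattleSim project; node, service and
vulnerability names are constructed for illustration."""
from __future__ import annotations

import random
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    vuln_id: str
    kind: str                       # "local": leaks neighbours; "remote": takes the node over
    service: str | None = None      # a remote vuln is only usable if this service is listening
    discloses: list[str] = field(default_factory=list)   # nodes revealed by a local vuln


@dataclass
class Node:
    name: str
    services: set[str]
    vulns: list[Vulnerability]
    owned: bool = False
    discovered: bool = False
    exploit_count: int = 0          # noise the defender can observe on this node


class ToyNetwork:
    """Fixed topology plus planted vulns, a random attacker and a threshold defender."""

    def __init__(self, nodes: list[Node], entry: str, seed: int = 0,
                 detect_threshold: int = 3, defender_on: bool = True):
        self.nodes = {n.name: n for n in nodes}
        self.rng = random.Random(seed)
        self.detect_threshold = detect_threshold
        self.defender_on = defender_on
        self.reimaged = 0
        self.nodes[entry].owned = True        # the initial compromise
        self.nodes[entry].discovered = True

    def valid_actions(self) -> list[tuple[str, str]]:
        """(node, vuln) pairs the attacker could try right now."""
        acts = []
        for n in self.nodes.values():
            for v in n.vulns:
                if v.kind == "local" and n.owned:
                    acts.append((n.name, v.vuln_id))
                elif (v.kind == "remote" and n.discovered and not n.owned
                      and v.service in n.services):
                    acts.append((n.name, v.vuln_id))
        return acts

    def attacker_step(self) -> tuple[str, str] | None:
        """Randomly pick one valid action and apply its outcome."""
        acts = self.valid_actions()
        if not acts:
            return None
        name, vid = self.rng.choice(acts)
        node = self.nodes[name]
        vuln = next(v for v in node.vulns if v.vuln_id == vid)
        node.exploit_count += 1
        if vuln.kind == "local":
            for target in vuln.discloses:
                self.nodes[target].discovered = True
        else:
            node.owned = True
        return name, vid

    def defender_step(self) -> list[str]:
        """Reimage every owned node whose exploit noise reached the detection threshold."""
        if not self.defender_on:
            return []
        hit = [n for n in self.nodes.values() if n.owned and n.exploit_count >= self.detect_threshold]
        for n in hit:
            n.owned, n.exploit_count = False, 0
        self.reimaged += len(hit)
        return [n.name for n in hit]

    def owned_fraction(self) -> float:
        return sum(n.owned for n in self.nodes.values()) / len(self.nodes)

    def run(self, goal: float = 0.8, max_steps: int = 500) -> dict:
        """Attacker wins when it owns `goal` of the network before `max_steps` elapse."""
        for step in range(1, max_steps + 1):
            self.attacker_step()
            self.defender_step()
            if self.owned_fraction() >= goal:
                return {"goal_reached": True, "steps": step, "owned": self.owned_fraction(), "reimaged": self.reimaged}
        return {"goal_reached": False, "steps": max_steps, "owned": self.owned_fraction(), "reimaged": self.reimaged}


def build_sample_network() -> list[Node]:
    """Constructed five-node topology; 'jumpbox' is never disclosed, so it stays unreachable."""
    return [
        Node("workstation", {"smb"}, [Vulnerability("cached-admin-creds", "local", discloses=["fileserver", "dc"])]),
        Node("fileserver", {"smb", "http"}, [Vulnerability("smb-reused-admin", "remote", service="smb"),
                                             Vulnerability("share-config-leak", "local", discloses=["dbserver"])]),
        Node("dc", {"ldap", "smb"}, [Vulnerability("rdp-weak-password", "remote", service="rdp"),   # rdp not listening
                                     Vulnerability("smb-admin-share", "remote", service="smb")]),
        Node("dbserver", {"sql"}, [Vulnerability("weak-sa-password", "remote", service="sql")]),
        Node("jumpbox", {"ssh"}, [Vulnerability("ssh-key-reuse", "remote", service="ssh")]),
    ]


if __name__ == "__main__":
    print("no defender:", ToyNetwork(build_sample_network(), "workstation", seed=1, defender_on=False).run())
    print("defender:   ", ToyNetwork(build_sample_network(), "workstation", seed=1, detect_threshold=1).run())
```

Two things the run shows that the prose only states: a remote vulnerability is useless unless its service is actually listening (the dc's RDP flaw never becomes a valid action), and "some portion of the network" is bounded by what the attacker can discover, so the best the random attacker can do here is 4 of 5 nodes. With a hair-trigger defender (threshold 1) every takeover is reverted in the same step and the attacker never reaches the goal.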
A lot of customers ask, “Can you detect zero-days?” Most cyber vendors will give you a marketing answer, and really, that is a simple question on an exhaustive topic. But the reality is that detecting zero-days is near impossible. However, this video is the first I’ve seen that gets close to detecting zero-days, using a very funky tool to detect a BROP attack, or any other kind of buffer-overflow attack: zerotect (https://github.com/polyverse/zerotect)
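The signal that makes a BROP (blind return-oriented programming) attack detectable without knowing the bug is that the attacker must crash the target over and over while guessing canary bytes and return addresses, and every crash lands in the kernel log as a segfault. zerotect watches the kernel log for exactly this kind of event; the script below is an added, simplified illustration of that idea written for this page, not zerotect's code. The dmesg lines it parses are constructed, and the window and crash-count thresholds are assumptions.

```python
"""Cluster kernel-log segfaults the way a BROP probe loop would produce them.
Added example, not zerotect's code: zerotect watches the kernel log for
segfaults; this applies one simple rule to constructed sample lines."""
from __future__ import annotations

import re
from collections import defaultdict

# Linux prints: comm[pid]: segfault at ADDR ip IP sp SP error N in OBJ[BASE+SIZE]; newer kernels
# append "likely on CPU ...", which the regex simply ignores.
SEGFAULT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]:\s+segfault at (?P<addr>[0-9a-f]+)"
    r"\s+ip (?P<ip>[0-9a-f]+)\s+sp (?P<sp>[0-9a-f]+)\s+error (?P<err>\d+)(?:\s+in (?P<obj>\S+))?"
)

# Constructed dmesg excerpt: six nginx worker crashes inside 1.5 s, each dying at a different
# instruction pointer (a return-address probe), then one unrelated python3 crash hours later.
SAMPLE_DMESG = """\
[ 1200.101] nginx[2311]: segfault at 0 ip 0000000000401a2e sp 00007ffd92a1c3d0 error 4 in nginx[400000+a1000]
[ 1200.402] nginx[2312]: segfault at 0 ip 0000000000401a2f sp 00007ffd92a1c3d0 error 4 in nginx[400000+a1000]
[ 1200.701] nginx[2313]: segfault at 0 ip 0000000000401a30 sp 00007ffd92a1c3d0 error 4 in nginx[400000+a1000]
[ 1201.003] nginx[2314]: segfault at 0 ip 0000000000401a31 sp 00007ffd92a1c3d0 error 4 in nginx[400000+a1000]
[ 1201.299] nginx[2315]: segfault at 0 ip 0000000000401a32 sp 00007ffd92a1c3d0 error 4 in nginx[400000+a1000]
[ 1201.604] nginx[2316]: segfault at 0 ip 0000000000401a33 sp 00007ffd92a1c3d0 error 4 in nginx[400000+a1000]
[ 3400.550] python3[4012]: segfault at 18 ip 00007f1c2e2b4f10 sp 00007ffe41e0c8a0 error 4 in libc.so.6[7f1c2e25a000+1e9000]
"""


def parse_segfaults(text: str) -> list[dict]:
    """Turn kernel-log lines into event dicts; lines that are not segfaults are skipped."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            events.append({"ts": float(m["ts"]), "comm": m["comm"], "pid": int(m["pid"]),
                           "ip": int(m["ip"], 16), "sp": int(m["sp"], 16),
                           "err": int(m["err"]), "obj": m["obj"]})
    return events


def detect_bursts(events: list[dict], window: float = 10.0, min_crashes: int = 5) -> list[dict]:
    """One alert per executable per burst of >= min_crashes segfaults within `window` seconds.
    Distinct ip values across the burst mean the crash site moves between attempts, which is
    what address probing looks like; the same ip every time looks like a reproducible bug."""
    by_comm: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_comm[e["comm"]].append(e)
    alerts = []
    for comm, evs in by_comm.items():
        burst: list[dict] = []
        for e in evs + [None]:            # the trailing None flushes the last burst
            if e is not None and (not burst or e["ts"] - burst[0]["ts"] <= window):
                burst.append(e)
                continue
            if len(burst) >= min_crashes:
                ips = {b["ip"] for b in burst}
                alerts.append({"comm": comm, "count": len(burst), "first": burst[0]["ts"],
                               "last": burst[-1]["ts"], "distinct_ips": len(ips),
                               "pattern": "probing" if len(ips) > 1 else "repeated-crash"})
            burst = [e] if e is not None else []
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_segfaults(SAMPLE_DMESG)):
        print(alert)
```

Run it against `dmesg` or `journalctl -k` output instead of the sample and tune `min_crashes` to your fleet: a forking server that restarts workers (the classic BROP target) will show exactly this burst shape, while a single buggy process that crashes once a day will not.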
“Hafnium”: Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on GitHub
Microsoft owns GitHub, and the Hafnium exploit code has now been taken down from GitHub, but it is important to understand that the code is still available on the internet.
GitHub taking it down will slow rapid improvement of this PoC exploit via GitHub.
It is still available to anyone with basic internet search skills, and obviously any motivated threat actor would have been actively exploiting this as soon as the CVEs were released.
I was able to find the exploit code easily.
A quick one-liner to check for RCE (you might need to change the IIS log path on some systems) is: findstr /snip /c:"ResetOABVirtualDirectory" C:\inetpub\logs\LogFiles\*.log (the /s switch recurses into subdirectories and /i makes the match case-insensitive).
On March 2, 2021, Microsoft published a detailed report outlining four previously unknown “zero day” vulnerabilities in Microsoft Exchange Server. The attack, launched by Hafnium, targeted these vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which allowed state-sponsored threat actors to exploit Internet-facing Exchange servers and gain access to internal systems (Microsoft, 2021). The threat is rated high and is estimated to affect over 30,000 businesses worldwide. The attack chain is illustrated below:
On March 10, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory addressing the disclosed vulnerabilities in Microsoft Exchange Server (Cybersecurity & Infrastructure Security Agency, 2021). CISA and the FBI assessed that threat actors could exploit these vulnerabilities, collectively tracked as ProxyLogon, to compromise networks, steal information, encrypt data for ransom, execute destructive attacks, and/or sell access to compromised networks on the dark web. Microsoft released patches for these vulnerabilities on March 2, 2021, the day of disclosure. All security leaders should immediately address this incident by working with their IT teams to make sure the risk is contained and the appropriate actions are taken. The recommended steps are:
Ensure the patches have been applied to the Exchange Server environment as soon as possible.
If you are unable to apply the updates for whatever reason, follow Microsoft's alternative mitigation steps (Microsoft Security Response Center, 2021) in the interim.
Make sure your SIEM threat-intelligence engine has been updated with the current IOCs and that the UEBA algorithms have been updated.
Check for compromised on-premises Exchange servers. The ‘Check My OWA’ service can be used to check Exchange servers that have Outlook Web Access (OWA) enabled.
Analyze your Exchange server logs to identify any potential compromise. Microsoft published an updated PowerShell script, “Test-ProxyLogon.ps1” (available on Microsoft’s official GitHub page), that scans Microsoft Exchange log files for indicators of compromise (IOCs) associated with the exploited vulnerabilities.
Organizations should run the Microsoft Support Emergency Response Tool (MSERT, the Microsoft Safety Scanner) against their Exchange servers to detect and remove potential web shells. Microsoft released a new update to the Microsoft Safety Scanner on March 8, 2021.
If you confirm you have been compromised, follow CISA Alert AA21-062A (Cybersecurity & Infrastructure Security Agency, 2021). Below are the MITRE ATT&CK techniques observed for the Microsoft Exchange Server attack.
The ArcSight Threat Intelligence engine was updated on March 3, 2021. If you need assistance or want to take advantage of the free tools Micro Focus has available, see our MITRE ATT&CK® Navigator for Micro Focus products and click “Exploit Public.”
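The findstr one-liner above and the log-analysis step in the list both come down to grepping exported Exchange logs for known strings. The script below is an added example written for this page, not Microsoft's Test-ProxyLogon.ps1, that does the same thing offline from a workstation: it checks IIS W3C logs for the ResetOABVirtualDirectory string from the one-liner, and checks HttpProxy logs for requests whose AnchorMailbox starts with ServerInfo~ while AuthenticatedUser is empty, which is one of the indicators Microsoft published for CVE-2021-26855. All log lines are constructed, and the HttpProxy column subset is an assumption (real logs have many more columns), which is why both parsers resolve columns by header name rather than by position.

```python
"""Offline triage of exported Exchange logs for two ProxyLogon indicators.
Added example, not Microsoft's Test-ProxyLogon.ps1. Sample log lines are
constructed; the HttpProxy column subset is an assumption, so columns are
resolved by header name rather than position."""
from __future__ import annotations

import csv
import io

# Constructed IIS W3C excerpt. The first POST carries the ResetOABVirtualDirectory string that
# the findstr one-liner greps for; the other two lines are ordinary OWA logon traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2021-03-03 04:12:07 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=abc123 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 31
2021-03-03 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 5
2021-03-03 08:00:03 10.0.0.5 POST /owa/auth.owa - 443 EXAMPLE\\jdoe 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/owa/auth/logon.aspx 302 0 0 12
"""

# Constructed HttpProxy excerpt (assumed column subset). One unauthenticated request whose
# AnchorMailbox starts with ServerInfo~, followed by one normal authenticated request.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,AuthenticatedUser,HttpStatus
2021-03-03T04:11:58.120Z,req-0001,203.0.113.7,/owa/auth/Current/themes/resources/logon.css,ServerInfo~mail.example.com:444/mapi/emsmdb,,200
2021-03-03T08:00:05.331Z,req-0002,198.51.100.20,/owa/,Sid~S-1-5-21-1111-2222-3333-1001,EXAMPLE\\jdoe,200
"""


def parse_w3c(text: str) -> list[dict]:
    """IIS W3C logs name their columns in a '#Fields:' directive; map every row by those names.
    The directive can change mid-file (IIS rewrites it on config change), so it is re-read."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def scan_iis(text: str) -> list[dict]:
    """Same indicator as the findstr one-liner, but reported with client IP and timestamp."""
    hits = []
    for r in parse_w3c(text):
        uri = f"{r.get('cs-uri-stem', '')}?{r.get('cs-uri-query', '')}"
        if "resetoabvirtualdirectory" in uri.lower():
            hits.append({"indicator": "ResetOABVirtualDirectory", "client": r.get("c-ip"),
                         "when": f"{r.get('date')} {r.get('time')}", "uri": uri})
    return hits


def scan_httpproxy(text: str) -> list[dict]:
    """CVE-2021-26855 indicator: ServerInfo~ anchor mailbox on an unauthenticated request."""
    hits = []
    for r in csv.DictReader(io.StringIO(text)):
        anchor = r.get("AnchorMailbox") or ""
        if anchor.startswith("ServerInfo~") and not (r.get("AuthenticatedUser") or "").strip():
            hits.append({"indicator": "ServerInfo~ anchor, unauthenticated", "client": r.get("ClientIpAddress"),
                         "when": r.get("DateTime"), "uri": r.get("UrlStem")})
    return hits


def triage(iis_text: str, httpproxy_text: str) -> list[dict]:
    """Combine both scans, ordered by timestamp so the attacker's sequence reads top to bottom."""
    return sorted(scan_iis(iis_text) + scan_httpproxy(httpproxy_text), key=lambda h: h["when"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_IIS_LOG, SAMPLE_HTTPPROXY_LOG):
        print(hit)
```

Point the two functions at files copied from the server's IIS log folder and the Exchange HttpProxy logging folder; a hit is a reason to run Microsoft's own script and MSERT on that server, not proof of compromise on its own, since the string checks are deliberately broad.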
Cyber Threat Intelligence Research: Can you nmap a country for research?
It should be common knowledge that you are not allowed to run reconnaissance (e.g. nmap) against any company's public internet IP addresses, especially a government agency's, without an engagement and prior written permission.
Running a port scan is like rattling the windows to see which ones are unlocked.
In a similar vein, if a Google Maps car drives past a Defence site and takes photos, is that liable? Isn't that the same reconnaissance?
As an example, it is also possible to conduct Microsoft Exchange reconnaissance without sending any attack traffic (version fingerprinting).
There are also existing services, such as SHODAN, that can be used for research and for exploitation.
I see a lot of cyber researchers posting articles about vulnerabilities that exist in a given country. Obviously that research ran some sort of scan, so is this legal or illegal? Are you allowed to do this? Can you nmap the whole Australian IP address range? That is the question I explore in this article.
Part 10.7—Computer offences of criminal code act 1995 for federal stuff
this bit rules:
(7) A person may be found guilty of an offence against this section even if committing the serious offence is impossible.
(8) It is not an offence to attempt to commit an offence against this section.
478.1 Unauthorised access to, or modification of, restricted data
(1) A person commits an offence if:
(a) the person causes any unauthorised access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorised.
Penalty: 2 years imprisonment.
(3) In this section:
restricted data means data:
(a) held in a computer; and
(b) to which access is restricted by an access control system associated with a function of the computer.
where the definition of restricted explicitly says an ACS must be in use to protect the data. So technically, if there is anti-port-scanning tech on the machine, you are accessing restricted data by obtaining a list of ports.
478.3 Possession or control of data with intent to commit a computer offence
(1) A person commits an offence if:
(a) the person has possession or control of data; and
(b) the person has that possession or control with the intention that the data be used, by the person or another person, in:
(i) committing an offence against Division 477; or
(ii) facilitating the commission of such an offence.
Penalty: 3 years imprisonment.
(2) A person may be found guilty of an offence against this section even if committing the offence against Division 477 is impossible.
No offence of attempt
(3) It is not an offence to attempt to commit an offence against this section.
so if you're port scanning/banner grabbing exchange, and someone uses that data for crimes, you're gonna have a bad time
it's vague enough that you could probably get got for it, but port scans/public trawling sounds like it's ok at a federal level at least
looks like i missed most of the juicy parts of this convo, but i have some relevant 2c. i can assure you that people in government feel very strongly that port scanning could be construed as a crime. in 2017 (after getting appropriate permission) i scanned the whole *.wa.gov.au space, which formed this article: https://www.itnews.com.au/news/finding-security-holes-in-wa-govt-through-open-source-intel-461496 after which we did it again against *.gov.au with appropriate permission, but shit hit the fan real quick. people in govt accused us of crimes, arguing we didn’t have appropriate permission, didn’t have buy-in from all the departments, etc. we had to scrap the whole research. it was pretty hairy at one point there.
FWIW we didn’t do any portscanning either, just relied on third-parties like shodan etc for those results
it was a very hands off exercise
"people in government feel very strongly that port scanning could be a crime"
people in government feel anything that isn't inside their policies & procedures that they don't understand is a crime, tbfh. but uh, them feeling it is a crime doesn't make it a crime