Do you want to learn how to ‘Blue Team’​? Start with “Time Based Security”​.

Also available on LinkedIn

“We’ve been looking at security the wrong way […] Fortress Mentality insists that building tall electronic walls is how to keep the bad guys out. That method hasn’t worked for 5000 years of warfare, so why should it work for computer security? It can’t and it doesn’t.” — Winn Schwartau.

As much as I love to put my red hat on, as I always explain to my SANS students, pentesting or even red teaming, can become ‘boring’ over time (sorry guys), especially when you are brought into environments where all the organization wants is to have a green check for yearly compliance purposes, or simply to have one more report to ignore. And trust me, that happens more often than not.

That is why I am so happy to see how many security professionals, experienced or not, are making the shift, joining the blue team ranks to learn how to defend their crown jewels in a highly increasingly complex world where technology advances so fast, data is ubiquitous, networks become more opaque and endpoint devices are less trusted than ever.

If this is your goal, and you are willing to get into an exciting, high paced but also highly rewarding field, where learning never stops… welcome aboard! Now, where do you start? There are a plethora of resources out there on how to get started into pentesting, but it seems that it is not so easy to find good resources on how to become an effective cyber defender.

There are many resources I can recommend, but since dropping here a list of 100 links won’t probably help you much, let me recommend you a very easy and light reading to start with: “Time Based Security”. Though it was written in 1999, TBS is still one of the most relevant, effective and terribly simple security models you can apply today. The principles enumerated in this book are absolutely essential for any blue teamer, regardless of whether you are a CISO, a SOC analyst, a security architect or an incident responder. TBS provides a reproducible method to understand how much ‘security’ a product or technology provides, by answering:

  • How long are systems exposed?
  • How long before we detect a compromise?
  • How long before we respond?

While it is usually applied to auditing, TBS is a very practical model to assess and design security architectures too. The method proposed is very simple, but it provides you with the knowledge and the tools required to make systems more secure and resilient. Here’s the main idea:

“If it takes longer to detect and to respond to an intrusion than the amount of protection time afforded by the security measures, that is if P < D + R then effective security is impossible to achieve in this system. It should be becoming a little bit obvious that the choice of a good protection system is not the first thing you need to think about when designing a secure network environment. It’s the efficacy of the detection and reaction processes that really matters.”

If this wasn’t good enough, Winn allows you to download and read his book for free on his website, so please go and grab a free copy of “Time Based Security” now!

https://winnschwartau.com/wp-content/uploads/2019/06/TimeBasedSecurity.pdf

Want to learn more on #BlueTeam? If so, please let me know, and I will follow up this post with a series of articles on how to improve your cyber defense skills. In the meantime check out the series of webinars that Justin Henderson and I recorded here:

Defensible Security Architecture and Engineering – Part 1: How to become an All-Round Defender – the Secret Sauce

Defensible Security Architecture and Engineering – Part 2: Thinking Red, Acting Blue – Mindset & Actions

Defensible Security Architecture and Engineering – Part 3: Protect your Lunch Money – Keeping the Thieves at Bay

Password Cracking ‘Pass The Hash’ style

One of the most time consuming tasks a penetration tester has to face is password attacks. Traditional password attacks involve password guessing, password cracking or a combination of both. While the first can take anything from days to months, the latter can take from hours to days, depending on the quality of the password dictionary and the available CPU power among others. Tools that make use of Rainbow Tables, like Ophcrack, have significantly reduced those times to hours or even minutes, especially for systems that use weak password schemes like LM or NTLMv1.

All of the above describe how the password attack picture was before a new technique, called ‘Pass-The-Hash’ made its way into the hacking scene. Although someone may think this technique is quite new, it was actually back in 1997 when Paul Ashton posted on Bugtraq a Windows exploit named “NT Pass the Hash” along with the theory which the exploit was based on. This Unix-based tool implemented a modified version of a SMB client that allowed the use of captured LanMan hashes, without having to decrypt them first. However, it wasn’t before last year when Core Security finally took this concept to the next level and produced a much more powerful tool called ‘Pass-The-Hash Toolkit’, which now runs on Windows and works with NTLM hashes. Let’s see how this technique works in more detail.

Continue reading “Password Cracking ‘Pass The Hash’ style”