View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 15, 2019updated 07 Jul 2022 4:05am

What Happens When a Security Company Decides to Hack Itself?

Charl van der Walt, Chief Security Strategy Officer at SecureData shares the tough lessons learned when his team of pentesters decided to practise what they preach and take aim at their own systems.

By CBR Staff Writer

This is what happens when a company hacks itself.

As a security company, we spend a lot of time advising our clients on the tools and techniques needed to fend off the ever-hungry, increasingly clever cybercriminal. 2018 was a lesson in how not to do security. According to research from NordVPN, more than one billion people were affected by the loss of personal data through 13 data breaches at 11 different companies. 2019 will be no different; cybercriminals are taking no prisoners, and they’re ambitious enough to go after some of the biggest global companies (arguably with more security resources at their disposal) to get what they want – your data.

But you don’t have to be a Facebook or a Google to be on a cybercriminal’s target list. No company is immune to the charms of a hacker and his/her keyboard. Even security companies.

So, we make a habit of staging security attacks against ourselves. The aim of the exercise is for us to better understand how our own systems would fare in the face of a cyber-attack and, if truly faced with an adversary with malicious intent, how effective our protocols would be against preventing his/her success.

In our most recent exercise, we uncovered a flaw in our own defences, the value of which greatly outweighs any discomfort we might feel admitting this as a security provider. Why am I sharing this? We feel the results of our experiment offer crucial insight for any business of any sector currently fighting the ongoing cyber battle.

Attack of the Pentesters

The last pentest by our SensePost redteam proceeded from the assumption that the attacker had already breached the perimeter and secured a ‘beachhead’ on a machine within our private network. Having ‘secured a beachhead’, the modus operandi for our SensePost team was to run a horizontal brute force attack, using employee information gleaned from open source technology, such as LinkedIn, to build a credible list of ActiveDirectory user IDs.

See also: Microsoft Just Made Hackers’ Lives a Lot Harder – but Has Anybody Noticed?

The next step was to take a series of commonly used passwords, trying them out across the entire list of users, until a match was found that provided access to one user’s account. Leveraging that user’s credentials, the SensePost team was then able to gain access to a list of all active users, and the process was repeated – running the passwords until access was gained to an administrative user. By implementing a tool made infamous in the large-scale WannaCry hack – Mimikatz – the team then extracted cache credentials for the domain administrator.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The team was able to hack into the domain admin’s account in less than a day. The crowbar that pried open access? A trusty list of example passwords.

Predictable passwords and legacy tech: two of the most common security weaknesses…

Password Pitfalls

You’re probably thinking that the brute force attack was successful because the passwords in question were ‘weak.’

The vast majority of them actually met general suggested levels of security credentials – alphanumerical and between 8 and 12 characters long, with a sprinkling of punctuation and capital letters here and there. The reason why they were so easily hacked was because they used formats, however ‘strong’, that were predictable.

(The password our attacker was able to crack was ‘May2018!’)

According to our data about customer environments, one in three passwords (32%) starts with a capital letter and ends in a number. One in eight (12%) contains a year and one in every 11 passwords (9%) ends in three numbers. Do any of these configurations sound familiar to you? Chances are you’re using a password right now for at least one of your accounts that follows one of these formats.

The more predictable the password is, the easier it is for cybercriminals to anticipate and then build template passwords to be used in these kinds of highly targeted brute force attacks. Apparently, we weren’t immune either.

Ghost in the Legacy Machine

It wasn’t just passwords that caused a chink in our armour. Our pseudo cybercriminal also took advantage of a missing patch on an old machine sat collecting dust in the corner of the office; one that had a legacy vulnerability (via a ticketing system). While the attacker was unable to steal any data from this legacy system – it had long been replaced, had no data on it, and was disconnected from the environment – this was never actually their intent. Their aim was to elevate their access across the domain.

Hacker Seizes Mission Control

So, our make-believe hacker has tripped us up not once, through pesky passwords, but twice through a legacy system. Strike three came through a controlled experiment we designed to breach an endpoint through Microsoft DDE.

Our hacker friend started the next phase of the campaign with an email, containing a Word document with an embedded DDE object. This enabled him/her to reach out to and evoke an external script object. This prompted a common ‘end of formula’ message box in MS Excel, asking whether the user wanted to enable editing. Hitting yes triggered a download of PowerShell, giving our cyber foe full remote command and control of the machine.

Our detection technology picked this up, because DDE isn’t permitted. As soon as we spotted this red flag, we were then able to monitor for a change in the registry, indicating that the machine is potentially vulnerable. We also were alerted to the fact that the machine was attempting to ‘talk out’ to an external source, and the use of PowerShell to communicate with the command and control center. I

’m relieved to report in fact that, although the test identified serious vulnerabilities, our detection platform identified elements of the attacks at numerous different stages and we were able to track the exercise in near to real time. I guess that’s why detection is such an important part of a ‘defence in depth’ strategy.

Learnings for Businesses

We’ve said it before, but it bears repeating – in today’s digital age, a breach or hack for any business of any size and sector is a case of when and not if.

Self-awareness is crucial to fighting the ongoing cyber battle – you can’t fix what you don’t know is broken. And while this type of war game might bruise the egos of the proudest enterprise cyber security teams, experiments such as the ones we conduct are essential to gain insight into avenues attackers might pursue to get to your data. Don’t be caught off guard – understand the risks to your business by enhancing your systems and techniques on a regular basis, and don’t be afraid to get your hands a little dirty in simulating and anticipating fake crises before they become a terrifying reality.

See also: Understanding and Assessing Technical Debt for Improved Cybersecurity

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.