Tales From the Road: Oops, We Did it Again! Breaking the Bank During a Red Team Assessment

Plus: 10 Tips to Keep Your Organization Out of the Red

A financial institution enlisted our services to perform a Red Team assessment – an effective approach to simulate a real-world threat actor attempting to compromise an organization from the outside in. Using an email phishing campaign combined with a physical breach, DirectDefense consultants uncovered several security vulnerabilities in both the internal and external environments that would be sure to leave banking clients in the “red”.

Keep reading to learn how we were able to “break the bank” and, just as importantly, our top 10 recommendations for protecting your organization from a real attack.

Breaking the Bank: A Two-Pronged Red Team Assessment

Starting with zero access, DirectDefense consultants were tasked with finding their way into the organization’s internal network on their own. We executed a Red Team assessment that leveraged two attack vectors: an email phishing campaign and a physical breach.

Attack #1: Testing Security Awareness With an Email Phishing Campaign

1st Attempt: Our first attempt ended up being successful – call it lucky, or call it the reason why so many email phishing attempts are successful in the real world. We sent a fake Helpdesk email to an employee selected at random and asked them to follow a link to relink their Office 365 account. The recipient of the email responded that they had received an error message after clicking the link, and they even included a screenshot of the message.

Thanks to their screenshot, we learned that the organization had a conditional access policy that blocked sign-ins from devices outside its managed environment. A link that depended on the victim authenticating from our infrastructure was therefore never going to work, and we needed a different approach.

2nd Attempt: We sent another fake Helpdesk email to a few hundred employees, forwarding the email and screenshot from the first target and explaining that some users were having issues relinking their Office 365 accounts. Our email instructed the targets to use an updated link to resolve the issue. That link, however, opened a session in the same popular commercial remote-support tool the bank’s IT department uses to help its users. Because the session belonged to our account rather than to the bank’s IT team, accepting it handed us control of the target’s computer instead of the Helpdesk.

Once a victim accepted the session we had an interactive foothold on their workstation: the data stored on it, and everything that workstation could reach on the internal network under the victim’s own credentials. It’s important to note that no alert was raised on our presence; a sanctioned remote-support tool does not trip the controls that a custom implant might, which is exactly why attackers favor it.

Attack #2: The Physical Security Test

One of our consultants visited the organization’s main location posing as a printer and copier repair professional. He tailgated his way into the building on the heels of an employee and walked right through a door protected by a card reader.

Our consultant got right to work “doing his job”. While appearing to repair a printer, he actually impersonated that printer on the network, abusing a misconfiguration in the bank’s Network Access Control (NAC) setup (printers are typically exempted from authentication and admitted on their network identity alone) that granted extensive internal network access. Not once was he approached or questioned by bank personnel.

Next, our consultant connected a drop box to the internal network through the printer’s port, established a persistent outbound connection to a DirectDefense server (outbound, so no inbound firewall rule or exposed port was needed), and hid the drop box under the printer. After gaining unrestricted physical access to several other secured floors and areas within the building, he returned to his car and spent the afternoon remotely exploiting vulnerabilities within the internal network and compromising the bank’s Active Directory environment.

10 Tips to Keep Your Organization Out of the Red

Our ability to gain significant internal network access undetected demonstrated a substantial risk to the organization’s critical data and information. Our team was able to exploit vulnerabilities, move laterally throughout the internal network, and compromise privileged accounts and infrastructure without being detected or causing any alerts. The bottom line: A malicious actor could essentially “break the bank” if they gained similar access.

Don’t let a bad actor take you to the bank! We recommend taking the following actions to secure your important assets:

  1. Disable NTLMv1: If possible, disable the insecure NTLMv1 protocol via Group Policy by setting “Network security: LAN Manager authentication level” to “Send NTLMv2 response only. Refuse LM & NTLM” on Domain Controllers and member systems. Devices should only support the more secure protocol, NTLMv2. Audit Security event 4624 for NTLMv1 logons first so that legacy devices still depending on it are found before the change is enforced. Our consultants used this misconfiguration to quickly compromise a Domain Controller that still accepted NTLMv1 authentication.
  2. End-User Security Awareness Training: Look to improve upon existing security awareness training and be sure to specifically inform employees about in-person and email phishing attacks, the risks of accepting requests for remote access software, and proper usage of Multi-Factor Authentication (MFA). Part of security training should include educating employees to call their Helpdesk or support personnel to verify any suspicious emails, or send a new email to a known valid address questioning an issue versus just hitting “reply.”
  3. Security Monitoring and Alerting Improvements: Active security monitoring is just as important as any other security measure. Real-time alerts and notifications should be generated for events regarding privileged account groups, as well as other suspicious events such as account compromises, lateral movement, data egress, logins from unknown or unusual devices, etc.
  4. Network Segmentation/NAC: Broadly, organizations should enforce access control on every network port on every floor and in every office space, so that nobody can join the network simply by plugging into a live port, and should not exempt devices such as printers from that control (a printer is not always as innocent as it seems, and its identity is trivial to clone). Implement access control lists to restrict access wherever possible and apply the principle of least privilege. Segmenting the network provides a method of containment once a compromise of the environment has occurred.
  5. Active Directory Certificate Services Hardening: Harden Active Directory Certificate Services (AD CS) by requiring Extended Protection for Authentication (EPA) and HTTPS/SSL connections for CertSrv on all AD CS web enrollment servers, so that NTLM authentication relayed to the enrollment endpoint cannot be used to obtain a certificate for the relayed account. Implement further hardening within Active Directory and on Domain Controllers, such as disabling the Print Spooler service on Domain Controllers (the spooler can be coerced into authenticating outbound to an attacker-controlled host, which is what feeds such a relay) and setting the ms-DS-MachineAccountQuota attribute to zero (by default any authenticated user may join ten computer accounts to the domain, which attackers use to create machine accounts under their control).
  6. Egress Filtering: Put strong egress filtering controls in place to ensure there are no unnecessary avenues for command and control or data exfiltration from the internal network environment. Egress filtering applies to the end-user environment as well as to the printer and server networks, which rarely need Internet access at all: a drop box hidden under a printer only works if the printer’s port can reach the Internet.
  7. Patch Maintenance: Patching and upgrading play a significant role in preventing a malicious attacker from exploiting vulnerabilities and compromising environments. Re-evaluate patch management solutions to ensure they have the ability to not only maintain patches on operating systems, but also on any third party software that is running within the environment. Equally important is ensuring that all systems and devices are included in the patch management lifecycle, and that there are no systems slipping through the cracks and not being patched frequently or in line with updates.
  8. Windows Hardening – PowerShell and Command Prompt: Harden Windows systems to reduce the tools available to an attacker. Restrict access to cmd.exe and PowerShell for standard users by default, enforced through application control (AppLocker or Windows Defender Application Control) and PowerShell Constrained Language Mode rather than by deleting the binaries, and turn on PowerShell script block logging so that the use that remains is visible. Exceptions should be made on a case-by-case basis.
  9. Insecure Protocol Support: Discontinue support for insecure protocols and weak encryption within the environment, such as Telnet, SSL version 3 and other obsolete TLS versions (TLS 1.0 and 1.1) and weak cipher suites. Replace the insecure protocols with secure alternatives that employ strong encryption and authentication mechanisms, such as SSHv2 and TLS 1.2 and 1.3.
  10. Schedule a Red Team Assessment: One of the best ways to identify where your weak spots are is to put your organization’s security to the test! Let our security professionals help you build up your best defense by showing you how to secure your organization from the inside out.
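The following script is an added example and not DirectDefense’s own tooling; it audits, and with a -Fix switch remediates, three of the Active Directory items from tips 1 and 5 above on every Domain Controller: NTLMv1 still accepted (LmCompatibilityLevel below 5), the Print Spooler running or enabled, and a non-zero ms-DS-MachineAccountQuota (checked once, domain-wide). It assumes it is run as a Domain Admin from a domain-joined host with the ActiveDirectory RSAT module installed, WinRM enabled on the Domain Controllers, and Windows PowerShell 5.1 or later; the -Fix switch is this script’s own. The CertSrv EPA and SSL settings are per-CA IIS settings and are not covered here.

```powershell
# Added example (not from the original post): audit, and with -Fix remediate,
# NTLMv1 acceptance, the Print Spooler service and MachineAccountQuota.
# Assumptions: Domain Admin, ActiveDirectory RSAT module, WinRM to every DC.
# Note: a registry value written here is overwritten at the next Group Policy
# refresh unless the matching policy ("Network security: LAN Manager
# authentication level") is set in a GPO as well; the GPO is the real fix.
[CmdletBinding()]
param([switch]$Fix)   # -Fix is this script's own switch; without it, report only.

Import-Module ActiveDirectory -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# --- Domain-wide: MachineAccountQuota (default 10 lets any user join 10 computers) ---
$domain = Get-ADDomain
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -ne 0) {
    $findings.Add("Domain: ms-DS-MachineAccountQuota is $maq (expected 0)")
    if ($Fix) {
        Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
}

# --- Per Domain Controller: LmCompatibilityLevel and Print Spooler ---
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$state = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        # An absent value means the OS default (3): the DC still accepts LM and NTLMv1.
        LmLevel      = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                            -ErrorAction SilentlyContinue).LmCompatibilityLevel
        SpoolerState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
    }
}

foreach ($entry in $state) {
    if ($null -eq $entry.LmLevel -or $entry.LmLevel -lt 5) {
        $findings.Add("$($entry.Host): LmCompatibilityLevel is '$($entry.LmLevel)' " +
                      "(expected 5 = send NTLMv2 only, refuse LM and NTLMv1)")
    }
    if ($entry.SpoolerState -ne 'absent' -and $entry.SpoolerState -ne 'Stopped/Disabled') {
        $findings.Add("$($entry.Host): Print Spooler is $($entry.SpoolerState) (expected Stopped/Disabled)")
    }
}

if ($Fix) {
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LmCompatibilityLevel -Value 5 -Type DWord
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction SilentlyContinue
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without -Fix first and treat every line it prints as a finding to schedule, then push the same values through Group Policy so they survive the next refresh; -Fix is for closing the gap immediately on the Domain Controllers while the policy change goes through change control.

The next script is also an added example, not from the original post, and serves tips 1 and 3: it picks NTLMv1 logons out of Security event 4624, whose EventData carries AuthenticationPackageName (“NTLM”) and LmPackageName (“NTLM V1” or “NTLM V2”). Run it against the live log before refusing NTLMv1 to see which accounts and hosts still depend on it, and keep it afterwards as an alert rule, since any NTLMv1 logon that appears once the policy is in force is either a missed legacy device or an attacker downgrading authentication. The three event records it parses are constructed for the example, and the host, domain and account names in them are made up.

```powershell
# Added example (not from the original post): detect NTLMv1 logons in event 4624.
# Find-NtlmV1Logon takes the XML of an event record (EventRecord.ToXml()) and
# emits one object per NTLMv1 logon; everything else is dropped.
function Find-NtlmV1Logon {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline, Mandatory)] [string] $EventXml)
    process {
        $x = [xml]$EventXml
        $eid = $x.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # EventID may carry attributes
        if ([int]$eid -ne 4624) { return }
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time      = $x.Event.System.TimeCreated.SystemTime
                Computer  = $x.Event.System.Computer
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']        # 3 = network logon, the case for SMB and relayed auth
                Source    = "$($d['WorkstationName']) ($($d['IpAddress']))"
            }
        }
    }
}

# Constructed 4624 record containing only the fields the detection reads (sample data).
function New-SampleLogon($Time, $User, $Pkg, $Ws, $Ip) {
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4624</EventID><TimeCreated SystemTime='$Time'/><Computer>DC01.bank.example</Computer></System>
  <EventData>
    <Data Name='TargetUserName'>$User</Data><Data Name='TargetDomainName'>BANK</Data>
    <Data Name='LogonType'>3</Data>
    <Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='LmPackageName'>$Pkg</Data>
    <Data Name='WorkstationName'>$Ws</Data><Data Name='IpAddress'>$Ip</Data>
  </EventData>
</Event>
"@
}

$samples = @(
    (New-SampleLogon '2023-05-02T14:03:11Z' 'svc-backup' 'NTLM V1' 'BACKUP01'  '10.20.1.15'),
    (New-SampleLogon '2023-05-02T14:03:40Z' 'jdoe'       'NTLM V2' 'WS-0417'   '10.20.5.22'),
    (New-SampleLogon '2023-05-02T14:05:02Z' 'svc-backup' 'NTLM V1' 'REPAIR-LT' '10.20.7.9')
)
$samples | Find-NtlmV1Logon | Format-Table -AutoSize

# Against the live Security log, run on each Domain Controller:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#       ForEach-Object { $_.ToXml() } | Find-NtlmV1Logon
```

On the sample data the pipeline reports the two svc-backup logons and nothing for jdoe. In production, feed the output to whatever raises alerts for the privileged-account events in tip 3, and pay particular attention to a WorkstationName that is not a known corporate asset, which is what a drop box under a printer looks like.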

Don’t Be Caught with Your Defenses Down!

The fact that we were able to gain access to the bank’s internal network environments through a variety of tactics points to the importance of a defense-in-depth strategy. Security is deeper than a set of protections or protocols, and our physical and network penetration testing demonstrates just how robust security needs to be.

Schedule Your Red Team Assessment Today!

Take stock of how secure your organization is from malicious attackers. Visit directdefense.com or call us at 1 888 720 4633.