Podcast: Security reconnaissance through the eyes of a pentester

Security reconnaissance through the eyes of a pentester – an interview with Kamil Suska, expert at EXATEL

Piotr Mierzwiński:

Welcome. My name is Piotr Mierzwiński. Today I have the pleasure of hosting Kamil Suska, Manager of Advanced Security Services. Hi Kamil.

Kamil Suska:

Good morning, hi Piotr.

Piotr:

I wanted to talk to you first and foremost about security per se because, after all, that’s your specialty. Is business secure?

Kamil:

It depends on what you mean by “secure”. It is certainly fair to say that we can see an improvement when compared to what was the standard one, two, five or eight years ago. When I remember what security looked like in Poland a few years ago and compare it to the current situation, although we are far from the ideal, we are definitely more secure.

Piotr:

So there is some progress. Perhaps this is due to greater awareness, or maybe technological advancement. Maybe it also stems from the fact that the topic of cyber security is no longer obscure, but rather frequently discussed.

Kamil:

Yes. You can see a change in attitude, for example, in the case of engineers. All the time, although definitely less often, it happens that administrators configuring the network make all the rules on ANY. Likewise, you can see an improvement in the quality of the code being written. And, first and foremost, you can see a change of attitude in the management team. There is a growing awareness that cybersecurity is important, that it is something that has to be taken care of, that it is impossible to do without it, and that the consequences of neglecting this topic can be very serious. While certainly not ideal, the provisions of GDPR have also influenced this change in approach, by means of introducing the threat of real and direct penalties. There is also the issue of the obligation to disclose information about an incident, when until now a lot of things were swept under the rug.

Piotr:

You’ve mentioned seeing that progression and the fact that the degree of security is actually increasing for us. It’s getting better, organizations are becoming more aware of everything that’s going on. But you are the practitioner. You test these solutions and check if everything is really as the organizations claim it is, that they’re not afraid, they do not have any secrets and their fortress is impregnable. What does it look like in your experience?

Kamil:

I’m involved in cyber security in one branch – I’m a pentester – what I do is check whether what the organizations are saying is true. Sometimes the reality is quite different from their claims. I could cite examples of situations that have happened to us during the provision of reconnaissance services. A very common case is that someone says that something is isolated – OT networks are a great example – that there is no traffic from the outside, but later it turns out otherwise. We had one case; it wasn’t a typical reconnaissance because the customer didn’t dare us to go in fully and we were just evaluating and auditing. At one point, as we were reviewing the boxes that were connected to the network, we noticed that one had some unusual addressing. The customer was totally baffled and we just followed the wires, as if they were footsteps. It turned out that we found a closet where this “isolated network” was connected (by a cable in a switch) with the normal production network. When someone tells us that something is definitely isolated, it is very common that our checking proves that this is not quite true. It was an interesting case in general, because we practically didn’t touch the keyboard during this work. It was an audit-like activity, but it was also successful from our point of view.

Piotr:

Before we started our podcast you mentioned that sometimes an entrance to a network can be a very unusual spot. You mentioned the interactive kiosk situation…

Kamil:

Yes, it was actually a very similar situation, although here you could touch the infrastructure. There was an interactive kiosk in a publicly accessible place, which the customer declared had been ordered and installed by an external company and definitely had no access to the network. The customer himself wasn’t very aware – which is actually a common problem in the case of solutions that are bought, finished, delivered and deployed – of what was actually going on there. So it turned out that we could both deploy Sandbox and access the operating system. Of course, the entire interactive kiosk was running on local administrator privileges. And what did we discover? It was connected with the normal production network. Also, the customer gave the stakeholders a computer with access to the corporate network.

Piotr:

But the tests you talked about, those are just examples. Sometimes there are situations where you walk into a customer’s office and they – somewhat unknowingly – grant you access to information that they should be protecting.

Kamil:

Something like that happened to us. The reconnaissance service is often carried out without the knowledge of the technical staff, or there is a member of staff most trusted by the management who knows what we are doing and assists us, helps us, so that we don’t do too much damage, to put it bluntly. But in this situation we visited the customer undercover – we went simply as salespeople from EXATEL. And here I would like to add that it was the first time I saw a teammate wearing slippers; all he said was that a salesman must have slippers. Anyway, we went to the meeting and talked to the CEO. We were outsiders, but we were also incognito (visiting as salespeople); the CEO called some employee to take care of us and show us around the company premises. He didn’t know who we were though, so when we asked him if we could go out for a smoke, he said: “Yes, but then don’t go out through the main entrance. I’ll show you.” He led us to the back and said “here’s the access code, but you can block the door with a stone and come in and out whenever you want.” So these situations also occasionally happen, and then in the report you also find these descriptions.

Piotr:

These are the kind of tidbits that anyone who is a part of an infrastructure that has a door with an entry lock knows. Everyone at least once in their life was a witness to such a situation, that there was a piece of paper in the door, a chair, a shoe or whatever; it really affects the safety. We also talked about some other story where the network was actually well secured and hard to access. And yet there is always some gap.

Kamil:

Yes, we were at a customer’s facility once and performed a reconnaissance service for them. We have to admit that all machines were patched and there were no vulnerabilities that we could identify without performing some very deep tests. At first glance, there was nothing. So we decided to use another method and this is where ARP Spoofing came into play; we simply inserted our intranet site at the customer’s as part of this activity with Basic auth. And a little bit further we got lucky because some employee tried to log in; they were unsuccessful so they called the IT department. An IT employee came in and checked first to see if he could log in there with his credentials. To his misfortune, the credentials, that is, the account he was using, was an account that also had (though it really shouldn’t) AD admin rights. This greatly accelerated our journey to success, as in this way we obtained the login and password of the domain administrator.

Piotr:

The implication is that there are many paths and possibilities, often extremely simple and even though we work with systems every day, we may not necessarily be aware that someone gained access. And that’s an interesting starting point for talking about different problems and challenges. Cyber security is like an ecosystem; it is worth testing. It’s a good idea to check where you stand, to verify the level of security in our organization. A security reconnaissance is one way to do it. Tell us, as someone who knows what is going on behind the scenes, what exactly is reconnaissance?

Kamil:

Our customers are very different and process different types of information. So I usually ask them to think about what kind of information they’re processing, who is their possible adversary, how determined they might be, and how much money they’re willing to spend on it. Because in a situation where we have a very determined adversary who is able to devote a lot of forces and resources, sometimes even several full-time working people and a significant amount of time, just to achieve his goal, there is no denying that the chances of a full defence are slim in the case of most organizations. When we talk about security, our primary concern is obstructing that work, because the moment we manage to do it, we increase the chances (if we have monitoring) of detecting unwelcome actions and limiting the damage that can occur. In fact, reconnaissance is a means of checking the security; it is a very important first step consisting in shutting down, mitigating, limiting before the attacker causes damage. It’s important to realize that if we’re talking about professional and determined attackers, they do not shoot a cannon at a sparrow and use some very advanced attacks if they don’t need to, because it would be pointless. First, you use the solutions that are standard. Analogically, if there is no need, you do not look for vulnerabilities in some custom applications. These solutions are only resorted to when basic measures have failed. The moment an attacker is not able to make use of a portfolio of publicly known and easy to exploit vulnerabilities and has to focus on an internal application (let’s assume a custom one) and decides to target it, he has to test it on production, which increases our chances of detection. The aim of the reconnaissance is primarily to give us a bird’s eye view of the security in our organization.
Above all, the reconnaissance is designed to pinpoint the vulnerabilities, show the vectors of attacks that can be carried out, and help create a plan to properly protect the organization.

Piotr:

Is reconnaissance, then, primarily checking a physical aspect of security, direct IT security that you talked about? Or is it exclusively performing pentests?

Kamil:

As a part of the reconnaissance, we focus on many aspects at once; on the one hand the pentesters perform their tasks, and on the other hand it is process-procedural reconnaissance. Even though we provide this service as a finished, defined product, every customer is distinct and we find ourselves in a different situation each time. Here again I will bring up an example from one of the jobs where, in turn, due to the decision of management all employees concerned knew exactly what was going on. You could see it right away; when you have seen a dozen or so similar networks, you are quickly able to see that the network was patched up. In this particular case, the effect was that it turned out that the admins had their own “secret” mail that they used to communicate among themselves. We took it over and this is where I still got hit by them personally because they referred to me as the older one in the Simpsons T-shirt. But they owned up. They were concerned whether they had turned off all the cryptocurrency excavators. Interestingly enough, we already knew about them as a result of the external activities we performed before coming to the customer. Afterwards we did not find any excavators, but they admitted themselves that they used them and they turned them off; in fact a colleague from the procedural team also had a lot of work to do in this particular case, because when he asked one of the employees about the roles that should be required and their responsibilities, he received an answer that there was nothing like that, and later when he went through the documentation and verified his words, it turned out that it was not true and, in addition, the roles and responsibilities were incumbent on the man who talked to him and said that there was nothing like that in their company and that it still needed to be done. That was us “checking”.

Piotr:

So, in fact, in such a reconnaissance, you touch upon procedural aspects, in short, how it was planned to work, how it was prepared and written down in the form of some procedures, processes, all these management documents, and then, colloquially speaking, you translate it into a living organism and you say: if it really is written down in such a way, if there are such divisions of these roles and responsibilities, if there are the processes of maintenance and technical support, then what does it look like in reality and if anyone looks at it or if it still works.

Kamil:

It is not quite like that. This is a low-cost service, and we spend several days on it. It’s not like the auditor reviews all the documentation. He simply works in cooperation with the pentesters and if something is “off”, he reaches for this documentation and in specific, concrete aspects – if this documentation exists, because often it does not – he verifies whether theory translates into practice. Because as we repeatedly point out, this is not a full audit or a comprehensive effort, and we’re not hiding this fact. The manner of checking can be rather random, and if we identify some vulnerabilities, we can see that in reality not everything looks as good as on paper.

Piotr:

You said you’re really addressing this procedural issue, the infrastructure security issue. These are very technical matters, in part very low-level in terms of the actual procedure for applying certain elements. When it comes to IT security, these are often heavily technological things: access, connectivity, separated networks, etc. And I wonder – what do you deliver at the end? Because from the point of view of the kind of board member, the owner, or the person who commissioned you to do this, who gets a heavily technical, technological report, I think they can find it a bit confusing?

Kamil:

The report is actually divided into two parts. The first part of the report is the part intended, to put it simply, for people with less technical knowledge, not for engineers. There we try to describe in as accessible a way as possible what we did and how, referring of course to specifics, and what we could achieve and why a specific vulnerability can be dangerous. We also describe recommendations of a general nature, what can be done to better secure the organization, we draw a clear diagram with an attack vector. Sometimes with several vectors, because there are situations when we identify one attack vector, and sometimes more, and it depends on the security level of the organization. So we also draw these kind of diagrams with the attack vector that we used to take over the organization as part of this effort. Only then do we move on to the technical part, where we have the “meat”, i.e. individual vulnerabilities described, with evidence and ways to mitigate them. We emphasize it both in the management summary and in conversations with customers that this report should not be treated as a penetration testing report and that mitigating these technical vulnerabilities will not fix the issue completely, because it will simply eliminate or break the attack path that we used. However, it is not said that it will eliminate all attack vectors. And here are the recommendations of a general nature in which we describe what approach to take in order to achieve an appropriate level of security. It is their implementation that is actually probably even more important here than mitigating these individual identified vulnerabilities.

Piotr:

So, we get a management report. A report from which we can usually learn that things are not as nice as they seem, that there are problems, sometimes simpler, and sometimes it may turn out that no matter how much time we spent on security, we still left an open door somewhere.

Kamil:

Yes. It is not that we blame only IT workers. When we see something good we point it out too, of course. It is often the case that we see that something is already well put together, not much is missing and we provide the necessary help. I use the phrase that safety is in the details, and it is those details that you need to pay attention to. Often, this is also information that does not put the blame on line workers at all, because we often still see such a model of operation in organizations – although it is fortunately becoming rarer – in which the scope of responsibilities of an IT department employee is extremely broad. He is responsible for removing the jammed paper in the printer, helping Miss Kate with Excel, while also being responsible for maintaining and coordinating the network, servers, and external services.

Piotr:

A handyman indeed.

Kamil:

Yes, a handyman. Moreover, that worker is expected to do it all in a safe manner, of course.

Piotr:

And within 8 hours of work.

Kamil:

And unfortunately, it doesn’t always work out that way and these people are really hard pressed. Again, let me tell you an anecdote. The IT department of a different customer also knew what was going on and we had a situation that we are not too fond of. There were such housing conditions that we had to work in one room together with the staff. So on the one hand we saw what kind of problems they have on a daily basis, (the phone ringing constantly) and it was really evident that they don’t have time to take care of anything other than the current affairs. On the other hand, they must have thought we were a little weird. We were playing the role of the attacker, so we didn’t want to give away our intentions, and we only wrote messages to each other via Signal. Two guys who sat for 8 hours without saying a word to each other.

At that time we also had, maybe remorse is too much to say, but such a strange feeling, because there was this one guy who was terribly nice to us, he brought us coffee, but unfortunately it was his account that came across and we had to use it to define our attack vector, even though he was a terribly nice guy. As a result of our discoveries these guys were really screwed, but the board approached the issue responsibly. We are a voice from the outside, an objective voice, we have nothing in common with these people, with this organization, and we are simply objective in our assessment. It is also encouraging that when we sometimes point out problems that are not due to lack of competence (although sometimes the problem is that there are no competent people), they do not indicate that someone is lazy (because sometimes you can see that someone simply does not want to get involved and that something could have been done better), but that when we point out problems, we really need to reorganize IT. General recommendations sometimes include such information. In such cases we indicate that the organization needs to separate people who perform the day-to-day work from those who are supposed to take care of security, and give them more authority. We are often met with understanding and management often implements our recommendations.

Then it happens that all the time we participate in improving the level of safety, and frankly the heart rejoices when you see how these people develop and have a double motivator, because they also feel appreciated and wish to receive this knowledge from us or our team. To put it plainly, they are thrilled about it; it is something different from the grey reality in which they have lived up to this point.

You really do get a mix of competent, motivated employees who have just been given a fishing rod and shown how to fish. This is a process. It doesn’t happen overnight, but day by day, and you can see how these organizations, day by day, are improving their security levels more and more. It gives really great personal satisfaction.

Piotr:

We’ll talk more about satisfaction, because this is a very interesting topic – the satisfaction in conquering the unconquered. You said one important thing, that sometimes these reports are brutal and show bluntly that there is a major risk of an attack. Sometimes they show that there is more than one gap, error or something not quite aligned the way it should be. But you also said that there’s often a follow up, a process, that this reconnaissance is really the first step on the journey to achieving better cyber security awareness. So we have done our reconnaissance. What happens next? What are the next steps that are typically taken? We already know that there is a reconnaissance, after the reconnaissance there is a report and this report is divided into parts. There is a management component thanks to which the board can understand where the main source of the problem is – not the only source, but the main source that has been diagnosed. What’s next?

Kamil:

There are reports in which we write that it’s really not bad and only point out some minor problems to solve. These cases are rare, but sometimes they happen.

Piotr:

Does the exception prove the rule?

Kamil:

Sometimes we hand over such reports. After that it depends on the customer’s attitude and how they feel about it, because there are some customers who try to deal with the vulnerabilities on their own, and there are others who ask us for help; we are able to provide it. Here, it’s partly my teams that do it, but other teams in our department of cybersecurity also come into play. For example, we have a great network team and cyber security system administrators, we have a great second line that reviews security systems, helps design them, identifies (from documentation, conversations and interviews) the problems that they think could lead to mishaps. We have a very broad team of experts with over 30 people in the cyber security department right now. So we do not leave the customer alone, but we are able to offer them a comprehensive service. If the customer wants to further improve their security using our resources, then at the moment when, for example, L2 gives an opinion and identifies some problems, my team can come into play, check whether these problems occur only in the documentation or whether they also occur in practice. We will then be able to tell you how to eliminate the problem, and the process and procedure team will create a manual or process that will help prevent these situations from happening in the future. Also after the reconnaissance we are able to help – it is a question of deploying the relevant process, not using a magic wand, but with all our wide competences we could help you reach a satisfactory level of security.

Piotr:

In general, when you talk about cybersecurity and pentesting, it’s clear that you simply enjoy it. Not so much indicating gaps in the system, but the whole process, and most importantly, you actually see that this action that you’re implementing is actually having a real impact on how these organizations continue to grow. You see that your actions have some positive impact on them. You’re not only “the older one in the Simpsons T-shirt”, someone that is disliked. Later on these tech people begin to understand your role in the organization, but also the fact that the organization is changing from the top, from the directors, the board members, at whom your report is really aimed. It is clear this is something that you kind of enjoy and probably constitutes an important element of your everyday life.

Kamil:

Yes, here we have a case of local and global satisfaction. If we wish to consider the local satisfaction, it’s like you said: if there’s a customer that we see wants to draw on our knowledge, we go out to them wearing our hearts on our sleeves, we try to help as much as we can and we do it to the best of our knowledge and sometimes even more. Because the pentester profession is a job that is all about learning quickly. It’s impossible to have all the knowledge, you have to learn fast all the time, so we can do our utmost to help. But then there is that global aspect. I really believe that what we are doing is improving the security of all of Poland’s cyberspace. A strong state is not only a state that is strong economically or militarily, but also a state that is strong in the aspects of cyber security. A lot of recent geopolitical developments in the world indicate that this is simply a new area that we should not fail to consider.

Piotr:

Kamil, thank you very much for today’s conversation, for revealing to us a little bit of the backstage of pentester work and for selling us some very interesting examples of what it looks like in reality. Thank you so much for your time. I hope we will have the opportunity to talk about the topic of cyber security in the future. See you around. We are definitely looking forward to hearing from you.

Kamil:

Thanks. Till next time, then.

Author
Kamil Suska
Deputy Director of the Cybersecurity Department, EXATEL