How To Handle Leaked Credentials

OK, so you used ClawBack™ or some other tool and found leaked credentials linked to one of your employees on the web. Now, what do you do?

First, don’t panic. Leaked credentials happen all of the time. On average, it was discovered that employee email credentials from 10% of all Fortune 500 companies have been leaked in some form of data breach. (blog.finjan.com)  Another report published recently suggests that the web currently hosts leaked credentials of employees for 97% of the top 1,000 global companies – many stemming from third-party data breaches. (blog.finjan.com)

Once you come to terms with your find, it’s time to get down to business researching the issue. The first step is to determine what kind of data you have identified. Usually, leaked credentials come with a user ID like an email, system login name, or the like. Presumably, this is how you found the credentials in the first place. Next, determine if you have a password and/or hash for that user that was contained in the leak. If you found only a list of emails or names, there is not much actionable intelligence there, beyond maybe letting those users know that they are at increased risk for phishing and reminding them to be vigilant.

If, however, you have a password or hash tied to one of your user names in the leak, a few more steps are involved. If you have a password, the first step is to determine if that password meets whatever password policies you have defined across the organization. This is a key leverage point for identifying potential leaks – many, if not most, leaked passwords come from third-party systems and websites that are compromised by attackers but are only used by the firm’s employees. It’s pervasive for industry sites, or shopping sites to be linked to your employee’s identity – it could be as simple as your employee signed up for the site with their work email, and that site got breached. If that is the case, then as long as your employee doesn’t use that password at work (or similar passwords: eg: Summer12 and Summer13, etc.) there is little risk to the firm. If the password would not meet your password policy for your domain, webmail, and other applications, then this is likely the case. If that happens, simply contact the employee, advise them of the leaked credential, and make sure that they understand to change their passwords anywhere they used that password in their online life.

But, what if the password could be one of your domain or webmail accounts? If the password would meet your policies, then immediately force a password change on all systems for that user. If possible, you should also terminate any open sessions and force the user to change their credentials. While a determined attacker may exploit this process to reset the password themselves if they have the ability, it prevents any non-resourced attackers from exploiting the credentials. The worst case is that an employee loses a current session and has to reset their passwords to continue working.

However, don’t stop there – contact the user and advise them of the leaked credential. Ask them if it was used on any work-related systems or applications, and if so, immediately begin an investigation on those systems looking for signs of illicit access. This should be performed using intensive log reviews and should go back to the date of the user’s previous password change whenever possible. Do not depend on the leak date, if shown, as the boundary for the incident. Attackers may have had knowledge and access prior to making the leak public. Often, attackers use compromised accounts for some time, getting what they want from the victim, and then release the stolen credentials to other attackers via a sale, or to the public, in the hopes that the additional attacker traffic will hide the original compromise.

Lastly, if you only have a hash of a potential password, I would still follow the process above. Most hashes can be broken given enough resources. Thus, it is erring on the side of caution to follow the above process, and accept the hash as a credential that could be in use in your environment.

Got other workarounds for leaked credentials? I’d love to hear them. Drop me a line on Twitter, and let me know (@lbhuston). I’ll share any insights in future posts.

If you’d like to learn more about ClawBack – check out our solution for hunting down leaked credentials, source code, and configuration data. Get in touch with us for a discussion, or check out the videos on our website for a walkthrough.

 

 

 

Automating SSL Certificate Management with Certbot and Let’s Encrypt

As we posted previously, following best practices for SSL certificate management is critical to properly secure your site. In that post, we discussed automating certificate management as a best practice. This post is an example of how to do just that.
 
To do so, we will use the highly-trusted free certificate provider Let’s Encrypt. We will also leverage the free certificate automation tool Certbot.
 

Installing Certbot

Installing Certbot is pretty easy, overall, but you do need to be comfortable with the command line and generally know how to configure your chosen web server. That said, if you check out the Certbot site, you will find a dropdown menu that will let you pick your chosen web server and operating system. Once you make your selections, simply follow the on-screen step-by-step instructions. In our testing, we found them to be complete and intuitive.
 

That’s It!

Following the on-screen instructions will have:

  • Certbot installed
  • Configure your web server for the certificate
  • Generate, get and install the certificate
  • Implement automatic renewals of the certificate to prevent expiration

You can literally go from a basic website to fully implemented and automated SSL in a matter of moments. Plenty of support is available from EFF for Certbot, or via Let’s Encrypt. In our testing, we ran into no issues and the implementation completed successfully each time.

Give it a shot! This might be one of the easiest and most effective security controls to automate. Together, Certbot and Let’s Encrypt can create a no-cost cryptography solution for your web sites in a very short amount of time.

Last Quick and Dirty Log Tip for the Week

OK, so this week I posted two other blog posts about doing quick and dirty log analysis and some of the techniques I use. This one also covers converting column logs to CSV.

After the great response, I wanted to drop one last tip for the week. 

Several folks asked me about re-sorting and processing the column-based data in different ways and to achieve different analytical views. 

Let me re-introduce you to my friend and yours, sort.

In this case, instead of using the sort -n -r like before (numeric sort, reverse order), we can use:

  • sort -k# -n input_file (where # is the number of the column you’d like to sort by and the input file is the name of the file to sort)
    • You can use this inline by leveraging the pipe (|) again – i.e.: cat input.txt | sort -k3 -n (this types the input file and sends it to sort for sorting on the third column in numeric order) (-r would of course, reverse it…)
    • You can write the output of this to a file with redirects “> filename.txt”, i.e.: cat input.txt | sort -k3 -n -r > output.txt
      • You could also use “>>” as the redirect in order to create a file if it doesn’t exist OR append to a file if it does exist… i.e..:  cat input.txt | sort -k3 -n -r >> appended_output.txt

That’s it! It’s been a fun week sharing some simple command line processing tips for log files. Drop me a line on Twitter (@lbhuston) and let me know what you used them for, or which ones are your favorite. As always, thanks and have a great weekend! 

Quick And Dirty Log Analysis Followup

Earlier this week, I posted some tips for doing Quick and Dirty PA Firewall Log Analysis.

After I posted this, I got a very common question, and I wanted to answer it here.

The question is something along the lines of “When I use the techniques from your post, the outputs of the commands are column separated data. I need them to be CSV to use with my (tool/SEIM/Aunt Gracie/whatever). How can I convert them?” Sound familiar?

OK, so how do we accomplish this feat of at the command line without all of the workarounds that people posted, and without EVER loading Excel? Thankfully we can use awk again for this.

We can use:

  • awk ‘BEGIN { OFS = “,”} ; {print $1,$2,$3}’
    • Basically, take an input of column data, and print out the columns we want (can be any, in this case I want the first 3 columns), and make the outputs comma delimited.
    • We can just append this to our other command stacks with another pipe (|) to get our output CSV
  • Example: cat log.csv | awk ‘BEGIN { FS = “,”} ; {print $8,$9}’ | sort -n | uniq -c | sort -n -r | awk ‘BEGIN { OFS = “,”} ; {print $1,$2,$3}’
    • In this example, the source IP and destination IP will be analyzed, and the reduced to unique pairs, along with the number of times that that pair is duplicated in the input log (I use this as a “hit rate” as I described earlier
      • A common question, why do I ask for two columns in the first awk and then ask for three columns in the second awk?
        • The answer of course, is that the first awk prints the unique pairs, but it also adds a column of the “hit rate”, so to get the output appropriately, I need all three fields.

So, once again, get to know awk. It is your friend.:)

PS – Yes, I know, there are hundreds of other ways to get this same data, in the same format, using other command line text processing tools. Many may even be less redundant than the commands above. BUT, this is how I did it. I think it makes it easy for people to get started and play with the data. Post your ways to Twitter or share with the community. Exploration is awesome, so it will encourage users to play more. Cool! Hit me on Twitter if you wanna share some or talk more about this approach (@lbhuston).

Thanks for reading!

How to Engage MSI for Supply Chain Security Help

The month of March is about to wrap up and come to a close. I hope it was a great month for you and your security initiatives. I also hope you took advantage of our focused content this month on Supply Chain Security. If you want to go back and read through some of the articles, here are quick links:

3 Reasons Your Supply Chain Security Stinks

Ideas for Vendor Discovery

Sorting Vendors into Tiers

Mapping Control Requirements to Vendor Tiers

An Example Control Matrix for Supply Chain Security

What is MSI’s Passive Assessment & How Does it Empower Supply Chain Security?

Many folks have asked us about how to engage with MSI around the Supply Chain. I wanted to add this bit of information in order to make it easier for folks to know how we can assist them.

You can engage with MSI around Supply Chain Security in three primary models:

  • Focused Mission Consulting Model – This model is when you have a specific set of tasks and deliverables in mind that you would like MSI to create/review/audit or test. We scope the work effort up front and provide a flat rate engagement price. The work is then completed, usually offsite, and the deliverables are worked through until completed. This is fantastic for organizations looking to build a program, create their tiers and control matrices and document the processes involved. Basically, you hire us to do the heavy lifting…
  • Retainer-Based Consulting Model – This model lets you hire MSI resources for a specific time frame (usually 1 year) for periodic oversight, design, review or operational tasks. Our team supplements your team, providing experience and assistance to your process. Basically, you do the heavy lifting – and we make sure you build an efficient, effective and safe program for supply chain security. This is a flat rate, billed monthly, for a set number of resource hours.
  • Virtual CISO Model – In this model, you can hire MSI to manage and provide oversight for security needs across the enterprise. You get an assigned MSI resource who is responsible for ensuring your initiatives get completed and performed in accordance with best practices. This resource can draw from other MSI subject matter experts and our services, as needed, to build out/supplement or support your security initiative. This is a great offering for small and mid-size organizations who need deep expertise, but who might not have the budget or capability to retain world class talent across multiple security domains. Basically, in this type of engagement – you hire us to solve your security problems and build/manage your security program. We do that with attention to cost/efficiency/effectiveness and safety. Pricing for this service type varies based on the maturity and requirements of the security program.

You can also retain MSI to leverage our passive assessment platform to assess your vendors passively, “en masse”. For information about how to engage with us to serve as a fulcrum for your security program, arrange for a free, no pressure, exploration call with your account executive. If you don’t have an account executive, give us a call at (614) 351-1237 or drop us a line at info (at) microsolved /dot/ com and let us know of your interest. We would love to share some demo information with you and walk you through how we can help.

If you have any other questions about Supply Chain Security or other issues, please get in touch, as above. You can also reach out to me on Twitter. As always, thanks for reading and until next time, stay safe out there!