TechTarget: How to Build a Security Champions Program

On March 11, 2022, Nabil Hannan guest authored a TechTarget article titled, How to Build a Security Champions Program. Preview the article below, or read the full article online here.

+ + +

Application security is more important than ever, as apps remain one of the most common attack vectors for external breaches. Forrester’s latest “State of Application Security” report stated organizations are starting to recognize the importance of application security, and many have started embedding security practices more tightly into their development stages — a big step in the right direction.

It’s important to understand, however, that building a world-class application security program can’t happen overnight. A great deal of foundational work must be done before an organization can achieve results, including sharpening security processes around the software development lifecycle (SDLC) to identify, track and remediate vulnerabilities more efficiently. These efforts will eventually bring organizations to a high level of maturity.

Adoption of security in the SDLC is often lacking in many organizations. The answer to this problem lies within an organization’s employee population. Companies should establish a security champions program, where certain employees are elected as security advocates and drivers of change.

To create a strong cybersecurity culture, security champions should be embedded throughout an entire organization. These individuals should have an above-average level of security interest or skill, with the goal of ultimately evangelizing and accelerating the adoption of a security-first culture — not only through software and application development, but throughout the organization.

Developing a security champions program doesn’t need to be complicated. This four-step process helps organizations establish their program with ease.

Continue reading How to Build a Security Champions Program on TechTarget.


Escalating from Logic App Contributor to Root Owner in Azure

In October 2021, I was performing an Azure penetration test. By the end of the test, I had gained Owner access at the Root level of the tenant. This blog post will provide a short walkthrough of what I found and disclosed to the Microsoft Security Response Center (MSRC).

What was the bug?

The short explanation is that having Contributor access to an Azure Resource Manager (ARM) API Connection would allow you to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload.

How did I find it?

It’s fair to say that I have spent a lot of time hacking on Logic Apps, and I experience a lot of recency bias with the services that I’ve dug into. After I published my Logic App research, I started seeing Logic Apps popping up on my tests. 

To recap, Azure Logic Apps use API Connections to authenticate actions to services. In my blog, Illogical Apps – Exploring and Exploiting Azure Logic Apps, I discuss how to tease unintended functionality out of Logic Apps to perform actions as the authenticated user. The examples I use involve listing out additional key vault keys or adding users to Azure AD. 

When we create an API Connection, it requires a user to authenticate it. That authentication will persist for the lifetime of the API Connection, unless changes are made to it which will invalidate the connection. You can view the connection dialog below.

API Connection dialog

In this environment there was an Azure Resource Manager API Connection authenticated as a user with User Access Administrator rights at the Root level. If you’re not familiar with Azure terminology, the User Access Administrator role allows for creating new role assignments, and the Root level is the highest tier in an Azure tenant. I had not looked at the ARM connector in my prior research, but I was confident we could abuse this level of access.

Initial Recon

Generally, our goal is to escalate to the Owner role on a Subscription. This is similar to getting Domain Administrator (DA) on an internal network penetration test in the sense that it is a bit oversimplified, but very useful for demonstrating the severity of a finding. I started looking at the relevant ARM actions that I could use to achieve this. Consulting the Microsoft documentation, “Create or update a resource group” looked like a good starting point. But looking at the parameters for the action, the Subscription and Resource Group parameters are required.

Create or update a resource group

While they’re required, we can insert custom values. If we make the Resource Group blank, will that work? No. Here’s why: API Connections are just wrappers around an API as the name would suggest. These APIs are defined by Swagger docs, and we can pull down the whole Swagger definition by using an ARM API Connection in a Logic App and making a request to the following resource:


Looking at the Swagger definition, the endpoint for this action is a PUT request to this path:


So, we can reasonably assume that when we use a blank Resource Group name, a request is getting made to:


And we get an error since this Resource Group does not exist. At this point, I verified that using a valid Subscription and Resource Group name, it was possible to create Role Assignments at the Resource Group level. This is because Role Assignments are created like any other resource in Azure. At a minimum I was able to (as a Contributor) give myself Owner rights on all the Resource Groups in a Subscription. Still not a bad privilege escalation, but we can do better.

You might have spotted where this is headed given the format of the path above. If we can include custom values for the Resource Group and Subscription, can we manipulate the final path to perform actions at different scopes? If we provide “..%2F” as the Resource Group name, then our path will match the right Swagger path, but the server will resolve the payload and our request will end up going to:


Now we can create Role Assignments at the Subscription level! Taking this one step further, we can traverse the Subscription path too, and create Role Assignments at the Root level (if the connected user has sufficient access).

Unnecessary Optimizations

At this point I had a working exploit in my lab, and I went to reproduce it in the client environment. It went off without a hitch, and I was now a Subscription Owner. While I was setting up the Logic App, I noticed something that I hadn’t before: Since my lab environment is very small, when I clicked the Subscription dropdown menu, it was populated with Subscriptions that my account didn’t have access to. This meant that these Subscriptions were being fetched in the context of the API Connection user – but I hadn’t run a Logic App.

To track down the behavior, I fired up Burp Suite and found that a request was being made to the “dynamicInvoke” endpoint of the API Connection. The request payload looked like this:


And the response looked like this:


Another area that I’ve spent a lot of time looking at is Azure’s REST API. Given that the response JSON included a status code, I figured the request to the dynamicInvoke endpoint triggered the server into making a request in the context of the connected user. 

For those curious, my understanding is that the server makes a request to https://logic-apis-[region][region]/[connectorname]/[connector-id]/exchange which returns a token to the server. 

You can verify this by sending malformed input in the path value to the dynamicInvoke endpoint and observing the output. I assume that the returned token is then used to access the relevant services as the connected user.

Anyways, we can just hit this endpoint directly to trigger our exploit instead of creating a Logic App. This is what the final payload looked like:

                'principalId': '$principalId',
                'roleDefinitionId': '/providers/

I also confirmed that trying to hit the Subscription directly (without the resourceGroups part) via this endpoint did not work, it would yield a 404 error. But if we included the path traversal payload, then a nice “201 Created” message was returned instead. This is important, because it is proof that this wasn’t an intended behavior. 


To summarize, I was able to escalate from a Subscription Contributor to Root Owner by abusing an API Connection. The root cause of this behavior was that a path traversal payload would meet the Swagger API definition, and the payload would be resolved by the server resulting in a request to an unintended scope. 

This issue was responsibly disclosed to MSRC and acknowledged by Microsoft in March 2022. They remediated the issue by filtering the method value to block the paths that include the path traversal payload. 

I would still recommend that anyone using API Connections should evaluate what users are authenticated for each connection. If any of the authenticated users are privileged, there may a possibility for abuse.


Why the Telecoms Industry Should Retire Outdated Security Protocols

The Federal Communications Commission (FCC) recently announced its proposal to update data breach laws for telecom carriers.

A key change in the proposal? Eliminating the seven-business-day waiting period required of businesses before notifying customers of a breach.  

Although the proposed FCC change would allow companies to address and mitigate breaches more quickly, it does not solve the greater issue at hand: The sensitive data collected by the telecoms industry is constantly at risk of being exploited by malicious actors.  

The Telecoms Threat Environment 

Protecting data within the telecoms industry is instrumental in ensuring customer privacy and safety.  

When telecom companies experience a data breach, hackers often target customer proprietary network information (CPNI) – “some of the most sensitive personal information that carriers and providers have about their customers,” according to the FCC. This includes call logs, billing account information, as well as the customer’s name, phone number, and more.  

In August 2021, T-Mobile suffered the largest carrier breach on record, with over 50 million current and former customers affected.  

To protect customers from further breaches, the telecoms industry must deploy configurations securely, enable end-to-end encryption, and return to security basics by enabling automation in vulnerability discovery and penetration testing.  

Misconfiguration Risk 

Networks, specifically telecommunications channels, continue to increase in complexity, causing an increased risk for misconfigured interfaces within organizations.  

From these misconfigurations, attackers can stitch together multiple weaknesses and pivot from one system to another across multiple organizations.  

In October 2021, LightBasin, a hacking group with ties to China, compromised telecom companies around the world. LightBasin used multiple tools and malware to exploit weaknesses in systems that were configured with overly permissive settings and neglected to follow the principle of least privilege.  

These hacking tactics are not unique. Had the telecoms industry instituted the proper channels for alerting and blocking on common attack patterns and known tactics, techniques, and procedures (TTPs) that attackers use widely they may have been able to prevent the LightBasin attack.  

Additionally, to protect against future attacks and data breaches, industries should build proper standards and automation to ensure that configurations are deployed securely and consistently monitored.  

The Need for End-to-End Encryption 

Enabling end-to-end encryption within mobile communication networks could help to combat some of the lateral movement strategies used by LightBasin and similar hacker groups.  

This lateral movement within telecommunications networks can be challenging for the industry to address for multiple reasons. The overarching issue? Telecommunications systems were not originally developed with security in mind and are not secure by design.  

The telecoms systems have flaws that cannot be fixed without major architectural changes and these systems have evolved to be utilized in a way that’s outside of the original creators’ intent.  

In particular, these mobile communications networks were not built with a quality of service guarantee or any type of end-to-end encryption to ensure that users’ data is not exposed while in transit.  

WhatsApp, for example, uses the Signal protocol to asymmetrically encrypt messages between users. The encrypted messages then get transmitted the via a WhatsApp facilitated server.  

This ensures that only the intended recipient can decrypt the message and others who attempt to do so will fail. Legacy telecoms players should adopt a similar approach for added protection to users’ communications.  

While end-to-end encryption can protect against lateral movement strategies, this does not mean the security is infallible. Just because the communication channel is secure doesn’t ensure application security. Users are still vulnerable to social engineering attacks, malware, and, as in WhatsApp’s case, the app itself may be vulnerable.  

To truly secure user data, the telecoms industry security must invest in holistic security strategies including application security testing.  

For more on end-to-end encryption, read Why Do People Confuse “End-to-End Encryption” with “Security”? 

Collaboration and Coordination 

As the telecoms industry begins to prioritize security, organizations harnessing the networks must also prioritize security.  

This includes ensuring multi-factor authentication between users and systems, the principle of least privilege, or even proper input validation and output encoding.  

In tandem, the telecoms industry should strive to build automated vulnerability management processes where possible. This ensure continuous checks and balances are in place to secure all deployed systems – both at the software and infrastructure levels.  

Where hackers have only become more sophisticated in the technology and methods used to acquire data, the telecoms industry has neglected to keep up.  

Currently, messages and calls can be spoofed, data is not encrypted while in transit, and the quality of service and protection is not guaranteed. We have adopted a network with inherent flaws in its design from a security perspective, and these systems are used by billions of people across the globe.  

The change in FCC guidelines mark significant progress. Given the current threat environment, security efforts in the telecoms industry must be prioritized to ensure billions of people and their data are protected. 

Learn more about the benefits of vulnerability management for the telecoms industry in our case study with a fast-growing provider.

ChannelPro Network: IAM for IoT

On March 1, 2022, Larry Trowell was featured in a ChannelPro Network article titled, IAM for IoT. Preview the article below, or read the full article online here.

+ + +

IDENTITY AND ACCESS MANAGEMENT is hard enough when it’s mostly users you have to worry about. When large volumes of vulnerable IoT devices are involved as well, the challenges only get greater.

“IAM is already a complex subject, and the addition of IoT devices makes the entire process much more complex,” says Larry Trowell, principal consultant at NetSPI, a penetration testing-as-a-service security company in Minneapolis.

In IT, IAM “is used to streamline user digital identities, and to enhance the security of user-facing front-end operations,” says Dimitrios Pavlakis, a senior analyst at ABI Research. Policies for passwords, email, accounts, and more can be automated, like onboarding, to meet security requirements and compliance rules. These advantages apply to IoT devices as well as users, but there are numerous hurdles.

For instance, domain controllers used by many companies often have trouble supporting IoT devices with limited client intelligence, according to Trowell. Even cloud solutions prepared for IoT devices “may not be able to operate with the level of access businesses feel they should,” he notes. Multiple IoT devices may need to maintain identities and roles between various accounts, leading to security gaps within this complex environment.


Making Cybersecurity Readiness Mainstream

When an organization gets hacked, who is the most vulnerable? 

The answer is a no-brainer. It’s the employees not in IT or security who are the most vulnerable. So how can we train these people to understand security concepts better? And how do we make it simple enough to understand so that it is accessible to the general population and non-technical employees in your organization? 

Cybersecurity readiness depends on all of us, not only security professionals with technical acumen. I recently joined NetSPI managing director Nabil Hannan on the Agent of Influence podcast to discuss this very topic and share highlights from my book, Cybersecurity Readiness: A Holistic and High-Performance Approach. I discuss this, and similar content, on The Cybersecurity Readiness Podcast.  

In this blog, I’ll share highlights from our discussion and advice on how to achieve cybersecurity readiness across your organization.

Cybersecurity Education Goes Mainstream 

Start by engaging in security conversations with people in a non-technical but pragmatic manner. We need to stop or limit the use of acronyms when communicating with people who are unfamiliar with this domain. 

Many people don’t have a formal technology education. Instead, they learn these practical skills on the job or through other circumstances. In many cases, they’re fast learners and sometimes even more adaptable and flexible compared to those who do have a formal education. My point is, someone who doesn’t have any expertise in cybersecurity readiness can still learn and understand cybersecurity education.  

Training needs to start at a peer-to-peer level. People who are trained in cybersecurity can train others by engaging in simple discussions, providing small tips here and there, showing them the potential points of vulnerability, and discussing what they should and should not be doing. It’s a matter of recognizing the need and providing the resources to others in the organization, creating a cascading effect.  

Cybersecurity readiness and education also need to begin much earlier in life. Kids three to five years old are now using the internet and they need to be aware of what are the do’s and don’ts – and the consequences. We need to start at that age group and slowly advance the level of readiness.  

Media and entertainment are great avenues for popularizing cybersecurity education, whether that is through movies, television series, or even Broadway shows. People like movie producers and scriptwriters can always find ways to instill cybersecurity hygiene and cybersecurity discipline in the audience.  

Cybersecurity training exists today, but we need to go beyond that. Training needs to be customized, personalized, continuous, and it should be interactive and gamified. We need to incorporate continuous assessments in our training to better understand how effective the training is in enhancing people’s level of cybersecurity readiness. 

Organization-wide Accountability in Governance is More Important Than Ever 

There is a lot of guidance and tools out there to help organizations monitor threats. But here’s the problem: Not all organizations do a great job of properly logging, reviewing, and acting on the intelligence received. That’s where having robust processes and established governance mechanisms can make a difference. 

The most critical success factors in cybersecurity governance are dependent on the level of commitment from the leadership team. As mentioned earlier, cybersecurity readiness is everyone’s business, it’s not just a technical issue.  

I believe there needs to be an organization-wide effort to create and sustain a “We are in it together” culture in governance. To be able to build that culture and sustain it, organizations need to factor in joint ownership and accountability.  

It’s not enough to expect the Chief Information Security Officer (CISO) to take ownership of all that is cyber in the organization. Every department must take responsibility and get involved. 

The CISO Role Must Be Collaborative 

If you hire a CISO, you should enable them to be successful. To do that, it is important to make the CISO function as collaborative as possible. Ensure that the CISO has direct reporting opportunities, whether that is at the level of the CEO, President’s level, or an external group. The CISO should not operate in a silo. 

We need to be proactive and substantive, and we – senior leadership – must be genuine about our desire to shore up our defenses. They are going to be the ones who hold the key to creating a formalized roadmap that will drive the security culture in the organization.  

Development and Security Alignment 

It’s not uncommon to receive pushback from senior leadership or top management about the need to do more cybersecurity training because they would rather devote resources to prioritize the development of a product or service. 

The development team is incentivized to get the product out as quickly as possible whereas the security team leads quality control, making sure that the product is secure before it goes out.  

The development team often sees the security team as an impediment to their goals, but their goals need to be aligned. They should be working together in cohesion as one team. To do that, management needs to communicate this approach, recognize that they will support this approach, and provide the necessary budget.  

For more on this topic, read: Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster 

Cybersecurity Professionals Must Take on New Challenges 

There is an ever-growing concern about the catastrophic consequences of ignoring or being unprepared for cyber threats. To raise the overall level of cybersecurity readiness, we’ll need to incorporate holistic training in our cybersecurity curriculum. 

The holistic approach will equip teams with both the business and technical acumen to handle the business critical vulnerabilities of the company. These skills will enable them seamlessly to transition from a technical position to a managerial position, and eventually the CISO of the organization. 

Celebrate Failures 

Failure is not a bad thing. In fact, I think it’s very important to fail. You fail when you’re trying to go beyond suggested specifications or when you’re trying to create something new. It’s an important mindset and skill to have because failure is one of the many features that define cybersecurity innovation

If people are scared to try something new, they would stop innovating. Can you imagine in the world of cybersecurity, when hackers are coming up with something new every couple of hours, what happens to the cybersecurity defense teams if they don’t keep up? The importance of stimulating and supporting innovation is key. 

Final Words 

Cybersecurity deserves the same level of attention as the rest of the business. After all, security is everyone’s business. We are all part of the solution, and we can all fall victim to a cyberattack. So, let’s do something about it. Making cybersecurity more approachable, incorporating organizational-wide accountability, and encouraging innovation are all great areas to begin. From the CISO to the new intern, every employee plays a part in your organization’s cybersecurity readiness.  

*This blog was co-written by Kia Lor, NetSPI Content and Social Media Specialist, based on the Agent of Influence podcast episode featuring Dave Chatterjee. 

Listen to Agent of Influence, Episode 36 with Dave Chatterjee now

Discover why security operations teams choose NetSPI.