You are browsing the archive for Personal.

10 years of IT SEC everything and nothing

November 3, 2018 in Personal, Preaching

In 2008 I joined a security consulting company in London trying to do something different. After working for an antivirus company for a while I wanted a change. I’ve been looking for a job in London for nearly a year… so…. when this magic consulting opportunity popped up I jumped on it, even if I had to sacrifice a bit of a salary cut. And… I have never done security consulting work prior to that, plus I am/was/will be always quite anti-social… so… understandably… I was  terrified.

In my new role I got to do work for two ‘branches’ of the company’s security team:

  • one that did pentesting, code reviews, and forensic work on credit card breaches (PCI) in a private sector, and
  • the other one that I would only occasionally support: the forensic team that did the ‘heavy on mind’ work for law enforcement.

Without going into details: I had to quickly learn a new set of soft and technical skills, fail miserably both in acquiring them and using them on my first IR gig, learn to appreciate the fact that I am not the smartest in the room, or that ‘technical knowledge alone’ doesn’t actually sell, and kinda by accident… eventually start adapting to this new, emerging DFIR market.

Having the reverse engineering skills helped a lot. I was able to quickly make some sort of impression on a number of people – both peers and clients; I was ‘flying’ through the samples they were sending my way and was providing them answers faster than anyone else could.

Good.

This helped, and became ‘my thing’ in the next consulting company I worked for as well; it helped the company win some brownie points with a number of customers, and organizations, and most importantly – the relationships I built at that time I still cherish today.

You may be wondering why am I writing this?

Mid-life crisis? Mental breakdown?

Hmm probably, but not really, I hope 🙂

10 years later I must admit I think of these times with a bit of a nostalgia, and, probably like many people in the industry who share a similar experience, I can’t think of it any other way than ‘what a crazy decade it was, but I loved it’… We all literally not only witnessed, but also helped to build a new industry!

Soon after I entered this forming ‘scene’ we had an avalanche of reports in the news: aurora and apt craze, stuxnet, a torrent of never-ending white papers about state-sponsored attacks, Snowden leaks, any leaks really, lulzec, anonymous, POS Malware, ATM malware, more ATM malware, lots of hacking stunts; even migration from old-school social media to new became a thing; blogs to Twitter, then random coding web sites migrated to Google code, github, the Usenet and CodeGuru/CodeProject to Stack Overflow, and so on and so forth… oh, and let’s not forget the ‘everyone is now coding in python’ bit – the coding lingua franca du jour replacing perl, bash, vbs, C and everything else, and then the decompilation magic of the Hex-Rays decompiler, the ‘wow’ effect of first iphone jailbreaks, superawesome pwn2own awards, Project Zero, the new security measures (ASLR, DEP, etc.), development of sandboxes, spy companies being hacked, doxed, then emergence of ‘new’ security industry branches: threat intelligence, EDR, and threat hunting, and tones of new reversing and forensic projects that completely changed the way we do things from manual to automation and conquering new platforms (volatility, plaso, SIFT, autopsy, xdbg64, radare2, remote forensics, etc.). Lots of new great & strong researchers and developers joined the community as well, plus, we even started sharing! And while a bit less related – we observed lots of company acquisitions — bye bye boutique companies. Welcome to big business taking over. And… yeah… imagine that 20 years ago… Windows now hosts Linux.

WTH?!

For me personally, the luck put me in the shoes of a programmer, localization engineer, writer, an investigator of early PCI DSS breaches, forced me to do some pentesting (not the biggest fan, for some reason it doesn’t click with me), and code reviews, then people management, project management, some compliance work, accounting, company secretary, and finally introduced me to a number of super smart individuals. And in the end these experiences helped to land more interesting jobs at a number of companies I would never dream of joining (ok, partially, because I didn’t even know they existed! :)).

As they teach you during MBA – people networking is the key. And it’s the people networking that I never believed in too much… that somehow happened accidentally! This decade was probably for the first time in my life I felt I was in a right place at a right time. The Hexacorn project was built upon all this sentiment and excitement, the ideas I sat on for a long time eventually finally had its outlet and I launched it in October 2011. Simultaneously, between 2011-2018, for 7 years, I held the FTE job at various fintech companies while spending private time cracking problems for my Hexacorn clients and doing researching. To be honest, I do hope I can come back to it in the future, but now I am taking a break (It actually feels good to just focus on one [new to me] thing and not having to work till 2-3am on the moonlighting projects).

Again, why the heck am I writing it?

As you throw yourself deep into one of these ‘specific’ infosec subjects, let it be reversing, forensics, log analysis, SOC, CERT function, threat intel, threat hunting, writing tools, or even less work-related events: attending conferences, doing networking and blogging…. the other trends in the industry progress with a really rapid pace!

You kinda know it, you feel it, and have it within your hand’s reach until one day you wake up to realize that other than the articles or their headlines…. you know nothing about new top 10 OWASP, CPU bugs, cryptominers, IoT, ICS, Cloud, 2FA standards and bypasses, Smartphones’ internals, and yes, even JavaScript – many of which you probably or kinda knew by heart back in a day(!), let alone new network protocols, new HTTP headers, new rules enforced by browsers, GDPR, introduction of web sockets, web assembly, completely new types of vulnerabilities, pentesting tricks, and tones of other things, including increasingly growing vendor offering, more and more bug bounty programs… and also – your knowledge about other stuff that is getting really old is actually… declining. Yup, while we are constantly looking at all ‘new’, who has the time to revisit these old RFCs?

The never-ending paradox of being in the middle of it, but also totally outside of it is… well… quite depressing.

We can’t forget about our progressing age either.

You now work with a new generation of security pros who know more, think faster, and know everything about the ‘current state of affairs’ more than you
+
I don’t know what they do, but they seem to know all the memes better than me!!!

Yet another reason to feel obsolete, redundant – I guess it’s time to give up and retire.

Right?

From ‘the youngest chap in the room’ a few years ago you suddenly become that ‘the oldest one’…

Ouch.

How the heck did THAT happen?

As you get engaged with the younger, and smarter, as you talk, as you read what they write, as you feel their excitement you will hopefully realize that your experience actually does have a bit of a benefit. First of all, you can quickly adapt. Secondly, you have ‘seen it all’ (okay, lots of it, at least). Thirdly, they are not against you, and may even see you as a teacher and friend – and on that note – you can learn a lot from them too! If you are lucky, they are actually like you, or better than you, greedy for knowledge, really fast, and just a bit younger. You may become their mentor, but also… their mentoree.

And with that… time for an explanation: why did I write all this…

Over XY years ago almost all my buddies at the uni were learning Java. It was the FUTURE.

While they were talking UML, Eclipse, etc. I was focused on x86 assembly language, the art of cracking games, bypassing protectors, and understanding how demoscene demos and viruses are made. Most of these guys were shrugging it off – I was just a weirdo and had my weird hobby… While they became unbeatable masters at Java, I got to skim through stuff, and learn and program some of that Java (my BSc project was Java-based!), I got to use my x86 / x64 asm skills a lot, I got to learn how to C, Pascal, Delphi, VB, VBA, VBS, unix, Windows, osx, basic Objective-C, use tools, build own tools, and face a lot of challenges they will never face (e.g. cracking a password for a very obscure private application), etc… And most importantly, I never learned _any_ of it fully. Yup. ended up being the sad Jack of all trades.

Is that wrong?

I don’t think so. I learn new stuff every day, I constantly ‘index’ interesting bits from every blog/twit I read, and while I am aware my knowledge is becoming obsolete every single day, no doubt, I know that I am also capable of things, given an opportunity.

I think we are forced more and more to be IT Security generalists. Ones with an interest and capability to deep dive if necessary, and in many topics new to us. We don’t actually build things anymore. We delegate. We try to understand the big picture, but more importantly – we try to understand it in a security context. And then in a business context. So that we can delegate with a guidance. Over and over again I learn that people outside of IT SEC don’t know what I am talking about and it always takes an effort to explain this stuff to others. No, they don’t know what you do. They don’t care/know/couldn’t be bothered. So, you need to explain, explain again, and then rinse and repeat. By the sole nature of being on this cutting edge we end up being preachers, educators, and yeah, as some describe themselves – evangelists or strategists.

One thing for sure, it’s not for everyone. It’s not comfy to know that 10-15% of it. ‘Real’ developers or architects won’t like it. ‘Real’ pentesters won’t like it. ‘Real’ compliance guys won’t like it. And ‘real’ hardcore forensics analysts or ‘firewall’ guys won’t like it either… The IT Sec is now a soup of everything else, an amoeba, and amalgamate, sometimes a bit of a mess that hits the fan – to deal with it you need to feel comfy with… the chaos.

Perhaps this post is my way of dealing with the impostor syndrome. Perhaps it’s just a fake infosec wisdom I am pretending to understand. One thing for me _IS_ sure, and I will preach it to everyone who dares to listen: never rest on the laurels. While I am looking back at my past I must honestly admit that in my own eyes I did commit this sin twice in my career and it took me a long time to catch up afterwards. Each time.

So… DO NOT REST ON LAURELS.

As long as you don’t rest on laurels, you are an impostor with a purpose – probably the only meaning of our infosec life…

How to find new persistence tricks?

October 14, 2018 in Autostart (Persistence), Personal, Preaching, Reversing

Every once in a while people ask me how do I find all this stuff.

The TL;DR; answer is simple: curiosity + reading Microsoft documentation + other peoples’ research + applying some automation.

At first, it was really just some curiosities that I could not explain when I was less experienced in reversing e.g. the Visual Basic VBA Monitors. When you use Procmon a lot, some of the stuff you see in the logs eventually gets stuck in your head and becomes really familiar. Such was the case with the HKLM\SOFTWARE\Microsoft\VBA\Monitors key that I saw anytime I was analysing a VB application with Procmon. I could not explain it and was curious what it is for…. googling around didn’t bring any answers. Eventually I started analysing the actual code that triggers that behavior and that’s how Beyond good ol’ Run key, Part 6 was born…

Then there is obviously a number of them that was a result of manual, often annoyingly time-consuming code analysis. There were times where I couldn’t find anything new for a few months. Perhaps assumptions were wrong; perhaps we have already discovered it all… at least so I thought every once in a while…. But… then… they keep coming… not only from me, but also from others… And it’s hard to explain how it is even possible… For instance, the recent one is a perfect example of a situation where the random luck played a role a lot. While looking at some unrelated stuff inside the kernel32.dll I happened to spot the bit that was loading the callback DLLs. With so many people looking at kernel32.dll over the years I still find it amazing we find new stuff there all the time.

Many other cases were a result of a more deliberate research; for instance, many persistence mechanisms I described rely on the fact that some programs or components load a number of DLLs that are executed one by one after they are listed under a certain location in the Registry. Such activity needs to rely on Registry enumeration APIs. If you can find programs or DLLs that use these functions you will most likely find possible persistence mechanisms!

And then there are keywords e.g. ‘providers’, a very popular way to name a place in the Registry where a lot of plug-ins are loaded from. Example of possible enumerations for some keys that include the keyword ‘providers’ is shown below:

  • SYSTEM\CurrentControlSet\Control\Cryptography\Providers
  • System\CurrentControlSet\Control\SecurityProviders\SSI\Providers
  • SYSTEM\CurrentControlSet\Services\LanmanServer\ShareProviders
  • System\CurrentControlSet\Services\RemoteAccess\Accounting\Providers
  • System\CurrentControlSet\Services\RemoteAccess\Authentication\Providers
  • SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
  • SYSTEM\CurrentControlSet\Services\WbioSrvc\Service Providers
  • SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
  • System\CurrentControlSet\Services\WinTrust\TrustProviders
  • System\CurrentControlSet\Services\WlanSvc\Parameters\ComInterfaceProviders
  • System\CurrentControlSet\Services\WlanSvc\Parameters\VendorSpecificIEProviders

I also mentioned Microsoft Documentation; it’s like a RFC for Windows programming. I have read a lot of it over the years, and every once in a while some of that old knowledge comes back to me. Ideas for tricks around DDE, WM_HTML_GETOBJECT  as well as the Propagate trick (SetProp) are result of my experience actually coding for Windows for more than 10 years. These (especially old, legacy) things stay with you and sometimes bring some really refreshing ideas. Not only for persistence tricks.

Then there are ‘magic’ APIs… if you read code and see references to ShellExecute, WinExec, CreateProcess, LoadLibrary, CoCreateInstance and their numerous variations and wrappers you will soon discover that the Windows ecosystem hardly re-uses code; or, more precisely, it does re-use a lot of it, but it also relies on lots of custom paths that are added to it. Lots of code snippets you come across look like a custom programming endeavor of the coder who wrote that part of the program just to test an idea. It’s actually a normal, even expected behavior in such a sea of code. But… quite frankly…. we really have to thank Microsoft Programmers for all the testing & debugging code and error messages/strings that are shipped with the OS. This helps a lot!

All of these unexpected and probably meant-private/for lab-only code paths provide a lot of interesting opportunities… both for persistence, and LOLBINs; anyone who just dares to look for it will eventually find something.

I am fascinated by it; the actual persistence bit is less important, even if on occasion the ‘novelty’ of some of these techniques may have the ‘wow’ factor ; the real pleasure for me is derived from these three things:

a) an opportunity to read lots of other peoples’ code and sharpen my reverse engineering skills

b) learn how the system works under the hood

c) being ahead of a curve with regards to forensic analysis

Actually, the a) and b) are equivalent… the c) is an obvious bit.

If you think of the books like Windows Internals, or The Art of Memory Forensics, the majority of the information that the authors rely on is a result of direct or indirect contact with the actual system internals (and these guys did it a lot). There is no magic wand. Yes, there are source leaks, there are ex-MS programmers becoming researchers who had an access to the source at some stage and for some time can leverage their privileged position, but I’d say that majority of the discoveries presented at conferences over last 30 years, as well in books and written on the blogs is relying on the work of all these poor reversing souls sitting and digging in the OS code all the time. Some of them even become famous and get hired by Microsoft :).

Many developers curse unpredictable behavior of some APIs, complain about the way things work, yet often are unable to pinpoint the exact reason for a certain behavior so that the root case can be analyzed. In my eyes, an ability to dig into code of others, whether the source is available or not, is the core skill of any programmer, and… perhaps even information security professional. None of the reversing, forensic, vulnerability research tools would exist w/o this ‘poke around in other people’s code’ infosec branch.

So… if you want to find new persistence tricks… pick up any code you think has a potential, start digging, and actually discover how things work under the hood. Or at least 0,000001% of it. And no, whatever you find, you don’t need to blog about these new persistence discoveries at all – get out of my lawn! 😉