Can You Stop a Breach in 19 Minutes?

Posted by Monnia Deng on Feb 27, 2019 10:03:31 AM

Spotting an initial breach of a network is already difficult. New research begs an additional question: can you stop attackers from gaining control of your critical systems and applications in a matter of minutes? According to Crowdstrike, if you can't detect and respond to a breach in under 19 minutes, you may be vulnerable to Russian hackers. In their annual threat report, Crowdstrike found that Russian hackers had a “breakout time” - the time a hacker takes from gaining initial foothold in the network to when they start moving laterally to critical machines - of just 18 minutes and 49 seconds, which is the fastest in the world. North Korea, China, and Iran placed second, third, and fourth, respectively (English-speaking countries were not studied, but we imagine the US and UK would be among the top of the list).

Read More

Topics: Hacking

Three Ways to Limit the Cybersecurity Impact of the Government Shutdown

Posted by Monnia Deng on Jan 25, 2019 10:25:25 AM

UPDATE (Jan. 25): Recent news reports state a deal has been reached to re-open the federal government through Feb 15. The issues outlined in this blog continue to apply to public and private sector organizations.

As many of you may have read in the news recently, the government shutdown has had a negative impact on both federal and enterprise security. Krebs on Security has reported possible consequences of the government shutdown on the talent pool, such as federal employees actively being recruited by the private sector, as well as delays on security clearances. Duo Security’s news arm, Decipher, has also done a great job laying out potential government shutdown impacts on enterprise security, including delays on NIST guidelines and standards, and closure of FIPS validation sites.

Read More

Topics: Risk, Credential Compromise, Hacking

It’s Time to Get Proactive on Energy Sector Security

Posted by Wade Williamson on Dec 10, 2018 12:58:25 PM

The 2010 discovery of the Stuxnet worm was one of the truly seminal moments in the world of cybersecurity. The world saw firsthand how malicious code could cause crippling damage to physical assets. Virtually every industry had to stop and take notice, and none more so than the energy sector.

Read More

Topics: Risk, Hacking

You Failed Your Pen Test: How Can You Reduce Your Attack Surface?

Posted by Heather Howland on Nov 9, 2018 4:04:03 PM

Penetration testing is a critical best practice for virtually any organization’s cybersecurity posture. By putting defenses to the test against trained offensively-minded professionals, organizations can gain deep insights into how they’ll fare against real attackers. Often, the challenge is that the results are not what you would have hoped. When pen testers are able to carve through your defenses at will, it can be discouraging and hard to know where to start.

Read More

Topics: Threat Mitigation, Hacking, Insider Threat

From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP

Posted by Eyal Karni on Mar 13, 2018 10:05:15 AM

 In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a critical vulnerability that was discovered by Preempt. This vulnerability can be classified as a logical remote code execution (RCE) vulnerability. It resembles a classic relay attack, but with a nice twist: It is related to RSA cryptography (and prime numbers) which makes it quite unique and interesting.

Read More

Topics: Multi-factor Authentication, kerberos, Hacking, Black Hat, Security Advisory, Microsoft, RDP

Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers Through MS-RDP (Video)

Posted by Yaron Zinar on Mar 13, 2018 10:03:36 AM

In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt researchers. The vulnerability consists of a logical flaw in Credential Security Support Provider protocol (CredSSP) which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials to target servers. The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network. The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software. No attacks have been detected in the wild by Preempt.

Read More

Topics: kerberos, Hacking, Threat Detection, Security Advisory, Microsoft, CredSSP

New LDAP & RDP Relay Vulnerabilities in NTLM

Posted by Yaron Zinar on Jul 11, 2017 10:01:54 AM

Over the past few months, the Preempt research team discovered and reported two Microsoft NT LAN Manager (NTLM) vulnerabilities. These vulnerabilities have a common theme around two different protocols handling NTLM improperly. These issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled.

Read More

Topics: Domain Controller, NTLM, Hacking, Threat Detection, Security Advisory, Microsoft

QakBot, Stop Playing with my Active Directory!

Posted by Eran Cohen on Jun 23, 2017 9:39:32 AM

Really, it’s not just me saying that Active Directory is the crown jewel. It's actually them, the hackers, that de facto target the active directory in almost every advanced attack. They look for domain credentials and administrative accounts, they practice domain reconnaissance, privilege elevation, targeted attacks against the domain controller and more. Their motivation is similar to terror. For example: produce widespread fear, obtain recognition and attention of media, steal money, damage facilities and functionalities. This is why it was not surprising to learn about the QakBot Trojan causing a mess. 

Read More

Topics: Active Directory, Credential Compromise, Passwords, Hacking

Improving Hacking Techniques Used by the CIA  - DLL Proxy Made Easy

Posted by Avi Kama on Mar 16, 2017 11:59:45 AM

Just like the rest of the world, I’ve been fascinated by the CIA documents released by WikiLeaks (aka Vault 7 release). The more you read about the way CIA operates, the more it feels like there’s little anyone can do.  

Read More

Topics: Preempt Research Team, Hacking, CIA