B
Hello, this is Catalin Cimpanu and this is a Risky Business News sponsor interview with infosec legend HD Moore. His fingerprints are all over our industry, but now he's the founder and CEO of runZero, a company that does asset inventory and network visibility. Welcome, HD.
A
Oh, thanks, Catalin. Happy to be here.
B
You'd normally think that asset inventory and discovery is a closed case by now. You have a certain number of preset technologies that companies use. New ones appear once in a while. So everybody, scanners should be pretty tight by now to detect everything. But that's not true, is it?
A
No, I mean, it's less that. It's asset inventory that's the challenge as much as it's exposure management that's the real challenge. So if you look at what folks are trying to identify and find, a lot of companies aren't even running scans anymore. They're not looking for networks they don't know about. They're basically using the results of existing tooling like endpoint agents to say what they have, which in turn misses a huge portion of their estate. It's also really difficult to keep track of what is externally exposed when you have multiple geographic locations, multiple cloud providers, contractors coming in, VPNs, etc.
B
So what's your way to, let's say, help them put some order in this mess?
A
Sure, yeah. There's a lot of ways to do it. So where runZero started was really helping folks get a handle on the inside of their environment. So finding the networks you don't know about, finding your door access controller, finding all that stuff that's already part of your environment, but it was missing from your vuln management, it was missing from your EDRs. And that's kind of our strong point where we started. Over the years we've been adding more to it. So we have passive discovery, we do integrations with all your different things. And more recently, we came up with this thing that we've been calling Inside-Out Attack Surface Management, where we use detailed information about your internal assets to figure out which of those are exposed externally.
B
So how does this work at a technical level?
A
We spend a lot of time doing fingerprinting. So we'll look at every SSH server, every TLS server, every remote desktop, and we say, what is the public key being used? What is the fingerprint of this particular service, and what NTLMSSP response comes back from the domain, things like that. So lots of kind of nerdy bits of the protocol layer that indicate a unique fingerprint for that device, or something that should be unique for that device. Then we basically boil the entire ocean of the Internet and say, okay, did I see the remote desktop fingerprint for this internal server anywhere on the entire Internet? And we do that really efficiently, really quickly. And if you find what should be the internal server outside on the Internet, you've got a problem. And it's interesting because you can have multiple different types of problems depending on what you find. Let's say you find that same certificate on 10 servers outside, but there's only one inside. Well, oftentimes that means the machine was cloned. You've got a VMware machine that was copied multiple times. Or let's say it's a web camera, and the web camera has the same SSH key on a thousand machines on the Internet, as well as the two machines on your internal network. Well, that means the vendor hard-coded the crypto key, the SSH key, into the device. So there's a mix of different things that we can report. The good news is it's no false positive. It's either a direct exposure from the Internet to an internal device, or it's a case where one of your machines is using a key that should be unique, but isn't.
B
You mentioned two cases there. I presume, based on what you're fingerprinting, it's only a certain number of technologies that you can typically find using this. What are the most common things that you, let's say, find with them? You mentioned certificates. I imagine misconfigured servers inside, servers exposed on the outside. Is that the most common you see, or do you see something else?
A
Yeah, the ones we see. The most common exposure of internal to outside is actually expected. It's a normal thing you would expect to see. It's often web servers that are configured with the same certificate as the external side that are behind the firewall because they're the backend of the load balancer. So they're totally normal. You're supposed to have those things. That's not a security risk. But what we're finding when we start digging deeper into the data are cases where VPN appliances are exposed to the Internet on an IP range the customer didn't know they had. So we're finding this thing, like a Palo Alto device wired up to a broadband IP address that they had no idea was even tied to their network. They thought they shut the thing down years ago. Something else we're finding that's really interesting are mobile laptops that have mobile broadband adapters, like cellular connectivity modems. And we're finding that v6 addresses on the cellular side are exposed to the Internet through RDP, SSH, SNMP, you name it. And we'll be able to track those internally and externally based on the fingerprint of the service. So the three types of data we really track well today are SSH host keys and SSH kind of application fingerprints, the TLS certificates and the X.509 part of it, as well as the public key component, and then also MAC addresses. So if we can identify the MAC address of a device externally and internally through however, we can find the MAC a bunch of different ways. We see the same device in multiple places. It's either a cloned device or it's a case where the device is directly exposed.
B
So let's say you have a customer and you found something for them. I presume you will trigger a priority alert. Then you provide the alert to the customer. Do you help them investigate what's going on or is this something that they have to figure out?
A
Yeah, right now we attach a vulnerability record to the asset, so the asset criticality will change to, you know, critical, medium, whatever the exposure happens to be based on the heuristics that we find. And then they can quickly see that here's the external endpoint it was found on, here's the internal machine that's signed with, and any kind of hints we have about whether it's actually a direct exposure or a copied key. We try to create a different vulnerability record for shared keys than we do for direct exposure. So if there's like 20 of those devices internally and we see one externally, it's probably a cloned virtual machine. But if there's just a one-to-one ratio, it's almost certainly a direct exposure. So cases that we've identified for customers in the past have been like RDP open on a random telco IPv6 address because of the cellular modem, but also cases where a remote desktop server internally was being port forwarded and they just weren't aware of it.
B
You mentioned earlier about this causing less false positives. Security teams usually receive a very precise alert with exactly what went wrong and what was exposed. Are there other benefits customers have told you that they get from this type of.
A
Yeah, the big one is knowing what internal device it goes with. So if you look at normal external attack surface management, it's scanning your external infrastructure, it's saying here's ports that are exposed, badness, et cetera. That's great. The hardest problem that folks have using those tools is trying to find the owner of that asset. So you say, okay, I found a Windows desktop on the Internet, but who does it belong to, which admin set it up, which cloud is it even part of? So the great thing about starting off with the internal side first is we already know the inside part of it. We already know what network it's on, who the admin is, does it have EDR installed. Like we have all that other context about the asset, so that when you go to actually remediate the issue, you're not hunting for it across your environment. You already know exactly where to start.
B
I've dealt with several security practitioners that usually say when something gets deployed inside the network, it's usually secure, but it's made insecure later for interactions and management. Like for example, if you say you have a Jenkins server, you install a few integrations and then all of a sudden it starts spilling everywhere. Is this type of approach, can this type of approach be used for continuous monitoring?
A
Absolutely, yeah. If there's a type of device that you want to keep an eye on, or this shouldn't be on your network at all anymore, you can set an alert in the product and say, if I see this thing anywhere in my environment, external, internal, flag it, alert me. You can go the other way. Like, what we often see is that folks have tried to decommission something, they think it's totally offline and they forget one somewhere. So there is a leftover Palo Alto Networks firewall, there's a leftover Outlook Web Access server in the corner, or they're about to decommission a test domain controller someplace. Those tend to be where they get in trouble because it's a device that they're not really tracking. It's kind of off their radar of what they're managing. So it's those kind of forgotten things in the corner that tend to be the easiest entry points for an attack.
B
Since when have you been doing this type of scans? Do you have by now certain data to get an idea what kind of network topologies or specific platforms usually cause these problems?
A
We rolled it out about two months ago and so we let it kind of soak through the whole holiday season. We've been slowly ramping up the severity of the vulnerability findings to be more serious as we get more confidence in the finding. So early on we made everything low level, just info level. Here's some information that might be exposed, but no need for an action yet. And as we started getting more details about what's actually exposed, which ones are shared keys, improving the kind of coverage of that, we started getting to the point that now we can flag RDP and SSH exposures as being a critical vulnerability you should go solve. Whereas things like your known web server backends are generally low level, if anything you care about. So we have a bunch of heuristics we apply to it. But to give you some stats on it, we've got something like 50,000 devices out of about a sample set of 10 million that are exposed in some way or some form. And some of those are probably intentional, like web server backends, load balancers, things like that. But there's cases where they definitely weren't intended. Those could be things like older VPN servers, older gateways, remote desktop. Of course, you almost never want to see externally exposed SMB services in some cases. So it's been fun to kind of look at that. There's been some really oddball ones too. Like, one that really drove me crazy for a bit was that we had an external web server with a TLS certificate that was valid, but then we found a remote desktop server with the same certificate internally. And that's not normally what happens. So what happened in this case is the admin took the web server certificate, installed it on remote desktop. So it kind of threw us for a loop a little bit as we dug into it. Then we realized what was going on. Okay, it's not really an exposure. On one hand, you've got the web server and you've got the remote desktop server. They're not the same thing. So that's kind of how we nailed it down.
But you can have cases where like, an RDP gateway is sharing the same TLS server between the RDP endpoint and web server. So that's where we had to make the tool smarter, basically. And look a little bit further. Look at not just the key and the fingerprint for it, but also look at the application layer and make sure that the application layer matches the crypto key side.
B
From what you're telling me, this is just as useful for cloud environments, right?
A
Yep. It doesn't matter where it is. If you're scanning inside of your cloud VPC and you think your security rules are set up a particular way and your groups are configured a certain way, we can prove that they actually are or not. So the main goal of this is to make, you know, your existing external attack surface management better. Whether you're using runZero for that through our hosted scan engines and all of our external discovery, or whether you're using a third party, we can help you identify what is the internal side of that exposure. So when you go to mitigate it, it's just a really quick process.
B
Thank you very much. That was a very insightful talk. Thank you very much.
A
Okay.
Title: Sponsored: runZero on Inside-Out Attack Surface Management
Host: Catalin Cimpanu
Guest: HD Moore, Founder and CEO of runZero
Release Date: January 26, 2025
In this episode of Risky Bulletin, Catalin Cimpanu interviews cybersecurity luminary HD Moore, the founder and CEO of runZero. The discussion centers around the pivotal role of asset inventory and network visibility in modern cybersecurity strategies.
HD Moore opens the conversation by challenging the common perception that asset inventory and discovery are "closed cases." He emphasizes the ongoing complexities in managing assets and exposures within dynamic network environments.
“It’s asset inventory that’s the challenge as much as it’s exposure management that’s the real challenge.”
— HD Moore [00:39]
HD Moore elaborates on the difficulties organizations face in maintaining accurate asset inventories. He points out that many companies have ceased running regular scans, relying instead on endpoint agents to report assets. This approach often results in significant gaps in visibility.
“They’re not looking for networks they don't know about... it misses a huge portion of their estate.”
— HD Moore [00:39]
Furthermore, Moore highlights the complications of tracking externally exposed assets across multiple geographical locations, cloud providers, and through various access methods like VPNs.
runZero addresses these challenges by providing comprehensive asset inventory and exposure management. Moore describes how runZero initially focused on internal visibility, discovering networks and devices that existing tools often overlook. Over time, runZero has expanded its capabilities to include passive discovery and integrations with various systems.
A key innovation introduced by runZero is Inside-Out Attack Surface Management, which leverages detailed internal asset information to identify external exposures.
“We use detailed information about your internal assets to figure out which of those are exposed externally.”
— HD Moore [01:44]
Moore delves into the technical mechanisms behind runZero’s approach. The company employs extensive fingerprinting techniques to uniquely identify devices and services. By analyzing factors such as public keys, SSH host keys, TLS certificates, and MAC addresses, runZero can detect whether internal assets are inadvertently exposed to the internet.
“We spend a lot of time doing fingerprinting... if you find what should be the internal server outside of the Internet, you've got a problem.”
— HD Moore [01:47]
This method ensures high accuracy in detection, minimizing false positives by confirming direct exposures or issues with shared cryptographic keys.
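As an added illustration of the matching heuristics Moore describes (a one-to-one fingerprint match is a direct exposure, many internal copies point to cloned machines or load-balancer backends, many external copies point to a vendor-shared key, and a key seen on different application layers is a reused certificate rather than an exposure), here is a small correlation script. It is not runZero's code; all asset names, endpoints and fingerprints are constructed sample data.

```python
from collections import defaultdict

# Constructed internal inventory: (asset, service, key/cert fingerprint)
INTERNAL = [
    ("rds01.corp",    "rdp",   "sha256:aaa1"),  # remote desktop, unique cert
    ("web-be-1.corp", "https", "sha256:bbb2"),  # load-balancer backends
    ("web-be-2.corp", "https", "sha256:bbb2"),
    ("cam-lobby",     "ssh",   "sha256:ccc3"),  # IP camera, vendor SSH key
    ("www-int.corp",  "https", "sha256:ddd4"),  # web cert later reused on RDP
]
# Constructed external scan results: (public endpoint, service, fingerprint)
EXTERNAL = [
    ("203.0.113.7:3389",    "rdp",   "sha256:aaa1"),
    ("lb.example.com:443",  "https", "sha256:bbb2"),
    *[(f"198.51.100.{i}:22", "ssh", "sha256:ccc3") for i in range(1, 51)],
    ("gw.example.com:3389", "rdp",   "sha256:ddd4"),
]

CRITICAL_SERVICES = {"rdp", "ssh", "smb"}   # exposures worth a critical rating
SHARED_KEY_THRESHOLD = 5                   # many external copies => hard-coded key

def classify(internal_hits, external_hits):
    """Return (kind, severity) for one fingerprint seen on both sides."""
    int_services = {svc for _, svc in internal_hits}
    ext_services = {svc for _, svc in external_hits}
    if not int_services & ext_services:
        # Same key, different application layer: e.g. a web cert installed on RDP
        return "cert-reused-across-apps", "info"
    if len(external_hits) >= SHARED_KEY_THRESHOLD:
        return "vendor-shared-key", "medium"
    if len(internal_hits) > 1 and len(external_hits) == 1:
        # Many internal copies: cloned VMs or backends behind one load balancer
        return "cloned-or-backend", "low"
    # One-to-one match: the internal service itself is reachable from outside
    sev = "critical" if ext_services & CRITICAL_SERVICES else "low"
    return "direct-exposure", sev

def correlate(internal, external):
    """Join both inventories on fingerprint and classify every overlap."""
    by_fp_int, by_fp_ext = defaultdict(list), defaultdict(list)
    for asset, svc, fp in internal:
        by_fp_int[fp].append((asset, svc))
    for endpoint, svc, fp in external:
        by_fp_ext[fp].append((endpoint, svc))
    findings = {}
    for fp in by_fp_int.keys() & by_fp_ext.keys():
        kind, sev = classify(by_fp_int[fp], by_fp_ext[fp])
        findings[fp] = {"kind": kind, "severity": sev,
                        "internal": [a for a, _ in by_fp_int[fp]],
                        "external": [e for e, _ in by_fp_ext[fp]]}
    return findings

if __name__ == "__main__":
    for fp, f in sorted(correlate(INTERNAL, EXTERNAL).items()):
        print(fp, f["kind"], f["severity"], f["internal"], "->", f["external"][:2])
```

The threshold and severity table are the heuristic knobs; in practice they would be tuned per environment, as the interview notes runZero did over its first months.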
HD Moore shares insights into the most prevalent types of exposures identified by runZero. Contrary to initial expectations, many exposures are legitimate, such as backend web servers behind firewalls. However, runZero also uncovers unintended exposures, including VPN appliances on IP ranges the customer did not know it owned and laptops whose cellular modems expose RDP and SSH over IPv6.
“The big one is knowing what internal device it goes with... you already know exactly where to start.”
— HD Moore [05:49]
Upon detecting an exposure, runZero generates priority alerts for customers. These alerts are enriched with contextual information, linking external endpoints to internal assets and providing actionable insights. This approach streamlines the remediation process by eliminating the need for extensive hunting across the network.
“We attach a vulnerability record to the asset... they already know exactly where to start.”
— HD Moore [04:45]
Customers appreciate runZero’s ability to provide precise alerts with minimal false positives. The system not only flags exposures but also identifies the internal context, such as the responsible administrator, network details, and whether the asset has endpoint detection and response (EDR) installed.
“We already have all that other context about the asset so that when you go to actually remediate the issue, you’re not hunting for it across your environment.”
— HD Moore [05:49]
This comprehensive approach enhances the effectiveness of existing external attack surface management tools by bridging the internal-external visibility gap.
The conversation shifts to the importance of continuous monitoring. Moore explains that runZero allows organizations to set alerts for specific devices or configurations, ensuring that any unauthorized changes or exposures are promptly detected.
“If there's a type of device that you want to keep an eye on... flag it, alert me.”
— HD Moore [06:47]
This capability is particularly useful for identifying leftover or decommissioned devices that may pose security risks if forgotten.
Having rolled out runZero’s scanning capabilities two months prior, Moore shares initial observations. Out of a sample set of 10 million devices, approximately 50,000 were found to have some form of exposure. While many were expected, such as backend web servers, runZero also identified unexpected issues like older VPN servers and gateways, remote desktop servers, externally exposed SMB services, and forgotten devices that were thought to be decommissioned.
“There’s a leftover Palo Alto Networks firewall... they think it’s totally offline and they forget one somewhere.”
— HD Moore [07:34]
These findings underscore the necessity of robust asset and exposure management practices.
HD Moore confirms that runZero’s solutions are equally effective in cloud environments. Whether assets reside within on-premises networks or cloud virtual private clouds (VPCs), runZero can validate security configurations and uncover exposures.
“It doesn’t matter where it is... we can help you identify what is the internal side of that exposure.”
— HD Moore [09:25]
This versatility ensures that organizations leveraging cloud infrastructures can maintain comprehensive security oversight.
The episode highlights the critical importance of inside-out attack surface management in today’s complex and dynamic network landscapes. runZero, under HD Moore’s leadership, offers a sophisticated solution that not only enhances asset inventory accuracy but also provides actionable insights into external exposures. By bridging the gap between internal asset visibility and external threat landscapes, runZero empowers organizations to proactively secure their environments against evolving cyber threats.