Technology and Security

Category: Cybersecurity

Zero Trust Architecture

Zero Trust Architecture Overview

Zero Trust Architecture is one of the internet’s most highly overused buzzwords. At its core, it is a set of recommendations to secure an organization by:

  • removing implicit trust
  • enforcing least privileged access, and
  • applying continuous risk evaluation and monitoring.

NIST 800-207 formally documents the architecture. In this post we will attempt to simplify the complexity by focusing only on high-level concepts.

What is it?

In traditional security models, anything connected to an organization’s network was implicitly trusted. Not so long ago, when networks were smaller, more static, and easier to manage, this model was reliable.

Fast forward to today. Organizations now include a mix of on-premise equipment, clouds, mobile devices, IoT, and constantly evolving applications, protocols and threats. This complexity makes the old models impractical and insufficient.

As of May 2022, most major vendors are now offering products and services to support zero trust architecture. However, this is not something a single product can solve. Each vendor sells a piece of the puzzle. Every organization will have differing needs based on their attack surface, business model, and customer relationships. Implementing zero trust is as much about company’s governance and practices as it is about the technology itself. Next, we’ll focus in on the major influencing factors.

Three Pillars of Zero Trust

Frequently summarized as “never trust, always verify,” the three pillars of zero trust architecture are:

Pillars of Zero Trust
Pillars of Zero Trust

Zero Trust designs to secure modern environments by:

  • removing implicit network trust (and adding segmentation),
  • using least privilege authentication and authorization methods, and
  • intense monitoring and auditing.

In the next sections, we will take a brief look at each of these topics.

Never Trust A Network

Would you ever check-in to a hotel and start using the shared computer in the lobby to access your bank? Most of us would cringe at the thought, but conversely wouldn’t think twice about banking from your office computer. And yet IT staffs are continually under-staffed, under-budgeted, and over-worked. Having complete trust in your network’s security is now a luxury reserved only for the largest of companies or government agencies. And even they are fighting a losing battle against insider threats.

The current rate of cyberattacks is unprecedented, and assuming that your network is secure is dangerous. Even if you do everything right in advance (and few do), you are still vulnerable to 0-day attacks. At this point, it is simply more practical to assume your network is insecure, and move forward with planning from that perspective.

Now that we have a healthy distrust of our network, next up is to control the access to data and assets on the network.

Enforce Least Privilege Access

We need to protect high-value data and assets. To accomplish this goal, the principle of least privilege recommends that you only assign the minimum necessary rights to a subject (users, networks, systems, files, etc.) in order to function. Ideally, these restrictions should also factor in time, granting permissions only when needed and for minimal durations.

Through careful access delegation, any potential damage posed via an activity is limited, regardless of whether it is sanctioned, unsanctioned, intentional or unintentional.

Laziness often works against the principle of least privilege.  Granting bulk permissions beyond the scope of the necessary rights is convenient, but can come with disastrous effects when a breach occurs.

Audit and Monitor Everything

The days of “set it and forget it” are over. Perform continuous risk evaluation and monitoring vigilantly; Without this, you have no hope of minimizing your attack surface against ever evolving threats.

A dry run is the best way to determine if your monitoring and auditing posture is sufficient; Assume a network breach. Next run through your audit logs and determine whether there is enough information to find an attacker’s footprint.

installing metasploitable on hyper-v

Installing Metasploitable on Hyper-V

Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice penetration testing. This article will look at the steps required for installing Metasploitable on Hyper-V.

Downloading Metasploitable

There are a number of versions available for download. We will be using the download available directly from Rapid7 found here. Note that you will need to register an email address before receiving the free download link.

Converting the Image

Metasploitable is packaged in a VMware format. We must first convert it to be Hyper-V compatible. As of 2022, there are a lot of online links to documentation using Microsoft Virtual Machine Converter for this task. Unfortunately, Microsoft abandoned that utility and it is no longer available. We will instead use the free StarWind Converter found here. First unzip the Metasploitable download; Then use the following options for the wizard and finally press “Convert”:

  • Local File
  • Provide Source Image
  • Local File
  • Microsoft Virtual Hard Disk (VHD/VHDX)
  • VHD Growable Image
  • Destination File
StarWind Converter
StarWind Converter

This conversion will generate an image which can be directly imported into Hyper-V in the next step.

Installing Metasploitable on Hyper-V

Following the previous section should result in an image ready to be installed.

Converted VHD Image
Converted VHD Image

In the Hyper-V application, right click and choose “Import Virtual Machines”. Use the following settings in the wizard:

  • Specify Name and Location
  • Specify Generation 1
  • Assign Memory 2048MB
  • Configure Networking: Default Switch
  • Connect Virtual Hard Disk: Choose Existing
Choose Existing VHD
Choose Existing VHD

For the last step in the wizard, select the VHD that you previously converted. Finally press “Finish” on the summary page to create the virtual machine.

Changing the VM Network Adapter

The virtual machine will start but will not connect to a network as configured by default. The setup process creates a network adapter which is not compatible with Metasploitable. To resolve this problem, open the virtual machine settings. First remove the default network adapter and then create a “Legacy Network Adapter” as seen in the images below.

Remove VM Network Adapter
Remove VM Network Adapter
Create Legacy Network Adapter
Create Legacy Network Adapter

Verifying the Metasploitable Hyper-V VM

Now that your VM is fully configured, start it from Hyper-V. Once the Linux instance has launched, the username and password are both msfadmin.

Starting MetaSploitable
Starting MetaSploitable

After login you can issue a ping to google to ensure that networking is working correctly.

Ping Google from MetaSploitable
Ping Google from MetaSploitable

Your VM is now complete and ready to hack. Rapid7 maintains an exploitation guide found here. Finally, read our guide on installing Kali Linux to build a VM for attacking Metasploitable.

updating kali linux vm 2022.1

How to Upgrade Kali Linux to 2022.1

In this brief article we will upgrade Kali Linux to release 2022.1. This upgrade demonstration is on a Hyper-V virtual machine. The steps, however, are not specific to Hyper-V VMs and will work on other platforms. Kali 2022.1 was released on Feburary 14th 2022 with the full release notes located here. If you would like to create a Kali VM on Hyper-V please follow the process documented here.

Verifying the Virtual Machine

Start by opening a terminal window. Then issue the following command:

grep VERSION /etc/os-release

As you can see below, we are running the previous release from 2021 and need to upgrade.

kali linux old version
kali linux old version

Upgrading Kali Linux to 2022.1

Start by opening a terminal window. Then issue the following commands:

$ echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" | sudo tee /etc/apt/sources.list
$ sudo apt update && sudo apt -y full-upgrade
$ cp -rbi /etc/skel/. ~
$ [ -f /var/run/reboot-required ] && sudo reboot -f

If prompted, accept and details and make sure the vm reboots at the end.

Verifying the Upgrade

Start by opening a terminal window. Then issue the following command:

grep VERSION /etc/os-release

The virtual machine’s version is now up-to-date.

kali linux upgraded version
kali linux upgraded version
Kali Hyper-V

How to Install Kali Linux on Hyper-V

This article documents the process of installing Kali Linux as a virtual machine running on a Windows 10 workstation using Hyper-V. The installation has numerous steps but most of them involve accepting default values. Rather than include all of the screenshots inline (which will become unwieldy), this article will be broken into several pages. An overview will be discussed and the full series of screenshots will be included as appendix pages.

What is Kali Linux

Kali Linux (formerly known as BackTrack Linux) is an open-source, Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing.

Kali linux documentation

What is Hyper-V

Hyper-V is Microsoft’s hardware virtualization product. It lets you create and run a software version of a computer, called a virtual machine. Each virtual machine acts like a complete computer, running an operating system and programs. When you need computing resources, virtual machines give you more flexibility, help save time and money, and are a more efficient way to use hardware than just running one operating system on physical hardware.

microsoft hyper-v overview

Installation Overview

Installing Kali Linux on a Windows 10 workstation using Hyper-V involves the following steps:

  • Download the Kali Linux ISO image
  • Configure a new Hyper-V Virtual Machine
  • Install and Configure Kali Linux Operating System
  • Login to the Kali Linux VM

Downloading Kali Linux

Kali Linux is an open-source Linux distribution that has several installation options. For our purposes, we will be pulling the ISO image of the most recent stable build from the Kali Linux Download page.

There are several preconfigured virtual machines provided by Kali, but unfortunately Hyper-V is not one of them. We will instead select the recommended option for the “Bare Metal” installer.

download kali linux bare metal option
Download Kali Linux Bare Metal Option

Configure a new Hyper-V Virtual Machine

We assume you already have Hyper-V installed and running on your workstation. If not, please follow the Microsoft documentation for enabling the software.

Run the Hyper-V application, then right-click your workstation and select “New | Virtual Machine.”

create new hyper-v vm
Creating a new Hyper-V VM

You must complete several screens of options in order to configure the VM. Several steps worth noting include:

  • Assign Memory: change the default from 1024 to 2048
  • Connect Virtual Hard Disk: default is too large, 20GB is more than adequate for a starter Linux VM
  • Installation Options: configure to use the downloaded ISO image

There is a full listing of screenshots included in the Hyper-V Screenshot Appendix. After creating the VM by pressing Finish, you can begin the Kali Linux installation.

Install and Configure Kali Linux

Right-click on the newly created VM and select Connect:

connecting to a kali linux vm using hyper-v
Connecting to a Kali Linux VM using Hyper-V

There are almost two dozen configuration screens for the OS installation. Fortunately most of the steps can use default values. There is a full listing of screenshots included in the Kali Linux Screenshot Appendix. Fill out each configuration page and make sure to remember your username and password.

Login to the Kali Linux VM

After the last battery of questions, the VM will reboot itself and be ready for use with the login credentials you provided during setup.

Kali Linux Login Screen
Kali Linux Login Screen

Enter the username and password to login to the desktop:

Kali Linux Desktop
Kali Linux Desktop

Note that the initial user is an account with root user privileges. To verify this, open a terminal window and sudo up:

Kali Linux Root User
Kali Linux Root User

At this point your Kali Linux VM is complete. See the following pages for a complete listing of screenshots from the installation process. Note that you must be in the full-page mode for this article to see the additional pages.

log4j vulnerabilities in spring boot

Spring Boot Updates for Log4J Vulnerabilities

Hackers continue to scan and exploit systems containing Log4J vulnerabilities at an unprecedented rate. On 10 December, the Spring Blog published detailed instructions for remediating Spring Boot applications using Maven or Gradle build scripts; Where this solution pattern is still accurate, the documented version is now out-of-date. Remember that even though the library may not be explicitly imported, it still might be present as a transitive dependency.

Latest Release for Log4J Vulnerabilities

The most secure version of Log4J is now version 2.17.1 (documented in our previous article). To force Spring Boot to import the most recent release of Log4J, include the following in your build scripts:

Maven

<properties>
    <log4j2.version>2.17.1</log4j2.version>
</properties>

Gradle

ext['log4j2.version'] = '2.17.1'

Log4J Vulnerability Update (2.17.1)

Several weeks out from the initial zero-day event, the IT world continues to work through the remediation and blowback from the Apache Log4J vulnerability. First published as CVE-2021-44228 (Log4Shell) on 9 December 2021, subsequent CVEs continue to be issued as quick turnaround patches fail to completely resolve the problem. The most recent version is now 2.17.1 (released 28 December) which repairs a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.

This family of vulnerabilities affects millions of computers, clouds, networks, and IoT devices ranging from the size of postage stamps to automobile chargers. It derives from the use of a ubiquitous piece of software, Log4J, which is mostly unknown to those outside of the IT industry. This open source code is used to generate files containing records of events that occur in software written in (or somehow leveraging) the Java programming language.

Hackers, in the form of independents or state actors, continue to scan the internet for vulnerabilities as IT teams race to resolve the problem. Once a vulnerable device is found, bad actors attempt to trigger a log message that includes a malicious payload which Log4J will process as a valid instruction. These exploits can open a reverse shell which allows the hacker to remotely control the targeted device.

As concerning as the exploit is itself, even more concerning is the pervasive use of Log4J leading this vulnerability to be described by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Director as one of the most serious she has seen in her career.

As of today, the remediation path involves upgrading impacted software to use the latest Log4J release, version 2.17.1 (note that versions of Log4J 1.x remain unaffected). The 2.17.1 release is available on the Apache site and has not yet migrated into the central repositories such as Maven Central.

CISA has published a response page which lists the history as well as recommended remediation paths for this exploit. Large vendors continue to release updates, including Amazon, IBM, and Google, but a significant concern also remains with smaller IT shops that do not have the workforce to quickly identify and push out updates.

If you have not already remediated systems that you are responsible for, it is long overdue that you do…

Powered by WordPress & Theme by Anders Norén