Mike Jankowski-Lorek, Ph.D., is a solution architect, developer, data scientist, and security expert. He designs and implements solutions for databases, network and management areas, mainly for the Microsoft platform, for medium to enterprise level organizations. He holds multiple certifications, especially security, database, and software development related. He is one of the core experts at CQURE and closely cooperates with Paula Januszkiewicz. Jankowski-Lorek co-presented with Paula sessions at RSAC USA and Black Hat USA / Europe 2010-2018. At the same time he cooperates with the Polish-Japanese Academy of Information Technology. Moreover, he is an author of multiple scientific publications, including a chapter in the Encyclopedia of Social Network Analysis and Mining published by Springer.
About the talk
Mike Jankowski-Lorek, Director of Consulting and Cybersecurity Expert, CQURE Inc. - Top Rated Speaker
Modern identity management is crucial for organizations faced with remote working and relying upon cloud-based solutions. Are these solutions truly safe? Watch how hackers are bypassing MFA, attacking modern authentication protocols or misusing Windows Hello for Business and other software.
I'm Doctor Mike Jankowski-Lorek. I'm Director of Consulting and cybersecurity expert working for CQURE, a company established by Paula Januszkiewicz more than 12 years ago, and we are working all over the world providing services related to cybersecurity: configuration reviews, penetration testing, [inaudible], as well as trainings and conferences like this one. Personally, I switched [inaudible], and that's why I'm here today with you to share thoughts about modern identity and remote work.

Digital transformation has rapidly increased its pace since the beginning of COVID-19. We were just working at the office, maybe a little bit working remotely through the VPN, but we were forced to switch to remote work, or at least some kind of mixed type of work. This introduced a completely new type of security challenge. One of them is access to corporate resources. A report already created in 2019 said that more than 50% of employees globally were working at least two and a half days a week not from the office. Now, during the COVID-19 pandemic, these numbers are completely different and they are much, much higher. At the same time, the Cybersecurity and Infrastructure Security Agency encouraged organizations to adopt a heightened state of cybersecurity at the beginning of the global pandemic. And what was the easiest solution? Give everyone access to the VPN, because it was already in place; just a new group of employees [inaudible]. And CISA, in its alert from 2020 regarding enterprise VPN security, warned especially about adversaries targeting them with phishing and identity theft, for organizations without MFA. So everyone that has not adopted MFA will definitely be targeted, and warned about the limited capabilities of IT security personnel to perform cybersecurity tasks on VPN access and detection of anomalies. Something that is amazing: when you are getting to the remote work, watch out for that one, and also increase the visibility. This shows that the first, simplest and, let's say, the oldest type of identity credentials, just like a username and password, is going to be more targeted than ever before. That's also what we are observing during multiple incidents and emergency services that we've been providing throughout the last couple of months. The first phase of the attack always looks the same: a damn good phishing campaign harvesting some credentials. Then they use them: they are connecting through the VPN, because there is no MFA available. So the traditional credentials, the easiest way to verify the identity with the username and password, are really failing us here, because it's so easy to harvest someone's password. [inaudible] It's a remote elevation of privileges through [inaudible]. Those are systems inside of your network; they are not exposed externally, but through the VPN they are visible, deployed somewhere, and this is usually possible. What are other requirements or options for the remote work, for example for sharing the data?
Do they use it? You should have already in place a good collaboration solution, like SharePoint or whatever. But if you don't have it, users receive a file through the mail and send back different versions of the same file, and that's really bad, because in case of business email compromise all of that would be visible. The second thing is access to on-premises databases, usually done through the VPN. Nothing we can do here unless there is an application in front; if there is some web application, you can go with an application proxy on the enterprise side and, for example, publish the application, so that business applications are available from anywhere, everywhere and all the time. It is a good thing to have, but not every application is already prepared for being available publicly. Remember: there is different identification of the user, authentication and authorization for this case. And the last part, which is very important, is that you need to think about trusted devices to process the data securely, because the strongest authentication and the strongest authorization can be bypassed if the environment in which we are processing the data is not secure, is already compromised by the hacker.

What are the main risks of the remote work? Not well-managed computers connecting to the corporate network. Something that is really, really [inaudible]: patching problems for services like VPN. They are accessed 24/7, so there is no time for rebooting, there's no time for patching. You need to develop a plan for that one, because if there is an issue with it (recently we had a couple of CVEs that are related to those kinds of access), then you will be exposed. For example, identities: we have seen increased phishing campaigns targeting your credentials. Nothing to do about that one; you can increase the filters, you can educate users about reading of the mail, but it can be done unless you change to some kind of credentials [inaudible]. With the lack of the solutions which I already mentioned for data sharing, users get to the files and work at the same time on the same file. Then problems with VPN access, its performance and stability. And this is something that's increasing all the time, because we have a couple of options of bypassing this or mitigating it. Remember, it's always [inaudible].

So before we jump to the demos, here are a couple of statistics: how many percent of the employees in question were using each of the devices? What major devices: desktop, smartphone, tablet? Not so much: only 19% of the questioned employees have not used any kind of personal devices to access the corporate data. So even if you distribute corporate devices, they are still using corporate data on their own device. Corporate data on a personal type of device: desktop, laptop, smartphone and tablet. As you can see, most of those are the desktop and laptop, so they're the ones that employees use the most. And how about controlling those devices? 65% of IT professionals responded that they don't have tools to manage non-company devices; 44% saw increasing help desk work after switching to remote work. Those are the factors that are contributing to the problems. Let's see what can go wrong. The first part is about the attacks on remote work. I will start with the VPN, and you might be wondering why this one has been chosen by me to show an attack. [inaudible]
This VPN is not based on a username and password; it is based on certificates, for the computer and for the user. So it's strong authentication and this is a good way of protecting it. At the same time, we still can abuse it, going through the device that has already established a connection to the environment. Let's see how this one works. First of all, let's see the setup. I'm setting it up right now: the user is going to connect from the environment to the VPN. Let's see what our connections are. Can I ping the server? This is the easier one: no, it's not working until I connect with the VPN, just showing that I'm outside of the network. Connecting with the VPN is very simple. The second time I would be able to reach this server; again, some time for the ping, but it's working. It's some legacy Java server; for those of you who have seen this one, it's probably vulnerable to many different types of attacks that I can do right now.

On the second side, I have already here Kali. Let's see if I'm able to get to the same server IP address. Okay, I'm here, but I should not know the IP address from outside; in such case we already know this to speed up the process of the demo. It's connecting to the network, which is 192.168.201.x. It can be anywhere around the world; it's just about knowing the IP address of the Kali, because this server would be used for the command and control. So I'm switching to Metasploit. It is a very common framework for pentesting, for example for playing around with that environment. Incoming connections are important: the connection has started from the workstation to my server, to my Kali, and there is the IP address of my local Kali. I'm setting up the payload for that matter; it's a reverse TCP payload. We are starting to listen on the port, waiting for incoming connections. The connection is coming from the Windows 10 machine. I'm not connecting from the Kali to the Windows 10 machine; I'm connecting from the Windows 10 machine inside to the Kali. This was not visible, because there is already malware that is constantly running on the Windows 10 machine. Right now I'm only focusing on the part in which the machine is already compromised and it's connecting back to my Kali, which allows me to get this connection no matter from where. The attacker is controlling this computer, and it doesn't matter if there is a firewall in between. I can see this system in the same session. It is only possible, of course, if outgoing connections from the Windows 10 machine are allowed to get to my system. But let's see what the sessions are. This one is right now still active, the session number one, so I'm interactively connecting to session number 1. This is starting Meterpreter. What I can do is get to the shell on the remote host. The second thing is that I have the IP configuration. So one of the networks is [inaudible], but the second one is 10.10.10.151, because it's connected to the VPN. So this computer is in two different places at the same time: it's connected to the VPN, and it's connected also to some access at the home, because it needs to have access to the remote resources. It's possible for me to extract the credentials, for example, which can be stored inside of the VPN connection. The OpenVPN extraction tool: this is a very simple PowerShell script that is extracting saved information that is inside of the Windows registry. So, if you think about saving some credentials, think about who can access those credentials. Whatever was stored was very easy to extract, so whenever you are saving the password, remember someone can come and extract it. Then Meterpreter: I'm getting back to the Meterpreter and I'm going to send this session into the background, because I want to
switch from the Meterpreter this time to a different module, route. As long as the session exists there is an established connection, I can communicate with the Windows 10 machine, and the SOCKS proxy is a service that allows me to simply use it as a proxy. It's listening on the port. Before running it I need to add one more thing: I want to access the route to the VPN network, which was going like that: it was 10.10.10.0 with the 24-bit mask, so 255.255.255.0, because this is the enterprise VPN interface, and this time the session ID. So this is the same as previously: I was connecting through the SOCKS proxy server. I have a proxy server listening on an IP address; whenever I'm trying to get to that one directly, there is no connection. In such case I will use proxychains, and I would be able to get to my system that is inside of the corporate network. So as you can see, I'm scanning right now and there is port 8080 available and it's connecting. Okay, because I'm connecting to the localhost and going through that tunnel to get to that remote host, and then really working with scanning the Windows 10 network through the VPN connection that was established from the compromised machine. So even without knowing anything about the VPN, I set up Firefox with proxychains, and as you can see, it's also available for me right now. So that's something that's quite commonly used for accessing networks that are not externally available.

So just to have a small recap here. The computer was compromised: my computer, or my personal computer, that has an established connection to the VPN, so this computer has access to the VPN and access to the network. This computer was compromised with some malware; this I was not showing, because there are so many different ways of how it can be done. It can be, for example, through some special kind of mail or anything similar, and it's connecting to my command and control computer. So this was my Kali: this is the computer that is controlled by the attacker, and he was just issuing commands through this server, through this computer, to get to the services inside. So it's like a tunnel that is initiated from this Windows 10 machine. The same Windows 10 machine with the malware is initiating the connection to that command and control center, which allows bouncing over to get to the company resources. So, as you have seen, this technique can be used no matter what kind of credentials or identity verification is done under the VPN; it also works with the most modern identity. No matter if it's a certificate or something else on the VPN, you can simply use it and attack.

Now it's time for something more modern, that can be fully cloud-based or hybrid, adopting some new principles. One of those is Zero Trust. It's for cloud-based and hybrid environments; for those which are on-site only, on-premises, it's a little bit more difficult,
but it's a very good idea to even start adopting partially the Zero Trust. What are the three principles of Zero Trust that everyone is talking about right now? It's never trust, always verify: so always authenticate and authorize all incoming requests, including user identity, location, device health, data classification, and try to detect anomalies. All of those elements are building this "always verify". The second thing is least privilege, no matter what. So this is the meaning of least privilege and permissions: assign to users, or in general identities, only what they need to perform the tasks that they need to do. It's also risk-based adaptive policies which are protecting against data breaches. For example, if you are outside of your normal working hours, or you are outside of your normal locations in which you work, you are getting less privileges; you don't have access to the most sensitive data. Then the last part is always assume the breach. So you don't trust any device, no matter whether this is the computer of your colleague which is next to you, or this is the server that's controlled by your IT department. You always assume the device that processes that request is hostile. You should always encrypt all traffic and do end-to-end encryption no matter what, and use analytics to get visibility and detection of threats and to detect anomalies.

So, why are we focusing so much on the identity and the protection of it? It's all about the evolution of the security perimeter. At the beginning there was physical security: big fence, guard dog, maybe a moat with alligators inside. Next, we connected the computers to the Internet and there is a new perimeter, the network, especially the perimeter with the DMZ and external access. This is what was protected. But right now we are living and working in the hyper-connected world, where your smart watch is connected to the mail server, where your car is getting information from your phone, and all are connected to the Internet, which makes it all available all over the world, no matter where. So what is the one thing that is giving you access to all of the devices and data? It's your identity. So you need to protect it, and you can protect it by using the classic way, like a username and password, or you can go a little bit more modern way, which is more secure as well. What's the simplest way to protect that? A good set of credentials. And what's the easiest way to mitigate the classic attacks? It's MFA, multi-factor authentication. What about at least two factors? What are the factors? Something you know, something you have, something you are. So, for example, biometric verification: please never send it over the network; keep the identification within the device. A biometric is very good, but only to unlock something like a strong credential, locally. Don't transfer it, because it is not changeable. Something you have: you can change it. Something you know, like a password: you can change it. But I don't want to change my biometrics; I have a limited number of them, whether it's a fingerprint or the iris scan, and it's not a good idea to lose them. Somewhere you are: so where are you, depending on the location? If it's your standard IP addresses, compared by your geolocation, it might be allowed; if not, it might be blocked. This is conditional access for this, and that's good.
Is it really possible to break the MFA? Let's see how secure it is. Let's switch to the next demo. So I'm connecting right now to the Kali Linux machine. This is a public host [inaudible], and I'm starting to impersonate Microsoft, because I'm sending a message from a domain that looks like microsoftonline.com, and this is a bait prepared for the phishing: it looks like a Teams message saying that you have some messages not received yet or not replied to, from a domain that is similar to the Microsoft domain. I'm just going to show how the mail looks when the user receives it. The user gets the mail, a brand new mail, and opens it inside of the web browser, in Outlook. He is clicking on the link and is redirected to the lookalike domain. The login and everything is looking perfectly fine, just with a different domain name in the URL. At the same time, the same operation is happening in the background to the real Microsoft login page, and after the user authenticates, he is redirected, so he's not suspecting anything here and it all looks good. He's getting the same information from that site, and at the same time on the attacker's side there is the information about this user and their identification, with the password, and also all authorization tokens are intercepted. So as you can see I also have a session which is working here, and I'm able to get to those credentials and also to all the tokens that were issued. So now it's just a case of getting the token into the browser and not passing through the password anymore, not being bothered by any kind of MFA.

So, how about even more modern authentication, done using a device? How about using that strong authentication, Windows Hello for Business? It replaces passwords with strong two-factor authentication on PCs and mobile devices, and uses biometric verification, or maybe a PIN, to unlock the credentials. The biometric or the PIN is never sent; only the NGC key is used to confirm the identity. This is the most modern type of credential that we have, and it addresses the problems of password breaches on the server, of exposed network credentials, all of those. It can be used for authenticating to the Microsoft account, Active Directory account, Microsoft Azure Active Directory, or to any other third-party identity provider, for example. But also, Windows Hello for Business might be used as a vector of an attack or for persistency inside of the network.
Let's see how this one looks. This is the configuration in which I have domain admin access, and right now I'm trying to leave the persistency for the future. I'm creating new credentials, a self-signed certificate. As you can see, it says self-signed, so we are just presenting that NGC key, and I'm exporting it to the pfx file. For all of those operations I'm going to use the DSInternals module, created by my colleague Michael, and this is not the time for some user [inaudible]. This one has used the domain admin access, because it's our own domain, but similar attacks can be performed when we are accessing something on the network. The thing about those credentials is that they need to be imported inside of the Active Directory object. So I need to find the object of this user. This is the master user in the domain, and I'm setting the msDS-KeyCredentialLink to the NGC key in the binary format. I'm writing it to the Active Directory object.

So I'm signing out, because I don't want to be an admin anymore, and I want to show that there is a user, a local user. That's very important: it is a local user, so I have no permissions on the domain. I just need to have access to this PFX; I have access to the NGC key, because it's based on the certificate, but it's really inside of that, and it's not visible as a certificate. Let's try to get to the domain controller. Whoami: and now it's only the local built-in user. Let's try to get to the domain controller: [inaudible], it should be denied, as you see. The thing is that I'm going to use exactly the same credentials, but use different powerful tools. So this time it's Mimikatz, created by Benjamin Delpy. I would be requesting the Kerberos ticket granting ticket, because I'm on [inaudible]. So that's one of the things that is possible: no matter where you are, you can request this ticket if it's available for your NGC credential. And credentials are also for the cloud, but a slightly different path would be used, with a factor seeing that as your ID. Right now I'm putting the pfx, because the previous attempt was not correct; I need to point to the pfx. This is the self-signed certificate that was generated with the NGC key, so after importing the NGC, I'm able to get to my system, because I'm requesting right now the TGT, and this is the TGT. And the second thing is that I already have here the password hash for NTLM. So even if the machine uses the newest one, I can get the old one, and it's still giving me a path for getting to that. That's quite [inaudible]. So I can also use it to pass the ticket: I get that kind of ticket right away. So you can simply get that console, or use the same console, to authenticate to resources, for example to the domain controller. Do it with that one, when it's starting exactly like this, and I can get to, for example, NTDS.dit, or any other application that does authentication in the Active Directory which is using the newest Windows Hello for Business. This is something that is sometimes neglected in the environment: to be able to perform this kind of attack, remember that the only thing that's needed is that there is some certificate inside of the backend key [inaudible] in the environment.

Okay, those are a couple of parts that were using different kinds of identities. The first one was the VPN pivoting, which showed you that even with the most modern authentication to the VPN, it is still dangerous.
Has everyone adjusted to that new reality, where everyone is working remotely? Yeah, sure, definitely [inaudible]. Then the second demo was about the phishing to bypass the MFA. The last part is really about Windows Hello for Business, so also using the newest type of the credentials. So how to mitigate the remote access problems? Even though I was showing how to bypass MFA, it is still much better to have it than not to have it. Increase the visibility of what your remote workers are doing. Make sure that there is an appropriate training for the IT personnel to handle the cases with the VPN. What are the long-term indications? Those which are not including the [inaudible] VPN itself: have a written and tested incident response plan involving the complete remote access path, no matter what your remote access is, proxy servers or the VPN, doesn't matter, include it, because your security posture has changed and the surface of attack has as well. Always assume the breach as a critical aspect. Whether you're using VPN or not, have your ongoing security monitoring for the VPN and the rest. Design and introduce access authentication and authorization to the resources regardless of the user location and the way of authenticating and accessing the resources. Try not to use the legacy identity credentials with the username and password; go with something more modern, such as Windows Hello for Business, and I think it's better than this. Go on with the Zero Trust: adopt your solution to verify identity and access regardless of user location. Remember, implement passwordless authentication; that's a good idea, because passwords are constantly being breached. I hope you enjoyed the session. Adjust to the remote work as well, by protecting the remote work, because the attackers are adjusting to it, to try to breach your security.
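The Windows Hello for Business demo above works by writing an attacker-controlled NGC key into a user's msDS-KeyCredentialLink attribute. A defender can look for exactly that: an NGC key whose device is not in the organization's device inventory, or one that appeared recently on a sensitive account. The following Python is an added example, not code from the talk, from CQURE or from DSInternals. It assumes the attribute is read from AD as a DN-Binary string ("B:<hexlen>:<hex>:<DN>", DN being the owning user's DN), that the binary part follows the KEYCREDENTIALLINK_BLOB layout from MS-ADTS 2.2.20 (the entry identifiers and the NGC KeyUsage value are my reading of that spec), and that the device inventory is a set of device GUIDs the organization maintains. The directory values, user DN and device GUID below are constructed for the demonstration.

```python
"""Audit msDS-KeyCredentialLink values for NGC keys not tied to an inventoried device.

Added example (not from the talk or DSInternals). Blob layout per MS-ADTS 2.2.20,
entry identifiers and usage codes as I read that spec; sample data is constructed.
"""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (assumed per MS-ADTS 2.2.20)
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CREATION_TIME = 0x06, 0x09
BLOB_VERSION = 0x00000200   # current blob version
USAGE_NGC = 0x01            # KeyUsage value for Windows Hello for Business keys

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_dn_binary(value: str):
    """Split a DN-Binary attribute value into (blob bytes, DN string)."""
    tag, hexlen, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential_link(blob: bytes) -> dict:
    """Decode the TLV entries of a KEYCREDENTIALLINK_BLOB into a summary dict."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != BLOB_VERSION:
        raise ValueError(f"unsupported blob version {version:#x}")
    entries, offset = {}, 4
    while offset < len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)  # 2-byte length, 1-byte id
        offset += 3
        entries[ident] = blob[offset:offset + length]
        offset += length
    device, created = entries.get(DEVICE_ID), entries.get(CREATION_TIME)
    return {
        "key_id": entries.get(KEY_ID, b"").hex(),
        "usage": entries.get(KEY_USAGE, b"\x00")[0],
        "device_id": str(uuid.UUID(bytes_le=device)) if device else None,
        "created": filetime_to_datetime(struct.unpack("<Q", created)[0]) if created else None,
    }


def audit_key_credentials(values, known_device_ids, now, recent_days=7):
    """Return (owner DN, key id, reasons) for NGC keys that deserve an analyst's look."""
    findings = []
    for value in values:
        blob, owner_dn = parse_dn_binary(value)
        kc = parse_key_credential_link(blob)
        if kc["usage"] != USAGE_NGC:
            continue  # only Windows Hello for Business keys are of interest here
        reasons = []
        if kc["device_id"] is None or kc["device_id"] not in known_device_ids:
            reasons.append("device not in inventory")
        if kc["created"] is not None and now - kc["created"] <= timedelta(days=recent_days):
            reasons.append(f"created within the last {recent_days} days")
        if reasons:
            findings.append((owner_dn, kc["key_id"], reasons))
    return findings


# --- constructed sample data (no real directory involved) ----------------------

def build_blob(key_material: bytes, usage: int, device_id, created: datetime) -> bytes:
    """Serialize a minimal, well-formed blob so the sample values can be parsed."""
    def entry(ident, value):
        return struct.pack("<HB", len(value), ident) + value
    body = entry(KEY_MATERIAL, key_material) + entry(KEY_USAGE, bytes([usage])) + entry(KEY_SOURCE, b"\x00")
    if device_id:
        body += entry(DEVICE_ID, uuid.UUID(device_id).bytes_le)
    body += entry(CREATION_TIME, struct.pack("<Q", datetime_to_filetime(created)))
    key_id, key_hash = hashlib.sha256(key_material).digest(), hashlib.sha256(body).digest()
    return struct.pack("<I", BLOB_VERSION) + entry(KEY_ID, key_id) + entry(KEY_HASH, key_hash) + body


def to_dn_binary(blob: bytes, dn: str) -> str:
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"


NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
KNOWN_DEVICES = {"11111111-2222-3333-4444-555555555555"}   # constructed device inventory
ALICE = "CN=Alice,OU=Users,DC=example,DC=local"           # constructed user DN
SAMPLE_VALUES = [
    # enrolled 200 days ago from an inventoried device: expected, not flagged
    to_dn_binary(build_blob(b"constructed legit key material", USAGE_NGC,
                            "11111111-2222-3333-4444-555555555555", NOW - timedelta(days=200)), ALICE),
    # written yesterday with no known device: what the persistence demo leaves behind
    to_dn_binary(build_blob(b"constructed rogue key material", USAGE_NGC, None, NOW - timedelta(days=1)), ALICE),
]

if __name__ == "__main__":
    for owner, key_id, reasons in audit_key_credentials(SAMPLE_VALUES, KNOWN_DEVICES, NOW):
        print(f"{owner}: key {key_id[:16]}... -> {', '.join(reasons)}")
```

In a real deployment the values would come from an LDAP query for msDS-KeyCredentialLink on privileged accounts, and the inventory from the MDM or from the device objects in AD; the "recent" reason is there to be correlated with directory change auditing (who wrote the attribute), not to be alerted on alone.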