Something you might take for granted could be robbing you blind.
Here is a little background to set the stage. The Verodin platform was installed at a customer site to help them instrument their security posture across network and endpoint security controls.
Verodin is a security instrumentation company with a platform that allows you to validate your security controls such as firewalls, IPS solutions, DLPs, SIEMs, endpoint security controls and the like by allowing you to safely execute real attacks in your production network resulting in empiric evidence about the true state of your security at a point in time and trended over time.
By using Verodin’s platform, you can determine if your controls are blocking, detecting, reporting, etc. as you assume, hope and pray they are, while also reviewing the effectiveness of your people and processes. And Verodin helps to ensure that your awesome security posture hasn’t suffered from defensive regression, i.e. something that was working is no longer working because someone changed a rule, a patch update was applied, a cable was unplugged, a span port was shut off or an endpoint control was modified. More simply put – Verodin allows you to continuously have visibility into what’s working and what’s not.
This customer had Verodin Actors deployed throughout their network and on various endpoints. Think of a Verodin Actor as a software, hardware, cloud or VM-based attacker and target. Verodin Actors are controlled by a – wait for it – Verodin Director. The Director will tell the Actors when to attack, how to attack, what attack to use, how often, with what parameters, etc. Verodin Actors only attack other Verodin Actors to see if the security controls in place are doing their job and if the people and processes in place to respond to attacks are working.
Some of the customer’s Actors were deployed in their critical server network; other Actors were deployed in network theaters (a bit of a theme here I know) such as desktops, remote users, Amazon cloud, partner networks, unprotected Internet and so on.
The customer configured thousands of hourly assessments where various Verodin Actors were attacking other Verodin Actors and testing everything from malware and bot activity to lateral movement and data exfiltration. That’s when the dreaded defensive regression set in.
The security team started getting alerts from Verodin showing that it was now possible to use ICMP to tunnel data from their critical server network to the internet. This wasn’t possible before because ICMP was being blocked at the firewall. While ICMP is most commonly associated with ping, it’s a lot more than that. Ping or echo requests are just one ICMP message type. But for simplicity let’s just say their servers couldn’t ping the Internet and now they can.
Apparently, a network engineer who was troubleshooting an issue had modified some firewall rules and enabled ICMP. Once their troubleshooting was complete, they neglected to return the firewall to its secure state. I know, this has never happened to anyone else. :)
Ping was left open. So, it’s ping, what’s the big deal? Shortly after the change, Verodin alerts started firing because of Verodin’s continuous, automated checks. The Verodin Actor successfully demonstrated the use of an ICMP tunnel-based upload of a .csv file containing 100 fabricated records about fictitious customers to the Internet. The Verodin Actor in the critical server network was communicating with a Verodin Actor on the Internet for the compromise. As illustrated in the Verodin Director image below, the ICMP tunnel was not blocked.
Luckily Verodin alerted on the fact that an attack that was not successful in the past was now successful and the security team responded promptly. Thanks to Verodin the security team knew exactly what rule to add back into the firewall to mitigate the attack and once the change was made, they used Verodin to verify that the change was, in fact, blocking ICMP tunneling again.
It was interesting that some of the folks on the networking team were not familiar with ICMP tunneling as a method for data exfiltration. Interesting only because – well – it’s a tunnel, it’s not really new, but there you go. The security team walked them through the attack sequences in Verodin to show them exactly how it worked so that, in the future, mistakes like that could be avoided. Another tip would be to maybe not allow them to make firewall rule changes – but that’s a process issue and beyond the scope here.
If you can ping an external device from within your organization, chances are you can set up ICMP tunneling. There are many ICMP tunneling tools that can serve as a data exfiltration mechanism, such as Hans and Ping Tunnel. Mehmet Ince wrote a detailed article on tunneling titled “Data exfiltration (tunneling) attacks against corporate networks” on the Pentest Blog.
It’s important to note that tunneling isn’t limited to ICMP tunneling (sometimes referred to as ICMPTX). Tunneling can be used to create covert channels and inject data into DNS and other protocols that are commonly allowed from internal networks to the Internet.
Generally, critical servers should not be allowed to establish outbound connections. You probably wouldn’t use a browser from a critical server to surf the Internet, for example. You likely wouldn’t allow DNS requests to go to external DNS servers from your critical servers. ICMP can and should be blocked at your firewall as well. If you can’t block it, ICMP echo messages carry a variable-length payload, and you can restrict that payload size at the firewall to make tunneling less practical. But generally speaking, I see organizations either block ICMP or allow it until they become aware of the risk. Then they simply block it rather than trying to shrink the payload so that data exfiltration is merely more difficult.
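Because shrinking the ICMP payload only makes exfiltration harder, not impossible, a detection check alongside the firewall rule is worth having. The following Python example is added here and is not part of Verodin’s platform or the original post; it parses raw ICMP echo messages and flags payloads that are oversized, that don’t match the default payload of a stock Windows or Linux ping client, or whose cumulative volume per source is suspicious. The thresholds, IP addresses and sample traffic (including a CSV upload in large chunks, like the one in the story) are constructed assumptions.

```python
import struct
from collections import defaultdict

# Default payloads of stock ping clients. Windows ping sends the 32-byte alphabet
# string; Linux iputils ping sends a 16-byte timestamp followed by bytes 0x10..0x37.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PATTERN = bytes(range(0x10, 0x38))

def parse_icmp(packet: bytes):
    """Split a raw ICMP message into (type, code, id, seq, payload); the echo header is 8 bytes."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]

def looks_like_stock_ping(payload: bytes) -> bool:
    """True if the payload is what an unmodified Windows or Linux ping would send."""
    if payload == WINDOWS_PAYLOAD:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PATTERN

def classify(packets, max_payload=64, byte_budget=4096):
    """packets: iterable of (src_ip, raw_icmp_bytes). Returns (src_ip, reason) findings for echo messages."""
    findings = []
    bytes_per_src = defaultdict(int)
    for src, raw in packets:
        icmp_type, _code, _ident, _seq, payload = parse_icmp(raw)
        if icmp_type not in (0, 8):          # only echo reply (0) and echo request (8)
            continue
        bytes_per_src[src] += len(payload)
        if len(payload) > max_payload:      # assumed size threshold
            findings.append((src, f"oversized echo payload ({len(payload)} bytes)"))
        elif not looks_like_stock_ping(payload):
            findings.append((src, "echo payload does not match a stock ping pattern"))
    for src, total in bytes_per_src.items():
        if total > byte_budget:             # assumed per-source volume threshold
            findings.append((src, f"echo payload volume {total} bytes exceeds budget"))
    return findings

def echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request. Checksum is left zero: this is constructed sample traffic, never sent."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Constructed sample traffic: two stock pings, one host pushing a fake CSV in large
# chunks, and one host using small but non-standard payloads (size limit alone misses it).
CSV_ROWS = b"id,name,email\n" + b"1,Fake Customer,fake@example.invalid\n" * 38   # ~1.4 KB
SAMPLE = [("10.1.1.5", echo_request(0x1234, 1, b"\x00" * 16 + LINUX_PATTERN)),
          ("10.1.1.9", echo_request(0x0042, 1, WINDOWS_PAYLOAD)),
          ("10.1.1.8", echo_request(0x0007, 1, b"chunk-0003:" + b"A" * 40))]
SAMPLE += [("10.1.1.7", echo_request(0x0bad, n, CSV_ROWS)) for n in range(1, 5)]
```

Running `classify(SAMPLE)` reports only 10.1.1.7 (oversized chunks plus total volume) and 10.1.1.8 (non-standard payload), while the two stock pings pass.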
Verodin is defining the emerging concept of Instrumented Security. Its revolutionary platform empowers customers to measure and continuously validate the cumulative effectiveness of layered security infrastructures, revealing true security posture. Through automated defense analysis, Verodin customers achieve maximum value from security spending, better leverage existing security investments, and measurably improve their cyber prevention, detection and response capabilities.
Request a demo and learn more about Verodin at https://verodin.com/.