Our industry pays lots of attention to vulnerabilities and the need for patching. But in the past couple of decades, we've over-indexed on vulnerability management. What doesn't get as much media coverage, and is often more important to an attacker, are things like common misconfigurations or an improper implementation that introduces unintended risk. Improper implementations are hard for an organization to understand the ramifications of, near impossible to spot, and even harder to fix.

We regularly encounter improper implementations within our customers' networks, suggesting many blue-teamers are unaware of the risks of certain configuration methods. As an attacker myself, I can say with confidence that some vendor-recommended implementation strategies are widely abused by red-teamers and attackers to achieve different objectives. The first time I took advantage of something like this was in the early 2000s, and in some cases there is tooling available to take advantage of it. Weak configurations like this are a categorical risk to organizations, and I'm hoping that by talking about it, I can help close the knowledge gap between red-teamers and blue-teamers.

I'm going to take you through how vendor-documented implementation methods, which are commonly used by IT orgs, can introduce unintended risk into your environment, with a focus on a particular type of asset discovery configuration that makes it easy for an attacker like me to move laterally in an organization.

First, a quick definition of lateral movement (if you know what this is, skip ahead). Lateral movement is a term used to describe the techniques attackers use to move through a network as they explore systems, attempting to gain further access or compromise sensitive information en route to their objectives. In my role as an attacker, I will take advantage of misconfigured systems, default credentials, exploits for unmanaged or unpatched systems, or all of the above. I will use whatever means available to compromise other systems on the network, or "move" laterally.

Enter asset discovery tools to help with configuration management (CM). Organizations have rightfully started using auto-discovery tools to find services, applications, and devices in order to mitigate these types of exposures before attackers can take advantage of them. These tools are meant to give companies a better understanding of what systems are on their network, their patch level, and how the systems are configured. These CM and discovery tools programmatically log into systems and run commands to check their configuration.

Unfortunately, these types of asset discovery tools, when configured improperly, can increase the risk to an organization rather than reduce it, by further exposing the organization to lateral movement by an attacker. Worse yet, these implementation options may even be a documented solution. Therefore, it is important for organizations to understand the risks these configurations expose and consider them accordingly.

Before publishing this blog, we reached out to each of the vendors in advance to see if they'd be open to updating their documentation to provide clearer guidance on the security risks associated with these configurations. As of the time of publication, none of the vendors named in this blog expressed interest in updating their documentation. I want to be very clear that ServiceNow Discovery is not vulnerable or bad, nor is Virima or BMC Helix Discovery (other asset discovery tools that suggest similar implementations).