Kick start the new year with our "Ask Me Anything: Hacked from home" webinar, where we zero in on one of the newest and most predominant security topics of the last 12 months: remote worker protection.
That's why we invited Rafael Federer, CTO of NSIDE Attack Logic, to answer your toughest security questions.
Bonus: Rafael will demonstrate how the compromise of just one employee — working from home but attending an online meeting — can give attackers access to an entire corporate network.
Webinar Details
January 26, 2022 | 9:30 a.m. EST | 14:30 p.m. GMT | Register Now
Pre-registration is required and allows you to send questions in advance.
Can't make it?
Even if you may not be able to attend any of the live sessions, be sure to still register. We'll send a link to the recording following the presentation.
We hope you can join us!
Q&A From the Webinar
Question Asked | Response |
What does the acronym WDE stand for? | RF: Whole disk encryption |
Would Sophos Intercept X have stopped this simulated attack? | AM: We'd expect Intercept X to stop some of these activities, but for transparency, we did not asked Rafael to run his attack against a Sophos protected system. Customers with Sophos XDR benefit from investigations being created when suspicious, but not convictable as malicious activities happen on a protected system. Check out https://news.sophos.com/en-us/2022/02/04/sophos-xdr-enhanced-investigations-and-office-365-integration/ for more information! |
I'm getting into ethical hacking. Are there any entry-level Linux hacking games you can suggest? | RF: Try HackMe.com. |
How can I make sure my Sophos Intercept X-protected machines are utilizing best practices for protection? | AM: We have a TechVid to guide you through best practices at https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/126339/sophos-intercept-x-threat-protection-policy-best-practices. |
If split tunnelling is enabled for VPN on an employee's computer and one of the devices on his home network is infected, does that open up any channels for attackers to get into the office network? | RF: Yes, it does. One side of the split tunnel (through the employee's direct internet line) is used by the attacker for C2 traffic (command and control), while the other side of the tunnel (the VPN side) is used to access company resources through the employee's system. |
Would it be fair to say that if an employee had taken robust cyber awareness training this would have helped to prevent such attack? | RF: Awareness training is only part of a defense strategy. No defense strategy should depend on users always being fully-aware and capable of spotting 100% of attacks. Awareness training still reduces the odds of an attacker gaining a foothold. |
What if Thomas was using MFA? | RF: MFA would most definitely have helped against the credential stealing/cracking and reuse. However, other steps would still be possible - just not the RDP access. This would depend on the company's exposed infrastructure (VPN, extranet, etc.). If ALL of them were protected with MFA, then yes, this would make the password much less useful to an attacker. |
How can I tell the difference between a spoofed email address and a hacked email? How can I prevent email spoofing from recurring? | RF: You can protect your own domain against spoofing with email security DNS extensions like SPF, DKIM, DMARC. By evaluating these records for other domains, you can detect spoofed email addresses if the sender's domain has these kind of DNS records set. |
Does this hack presume that VPN is not necessary and that the RDP PC is open on the internet? | RF: Yes. |
Can connected devices like Wi-Fi cameras be vulnerable to attacks? | RF/AM: If the manufacturers do not detect and fix vulnerabilities in them, certainly yes. There were already several hacks involving WiFi-enabled cameras. To avoid this, consider using a separate SSID which only allows internet access for IoT type devices. |
Is using a password manager dangerous? | RF: If the password manager is used in an insecure way, then yes. In general, using a password manager improves security. |
What would you suggest for network segmentation internally? We're hearing lots of noise about ZTNA, NAC etc... | AM: Using intelligent segmentation can help protect organizations from lateral movement (sometimes called "East/West" traffic). Sophos Firewall lets you specify granular access rules between zones but can also take into account the health state of the Sophos agent on your workstations and servers, ensuring systems in a bad condition cannot communicate across segments. |
Would Sophos MTR service be able to pick up on this compromise from the very beginning? | AM: We'd expect the MTR team to have very early visibility into the activities being carried out and respond based on the customer's mode. |
What is the best way to block script execution on endpoint from Excel macros (means centralized from GPO, SCOM, Application Control tools)? | AM: We'd expect Excel (or other apps) launching scripts to be detected and blocked by the default Sophos Intercept X agent. To stop all scripts from running, you can set GPOs to disable macros in Office applications. You can also consider using Application Control to limit scripting tools your organization doesn't use. |
How can bloodhound be used for defenses? What kind of attack path analyses and remediation can you do? | RF: Please refer to the BloodHound documentation for that. There are tools though that are easier to use for defenders, such as PingCastle or PurpleKnight. |
Would Sophos AV normally block the malicious code when executed on the organization's servers? | AM: We'd expect machine learning in Sophos Endpoint to block executables with a very high true positive rate and a low false positive rate. The behavioral analysis will also have chances to block the steps leading to a malicious file being written and to any activities carried out by malicious code if it weren't blocked earlier in the attack chain. |
How do you defend yourself against Evil Twin and Man-in-the-Middle attacks in a home network? | RF: Evil Twin/Rogue AP attacks do not work against WPA2 Personal (unlike WPA2 Enterprise) due to a different authentication protocol. Thus, on the media access level, there is no need for protection against Evil Twin/MITM. In the consumer space, there aren't many protections against MITM once an attacker is inside the network though. |
What's the best way to protect users when they work from home on their own computers? | AM: Sophos Home Premium has the same protections as Intercept X Advanced. Talk to your Sophos account team for possible home use access for your end users. |
Is it possible to prevent this SMB problem for home users? | RF: Remotely configure the Windows firewall to not allow SMB while not inside the internal domain's network. Alternatively, use separate firewall devices for stronger isolation. See Microsoft documentation on how to use Firewall profiles, but please note that it is important that employee systems will need to correctly identify networks in order to apply the correct profiles: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ics/windows-firewall-profiles |
Is it worth turning 2fa on for admin access to internal servers? | RF: Depends on the need for protection of these servers. In a proper multi-tier security architecture, tier 0 servers MUST require MFA. Tier 1 administration of servers SHOULD require MFA but you can opt out of that if your protection requirements are low. Tier 2 does usually not require MFA. For more information, refer to the ESAE concept. |
What happens if you PEN TEST and then the company still gets hacked? | RF: No penetration tester is always perfect or sees 100% of vulnerabilities with a 100% guarantee. Still, we did not have any cases in our company's history where (if our client agreed on our suggested scope) they were hacked after a penetration test performed by us. The cases where customers of ours were actually hacked after we had pen tested, it was because they did not agree with our scope recommendations and excluded systems/applications from testing scope, against our recommendation, that were later used to hack them. |
Great demo, any easy way of identifying users with old zoom client? Difficult process with remote working. | AM: You can use Sophos XDR to report on installed versions of Zoom and all other applications! Check out the built in Data Lake queries "Windows Programs" and for macOS, "Installed Applications." |
What AV or EDR is currently running on the ts1 machine? | RF: Windows Defender was running on it, but these attacks are possible with all current endpoint protection products if the attacker is sufficiently skilled. |
How are attackers using applications like AnyDesk or Team Viewer? | AM: Attackers are using legitimate remote access tools like Microsoft Remote Desktop, AnyDesk and Team Viewer as initial points of entry to exposed systems with stolen credentials or as their own method of remote access and persistence after they've breached a network in another way. Sophos customers should consider using Application Control to limit these legitimate apps in their environment if they are not used by the IT teams. |
If it safe for home users to use Team Viewer to access company computers from home? | AM: TeamViewer itself isn't a dangerous application but it can be used by attackers. |
Is a VPN access from home a safe option? | RF: As long as VPN does not use Windows credentials and uses some form of weak or strong MFA, VPN will be more secure than direct RDP access. Weak MFA is, for example, demanding both client certificates and username/password, with the password being a different one from the domain password. Strong MFA is, for example, an OTP or physical token. |
Once you were logged into the server using Thomas credentials. What was the user hacking tool you used? | RF: I used the post-exploitation agent called PowerShell Empire. |
Is AV present on this terminal server? | RF: Windows Defender was running on it, but these attacks are possible with all current endpoint protection products if the attacker is sufficiently skilled. |
What are the software tools (PuTTY , VM Ware, Oracle VirtualBox) used for today simulation demo? | RF: A variety of tools were used: Putty, VMware Workstation, Kali Linux, PowerShell Empire, Bloodhound, Responder, Mimikatz, hashcat, and a few more. |
How susceptible are Apple computers? | RF: They are as susceptible as Windows computers but not targeted as much because of the smaller use base. |
Will an organization with MFA/2FA configured provide some level or protection? | RF: Yes, MFA will certainly add a layer of protection. |
Is Rafael on YouTube? | RF: No. |
If our "Thomas" were to go through this whole scenario where his password was cracked like this, how could we find out this happened? If we only allow permitted devices to connect to our VPN (so a Terminal Server isn't viewable through the Internet), what can be done with Thomas's password? | RF: This depends on many factors, for example: are there other systems that can be accessed just with Thomas' password but without MFA? What can an attacker do with access from these? Is VPN access possible using Thomas' password or is something else (a client certificate, a different password, a hardware token, an OTP) needed? If VPN was used, properly secured (client certificate, hardware token, OTP...), AND no other systems are externally accessible using Thomas' password, an attacker would likely pursue a different avenue and abandon this one. |
For a company who uses Mac workstations (AWS S3 and O365), do you feel that we are at just as much risk? | RF: Depends. O365 attacks are common. Regarding S3 it depends on what exactly you are using it for and how much you are exposing it on the internet. Mac attacks are less common than Windows attacks, but Macs are not more secure per se. If an attacker however gains initial access by compromising an O365 account, they won't give up just because Macs are used internally. |