Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Preventing and mitigating cyberattacks is a day-to-day — sometimes hour-to-hour — endeavor for enterprises. New, ever-more-advanced techniques are revealed constantly, especially with the rise in ransomware-as-a-service, crime syndicates and cybercrime commoditization. Likewise, statistics are seemingly endless, with a regular churn of new, updated reports and research studies revealing worsening conditions.
According to Fortune Business Insights, the worldwide information security market will reach just around $376 billion in 2029. And, IBM research revealed that the average cost of a data breach is $4.35 million.
The harsh truth is that many organizations are exposed due to common software, hardware or organizational process vulnerabilities — 93% of all networks are open to breaches, according to one recent research report.
Cybersecurity must therefore be a team effort, said Scott Sutherland, senior director at NetSPI, which specializes in enterprise penetration testing and attack-surface management.
The company today announced the release of two new open-source tools for the information security community: PowerHuntShares and PowerHunt. Sutherland is demoing both at Black Hat USA this week.
These new tools are aimed at helping defense, identity and access management (IAM) and security operations center (SOC) teams discover vulnerable network shares and improve detections, said Sutherland.
They have been developed — and released in an open-source capacity — to “help ensure our penetration testers and the IT community can more effectively identify and remediate excessive share permissions that are being abused by bad actors like ransomware groups,” said Sutherland.
He added, “They can be used as part of a regular quarterly cadence, but the hope is they’ll be a starting point for companies that lacked awareness around these issues before the tools were released.”
Vulnerabilities revealed (by the good guys)
The new PowerHuntShares capability inventories, analyzes and reports excessive privilege assigned to server message block (SMB) shares on Microsoft’s Active Directory (AD) domain-joined computers.
SMB allows applications on a computer to read and write to files and to request services from server programs in a computer network.
NetSPI’s new tool helps address risks of excessive share permissions in AD environments that can lead to data exposure, privilege escalation and ransomware attacks within enterprise environments, explained Sutherland.
“PowerHuntShares is focused on identifying shares configured with excessive permissions and providing data insight to understand how they are related to each other, when they were introduced into the environment, who owns them, and how exploitable they are,” said Sutherland.
For instance, according to a recent study from cybersecurity company ExtraHop, SMB was the most prevalent protocol exposed in many industries: 34 out of 10,000 devices in financial services; 7 out of 10,000 devices in healthcare; and 5 out of 10,000 devices in state, local and education (SLED).
Enhanced threat hunting
Meanwhile, PowerHunt is a modular threat-hunting framework that identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques. It also detects anomalies and outliers specific to the target environment.
The new tool can be used to quickly collect artifacts commonly associated with malicious behavior, explained Sutherland. It automates the collection of artifacts at scale using Microsoft PowerShell remoting and by performing initial analysis. It can also output .csv files that are easy to consume. This allows for additional triage and analysis through other tools and processes.
“While [the PowerHunt tool] calls out suspicious artifacts and statistical anomalies, its greatest value is simply producing data that can be used by other tools during threat-hunting exercises,” said Sutherland.
NetSPI offers penetration testing-as-a-ervice (PTaaS) through its ResolveTM penetration testing and vulnerability management platform. With this, its experts perform deep-dive manual penetration testing across application, network and cloud attack surfaces, said Sutherland. Historically, they test more than one million assets to find 4 million unique vulnerabilities.
The company’s global penetration testing team has also developed several open-source tools, including PowerUpSQL and MicroBurst.
Sutherland underscored the importance of open-source tool development and said that NetSPI actively encourages innovation through collaboration.
Open source offers “the ability to use tools for free to better understand a concept or issue,” he said. And, while most open-source tools may not end up being an enterprise solution, they can bring awareness to specific issues and “encourage exploration of long-term solutions.”
The ability to customize code is another advantage — anyone can download an open-source project and customize it to their needs.
Ultimately, open source offers an “incredibly powerful” ability, said Sutherland. “It’s great to be able to learn from someone else’s code, build off that idea, collaborate with a complete stranger, and produce something new that you can share with thousands of people instantly around the world.”
Specifically relating to PowerHuntShares and PowerHunt, he urged the security community to check them out and contribute to them.
“This will allow the community to better understand our SMB share attack surfaces and improve strategies for remediation — together,” he said.