The money conscious, yet secure company

Posted on 2020-01-07 by Alexei Doudkine in Tools of the trade


Let’s face it, security in an organisation can be expensive. You need corporate antivirus, firewalls, a SIEM, a Vulnerability Management solution and of course, that NextGen Threat Analytics and Attack Simulating Toaster (NGTAAST™). Congratulations, you’ve just racked up over a million dollars’ worth of gear. If you are a large corporation with large security budgets, that’s great! Chances are, these controls are legitimately useful for you and help with your day-to-day defence. However, if you are a smaller company, the reality is that you have very finite resources to stop the exact same adversaries that threaten large corporations.

The good thing for smaller companies is that it’s not just black and white. You don’t have to choose between having the best AV or none at all. There are many free and open source tools available that can help if not completely replace paid software. What I love about the infosec industry is that it is full of people who truly care. They write and release software not for money, but to make a difference in the world. Let’s take a look at some of my favourite free and/or open source tools.

Windows Defender

I know, I know. The first tool I list is neither open source nor free ( 😊 ), but it is included in the cost of Windows 10. I listed Defender first because it is probably the easiest to install. So easy, in fact, that you don’t need to install it at all! It’s just there when you install Windows 10 and it can stay there as a security control.

I am often asked by clients and friends: “What is the best AV?” And, in my opinion, that is currently Windows Defender. During penetration tests, I go up against many different AV and EDR vendors and Defender honestly slows me down the most. No, it’s not likely to stop a competent hacker or targeted malware, but then again, neither is any other AV. That’s just not what AV does.

If you’d like, you can give Defender a features boost by purchasing Microsoft Advanced Threat Protection (ATP), which also makes it more (centrally) manageable. It’s certainly not mandatory, though.

PingCastle

PingCastle is free and open source software dedicated to finding vulnerabilities and misconfigurations in Active Directory (AD) environments. Many companies rely on AD to manage their network and if you’re one of them, you should know that AD can pose a significant risk if some settings are left in their default state (SMB signing off and LLMNR on, just to name a few). It is possible and even common for an attacker to go from no rights to full Domain Admin rights using AD-based vulnerabilities alone. We frequently do this as part of our Internal Penetration Test.

By using PingCastle regularly, you can identify these vulnerabilities and remediate them, making it harder for attackers to compromise your network.

Resource: https://www.pingcastle.com

BloodHound

While we are on the topic of AD and Domains, BloodHound, developed by @_wald0, @CptJesus and @harmj0y (very smart dudes), is an open source tool that helps defenders and attackers alike find logical vulnerabilities in AD environments. It does this by gathering data about AD objects and creating a visual map of their relationships to one another.

Why is this important? Amongst other things, it will allow you to find shadow admins. For example, you have 3 users in the Domain Admins group, and 10 users in the Helpdesk group. The Helpdesk group has admin rights over workstations, but not servers. However, the Helpdesk group has also been given password reset rights for any user in the domain. A malicious Helpdesk user can reset a Domain Admin’s password and log in as them, gaining full access over the domain. In this scenario, you have your 3 direct Domain Admins, but also at least 10 indirect Domain Admins, not all of whom you may trust with such power.

There are thousands of these combinations that can create shadow admins, potentially giving a low privilege user the keys to the castle. It is important to identify any that exist in your domain and remove any rights that are not supposed to be there.
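The shadow admin reasoning above is a graph problem, which is exactly what BloodHound solves at scale. As an added illustration (not BloodHound’s code, and not part of the original post), the script below builds a constructed, illustrative AD graph using BloodHound’s edge vocabulary (MemberOf, ForceChangePassword, AdminTo and a few other control rights), then walks it to separate direct Domain Admins from users who merely have a path to Domain Admins. It goes slightly beyond the post’s example by also catching nested group membership, and for each shadow admin it names the first non-membership right on the path, which is the thing to review or remove. All user, group and computer names are made up.

```python
from collections import defaultdict, deque

# Constructed sample environment (illustrative names, not a real domain).
# Edges follow BloodHound's vocabulary: (source, relationship, target).
USERS = ["alice", "bob", "carol", "frank", "erin"] + [f"helpdesk{i:02d}" for i in range(1, 11)]
EDGES = [
    ("alice", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Domain Admins"),
    ("Tier0 Ops", "MemberOf", "Domain Admins"),    # nested group membership
    ("frank", "MemberOf", "Tier0 Ops"),
    ("erin", "MemberOf", "Sales"),
    ("Helpdesk", "AdminTo", "WS-LAPTOP01"),        # local admin on workstations only
    ("Helpdesk", "ForceChangePassword", "alice"),  # the right that creates the shadow admins
] + [(f"helpdesk{i:02d}", "MemberOf", "Helpdesk") for i in range(1, 11)]

# Relationships that let the source act as the target: join its group, or take over the account.
# AdminTo is deliberately left out: admin on a workstation is not, by itself, a path to the group.
CONTROL_EDGES = {"MemberOf", "ForceChangePassword", "GenericAll", "GenericWrite",
                 "WriteDacl", "WriteOwner", "Owns"}


def build_graph(edges):
    """Adjacency list containing only the control relationships."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        if rel in CONTROL_EDGES:
            graph[src].append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops [(src, rel, dst), ...] or None if unreachable."""
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def classify_admins(users, edges, target="Domain Admins"):
    """Split users into direct members of `target` and shadow admins that have a control path to it."""
    graph = build_graph(edges)
    direct, shadow = set(), {}
    for user in users:
        path = shortest_path(graph, user, target)
        if path is None:
            continue
        if len(path) == 1 and path[0][1] == "MemberOf":
            direct.add(user)
        else:
            shadow[user] = path
    return direct, shadow


def offending_edge(path):
    """First non-membership hop on the path: the right to review or remove. None means nested membership only."""
    for hop in path:
        if hop[1] != "MemberOf":
            return hop
    return None


if __name__ == "__main__":
    direct, shadow = classify_admins(USERS, EDGES)
    print(f"{len(direct)} direct Domain Admins: {sorted(direct)}")
    print(f"{len(shadow)} shadow admins:")
    for user, path in sorted(shadow.items()):
        route = " -> ".join(f"{rel} {dst}" for _, rel, dst in path)
        fix = offending_edge(path)
        note = f"(remove: {fix[0]} {fix[1]} {fix[2]})" if fix else "(nested group membership)"
        print(f"  {user}: {route}  {note}")
```

On the constructed data this reports the post’s 3 direct admins, the 10 Helpdesk users reachable through the password reset right on alice, and frank through the nested Tier0 Ops group. Real environments have far more edge types and far more objects, which is why you want BloodHound’s collectors and graph database rather than a script, but the decision logic is the same.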

Resource: https://github.com/BloodHoundAD/BloodHound

OpenVAS

OpenVAS is an open source vulnerability scanner. It is not quite as powerful as some of the paid solutions, but it’s certainly better than nothing. OpenVAS will help you find the obvious vulnerabilities and missing patches on your network. It’s no replacement for a proper penetration test, but it should cover the low hanging fruit so that your pentester can focus on finding the more complex vulnerabilities.

Resource: https://github.com/greenbone/openvas

sysmon

Part of the SysInternals suite from Microsoft, sysmon is a free, extremely flexible and configurable (maybe too configurable) logging agent. It takes an XML file for configuration that tells it what to look out for and what to do if that event occurs. For example, I can add a rule to monitor for changes to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key in the registry and send me an alert if that happens. Hackers commonly add values to this key for persistence so that their malware starts when the system starts.

I recommend you start with one or both of these configuration resources:

Be warned, the learning curve for sysmon can be pretty steep, but once you get the hang of it, adding additional rules and checks becomes easy. As you learn more about what is or isn’t a potentially dangerous event in your network, you can add bespoke rules specific for your use case, making sysmon a powerful IDS.
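To make the Run key example concrete, here is an added example (not from the original post, and not Microsoft’s code) showing the two halves of that rule: a minimal sysmon configuration with an include filter on the Run key, and a small Python evaluator that reads such a config, parses Sysmon Event ID 13 (registry value set) records in the Windows event XML export format, and reports which writes the filter keeps. The schemaversion is an assumption and must match your installed Sysmon; the two event records are constructed samples, not real telemetry; the condition evaluator only models a subset of sysmon’s conditions. The rule name T1547.001 is the ATT&CK technique id for Run key persistence and shows up as the RuleName field in the logged event.

```python
import xml.etree.ElementTree as ET

# Sysmon configuration (schemaversion assumed; it must match the installed Sysmon).
# Only registry events whose TargetObject contains a Run key path are logged; because the match
# is "contains", RunOnce is covered too. The name attribute becomes the event's RuleName field.
SYSMON_CONFIG = r"""<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="run-key-persistence" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="T1547.001" condition="contains">\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 13 records (Windows event XML export format); not real telemetry.
# Sysmon reports HKCU paths as HKU\<user SID>\..., which is why the rule does not say "HKCU".
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="RuleName">T1547.001</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-01-07 03:14:15.926</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater</Data>
    <Data Name="Details">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-01-07 03:15:02.001</Data>
    <Data Name="ProcessId">1337</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden</Data>
    <Data Name="Details">DWORD (0x00000001)</Data>
  </EventData>
</Event>""",
]


def load_include_rules(config_xml):
    """Flatten every onmatch="include" filter into (event_tag, field, condition, value, rule_name)."""
    rules = []
    for event_filter in ET.fromstring(config_xml).iter():
        if event_filter.get("onmatch") == "include":
            for field in event_filter:
                rules.append((event_filter.tag, field.tag, field.get("condition", "is"),
                              field.text.strip(), field.get("name")))
    return rules


def condition_matches(condition, value, actual):
    """Subset of sysmon's filter conditions; sysmon compares case-insensitively."""
    a, v = actual.lower(), value.lower()
    checks = {"is": a == v, "is not": a != v, "contains": v in a, "excludes": v not in a,
              "begin with": a.startswith(v), "end with": a.endswith(v)}
    if condition not in checks:
        raise ValueError(f"condition not modelled here: {condition}")
    return checks[condition]


def parse_event(event_xml):
    """Return EventID, Computer and every EventData <Data Name=...> field as one flat dict."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    fields["EventID"] = root.find("e:System/e:EventID", NS).text
    fields["Computer"] = root.find("e:System/e:Computer", NS).text
    return fields


def matching_rule(rules, event_tag, fields):
    """Name of the first include rule for `event_tag` that the event satisfies; None means sysmon drops it."""
    for tag, field, cond, value, name in rules:
        if tag == event_tag and field in fields and condition_matches(cond, value, fields[field]):
            return name or tag
    return None


def triage(event_xmls, config_xml=SYSMON_CONFIG):
    """Registry events (IDs 12/13/14) the config keeps, reduced to the fields an analyst needs."""
    rules = load_include_rules(config_xml)
    hits = []
    for xml in event_xmls:
        ev = parse_event(xml)
        if ev["EventID"] not in {"12", "13", "14"}:
            continue
        rule = matching_rule(rules, "RegistryEvent", ev)
        if rule:
            hits.append({"time": ev["UtcTime"], "host": ev["Computer"], "image": ev["Image"],
                         "target": ev["TargetObject"], "details": ev["Details"], "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['time']} {hit['host']}: {hit['image']} wrote {hit['target']} = {hit['details']}")
```

Run as-is, it keeps the write of an executable from a user’s Temp folder into the Run key and drops the harmless Explorer setting. The same triage function works on events exported from the Microsoft-Windows-Sysmon/Operational log, and the alerting part (email, ticket, SIEM) is whatever you already have; sysmon itself only writes the event.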

Resource: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

pfSense

pfSense is an open source firewall based on FreeBSD. It comes as an ISO that you install on any metal of your choice. What hardware should you use for it? That really depends on how large your network is, how many users it will serve and what you plan on using it for.

It is a firewall, but also so much more. pfSense comes with plenty of “premium” features right out of the box including VPN, VLAN support, routing, DNS and DHCP, just to name a few. If your hardware has a built-in wireless adapter, it can even act as an Access Point. If that’s not enough, you get a suite of packages that you can install right from the web UI.

It does fall short in “enterprise” features, however, lacking centralised management and any sort of UTM functionality. So if you need to manage 100 instances of pfSense, it is probably not for you.

Resource: https://www.pfsense.org/

Pritunl

Pritunl (I think it’s pronounced like “Pry Tunnel”?) is an open source VPN server and client that is essentially a skin over OpenVPN. However, you would never know that it uses OpenVPN because of how simple and intuitive the interface is. The install and setup process of the server side is a piece of cake, and the client is light, supports Windows, macOS and Linux, and it just works.

Granted, strictly speaking a VPN service isn’t a security control, but I still wanted to add it because of how useful it can be as part of your security architecture design. As an example, putting all your admin login interfaces behind a VPN can massively reduce your attack surface.

Honestly, just go get the Premium version (or higher). It’s just $10 US a month, flat. Unlimited users, you get features like automatic push of configuration changes and you support an awesome project.

Resource: https://pritunl.com/

Whether you’re looking to level up your company’s security or just want something new to play with this new year, I hope this short list of tools has helped you out. Be aware that it might take you a bit of time to learn and properly configure these tools, maybe more so than commercial ones. But that can be part of the fun too! Also, my aim here is not to discredit commercial products, but just to show that there are alternatives to consider. Choose what fits your specific needs and goals.


About the author

Alexei Doudkine is Co-Founder and Offensive Director at Volkis. Hacker, tinkerer, car modder and dog person, Alexei has been in the infosec game for over 10 years focusing on the “attack” side of security. You can catch him on Twitter and LinkedIn.
