Sword & Shield - Intelligent Security
Security Solutions for Peace of Mind
October 2016
Theresa Payton at EDGE2016
EDGE2016 Puts Knoxville, Tenn. on the Map for Cybersecurity
KNOXVILLE, Tenn., Oct. 26, 2016. EDGE2016 Security Conference, the inaugural world-class cybersecurity conference where complex business security problems meet real-world solutions, concluded last week after providing information security professionals and business leadership with valuable cybersecurity insights and actionable information from a variety of experts over two days at the Crowne Plaza in Knoxville, Tennessee.

Bringing in more than 350 attendees, EDGE2016 featured experts in the fields of healthcare, retail, legal, banking and finance, manufacturing, and government information security to have an open dialogue about the cybersecurity challenges every industry is facing.

"Information is everything, and in the business world it's nearly all accessed through some form of technology," said John McNeely, president of Sword & Shield Enterprise Security, the company hosting EDGE2016. "You may not think your business is at risk, but think about how much of your day-to-day operations rely on computers, servers, smartphones, etc., and how much of your information is stored and delivered on those devices. It's easy to see the impact a security breach can have if your technology is negatively impacted or your information becomes compromised. Our goal for this conference was to bring experts from a variety of industries together to meet with business leaders and security professionals to learn how they can focus on managing and mitigating the growing risk of cyberattacks, and I think we not only accomplished that, but also put Knoxville on the map as a growing hub for cybersecurity."

Keynote speakers at the conference included Theresa Payton, former White House CIO, cybersecurity authority and expert on identity theft and the Internet of Things (IoT); and Kevin Poulsen, a former hacker once wanted by the FBI turned cybersecurity expert and current editor at Wired magazine.

"I think it's always a great day when business leaders get together and talk about the challenges we're all facing," said Payton during an interview after her keynote speech on day one of the conference. "One, you realize you're not alone, but two, you can hear from each other how somebody else has solved this. Cybercrime attacks everybody and so we've got to put our competitive guard down and be able to just talk openly about what to do to prevent you being the next victim. A forum like this, where people can come and talk openly and ask questions of the experts, is always great and a positive step forward for cybersecurity."

Save the Date
Sword & Shield Security Consultant Chris Lyons will present "Addressing Your Advanced Threats" at the Ninth Annual Shriners Healthcare IT Symposium on Nov. 4 at 4:15 p.m.

The symposium, held at the Mandalay Bay Resort and Casino in Las Vegas, will focus on "Cyber Security: Awareness, Safeguards, Regulatory Requirements, Penalties, Risks and Tools" and has assembled a number of accomplished speakers from leading healthcare and technology organizations.

Please visit the Shriners Hospital for Children's website to register.
Security Lab
Multi-Tool Multi-User Proxy
by Russel Van Tuyl
Background
Many of the popular Command and Control (C2) tools today operate over HTTP (e.g. Metasploit and Empire). One of the reasons HTTP is an effective protocol for C2 is that it is allowed on nearly every network in existence and is expected behavior from every network device. Additionally, using HTTP over TLS adds another layer of protection for these tools because it makes inspecting the C2 traffic a challenge. Organizations properly configured with a web proxy that performs SSL/TLS inspection are better able to detect C2 traffic, but I don't typically see this capability in organizations I have tested.

To look as normal as possible, HTTP C2 traffic should operate on ports 80 and 443. Any deviation, like using port 8080, will draw more suspicion than traffic over the standard ports. An interesting problem is that I like to use multiple tools on the same host. If I want to use Empire and Metasploit's Web Delivery module on the same box, I will need a total of three ports; I would likely use ports 80, 8080, and 443. However, I would like all of my traffic to go over port 443. We employ multiple security analysts here at Sword & Shield, and I like the idea of having one host for all of the analysts to use as a type of C2 proxy. If I had three analysts, each wanting their own Empire and Metasploit listeners, I would need a total of nine ports.

This problem can be solved by building a C2 proxy with Nginx acting as a reverse web proxy. This allows a single web server to handle multiple tools for multiple users, all on one port, as shown in the figure below. Once setup is complete, proxy rules split the traffic off to each analyst's C2 server on its own port. This configuration also keeps the identity of the actual C2 server (the host being proxied) hidden. If the C2 proxy server is burned, a new instance can be stood up with a new hosting provider: Nginx can be installed, configured, and operational again in no time.
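The article's own caveat is that a web proxy performing TLS inspection is what gives a defender visibility into this traffic. As an added example (not code from the article or from Sword & Shield), the Python below runs a beaconing heuristic over constructed proxy log lines in an assumed format, flagging a client that checks in with one host at a regular cadence across several paths, which is how a single reverse proxy fronting several tools on port 443 looks from the inspecting side.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines from a hypothetical TLS-inspecting web proxy, in an
# assumed format: "<ISO time> <client ip> <method> <host> <path> <bytes>".
# 10.1.1.5 checks in with one host every ~60 s; 10.1.1.9 browses irregularly.
SAMPLE_LOG = """\
2016-10-26T10:00:00 10.1.1.5 GET proxy.example.test /check 1200
2016-10-26T10:01:00 10.1.1.5 GET proxy.example.test /check 1180
2016-10-26T10:02:01 10.1.1.5 GET proxy.example.test /update 1210
2016-10-26T10:03:00 10.1.1.5 GET proxy.example.test /check 1190
2016-10-26T10:04:00 10.1.1.5 GET proxy.example.test /status 1205
2016-10-26T10:05:01 10.1.1.5 GET proxy.example.test /check 1200
2016-10-26T10:00:07 10.1.1.9 GET cdn.example.test /lib/app.js 88000
2016-10-26T10:13:42 10.1.1.9 GET cdn.example.test /img/logo.png 4100
2016-10-26T10:51:03 10.1.1.9 GET cdn.example.test /css/site.css 2300
2016-10-26T11:02:15 10.1.1.9 GET cdn.example.test /img/hero.png 61000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group requests by (client, host); each entry is (timestamp, path)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            groups[(m.group(2), m.group(4))].append((ts, m.group(5)))
    return groups

def interval_cv(times):
    """Coefficient of variation of gaps between requests (low = very regular)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_requests=4, max_cv=0.2):
    """Flag (client, host) pairs whose request timing is suspiciously regular."""
    findings = []
    for (client, host), reqs in parse_log(text).items():
        cv = interval_cv([t for t, _ in reqs]) if len(reqs) >= min_requests else None
        if cv is not None and cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(reqs),
                             "interval_cv": round(cv, 3), "paths": sorted({p for _, p in reqs})})
    return findings
```

A real deployment would read the inspecting proxy's access log instead of SAMPLE_LOG and tune min_requests and max_cv against normal traffic, since jittered check-ins raise the coefficient of variation.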
