One of the things we love about our speakers is their relentless passion for learning, applying and sharing their insights with others. Their hands-on, down-to-earth, action-driven approach inspires and motivates us every day. René Freingruber is just that kind of guy, which made this interview both a fun and learning experience.
René’s focus is research in the fields of malware analysis, reverse engineering, fuzzing and exploit development. He dives deep into modern mitigation techniques and how they can be bypassed by attackers, so his stories might prove to be very helpful for many of us.
After all, René has a detailed perspective on how cybercriminals see their victims.
As a result, we wanted to find out to what extent attackers see everyday users as easily reachable targets. “I think the overall awareness is slowly increasing, however, users are still the weakest link. Over the last few years, most people learned to not click on easy-to-detect spam e-mails, but as soon as attackers start more targeted attacks, users can again easily be tricked. We, at SEC Consult, noticed in several social engineering projects that it’s mostly enough to send simple e-mails with valid company signatures to trick users into exposing their credentials or installing malware (for example with an e-mail requesting the employee to check their vacation days in the new online system). Moreover, exploit code for several 0-days found its way to the public in the last months. Because of long update test times in large companies, it’s trivial for attackers to abuse such exploits to own them. I think online criminals share a similar opinion and are happy that social engineering is still highly successful in 2017.”
Turning thought into practice, we asked René to name a few key evolutions in the way malware is engineered and distributed which will most likely impact the infosec field in the short term.
“In my opinion, malware development does not only impact infosec; infosec also highly impacts malware development – it’s more like a circle. When the blue side starts to use new protections (e.g. application whitelisting), the malware authors move along and start to find interesting bypasses. Then the blue side starts to monitor such bypasses (like invocation of Microsoft-signed binaries which can bypass application whitelisting) and the malware authors catch up by finding ways to disable or stop logging. And then it’s again the defenders’ turn…
During the last years, we saw a strong increase in highly sophisticated malware and exploits being developed, from which we can learn lots of things (starting from simple things like specific log deletion up to complex exploit chains). In my opinion, we also live in a time where we should assume that an attacker can get a foothold on networks (Microsoft’s assume breach methodology) and that it’s more important than ever before to secure the internal network. In addition to that, systems and techniques must be deployed to detect a compromise as soon as possible. This can start with simple honeytokens, honeypots or callback documents and can go up to sophisticated deception technologies like CyberTrap.
In a time when 0-day exploit code is available on the internet, attackers compromise default software to own their targets and internet providers allow content injection, it’s impossible to be 100% secure against such attacks.
And therefore, it’s extremely important to build and research systems to detect compromises as soon as possible. In most cases, the attacker has the advantage (for example, the attacker must only find one vulnerability, he can attack at any time and he can play dirty). But with honeypots, the advantage goes to the defender’s side because an attacker does not know that an internal system is a honeypot. He only knows that as soon as he has compromised it, and that’s too late because then the defender is already alerted. That is, in my opinion, the path for infosec for the future: more internal network audits together with social engineering exercises and development of advanced honeypot/deception technologies.”
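The defender’s advantage René describes rests on one property of a honeytoken: it has no legitimate use, so any observed use is a high-confidence signal. The following is an added example, not René’s or SEC Consult’s code, of how such a detection can look in practice: a small scanner that checks log lines for a decoy account, a decoy API key and the callback URL of a decoy document. The honeytoken values, hostnames, addresses and log lines are all constructed for illustration.

```python
"""Honeytoken hit detection over sample log lines.

Added example for this interview (not code from René Freingruber or SEC Consult).
Every decoy value, host and log line below is constructed for illustration.
A honeytoken is a credential, account or document that nobody legitimately uses,
so a single hit is actionable without any further correlation.
"""
import re
from dataclasses import dataclass

# Constructed decoys: a fake domain account, a fake API key planted in a config
# file on a file share, and the path a "callback document" fetches when opened.
HONEYTOKENS = {
    "svc_backup_old": "decoy domain account (never used by real services)",
    "AKIAEXAMPLEHONEY0001": "decoy API key planted in a config file",
    "/beacon/finance-q3-payroll.png": "callback URL embedded in a decoy document",
}


@dataclass(frozen=True)
class Alert:
    token: str
    source: str   # what kind of decoy was touched
    line: str     # the raw log line that triggered the alert


# Constructed log lines: two benign, three involving honeytokens.
SAMPLE_LOGS = [
    '2017-10-02T08:15:01Z sshd[1202]: Accepted password for jdoe from 10.1.5.23 port 51022',
    '2017-10-02T08:17:44Z sshd[1209]: Failed password for svc_backup_old from 10.1.5.77 port 40212',
    '10.1.5.77 - - [02/Oct/2017:08:19:03 +0000] "GET /beacon/finance-q3-payroll.png HTTP/1.1" 200 95 "-" "Microsoft Office/16.0"',
    '10.1.5.23 - - [02/Oct/2017:08:20:10 +0000] "GET /intranet/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '2017-10-02T08:22:30Z api-gw: authentication failed for access key AKIAEXAMPLEHONEY0001 from 10.1.5.77',
]


def _compile(token):
    # Match the decoy as a whole token, so a legitimate name that merely contains
    # it (e.g. "svc_backup_old2") does not produce a false alert.
    return re.compile(r"(?<![\w/.-])" + re.escape(token) + r"(?![\w.-])")


_PATTERNS = {tok: _compile(tok) for tok in HONEYTOKENS}


def scan(lines):
    """Return one Alert per (line, honeytoken) hit, in log order."""
    alerts = []
    for line in lines:
        for token, pattern in _PATTERNS.items():
            if pattern.search(line):
                alerts.append(Alert(token=token, source=HONEYTOKENS[token], line=line))
    return alerts


def client_ip(line):
    """Best-effort client address: the 'from <ip>' of an auth log entry, or the
    leading field of an access-log entry. Returns None if neither is present."""
    ipv4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
    m = re.search(r"\bfrom " + ipv4 + r"\b", line)
    if m:
        return m.group(1)
    m = re.match(ipv4 + r"\s", line)
    return m.group(1) if m else None


def source_ips(alerts):
    """Pivot from alerts to the set of client addresses that touched a decoy,
    which is the first thing an analyst wants when scoping the intrusion."""
    return {ip for ip in (client_ip(a.line) for a in alerts) if ip is not None}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for a in hits:
        print(f"ALERT honeytoken={a.token!r} ({a.source})\n    {a.line}")
    print("suspect client addresses:", sorted(source_ips(hits)))
```

Two design points are worth noting. The whole-token boundary in `_compile` keeps the rule precise, which matters because the value of a honeytoken alert lies in its near-zero false-positive rate. And the pivot in `source_ips` shows why the three decoys are planted together: one workstation touching the decoy account, the decoy document and the decoy key in a few minutes is a clear picture, while any single event could be argued away.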
But before moving to the next level, infosec people still have to deal with frequent security mistakes that cause data breaches and security compromises. “Users with low security awareness, administrators who were not educated in the field of security (secure system configuration, operating system and domain hardening, etc.) and, in general, the absence of regular security audits. Simple penetration tests can quickly reveal misconfigurations or vulnerabilities and are an order of magnitude cheaper than a compromise. The same applies to awareness and security training for users and administrators.”
It sounds simple, but these elements are often overlooked, as we all know. Speaking of bad habits, we asked René to share his thoughts on security boundaries that companies still rely on, without that trust being justified.
“There is a whole bunch of them, like antivirus solutions, firewalls, endpoint protection systems, web application firewalls, network threat detection systems and so on. These systems are often used as an excuse for not making real in-depth security changes: not patching critical vulnerabilities because the WAF catches them, not educating end-users because a spam filter with an antivirus is installed and so on. In my opinion, such systems can be useful as an additional layer of protection, however, it’s not enough to solely rely on them.
Another important fact to consider is that these systems also increase the attack surface. For example, last year we at SEC Consult demonstrated a successful hack where we could compromise companies via their internal firewall systems (CSRF in a victim browser to send a memory corruption exploit to the internal firewall to get a reverse shell into the company’s network). And that is not an isolated case; several such examples were found during the last years.
A system which can monitor a company’s full network traffic to detect malicious behavior can also see the full traffic as soon as it gets compromised and is, therefore, a high-value target for attackers! That fact is often forgotten by companies.”
Since René was so generous with his time, we thought of exploring some topics that are tied to cyber security. Particularly, we wanted to see what René thinks about the ties between cybercrime and fake news.
“In my opinion, they are, in general, related, but it’s very hard to estimate exactly. For example, online criminals can steal confidential data and publish it together with fake data to increase the reputational damage to the victim. This can be done against political parties (political leaks) as well as against companies (e.g. public documents are mixed with fake ones to falsely prove a successful hack), and all these scenarios are happening right now. Moreover, a botnet together with fake profiles can be used to quickly spread fake news to a huge audience. In addition to that, news websites are often weakly protected and therefore prone to many vulnerabilities. Techniques such as Cross-Site Scripting can be used to place fake news on such pages, which can then be shared on social media platforms. The same applies to websites of political parties.”
Our curiosity also prompted us to find out what worries René the most about securing the key assets that keep our world going (critical infrastructure and beyond). “Medical institutions and public transport (train, airplane, …). Unfortunately, in these areas, money is not spent very frequently on security, which leads to extremely unprotected systems. For example, nowadays banks have a good security base level, but hospitals, on the other hand, are often vulnerable to simple attacks. That fact, together with the frequently low security awareness of medical staff and the fact that systems are connected to the internet, is a very bad combination. The same applies to the public transport sector, where critical control systems are directly connected to the internet. Especially in these fields, where the lives of people are at risk, security should play a fundamental role, but reality shows that security is mainly important in the financial sector.”
Extending security awareness beyond the confines of the infosec industry is an important mission for us as well. That’s why we asked René to share three security habits of infosec specialists that even home users can apply.
“Use a password manager to generate and use unique passwords per website, and don’t use the same passwords for work and private stuff. Keep your system and software up-to-date. If you receive an e-mail or a message, be cautious and precisely check the sender (misspelling, different domain, …) and the content (Is the person typically writing like this? Is there something strange about the message? Is the attachment doing strange stuff like showing uncommon dialogs, security warnings, …? Does the message ask for actions like opening a document, downloading a file, entering credentials, …?). In general, common sense together with a little bit of paranoia is a good combination to stay safe on the internet.”
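René’s advice to “precisely check the sender (misspelling, different domain, …)” is exactly the check a mail gateway can automate. The following is an added example, not René’s code, of a classifier that compares a sender’s domain against a list of trusted domains and flags the three common lookalike tricks: a visually similar character substitution, a one-character typo, and the trusted name used as a subdomain of an unrelated domain. The trusted domains and sample addresses are constructed; the `.example`, `example.com` and `example.org` names are reserved documentation names.

```python
"""Flag sender addresses whose domain looks like, but is not, a trusted domain.

Added example for this interview (not René Freingruber's code). The trusted
domains and the sample senders are constructed; example.com, example.org and
the .example TLD are reserved for documentation and never route anywhere.
"""
import re

# Constructed list of domains this organization treats as its own.
TRUSTED = {"example.com", "corp.example.org"}

# Character sequences commonly swapped for visually similar ones. Mapping both
# sides to the same canonical form makes "exarnple.com" compare equal to
# "example.com" (rn -> m) and "examp1e.com" compare equal too (1 -> l).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def skeleton(domain):
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Plain edit distance; one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Domain part of an address such as 'Name <user@host>' or 'user@host'.
    Returns None when there is no address to check."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def classify(address):
    """One of: trusted, lookalike, external, invalid."""
    dom = sender_domain(address)
    if dom is None:
        return "invalid"
    if dom in TRUSTED:
        return "trusted"
    for t in TRUSTED:
        # A real subdomain of a trusted domain is under the same registrant.
        if dom.endswith("." + t):
            return "trusted"
        # Trusted name used as a prefix under someone else's domain,
        # e.g. example.com.evil-host.example
        if dom.startswith(t + "."):
            return "lookalike"
        # Homoglyph substitution or a single-character typo.
        if skeleton(dom) == skeleton(t) or levenshtein(dom, t) <= 1:
            return "lookalike"
    return "external"


# Constructed sample senders covering each outcome.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",             # trusted
    "Payroll <payroll@mail.example.com>",          # trusted subdomain
    "IT Helpdesk <helpdesk@exarnple.com>",         # rn -> m homoglyph
    "IT Helpdesk <helpdesk@examp1e.com>",          # digit 1 for letter l
    "HR <hr@example.com.evil-host.example>",       # trusted name as a subdomain
    "Vendor <sales@partner.example>",              # unrelated external sender
    "no-at-sign",                                  # nothing to check
]


def check_all(addresses):
    return {a: classify(a) for a in addresses}


if __name__ == "__main__":
    for addr, verdict in check_all(SAMPLES).items():
        print(f"{verdict:9s} {addr}")
```

The three rules are deliberately cheap so they can run on every inbound message; a verdict of `lookalike` is the one that deserves a visible warning banner or quarantine, while `external` is simply information. The skeleton step does the heavy lifting for the “misspelling” case René mentions, because a one-character edit distance alone would miss a substitution that changes two characters, as `rn` for `m` does.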
That healthy paranoia is almost always accompanied by a strong passion for infosec when it comes to DefCamp speakers. René is no exception when he talks about what fascinates him the most about his field of work.
“We are currently living in exciting times. There is so much research and impressive work available on the internet from awesome people from whom we can learn. At the same time, there is a huge field of unexplored knowledge where new, previously unknown topics can be researched. I think that is what fascinates me the most – I can start my computer, read for weeks, months or even years about a topic, then work on an idea where I think I can implement something better, then discover that someone else on the other side of the globe already had the same or a similar idea, then read his thoughts on the topic and after that combine the ideas to come up with something completely new.
We are also living at a time when software has many bugs which we as researchers and security consultants can hunt and exploit.
At the same time, most low-hanging fruit has been eliminated, which means that the required skill level and effort are at a good height. If exploitation is possible in 5 minutes, the hack would be simple and boring. If, on the other hand, exploitation requires weeks or even months of work and the combination of several smaller vulnerabilities (like browser exploits or chained web vulnerabilities), it can become a really cool hack and the happiness when it is finally working is much bigger. If the discovery of a vulnerability required too much time, most people would get frustrated and stop trying. And this is exactly what makes the current time so exciting. It’s hard to find interesting flaws in standard software (which was maybe already audited several times) but, at the same time, it’s not too hard to get frustrated. And because it’s hard, it’s fun when the exploit is finally working.”
Right at the very end, we asked René to envision what he’d work on today if he were to start anew in the infosec field. His answer might help provide some guidance for the young researchers who will attend DefCamp this year.
“I would no longer start with memory corruption exploitation or reverse engineering because this field is getting harder and harder every year”, says René. “Instead, I would nowadays start with research on web topics, social engineering, crypto or internal network/domain security. Because of the excellent work from operating system, compiler and browser developers, new memory corruption protections are developed every year, which makes exploitation harder and harder. IoT (and kernel vulnerabilities) counteracts this because many devices do not support these protections, but I think in some years the required skill level and workload to find and exploit bugs will be relatively high in this field as well. Moreover, it’s a good idea to start in a big security company because the technical security team is diverse and therefore it’s possible to learn from many colleagues who are experts in different fields. This helped me a lot when I joined SEC Consult five years ago.”
René will be at DefCamp this year not only to give a presentation on Fuzzing closed source applications but also to “meet awesome people, share ideas and thoughts and learn new things”. It’s not too late to join him!
Interview and editing by Andra Zaharia.
DefCamp 2017 is powered by Orange România and it’s organized by the Cyber Security Research Center from Romania (CCSIR) with the support of Ixia, a Keysight Business as a Platinum Partner, and with the help of Bitdefender, SecureWorks, Amazon, Enevo Group and Bit Sentinel.