The Anatomy of Compromise
One of my demented hobbies is watching old infosec talks and then seeing
how well they hold up to modern times. Recently I excavated Metlstorm's
2017 BSides Canberra
<https://www.youtube.com/watch?v=OjgvP9UB9GI&list=TLGGvAY1CcIr-AcyNjEwMjAyNA>
talk on "How people get hacked" - a pretty generic topic that gives a lot
of room for opinion, and one a lot of people have opined on, but the talk
itself has a lot of original things to say. In particular, there's a huge
disconnect between how people get hacked and how defenders and policy
makers think people get hacked and choose to defend against them - which
anyone on this list already knows - I think we are all aware that defensive
strategies in cyber are rarely based on available data.
The Three-Act Play of Compromise
Here is how people get hacked, according to Metlstorm:
1. Find something with 1FA and crack it open (or just phish the creds)
(Everything in "Secure By Design" is meant to address this part of the
problem)
2. Get Domain Admin and hang onto it
3. Watch the person who does the important stuff (like SWIFT transfers)
and secretly do their job for them
Metlstorm goes into the Active Directory hacking that we all know and love
in great detail. His toolbox from 2017 (Kerberoasting, Group Policy files,
password spraying, etc.) is still largely relevant today, despite Dwizzle's
best work. He also points out that removing an attacker that has once had
domain admin is practically impossible, even though we all pretend it is to
the SEC (a painful truth we don't deal with at all in industry, unless Wiz
has a product line here I don't know about).
But the pattern he's really describing is the understanding that individual
vulnerabilities and Active Directory "features" are as relevant to systemic
compromise as individual genes are to having an arm with five wiggly bits
at the end. Metlstorm picks on Active Directory and its cousin Sharepoint
quite a bit, but his point is not that we should blame Active Directory so
much as ourselves - we all installed something huge and complex we didn't
understand and then put the keys to our kingdoms in it.
Partially he doesn't blame AD because Metlstorm, even before the SolarWinds
and Kaseya compromises happened, was obsessed with supply chain weaknesses
- or rather he clearly looks at it not as a supply chain but a supply web,
where compromise propagates through trust relationships like signals
through a neural network.
And this is where Metlstorm's talk becomes particularly interesting in
retrospect. While we were all obsessing over Domain Admin and Exchange bugs
in 2017, he was pointing at MSPs and software providers saying "that's
where the real action is." In the years since, we've seen exactly this
pattern play out in increasingly sophisticated ways:
- SolarWinds and Kaseya (2020-2021) showed us what happens when
attackers compromise either a build pipeline or an MSP's distribution system
- Recent MSSP breaches that none of us will ever hear about unless the
GCSB decides to write them up
Each of these compromises followed Metlstorm's basic thesis: why hack 1000
companies when you can hack the one company they all trust? The attackers
don't see individual organizations - they see connection points, trust
relationships, and privileged channels that can be repurposed. Seven years
later, this view has proven devastatingly accurate.
Metlstorm calls himself an "operational hacker" - different from your Brett
Moore style "Research Hacker" who's all about finding bugs and writing
shellcode and various useless stuff like that. For him, operational hacking
is about systems thinking: what does each compromise actually get you? And
this, as it turns out, is what the talk is really about.
Digital Ecosystems
Using New Zealand as his laboratory, Metlstorm somewhat cheekily shows us
organizations not as isolated entities but as nodes in a vast supply web:
- Managed service providers spreading their digital mycelia through
thousands of organizations
- "Liz in accounts payable" unknowingly holding the keys to national
security
- Domain registrars running code old enough to be geological
This is one of the strengths of the talk - it is backed up by specifics. It
is not a vague thought-piece. He takes shots at the whole "I hunt
sysadmins" approach as thinking too small! Why hunt sysadmins when you can
hunt their managed service providers who already have domain admin? Or,
hunt the providers of those providers. It's like a food web of sysadmins.
His best examples are massive US companies (NYT, f.e.) that got owned
through tiny companies in NZ - big by NZ standards maybe, but microscopic
globally.
The Observer Effect
What Metlstorm as an attacker sees everywhere he looks is large systems
that are "commercially untestable" - creating a fundamental disconnect
between risk and reality. When you outsource your domain admin to a global
megacorp (or your local Kiwi-buds), you create a quantum state of security
- simultaneously compromised and secure until someone attempts to measure
it.
You:
- Can't test their security
- May not know if they're compromised
- Certainly can't perform incident response
- But get a lovely compliance certificate to frame
Recent compromises prove what Metlstorm saw in 2017: while defenders obsess
over hardening their membranes via the magic of secure by design (or paying
"$6 a month for MFA"), attackers traverse the supply web and pick on
whatever provider seems easiest to own.
The reality is that no organization exists in isolation any more than a
neuron functions alone. Your security isn't just your controls - it's every
provider, vendor, and service in your supply web, each one a potential
firing synapse of compromise.
Solutions
He rightfully calls out that we will not solve these problems. So an A for
Accuracy. Very fun talk, worth your time, highly recommended, 10/10 would
listen to again in the car on the way to a house built at sea level in a
hurricane zone.
-dave
I spent some time watching all the Grace Hopper videos on the youtubes, as
I prepared for what up North is a horrible storm, but here in Miami is, so
far, a breezy and clear day. You can hear her talk about how subroutines
used to be literal handwritten pages of instructions in notebooks. When you
wanted SIN or COS you would go over to whoever had the notebook with the
working version, and copy it out into your code.
It was this experience that guided her as she wrote the first compilers,
but as you listen to her stories you can see her ponder the meta-questions
of computation as well - she uses as the example how a game of basketball
sparked her solution to a troublesome issue in her first single pass
compiler, leading to her writing what must have been the first jump table.
How, she asked herself, can we get a computer to capture this geometry of
the mind? What was it that made her brain think of jump tables while
playing basketball?
When asked about AI, she pooh-poohed theoretical work, and emphasized
practical needs: data processing and expert systems for field commanders.
Hopper's journey from abstract thought to concrete application mirrors our
ongoing struggle in computer science, as does her struggle to get the
military to adopt new technology, which she relates with anecdote after
anecdote - clearly the hardest thing she did in her career was get support
for computers into the Navy bureaucracy.
This year I've attended a birthday and a funeral, and a lot of our
community was at both. But there hasn't been a good offensive-minded
conference for us to attend in the States after INFILTRATE ended. We've
needed one. Our collective knowledge, like Hopper's compiler, builds upon
itself, each pass adding depth and functionality.
Two upcoming conferences, RE:VERSE in Orlando and District:CON in DC, have
now arisen to continue this tradition. They're not just tech showcases, but
gatherings of minds, a hive of soldier ants collected around a temporary
bivouac, each attendee contributing to our shared codebase of ideas, as if
scribbled in a 1950s coder's notebook. We're still trying to capture the
geometry of thought, one exploit at a time. And I hope to see everyone
there!
-dave
Grace Hopper video (best version imho because it includes Q&A - link is to
the AI question):
https://youtu.be/WyGtNvBZ6kk?si=aF4b3elx2vDPPNax&t=5054
Conferences (please buy tickets now before they run out and I am sad):
1. https://re-verse.io/ - Feb 28th in Orlando, FL
2. https://www.districtcon.org/ - Feb 21 in Washington DC