The Anatomy of Compromise
One of my demented hobbies is watching old infosec talks and then seeing how well they hold up to modern times. Recently I excavated Metlstorm's 2017 BSides Canberra https://www.youtube.com/watch?v=OjgvP9UB9GI&list=TLGGvAY1CcIr-AcyNjEwMjAyNA talk on "How people get hacked" - a pretty generic topic that gives a lot of room for opinion, and one a lot of people have opined on, but the talk itself has a lot of original things to say. In particular, there's a huge disconnect between how people get hacked and how defenders and policy makers think people get hacked and choose to defend against them - which anyone on this list already knows - I think we are all aware that defensive strategies in cyber are rarely based on available data.
The Three-Act Play of Compromise
Here is how people get hacked, according to Metlstorm:
1. Find something with 1FA and crack it open (or just phish the creds). (Everything in "Secure By Design" is meant to address this part of the problem.)
2. Get Domain Admin and hang onto it.
3. Watch the person who does the important stuff (like SWIFT transfers) and secretly do their job for them.
Metlstorm goes into the Active Directory hacking that we all know and love in great detail. His toolbox from 2017 (Kerberoasting, Group Policy files, password spraying, etc.) is still largely relevant today, despite Dwizzle's best work - and he points out that removing an attacker who has once had domain admin is practically impossible, even though we all pretend it is to the SEC (a painful truth we don't deal with at all in industry, unless Wiz has a product line here I don't know about).
But the pattern he's really describing is the understanding that individual vulnerabilities and Active Directory "features" are as relevant to systemic compromise as individual genes are to having an arm with five wiggly bits at the end. Metlstorm picks on Active Directory and its cousin SharePoint quite a bit, but his point is not that we should blame Active Directory so much as ourselves - we all installed something huge and complex we didn't understand and then put the keys to our kingdoms in it.
Part of the reason he doesn't blame AD is that Metlstorm, even before the SolarWinds and Kaseya compromises happened, was obsessed with supply chain weaknesses - or rather, he clearly looks at it not as a supply chain but as a supply web, where compromise propagates through trust relationships like signals through a neural network.
And this is where Metlstorm's talk becomes particularly interesting in retrospect. While we were all obsessing over Domain Admin and Exchange bugs in 2017, he was pointing at MSPs and software providers saying "that's where the real action is." In the years since, we've seen exactly this pattern play out in increasingly sophisticated ways:
- SolarWinds and Kaseya (2020-2021) showed us what happens when attackers compromise either a build pipeline or an MSP's distribution system
- Recent MSSP breaches that none of us will ever hear about unless the GCSB decides to write them up
Each of these compromises followed Metlstorm's basic thesis: why hack 1000 companies when you can hack the one company they all trust? The attackers don't see individual organizations - they see connection points, trust relationships, and privileged channels that can be repurposed. Seven years later, this view has proven devastatingly accurate.
Metlstorm calls himself an "operational hacker" - different from your Brett Moore style "Research Hacker" who's all about finding bugs and writing shellcode and various useless stuff like that. For him, operational hacking is about systems thinking: what does each compromise actually get you? And this, as it turns out, is what the talk is really about.
Digital Ecosystems
Using New Zealand as his laboratory, Metlstorm somewhat cheekily shows us organizations not as isolated entities but as nodes in a vast supply web:
- Managed service providers spreading their digital mycelia through thousands of organizations
- "Liz in accounts payable" unknowingly holding the keys to national security
- Domain registrars running code old enough to be geological
This is one of the strengths of the talk - it is backed up by specifics. It is not a vague thought-piece. He takes shots at the whole "I hunt sysadmins" approach as thinking too small! Why hunt sysadmins when you can hunt their managed service providers who already have domain admin? Or, hunt the providers of those providers. It's like a food web of sysadmins.
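The "food web of sysadmins" idea is easy to make concrete: treat every organization as a node and every "holds privileged access into" relationship (RMM vendor into MSP, MSP into customer, registrar into customer) as a directed edge, then ask how far a single compromise propagates. The following is an added example written for this post, not code from the talk or from Metlstorm; the organization names and trust edges are constructed sample data, and the point of the ranking is the defender's one: which third parties concentrate the most transitive reach, and which upstream parties a given organization depends on but cannot test.

```python
"""Supply-web blast radius (added example; names and edges are constructed)."""
from collections import defaultdict, deque

# Constructed sample supply web. (provider, customer) means the provider holds
# admin-equivalent access into the customer's environment. Not real organizations.
SAMPLE_EDGES = [
    ("RMM-Vendor", "MSP-Alpha"),
    ("RMM-Vendor", "MSP-Beta"),
    ("MSP-Alpha", "Bank-1"),
    ("MSP-Alpha", "Retailer-1"),
    ("MSP-Alpha", "Hospital-1"),
    ("MSP-Beta", "LawFirm-1"),
    ("MSP-Beta", "Bank-1"),
    ("Registrar-1", "MSP-Beta"),
    ("Registrar-1", "Retailer-1"),
    ("Bank-1", "Bank-1-Subsidiary"),
]


def build_graph(edges):
    """Return an adjacency map provider -> set(customers) and the full node set."""
    graph = defaultdict(set)
    nodes = set()
    for provider, customer in edges:
        graph[provider].add(customer)
        nodes.update((provider, customer))
    return graph, nodes


def blast_radius(graph, start):
    """Organizations transitively reachable from a compromise of `start`
    (excluding `start` itself), found by breadth-first search over trust edges."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        # .get() with a default avoids inserting keys into the defaultdict
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def upstream_exposure(graph, target):
    """Every organization whose compromise would transitively reach `target`:
    the set a defender at `target` depends on but cannot test themselves."""
    return {n for n in list(graph) if target in blast_radius(graph, n)}


def rank_by_blast_radius(edges):
    """Rank every node by how many organizations its compromise reaches,
    largest first, ties broken by name."""
    graph, nodes = build_graph(edges)
    return sorted(
        ((node, len(blast_radius(graph, node))) for node in nodes),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for name, size in rank_by_blast_radius(SAMPLE_EDGES):
        print(f"{name:20s} reaches {size} organization(s)")
    g, _ = build_graph(SAMPLE_EDGES)
    print("Bank-1 is transitively exposed to:", sorted(upstream_exposure(g, "Bank-1")))
```

On the sample data the registrar, which nobody in the web thinks of as "their MSP", reaches more organizations than either MSP does, which is exactly the hunt-the-providers-of-the-providers point; a real inventory would replace the constructed edges with the third-party access list from contracts, conditional-access logs, and delegated-admin relationships.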
His best examples are massive US companies (the NYT, for example) that got owned through tiny companies in NZ - big by NZ standards maybe, but microscopic globally.
The Observer Effect
What Metlstorm as an attacker sees everywhere he looks is large systems that are "commercially untestable" - creating a fundamental disconnect between risk and reality. When you outsource your domain admin to a global megacorp (or your local Kiwi-buds), you create a quantum state of security - simultaneously compromised and secure until someone attempts to measure it.
You:
- Can't test their security
- May not know if they're compromised
- Certainly can't perform incident response
- But get a lovely compliance certificate to frame
Recent compromises prove what Metlstorm saw in 2017: while defenders obsess over hardening their membranes via the magic of secure by design (or paying "$6 a month for MFA"), attackers traverse the supply web and pick on whatever provider seems easiest to own.
The reality is that no organization exists in isolation any more than a neuron functions alone. Your security isn't just your controls - it's every provider, vendor, and service in your supply web, each one a potential firing synapse of compromise.
*Solutions*
He rightfully calls out that we will not solve these problems. So an A for Accuracy. Very fun talk, worth your time, highly recommended, 10/10 would listen to again in the car on the way to a house built at sea level in a hurricane zone.
-dave
dailydave@lists.aitelfoundation.org