Monday, August 23, 2021

The danger of outbound connections + insider threats

[WhiteHat]

I was working over the weekend to have my OrangePi PC (henceforth referred to as SBC) that sits in a DMZ on my network serve dynamic content. As I don't own a public IP, I resorted to having pwncat + an AWS EC2 instance work for me to get me an HTTP connection as well as a reverse shell on my SBC.

And that got me thinking....

Over the years we have seen an increase in the importance given to IT security. It's a welcome change from the simple firewall rules and default security settings that were once the standard.

One area that still does not get much attention, or, even if it does, is not heard about or discussed much, is the threat of outbound connections combined with insider threats.

Run such connections over port 443 with HTTPS and you have a connection that is usually very difficult to trace, since it blends in with ordinary web traffic.

Exploit an insider, or piggyback on one using a trojan, and you can very easily get into a secure network and then work your way to elevating your privileges on a host / expanding your footprint to further hosts.

The solution: HTTP inspection / SSL inspection, but it has its limitations and you can run all sorts of tricks to get around it, e.g. don't use SSH; instead run an HTTP server that accepts specific keywords and performs tasks.
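Inspection looks at content; a cheaper complementary check looks only at timing. Because a tunnel or trojan that calls out over 443 has to reconnect on a schedule, its connection intervals tend to be far more regular than a person browsing. The script below is an added example, not part of the original post: it parses a few constructed egress log lines (hypothetical `key=value` format, not any specific firewall product), groups them by source/destination pair on port 443 and flags pairs whose inter-connection gaps have a low coefficient of variation.

```python
"""Flag beacon-like outbound 443 connections in firewall egress logs.

Added example. The log format is hypothetical and the sample lines are
constructed; adapt parse_line() to the real product's export format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log lines (hypothetical key=value format).
# Pair 1 reconnects every 30 s with near-identical payload sizes.
# Pair 2 shows irregular, human-like timing and sizes.
SAMPLE_LOG = """\
ts=2021-08-21T10:00:00 src=10.0.2.15 dst=203.0.113.10 dport=443 proto=tcp bytes_out=512
ts=2021-08-21T10:00:30 src=10.0.2.15 dst=203.0.113.10 dport=443 proto=tcp bytes_out=498
ts=2021-08-21T10:01:00 src=10.0.2.15 dst=203.0.113.10 dport=443 proto=tcp bytes_out=507
ts=2021-08-21T10:01:30 src=10.0.2.15 dst=203.0.113.10 dport=443 proto=tcp bytes_out=511
ts=2021-08-21T10:02:00 src=10.0.2.15 dst=203.0.113.10 dport=443 proto=tcp bytes_out=503
ts=2021-08-21T10:00:05 src=10.0.2.20 dst=198.51.100.7 dport=443 proto=tcp bytes_out=2048
ts=2021-08-21T10:03:41 src=10.0.2.20 dst=198.51.100.7 dport=443 proto=tcp bytes_out=91234
ts=2021-08-21T10:09:12 src=10.0.2.20 dst=198.51.100.7 dport=443 proto=tcp bytes_out=4096
ts=2021-08-21T10:15:00 src=10.0.2.20 dst=198.51.100.7 dport=443 proto=tcp bytes_out=300
ts=2021-08-21T10:16:22 src=10.0.2.20 dst=198.51.100.7 dport=443 proto=tcp bytes_out=7000
"""


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict with typed ts/dport/bytes_out."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["dport"] = int(fields["dport"])
    fields["bytes_out"] = int(fields["bytes_out"])
    return fields


def find_beacons(log_text, min_events=4, max_cv=0.2, port=443):
    """Return (src, dst) pairs on `port` whose connection gaps are too regular.

    cv = population stdev / mean of the gaps between consecutive connections.
    A cv near 0 means machine-like, fixed-interval reconnects; human traffic
    to the same host is bursty and lands well above max_cv.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != port:
            continue
        by_pair[(rec["src"], rec["dst"])].append(rec["ts"])

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:          # too few samples to judge timing
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:                            # duplicate timestamps; skip
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "mean_gap_s": round(m, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {hit['src']} -> {hit['dst']}:443 "
              f"every ~{hit['mean_gap_s']}s over {hit['events']} events (cv={hit['cv']})")
```

Run against real exports, the thresholds need tuning: legitimate software updaters and monitoring agents also poll on fixed intervals, so the output is a triage list to join against an allow-list of known destinations, not an alert on its own. The check is also defeated by tunnels that add random jitter or reconnect rarely, which is why the post's point stands: timing analysis narrows the haystack, but inspection of the traffic itself is what lets you see what is being carried.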

I hope to see many more organizations use an inspection solution so that this threat can be mitigated to quite an extent.
