Pay It Forward: Don’t get lazy!

I was brutally reminded yesterday how important it is to keep an eye on things when you are updating systems rapidly.

I’ve been updating my vulnerability scanners almost as quickly as the vendor has been releasing updates. To date I’ve run numerous scans using one of their canned scanning policies. However, with one of their updates they changed the default behavior of the policy and it now aggressively attacks domain accounts by default.

The scan I happened to be running was of a server subnet in one of our offices overseas. It was after-hours for the local office so I knew I had time to recover if anything happened. However, we have a domain controller in that office and the vulnerability scanner enumerated domain accounts and started attacking them, locking them out very quickly.

Offices started calling the enterprise admin, who sits next to me, complaining to him that AD was going berserk and accounts were locking themselves out. Luckily we figured out what was going on quickly enough for me to stop the scan and for him to do a wide-scale unlocking of accounts.

Lessons learned:

  1. Don’t use the canned policies if they get replaced with new, updated versions. Copy the policy and work with the renamed copy.
  2. Always check what has changed with vendor updates before you implement the updates. Don’t let yourself get comfortable and lazy.

Additional thoughts I had after the fact:

  1. This would be a great diversion for a real attack. Make some noise over here, while I attack a file server over there.
  2. This would also be a great way to get a single account unlocked for you. Say you were attacking one account but just can’t get in and now it’s locked out. Well, launch a massive attack on a large number of accounts and the organization will have to choose whether to leave those accounts locked out while they investigate, leaving numerous users idle, or unlock all accounts and try to investigate afterwards.

Granted, that is noisy and sloppy, but in some organizations that don’t have the resources or skills to do proper investigations it might just do the trick.
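Both the scanner incident above and the "diversion" scenario show up the same way on the domain controller: a burst of account lockouts, all attributed to one caller computer. The following is an added example (not from the original post) of detection logic that a defender could run over exported lockout events to flag such a burst and name the source host. It consumes constructed sample lines loosely modelled on Windows Security event 4740 (account lockout), whose "Caller Computer Name" field identifies the machine that triggered the lockout; the whitespace-separated line layout, host names and account names are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for this example. Each line is
#   timestamp  event_id  locked_account  caller_computer
# The layout is an assumption; real 4740 events are XML/EVTX, but the
# fields used here (locked account, Caller Computer Name) exist in them.
SAMPLE_LOG = """\
2024-03-12T22:01:03 4740 jsmith SCANNER01
2024-03-12T22:01:04 4740 mlee SCANNER01
2024-03-12T22:01:04 4740 akhan SCANNER01
2024-03-12T22:01:05 4740 svc_backup SCANNER01
2024-03-12T22:01:06 4740 rgarcia SCANNER01
2024-03-12T22:01:07 4740 tnguyen SCANNER01
2024-03-12T22:30:15 4740 jdoe WKSTN-17
2024-03-13T09:12:44 4740 jdoe WKSTN-17
"""


def parse_lockouts(text):
    """Parse lockout lines into (timestamp, account, caller) tuples, keeping only event 4740."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, caller = line.split()
        if event_id != "4740":
            continue
        events.append((datetime.fromisoformat(ts), account, caller))
    return events


def find_lockout_bursts(events, window=timedelta(minutes=5), min_distinct_accounts=5):
    """Return {caller: peak_distinct_accounts} for callers that locked out at least
    `min_distinct_accounts` distinct accounts inside any sliding `window`.

    A single user mistyping a password locks out one account repeatedly and is
    ignored; a scanner or a noisy diversion hits many accounts in seconds."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))

    alerts = {}
    for caller, items in by_caller.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window` of time.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {acct for _, acct in items[start:end + 1]}
            if len(distinct) >= min_distinct_accounts:
                alerts[caller] = max(len(distinct), alerts.get(caller, 0))
    return alerts


def affected_accounts(events, caller):
    """List the distinct accounts a given caller locked out, i.e. the unlock list
    for a bulk recovery once the source has been stopped."""
    return sorted({acct for _, acct, c in events if c == caller})


if __name__ == "__main__":
    evts = parse_lockouts(SAMPLE_LOG)
    for caller, count in find_lockout_bursts(evts).items():
        print(f"ALERT: {caller} locked out {count} distinct accounts within 5 minutes")
        print("  accounts to unlock:", ", ".join(affected_accounts(evts, caller)))
```

Grouping by caller computer is the point: the alert names the host generating the lockouts, which in the incident above would have pointed straight at the scanner, and in the diversion case separates the noisy source from whatever else is happening on the network. The threshold and window are starting values; tune them against your own baseline of normal lockout volume.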
