Why the heck are you still using a DMZ segment???

It doesn’t matter how talented the developer is, every Application facing the internet can be breached, will be breached or already breached.

DMZ is an old concept where you have less secure/untrusted network segment which is reachable through the internet to provide some services to your corporate users like mail gateway, vpn, webApp, etc… but the problem is that in most cases it has backend connection to the internal network, through firewall, like it supposed to help… :-(

Hackers has basically 3 common ways to breach your network:

1. Social engineer and send phishing email, client side attack.

2. Compromise public websites and upload malware to be used for drive-by-download, client side attack.

3. Hack your DMZ or any Application facing the internet and from there finding a way to pivot to your internal network.

*There are more ways of course but this is as of today definitely the majority.

Let’s base my “theory” with some real life examples:

In nutshell Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, and other threats to their power.

The hacker (according to his version) didn’t choose phishing email technique because hacking team was using phishing as their day-to-day operation to hack other people so he wanted a more stealthy method and not raising any flag for the first intrusion.

He found out that on their public network segment there’s a web server running Joomla, a mail server, a couple routers, two VPN appliances, and a spam filtering appliance.

Personally I would choose Joomla, tons of exploits and ways to get in but he chooses eventually to write 0day for one of the embedded devices there.

From that point where the hacker has physical access from the DMZ to the internal network it’s not the easiest job but for a professional hacker it’s just a matter of time to find the right vulnerability, mis-configuration or any credential to lead to the crown jewels on the internal network, Game-Over.

Sources:

http://pastebin.com/raw/0SNSvyjJ

OWA

Outlook-Web-Access is another old concept where you are exposing your mail server as an http/https server to provide remote email access to your corporate users, it’s a real “candy” for hackers since exchange server is usually connected to the Domain Controller which means from an attacker point of view I can intercept pretty easily Domain Admin and other high privileged accounts.

A real live attack example was captured by Cybereason, they found a dll injection backdoor in their customer OWA server which managed to capture 11,000 corporate identities and from there the attacker can access any resource which belong to any user in the domain.

Another allegedly incident was Panama Papers where their OWA was last update on 2009 which makes it easy intrusion and later access to any email on that exchange server.

**on the panama papers incident it’s unclear what was the first intrusion, it has some other shameful entry points like joomla and wordpress connected to the internal network.

Sources:

http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Webmail-Sever-APT.pdf

http://www.wired.co.uk/article/panama-papers-mossack-fonseca-website-security-problems

Remote VPN’s

Most of the popular VPN’s today are using “agent-less” SSL VPN option which means you have https server facing the entire world exposed to web and injection attacks.

This is one of the most popular and powerful attack vector since you can have an immediate access to Admin credentials and then you basically have an easy pivoting and clear path to anywhere in the network.

One of the easiest hack is just paying to a corporate user for a legitimate identity so I can access remotely through the VPN to the internal network and install whatever I want without being physically in the company’s offices.

A more complex attack scenario is hacking the VPN http server and place a backdoor to intercept credentials, because it is very common to connect your Domain Controller to your VPN in order to provide a single-sign-on to your users, placing a backdoor inside the VPN makes it very powerful to attackers.

Sources:

http://www.securityweek.com/attackers-target-organizations-cisco-webvpn

http://www.theverge.com/2015/12/22/10638482/juniper-networks-vpn-vulnerability-backdoor

Conclusions

Today almost any possible service has SAAS implementation which means you don’t need to risk your internal network anymore, you can move almost any App or service to the cloud very easily, so please please stop exposing your network to the internet like it’s 2005!!!

Isolate your production Data-Center network from the Enterprise network and use different management identities, it makes hacker’s life much harder.

I agree that in some rare cases you need to have remote services to your corporate users but there’s no justification to provide hackers easy access like username and password only to compromise your entire network only because it’s easier from operation admin point of view.

You have to treat your remote co-workers as an hostile environment which need to limit the access for any service they use remotely(also internally but it requires a different post).

Think worst case scenario for every service you have and every part in your network as hacker owned.