The Return of Cyber UK 2022

davey.mcglade
Published in Version 1
May 15, 2022 · 11 min read

For those that don’t know, CyberUK, created by the National Cyber Security Centre (NCSC), is the UK government's flagship security event, designed to inform and educate attendees on the very latest thinking on Cyber Security.

ICC Wales — CyberUK 2022 Venue

Speakers from Industry, Government, and Academia cover topics ranging from technical deep dives to the push to bring more Cyber education into schools.

The event usually has big-name speakers such as UK Government Ministers and leaders from GCHQ or the US National Security Agency. This time we had Sir Jeremy Fleming, Director of GCHQ; Steve Barclay, Chancellor of the Duchy of Lancaster; Lindy Cameron CB OBE, CEO of the National Cyber Security Centre (fun fact: both the current CEO of the NCSC and the former CEO, Ciaran Martin CB, are from N. Ireland); Damian Hinds, Security Minister; Jen Easterly, Director of US CISA; and Rob Joyce, Director of Cyber Security at the US NSA.

This is my 4th visit to a CyberUK event, with previous iterations taking place in Liverpool, Manchester, and Glasgow. It was great to be at the event, and I really do think it sets the UK apart in terms of Cyber Security Leadership and guidance. Well done NCSC.

You can watch a portion of the content on the CYBERUK ONLINE YouTube channel, and I’ve captured some of my session notes below. Before that, though, here is a TL;DR of the general points I found interesting from the event:

TL;DR

  • Indications are that Russia’s cyber operatives continue to look for targets in countries that are opposing their actions.
  • BT observed a 62% increase in traffic on their networks during lockdown, and 6,500 cyber-attacks every 24 hours.
  • 921 password attacks happen every second across Microsoft’s estate.
  • The National Cyber Force is actively disrupting organised criminal gangs. This means tens of millions of pounds in potential fraud has been avoided.
  • For the first time, the UK now has a National Cyber Strategy. We must all work together to raise Cyber Resilience.
  • Microsoft RAMP is a great approach for getting good practices for Privileged Access applied in a consistent way.
  • It’s useful to create a super-strong emergency access account that is not MFA-enabled, in case MFA becomes unavailable and you get locked out.
  • Secure by Design should be the default. We need to move away from a rigid accreditation process to one that balances speed with security.
  • “NCSC has seen no evidence that Public Cloud will be able to meet ‘Secret’ level”.
  • CyberUK is in Belfast next year! (A much easier destination to get to than Newport, Wales)

Some of my session notes are below for those who are interested. I’ll finish this part by saying that the general vibe from the conference was that:

  1. There is no longer any separation between an organisation and the people that work for the organisation. Be aware of what you share. Your organisation may very well be a target for Cyber intrusion.
  2. Due to the pandemic, a lot more of our work and lives are online. A huge number of organisations have transitioned successfully to remote working, but that means that we need to be extra vigilant, because we aren’t in secure work environments anymore; we’re at home, using our home networks. See point 1.
  3. Industry and Government must continue to work together. Supply chains must be protected. (Author — One panel member wanted to bring in fines for poor supply chain management. I don’t think we’ll get to that stage, because it isn’t practical, but I do expect a lot more diligence being expected on how we construct software, and where we get libraries and frameworks from)

Technical Masterclasses 1: Protecting the keys to the kingdom — Adopting an effective privileged access strategy — Understand the importance of protecting privileged accounts and how to adopt an effective privileged access strategy for your organisation based on Microsoft’s Security Rapid Modernization Plan. This session introduces the roadmap and discusses the key elements for success, allowing delegates to implement effective changes across their own estates.

Microsoft RAMP

This session doesn’t appear to be online, but it focused on understanding the Microsoft Rapid Modernisation Plan (RAMP, documented by Microsoft as ‘Rapidly modernize your security infrastructure’), which is Microsoft’s recommended privileged access strategy.

Interestingly, there are 921 password attacks every second (see the Microsoft Security Blog post ‘This World Password Day consider ditching passwords altogether’ for more details).

A key message before implementing RAMP is that you should focus on getting the basics right first for your organisation. Avoid using only single-factor authentication (e.g., just passwords), implement AD security, harden your endpoints, and apply network segregation. Oh, and limit macro execution. This is all great advice and it’s useful to see it put together in a concise way that explains not just the ‘What’, but the ‘Why, How, Who’ and most importantly, how to measure success. This content could easily be turned into a quick checklist for legacy environment reviews.

A really interesting point was to create a super-secure, non-MFA emergency access account, because what happens if MFA goes offline? This has happened before: Microsoft 365 MFA outage locks users out of their accounts (bleepingcomputer.com).

The session also provided the following key points:

  • Implement Azure Privileged Access Management: this provides time-based and approval-based activation. Showing the location the authentication request is coming from is advised too, as it avoids users blindly clicking ‘approve’ on a Monday morning. You can also get a weekly summary email of access requests.
  • Use MS Defender for Identity: Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.
  • Enable SSPR (Self Service Password Reset): Basically, enable users to reset their own passwords, leading to happier users and lower support desk effort/cost.
  • Protect Admin Accounts: Enable Azure MFA across all administrator roles. Require administrators to use passwordless sign-in methods such as FIDO2 security keys or Windows Hello for Business in conjunction with unique, long, complex passwords. Enforce this change with an organisational policy document.
  • Block Legacy Authentication: it’s always tricky to know exactly what is accessing your legacy systems. Organic growth means that lots of apps could be quietly connecting to your back-end databases. In a previous engagement I was involved in, we determined which legacy apps were accessing sensitive areas by dropping a firewall in front of the legacy app and blocking all ports. You can then gradually trace the ingress and egress traffic to determine which app is connecting via which port.
  • Disable User Consent: In short, stop users from increasing your organisation's risk profile, by prohibiting them from consenting to an app that could maliciously access your organisation's data.
  • Manage risk at user sign-on: Enable Azure AD Identity Protection and clean up any risks that it finds. This includes looking for weak or compromised passwords.
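Two of the items above are the hardest to action in practice: knowing who still depends on legacy authentication before you block it, and spotting password attacks at sign-on (the attacks behind the 921-per-second figure usually target legacy protocols precisely because they bypass MFA). The script below is an added example of mine, not from the session or from Microsoft, that runs both checks over a constructed set of sign-in records shaped like the Azure AD sign-in log fields userPrincipalName, clientAppUsed, ipAddress, errorCode and createdDateTime. The legacy client app names are a subset of the values Microsoft documents and should be confirmed against your own tenant; the sample records, the spray threshold and window are my assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client app names the Azure AD sign-in log reports for legacy (non-modern) authentication.
# Assumption: subset of Microsoft's documented list; confirm against your tenant's own log.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP", "POP", "SMTP",
    "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "AutoDiscover", "Other clients",
}
INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password


def legacy_auth_inventory(events):
    """Which users successfully signed in over a legacy protocol, and which ones.
    This is the list to clean up before you flip the Conditional Access block."""
    users = defaultdict(set)
    for e in events:
        if e["errorCode"] == 0 and e["clientAppUsed"] in LEGACY_CLIENT_APPS:
            users[e["userPrincipalName"]].add(e["clientAppUsed"])
    return {u: sorted(apps) for u, apps in sorted(users.items())}


def detect_password_spray(events, min_users=3, window=timedelta(minutes=10)):
    """Flag source IPs that fail credentials against >= min_users distinct accounts
    inside a sliding time window: one wrong password per user is a typo, one wrong
    password per user across many users from one address is a spray."""
    failures = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            when = datetime.fromisoformat(e["createdDateTime"])
            failures[e["ipAddress"]].append((when, e["userPrincipalName"]))
    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        start, best = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({u for _, u in attempts[start:end + 1]}))
        if best >= min_users:
            findings.append({"ipAddress": ip, "distinctUsers": best})
    return findings


# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2022-05-09T08:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.10", "clientAppUsed": "Browser", "errorCode": 0},
    {"createdDateTime": "2022-05-09T08:01:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.11", "clientAppUsed": "IMAP", "errorCode": 0},
    {"createdDateTime": "2022-05-09T08:02:00", "userPrincipalName": "carol@example.com",
     "ipAddress": "192.0.2.12", "clientAppUsed": "Exchange ActiveSync", "errorCode": 0},
    {"createdDateTime": "2022-05-09T08:03:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.11", "clientAppUsed": "Browser", "errorCode": 0},
    # one address trying a single password against four accounts in 90 seconds
    {"createdDateTime": "2022-05-09T09:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "errorCode": 50126},
    {"createdDateTime": "2022-05-09T09:00:30", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "errorCode": 50126},
    {"createdDateTime": "2022-05-09T09:01:00", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "errorCode": 50126},
    {"createdDateTime": "2022-05-09T09:01:30", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.9", "clientAppUsed": "Other clients", "errorCode": 50126},
    # a genuine typo from a single user is not a spray
    {"createdDateTime": "2022-05-09T09:05:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser", "errorCode": 50126},
]

if __name__ == "__main__":
    print("Still on legacy auth:", legacy_auth_inventory(SAMPLE_SIGNINS))
    print("Spray candidates:", detect_password_spray(SAMPLE_SIGNINS))
```

Run against an export of the real sign-in log (for example from Log Analytics) rather than the embedded sample; the inventory tells you which mailboxes and service accounts to migrate first, and the spray findings are the "manage risk at sign-on" signal Identity Protection automates for you.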

The presenters then talked about Microsoft PAWs (Privileged Access Workstations). The key point in this part of the talk is that ‘if your laptop is compromised, then your PAW is compromised’. You need to trust the hardware as well, hence the drive to adopt Secured-core PCs (see ‘Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks’ on the Microsoft Security Blog).

The closing points of this session were that all these things mentioned above are useful, but they do come with licensing and administration efforts. That being said, Microsoft RAMP looks like a very useful tool for quickly protecting your organisation's data and assets.

Technical Masterclasses 2: What do attackers do when they get in? This masterclass will cover how attackers move around your network, how you can make that harder and how you can spot them doing it. We’ll cover common lateral movement tools and techniques, how you can safely test to make sure that they won’t work on your estate or how to detect them if blocking them isn’t possible.

This session was ‘ok’. It focused on tooling that an attacker would use once they get access to an environment. I’ve listed some of these tools below, but I felt that it focused more on the tooling and less on ‘spotting the attacker or the testing element’. The session also jumped straight to having a foothold on the system, which misses out a huge part of the pathway to compromising a system.

A useful quote from the session was that often we hear the phrase ‘An attacker only needs to be right once to get access to your system.’ The presenter expanded on this to say ‘While this is true, the inverse happens when the attacker does get a foothold: then the roles are reversed, and the defender only has to spot them once.’ The lesson here is that you need to have robust monitoring and auditing systems in place and act upon the information.

The tools mentioned were:

  • Bloodhound — Bloodhound is a tool allowing for the analysis of AD rights and relations, focusing on the ones that an attacker may abuse.
  • PowerView — Enumeration of Users, Computers and Domains via PowerShell.
  • HostRecon — Invoke-HostRecon runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, users, and domain information. It does not use any ‘net’, ‘ipconfig’, ‘whoami’, ‘netstat’, or other system commands to help avoid detection.
  • Mimikatz — extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden Tickets.

It’s interesting to see the tools and approaches used by a professional penetration tester. The one part that was missing from the presentation was the initial foothold onto a machine. Usually, this would be via a reverse shell connecting back to the attacker’s machine. Maybe that part isn’t in scope of the pentest 😊.
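The ‘defender only has to spot them once’ point deserves a concrete illustration, so here is an added example of mine (not from the session) of the kind of detection logic that catches the Mimikatz step above: a read of LSASS memory (Sysmon event 10, ProcessAccess) and the logon pattern left behind by pass-the-hash (Security event 4624, logon type 9 via the seclogo logon process with the Negotiate package). Both heuristics are widely published; the event records are constructed in a simplified form using the real field names, and the allow-list of processes permitted to touch LSASS is an assumption you would tune per estate.

```python
# Sysmon event 10 reports the access mask a source process requested on the target.
# PROCESS_VM_READ (0x10) is what a credential dumper needs on lsass.exe.
PROCESS_VM_READ = 0x0010

# Assumption: security tooling legitimately reads LSASS; replace with your own AV/EDR binaries.
LSASS_ACCESS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def is_lsass_read(event):
    """Sysmon 10: a non-allow-listed process opened lsass.exe with read access to its memory."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"].lower() in LSASS_ACCESS_ALLOWLIST:
        return False
    return int(event["GrantedAccess"], 16) & PROCESS_VM_READ != 0


def is_pth_style_logon(event):
    """Security 4624 with LogonType 9 (NewCredentials), logon process 'seclogo' and the
    Negotiate package is the footprint of pass-the-hash. Caveat: 'runas /netonly'
    produces the same record, so treat this as a lead to corroborate, not proof."""
    return (event.get("EventID") == 4624
            and event["LogonType"] == 9
            and event["LogonProcessName"].strip().lower() == "seclogo"
            and event["AuthenticationPackageName"].lower() == "negotiate")


def triage(events):
    """Return (index, rule, detail) for every event that matches a heuristic."""
    findings = []
    for i, e in enumerate(events):
        if is_lsass_read(e):
            findings.append((i, "lsass-memory-read", e["SourceImage"]))
        elif is_pth_style_logon(e):
            findings.append((i, "pass-the-hash-pattern", e["TargetUserName"]))
    return findings


# Constructed sample events (simplified Sysmon / Windows Security records, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},   # allow-listed AV
    {"EventID": 10, "SourceImage": r"C:\Users\j.smith\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},   # credential dump
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},         # unrelated
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32 ",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "j.smith"},        # console logon
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "administrator"},  # PtH footprint
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc-backup"},          # network logon
]

if __name__ == "__main__":
    for index, rule, detail in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule} ({detail})")
```

The point of the allow-list and the runas caveat is the ‘act upon the information’ half of the lesson: a rule that fires on every AV scan or every admin using alternate credentials will be tuned out, so the detection is only as good as the follow-up it triggers.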

Don’t look back in anger. Start as you mean to go on — unpacking Secure by Design principles — an opportunity to highlight benefits and debunk myths. An introduction to the SbyD concept, focusing on the benefits of breaking out of the traditional accreditation approach and highlighting the risks where programme delivery drives out security considerations, and why designing-in is preferable to retro-fitting. The audience will have the opportunity to ask questions of a panel representing the NCSC, Cabinet Office (CDDO), MoD, Google and Microsoft.

Secure by Design is a super initiative. Instead of treating security as the thing that comes at the end of building software, it should be a first-class citizen during development. I have opinions on this, which are basically that security should begin before you even start formally on the project by understanding the threat to your service.

This is worthy of a blog post in its own right, but essentially it boils down to understanding who wants to attack your systems, identifying the weaker parts of your designs and applying ‘proportional’ security measures. The proportional bit is important here because security must be in balance with usability and cost.

This panel discussion had some great quotes, such as:

  • “Treat security more than a non-functional requirement. It’s a functional requirement now.” [Author — this is a fair point. Every single user story in your backlog should consider security against it. That innocuous postcode lookup you have, what happens if it’s requested 200,000 times a minute?]
  • “It’s not about making an Accreditor happy” [Author — indeed. I’ve seen many organisations focus on just getting past the “Authority to Operate” gates. Security issues can happen at any time, and you may need to react faster than an Accreditor is available. If it takes you 1 day to get a fix in place, and 2 days to get it accredited, something is wrong.]
  • “We go faster on the motorway, but there are no traffic lights. Statistically, motorways are safer. We need to apply this thinking to security” [Author — I absolutely love this quote from a Panel member from Google. If a vulnerability becomes prevalent in the wild, you have a limited window to address it. You need to be able to deploy software changes quickly to patch and mitigate.]

For more information on Secure By Design, have a look at the NCSC website here:

Big risk thinking — Hyperscale to pocket sized, these risks are everywhere — Four short Big Risk Thinking talks on some of our more pervasive Cyber Security technology topics for both now and future, covering: high sensitivity data processing in Cloud environments, why we consider some devices trustable and not others, the benefits and shortcomings in Cloud native processing compared to Cloud portable techniques, and the UK’s advances, position, and direction for Cross Domain Solutions.

Device Security — This was a really interesting session covering whether Apple or Android is more secure (I wrote a paper on this a few years ago, which you can read here; not much has changed really). Apple has more vetting, and Android has more flexibility.

Cloud Security — This was probably one of my favourite talks from the session. Really straight-talking presenter from the NCSC delivering clear unambiguous updates.

NCSC thinking on SECRET data and workloads in Public Cloud

In short: ‘The NCSC does not believe that cloud-native technologies will be available in the public cloud — even on a 10+ year timescale — that will provide adequate protection for SECRET data and workloads.’

The presenter went on to explain three options if this is absolutely needed:

  1. Host data and services in a SECRET level Private cloud.
  2. Appropriately protect data, e.g. encryption at various levels.
  3. Reduce risk, reduce data, and dial the security up to the maximum (Author — obviously this has a cost and usability impact).

Cross Domain Solutions — I’d not really heard it described as such before, but a cross-domain solution is one that connects systems with different threat models, risk profiles or data sensitivities. In short, it’s an integration pattern that covers 3 things: Transform, Verify, Reconstruct.

To give an example, if you uploaded a PDF to a site, there could be executable code within it. The way to neutralise the threat is to transform the file into something innocuous, such as a simple text file, verify that intermediate file, and then rebuild the document from it.

The NCSC has written about this before (see ‘Pattern: Safely Importing Data’ on NCSC.GOV.UK), and this guidance goes to the level of protocol breaks: if you upload a file via TCP, it then continues its journey into your system using another protocol, to protect against TCP itself having a vulnerability.
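To make the Transform, Verify, Reconstruct pattern concrete, here is an added example of mine (not NCSC code, and not the PDF case from the talk) applied to an uploaded HTML document. Transform reduces the untrusted bytes to a list of plain-text paragraphs, discarding every tag, attribute, comment, script and style; Verify checks that intermediate form against a positive specification (size limits, no control or invisible characters) and quarantines anything that fails; Reconstruct builds a brand-new document from the verified text so no byte of the original is copied through. The sample uploads and the limits are constructed for the demonstration.

```python
import html
import unicodedata
from html.parser import HTMLParser

MAX_PARAGRAPHS = 500        # assumed limits for the verify stage
MAX_PARAGRAPH_CHARS = 4000


class _TextExtractor(HTMLParser):
    """Transform stage: keep only the text of block-level elements; drop every
    tag, attribute, comment, script and style so nothing active survives."""
    BLOCKS = {"p", "h1", "h2", "h3", "h4", "h5", "h6", "li", "div", "td", "th", "pre"}
    SKIP = {"script", "style", "template", "noscript", "iframe"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.paragraphs = []
        self._buf = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):      # attributes are never read
        if tag in self.SKIP:
            self._skip_depth += 1
        elif tag in self.BLOCKS:
            self.flush()

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in self.BLOCKS:
            self.flush()

    def handle_data(self, data):
        if self._skip_depth == 0:
            self._buf.append(data)

    def flush(self):
        text = " ".join("".join(self._buf).split())   # collapse whitespace
        if text:
            self.paragraphs.append(text)
        self._buf = []


def transform(raw: bytes) -> list:
    parser = _TextExtractor()
    parser.feed(raw.decode("utf-8", errors="replace"))
    parser.close()
    parser.flush()
    return parser.paragraphs


def verify(paragraphs) -> list:
    """Verify stage: the intermediate form must meet a strict positive spec.
    Returns the list of violations; an empty list means it passes."""
    problems = []
    if len(paragraphs) > MAX_PARAGRAPHS:
        problems.append("too many paragraphs")
    for i, p in enumerate(paragraphs):
        if len(p) > MAX_PARAGRAPH_CHARS:
            problems.append(f"paragraph {i}: too long")
        for ch in unicodedata.normalize("NFC", p):
            cat = unicodedata.category(ch)
            # reject control/format/private-use characters and line/paragraph separators
            if cat.startswith("C") or (cat.startswith("Z") and cat != "Zs"):
                problems.append(f"paragraph {i}: disallowed character U+{ord(ch):04X}")
                break
    return problems


def reconstruct(paragraphs) -> str:
    """Reconstruct stage: a fresh document built only from verified text."""
    body = "".join(f"<p>{html.escape(p)}</p>" for p in paragraphs)
    return f"<!DOCTYPE html><html><body>{body}</body></html>"


def import_document(raw: bytes):
    paragraphs = transform(raw)
    problems = verify(paragraphs)
    if problems:
        return "quarantined", problems
    return "accepted", reconstruct(paragraphs)


# Constructed sample uploads.
SAMPLE_UPLOAD = (b"<html><head><script>alert(1)</script><style>p{}</style></head>"
                 b"<body><p onclick=\"x()\">Hello <b>world</b></p><!-- hidden -->"
                 b"<p>Second &amp; third</p></body></html>")
HOSTILE_UPLOAD = "<p>bad\u200bchar</p>".encode("utf-8")   # zero-width space smuggled in

if __name__ == "__main__":
    print(import_document(SAMPLE_UPLOAD))
    print(import_document(HOSTILE_UPLOAD))
```

The part that makes this a cross-domain pattern rather than plain sanitisation is that each stage only trusts the output of the previous one and the final document shares no bytes with the upload; a real deployment would run Transform and Reconstruct in separate, isolated environments with the protocol break the NCSC guidance describes between them.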

These techniques represent the highest level of security thinking, and are probably not applicable to most general-purpose applications. But still, it’s excellent to have guidance like this available. Well done NCSC.

About the Author:
Davey McGlade is a UK Digital Data and Cloud Practice Lead here at Version 1.

Head of Digital, UK @ Version 1 covering cyber, technology and digital transformation. Twitter as @daveymcglade. Views are my own.