Escalating Privilege Through Better Communication WHY STOP AT DOMAIN ADMIN? @BEAUWOODS.

Post on 14-Dec-2015


Escalating Privilege Through Better Communication: WHY STOP AT DOMAIN ADMIN?

@BEAUWOODS

Agenda

0 The Situation: Why we need to be better

1 The Problem

2 What Works

3 Hands On Hacking

0 The Situation: Why we need to be better

1 The Problem

Why won’t [THEY] do the [RIGHT]™ thing?

I’m sure that [THEY]:
- Don’t get it
- Hate me
- Are evil

For varying values of [THEY], including:
- Manufacturers
- Vendors
- Software and hardware makers
- Bosses

Why won’t [THEY] do the [RIGHT]™ thing?

I’m sure that [THEY]:
- Don’t get it
- Hate me
- Are evil

For varying values of [RIGHT]™, including things that:
- Are expensive
- I can’t present/explain well
- I don’t understand well
- Affect operations or strategy
- Require conceptual shifts

1 What Works

Kill Chain

Hacking: the process we know well

1 Reconnaissance and Network Mapping
2 Vulnerability Discovery
3 Exploitation
4 Persistence

Kill Chain of Influence

1 Reconnaissance and Stakeholder Mapping
2 Empathy and Understanding
3 Enabling Change
4 Persistence

1 What Works

Reconnaissance and Stakeholder Mapping

Official Structure:
- CEO
- CFO, COO, CMO, CIO, CxO
- Admin
- Chain of command, committees, budget approvals

Unofficial Structure:
- Who is liked…or not?
- Trusted advisors/influencers
- Who drinks together?

Exercise: One does not simply WALK into the executive boardroom

External Stakeholders

What external stakeholders may exist for a medical device manufacturer?

1 What Works

Empathy and Understanding

Factual Background:
- Work history – industries, roles, etc.
- Education
- Passions and hobbies

Motivation:
- Role models
- Bonus structure
- Career ambitions
- Challenges and priorities

Hopes, Dreams, and Aspirations (and Fears):
- What keeps them up at night?
- What would make them a hero?
- What triggers fear vs. hope?
- Why do they do what they do, on a human scale?

Executive Time Budget (chart of where executive attention goes): Financials, New Ventures, Lunch, IT, HR, Infosec, Physical Security, Lolcats

Regulations, financials, competitors, breaches …get their attention.

Operational Workflow (diagram nodes): Business Intelligence, Decisioning, Priorities, Direction, Mission, Research, Data, Framework, Action, Data Collection

Disciplinary Literacy

Functional: 1 year
Conversant: 5 years
Literate: 10 years

Functional Illiteracy

Medical Jargon

A 6 French by 26 cm right double-J ureteral stent was passed over the glidewire, and the glidewire was removed. A curl was seen in the upper pole of the right kidney under fluoroscopic vision and a curl was seen in the bladder under cystoscopic vision.


Medical Jargon

A blah blah by blah blah blah blah blah blah was blah blah the blah, and the blah was removed. A blah was seen in the blah blah of the right kidney under blah blah and a blah was seen in the blah under blah blah.

Interactive Example

The cross domain issue comes in when there is a form that accepts POST methods only. You can create a page that has a form that submits to the remote website via POST through a JavaScript click event. If it’s protected by a nonce that vulnerability goes away, but most websites aren’t protected by CSRF in this way.
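The "nonce" the slide refers to is the synchronizer-token pattern: the server embeds a per-session secret in its own forms, and a POST is only honoured when that secret comes back, which a page on another origin cannot supply. The following is an added illustration of that check, not code from the talk; the `Session`, `Request`, `render_form` and `handle_transfer` names and the `https://shop.example` origin are assumptions for the sake of a self-contained demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed origin of the site being protected (placeholder, not from the talk).
SITE_ORIGIN = "https://shop.example"


@dataclass
class Session:
    """Server-side session. The CSRF token is generated per session and kept
    here; the browser only ever sees it inside pages the server renders."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical shape)."""
    method: str
    form: dict
    session: Optional[Session]
    origin: Optional[str] = None  # value of the Origin header, if the browser sent one


def render_form(session: Session) -> str:
    """Embed the session's token in a hidden field so a legitimate submission carries it."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def is_csrf_safe(req: Request) -> bool:
    """Return True only when a state-changing request proves it came from our own page."""
    if req.method not in ("POST", "PUT", "PATCH", "DELETE"):
        return True  # safe methods must not change state, so no token is needed
    if req.session is None:
        return False  # no session means no token could have been issued
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so a near-miss token leaks nothing via timing.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False
    # Defense in depth: when the browser supplies Origin, it must be our own site.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    return True


def handle_transfer(req: Request) -> tuple:
    """Hypothetical money-transfer endpoint: reject the request before doing any work."""
    if not is_csrf_safe(req):
        return (403, "CSRF token missing or invalid")
    return (200, f"transferred {req.form.get('amount')}")


if __name__ == "__main__":
    sess = Session("demo-session")
    print(render_form(sess))
    print(handle_transfer(Request("POST", {"csrf_token": sess.csrf_token, "amount": "10"}, sess)))
    print(handle_transfer(Request("POST", {"amount": "10"}, sess)))
```

A submission that arrives without the token, or with the wrong one, is refused before the handler runs; the Origin check is a second, independent signal for browsers that send the header.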

1 What Works

Enabling Change

Work the system:
- Up, down, and sideways
- Adaptation
- Persistence
- Riding waves and news

In the terms, and at the level, of the audience:
- Features versus benefits (values and objectives)
- Speaking their language
- Incorporating their ideas

Making action easy:
- Be two steps ahead
- Do their work
- Pilots and proofs of concept

Recap

1 RECONNAISSANCE AND STAKEHOLDER MAPPING
2 EMPATHY AND UNDERSTANDING
3 ENABLING CHANGE
4 PERSISTENCE

Example Scenario

Practicing enabling change:
- What considerations should we think about?
- What questions might which stakeholders ask?
- Who might engage with which external stakeholders?
- What relationships might make influence easier or harder?
- Who are the critical decision-makers?

Practicing enabling change:
- What strategies and tactics will make this easy?
- What motivates each stakeholder?
- Who needs to feel “ownership”?
- What makes the stakeholder look like a hero?
- How to avoid making any villains?

Practicing enabling change:
- Convince the decision-maker of your idea.
- Clear, concise, impactful
- Address each stakeholder’s fears/goals
- Bottom Line Up Front (BLUF)

Escalating Privilege Through Better Communication: WHY STOP AT DOMAIN ADMIN?

@BEAUWOODS