HD Moore, Founder and CEO of runZero, stops by the Dark Reading News Desk during Black Hat USA 2024 to talk about runZero's role in the cyber asset attack surface management (CAASM) ecosystem and SSHamble, a new open-source tool that can nudge various parts of the SSH protocol stack to drop shells out of devices that would otherwise be secure. Tune in to hear about surprises and unexpected findings during runZero's research leading up to the SSHamble launch.
Transcript
Terry Sweeney: Welcome back to the Dark Reading News Desk. It's Terry Sweeney with Dark Reading. I'm happy to welcome to the podium HD Moore, CEO and Founder of runZero. Welcome, sir!
HD Moore: Thanks for having me.
Terry: Thank you for doing this. runZero of course operates in the cyber asset attack surface management space, aka CAASM. Can we start just with some context about CAASM and what differentiates it from other security management solutions?
HD: Yeah, sure thing. The concept behind CAASM is you can't protect what you don't know about. So obviously if you have part of your estate you're not aware of, you can't really defend it very well. I started runZero because, as a pentester, I worked on Metasploit for 15 years with lots of vulnerability assessment background, and we kept breaking into well-funded, very secure organizations through assets they didn't know they had.
With runZero we took a very different approach in that instead of using integrations only to gather data about what was there, we built a world-class scan engine, a passive discovery engine that actually finds networks you don't know about, assets you weren't even aware of, assets that no existing system would be able to tell you about through an integration.
So we started off with the hard thing first which is we want to precisely identify assets anywhere in your environment with no credentials, no setup, no access. So if you're going to an environment that's post-M&A and there are no IT people to help out, we can find everything really quick.
Terry: I can imagine especially through acquisitions and networks that really didn't show up on schematics that sort of thing, but also stealth IT, equipment that employees bring in and just set up their own Wi-Fi for example. Is this a fairly common occurrence?
HD: Yeah, absolutely. Often your security team walks in, gets handed a spreadsheet by IT and says ‘here's what we have, here's our vuln scan scope, here's your EDR’, but they're obviously missing a large portion of the network. Customers of runZero typically find 25 percent more assets than they knew about before, even if they're using another CAASM solution, because we actually go find them.
Terry: So the hunt and discovery aspect of CAASM is obviously a big selling point?
HD: Yeah it's critical. I mean obviously if you don't know about the thing you can't defend it. You can only protect devices that you have an endpoint agent on, some kind of security control on, and for the device you don't know about typically there are no security controls.
Terry: All right. Gaze into your crystal ball if you will, and tell us what you can see evolving in the CAASM category, say over the next 12 to 24 months. What do you see there?
HD: The thing we're seeing right now is that integration data is not enough. You have to go get good data to tell customers things they don't know. You can't just sell them their own data back to them, basically. And so what we're seeing in the CAASM market is that it's really becoming a subset of attack surface management, of exposure management. At the end of the day customers care about preventing a breach and being able to quickly respond to a breach when one happens, and those two problems are what we're focused on.
Terry: All right runZero recently unveiled new research and an open source tool. Let's start with that research first. Tell us about the subject and some of the key findings.
HD: Sure thing. So we took a really hard look at the Secure Shell ecosystem. So every type of secure shell you can imagine, not just OpenSSH, not the regreSSHion vulnerabilities, but literally everything that speaks the protocol. We found a long tail of problems that just no one else had run across yet, because it requires really kind of deep testing of the protocol stack in the library.
So we built a tool that we call SSHamble, which is SSH-amble, and the idea behind it is that we'll poke and prod various parts of the protocol stack to be able to basically drop shells out of devices that would otherwise be secure.
Terry: All right, anything that was surprising in there that maybe was unexpected or counterintuitive?
HD: Quite a lot. We found a lot of ICS devices that would just give you a remote shell pre-authentication by tricking the state engine, the protocol, to say ‘hey just give me a session now’ pre-authentication. We also found machines that would allow you to do port forwarding on machines even before you authenticate. We found all sorts of just misconfigurations, exposures across the board.
One of the more surprising parts, though, is if you look at OpenSSH as an ecosystem, it's not just one thing. Apple has their own version of it, Debian and Ubuntu have their own version, Red Hat has its own version. The regreSSHion vulnerabilities recently reported by Qualys only affected some variants because of things. The libxz back door only affected things that linked to systemd. And if you look at OpenSSH for Windows in particular, over 350 files were modified, and one of the most critical functions in the OpenSSH source code has been modified and effectively backdoored by accident through this modification. So just because something is OpenSSH doesn't mean it's actually secure. All those modifications really matter.
Terry: Excellent. Let's turn to the open source tool that you introduced. Talk about who it was designed for and some of its major functions.
HD: Yeah, sure thing. I mean, just like my background in Metasploit, we want to provide tools both for people who are testing their security systems as well as for researchers and engineers and developers who want to extend it. So this toolkit is a way to, one, just quickly scan your network and say, are any of these common misconfigurations that we found exposed on any of your equipment and your devices, as a vendor or as a product security person. But also, do you have ideas for how to find new bugs? Is there another cool technique on a state that you want to implement? You can drop it into this code, extend it, modularize it, just like you would with something like Metasploit.
Terry: Why did you choose open source? Just because of its wide adaptability?
HD: I love open source. I spent about 20 years doing mostly open source stuff, and this is the first company where we weren't open source first. But we want to contribute back. We really want to collaborate with the bigger research community. We want to help find more cool bugs, we want to shake out all those insecurities, and the best way to do that is with the community.
Terry: Excellent! How can viewers access this tool and get more information about it?
HD: Go to runzero.com; there's a link to the SSHamble tool. Our GitHub repo is live right now. The code's a little messy, but it works great today, and we'd love to see your pull request or feedback.
Terry: Excellent, thanks so much for this, really great deep dive into the CAASM space. Thanks for joining us on the Dark Reading News Desk.
HD: Thank you Terry.
Terry: We've been talking with HD Moore of runZero. This has been Terry Sweeney for the Dark Reading News Desk. Thanks for joining us for this segment. We'll see you next time.