Out-of-band (or “OoB”) networks are usually dedicated to management tasks. Many security appliances and servers have dedicated management interfaces that are used to set up, control, and monitor the device. A best practice is to connect those management interfaces to a dedicated network that is not directly connected to the network used to carry application and user data. While a physically separated network is always best, a properly configured dedicated VLAN can do the job in most cases. What we typically find on OoB networks is:
Network devices (switches, routers, access-points)
IPMI (ILO, DRAC, etc)
Appliances management interfaces
Management interfaces of servers
They also carry sensitive protocols like SNMP and backup traffic, so that it does not interfere with the “production” traffic. Given their criticality, OoB networks are usually pretty well hardened, with very limited access through bastion hosts. Sometimes they are so well protected that remote access is not allowed at all, which could lead to critical situations like the recent Facebook downtime due to a BGP issue.
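The two properties described above (management interfaces live only on the OoB VLAN, and only the bastion host may reach that VLAN from the production side) are easy to state and easy to drift away from. The following audit script is an added example, not code from the diary or from SANS ISC: it checks a constructed host inventory for management interfaces that ended up on production subnets, and evaluates a constructed first-match firewall policy in a weak form (flat network) and a hardened form (bastion-only access). All addresses, host names and rules are made-up values for the example.

```python
"""Audit a (constructed) host inventory and firewall policy for out-of-band
network hygiene: management interfaces must sit on the OoB VLAN, and only
the bastion host may reach that VLAN from the production side."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example (not taken from the diary).
OOB_NETWORKS = [ipaddress.ip_network("10.250.0.0/24")]       # management VLAN
PRODUCTION_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]  # user/application VLANs
BASTION_HOSTS = {ipaddress.ip_address("10.0.5.10")}          # jump host allowed into OoB

# Interface roles that belong on the OoB network, mirroring the diary's list.
MANAGEMENT_ROLES = {"switch-mgmt", "ipmi", "appliance-mgmt", "server-mgmt"}


@dataclass(frozen=True)
class Interface:
    host: str
    role: str
    address: str


# Constructed inventory: two management interfaces were placed on production subnets.
INVENTORY = [
    Interface("core-sw1", "switch-mgmt", "10.250.0.2"),
    Interface("web01", "data", "10.0.1.20"),
    Interface("web01", "ipmi", "10.250.0.20"),
    Interface("db01", "ipmi", "10.0.1.31"),              # wrong: IPMI on production VLAN
    Interface("fw-edge", "appliance-mgmt", "10.0.9.1"),  # wrong: appliance mgmt on production VLAN
]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def find_misplaced_management_interfaces(inventory):
    """Return (host, role, address) for management interfaces outside the OoB networks."""
    findings = []
    for iface in inventory:
        if iface.role not in MANAGEMENT_ROLES:
            continue
        if not _in_any(ipaddress.ip_address(iface.address), OOB_NETWORKS):
            findings.append((iface.host, iface.role, iface.address))
    return findings


# Firewall policy as ordered (source, destination, action) rules; first match wins.
WEAK_POLICY = [
    ("0.0.0.0/0", "0.0.0.0/0", "allow"),  # flat network: every host reaches the OoB VLAN
]
HARDENED_POLICY = [
    ("10.0.5.10/32", "10.250.0.0/24", "allow"),  # bastion -> OoB
    ("0.0.0.0/0", "10.250.0.0/24", "deny"),      # everyone else -> OoB
    ("0.0.0.0/0", "0.0.0.0/0", "allow"),         # ordinary traffic unaffected
]


def evaluate(policy, src, dst):
    """First-match evaluation of a flow; implicit deny when no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def audit_oob_access(policy, production_sources, oob_target):
    """Return violations as (src, expected, actual); only bastion hosts may reach the OoB target."""
    violations = []
    for src in production_sources:
        expected = "allow" if ipaddress.ip_address(src) in BASTION_HOSTS else "deny"
        actual = evaluate(policy, src, oob_target)
        if actual != expected:
            violations.append((src, expected, actual))
    return violations


if __name__ == "__main__":
    for host, role, addr in find_misplaced_management_interfaces(INVENTORY):
        print(f"misplaced management interface: {host} {role} {addr}")
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        v = audit_oob_access(policy, ["10.0.1.20", "10.0.5.10"], "10.250.0.20")
        print(f"{name} policy: {len(v)} violation(s) {v}")
```

Run against the constructed data, the inventory check flags db01's IPMI and the edge firewall's management interface, the weak policy produces one violation (an ordinary production host reaches an IPMI address), and the hardened policy produces none. Feeding the script a real inventory export and the actual rule base is the point: the check is trivial, but it is exactly the kind of drift that turns a "dedicated" management VLAN into a flat network.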
But OoB networks can also serve another purpose: communication during a security incident. It is recommended not to let Incident Handlers use the corporate network to exchange information.
A few days ago, an interesting tweet was posted by @vxunderground. Apparently, the Ragnar Locker ransomware group was able to access a Slack channel used by the organization in charge of the investigation.
(Image source: vxunderground’s Twitter account)
As you can see at the top of the screenshot, there is the classic Remote Desktop Client banner. Probably, an Incident Handler was connected to the Slack channel from a workstation on the compromised network while the attacker was still present… Slack is an “external service” and traffic to Slack is encrypted, but if the client or the browser can be accessed, it’s too late!
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.