Upload
fancy
View
31
Download
0
Embed Size (px)
DESCRIPTION
Learning to Live with an Advanced Persistent Threat. EDUCAUSE 2013 October 17th, 2013 John Denune IT Security Director [email protected]. ACT Infrastructure services. Database Administration. E-mail. Active Directory. Data Center. Security. Telecom. Networking. ID Management. - PowerPoint PPT Presentation
Citation preview
Learning to Live with an Advanced Persistent ThreatEDUCAUSE 2013October 17th, 2013
John DenuneIT Security [email protected]
ACT Infrastructure services
Active Directory
NetworkingID Management
SecurityTelecom
Data Center
Database Administration
UNIX and Windows Support
What is an APT?
It’s not Opportunistic
APTTargeted
Patient
Skilled
Technical
Social Engineering
Varied Attacks
Physical threats
Espionage
Corporate
State-Sponsored
TheftHacktivism
External Recon
Initial Compromise
Establish Foothold
Escalate Privileges
Internal Recon
Expand
APT Lifecycle
Complete Mission
Initial DetectionJune 2012
Lesson #1
Pay attention to anti-virus alerts
Lesson #2
Don’t (completely) rely on your
anti-virus product
Lesson #3
Where possible, track IP’s instead of blocking them
Initial ReconFebruary 2012
Initial CompromiseApril 2012
Gh0st RAT
Lesson #4
Make your local FBI agent your new best
friend
Lesson #5
Have a secure communications
plan in place
Lesson #6
Log everything, especially
authentication,netflow and DNS
Dynamic DNS Beaconing
$ nslookup host.somehackedsite.com** server can't find host.somehackedsite.com: NXDOMAIN
$ nslookup host.somehackedsite.comhost.somehackedsite.com has address 10.2.3.4
Attack timing
All attacks took place Sunday –
Thursday between the hours of 6pm
and 3am Pacific
Attack Path
Malware Observations
You don’t need to rely on a lot of malware when
you’ve already got a long list of credentials
You don’t need to crack passwords when you can just pass a hash
NTLM Authentication
User provides username and password. Client computes hash, stores it in memory and throws away the plaintext password.Client sends username to server.
Server sends a challenge to the client.
Client encrypts the challenge with the user hash and sends it back to the server.
Server sends the username, challenge and encrypted response to the DC.
DC retrieves user hash, encrypts the challenge and compares to the client encrypted response. If they match, authentication is successful.
Administrator Hash
So, let’s say the domain administrator RDP’s to the client…
Domain Admin NTLM hash now stored in client
memory.
Pass the Hash
Attacker compromises client…
Steals hashes from memory…
Accesses both server and domain controllerGAME OVER
Mitigations
• Change passwords multiple times per day• Fast track two factor authentication• Compartmentalized passwords• Separate user and admin credentials• Minimize lateral trust• Scan entire domain for scheduled tasks• Rebuild Domain Controlers
Emergency ActionSeptember 2012
Lesson #7
Reconsider traditional
password best practices
Lesson #8
Effectively and securely
communicating a password
change is hard
We are not alone
ReengagementJuly 2013
ACT
Parting Thoughts• Detection can be subtle and an art• Have a good AD Team• Logging visibility is essential• Regular password changes are a MUST• Be prepared to re-image any system• Firewalls to prevent lateral movement• Separation of user and admin credentials• Require two-factor for OU Admins
A New Hope• Strengthened LSASS to prevent hash dumps• Many processes no longer store credentials in
memory• Better ways to restrict local account use over
the network• RDP use without putting the credentials on the
remote computer• Addition of a new Protected Users group,
whose members' credentials cannot be used in remote PtH attacks
Further ReadingKnow Your Digital Enemy – Anatomy of a Gh0st RAThttp://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniqueshttp://www.microsoft.com/en-us/download/details.aspx?id=36036
APT1: Exposing One of China's Cyber Espionage Unitshttp://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
“If ignorant both of your enemy and yourself, you are certain to be in peril.”― Sun Tzu, The Art of War