Learning to Live with an Advanced Persistent ThreatEDUCAUSE 2013October 17th, 2013

John DenuneIT Security Directorjdenune@ucsd.edu

ACT Infrastructure services

E-mail

Active Directory

NetworkingID Management

SecurityTelecom

Data Center

Database Administration

UNIX and Windows Support

What is an APT?

It’s not Opportunistic

APTTargeted

Patient

Skilled

Technical

Social Engineering

Varied Attacks

Physical threats

Espionage

Corporate

State-Sponsored

TheftHacktivism

External Recon

Initial Compromise

Establish Foothold

Escalate Privileges

Internal Recon

Expand

APT Lifecycle

Complete Mission

Initial DetectionJune 2012

Lesson #1

Pay attention to anti-virus alerts

Lesson #2

Don’t (completely) rely on your

anti-virus product

Lesson #3

Where possible, track IP’s instead of blocking them

Initial ReconFebruary 2012

Initial CompromiseApril 2012

Gh0st RAT

Lesson #4

Make your local FBI agent your new best

friend

Lesson #5

Have a secure communications

plan in place

Lesson #6

Log everything, especially

authentication,netflow and DNS

Dynamic DNS Beaconing

$ nslookup host.somehackedsite.com** server can't find host.somehackedsite.com: NXDOMAIN

$ nslookup host.somehackedsite.comhost.somehackedsite.com has address 10.2.3.4

Attack timing

All attacks took place Sunday –

Thursday between the hours of 6pm

and 3am Pacific

Attack Path

Malware Observations

You don’t need to rely on a lot of malware when

you’ve already got a long list of credentials

You don’t need to crack passwords when you can just pass a hash

NTLM Authentication

User provides username and password. Client computes hash, stores it in memory and throws away the plaintext password.Client sends username to server.

Server sends a challenge to the client.

Client encrypts the challenge with the user hash and sends it back to the server.

Server sends the username, challenge and encrypted response to the DC.

DC retrieves user hash, encrypts the challenge and compares to the client encrypted response. If they match, authentication is successful.

Administrator Hash

So, let’s say the domain administrator RDP’s to the client…

Domain Admin NTLM hash now stored in client

memory.

Pass the Hash

Attacker compromises client…

Steals hashes from memory…

Accesses both server and domain controllerGAME OVER

Mitigations

• Change passwords multiple times per day• Fast track two factor authentication• Compartmentalized passwords• Separate user and admin credentials• Minimize lateral trust• Scan entire domain for scheduled tasks• Rebuild Domain Controlers

Emergency ActionSeptember 2012

Lesson #7

Reconsider traditional

password best practices

Lesson #8

Effectively and securely

communicating a password

change is hard

We are not alone

ReengagementJuly 2013

ACT

Parting Thoughts• Detection can be subtle and an art• Have a good AD Team• Logging visibility is essential• Regular password changes are a MUST• Be prepared to re-image any system• Firewalls to prevent lateral movement• Separation of user and admin credentials• Require two-factor for OU Admins

A New Hope• Strengthened LSASS to prevent hash dumps• Many processes no longer store credentials in

memory• Better ways to restrict local account use over

the network• RDP use without putting the credentials on the

remote computer• Addition of a new Protected Users group,

whose members' credentials cannot be used in remote PtH attacks

Further ReadingKnow Your Digital Enemy – Anatomy of a Gh0st RAThttp://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniqueshttp://www.microsoft.com/en-us/download/details.aspx?id=36036

APT1: Exposing One of China's Cyber Espionage Unitshttp://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

“If ignorant both of your enemy and yourself, you are certain to be in peril.”― Sun Tzu, The Art of War