Preventing Advanced Targeted Attacks with IAM Best Practices

1

Protecting Against Advanced Targeted Attacks with IAM Best Practices

2

▪ Strategic Advisor – CyberArk Software

▪ B.S. Information Systems – University of Texas at Arlington

▪ CompTIA A+ & Security+

▪ VMware VCA-DCV

▪ (ISC)2 SSCP & CISSP

▪ GIAC GPEN (Taking exam tomorrow!)

▪ Married, Father of 2 girls.

▪ Member of Shadow Systems Hacker Collective

▪ Member of Dallas Hackers Association

Hello Friend - Andy Thompson

@R41nM4kr

3

▪ Golden Ticket PoC

▪ Defense using IAM Best Practices

▪ Q&A

▪ Mass Applause

Agenda

4

Golden Ticket Attack

Golden Ticket Attack: Proof of Concept in Under 6 Minutes.

(4 Minutes if I weren't so bad at typing)

5

Just a warning here…

▪ It didn't actually go down like this.

▪ More than one way to skin a cat.

▪ No 1337 H4X here.

6

So simple, you don't have to be a 400lb hacker living in your parents' basement to do it!

7

What is a Golden Ticket Attack?

A forged Kerberos Ticket Granting Ticket (TGT), encrypted with the stolen password hash of the domain's krbtgt account, which the domain controllers accept as valid for whatever user and group memberships the attacker chose to put in it.

8

9

10

The Bangladesh Bank Heist

11

Foundation

12

What makes an attack advanced?

An advanced attack is… a targeted attack against a specific organization, during which an attacker operates extensively inside the network.

Contrary to:

▪ Distributed Denial of Service (DDoS)

▪ Opportunistic endpoint attacks (ex. Ransomware)

▪ Quick, targeted attacks (ex. Support Call Scams)

13

Phases of an Advanced Attack

External Recon

• OSINT

• Passive Scanning

Breach

• Phishing

• USB Drops

• Exploits

Internal Recon

• Network Queries

• Passive Listening

• Probing

Lateral Movement

• Seek Creds

• See Access

Domain Compromise

• Golden Ticket

• Persistence

Endgame

• Exfiltration

• DoS

• Corrupt

14

Breach

Email with malicious attachment

15

16

Internal Recon

(Diagram hosts: Domain Controller, File Server 1, Admin Workstation, Web Server 3, Help Desk Workstation)

WHAT computers are there in the network?

WHO are the privileged users?

WHERE are they connected?

What privileges can I GET?

COMMON TOOLS USED FOR RECON: nmap, BloodHound, PowerShell

17

18

Lateral Movement

(Diagram hosts: Domain Controller, Web Server 3, Help Desk Workstation, File Server 1, Admin Workstation)

Connect to the shared machine

Search for credentials

Steal privileged credentials

***** Domain Admin credentials found!

COMMON TOOLS USED FOR LATERAL MOVEMENT: mimikatz, PsExec

19

20

Domain Compromise

Connect to Domain Controller

Steal krbtgt hash

Create a Golden Ticket with required privileges

Locate and access desired system: SWIFTNet Domain Controller

NEXT: Steal the krbtgt hash. Generate a golden ticket for full domain access.

(Diagram target: ! SWIFTNet)
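Because a golden ticket is minted from the krbtgt hash and never issued by a DC, the defender's visibility is the ticket's use, not its creation. The script below is an added example (not from the slides or the CyberArk demo) that runs three well-known heuristics over constructed domain controller Kerberos audit events: a service-ticket request (4769) for an account that does not exist in the directory, a 4769 with no preceding TGT request (4768) from the same client within the TGT lifetime, and RC4 ticket encryption in a domain where AES is policy (mimikatz golden tickets are RC4 by default, but legacy services also produce RC4, so this signal is the weakest of the three). The account list, the 10-hour TGT lifetime and the events themselves are assumptions. One practical caveat: the 4768 may have been logged by a different DC than the one that logged the 4769, so correlate across all DCs before trusting the second heuristic; and a forged ticket stays valid until the krbtgt password has been reset twice, since the KDC also honours tickets under the previous krbtgt key.

```python
from datetime import datetime, timedelta

# Constructed sample DC security events (not from the slides). 4768 = TGT
# requested (AS-REQ), 4769 = service ticket requested (TGS-REQ). "etype" is
# the event's Ticket Encryption Type field; times are ISO 8601.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2016-03-01T08:00:00", "user": "jvealey",
     "ip": "10.1.2.15", "etype": "0x12"},
    {"id": 4769, "time": "2016-03-01T08:00:05", "user": "jvealey",
     "ip": "10.1.2.15", "service": "cifs/fileserver1", "etype": "0x12"},
    # A forged TGT is injected straight into the client's logon session, so
    # no DC ever logged a 4768 for this principal from this host.
    {"id": 4769, "time": "2016-03-01T09:30:00", "user": "Administrator",
     "ip": "10.1.2.99", "service": "ldap/dc01", "etype": "0x17"},
    # The attacker can forge a ticket for a principal that does not exist.
    {"id": 4769, "time": "2016-03-01T09:31:00", "user": "svc_backup2",
     "ip": "10.1.2.99", "service": "cifs/fileserver1", "etype": "0x12"},
]

# Accounts that exist in the directory (constructed; in practice pull from AD).
KNOWN_ACCOUNTS = {"jvealey", "administrator", "athompson", "krbtgt"}

# Assumes the default "Maximum lifetime for user ticket" policy of 10 hours.
TGT_LIFETIME = timedelta(hours=10)


def detect_golden_ticket_use(events, known_accounts=KNOWN_ACCOUNTS,
                             tgt_lifetime=TGT_LIFETIME, aes_policy=True):
    """Return alerts for TGS requests that look like forged-TGT use.

    Signals, strongest first:
      1. 4769 for an account that does not exist in the directory.
      2. 4769 with no 4768 for the same account and client IP within the
         TGT lifetime (correlate across all DCs before trusting this).
      3. RC4 (0x17) ticket encryption where AES is policy (weak signal).
    """
    alerts = []
    last_tgt = {}  # (account, client ip) -> time of the most recent 4768
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = t
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        if ev["user"].lower() not in known_accounts:
            reasons.append("ticket for non-existent account")
        issued = last_tgt.get(key)
        if issued is None or t - issued > tgt_lifetime:
            reasons.append("TGS request with no TGT issued to this client")
        if aes_policy and ev["etype"].lower() == "0x17":
            reasons.append("RC4 ticket encryption in an AES domain")
        if reasons:
            alerts.append({"time": ev["time"], "user": ev["user"],
                           "ip": ev["ip"], "service": ev["service"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_golden_ticket_use(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["user"]}@{a["ip"]} -> {a["service"]}: '
              + "; ".join(a["reasons"]))
```

Run against the sample, the jvealey request is clean (it follows a 4768 from the same client five seconds earlier) while the two requests from 10.1.2.99 are flagged, the second one twice over. Feeding real 4768/4769 events into the same function only requires keeping the four fields used here.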

21

22

Actions on target

(Diagram: Recipient Bank, SWIFTNet, SWIFT User 1, SWIFT User 2, ! SWIFTNet Server)

Access the SWIFT server

Locate pending transaction file

Inject fraudulent transaction

23

25

Profit!

26

IAM Best Practices

27

Endpoint Least Privilege

▪ Remove Unnecessary Privileges

■ Local Admin

■ Implement Least Privilege

▪ Manage Application Access

■ Block applications running by unauthorized accounts

■ Allow others.

28

Network Segmentation

▪ Not really IAM, but still a Best Practice recommendation.

■ Prevents lateral movement.

▪ Route Privileged Identities through isolated jump servers.

■ Can't pass the hash if you can't get a hash!

■ Accountability & Auditing

• Privileged Internal Users

• Vendors & 3rd Parties too!

29

Privileged Session Management Explained.

(Diagram components: Vault, PSM, SIEM/Syslog; managed targets: Routers and Switches, Windows/UNIX Servers, Web Sites, Databases, ESX\vCenters)

1. Logon through PVWA (HTTPS)

2. Connect (RDP over HTTPS to the PSM)

3. Fetch credential from Vault

4. Connect using native protocols

5. Store session recording

6. Logs forwarded to SIEM/Syslog

30

Credentials

▪ Secure and Manage your Credentials

■ Unique

■ Complex

■ Ever-changing!

▪ Require MFA

▪ Credential Boundaries

■ See MSFT whitepaper: Mitigating Pass-the-Hash Attacks and Other Credential Theft, Version 2

31

Tier 0 – Forest Admins: Direct or indirect administrative control of Active Directory forests, domains, or domain controllers.

Tier 1 – Server Admins: Direct or indirect administrative control over a single or multiple servers.

Tier 2 – Workstation Admins: Direct or indirect administrative control over a single or multiple devices.
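The tier model only pays off if it is enforced: a Tier 0 account that logs on interactively to a Tier 2 workstation has just left its credentials in LSASS on the least trusted class of host, which is exactly the hash the lateral-movement step harvests. The following is an added example (not from the slides or from Microsoft's whitepaper) of the check a practitioner would run over 4624 logon events to catch credential-boundary violations. The tier assignments, host names and logon events are constructed; the logon types treated as credential-caching (2 Interactive, 4 Batch, 5 Service, 10 RemoteInteractive, 11 CachedInteractive) follow the whitepaper's table, and Network (type 3) logons are allowed through because they do not leave reusable credentials on the target. Accounts that appear without any tier assignment are reported too, which is the "logons outside your IAM controls" case on the Monitoring slide later in this deck.

```python
# Credential-tier boundary check over Windows 4624 logon events.
# Added example; tier assignments, hosts and events are constructed.

# Tier 0: forest/domain admins, Tier 1: server admins, Tier 2: workstation
# admins. Ordinary users hold no admin rights and are treated as Tier 2.
ACCOUNT_TIER = {
    "adm-athompson": 0,   # forest admin account
    "srv-jvealey": 1,     # server admin account
    "wks-nliran": 2,      # workstation admin account
    "kjermyn": 2,         # ordinary user account
}
HOST_TIER = {
    "dc01": 0, "admin-ws": 0,            # DCs and the workstations that manage them
    "fileserver1": 1, "webserver3": 1,   # member servers
    "helpdesk-ws": 2,                    # user workstations
}

# Logon types that leave reusable credential material (password, NT hash or
# Kerberos keys) in LSASS on the target host. Type 3 (Network) does not.
CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}


def check_logon(account, host, logon_type,
                account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Classify one logon. Returns None if allowed, else a reason string."""
    acct, hst = account.lower(), host.lower()
    if acct not in account_tier:
        return f"account {account} outside IAM controls (no tier assigned)"
    if hst not in host_tier:
        return f"host {host} not classified into a tier"
    if logon_type not in CACHING_LOGON_TYPES:
        return None  # network-style logon: no credentials left behind
    at, ht = account_tier[acct], host_tier[hst]
    if at < ht:
        # Higher-privilege credentials exposed on a less trusted host.
        return f"Tier {at} credentials exposed on Tier {ht} host {host}"
    if at > ht:
        # Lower-tier account should never have interactive rights up here.
        return f"Tier {at} account logged on interactively to Tier {ht} host {host}"
    return None


def audit(logons):
    """Return (account, host, logon_type, reason) for each violating logon."""
    findings = []
    for account, host, logon_type in logons:
        reason = check_logon(account, host, logon_type)
        if reason:
            findings.append((account, host, logon_type, reason))
    return findings


# Constructed 4624 events: (TargetUserName, WorkstationName/host, LogonType).
SAMPLE_LOGONS = [
    ("ADM-AThompson", "dc01", 10),         # Tier 0 admin, RDP to a DC: allowed
    ("ADM-AThompson", "helpdesk-ws", 10),  # Tier 0 creds on a Tier 2 box: violation
    ("SRV-JVealey", "fileserver1", 2),     # Tier 1 admin on a member server: allowed
    ("KJermyn", "fileserver1", 3),         # user opening a share (network logon): allowed
    ("WKS-NLiran", "webserver3", 10),      # Tier 2 admin RDP to a server: violation
    ("PLi", "helpdesk-ws", 2),             # account nobody assigned to a tier
]

if __name__ == "__main__":
    for account, host, logon_type, reason in audit(SAMPLE_LOGONS):
        print(f"{account} -> {host} (type {logon_type}): {reason}")
```

The same rules translate directly into Group Policy: "Deny log on locally", "Deny log on through Remote Desktop Services", "Deny log on as a batch job" and "Deny log on as a service" for the higher-tier admin groups on every lower-tier host, with the check above as the audit that the policy actually holds.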

32

Key concept here… (Write this down!)

Identity: Flesh & blood individual

Account: Defined permissions

34

35

5 Privileged Accounts: AThompson, JVealey, NLiran, KJermyn, PLi each use a personal admin account (ADM-AThompson, ADM-JVealey, ADM-NLiran, ADM-KJermyn, ADM-PLi)

1 Privileged Account: AThompson, JVealey, NLiran, KJermyn, PLi all share ADM-Functional-Account

36

The whole shebang!

Unbounded Network: Financial Databases, PCI Databases, ESX Servers, Domain Controllers, Workstations/Laptops

Network w/Credential Boundaries: Financial Databases | PCI Databases | ESX Servers | Domain Controllers | Workstations/Laptops

Further reduce risk of theft with EPM

37

Monitoring

Monitor privileged users: internal employees & 3rd-party access

Alerting on high-risk or malicious events: DCSync, IOC behavior

Alert on behavior anomalies: logons outside your IAM controls
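DCSync is the attacker asking a domain controller to replicate account secrets (including the krbtgt hash) over the normal replication protocol, so it is the quiet alternative to logging on to the DC in the Domain Compromise step. It is also one of the cleanest alerts to write, provided "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights. The script below is an added example (not from the slides) that filters Event ID 4662 records for the two replication control-access rights, DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and raises an alert for any requester that is neither a domain controller computer account nor an allow-listed synchronization account. The DC list, the allow-listed account name and the sample events are constructed.

```python
# DCSync detection over Directory Service access audit events (Event ID 4662).
# Added example; the DC list, allow-list and sample events are constructed.

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # returns secrets

# Principals expected to replicate: DC machine accounts plus any directory
# synchronization service account (constructed name, e.g. an Azure AD Connect
# style MSOL_ account). Everything else is an alert.
DOMAIN_CONTROLLERS = {"dc01$", "dc02$"}
ALLOWED_SYNC_ACCOUNTS = {"msol_1a2b3c4d"}

# Constructed 4662 events: SubjectUserName, ObjectType and the Properties
# field, which lists the access-right GUIDs in braces, one per line.
SAMPLE_4662 = [
    {"subject": "DC02$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "jvealey", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "MSOL_1a2b3c4d", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "athompson", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary attribute read on a user object; GUID is a constructed placeholder.
    {"subject": "nliran", "object_type": "user",
     "properties": "{00000000-0000-0000-0000-000000000000}"},
]


def replication_rights(properties):
    """Return the set of replication-right GUIDs named in a Properties field."""
    text = properties.lower()
    return {g for g in (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
            if g in text}


def detect_dcsync(events, domain_controllers=DOMAIN_CONTROLLERS,
                  allowed=ALLOWED_SYNC_ACCOUNTS):
    """Return alerts for replication requests from unexpected principals.

    Severity is "high" when Get-Changes-All (secrets) was exercised and
    "medium" for Get-Changes alone, which on its own cannot pull hashes.
    """
    alerts = []
    for ev in events:
        if ev["object_type"] != "domainDNS":
            continue  # replication rights are checked on the domain NC object
        rights = replication_rights(ev["properties"])
        if not rights:
            continue
        who = ev["subject"].lower()
        if who in domain_controllers or who in allowed:
            continue
        severity = "high" if DS_REPLICATION_GET_CHANGES_ALL in rights else "medium"
        alerts.append({"subject": ev["subject"], "severity": severity,
                       "rights": sorted(rights)})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662):
        print(f'[{a["severity"]}] possible DCSync by {a["subject"]}: {a["rights"]}')
```

Two things to keep in mind when deploying this: 4662 does not carry a source address, so join on the Logon ID against the matching 4624 to learn which host the request came from, and keep the allow-list short and reviewed, because an attacker who obtains the synchronization account's credentials inherits its exemption.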

38

IAM Best Practices… In review.

Endpoint: Remove local privileges; Control applications

Network: Segment off sensitive assets; Route access through jump servers

Credentials: Enforce credential tiers; Require multi-factor authentication; Secure and manage privileged credentials

Monitoring: Set alerts on malicious events; Monitor behavior to detect anomalies; Monitor privileged users

39

Thank You!

40

Andy Thompson

▪ Email: [email protected]

▪ Website: CyberArk.com

▪ Twitter: R41nM4kr

▪ LinkedIn: AndyThompsonInfoSec