Transcript Learning to Live with an Advanced Persistent Threat PPT Only
Learning to Live with an Advanced Persistent Threat
John Denune IT Security Director University of California, San Diego [email protected]
ACT Infrastructure services
E-mail Data Center Security Networking Database Administration Active Directory UNIX and Windows Support Telecom ID Management
9 Staff Anti-virus and FDE VPN Policy and Compliance SSL Certs Firewall Forensics Incident Response Intrusion Detection Patch Management Vulnerability Assessment
What is an APT?
It’s not Opportunistic
Varied Attacks Espionage Technical Targeted Corporate Patient APT Skilled Hacktivism Theft Social Engineering State-Sponsored Physical threats
Expand Internal Recon External Recon Complete Mission Initial Compromise Establish Foothold Escalate Privileges
Pay attention to anti-virus alerts
Don’t (completely) rely on your anti-virus product
Where possible, track IP’s instead of blocking them
Make your local FBI agent your new best friend
Have a secure communications plan in place
Log everything, especially authentication, netflow and DNS
All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific
You don’t need to rely on a lot of malware when you’ve already got a long list of credentials You don’t need to crack passwords when you can just pass a hash
Client computes LM and NTLM hash and stores them in memory. Plaintext password is reversibly encrypted and stored in memory.
Password hash is salted with username and stored in registry.
So, let’s say the domain administrator RDP’s to the client… Domain Admin NTLM hash now stored in client memory.
Pass the Hash
Attacker compromises client… Steals hashes from memory… Accesses both server and domain controller
• • • • • • • Change passwords multiple times per day Fast track two factor authentication Compartmentalized passwords Separate user and admin credentials Minimize lateral trust Scan entire domain for scheduled tasks Rebuild Domain Controlers
Reconsider traditional password best practices
*tecno9654postgres A Matt Hale Tribute CD would be cool..
Access-Control-Allow-Origin Abundance4me2day Bulletformyvalentine123 Elementarymydearwatson Putin is nothing but commie scum.
Video killed the radio star?
Effectively and securely communicating a password change is hard
We are not alone
• • • • • • • • Detection can be subtle and an art Have a good AD Team Logging visibility is essential Regular password changes are a MUST Be prepared to re-image any system Firewalls to prevent lateral movement Separation of user and admin credentials Require two-factor for OU Admins
A New Hope
A New Hope
• • • • • Strengthened LSASS to prevent credential dumps Many processes no longer store credentials in memory Better ways to restrict local account use over the network RDP use without putting the credentials on the remote computer Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Know Your Digital Enemy – Anatomy of a Gh0st RAT http://www.mcafee.com/us/resources/white-papers/foundstone/wp know-your-digital-enemy.pdf
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques http://www.microsoft.com/en-us/download/details.aspx?id=36036 APT1: Exposing One of China's Cyber Espionage Units http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
“If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War