Learning to Live with an Advanced Persistent Threat PPT Only


Learning to Live with an Advanced Persistent Threat

John Denune
IT Security Director
University of California, San Diego

ACT Infrastructure services

• E-mail
• Data Center
• Security
• Networking
• Database Administration
• Active Directory
• UNIX and Windows Support
• Telecom
• ID Management

ACT Security

• 9 Staff
• Anti-virus and FDE
• VPN
• Policy and Compliance
• SSL Certs
• Firewall
• Forensics
• Incident Response
• Intrusion Detection
• Patch Management
• Vulnerability Assessment

What is an APT?

It’s not Opportunistic

Varied Attacks Espionage Technical Targeted Corporate Patient APT Skilled Hacktivism Theft Social Engineering State-Sponsored Physical threats

APT Lifecycle

• External Recon
• Initial Compromise
• Establish Foothold
• Escalate Privileges
• Internal Recon
• Expand
• Complete Mission

Initial Detection

June 2012

Lesson #1

Pay attention to anti-virus alerts

Lesson #2

Don’t (completely) rely on your anti-virus product

Lesson #3

Where possible, track IPs instead of blocking them

Initial Recon

February 2012

Initial Compromise

April 2012

Gh0st RAT

Lesson #4

Make your local FBI agent your new best friend

Lesson #5

Have a secure communications plan in place

Lesson #6

Log everything, especially authentication, netflow and DNS

Attack timing

All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific
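
Added example, not part of the original slides: a check that flags authentication events for watched accounts inside the attack window stated above, the kind of question the logging in Lesson #6 makes answerable. The log format, account names and addresses are constructed, and counting the hours after midnight as part of the previous evening is an assumption.

```python
from datetime import datetime, timedelta, timezone

SUN_TO_THU = {6, 0, 1, 2, 3}  # datetime.weekday(): Monday=0 ... Sunday=6

def _nth_sunday_utc(year, month, n):
    first = datetime(year, month, 1, tzinfo=timezone.utc)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def to_pacific(ts_utc):
    """UTC -> naive US Pacific wall-clock time (US DST rules in force since 2007)."""
    dst_start = _nth_sunday_utc(ts_utc.year, 3, 2) + timedelta(hours=10)  # 02:00 PST
    dst_end = _nth_sunday_utc(ts_utc.year, 11, 1) + timedelta(hours=9)    # 02:00 PDT
    offset = -7 if dst_start <= ts_utc < dst_end else -8
    return (ts_utc + timedelta(hours=offset)).replace(tzinfo=None)

def in_attack_window(ts_utc):
    """Sunday-Thursday, 18:00 to 03:00 Pacific. Assumption: the hours after
    midnight belong to the previous evening, so Friday 01:00 is inside the
    window (Thursday night) and Sunday 01:00 is not."""
    local = to_pacific(ts_utc)
    if local.hour >= 18:
        evening = local.weekday()
    elif local.hour < 3:
        evening = (local.weekday() - 1) % 7
    else:
        return False
    return evening in SUN_TO_THU

# Constructed sample records: UTC timestamp, account, source IP, result.
SAMPLE_LOG = """\
2012-06-11T02:15:00Z,adm-jsmith,10.1.4.22,success
2012-06-11T21:30:00Z,adm-jsmith,10.1.4.22,success
2012-06-15T08:40:00Z,svc-backup,10.1.9.7,success
2012-06-16T08:40:00Z,svc-backup,10.1.9.7,success
2012-06-14T09:59:00Z,jdoe,10.1.4.80,success
2012-12-04T10:30:00Z,adm-jsmith,10.1.9.7,failure
"""

def flag_logons(log_text, watched_accounts):
    """Return (local time, account, source IP) for watched accounts whose
    authentication events fall inside the attack window."""
    hits = []
    for line in log_text.splitlines():
        stamp, account, src, _result = line.split(",")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if account in watched_accounts and in_attack_window(ts):
            hits.append((to_pacific(ts).strftime("%a %H:%M"), account, src))
    return hits
```

The December record is only caught because the UTC offset follows daylight saving time; a fixed seven-hour offset would place it at 03:30 and miss it.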

Attack Path

Malware Observations

You don’t need to rely on a lot of malware when you’ve already got a long list of credentials
You don’t need to crack passwords when you can just pass a hash

Interactive Authentication

Client computes LM and NTLM hash and stores them in memory. Plaintext password is reversibly encrypted and stored in memory.

Password hash is salted with username and stored in registry.

Administrator Hash

So, let’s say the domain administrator RDPs to the client… The Domain Admin NTLM hash is now stored in client memory.

Pass the Hash

Attacker compromises client… Steals hashes from memory… Accesses both server and domain controller


• Change passwords multiple times per day
• Fast track two-factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan entire domain for scheduled tasks
• Rebuild Domain Controllers

Lesson #7

Reconsider traditional password best practices

Good passwords?

• *tecno9654postgres
• A Matt Hale Tribute CD would be cool..
• Access-Control-Allow-Origin
• Abundance4me2day
• Bulletformyvalentine123
• Elementarymydearwatson
• Putin is nothing but commie scum.

Video killed the radio star?


Emergency Action

September 2012

Lesson #8

Effectively and securely communicating a password change is hard

We are not alone


July 2013

Parting Thoughts

• Detection can be subtle and an art
• Have a good AD Team
• Logging visibility is essential
• Regular password changes are a MUST
• Be prepared to re-image any system
• Firewalls to prevent lateral movement
• Separation of user and admin credentials
• Require two-factor for OU Admins

A New Hope


• Strengthened LSASS to prevent credential dumps
• Many processes no longer store credentials in memory
• Better ways to restrict local account use over the network
• RDP use without putting the credentials on the remote computer
• Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks

Further Reading

Know Your Digital Enemy – Anatomy of a Gh0st RAT
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036

APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

“If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War