Learning to Live with an Advanced Persistent Threat (177900234)

7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)

http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 1/32

Learning to Live with anAdvanced Persistent Threat

EDUCAUSE 2013October 17th, 2013

John Denune

IT Security Director [email protected]



ACT Infrastructure services

E-mail

Active Directory

Networking

ID Management

Security Telecom

Data Center

Database Administration

UNIX and Windows Support



What is an APT?

It’s notOpportunistic



APT

Targeted

Patient

Skilled

Technical

Social Engineering

Varied Attacks

Physical threats

Espionage

Corporate

State-Sponsored

TheftHacktivism



ExternalRecon

InitialCompromi

se

EstablishFoothold

EscalatePrivileges

InternalRecon

Expand

APT Lifecycle

Complete

Mission



Initial Detection

June

2012



Lesson #1

Pay attention

to anti-virusalerts



Lesson #2

Don’t(completely

) rely onyour anti-

virus

product



Lesson #3

Wherepossible,

track IP’sinstead of blocking them



Initial ReconFebruary 2012

Initial Compromise April 2012



Gh0st RAT



Lesson #4

Make yourlocal FBI

agent yournew bestfriend



Lesson #5

Have a

securecommunicati

ons plan in



Lesson #6

Logeverything,

especiallyauthentication,

netflow and



Dynamic DNS Beaconing$ nslookup host.somehackedsite.com

** server can't find host.somehackedsite.com:NXDOMAIN

$ nslookup host.somehackedsite.comhost.somehackedsite.com has address 10.2.3.4



Attack timing

All attackstook placeSunday –

Thursday

between thehours of 6pm

and 3am

Pacific



Attack Path



Malware Observations

You don’t need to rely ona lot of malware when

you’ve already got a longlist of credentials

You don’t need to crack

passwords when youcan just pass a hash



NTLM Authentication

User provides usernameand password. Clientcomputes hash, stores it inmemory and throws away

the plaintext password.

Client sends username to server.

Server sends a challengeto the client.

Client encrypts thechallenge with the userhash and sends it back tothe server.

Server sends theusername, challengeand encryptedresponse to the DC.

DC retrieves user hash,

encrypts the challenge andcompares to the clientencrypted response. If theymatch, authentication is

successful.



Administrator Hash

So, let’s say the

domainadministratorRDP’s to the

client…Domain

Admin NTLMhash nowstored in

client



Pass the HashAttacker compromises client…

Steals hashes from memory…

Accesses bothserver and domaincontroller

GAME OVER



Mitigations• Change passwords multiple times per day

• Fast track two factor authentication

• Compartmentalized passwords

• Separate user and admin credentials

• Minimize lateral trust

• Scan entire domain for scheduled tasks

• Rebuild Domain Controlers



Emergency ActionSeptember 2012



Lesson #7

Reconsider

traditionalpassword

best

ractices



Lesson #8

Effectivelyand securelycommunicati

ng apasswordchange is

hard



We are not alone



ReengagementJuly 2013



ACT



Parting Thoughts• Detection can be subtle and an art

• Have a good AD Team

• Logging visibility is essential

• Regular password changes are a MUST

• Be prepared to re-image any system

• Firewalls to prevent lateral movement

• Separation of user and admin credentials

•Require two-factor for OU Admins



A New Hope• Strengthened LSASS to prevent hash dumps

• Many processes no longer store credentials in memory

• Better ways to restrict local account use over the network• RDP use without putting the credentials on the remote

computer

• Addition of a new Protected Users group, whose

members' credentials cannot be used in remote PtHattacks



Further ReadingKnow Your Digital Enemy – Anatomy of a Gh0st RAT

http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-e

Mitigating Pass-the-Hash (PtH) Attacks and Other CredentialTheft Techniques

http://www.microsoft.com/en-us/download/details.aspx?id=36036

APT1: Exposing One of China's Cyber Espionage Units

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf



“If ignorant both of your enemy andyourself, you are certain to be in peril.”

― Sun Tzu, The Art of War

Documents

Learning to Live with an Advanced Persistent Threat (177900234)