Upload
educause
View
221
Download
0
Embed Size (px)
Citation preview
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 1/32
Learning to Live with anAdvanced Persistent Threat
EDUCAUSE 2013October 17th, 2013
John Denune
IT Security Director [email protected]
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 2/32
ACT Infrastructure services
Active Directory
Networking
ID Management
Security Telecom
Data Center
Database Administration
UNIX and Windows Support
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 3/32
What is an APT?
It’s notOpportunistic
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 4/32
APT
Targeted
Patient
Skilled
Technical
Social Engineering
Varied Attacks
Physical threats
Espionage
Corporate
State-Sponsored
TheftHacktivism
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 5/32
ExternalRecon
InitialCompromi
se
EstablishFoothold
EscalatePrivileges
InternalRecon
Expand
APT Lifecycle
Complete
Mission
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 6/32
Initial Detection
June
2012
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 7/32
Lesson #1
Pay attention
to anti-virusalerts
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 8/32
Lesson #2
Don’t(completely
) rely onyour anti-
virus
product
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 9/32
Lesson #3
Wherepossible,
track IP’sinstead of blocking them
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 10/32
Initial ReconFebruary 2012
Initial Compromise April 2012
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 11/32
Gh0st RAT
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 12/32
Lesson #4
Make yourlocal FBI
agent yournew bestfriend
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 13/32
Lesson #5
Have a
securecommunicati
ons plan in
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 14/32
Lesson #6
Logeverything,
especiallyauthentication,
netflow and
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 15/32
Dynamic DNS Beaconing$ nslookup host.somehackedsite.com
** server can't find host.somehackedsite.com:NXDOMAIN
$ nslookup host.somehackedsite.comhost.somehackedsite.com has address 10.2.3.4
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 16/32
Attack timing
All attackstook placeSunday –
Thursday
between thehours of 6pm
and 3am
Pacific
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 17/32
Attack Path
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 18/32
Malware Observations
You don’t need to rely ona lot of malware when
you’ve already got a longlist of credentials
You don’t need to crack
passwords when youcan just pass a hash
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 19/32
NTLM Authentication
User provides usernameand password. Clientcomputes hash, stores it inmemory and throws away
the plaintext password.
Client sends username to server.
Server sends a challengeto the client.
Client encrypts thechallenge with the userhash and sends it back tothe server.
Server sends theusername, challengeand encryptedresponse to the DC.
DC retrieves user hash,
encrypts the challenge andcompares to the clientencrypted response. If theymatch, authentication is
successful.
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 20/32
Administrator Hash
So, let’s say the
domainadministratorRDP’s to the
client…Domain
Admin NTLMhash nowstored in
client
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 21/32
Pass the HashAttacker compromises client…
Steals hashes from memory…
Accesses bothserver and domaincontroller
GAME OVER
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 22/32
Mitigations• Change passwords multiple times per day
• Fast track two factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan entire domain for scheduled tasks
• Rebuild Domain Controlers
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 23/32
Emergency ActionSeptember 2012
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 24/32
Lesson #7
Reconsider
traditionalpassword
best
ractices
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 25/32
Lesson #8
Effectivelyand securelycommunicati
ng apasswordchange is
hard
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 26/32
We are not alone
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 27/32
ReengagementJuly 2013
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 28/32
ACT
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 29/32
Parting Thoughts• Detection can be subtle and an art
• Have a good AD Team
• Logging visibility is essential
• Regular password changes are a MUST
• Be prepared to re-image any system
• Firewalls to prevent lateral movement
• Separation of user and admin credentials
•Require two-factor for OU Admins
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 30/32
A New Hope• Strengthened LSASS to prevent hash dumps
• Many processes no longer store credentials in memory
• Better ways to restrict local account use over the network• RDP use without putting the credentials on the remote
computer
• Addition of a new Protected Users group, whose
members' credentials cannot be used in remote PtHattacks
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 31/32
Further ReadingKnow Your Digital Enemy – Anatomy of a Gh0st RAT
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-e
Mitigating Pass-the-Hash (PtH) Attacks and Other CredentialTheft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036
APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 32/32
“If ignorant both of your enemy andyourself, you are certain to be in peril.”
― Sun Tzu, The Art of War