Learning to Live with an Advanced Persistent Threat
John Denune, IT Security Director
University of California, San Diego
[email protected]
ACT Infrastructure Services
E-mail, Active Directory, Networking, ID Management, Security, Telecom, Data Center, Database Administration, UNIX and Windows Support
Decentralized: 100 OUs, 800 OU Admins
ACT Security
9 staff
Firewall, Intrusion Detection, Vulnerability Assessment, Forensics, Anti-virus and FDE, Patch Management, SSL Certs, Incident Response, Policy and Compliance, VPN
What is an APT?
It's not opportunistic:
Low-level criminal activity
Spam, phishing, WAREZ
Off-the-shelf attacks, with a higher likelihood of AV detection

APT:
Targeted
Patient
Skilled: technical, social engineering, varied attacks, physical threats
Espionage: corporate, state-sponsored
Theft
Hacktivism

You have something they want and they will spend a lot of time trying to get it: months or years. Off-the-shelf tools, but also custom malware including zero-days, with extremely low detection rates. Technical attacks, phishing, phone calls; dropping infected USB drives in the parking lot or putting keystroke loggers on lab keyboards. Often tied to some sort of espionage, either corporate (to get insider information) or state-sponsored (to get military information). Hacktivism to expose information, or long-term DDoS to make a point. Good old-fashioned theft.
APT Lifecycle
External Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Expand → Internal Recon → Complete Mission
(the middle stages repeat as the attackers work deeper into the environment)
Initial Detection (June 2012)
Got lucky: an AV alert on an ACT server.
OU Admins compromised through an unrelated staff account on the VPN.
Only 1 of 4 pieces of malware was detected.
Changed passwords, rebuilt servers.
Happened again the following night with another unrelated VPN account.
Also found several other computers in unrelated departments, also with OU admins compromised.
Third time: passwords had been changed, but re-used.
Lesson #1
Pay attention to anti-virus alerts
Too many sysadmins view a detection as AV doing its job, if they even monitor at all.
Modern malware loves company and almost always brings friends.
Lesson #2
Don't (completely) rely on your anti-virus product
Low detection rates, especially for custom malware.
Lesson #3
Where possible, track IPs instead of blocking them
We only had IP blocks to go on at the time. Blocking an address tells the attackers they have been spotted and loses the visibility you get from watching it.
Initial Recon (February 2012); Initial Compromise (April 2012)
Going through org charts, reading about projects.
Gh0st RAT
Lesson #4
Make your local FBI agent your new best friend
Insight into goals.
Whether any others are being attacked by the same group.
Assistance analyzing malware.
Help with management: this attack is different. It's not "patch, rebuild and you're done".
There are those who are hacked and know it, and those who are hacked and don't.
IRPS and the Dalai Lama.
Lesson #5
Have a secure communications plan in place
Security staff had PGP keys, but most sysadmins did not.
Voice mail was unreliable due to unified messaging.
Attackers were definitely reading e-mail.
Lesson #6
Log everything, especially authentication, netflow and DNS
AD logs are ugly, chatty and HUGE. Information about one event is spread over several lines using different identifiers (IP, system name, etc.), so reconstructing context is difficult.
Netflow to understand where they are going within the network; VPN netflow was added.
DNS logs are HUGE but provide a lot of insight, especially when connected through the VPN.
Tremendous amount of data.
Dynamic DNS Beaconing
While the command-and-control host is parked, the name does not resolve:
$ nslookup host.somehackedsite.com
** server can't find host.somehackedsite.com: NXDOMAIN
When the attackers are active, the same name resolves:
$ nslookup host.somehackedsite.com
Name:    host.somehackedsite.com
Address: 10.2.3.4
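The following is an added example, not part of the original deck: a small Python detector for the pattern shown above, run over constructed resolver log lines. The log format, the client address and the www.example.edu / exmaple.edu noise entries are assumptions; only host.somehackedsite.com and 10.2.3.4 come from the slide. It groups queries per client and name, requires that the name has both failed (NXDOMAIN) and resolved (NOERROR) within the series, and checks that the queries arrive on a steady period, which is what distinguishes an implant checking in from a user who mistyped a name.

```python
"""Added example: flag dynamic-DNS beaconing in resolver logs.

A parked C2 name answers NXDOMAIN until the operators point it at live
infrastructure, so a client that keeps asking for one name on a fixed
cadence and sees it flip between NXDOMAIN and an answer is a strong signal.
Log format and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: <timestamp> <client> <qname> <qtype> <rcode> <answer or ->
SAMPLE_LOG = """\
2012-06-17T19:00:02-07:00 10.50.1.23 host.somehackedsite.com A NXDOMAIN -
2012-06-17T19:02:11-07:00 10.50.1.23 www.example.edu A NOERROR 192.0.2.10
2012-06-17T19:30:01-07:00 10.50.1.23 host.somehackedsite.com A NXDOMAIN -
2012-06-17T19:41:55-07:00 10.50.1.23 exmaple.edu A NXDOMAIN -
2012-06-17T20:00:03-07:00 10.50.1.23 host.somehackedsite.com A NXDOMAIN -
2012-06-17T20:30:02-07:00 10.50.1.23 host.somehackedsite.com A NOERROR 10.2.3.4
2012-06-17T21:00:01-07:00 10.50.1.23 host.somehackedsite.com A NOERROR 10.2.3.4
2012-06-17T21:09:40-07:00 10.50.1.23 www.example.edu A NOERROR 192.0.2.10
2012-06-17T21:30:04-07:00 10.50.1.23 host.somehackedsite.com A NXDOMAIN -
2012-06-17T22:00:02-07:00 10.50.1.23 host.somehackedsite.com A NXDOMAIN -
"""


def parse_log(text):
    """One dict per query; names are normalised so case or a trailing dot cannot split a series."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, answer = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype,
                        "rcode": rcode, "answer": answer})
    return records


def find_beacons(records, min_queries=5, max_jitter=0.10):
    """Return (client, qname) series that both fail and resolve and are queried on a steady period."""
    series = defaultdict(list)
    for r in records:
        series[(r["client"], r["qname"])].append(r)

    findings = []
    for (client, qname), recs in series.items():
        if len(recs) < min_queries:
            continue
        rcodes = {r["rcode"] for r in recs}
        if not {"NXDOMAIN", "NOERROR"} <= rcodes:   # the dynamic-DNS flip
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        period = median(gaps)
        jitter = max(abs(g - period) for g in gaps) / period   # relative deviation from the cadence
        if jitter > max_jitter:
            continue
        findings.append({
            "client": client,
            "qname": qname,
            "queries": len(recs),
            "period_s": round(period),
            "jitter": round(jitter, 3),
            "answers": sorted({r["answer"] for r in recs if r["rcode"] == "NOERROR"}),
            "first_resolved": min(r["ts"] for r in recs if r["rcode"] == "NOERROR"),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['qname']}: {f['queries']} queries every ~{f['period_s']}s, "
              f"resolved to {f['answers']} from {f['first_resolved']:%Y-%m-%d %H:%M}")
```

Implants that add random sleep will not pass a 10% jitter test, so in practice widen max_jitter and treat the NXDOMAIN-to-NOERROR flip on its own as a lower-confidence signal; legitimate names that expire or sit behind a CDN can also flip, so the first_resolved time is what you take to the netflow to see what the host did next.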
Attack Timing
All attacks took place Sunday through Thursday between 6pm and 3am Pacific.
This was somebody's job. It also gave us insight into when we could make system changes while the attackers weren't active.
Attack Path
Malware Observations
You don't need to rely on a lot of malware when you've already got a long list of credentials.
You don't need to crack passwords when you can just pass the hash.
NTLM Authentication
1. User provides username and password. The client computes the hash, stores it in memory and throws away the plaintext password.
2. Client sends the username to the server.
3. Server sends a challenge to the client.
4. Client encrypts the challenge with the user's hash and sends it back to the server.
5. Server sends the username, challenge and encrypted response to the DC.
6. DC retrieves the user's hash, encrypts the challenge and compares it to the client's encrypted response. If they match, authentication succeeds.
From step 2 onward the plaintext password is never used: whoever holds the hash can complete the exchange.
LSASS: Local Security Authority Subsystem Service, the process that holds these hashes on the client.
Interactive Authentication
Client computes the LM and NTLM hashes and stores them in memory. The plaintext password is also kept in memory, reversibly encrypted. A verifier salted with the username (the cached domain logon credential) is stored in the registry.
Administrator Hash
So, let's say the domain administrator RDPs to the client.
The Domain Admin's NTLM hash is now stored in the client's memory.
Pass the Hash
Attacker compromises the client.
Steals the hashes from memory.
Uses them to access both the server and the domain controller.
GAME OVER
Mitigations
Change passwords multiple times per day
Fast-track two-factor authentication
Compartmentalized passwords
Separate user and admin credentials
Minimize lateral trust
Scan the entire domain for scheduled tasks
Rebuild domain controllers
Detection: look for authentications that used a hash (NTLM network logons) but had no corresponding interactive login by that account on the source system.
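The detection named in the last line above, as an added example (not the deck's own tooling): Python run over constructed, simplified 4624-style logon records. The record format, host names, addresses, accounts and the IP-to-host inventory are assumptions; the logic is the slide's rule, with the Sunday-Thursday 6pm-3am window from the attack-timing slide applied as enrichment. An NTLM network logon (type 3) by an account from a host where that account never logged on interactively (type 2, 10 or 11) is the hash-only authentication the slide describes.

```python
"""Added example: hash-only authentications in logon events.

A pass-the-hash logon shows up as an NTLM network logon (type 3) for an account
from a source host where that account never logged on interactively (type 2, 10
or 11).  Event format, hosts, addresses, accounts and inventory are constructed.
"""
from datetime import datetime

INTERACTIVE_TYPES = {2, 10, 11}   # console, RDP, cached console: these put a hash into LSASS
NETWORK_TYPE = 3

# Constructed, simplified 4624 records:
# <timestamp> host=<logging system> type=<logon type> user=<account> src=<source ip> pkg=<auth package>
SAMPLE_EVENTS = """\
2012-06-17T14:00:10-07:00 host=ADMIN-PC type=2 user=dadmin src=- pkg=Negotiate
2012-06-17T14:05:10-07:00 host=WS-LAB12 type=10 user=dadmin src=10.20.5.40 pkg=Negotiate
2012-06-17T14:06:00-07:00 host=FILESRV1 type=3 user=dadmin src=10.20.5.40 pkg=NTLM
2012-06-17T23:12:44-07:00 host=FILESRV1 type=3 user=dadmin src=10.20.7.55 pkg=NTLM
2012-06-17T23:13:02-07:00 host=DC01 type=3 user=dadmin src=10.20.7.55 pkg=NTLM
2012-06-18T09:30:00-07:00 host=WS-HR07 type=2 user=jsmith src=- pkg=Negotiate
2012-06-18T09:31:12-07:00 host=FILESRV1 type=3 user=jsmith src=10.20.8.7 pkg=NTLM
2012-06-18T09:32:00-07:00 host=FILESRV1 type=3 user=jsmith src=10.20.8.7 pkg=Kerberos
"""

# Constructed IP-to-host inventory (DHCP leases or an asset database in practice).
INVENTORY = {"10.20.5.40": "ADMIN-PC", "10.20.7.55": "WS-ENG03", "10.20.8.7": "WS-HR07"}


def parse_events(text):
    """Parse the key=value records and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        ev["type"] = int(ev["type"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def in_attacker_window(ts):
    """Sunday-Thursday 18:00 to 03:00 local time, the window observed in this incident."""
    wd = ts.weekday()                                       # Monday=0 ... Sunday=6
    evening = ts.hour >= 18 and wd in (6, 0, 1, 2, 3)       # Sun..Thu evenings
    small_hours = ts.hour < 3 and wd in (0, 1, 2, 3, 4)     # Mon..Fri before 03:00
    return evening or small_hours


def find_hash_only_logons(events, inventory):
    """NTLM network logons whose source host had no earlier interactive logon by that account."""
    seen_interactive = set()
    findings = []
    for e in events:
        if e["type"] in INTERACTIVE_TYPES:
            seen_interactive.add((e["user"], e["host"]))
            continue
        if e["type"] != NETWORK_TYPE or e["pkg"] != "NTLM":
            continue   # following the slide, only NTLM is considered here
        src_host = inventory.get(e["src"], "unknown")
        if (e["user"], src_host) in seen_interactive:
            continue
        findings.append({"ts": e["ts"], "user": e["user"], "target": e["host"],
                         "src_ip": e["src"], "src_host": src_host,
                         "in_window": in_attacker_window(e["ts"])})
    return findings


if __name__ == "__main__":
    for f in find_hash_only_logons(parse_events(SAMPLE_EVENTS), INVENTORY):
        flag = "  [attacker window]" if f["in_window"] else ""
        print(f"{f['ts']:%a %H:%M} {f['user']} -> {f['target']} from {f['src_host']} ({f['src_ip']}){flag}")
```

Expect noise from service accounts, scheduled tasks and machine accounts, which authenticate over the network without ever logging on interactively; whitelist those and keep the rule for human admin accounts, where a network logon from a host the admin has never sat at is exactly the event that matters. An inventory that maps source IPs to hosts is a prerequisite; without it the same correlation has to be done against DHCP logs first.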
Lesson #7
Reconsider traditional password best practices
How often do you change your password? A lot of best practice is based on outdated information; keystroke loggers and phishing have invalidated most of that thinking.
How long do you want the attackers to have access to your systems before you kick them out and force them to reacquire credentials?
Good passwords?
*tecno9654postgres
A Matt Hale Tribute CD would be cool..
Access-Control-Allow-Origin
Abundance4me2day
Bulletformyvalentine123
Elementarymydearwatson
Putin is nothing but commie scum.
Video killed the radio star?
antcolonyoptimization
Emergency Action (September 2012)
Attackers tried to capture the e-mail of the upper org chart of one of the targeted departments: webmail to check the credential, POP to download the e-mail.
Swatting flies: so many compromised credentials. Reset the playing field.
Lesson #8
Effectively and securely communicating a password change is hard
Met with campus sysadmins to spread the message internally; helpdesk; campus announcements; prominent notices on official campus web pages.
Just before the quarter started.
Faculty, staff and privileged role accounts.
Avoid Sept 11.
35,000 accounts; many disabled outright as they had not been used.
5-day rolling disable.
Huge phishing in the following weeks. Try a few, and back off.
We are not alone
Not just a Windows problem.
Some backlash on whether AD could be trusted.
As we started protecting more and more AD credentials, the attackers tried local accounts in an attempt to hide their activity.
Reengagement (July 2013)
Parting Thoughts
Detection can be subtle and an art
Have a good AD team
Logging visibility is essential
Regular password changes are a MUST
Be prepared to re-image any system
Firewalls to prevent lateral movement
Separation of user and admin credentials
Require two-factor for OU Admins
FBI has now confirmed other activity from this particular group.
A New Hope
Windows 8.1 / Server 2012 R2 changes aimed at credential theft:
Strengthened LSASS to prevent credential dumps
Many processes no longer store credentials in memory
Better ways to restrict local account use over the network
RDP use without putting the credentials on the remote computer
Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Further Reading
Know Your Digital Enemy: Anatomy of a Gh0st RAT. http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques. http://www.microsoft.com/en-us/download/details.aspx?id=36036
APT1: Exposing One of China's Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
"If ignorant both of your enemy and yourself, you are certain to be in peril." (Sun Tzu, The Art of War)
[Org chart: University of California, San Diego, Administrative Computing & Telecommunications (ACT); last modified 10/15/2013. Legend: ** Student, *** Temp, **** Volunteer.
Assistant Vice Chancellor: Min Yao. Units shown: PMO, Communications & QA; Telecom Planning; Finance, Administration, and Helpdesk; IT Infrastructure / CISP Officer; Telecom Operations; Data Communications; Network Architecture/Research Liaison; System Administrator Outreach; Data Center; Mainframe Technical Support; Enterprise Infrastructure Data Management; External Affairs DW; IT Network Security; Enterprise Infrastructure Systems & Services (AD/Messaging and Windows Systems, UNIX Support, Network Applications); IT Applications; Campus Web Office; Middleware & Id Management Services.
IT Network Security (John Denune): Network Security Operations (Lowell Kinzer; Patrick Burke, Ferdie Escudero, Cooper Nelson, Joe Pomianek, Isaiah Schisler) and Network Security Infrastructure (Stephen Figueroa, Everett Stauffer). Remaining staff names omitted.]