Page 1: Advanced persistent threats

Advanced Persistent Threats

K. K. Mookhey

Principal Consultant

Network Intelligence India Pvt. Ltd.

Page 2: Advanced persistent threats

Speaker Introduction

Founder & Principal Consultant

Network Intelligence

Institute of Information Security

Certified as CISA, CISSP and CISM

Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009

Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)

Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)

Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.

Page 3: Advanced persistent threats

Agenda

Ground-level Realities

Compliance & Regulations

Case Study of Privileged Identity Challenges

Solutions

Policy

Process

Technology

Page 4: Advanced persistent threats

Background

Page 5: Advanced persistent threats

Further background…

"Fraud worries Indian outsourcing firms... Industry executives and officials at Nasscom, ... say they are worried that exposés of recent incidents of fraud are damaging India's reputation as a high-skilled, low-cost location..."

"Infosys wrestles with India IT worker turnover... the Indian outsourcing firm is wrestling with a 25 percent spike in employee attrition—the highest mark since 2004, analysts say."

"In India, the average annual attrition rate in the business process outsourcing (BPO) sector hit a high of close to 50% a few years ago."

"Laterals attrition worrying IT biggies... some companies are now battling attrition as high as 40% among their project managers, threatening to disrupt ongoing engagements."

Page 6: Advanced persistent threats

What are Privileged Accounts?

Elevated Personal Accounts (SUPM)
  Scope: personal accounts with elevated permissions (e.g. JSmith_admin); SUDO
  Used by: IT staff
  Used for: privileged operations; access to sensitive information

Shared Privileged Accounts (SAPM)
  Scope: Administrator; UNIX root; Cisco Enable; Oracle SYS; Local Administrators; ERP admin
  Used by: IT staff; System Admins; Network Admins; DBAs; Help Desk, etc.; Developers; Legacy Apps
  Used for: Emergency; Fire-call; Disaster recovery; privileged operations; access to sensitive information

Application Accounts (AIM)
  Scope: hard-coded and embedded application IDs; Service Accounts
  Used by: Applications; Scripts; Windows Services; Scheduled Tasks; Batch jobs, etc.; Developers
  Used for: Online database access; Batch processing; App-2-App communication

Highly Powerful

Difficult to Control, Manage & Monitor

Usage is Not 'Personalized'

Pose Devastating Risk if Misused

Page 7: Advanced persistent threats

The Insider Threat…

No. 1 security concern of large companies is… THE INSIDER THREAT (IDC Analyst Group)

86% of the insiders held technical positions (CERT)

90% of them were granted system administrator or privileged system access when hired (CERT)

64% used remote access (CERT)

50% of those people were no longer supposed to have this privileged access (Source: Carnegie Mellon, DOD)

92% of all the insiders attacked following a negative work-related event like termination, dispute, etc. (CERT)

Page 8: Advanced persistent threats

Crucial question…

Quis custodiet ipsos custodes? = Who will guard the guards?

Page 9: Advanced persistent threats

How sys admins really operate!

And how passwords get compromised!

Ground Level Realities

Page 10: Advanced persistent threats

SQL Server to Enterprise 0wned!

Entry Point – 172.16.1.36

Vulnerability -> SQL Server default username and password

Username: sa

Password: password

Use xp_cmdshell to run:

'net user kkm kkm /add'

'net localgroup administrators kkm /add'

Page 11: Advanced persistent threats

Hash Dump

Administrator:500:A8367713FF9D45CE45F37A6:::

Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::

GP2010STGLocal:1012:3ED3C0B9BB7B5091BC4186920:AC4FFE38A7582D2A46E36865B:::
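A defender reading a dump like the one above wants to know which entries are the real problem. The following parser is an added example, not part of the talk: it reads pwdump-style lines (user:RID:LM hash:NT hash:::), treats a "NO PASSWORD" marker or the well-known empty-string hash as a blank password, and flags stored LM hashes and the built-in RID 500 Administrator, the shared account the case study abused. The sample dump is constructed; its hashes are made up and are not the values from the slide.

```python
from dataclasses import dataclass

# Public, well-known hashes of the empty password (LM and NT); not values taken from the slide.
EMPTY_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"
BUILTIN_ADMIN_RID = 500

# Constructed sample in pwdump layout (user:RID:LM hash:NT hash:::); the hashes are made up.
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_legacy:1012:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
jsmith:1105:AAD3B435B51404EEAAD3B435B51404EE:0011223344556677889900AABBCCDDEE:::
"""


@dataclass
class DumpedAccount:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump_line(line: str) -> DumpedAccount:
    """Split one pwdump-style line; trailing fields (history, comment) are ignored."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    return DumpedAccount(parts[0], int(parts[1]), parts[2].upper(), parts[3].upper())


def is_blank(hash_field: str) -> bool:
    """A 'NO PASSWORD' marker or the hash of the empty string both mean no password is set."""
    return hash_field.startswith("NO PASSWORD") or hash_field in (EMPTY_LM_HASH, EMPTY_NT_HASH)


def assess(acct: DumpedAccount) -> list:
    """Findings a reviewer would raise for one dumped account."""
    findings = []
    if is_blank(acct.nt_hash):
        findings.append("blank password: confirm the account is disabled or set a password")
    if not is_blank(acct.lm_hash):
        findings.append("LM hash stored: legacy format, enforce NoLMHash and rotate the password")
    if acct.rid == BUILTIN_ADMIN_RID:
        findings.append("built-in Administrator (RID 500): shared privileged account, vault and rotate")
    return findings


def audit_dump(text: str) -> dict:
    """Map each user in a dump to its findings; lines that do not parse are skipped."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            acct = parse_pwdump_line(line)
        except ValueError:
            continue
        results[acct.user] = assess(acct)
    return results


if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {findings or 'no finding'}")
```

The LM check matters because a stored LM hash is the legacy format that makes the dumped credentials easy to recover; the RID 500 check is the link back to the case study, where the shared local Administrator credential was what let the attacker move from one SQL Server to the rest of the network.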

Page 12: Advanced persistent threats

Privilege Escalation on the Network

Using the Administrator account to log on to other machines

Login to the domain server was not possible

Check for Impersonating Users

Page 13: Advanced persistent threats

The Scope of the Problem...

"Most organizations have more privileged accounts than personal accounts" (Sally Hudson, IDC)

Typical use case, mid-size company IT profile: ~10,000 employees

8,000+ desktops/laptops

200 Windows servers

10 Windows domains

500 Unix/Linux servers

20 WebSphere/Weblogic/Jboss/Tomcat servers

100 Oracle/DB2/Sqlserver databases

50 Cisco/Juniper/Nortel routers and switches

20 firewalls

1,000 application accounts

150 Emergency and break-glass accounts

Page 14: Advanced persistent threats

What happened at RSA?

Page 15: Advanced persistent threats

Spear Phishing

Page 16: Advanced persistent threats

Compliance & Regulations

Page 17: Advanced persistent threats

Compliance and Regulation

Current audit questions around privileged accounts:

"Can you prove that you are protecting access to key accounts?"

"Who is acting as System Administrator for this activity?"

"Can you prove that Rahul Mehta's access to the netAdmin ID was properly approved?"

"Can you show me what Rahul Mehta did within his session as root last week?"

"Are you changing the Exchange Admin password in line with company policy?"

"Have you removed hard-coded passwords from your applications?"

PCI, SOX, Basel II & HIPAA are all diving deeper into privileged accounts.

Page 18: Advanced persistent threats

Telecom Regulations

DOT circular (31st May 2011) states in 5.6 A (vi) c. that:

The Licensee shall keep a record of all the operation and maintenance command logs for a period of 12 months, which should include the actual command given, who gave the command, when was it given and from where. For next 24 months the same information shall be stored/retained in a non-online mode.
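As an added example (not from the talk), the following code turns the circular's requirements into two checks an auditor can run over a command-log export: every record must carry the command, who gave it, when and from where, and each record's age decides whether it must still be online (first 12 months), in non-online storage (next 24 months), or has completed the required retention. The sample records and the month arithmetic are my own; the circular states only the periods.

```python
from datetime import date

# Fields the circular requires in every O&M command log record.
REQUIRED_FIELDS = ("command", "who", "when", "where")
ONLINE_MONTHS = 12        # first period: retained online
NON_ONLINE_MONTHS = 24    # following period: retained in non-online mode
TOTAL_MONTHS = ONLINE_MONTHS + NON_ONLINE_MONTHS


def missing_fields(record: dict) -> list:
    """Required fields that are absent or empty in a log record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def months_elapsed(start: date, today: date) -> int:
    """Whole months between two dates; a month counts only once its day-of-month has passed."""
    months = (today.year - start.year) * 12 + (today.month - start.month)
    if today.day < start.day:
        months -= 1
    return months


def retention_tier(record_date: date, today: date) -> str:
    """'online' for the first 12 months, 'non-online' for the next 24, then 'retention-complete'."""
    m = months_elapsed(record_date, today)
    if m < ONLINE_MONTHS:
        return "online"
    if m < TOTAL_MONTHS:
        return "non-online"
    return "retention-complete"


# Constructed sample export (not from the talk); 'when' is an ISO date.
SAMPLE_LOG = [
    {"command": "configure terminal", "who": "noc_ravi", "when": "2011-06-01", "where": "10.1.1.5"},
    {"command": "reload", "who": "noc_ravi", "when": "2010-01-15", "where": ""},
    {"command": "show running-config", "who": "", "when": "2008-03-03", "where": "10.1.1.9"},
]


def review_log(records, today: date) -> list:
    """For each record: which required fields are missing and which storage tier it belongs in."""
    rows = []
    for rec in records:
        when = date.fromisoformat(rec["when"]) if rec.get("when") else None
        rows.append({
            "command": rec.get("command"),
            "missing": missing_fields(rec),
            "tier": retention_tier(when, today) if when else "unknown",
        })
    return rows


if __name__ == "__main__":
    for row in review_log(SAMPLE_LOG, date(2012, 5, 31)):
        print(row)
```

A record missing "who" or "where" is the finding that matters most here: it is exactly the gap a shared root or enable account creates, since the device logs the account name, not the person behind it.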

Page 19: Advanced persistent threats

Corporate Liability

'43A. Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages, not exceeding five crore rupees, by way of compensation to the person so affected.'

Page 20: Advanced persistent threats

RBI Guidelines on Technology Risks

On April 29, 2011, the Reserve Bank of India released the "Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds".

Close supervision of personnel with elevated system privileges: personnel with elevated system access privileges should be closely supervised.

Page 21: Advanced persistent threats

App2App Communication

• App2App interaction requires an authentication process

  – Calling application needs to send credentials to target application

• Common use cases

  – Applications and Scripts connecting to databases

  – 3rd Party Products accessing network resources

  – Job Scheduling

  – Application Server Connection Pools

  – Distributed Computing Centers

  – Application Encryption Key Management

  – ATM, Kiosks, etc.
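Hard-coded credentials for these App2App connections are the finding behind the audit question "Have you removed hard-coded passwords from your applications?" on the compliance slide. The scanner below is an added example, not the speaker's tool: it searches configuration and source text for password-like keys assigned a literal value, ignores values that are only references (such as ${VAR} or os.environ lookups), and shows the run-time retrieval pattern that replaces the literal. The regular expression is a heuristic, the sample config and source lines are constructed, and the environment lookup stands in for a vault or application identity manager call (an assumption, not any product's API).

```python
import os
import re

# Keys whose assigned value looks like a literal secret. This is a heuristic; expect some noise.
SECRET_KEY_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*[\"']?(?P<value>[^\"'\s,;)]+)"
)
# Values that only refer to a secret kept elsewhere are not findings.
REFERENCE_PREFIXES = ("${", "%", "os.environ", "os.getenv", "getenv(", "<")

# Constructed samples (not from the talk): a properties file and a source fragment.
SAMPLE_CONFIG = """\
db.url=jdbc:oracle:thin:@dbhost:1521:ORCL
db.user=appuser
db.password=Summer2011!
api_key: "cons-tructed-key-0001"
smtp.password=${SMTP_PASSWORD}
"""
SAMPLE_SOURCE = '''\
conn = connect(user="appuser", password="Summer2011!")
token = os.environ["APP_TOKEN"]
'''


def find_hardcoded_credentials(text: str) -> list:
    """Return (line number, key, masked value) for each literal credential in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SECRET_KEY_RE.search(line)
        if not match:
            continue
        value = match.group("value")
        if value.startswith(REFERENCE_PREFIXES) or value.lower() in ("none", "null"):
            continue
        masked = value[:2] + "*" * max(len(value) - 2, 0)   # never echo the secret itself
        findings.append((lineno, match.group(1).lower(), masked))
    return findings


def has_credential(name: str, env=None) -> bool:
    """True if the named secret is provisioned at run time (env defaults to os.environ)."""
    env = os.environ if env is None else env
    return bool(env.get(name))


def get_credential(name: str, env=None) -> str:
    """Fetch a secret at run time; stands in for a vault/AIM lookup (an assumption). No built-in fallback."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"credential {name} is not provisioned; refusing to fall back to a built-in value")
    return value


if __name__ == "__main__":
    for lineno, key, masked in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"config line {lineno}: literal {key} = {masked}")
    for lineno, key, masked in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"source line {lineno}: literal {key} = {masked}")
```

The refusal to fall back to a default in get_credential is deliberate: a hard-coded "just in case" value is the embedded credential the audit question is about, only one step removed.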

Page 22: Advanced persistent threats

Solutions!

Or why SIEMs are not the answer

Page 23: Advanced persistent threats

Decipher this!

OS_USERNAME

--------------------------------------------------------------------------------

USERNAME

------------------------------

USERHOST

--------------------------------------------------------------------------------

TIMESTAMP RETURNCODE

------------------- ----------------

MRMESSIN\Mike Messina

DUMMYWORKGROUP\MRMESSIN

11/08/2007 09:07:54 1017
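The output on this slide has the column layout SQL*Plus produces when it wraps a wide query against the Oracle audit trail (OS_USERNAME, USERNAME, USERHOST, TIMESTAMP and RETURNCODE are DBA_AUDIT_TRAIL columns); read by eye it is close to useless, which is the slide's point. The parser below is an added example, not from the talk: it rebuilds the record from the header/dash-line blocks, slices the multi-column line at the dash positions, and translates RETURNCODE 1017 into its meaning (ORA-01017, invalid username or password). The sample output is constructed on the slide's layout with a made-up USERNAME value, since that value is missing from the extracted slide.

```python
import re

# Constructed SQL*Plus-style output modelled on the slide's layout; the values are made up.
SAMPLE_OUTPUT = r"""
OS_USERNAME
--------------------------------------------------------------------------------
USERNAME
------------------------------
USERHOST
--------------------------------------------------------------------------------
TIMESTAMP           RETURNCODE
------------------- ----------------
MRMESSIN\Mike Messina
APPUSER
DUMMYWORKGROUP\MRMESSIN
11/08/2007 09:07:54 1017
"""

# RETURNCODE holds the Oracle error number of the audited action; 0 means it succeeded.
RETURN_CODES = {
    0: "success",
    1017: "ORA-01017 invalid username/password; logon denied",
    28000: "ORA-28000 the account is locked",
}
DASH_LINE = re.compile(r"^[- ]+$")


def parse_sqlplus_record(text: str) -> dict:
    """Rebuild one row from wrapped SQL*Plus output: header/dash blocks first, then values in order."""
    lines = [line.rstrip() for line in text.strip("\n").splitlines()]
    headers = []  # (column names, dash line) for each header block
    i = 0
    while i + 1 < len(lines) and DASH_LINE.match(lines[i + 1]):
        headers.append((lines[i].split(), lines[i + 1]))
        i += 2
    values = [line for line in lines[i:] if line.strip()]
    if len(values) != len(headers):
        raise ValueError(f"expected {len(headers)} value lines, found {len(values)}")
    record = {}
    for (names, dashes), value_line in zip(headers, values):
        if len(names) == 1:
            record[names[0]] = value_line.strip()
            continue
        # Several columns share this line: slice it where each dash segment sits.
        for name, seg in zip(names, re.finditer(r"-+", dashes)):
            record[name] = value_line[seg.start():seg.end()].strip()
    return record


def is_failed(record: dict) -> bool:
    """A non-zero RETURNCODE means the audited action failed."""
    return int(record.get("RETURNCODE", "0")) != 0


def describe(record: dict) -> str:
    """One readable line per audit row: OS and DB identity, source host, time and outcome."""
    code = int(record.get("RETURNCODE", "0"))
    outcome = RETURN_CODES.get(code, f"ORA-{code:05d}")
    return (f"{record['TIMESTAMP']} OS user {record['OS_USERNAME']} from {record['USERHOST']} "
            f"as DB user {record['USERNAME']}: {outcome}")


if __name__ == "__main__":
    row = parse_sqlplus_record(SAMPLE_OUTPUT)
    print(describe(row))
```

Even once decoded, the row only tells you which OS account and host presented the credential; when that OS account is a shared one, the question "who is acting as System Administrator for this activity?" from the audit slide is still unanswered, which is the gap session recording is meant to close.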

Page 24: Advanced persistent threats

On-Demand Privileges Manager: Tightening Unix Security

Control superuser access for in-depth Unix security

Manage the commands Unix admins can run with granular access control

Enforce 'least privilege': elevate to 'root' only when necessary

Monitor individual superuser activity with text recording

Unified audit of superuser activity and password access

When | Who | What | Where
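To make "elevate to root only when necessary" concrete, the following added example (my code, not the product's policy language) implements the command-level model the slide describes: a deny-by-default policy of permitted command patterns per group, a short list of commands that are never elevated because they hand over an unrestricted root shell, and a when/who/what/where record written for every request, allowed or denied. The group names, patterns and hosts are constructed.

```python
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Rule:
    group: str
    allow: list = field(default_factory=list)   # glob patterns of commands the group may elevate


# Constructed policy: deny by default, grant by group. Not the product's policy language.
POLICY = [
    Rule("dba", ["systemctl restart oracle*", "cat /var/log/oracle/*"]),
    Rule("helpdesk", ["passwd *", "cat /var/log/auth.log"]),
]
# Never elevated for anyone: these hand over an unrestricted root shell or the root password.
ALWAYS_DENY = ["bash", "sh", "su", "bash *", "sh *", "su *", "vi *", "vim *", "passwd root"]


@dataclass
class AuditRecord:
    when: str       # ISO-8601 timestamp, UTC
    who: str        # the individual requesting elevation, never the shared root account
    what: str       # the exact command requested
    where: str      # source host of the request
    decision: str   # "allow" or "deny"
    reason: str


def evaluate(groups: set, command: str) -> tuple:
    """Deny by default; allow only a command matching a pattern granted to one of the user's groups."""
    if ".." in command:
        return False, "path traversal in command"
    for pattern in ALWAYS_DENY:
        if fnmatch.fnmatchcase(command, pattern):
            return False, f"refused, matches always-deny pattern {pattern!r}"
    for rule in POLICY:
        if rule.group not in groups:
            continue
        for pattern in rule.allow:
            if fnmatch.fnmatchcase(command, pattern):
                return True, f"granted by {rule.group} rule {pattern!r}"
    return False, "no matching rule"


def request_elevation(user: str, groups: set, command: str, source_host: str,
                      audit_log: list, now: datetime = None) -> bool:
    """Decide, then always write the when/who/what/where record, whatever the outcome."""
    allowed, reason = evaluate(groups, command)
    when = (now or datetime.now(timezone.utc)).isoformat()
    audit_log.append(AuditRecord(when, user, command, source_host,
                                 "allow" if allowed else "deny", reason))
    return allowed


if __name__ == "__main__":
    log = []
    request_elevation("ravi", {"dba"}, "systemctl restart oracle-db", "10.1.1.5", log)
    request_elevation("ravi", {"dba"}, "bash", "10.1.1.5", log)
    for rec in log:
        print(rec)
```

Glob matching does not canonicalize paths, so the ".." check only covers the obvious traversal; a real tool resolves the command's path and arguments before matching, and the denied requests are as valuable to the monitoring team as the allowed ones.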

Page 25: Advanced persistent threats

Privileged 'Session' Example

Company: Telco with over 100M subscribers

Regulation: Multiple

Driver: Compliance, control & monitor access to production environment, reduce operational costs

Scope: Integrated Privileged ID and Session Management implementation on 15,000 machines, tens of thousands of accounts.

Benefits:

Minimized security risks

• Detailed audit logging & recording – 26,000 PSM recorded sessions within first 60 days

Met compliance goals

Reduced TCO

• Avoid performance impact of end-point logging agents – savings of around 4% of total CPU power!

Operational efficiency

• Integrated solution with central management & unified reporting & policies

• Improved IT work efficiency with privileged single-sign-on

Page 26: Advanced persistent threats

Summary: Privileged Identity & Session Management

A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud:

Discover all privileged accounts across the datacenter

Manage and secure every credential

Enforce policies for usage

Record and monitor privileged activities

React and comply

Integrate with IDAM

Page 27: Advanced persistent threats

Before we get to the technology…

Page 28: Advanced persistent threats

Controls Framework

Page 29: Advanced persistent threats

Policies

Privileged ID Management Policy & Procedures

Privileged ID allocation – the approval mechanism and process for it

Privileged ID periodic review – the procedure for this

Monitoring of privileged ID activities – mechanisms and procedures for logging and monitoring privileged IDs

Revocation of a privileged ID – what happens when an administrator leaves the organization?

How are vendor-supplied user IDs managed?

Managing shared/generic privileged IDs
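The policy items above become checkable once the privileged IDs are held in a register. The review below is an added example, not a procedure from the talk: each ID carries its approval, owner and last-review date, and the review reports IDs with no approval record, an overdue review, an owner on the leavers list (the "administrator leaves" case), shared or generic IDs without a named custodian, and vendor-supplied IDs still on a default credential. The 90-day review interval and the sample register are assumptions; the talk sets no interval.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90   # assumed policy value; the talk sets no interval


@dataclass
class PrivilegedId:
    name: str
    system: str
    kind: str                      # "personal", "shared", "vendor" or "application"
    owner: str                     # accountable person; custodian for shared/generic IDs
    approved_by: str               # empty if the allocation was never approved
    last_reviewed: Optional[date]  # None if never reviewed
    vendor_default: bool = False   # vendor-supplied ID still on its default credential


# Constructed register (not from the talk).
SAMPLE_REGISTER = [
    PrivilegedId("ravi_admin", "AD", "personal", "ravi", "it-head", date(2011, 5, 1)),
    PrivilegedId("root", "db01", "shared", "", "", None),
    PrivilegedId("netadmin", "core-rtr", "shared", "rahul", "it-head", date(2011, 1, 10)),
    PrivilegedId("oracle_support", "db01", "vendor", "ravi", "it-head", date(2011, 5, 1),
                 vendor_default=True),
]
LEAVERS = {"rahul"}   # from HR's leavers feed; constructed


def review_id(pid: PrivilegedId, leavers: set, today: date) -> list:
    """Policy checks for one privileged ID; an empty list means nothing to report."""
    issues = []
    if not pid.approved_by:
        issues.append("no approval record")
    if pid.last_reviewed is None or (today - pid.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        issues.append("periodic review overdue")
    if pid.owner in leavers:
        issues.append("owner has left: revoke or reassign")
    if pid.kind in ("shared", "application") and not pid.owner:
        issues.append("shared/generic ID without a named custodian")
    if pid.kind == "vendor" and pid.vendor_default:
        issues.append("vendor-supplied ID still has default credential")
    return issues


def review(register, leavers: set, today: date) -> dict:
    """Map 'id@system' to its findings, omitting IDs with nothing to report."""
    findings = {}
    for pid in register:
        issues = review_id(pid, leavers, today)
        if issues:
            findings[f"{pid.name}@{pid.system}"] = issues
    return findings


if __name__ == "__main__":
    for key, issues in review(SAMPLE_REGISTER, LEAVERS, date(2011, 6, 1)).items():
        print(key, "->", "; ".join(issues))
```

The leavers check is the one most often missed in practice: a personal admin ID is usually disabled with the user's main account, but a shared or vendor ID whose custodian has left keeps working until someone notices, which is why the register needs an owner for every ID, not only the personal ones.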

Page 30: Advanced persistent threats

Take Aways

Privileged IDs represent the highest risk for data leakage in the organization

Such IDs are numerous due to the large number of systems and devices in any network

Managing the access of these IDs and monitoring their activities is of crucial importance!

Technology solutions such as Privileged Identity Management make this task easier

But these need to be combined with the right policy framework and comprehensive procedures

Page 31: Advanced persistent threats

Thank you!

Questions?

[email protected]