How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods
Paula Januszkiewicz CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: [email protected] | http://cqure.us | @paulacqure | @CQUREAcademy
Upcoming Workshops: 17th – 19th of October, New York, NY – Troubleshooting and Monitoring Windows Infrastructure – From Zero to Hero
Please contact our office in the United States and mention BeyondTrust! Exclusive discounts for all attendees of today’s seminar.
What is the most successful path for the attack right now?
THE ANATOMY OF AN ATTACK
1. Healthy computer
2. User receives email
3. User lured to malicious site
4. Device infected with malware
5. HelpDesk logs into device
6. Identity stolen, attacker has increased privileges
“PASS THE HASH” ATTACKS – Today’s security challenge
PASS THE HASH TECHNIQUE (diagram)
Fred’s Laptop – Fred’s user session: User: Fred, Password hash: A3D7… – Malware session: User: Administrator, Password hash: E1977…
Sue’s Laptop – Sue’s user session: User: Sue, Password hash: C9DF… – Malware user session: User: Adm…, Hash: E1977…
File Server – User: Sue, Hash: C9DF…
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE’S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
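The diagram above is also a detection opportunity: each hop is a network logon (Security event 4624, Logon Type 3) authenticated with NTLM, and the target of one hop becomes the source of the next under a different account a short time later. The following is an added example, not material from the deck or from CQURE/BeyondTrust, that flags that two-hop pattern. The host names, accounts and timestamps are constructed; the field names mirror the 4624 event (LogonType, AuthenticationPackageName, WorkstationName), which a real collector such as Get-WinEvent on a central log server would supply.

```powershell
# Added example, not from the deck. Constructed sample of Security event 4624 data:
# LogonType 3 = network logon, AuthPkg = AuthenticationPackageName, SourceHost = WorkstationName.
# In practice $events is built from centrally collected 4624 events rather than literals.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2016-10-05T09:00:00'; Target = 'SUE-LAPTOP'; Account = 'CORP\fred'; LogonType = 3; AuthPkg = 'NTLM';     SourceHost = 'FRED-LAPTOP' },
    [pscustomobject]@{ Time = [datetime]'2016-10-05T09:01:30'; Target = 'FILESERVER'; Account = 'CORP\sue';  LogonType = 3; AuthPkg = 'NTLM';     SourceHost = 'SUE-LAPTOP' },
    [pscustomobject]@{ Time = [datetime]'2016-10-05T09:02:00'; Target = 'FILESERVER'; Account = 'CORP\bob';  LogonType = 3; AuthPkg = 'Kerberos'; SourceHost = 'BOB-LAPTOP' },
    # Negative case: same source host, but hours later, so outside the correlation window.
    [pscustomobject]@{ Time = [datetime]'2016-10-05T11:00:00'; Target = 'FILESERVER'; Account = 'CORP\sue';  LogonType = 3; AuthPkg = 'NTLM';     SourceHost = 'SUE-LAPTOP' }
)

function Find-NtlmHopChains {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 30
    )
    # Candidates are network logons (type 3) authenticated with NTLM; Kerberos logons are ignored.
    $ntlm = @($Events | Where-Object { $_.LogonType -eq 3 -and $_.AuthPkg -eq 'NTLM' } | Sort-Object Time)

    foreach ($first in $ntlm) {
        foreach ($second in $ntlm) {
            # A hop: the target of the first logon is the source of a second logon,
            # under a different account, within the time window.
            $delta = $second.Time - $first.Time
            if ($second.SourceHost -eq $first.Target -and
                $second.Account -ne $first.Account -and
                $delta.TotalMinutes -gt 0 -and
                $delta.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Path          = '{0} -> {1} -> {2}' -f $first.SourceHost, $first.Target, $second.Target
                    FirstAccount  = $first.Account
                    SecondAccount = $second.Account
                    GapMinutes    = [math]::Round($delta.TotalMinutes, 1)
                }
            }
        }
    }
}

Find-NtlmHopChains -Events $events | Format-Table -AutoSize
```

NTLM network logons are routine in most domains, so a reported chain is a triage signal to be joined with the endpoint's process telemetry, not proof of Pass-the-Hash on its own; the window and the "different account" condition are what keep the output short enough to review.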
P-T-H SOLUTION
VIRTUAL SECURE MODE (VSM)
• VSM uses a Hyper-V powered secure execution environment to protect derived credentials – you can get things in but can’t get things out
• Decouples the NTLM hash from the logon secret
• Fully randomizes and manages a full-length NTLM hash to prevent brute-force attacks
• Derived credentials that the VSM-protected LSA service gives to Windows are non-replayable
• VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
• VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised
• Requires processor virtualization extensions (e.g. VT-x, VT-d)
• VSM runs the Windows kernel and a series of Trustlets (processes) within it
Virtual Secure Mode (VSM) architecture diagram: Local Security Auth Service, Windows Apps, Virtual TPM, Hypervisor, Code Integrity
Demo screenshots: Windows 10 – local account; Windows 10 – domain account; …and reboot the machine; Windows 10 – VSM enabled
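Every protection listed in this section only applies once the machine has actually come back up with VSM running, and the demo ends at the reboot. The following is an added example, not from the deck, that verifies the result on a Windows 10 host using what Windows itself reports: the Win32_DeviceGuard CIM class (namespace root\Microsoft\Windows\DeviceGuard) and the LsaCfgFlags registry value, both documented by Microsoft but not mentioned on the slides. Credential Guard is the Windows feature name for the VSM-isolated LSA described above.

```powershell
# Added example, not from the deck. Run in an elevated PowerShell on Windows 10 after the reboot.
function Get-VsmStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning lists running services: 1 = Credential Guard, 2 = HVCI (code integrity)
    $running          = [int[]]($dg.SecurityServicesRunning)
    $credGuardRunning = ($running -contains 1)
    $hvciRunning      = ($running -contains 2)

    # AvailableSecurityProperties: 1 = hypervisor support (the processor virtualization
    # extensions the slide calls out), 2 = Secure Boot, 3 = DMA protection
    $available = [int[]]($dg.AvailableSecurityProperties)
    $hwVirt    = ($available -contains 1)

    # LsaCfgFlags under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
    # 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock, 0 or absent = disabled
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaCfgFlags = if ($null -ne $lsa) { [int]$lsa.LsaCfgFlags } else { 0 }

    [pscustomobject]@{
        VirtualizationExtensionsAvailable = $hwVirt
        VbsRunning                        = $vbsRunning
        CredentialGuardRunning            = $credGuardRunning
        HvciRunning                       = $hvciRunning
        LsaCfgFlags                       = $lsaCfgFlags
        # The slide's goal (derived credentials isolated in VSM) needs both VBS and Credential Guard running;
        # a configured-but-not-running state (status 1, or LsaCfgFlags set without the service) means another reboot or a hardware prerequisite is missing.
        DerivedCredentialsIsolated        = ($vbsRunning -and $credGuardRunning)
    }
}

Get-VsmStatus | Format-List
```

The registry value and the CIM class can disagree: LsaCfgFlags reflects what was configured, while SecurityServicesRunning reflects what the hypervisor actually started, so a fleet check should alert on hosts where the first is set and the second is empty.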
Comprehensive network security must address Pass-the-Hash
• It still requires attention
• Understanding the problem is necessary
• New Windows mitigations are available:
− Local account protections
− Domain account protections
− Protected domain accounts
− Authentication policies and silos
Is the problem solved? No!
PowerBroker Password Safe v6.0
Martin Cannard – Product Manager
PAM – A collection of best practices
• AD Bridge – Use AD credentials to access Unix/Linux hosts
• Privilege Delegation – Once the user is logged on, manage what they can do
• Session Management – Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
• Password & SSH Key Management – Automate the management of functional account passwords and SSH keys
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real time as passwords and keys are released and as session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Privileged Password Management (diagram): People, Services, A2A; Privileged Session Management; SSH Key Management
Privileged Session Management (diagram):
1. User authenticates to Password Safe (HTTPS) and requests a session to a protected resource
2. Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
3. RDP/SSH session is proxied through the Password Safe appliance to the protected resources
Differentiator: Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
Differentiator: Controlling Application Access
Automatic Login to ESXi example (diagram): Browser (HTTPS) and RDP Client; RDP (4489); RDP (3389); ESX; user selects vSphere application and credentials; vSphere RemoteApp; Credential Checkout; Credential Management; User Store; Session Recording / Logging
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven apps
• Backup scripts
• Role-based apps
Diagram: Browser (HTTPS) and RDP Client; SSH (22); SSH (22); user selects SSH application and credentials; SSH Application; Credential Checkout; Session Recording / Logging
Differentiator: Reporting & Analytics – Actionable Reporting, Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10 vendors reviewed
− “BeyondTrust excels with its privileged session management capabilities.”
− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester
Poll
Q&A
Thank you for attending!