IT Security Horrors That Keep You Up at Night
and How to Stop Them!
Brian Johnson
7 Minute Security
Jeff Melnick
Systems Engineer
Agenda
• Introductions
• My epic breach response fail
(a tale of tears and fears)
• IT security horrors that keep you up at night…and how to stop ‘em!
• Prize Drawing
Who’s this guy?
• Security engineer for 7 Minute Security
• Podcaster
• Not famous
• Jumpy hunter
My First Breach Response
A Tale of Tears and Fears
Application log
System log
Security log
Firewall log
Which made me feel like…
If that wasn’t bad enough…
• Spotty AV deployment
• Cringe-worthy patching
• No logging of anything
• Weak password policy
Verdict: “burn and rebuild”
Let us not suffer the same fate!
Chucky VS Andy
Let’s defend Child’s Play Inc.!
Chucky’s attack playbook
Phish Andy
Abuse bad domain passwords
Abuse bad local admin passwords
Responder attack
SMB signing attack
Subject: Pictures of Tiffany!
Deleted!
Subject: Chucky lives!
Abusing weak passwords
1. Try “Winter2017!” for all domain users
2. Wait a while
3. Try another weak password
4. Repeat steps 1-3 as necessary
Winter2017…
Spring2018…
Summer2018…
Password1…
P@ssword1...
How do we fix bad passwords?
Up the minimum to…15? 20? 30?
Fixing bad passwords (per Microsoft)
• 8+ characters (longer is not always better – e.g. WinterWinter2017)
• Educate users to use unique passwords per account
• Turn on MFA everywhere you can
• Ban bad passwords (whaaa? How?)
Setting your Active Directory password
Andy Domain controller
“Hi, I’d like to change my password to Winter2017!”
“Sure one sec, let me check the password requirements!”
Setting your Active Directory password
Andy Domain controller
“That works – thanks much!”
Banning bad passwords: 3 options
1. CredDefense
2. Pwned Passwords DLL
3. SafePass.me
A suite of tools to help you boost your network defenses!
My favorite feature?
A better password filter!
Option 1: CredDefense
Setting your Active Directory password
Andy Domain controller
“Hi, I’d like to change my password to Winter2017!”
“Sure one sec, let me check the password requirements!”
Setting your Active Directory password
Andy Domain controller
“Ok. Let me query CredDefense’s “bad passwords” list…”
Setting your Active Directory password
Andy Domain controller
“No can do! This password is on the naughty list!”
Option 2: PwnedPasswords
Pros:
• Open source
Cons:
• Requires Visual Studio tinkering
Setting your Active Directory password
Andy Domain controller
“Hi, I’d like to change my password to Winter2017!”
“Sure one sec, let me check the password requirements!”
Setting your Active Directory password
Andy Domain controller
“Ok. Let me query the “Pwned Passwords” list…”
Setting your Active Directory password
Andy Domain controller
“Sorry! Try again!”
Option 2: PwnedPasswords – making custom lists
A word of warning:
Some real world “PwnedPasswords” stats
Company with 11k users:
• Passwords cracked: 6,000
• Passwords in PwnedPasswords database: 1,500
25% of cracked passwords were already pwned!
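How the “let me check the password requirements” step in the CredDefense and Pwned Passwords dialogues above actually works, as an added example (not code from CredDefense, the Pwned Passwords DLL or this deck): a small Python model of a password filter that rejects a candidate if its SHA-1 is in a Pwned-Passwords-style hash index, or if its normalized base word is on a custom banned list like the one the “making custom lists” slide describes. The breach list and the banned words are constructed samples, and the leet-speak unmapping is an assumption, not something the deck specifies.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for the Pwned Passwords corpus; a real filter loads the
# published SHA-1 list, or a custom one built from your own cracked passwords.
SAMPLE_PWNED = ["Winter2017!", "Spring2018!", "Summer2018", "Password1", "P@ssword1", "123456"]

# Constructed custom ban list for Child's Play Inc.: company words, names, seasons.
CUSTOM_BASE_WORDS = {"childsplay", "chucky", "andy", "tiffany",
                     "winter", "spring", "summer", "fall", "password"}

# Assumed leet-speak unmapping so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans("@$0!13", "asoile")

def build_pwned_index(passwords):
    """Index SHA-1 digests by their first 5 hex chars, the same 'range' layout the
    Pwned Passwords k-anonymity API uses, so a lookup only touches one bucket."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index

def is_pwned(password, index):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], ())

def normalize(password):
    """Lower-case, strip the trailing digits/symbols users bolt on ("2017!"), undo leet."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)

def contains_banned_word(password, base_words=CUSTOM_BASE_WORDS):
    # Substring match on purpose: it also catches "WinterWinter2017" and "ihatechucky".
    base = normalize(password)
    return any(word in base for word in base_words)

def check_password(password, index, min_length=8):
    """Decide like the domain controller in the dialogue: returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_pwned(password, index):
        return False, "found in breach list"
    if contains_banned_word(password):
        return False, "contains banned word"
    return True, "ok"
```

Note that "WinterWinter2017" passes the breach-list check and is only caught by the base-word rule, which is why the deck pairs a breach list with a custom list.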
Option 3: SafePass.me
Pros:
• Single ~500 MB download in MSI format
• Easy to install
Cons:
• ~$700 USD
• Closed source (“What’s it doing?”)
Chucky’s attack playbook
Phish Andy – worked!
Abuse bad domain passwords – worked!
Abuse bad local admin passwords
Responder attack
SMB signing attack
Abusing bad local admin passwords
Often the same password across many/all machines!
Nica’s PC
Andy’s PC
File server
Database server
Email server
ihatechucky
App server
LAPS (Local Administrator Password Solution)
• Free (!) from Microsoft
• Creates strong/random Administrator password per machine
• Creds are stored securely in Active Directory
LAPS (Local Administrator Password Solution)
Requirements:
• A few GPOs to push LAPS install
• A workstation to manage LAPS from
Lateral movement? NOPE!
Nica’s PC: Nope!
Andy’s PC: Nope!
File server: Nope!
Database server: Nope!
Email server: Nope!
ihatechucky
App server: Nope!
Full LAPS install write-up
Chucky’s attack playbook
Phish Andy – worked!
Abuse bad domain passwords – worked!
Abuse bad local admin passwords – worked!
Responder attack
SMB signing attack
Responder attacks
Andy’s PC
“Hey, do you know CP-SRVV01?”
DNS server
“Sorry, no.”
“Anybody else?” (NBT-NS & LLMNR broadcast)
Chucky
“Yes! That’s me! Send credentials!”
“You got it! Here it comes!”
“EhhehaeehaheAHAHAHEHAHAOHOAHA!!!”
Defending against Responder
Careful!
Stuff can break!
Defending against Responder
Comes armed with….
“ResponderGuard!”
Chucky’s attack playbook
Phish Andy – worked!
Abuse bad domain passwords – worked!
Abuse bad local admin passwords – worked!
Responder attack – worked!
SMB signing attack
Abusing SMB signing
• SMB (Server Message Block) is the file protocol commonly used by Windows
• Used for client/server file sharing
• SMB is unsigned in many networks (maybe yours?)
PowerShell Empire + Responder + Ntlmrelay + DeathStar = FUN!
Wait for it…
Chucky’s attack playbook
Phish Andy – worked!
Abuse bad domain passwords – worked!
Abuse bad local admin passwords – worked!
Responder attack – worked!
SMB signing attack – worked!
Chucky wins!
What else could we do to catch him?
One more thing: stop Chucky with WEFFLES!
Not this!
WEFFLES (Windows Event Logging Forensic Logging Enhancement Services)
Collecting logs with WEFFLES
Nica’s PC
Andy’s PC
File server
Database server
Email server
WEFFLES server
App server
WEFFLES
Event 1102:“Somebody cleared the security log!”
Event 4720:“New user accounts created”
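What the two WEFFLES alerts above look like as detection logic, together with the password-spray pattern from the “Abusing weak passwords” steps earlier in the deck, as an added example (not part of the deck or the WEFFLES project): Python run over a constructed batch of forwarded Security-log events. Event IDs 1102, 4720 and 4625 are the real Windows IDs; the account names, source addresses, the “CP-DC01” host and the five-users-in-ten-minutes threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log events as a WEFFLES collector might forward them.
# Event IDs are the real Windows ones: 4625 failed logon, 4720 user created, 1102 log cleared.
SAMPLE_EVENTS = [
    {"time": "2018-11-01T09:00:00", "id": 4625, "account": "andy", "source": "10.0.0.66"},
    {"time": "2018-11-01T09:00:02", "id": 4625, "account": "nica", "source": "10.0.0.66"},
    {"time": "2018-11-01T09:00:04", "id": 4625, "account": "tiffany", "source": "10.0.0.66"},
    {"time": "2018-11-01T09:00:06", "id": 4625, "account": "mike", "source": "10.0.0.66"},
    {"time": "2018-11-01T09:00:08", "id": 4625, "account": "kyle", "source": "10.0.0.66"},
    {"time": "2018-11-01T09:30:00", "id": 4625, "account": "andy", "source": "10.0.0.12"},
    {"time": "2018-11-01T10:15:00", "id": 4720, "account": "svc_chucky", "source": "CP-DC01"},
    {"time": "2018-11-01T10:16:00", "id": 1102, "account": "svc_chucky", "source": "CP-DC01"},
]

def detect(events, spray_users=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, source, detail) tuples.

    1102 and 4720 alert on sight, as on the WEFFLES slides. 4625 is aggregated per
    source: one password tried against many accounts (the "Winter2017!" spray) shows
    up as failures for many distinct users from one source inside a short window,
    while an ordinary typo is one user from one source."""
    alerts = []
    recent = defaultdict(list)  # source -> [(time, account)] still inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 1102:
            alerts.append(("LOG_CLEARED", ev["source"], ev["account"]))
        elif ev["id"] == 4720:
            alerts.append(("USER_CREATED", ev["source"], ev["account"]))
        elif ev["id"] == 4625:
            bucket = recent[ev["source"]]
            bucket.append((when, ev["account"]))
            # Slide the window: drop failures older than `window` relative to this one.
            bucket[:] = [(t, a) for t, a in bucket if when - t <= window]
            distinct = sorted({a for _, a in bucket})
            if len(distinct) >= spray_users:
                alerts.append(("PASSWORD_SPRAY", ev["source"], distinct))
                bucket.clear()  # reset so one spray yields one alert, not one per event
    return alerts
```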
Recap
• Use good passwords – on domain and local accounts
• CredDefense / PwnedPasswords / LAPS can help!
• Respond to “Responder” attacks
• Turn on SMB signing
• Not collecting logs? Start free w/WEFFLES!
• Scan and patch all your network things!
Identify, Classify and Secure Sensitive Data
NETWRIX AUDITOR
About Netwrix Auditor
A visibility platform for user behavior analysis and risk mitigation
that enables control over changes, configurations and access in hybrid IT environments.
It provides security intelligence to identify security holes, detect anomalies in user behavior
and investigate threat patterns in time to prevent real damage.
Netwrix Auditor
Netwrix Auditor Unified Platform
Netwrix Auditor for Office 365
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Windows Server
Netwrix Auditor for VMware
Netwrix Auditor for Exchange
Netwrix Auditor for SQL Server
Netwrix Auditor for SharePoint
Netwrix Auditor for NetApp
Netwrix Auditor for EMC
Netwrix Auditor Platform
Netwrix Auditor for Azure AD
Netwrix Auditor for Network Devices
Netwrix Auditor for Active Directory
Netwrix Auditor for Oracle Database
INTRODUCING NETWRIX AUDITOR 9.7
Detect and Block Attacks on Your Network Devices
Thursday, November 8 | @ 11AM PT / 2 PM ET
PRODUCT DEMONSTRATION
Next Steps
Free trial: Set up Netwrix Auditor in your own test environment netwrix.com/auditor9.7
Virtual appliance: Get Netwrix Auditor up and running in minutes netwrix.com/go/appliance
In-browser demo: Run a demo right in your browser with no need to install anything netwrix.com/go/browser_demo
Upcoming and on-demand webinars : Join upcoming webinars or watch recorded ones
netwrix.com/webinars
netwrix.com/webinars#featured
Questions?
Thank you!
@7MinSec
www.7MinSec.com
www.7ms.us
(podcast)
www.netwrix.com