Learning to Live with an Advanced Persistent Threat
Transcript of Learning to Live with an Advanced Persistent Threat
Page 1
Learning to Live with an Advanced Persistent Threat
EDUCAUSE 2013, October 17th, 2013
John Denune, IT Security
Page 2
ACT Infrastructure Services
Active Directory
Networking
ID Management
Security
Telecom
Data Center
Database Administration
UNIX and Windows Support
Page 3
What is an APT?
It’s not Opportunistic
Page 4
APT
Targeted
Patient
Skilled
Technical
Social Engineering
Varied Attacks
Physical threats
Espionage
Corporate
State-Sponsored
Theft
Hacktivism
Page 5
APT Lifecycle
External Recon
Initial Compromise
Establish Foothold
Escalate Privileges
Internal Recon
Expand
Complete Mission
Page 6
Initial Detection: June 2012
Page 7
Lesson #1
Pay attention to anti-virus alerts
Page 8
Lesson #2
Don’t (completely) rely on your anti-virus product
Page 9
Lesson #3
Where possible, track IPs instead of blocking them
Page 10
Initial Recon: February 2012
Initial Compromise: April 2012
Page 11
Gh0st RAT
Page 12
Lesson #4
Make your local FBI agent your new best friend
Page 13
Lesson #5
Have a secure communications plan in place
Page 14
Lesson #6
Log everything, especially authentication, NetFlow and DNS
Page 15
Dynamic DNS Beaconing
$ nslookup host.somehackedsite.com
** server can't find host.somehackedsite.com: NXDOMAIN
$ nslookup host.somehackedsite.com
host.somehackedsite.com has address 10.2.3.4
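The pattern on this slide, a name that answers NXDOMAIN until the operator points its dynamic-DNS record at a live C2 host, can be picked out of resolver logs. The Python below is an added example and not part of the talk: it runs over constructed resolver log lines (timestamp, client, query name, rcode, answer; the hostname and 10.2.3.4 are borrowed from the slide) and flags client/name pairs that are queried on a near-constant interval and whose answer flips between NXDOMAIN and NOERROR. The thresholds min_queries and max_cv are assumptions to tune per site.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (not from the talk): "timestamp client qname rcode answer".
# 10.1.5.22 beacons every 30 minutes; the name only resolves while the C2 is up.
SAMPLE_LOG = """\
2012-06-10T18:00:02 10.1.5.22 host.somehackedsite.com NXDOMAIN -
2012-06-10T18:30:01 10.1.5.22 host.somehackedsite.com NXDOMAIN -
2012-06-10T19:00:03 10.1.5.22 host.somehackedsite.com NXDOMAIN -
2012-06-10T19:30:02 10.1.5.22 host.somehackedsite.com NOERROR 10.2.3.4
2012-06-10T20:00:01 10.1.5.22 host.somehackedsite.com NOERROR 10.2.3.4
2012-06-10T20:30:02 10.1.5.22 host.somehackedsite.com NXDOMAIN -
2012-06-10T18:05:11 10.1.5.40 www.example.edu NOERROR 192.0.2.10
2012-06-10T18:07:45 10.1.5.40 www.example.edu NOERROR 192.0.2.10
2012-06-10T19:12:09 10.1.5.40 typo.example.edu NXDOMAIN -
"""


def parse_log(text):
    """Yield (timestamp, client, qname, rcode, answer) from the log format above."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, rcode, answer = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode, answer


def find_beacons(text, min_queries=4, max_cv=0.2):
    """Return client/name pairs that look like dynamic-DNS beacons: queried on a
    regular cadence (coefficient of variation of the gaps <= max_cv) AND with an
    answer that flips between NXDOMAIN and NOERROR over the observed window."""
    series = defaultdict(list)
    for ts, client, qname, rcode, _answer in parse_log(text):
        series[(client, qname)].append((ts, rcode))
    hits = []
    for (client, qname), events in series.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap          # 0.0 means perfectly periodic
        rcodes = {rc for _, rc in events}
        flips = "NXDOMAIN" in rcodes and "NOERROR" in rcodes
        if cv <= max_cv and flips:
            hits.append({"client": client, "qname": qname, "queries": len(events),
                         "interval_s": round(mean_gap), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Requiring both the steady interval and the NXDOMAIN/NOERROR flip keeps ordinary hosts (which resolve every time) and one-off typos (which never resolve) out of the result; dropping the flip test turns this into a generic periodic-query finder.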
Page 16
Attack timing
All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific
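Lesson #6's authentication logs plus the timing window on this slide give a simple hunt. The Python below is an added example, not from the talk: it reads constructed logon records (timestamp already in Pacific local time, account, Windows logon type, target host, source IP), keeps network (type 3) and RDP (type 10) logons by accounts in an assumed privileged list that fall inside the Sunday to Thursday 6pm to 3am window, and reports any account/source pair that reached three or more distinct hosts there, the fan-out a pass-the-hash sweep leaves behind. Account names, hosts and the min_hosts threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon records (not from the talk), timestamps in Pacific local time:
# "timestamp account logon_type target_host source_ip"
SAMPLE_LOGONS = """\
2012-06-10T22:14:03 CORP\\da-jsmith 3 FILESRV01 10.1.5.22
2012-06-10T22:15:41 CORP\\da-jsmith 3 DC01 10.1.5.22
2012-06-10T22:17:09 CORP\\da-jsmith 10 SQL02 10.1.5.22
2012-06-10T23:02:55 CORP\\da-jsmith 3 HR-WS17 10.1.5.22
2012-06-11T09:30:00 CORP\\da-jsmith 3 FILESRV01 10.1.9.8
2012-06-11T09:31:10 CORP\\da-jsmith 10 DC01 10.1.9.8
2012-06-12T20:05:12 CORP\\mlee 2 LAB-WS03 10.1.7.4
"""

LATERAL_LOGON_TYPES = {3, 10}   # 3 = network (SMB/WMI/PsExec-style), 10 = RemoteInteractive (RDP)


def in_attack_window(ts) -> bool:
    """Sunday-Thursday, 6pm-3am local, as observed in the talk: each night runs from
    18:00 to 03:00 the next morning, so Sunday 18:00 through Friday 03:00.
    Accepts a datetime or an ISO-8601 string."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    wd = ts.weekday()                                   # Monday=0 ... Sunday=6
    evening = wd in (6, 0, 1, 2, 3) and ts.hour >= 18   # Sun..Thu evenings
    small_hours = wd in (0, 1, 2, 3, 4) and ts.hour < 3 # Mon..Fri early mornings
    return evening or small_hours


def parse_logons(text: str):
    """Yield (timestamp, account, logon_type, target_host, source_ip)."""
    for line in text.splitlines():
        if line.strip():
            ts, account, ltype, host, src = line.split()
            yield datetime.fromisoformat(ts), account, int(ltype), host, src


def find_offhours_fanout(text: str, privileged: set, min_hosts: int = 3):
    """Privileged accounts that logged on over the network to >= min_hosts distinct
    hosts from one source inside the attack window."""
    targets = defaultdict(set)
    for ts, account, ltype, host, src in parse_logons(text):
        if account in privileged and ltype in LATERAL_LOGON_TYPES and in_attack_window(ts):
            targets[(account, src)].add(host)
    return [{"account": acct, "source_ip": src, "hosts": sorted(hosts)}
            for (acct, src), hosts in sorted(targets.items()) if len(hosts) >= min_hosts]


if __name__ == "__main__":
    for hit in find_offhours_fanout(SAMPLE_LOGONS, privileged={"CORP\\da-jsmith"}):
        print(hit)
```

The same admin touching the same servers at 09:30 on Monday from a different source is left alone; the signal is the combination of privileged account, network-style logon, off-hours window and breadth of targets.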
Page 17
Attack Path
Page 18
Malware Observations
You don’t need to rely on a lot of malware when you’ve already got a long list of credentials
You don’t need to crack passwords when you can just pass a hash
Page 19
NTLM Authentication
User provides username and password. Client computes hash, stores it in memory and throws away the plaintext password.
Client sends username to server.
Server sends a challenge to the client.
Client encrypts the challenge with the user hash and sends it back to the server.
Server sends the username, challenge and encrypted response to the DC.
DC retrieves user hash, encrypts the challenge and compares to the client encrypted response. If they match, authentication is successful.
Page 20
Administrator Hash
So, let’s say the domain administrator RDP’s to the client…
Domain Admin NTLM hash now stored in client memory.
Page 21
Pass the Hash
Attacker compromises client…
Steals hashes from memory…
Accesses both server and domain controller
GAME OVER
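To make the NTLM slide and the pass-the-hash slide concrete, the Python below is an added example, not code from the talk or from Microsoft. It builds the NT hash (MD4 over the UTF-16LE password; MD4 is implemented inline because hashlib often lacks it under OpenSSL 3), computes an NTLMv2 challenge response as laid out in MS-NLMP, and shows that the same response comes out whether the caller holds the password or only the stolen hash, so the DC's comparison passes either way. The user name, domain, challenges, timestamp and target info are constructed constants; a real client draws the client challenge and timestamp fresh for every authentication.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hashes are MD4 and hashlib.new('md4') is
    frequently unavailable under OpenSSL 3, so the example carries its own."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)              # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                              # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                              # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                              # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. This is what LSASS keeps in memory."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes,
                 client_challenge: bytes, timestamp: int, target_info: bytes):
    """NTLMv2 response (MS-NLMP 3.3.2). The input is the NT hash, never the
    password: whoever holds the hash can produce a valid proof."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(response_key, server_challenge + temp, hashlib.md5).digest()
    return proof, temp


def client_response(password: str, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes):
    """What a legitimate client does: derive the hash, discard the password, answer."""
    return ntlmv2_proof(nt_hash(password), user, domain, server_challenge,
                        client_challenge, timestamp, target_info)


def dc_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
              proof: bytes, temp: bytes) -> bool:
    """DC side: recompute the proof from the stored NT hash and compare. The DC
    cannot tell whether the client knew the password or only the hash."""
    response_key = hmac.new(stored_nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    expected = hmac.new(response_key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, proof)


# Constructed values for the walkthrough (real clients draw challenge and timestamp fresh).
USER, DOMAIN = "da-jsmith", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")
TIMESTAMP = 0x01CD4D3A6F2B0000          # FILETIME-style 64-bit timestamp (constructed)
TARGET_INFO = b"\x00\x00\x00\x00"        # minimal AV_PAIR list: just the MsvAvEOL terminator


def demo() -> bool:
    """True when the hash-only attacker's proof is accepted by the DC."""
    stored = nt_hash("Winter2012!")                      # what AD stores for the admin
    legit, temp = client_response("Winter2012!", USER, DOMAIN, SERVER_CHALLENGE,
                                  CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    stolen = nt_hash("Winter2012!")                      # dumped from LSASS on a compromised client
    pth, _ = ntlmv2_proof(stolen, USER, DOMAIN, SERVER_CHALLENGE,
                          CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return legit == pth and dc_verify(stored, USER, DOMAIN, SERVER_CHALLENGE, pth, temp)


if __name__ == "__main__":
    print("pass-the-hash accepted:", demo())
```

The hash is a password-equivalent for as long as it stays valid, which is why the mitigations that follow lean on rotation, credential separation and keeping admin hashes off workstations rather than on password complexity.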
Page 22
Mitigations
• Change passwords multiple times per day
• Fast track two factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan entire domain for scheduled tasks
• Rebuild Domain Controllers
Page 23
Emergency Action: September 2012
Page 24
Lesson #7
Reconsider traditional password best practices
Page 25
Lesson #8
Effectively and securely communicating a password change is hard
Page 26
We are not alone
Page 27
Reengagement: July 2013
Page 28
ACT
Page 29
Parting Thoughts
• Detection can be subtle and an art
• Have a good AD Team
• Logging visibility is essential
• Regular password changes are a MUST
• Be prepared to re-image any system
• Firewalls to prevent lateral movement
• Separation of user and admin credentials
• Require two-factor for OU Admins
Page 30
A New Hope
• Strengthened LSASS to prevent hash dumps
• Many processes no longer store credentials in memory
• Better ways to restrict local account use over the network
• RDP use without putting the credentials on the remote computer
• Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Page 31
Further Reading
Know Your Digital Enemy – Anatomy of a Gh0st RAT
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036
APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Page 32
“If ignorant both of your enemy and yourself, you are certain to be in peril.”― Sun Tzu, The Art of War