The Non-Advanced Persistent Threat

Transcript
Page 1: The Non-Advanced Persistent Threat

© 2014 Imperva, Inc. All rights reserved.

The Non-Advanced Persistent Threat

Confidential 1

September 17, 2014

Page 2: The Non-Advanced Persistent Threat


Agenda


§  APT
   •  Scenario
   •  Infamous APTs
§  Non-APTs
   •  The non-APT
   •  NTLM weaknesses
   •  Demo - Poisoning the Well (File Share)
   •  More attack scenarios
§  Waiting for good things to come
§  Privilege escalation
   •  Demo – SharePoint Poisoning
§  Leftovers
§  Conclusion

Page 3: The Non-Advanced Persistent Threat


Advanced Persistent Threats


What Comes to Mind

Page 4: The Non-Advanced Persistent Threat


What Is APT?


Data Center: File Share / Database

Attack stages: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate

Page 5: The Non-Advanced Persistent Threat


A Few Infamous APTs: From Governments to the People


§  CHS
   •  Stolen records: ~4,500,000
   •  Period: ~3 months
   •  Initial compromise: Heartbleed
§  eBay
   •  Stolen records: ~145,000,000
   •  Period: ~2 months
   •  Initial compromise: stolen credentials (phishing / reuse)
§  Target
   •  Stolen records: ~70,000,000
   •  Period: ~3 weeks
   •  Initial compromise: credentials from a partner (HVAC vendor)

Page 6: The Non-Advanced Persistent Threat


Non-Advanced Persistent Threats


Page 7: The Non-Advanced Persistent Threat


The Non-Advanced Persistent Threat


§  What is APT?
   •  Advanced
   •  Persistent
   •  Threat
§  Show an equivalent scenario
   •  Not advanced
   •  Not persistent (or at least not extremely)
   •  Still a threat

Page 8: The Non-Advanced Persistent Threat


Windows NT LAN Manager (NTLM)

§  Authentication protocol designed by Microsoft
§  Messages (challenge-response): Negotiate → Challenge → Response
§  Gives the user the Single Sign On experience
   •  Client stores the LM / NT hash (used for authentication)
§  Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…
§  Microsoft says:
   •  “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”
   •  “Applications are generally advised not to use NTLM”

Page 9: The Non-Advanced Persistent Threat


NTLM Vulnerabilities


§  Pass the Hash (as used by APT1)
   •  Because the response is calculated from the LM / NT hash, possession of the hash is equivalent to possession of the plaintext password
§  Weak response calculations
   •  In early versions (LM / NTLMv1), an attacker who has the challenge and the response can calculate the LM / NT hash (e.g. CloudCracker)
   •  Hashes are easily extracted from a compromised host with public tools: Windows Credential Editor (WCE) / QuarksPwDump
§  Relay attack
   •  The response is not bound to the server the client believes it is talking to, so an attacker who receives a client's authentication can forward it to another service (unless signing or channel binding is enforced there)

Page 10: The Non-Advanced Persistent Threat


Demo - Poisoning the Well

Page 11: The Non-Advanced Persistent Threat


Demo - Poisoning the Well


Attack stages: Initial Compromise → Poison File Share / SharePoint → Gather Privileges (NTLM Relay) → Exfiltrate

Scenario: Alice and Bob at CatCorp Inc.

Page 12: The Non-Advanced Persistent Threat


Poisoning the Well


Diagram: compromised host and file share, attack steps 1, 2, 3.

Page 13: The Non-Advanced Persistent Threat


Waiting for Good Things to Come


Diagram: compromised host (steps 1, 2), firewall, agent; data center file share / database.

Page 14: The Non-Advanced Persistent Threat


Privilege Escalation


From the compromised host:
   •  SMB reflect
   •  SMB relay & authenticate
   •  Metasploit SMB capture
   •  SMB relay & crack

Page 15: The Non-Advanced Persistent Threat


Demo – SharePoint Poisoning

Page 16: The Non-Advanced Persistent Threat


Demo – SharePoint Poisoning


Scenario: Alice and Bob at CatCorp, Inc.

A relay easily skips between protocols: an authentication captured over HTTP (SharePoint) can be relayed to SMB / RDP / MSSQL, etc.

Page 17: The Non-Advanced Persistent Threat


Leftovers


What We Left Out and Why

Page 18: The Non-Advanced Persistent Threat


§  We didn’t talk about the “edges”
   •  Initial Compromise
      §  Done with simple methods (phishing, stealing, pay per infection)
      §  Security is not equal; attackers go for the weakest link. … recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”
   •  Exfiltration
      §  Copy stolen data from the asset
      §  Use any legitimate cloud service (Google Drive etc.)

Things We Left Out (diagram): Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate

Page 19: The Non-Advanced Persistent Threat


Conclusion


What Does It All Mean & How to Mitigate?

Page 20: The Non-Advanced Persistent Threat


Conclusion


§  APT is not the sole domain of governments or sophisticated criminal groups
   •  No need for zero-days
   •  Low technical skills suffice
§  NTLM is only a symptom
   •  Patching / upgrading does not always happen, especially when it is costly
   •  The SSO experience is convenient for attackers too: go from file share to DB, web server, Exchange, etc.
§  The least confidential locations could prove the most dangerous
   •  Not strictly monitored

Page 21: The Non-Advanced Persistent Threat


Mitigations


§  Upgrade
   •  A good idea, but not always feasible
   •  Kerberos also has its vulnerabilities (e.g. Pass the Ticket)
§  Monitor authentications to resources
   •  Same machine authenticates with several users
   •  Same user authenticates from several machines
§  Avoid services that log on to a large number of assets
   •  Service authentication can leave behind hashes or tickets, or be used in relay / MITM attacks
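The two monitoring rules above, run over sample logon events. This is an added example, not code from the Imperva deck or from any Imperva product. The input is a constructed, simplified rendering of Windows Security event 4624 (network logons, type 3) reduced to time, account, source host, target host and authentication package; the hostnames, addresses, times and thresholds are assumptions made for the demo.

```python
"""Spot NTLM relay / lateral-movement patterns in network logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a relay box at 10.0.0.99 logs on as three different users to
# three servers within minutes; each victim also appears from their own workstation.
SAMPLE_EVENTS = """\
2014-09-17T09:58:10 alice WS-ALICE  FILESRV NTLM
2014-09-17T09:59:42 bob   WS-BOB    FILESRV NTLM
2014-09-17T10:00:01 alice 10.0.0.99 FILESRV NTLM
2014-09-17T10:00:07 bob   10.0.0.99 SQL01   NTLM
2014-09-17T10:00:12 carol 10.0.0.99 SP01    NTLM
2014-09-17T10:03:30 alice 10.0.0.99 SQL01   NTLM
2014-09-17T10:10:00 dave  WS-DAVE   SP01    Kerberos
2014-09-17T14:00:00 alice WS-ALICE  SP01    Kerberos
"""


def parse_events(text: str) -> list:
    """One dict per line: time, user, source (workstation name or address), target, package."""
    fields = ("time", "user", "source", "target", "package")
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def _distinct_in_window(events, group_by, count, window, threshold):
    """Per group key, the largest set of distinct `count` values seen inside any
    sliding window of the given length; reported only where it reaches the threshold."""
    groups = defaultdict(list)
    for e in events:
        groups[e[group_by]].append(e)
    hits = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        for i, cur in enumerate(evs):
            recent = {e[count] for e in evs[:i + 1] if cur["time"] - e["time"] <= window}
            if len(recent) >= threshold and len(recent) > len(hits.get(key, ())):
                hits[key] = sorted(recent)
    return hits


def find_anomalies(text: str, window_minutes: int = 10, users_per_host: int = 3,
                   hosts_per_user: int = 2, ntlm_only: bool = True) -> dict:
    events = parse_events(text)
    if ntlm_only:  # a Kerberos logon cannot have come out of an NTLM relay
        events = [e for e in events if e["package"] == "NTLM"]
    window = timedelta(minutes=window_minutes)
    return {
        # "same machine authenticates with several users": the relay box itself
        "hosts_with_many_users": _distinct_in_window(events, "source", "user", window, users_per_host),
        # "same user authenticates from several machines": each relayed victim
        "users_from_many_hosts": _distinct_in_window(events, "user", "source", window, hosts_per_user),
    }


if __name__ == "__main__":
    for rule, hits in find_anomalies(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The point of the second rule is that a relayed logon carries the victim's account name but the attacker's source address, so each victim shows up twice in a short window: once from their real workstation and once from the relay box. The thresholds here are deliberately low for the toy data; on a real estate they need tuning per environment, and the source field should be taken from the event's Source Network Address rather than the client-supplied Workstation Name, which an attacker controls.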

Page 22: The Non-Advanced Persistent Threat


www.imperva.com
