
Learning to Live with an Advanced Persistent Threat

Learning to Live with an Advanced Persistent Threat. EDUCAUSE 2013 October 17th, 2013 John Denune IT Security Director jdenune@ucsd.edu. ACT Infrastructure services. Database Administration. E-mail. Active Directory. Data Center. Security. Telecom. Networking. ID Management.


Presentation Transcript


  1. Learning to Live with an Advanced Persistent Threat EDUCAUSE 2013 October 17th, 2013 John Denune IT Security Director jdenune@ucsd.edu

  2. ACT Infrastructure services Database Administration E-mail Active Directory Data Center Security Telecom Networking ID Management UNIX and Windows Support

  3. What is an APT? It’s not Opportunistic

  4. Varied Attacks: Espionage, Technical, Targeted, APT, Patient, Corporate, State-Sponsored, Skilled, Theft, Hacktivism, Physical threats, Social Engineering

  5. APT Lifecycle (diagram; only the final stage label, "Complete Mission", survived extraction)

  6. Initial Detection June 2012

  7. Lesson #1 Pay attention to anti-virus alerts

  8. Lesson #2 Don’t (completely) rely on your anti-virus product

  9. Lesson #3 Where possible, track IPs instead of blocking them

  10. Initial Recon: February 2012. Initial Compromise: April 2012

  11. Gh0st RAT

  12. Lesson #4 Make your local FBI agent your new best friend

  13. Lesson #5 Have a secure communications plan in place

  14. Lesson #6 Log everything, especially authentication, netflow and DNS

  15. Dynamic DNS Beaconing
      $ nslookup host.somehackedsite.com
      ** server can't find host.somehackedsite.com: NXDOMAIN
      $ nslookup host.somehackedsite.com
      host.somehackedsite.com has address 10.2.3.4

  16. Attack timing All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific
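Slide 15 shows the signature of a dynamic-DNS beacon: the same name returns NXDOMAIN while the attacker is idle and resolves to an address while they are working, and slide 16 shows why the timing of those resolutions is worth keeping. The following script is an added example, not the presenter's code or tooling: it reads a constructed resolver log (the name and 10.2.3.4 are taken from the slide, every other line, address and client IP is made up, and the log format is an assumption, so a real BIND or Windows DNS log needs its own parser), flags names whose state flips between NXDOMAIN and NOERROR, and reports the hours and weekdays at which each flagged name was live. Timestamps are taken as logged (local time, Pacific in the talk).

```python
"""Flag names that alternate between NXDOMAIN and resolving (the dynamic-DNS beacon
pattern on slide 15) and profile when they resolve (slide 16). Constructed example."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed resolver log, one response per line:
#   <ISO timestamp> <client> <qname> <rcode> <answer or ->
# Only the beacon name and 10.2.3.4 come from the slide; the rest is made up.
SAMPLE_LOG = """\
2012-06-10T09:12:01 172.16.5.20 host.somehackedsite.com NXDOMAIN -
2012-06-10T12:12:03 172.16.5.20 host.somehackedsite.com NXDOMAIN -
2012-06-10T18:05:10 172.16.5.20 host.somehackedsite.com NOERROR 10.2.3.4
2012-06-10T23:40:44 172.16.5.20 host.somehackedsite.com NOERROR 10.2.3.4
2012-06-11T03:20:00 172.16.5.20 host.somehackedsite.com NXDOMAIN -
2012-06-11T18:30:12 172.16.5.20 host.somehackedsite.com NOERROR 10.2.3.5
2012-06-10T10:00:00 172.16.5.21 www.example.com NOERROR 192.0.2.10
2012-06-10T18:00:00 172.16.5.21 www.exmaple.com NXDOMAIN -
2012-06-10T18:01:00 172.16.5.21 www.exmaple.com NXDOMAIN -
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, str, str]]:
    """Parse the constructed format above into (time, client, qname, rcode, answer),
    sorted by time so state transitions are counted in the order they happened."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, rcode, answer = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode, answer))
    rows.sort(key=lambda r: r[0])
    return rows


def find_beacon_candidates(text: str, min_flips: int = 2) -> dict[str, dict]:
    """Return names whose resolution state changed NXDOMAIN<->NOERROR at least min_flips
    times. A typo or dead host stays NXDOMAIN, a normal host stays NOERROR; a name that
    is switched on and off at a dynamic-DNS provider flips back and forth."""
    by_name: dict[str, list] = defaultdict(list)
    for row in parse_log(text):
        by_name[row[2]].append(row)
    out: dict[str, dict] = {}
    for qname, rows in by_name.items():
        states = [r[3] == "NOERROR" for r in rows]
        flips = sum(1 for prev, cur in zip(states, states[1:]) if prev != cur)
        if flips < min_flips:
            continue
        live = [r for r in rows if r[3] == "NOERROR"]
        out[qname] = {
            "flips": flips,
            "clients": sorted({r[1] for r in rows}),          # who to image / watch
            "addresses": sorted({r[4] for r in live}),        # what to track (lesson #3)
            "live_hours": sorted({r[0].hour for r in live}),  # attacker working hours
            "live_weekdays": sorted({r[0].strftime("%a") for r in live}),
        }
    return out


if __name__ == "__main__":
    for name, info in find_beacon_candidates(SAMPLE_LOG).items():
        print(name, info)
```

With a full day of resolver logs the same logic runs per client as well as per name; a name that only ever resolves for one or two hosts, at the same hours each night, is the case to pull netflow for.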

  17. Attack Path

  18. Malware Observations
      • You don’t need to crack passwords when you can just pass a hash
      • You don’t need to rely on a lot of malware when you’ve already got a long list of credentials

  19. NTLM Authentication
      1. User provides username and password. Client computes the hash, stores it in memory and throws away the plaintext password.
      2. Client sends username to server.
      3. Server sends a challenge to the client.
      4. Client encrypts the challenge with the user hash and sends it back to the server.
      5. Server sends the username, challenge and encrypted response to the DC.
      6. DC retrieves the user hash, encrypts the challenge and compares it to the client's encrypted response. If they match, authentication is successful.

  20. Administrator Hash So, let’s say the domain administrator RDPs to the client… Domain Admin NTLM hash now stored in client memory.

  21. Pass the Hash Attacker compromises client… Steals hashes from memory… Accesses both server and domain controller… GAME OVER

  22. Mitigations
      • Change passwords multiple times per day
      • Fast track two-factor authentication
      • Compartmentalized passwords
      • Separate user and admin credentials
      • Minimize lateral trust
      • Scan entire domain for scheduled tasks
      • Rebuild Domain Controllers

  23. Emergency Action September 2012

  24. Lesson #7 Reconsider traditional password best practices

  25. Lesson #8 Effectively and securely communicating a password change is hard

  26. We are not alone

  27. Reengagement July 2013

  28. ACT

  29. Parting Thoughts
      • Detection can be subtle and an art
      • Have a good AD Team
      • Logging visibility is essential
      • Regular password changes are a MUST
      • Be prepared to re-image any system
      • Firewalls to prevent lateral movement
      • Separation of user and admin credentials
      • Require two-factor for OU Admins

  30. A New Hope (Windows 8.1 / Server 2012 R2)
      • Strengthened LSASS to prevent hash dumps
      • Many processes no longer store credentials in memory
      • Better ways to restrict local account use over the network
      • RDP use without putting the credentials on the remote computer
      • Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks

  31. Further Reading
      • Know Your Digital Enemy: Anatomy of a Gh0st RAT. http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
      • Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques. http://www.microsoft.com/en-us/download/details.aspx?id=36036
      • APT1: Exposing One of China's Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

  32. “If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War
