320 likes | 430 Views
Learning to Live with an Advanced Persistent Threat. EDUCAUSE 2013 October 17th, 2013 John Denune IT Security Director jdenune@ucsd.edu. ACT Infrastructure services. Database Administration. E-mail. Active Directory. Data Center. Security. Telecom. Networking. ID Management.
E N D
Learning to Live with an Advanced Persistent Threat EDUCAUSE 2013 October 17th, 2013 John Denune IT Security Director jdenune@ucsd.edu
ACT Infrastructure services Database Administration E-mail Active Directory Data Center Security Telecom Networking ID Management UNIX and Windows Support
What is an APT? It’s not Opportunistic
Varied Attacks Espionage Technical Targeted APT Patient Corporate State-Sponsored Skilled Theft Hacktivism Physical threats Social Engineering
APT Lifecycle Complete Mission
Initial Detection June 2012
Lesson #1 Pay attention to anti-virus alerts
Lesson #2 Don’t (completely) rely on your anti-virus product
Lesson #3 Where possible, track IP’s instead of blocking them
Initial Recon February 2012 Initial Compromise April 2012
Lesson #4 Make your local FBI agent your new best friend
Lesson #5 Have a secure communications plan in place
Lesson #6 Log everything, especially authentication, netflow and DNS
Dynamic DNS Beaconing $ nslookuphost.somehackedsite.com ** server can't find host.somehackedsite.com: NXDOMAIN $ nslookup host.somehackedsite.com host.somehackedsite.com has address 10.2.3.4
Attack timing All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific
Malware Observations • You don’t need to crack passwords when you can just pass a hash You don’t need to rely on a lot of malware when you’ve already got a long list of credentials
NTLM Authentication DC retrieves user hash, encrypts the challenge and compares to the client encrypted response. If they match, authentication is successful. Server sends the username, challenge and encrypted response to the DC. Client encrypts the challenge with the user hash and sends it back to the server. User provides username and password. Client computes hash, stores it in memory and throws away the plaintext password. Server sends a challenge to the client. Client sends username to server.
Administrator Hash So, let’s say the domain administrator RDP’s to the client… Domain Admin NTLM hash now stored in client memory.
Pass the Hash Attacker compromises client… Steals hashes from memory… GAME OVER Accesses both server and domain controller
Mitigations Change passwords multiple times per day Fast track two factor authentication Compartmentalized passwords Separate user and admin credentials Minimize lateral trust Scan entire domain for scheduled tasks Rebuild Domain Controlers
Emergency Action September 2012
Lesson #7 Reconsider traditional password best practices
Lesson #8 Effectively and securely communicating a password change is hard
Reengagement July 2013
Parting Thoughts Detection can be subtle and an art Have a good AD Team Logging visibility is essential Regular password changes are a MUST Be prepared to re-image any system Firewalls to prevent lateral movement Separation of user and admin credentials Require two-factor for OU Admins
A New Hope Strengthened LSASS to prevent hash dumps Many processes no longer store credentials in memory Better ways to restrict local account use over the network RDP use without putting the credentials on the remote computer Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Further Reading Know Your Digital Enemy – Anatomy of a Gh0st RAT http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques http://www.microsoft.com/en-us/download/details.aspx?id=36036 APT1: Exposing One of China's Cyber Espionage Units http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
“If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War