1 / 34

Learning to Live with an Advanced Persistent Threat

Learning to Live with an Advanced Persistent Threat. John Denune IT Security Director University of California, San Diego jdenune@ucsd.edu. ACT Infrastructure services. Database Administration. E-mail. Active Directory. Data Center. Security. Telecom. Networking. ID Management.

leal
Download Presentation

Learning to Live with an Advanced Persistent Threat

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Learning to Live with an Advanced Persistent Threat John Denune IT Security Director University of California, San Diego jdenune@ucsd.edu

  2. ACT Infrastructure services Database Administration E-mail Active Directory Data Center Security Telecom Networking ID Management UNIX and Windows Support

  3. ACT Security Policy and Compliance SSL Certs 9 Staff Firewall Anti-virus and FDE Forensics VPN Patch Management Incident Response Vulnerability Assessment Intrusion Detection

  4. What is an APT? It’s not Opportunistic

  5. Varied Attacks Espionage Technical Targeted APT Patient Corporate State-Sponsored Skilled Theft Hacktivism Physical threats Social Engineering

  6. APT Lifecycle Complete Mission

  7. Initial Detection June 2012

  8. Lesson #1 Pay attention to anti-virus alerts

  9. Lesson #2 Don’t (completely) rely on your anti-virus product

  10. Lesson #3 Where possible, track IP’s instead of blocking them

  11. Initial Recon February 2012 Initial Compromise April 2012

  12. Gh0st RAT

  13. Lesson #4 Make your local FBI agent your new best friend

  14. Lesson #5 Have a secure communications plan in place

  15. Lesson #6 Log everything, especially authentication, netflow and DNS

  16. Attack timing All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific

  17. Attack Path

  18. Malware Observations • You don’t need to crack passwords when you can just pass a hash You don’t need to rely on a lot of malware when you’ve already got a long list of credentials

  19. Interactive Authentication Client computes LM and NTLM hash and stores them in memory. Plaintext password is reversibly encrypted and stored in memory. Password hash is salted with username and stored in registry.

  20. Administrator Hash So, let’s say the domain administrator RDP’s to the client… Domain Admin NTLM hash now stored in client memory.

  21. Pass the Hash Attacker compromises client… Steals hashes from memory… GAME OVER Accesses both server and domain controller

  22. Mitigations Change passwords multiple times per day Fast track two factor authentication Compartmentalized passwords Separate user and admin credentials Minimize lateral trust Scan entire domain for scheduled tasks Rebuild Domain Controlers

  23. Lesson #7 Reconsider traditional password best practices

  24. Good passwords? *tecno9654postgres A Matt Hale Tribute CD would be cool.. Access-Control-Allow-Origin Abundance4me2day Bulletformyvalentine123 Elementarymydearwatson Putin is nothing but commie scum. Video killed the radio star? antcolonyoptimization

  25. Emergency Action September 2012

  26. Lesson #8 Effectively and securely communicating a password change is hard

  27. We are not alone

  28. Reengagement July 2013

  29. ACT

  30. Parting Thoughts Detection can be subtle and an art Have a good AD Team Logging visibility is essential Regular password changes are a MUST Be prepared to re-image any system Firewalls to prevent lateral movement Separation of user and admin credentials Require two-factor for OU Admins

  31. A New Hope

  32. A New Hope Strengthened LSASS to prevent credential dumps Many processes no longer store credentials in memory Better ways to restrict local account use over the network RDP use without putting the credentials on the remote computer Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks

  33. Further Reading Know Your Digital Enemy – Anatomy of a Gh0st RAT http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques http://www.microsoft.com/en-us/download/details.aspx?id=36036 APT1: Exposing One of China's Cyber Espionage Units http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

  34. “If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War

More Related