Learning to Live with an Advanced Persistent Threat John Denune IT Security Director University of California, San Diego


2 Learning to Live with an Advanced Persistent Threat John Denune IT Security Director University of California, San Diego

3 ACT Infrastructure Services
- Active Directory
- Networking
- ID Management
- Security
- Telecom
- Data Center
- Database Administration
- UNIX and Windows Support

4 ACT Security (9 staff)
- Firewall
- Intrusion Detection
- Vulnerability Assessment
- Forensics
- Anti-virus and FDE
- Patch Management
- SSL Certs
- Incident Response
- Policy and Compliance
- VPN

5 What is an APT? It’s not Opportunistic

6 APT
- Targeted
- Patient
- Skilled
- Technical
- Social Engineering
- Varied Attacks
- Physical threats
- Espionage: Corporate, State-Sponsored
- Theft
- Hacktivism

7 APT Lifecycle: External Recon -> Initial Compromise -> Establish Foothold -> Escalate Privileges -> Internal Recon -> Expand -> Complete Mission

8 Initial Detection June 2012


13 Lesson #1 Pay attention to anti-virus alerts

14 Lesson #2 Don’t (completely) rely on your anti-virus product

15 Lesson #3 Where possible, track IPs instead of blocking them

16 Initial Recon: February 2012. Initial Compromise: April 2012.

17 Gh0st RAT

18 Lesson #4 Make your local FBI agent your new best friend

19 Lesson #5 Have a secure communications plan in place

20 Lesson #6 Log everything, especially authentication, netflow and DNS

21 Dynamic DNS Beaconing

$ nslookup host.somehackedsite.com
** server can't find host.somehackedsite.com: NXDOMAIN
$ nslookup host.somehackedsite.com
host.somehackedsite.com has address

22 Attack Timing: all attacks took place Sunday through Thursday, between 6pm and 3am Pacific.
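The two observations on these slides (a C2 name that answers NXDOMAIN until the operator points it at a live host, and activity clustered Sunday to Thursday, 6pm to 3am Pacific) are the kind of signal that falls out of the DNS logging Lesson #6 asks for. The following is an added example, not code from the presentation or from UC San Diego: it parses a constructed resolver log (the log format, client addresses and the returned addresses are assumptions), flags names that answered NXDOMAIN on some queries and carried an address on others, and counts how many of those queries landed in the reported attack window. Timestamps are assumed to already be in Pacific local time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS resolver log (not from the presentation). Fields:
# date, time (assumed to be Pacific local time), client IP, queried name, and
# either NXDOMAIN or the returned address. Addresses are documentation ranges.
SAMPLE_DNS_LOG = """\
2012-06-03 19:02:11 10.1.4.22 host.somehackedsite.com NXDOMAIN
2012-06-03 20:02:14 10.1.4.22 host.somehackedsite.com NXDOMAIN
2012-06-03 21:02:09 10.1.4.22 host.somehackedsite.com 203.0.113.45
2012-06-04 09:15:30 10.1.7.8 www.example.com 198.51.100.10
2012-06-08 22:10:00 10.1.4.22 host.somehackedsite.com NXDOMAIN
2012-06-09 14:00:00 10.1.9.3 updates.example.net NXDOMAIN
"""

# Sunday through Thursday; datetime.weekday() numbers Monday=0 .. Sunday=6.
ATTACK_DAYS = {6, 0, 1, 2, 3}


def in_attack_window(ts: datetime) -> bool:
    """True when ts falls in the 6pm-3am, Sunday-to-Thursday window reported on
    the slide. An hour before 3am belongs to the previous evening's window."""
    if ts.hour >= 18:
        return ts.weekday() in ATTACK_DAYS
    if ts.hour < 3:
        return (ts - timedelta(days=1)).weekday() in ATTACK_DAYS
    return False


def parse_dns_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    date, time, client, qname, result = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "result": result,
    }


def summarize(log_text: str) -> dict:
    """Per-name counters: NXDOMAIN answers, distinct addresses seen, querying
    clients, and how many queries landed inside the attack window."""
    stats = defaultdict(lambda: {"nxdomain": 0, "addresses": set(),
                                 "clients": set(), "in_window": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_dns_line(raw)
        s = stats[rec["qname"]]
        if rec["result"] == "NXDOMAIN":
            s["nxdomain"] += 1
        else:
            s["addresses"].add(rec["result"])
        s["clients"].add(rec["client"])
        if in_attack_window(rec["ts"]):
            s["in_window"] += 1
    return stats


def beacon_candidates(log_text: str) -> list:
    """Names that answered NXDOMAIN on some queries and carried an address on
    others: the parked-then-live flip the slide's nslookup output shows."""
    stats = summarize(log_text)
    return sorted(n for n, s in stats.items() if s["nxdomain"] and s["addresses"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_DNS_LOG)
    for name in beacon_candidates(SAMPLE_DNS_LOG):
        s = stats[name]
        print(f"{name}: NXDOMAIN x{s['nxdomain']}, then {sorted(s['addresses'])}, "
              f"{s['in_window']} queries in the Sun-Thu 6pm-3am window, "
              f"clients {sorted(s['clients'])}")
```

A hostname that a workstation keeps asking for while it does not exist, and that suddenly resolves in the evening, is worth a look regardless of the name; the clients set tells you which hosts to pull for forensics.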

23 Attack Path

24 Malware Observations
- You don't need to rely on a lot of malware when you've already got a long list of credentials.
- You don't need to crack passwords when you can just pass a hash.

25 NTLM Authentication
1. User provides username and password.
2. Client computes hash, stores it in memory and throws away the plaintext password.
3. Client sends username to server.
4. Server sends a challenge to the client.
5. Client encrypts the challenge with the user hash and sends it back to the server.
6. Server sends the username, challenge and encrypted response to the DC.
7. DC retrieves user hash, encrypts the challenge and compares to the client encrypted response.
8. If they match, authentication is successful.

26 Interactive Authentication
- Client computes LM and NTLM hash and stores them in memory.
- Plaintext password is reversibly encrypted and stored in memory.
- Password hash is salted with username and stored in registry.

32 Administrator Hash: So, let's say the domain administrator RDPs to the client... The Domain Admin NTLM hash is now stored in client memory.

33 Pass the Hash
- Attacker compromises client...
- Steals hashes from memory...
- Accesses both server and domain controller

35 Mitigations
- Change passwords multiple times per day
- Fast track two-factor authentication
- Compartmentalized passwords
- Separate user and admin credentials
- Minimize lateral trust
- Scan entire domain for scheduled tasks
- Rebuild Domain Controllers

36 Lesson #7 Reconsider traditional password best practices

37 Good passwords?
- *tecno9654postgres
- A Matt Hale Tribute CD would be cool..
- Access-Control-Allow-Origin
- Abundance4me2day
- Bulletformyvalentine123
- Elementarymydearwatson
- Putin is nothing but commie scum.
- Video killed the radio star?
- antcolonyoptimization

38 Emergency Action September 2012

39 Lesson #8 Effectively and securely communicating a password change is hard

40 We are not alone

41 Reengagement July 2013

43 Parting Thoughts
- Detection can be subtle and an art
- Have a good AD team
- Logging visibility is essential
- Regular password changes are a MUST
- Be prepared to re-image any system
- Firewalls to prevent lateral movement
- Separation of user and admin credentials
- Require two-factor for OU Admins

44 A New Hope

45
- Strengthened LSASS to prevent credential dumps
- Many processes no longer store credentials in memory
- Better ways to restrict local account use over the network
- RDP use without putting the credentials on the remote computer
- Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks

46 Further Reading
- Know Your Digital Enemy – Anatomy of a Gh0st RAT (know-your-digital-enemy.pdf)
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
- APT1: Exposing One of China's Cyber Espionage Units

47 “If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War

