PCIT304


The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag. “… I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network...”

ws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/

w.com/legal-regulatory-issues/stolen-laptop-leads-to-20-year-ftc-oversight-for-accretive-health.html

u.s.-officials-charge-chinese-wind-firm-for-committing-corporate-homicide

Sue’s Laptop: User Sue, Password a1b2c3, Password hash C9DF4E…; Sue’s User Session
File Server: User Sue, Password hash C9DF4E…; Sue’s User Session
1. Sue enters username and password
2. PC creates Sue’s user session
3. PC proves knowledge of Sue’s hash to Server
4. Server creates a session for Sue

Fred’s Laptop: User Fred, Hash A3D7…; Fred’s User Session
Sue’s Laptop: Sue’s User Session; Malware User Session (User Fred, Password hash A3D7…); credential store now holds User Fred, Hash A3D7 and User Sue, Hash C9DF
File Server: User Sue, Password hash C9DF…; Malware User Session (User Sue, Hash C9DF)
1. Fred runs malware
2. Malware infects Sue’s laptop as Fred
3. Malware infects File Server as Sue

“Credential footprint” of User Sue (Hash C9DF4E…) on Sue’s Laptop, with domain controller PTHDemo-DC
Local Security Authority (LSASS) on Sue’s Laptop:
NTLM: NTOWF C9DF4E56A2D1…
Digest: Password a1b2c3
Kerberos: Password a1b2c3, Ticket-Granting Ticket, Service Ticket
PTHDemo-DC issues the Ticket-Granting Ticket and the Service Ticket for User Sue

Sue’s Laptop, Local Security Authority (LSASS):
NTLM: NTOWF C9DF4E56A2D1…
Digest: Password a1b2c3
Kerberos: Ticket-Granting Ticket, Service Ticket
Credential Store also holds NTOWF A3D723B95DA…

Fred’s Laptop, Security Accounts Manager: User Admin, Hash A2DF…
Sue’s Laptop, Security Accounts Manager: User Admin, Hash A2DF…
The same local Admin hash (A2DF…) is present on both laptops.

Objective: This mitigation restricts the ability of attackers to use local administrator accounts or their equivalents for lateral movement PtH attacks.
How: Enforce the restrictions available in Windows Vista and later versions, preventing local accounts from being used for remote administration. Explicitly deny network and Remote Desktop logon rights for all administrative local accounts. Create unique passwords for local accounts with administrative privileges.
Outcome: An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.
Built-in SIDs for local accounts and local administrators

Get Credentials
Social engineering and phishing schemes are used to trick personnel and obtain credentials. Most organizations do not recognize when attackers are already within the network and have access to information such as e-mails, confidential documents and other intellectual property.
Get Data
The attack doesn’t stop there. Attackers look for the next set of credentials with elevated permissions to access servers. Once elevated credentials are obtained and servers are compromised, organizations risk losing revenue, brand reputation and business continuity.
Get Control
The ultimate goal of the attacker may be to gain access to the domain controllers, the central clearing hub for all credentials and identities. Once compromised, an attacker has complete control over an entire organization. All assets, intellectual property, physical property and personal information are in jeopardy.

Sue’s Laptop, Local Security Authority (LSASS):
NTLM: NTOWF C9DF4E56A2D1…
Digest: Password a1b2c3
Kerberos: Ticket-Granting Ticket, Service Ticket
Credential Store

Sue’s Helpdesk PC: Remote Desktop Client, User Sue, Password a1b2c3
Fred’s Laptop (the remote host), LSASS after Sue’s Remote Desktop logon:
NTLM: NTOWF C9…
Digest: Password a1b2c3
Kerberos: Ticket
Mimikatz: Credential Store

Objective: This mitigation reduces the risk of administrators inadvertently exposing privileged credentials to higher risk computers.
How: Restrict DA/EA accounts from authenticating to lower trust computers. Provide admins with accounts to perform administrative duties. Assign dedicated workstations for administrative tasks. Mark privileged accounts as “sensitive and cannot be delegated”. Do not configure services or schedule tasks to use privileged domain accounts on lower trust computers.
Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
Addition of authentication policies

Objective: This mitigation restricts the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.
How: Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources, such as helpdesk workstations, security compliance scanners and servers.
Outcome: An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.
No technical changes
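Added example, not from the PCIT304 deck: a PowerShell script (NetSecurity module, Windows 8 / Server 2012 and later) that audits the default inbound action of every Windows Firewall profile, lists enabled inbound allow rules that are open to any remote address, and then applies the restriction described above, re-opening management ports only from a trusted helpdesk range. The range 10.0.5.0/24, the rule prefix and the port list are constructed placeholders; the cmdlets and parameters are the real ones.

```powershell
# Added example (not from the PCIT304 deck). Requires the NetSecurity module and elevation.
#Requires -RunAsAdministrator

# Constructed placeholder: the subnet of helpdesk / admin workstations allowed to reach clients.
$TrustedManagementSources = @('10.0.5.0/24')

function Test-InboundDefaultBlock {
    # Lists the profiles whose default inbound action is not Block; an empty result is the goal.
    Get-NetFirewallProfile |
        Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        Select-Object Name, Enabled, DefaultInboundAction
}

function Get-InboundAnyAllowRules {
    # Enabled inbound allow rules whose remote address filter is 'Any': each one is a path
    # that a stolen credential could be used over from an arbitrary host on the network.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object DisplayName, Profile, Group
}

function Set-WorkstationInboundPolicy {
    param(
        [string[]] $AllowedSources = $TrustedManagementSources,
        [string]   $RulePrefix     = 'WS-Hardening'
    )

    # 1. Every profile blocks unsolicited inbound traffic by default.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # 2. Re-open only the management ports, and only from the trusted sources.
    #    (Illustrative port list: RDP, WinRM over HTTP/HTTPS, SMB for helpdesk file access.)
    $ports = @{ 'RDP' = 3389; 'WinRM-HTTP' = 5985; 'WinRM-HTTPS' = 5986; 'SMB' = 445 }
    foreach ($name in $ports.Keys) {
        $ruleName = "$RulePrefix-Inbound-$name"
        # Remove a stale copy first so the function can be re-run safely.
        Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $ports[$name] -RemoteAddress $AllowedSources -Action Allow -Profile Domain | Out-Null
    }
}

# Audit first, then enforce, then confirm the audit comes back clean.
Test-InboundDefaultBlock
Get-InboundAnyAllowRules | Format-Table -AutoSize
Set-WorkstationInboundPolicy
Test-InboundDefaultBlock
```

In a domain the same settings belong in Group Policy (Windows Firewall with Advanced Security) rather than in a local script, and the policy should also stop local rules from merging in (Set-NetFirewallProfile -AllowLocalFirewallRules False), otherwise a local administrator, or malware running as one, can simply add an allow rule back.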

Attributed to Dean Rusk, US Secretary of State,

Mission Threats

Identify High Value Assets
Consider Attacker Mindset
Baseline Normal Behavior

Architect a complete credential theft defense
Consider usability a security feature

Create hardened and restricted administrative hosts
Develop a containment strategy

Focus on High Value Assets
Monitor Event IDs Of Interest
Collect and Correlate Events

Closely Observe Affected Hosts
Ensure Attack Vectors Are Properly Addressed
Regularly Update Protection and Detection Mechanisms
Follow Up On Lessons Learned
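Added example, not from the PCIT304 deck: the deck says to monitor event IDs of interest without naming them; one that directly measures credential exposure is Security event 4624 (successful logon), whose LogonType field tells whether an administrator's logon left reusable credentials on the host. The script below collects 4624 events from the local host and flags privileged accounts using anything other than a network (Type 3) logon on a machine that is not a hardened admin workstation. The account list and the admin-host list are constructed placeholders; event 4624 and its field names are real.

```powershell
# Added example (not from the PCIT304 deck): collect successful logons (Security event 4624)
# on a host and flag privileged accounts whose logon type leaves reusable credentials in LSASS.
$PrivilegedAccounts = @('da-sue', 'da-fred')   # placeholder: accounts that should only touch admin hosts
$AdminHosts         = @('PAW01', 'PAW02')       # placeholder: hardened administrative workstations

# Windows logon types as recorded in the LogonType field of event 4624.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEvents {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Host       = $env:COMPUTERNAME
                Account    = $d.TargetUserName
                Domain     = $d.TargetDomainName
                LogonType  = [int]$d.LogonType
                LogonName  = $LogonTypeName[[int]$d.LogonType]
                SourceHost = $d.WorkstationName
                SourceIp   = $d.IpAddress
            }
        }
}

function Find-PrivilegedCredentialExposure {
    param([object[]] $Events, [string[]] $Accounts = $PrivilegedAccounts, [string[]] $SafeHosts = $AdminHosts)
    # A Network (Type 3) logon proves knowledge of the hash without leaving it on the target;
    # the other types (interactive, RDP, cached, service, batch, runas) generally do leave
    # something reusable in LSASS. On a host that is not a hardened admin workstation, a
    # privileged account appearing with any type other than 3 is a finding.
    $Events | Where-Object {
        $_.Account -in $Accounts -and $_.LogonType -ne 3 -and $_.Host -notin $SafeHosts
    }
}

# Usage: run on the host being reviewed, or wrap in Invoke-Command to sweep a fleet.
Find-PrivilegedCredentialExposure -Events (Get-LogonEvents) |
    Sort-Object Time | Format-Table Time, Account, LogonName, SourceHost, SourceIp -AutoSize
```

For the "collect and correlate" step, the same query fed into a central log store lets you baseline which accounts normally log on to which hosts, so a domain administrator's first RemoteInteractive logon to a user workstation stands out against that baseline.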

Regain Control Over Accounts
Change compromised account passwords, or disable an account and remove group memberships
Considerations:
Only effective against future authentication
Offline attackers can still use cached logon pv
Attacker may be able to re-obtain password
Attacker may persist using malware in user context
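Added example, not from the PCIT304 deck: a deliberately simplified PowerShell model of the exchange in the Sue diagrams above (the PC proves knowledge of Sue's hash, the server creates a session) and of the "change compromised account passwords" recovery step. SHA-256 stands in for the one-way function (NTOWF) and an HMAC over a random challenge stands in for the response; this is the shape of the protocol, not NTLM itself. Running it shows the two points the deck makes: the copied hash alone completes the first logon, and after the password reset the same hash fails while the session created before the reset is still there.

```powershell
# Added example (not from the PCIT304 deck): simplified model of hash-based authentication.
# SHA-256 models the NTOWF, HMAC-SHA256 over a challenge models the response; not real NTLM.

function Get-PasswordHash([string] $Password) {
    # The verifier stored by the server and cached in the client's LSASS (models the NTOWF).
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Password))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-ChallengeResponse([string] $Hash, [byte[]] $Challenge) {
    # Step 3 of the logon diagram: the client answers with a keyed digest of the server's
    # challenge. Only the hash is needed as the key; the password never leaves the client.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [System.Text.Encoding]::ASCII.GetBytes($Hash)
    return ([System.BitConverter]::ToString($hmac.ComputeHash($Challenge))).Replace('-', '')
}

# Server state: one hash per user, plus the sessions it has created (step 4).
$Server = @{ Users = @{}; Sessions = @() }

function Set-UserPassword([string] $User, [string] $Password) {
    $Server.Users[$User] = Get-PasswordHash $Password
}

function Invoke-Logon([string] $User, [string] $ClientHash) {
    if (-not $Server.Users.ContainsKey($User)) { return $false }
    $challenge = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)
    $expected = Get-ChallengeResponse $Server.Users[$User] $challenge
    $actual   = Get-ChallengeResponse $ClientHash $challenge
    if ($expected -ne $actual) { return $false }
    $Server.Sessions += "session for $User"
    return $true
}

Set-UserPassword 'Sue' 'a1b2c3'
$reusedHash = Get-PasswordHash 'a1b2c3'      # what a compromised laptop's LSASS would hold

# 1. The hash alone completes the logon: a copied hash is a password-equivalent.
$beforeReset = Invoke-Logon 'Sue' $reusedHash

# 2. "Change compromised account passwords" replaces the verifier, so the old hash fails
#    from now on; the session created in step 1 is untouched, which is why the reset is
#    only effective against future authentication.
Set-UserPassword 'Sue' 'Sue-new-passphrase-2014'
$afterReset   = Invoke-Logon 'Sue' $reusedHash
$openSessions = $Server.Sessions.Count

"before reset: $beforeReset; after reset: $afterReset; sessions still open: $openSessions"
```

The model also shows why the other considerations on the slide hold: nothing in a password reset touches a session or a process the attacker already has, so containment has to include the hosts (isolating them, terminating sessions, removing the malware), not only the account.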

Tactical Recovery
A short-term operation designed to disrupt a known adversary operation
Useful intelligence on the adversary presence
Stealth operation that the adversary is unaware of
Properly scoped defender operation
Strategic Recovery
A long-term plan that consists of multiple operations focused on recovering integrity at a high assurance level
Risk of migration
Risk of coexistence
Planned end state
Consider professional incident response services

Features and descriptions. Availability columns: Windows 7 / Windows Server 2008 R2; Windows 8.1 / Server 2012 R2; Requires domain upgrade (Windows Server 2012 R2 Domain Functional Level)
Remove LAN Manager (LM) hashes and plaintext credentials from LSASS: LAN Manager legacy hashes and (reversibly encrypted) plaintext passwords are no longer stored in LSASS
Enforce credential removal after logoff: New mechanisms have been implemented to eliminate session leaks in LSASS, thereby preventing credentials from remaining in memory
Logon restrictions with new well-known security identifiers (SIDs): Use the new SIDs to block network logon for local users and groups by account type, regardless of what the local accounts are named

Features and descriptions (continued). Availability columns: Windows 7 / Windows Server 2008 R2; Windows 8.1 / Server 2012 R2; Requires domain upgrade (Windows Server 2012 R2 Domain Functional Level)
Restricted Admin mode for Remote Desktop Connection: The Remote Desktop application and service have been updated to support authentication without providing credentials to the remote host
Protected Users security group: The new Protected Users security group enables administrators to restrict authentication to the Kerberos protocol only for group members within a domain
Authentication Policy and Authentication Policy Silos: New Authentication policies provide the ability to restrict account authentication to specific hosts and resources
LSA Protection: Allows the LSASS process to be turned into a Protected Process, thus preventing other processes (including processes running as SYSTEM\Administrator) that are not signed by Microsoft from tampering with the LSASS process
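Added example, not from the PCIT304 deck: a PowerShell audit of a single host for the host-side settings behind the features above and behind the "restrict local accounts" mitigation. It exports the local user-rights assignment with secedit and checks that the two well-known local-account SIDs (S-1-5-113, Local account; S-1-5-114, Local account and member of Administrators group) are in the deny-network-logon and deny-Remote-Desktop-logon rights, then reads the LSASS-related registry values (RunAsPPL for LSA Protection, NoLMHash, DisableRestrictedAdmin, and the WDigest UseLogonCredential value that controls plaintext caching). The SIDs, rights names and registry values are real; the temporary file name is a constructed choice.

```powershell
# Added example (not from the PCIT304 deck): audit one host for the settings behind the
# mitigations above. Run elevated; secedit needs administrative rights to export policy.
#Requires -RunAsAdministrator

# Well-known SIDs added for local-account logon restrictions (Windows 8.1 / Server 2012 R2,
# backported in KB2871997). Both are real identifiers, not placeholders.
$LocalAccountSid      = 'S-1-5-113'   # NT AUTHORITY\Local account
$LocalAdminAccountSid = 'S-1-5-114'   # NT AUTHORITY\Local account and member of Administrators group

function Get-LocalUserRightsAssignment {
    # Export the local security policy and return [Privilege Rights] as a hashtable:
    # right name -> list of principals (secedit writes SIDs with a leading '*').
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-LocalAdminLogonRestriction {
    # Both deny rights should name the local-account SIDs so a local administrator cannot
    # be used for network (Type 3) or Remote Desktop (Type 10) logon to this host.
    $rights = Get-LocalUserRightsAssignment
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $assigned = @($rights[$right])
        [pscustomobject]@{
            Right                  = $right
            RestrictsLocalAccounts = ($assigned -contains $LocalAccountSid) -or ($assigned -contains $LocalAdminAccountSid)
            Assigned               = ($assigned -join ', ')
        }
    }
}

function Test-LsassCredentialSettings {
    $lsa     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LsaProtection_RunAsPPL     = $lsa.RunAsPPL                 # 1 = LSASS runs as a protected process
        NoLMHash                   = $lsa.NoLMHash                 # 1 = LM hashes are not stored
        DisableRestrictedAdmin     = $lsa.DisableRestrictedAdmin   # 0 = Restricted Admin RDP accepted by this host
        WDigest_UseLogonCredential = $wdigest.UseLogonCredential   # 0 = no plaintext password kept for Digest
    }
}

Test-LocalAdminLogonRestriction | Format-Table -AutoSize
Test-LsassCredentialSettings | Format-List
```

A blank value in the second report means the value is absent, which on older systems is not the same as the secure setting (for example, Restricted Admin on Windows 7 / Server 2008 R2 with the update installed has to be enabled explicitly); treat absent as "not configured" and set it through Group Policy rather than assuming the default.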

Recommendation areas: Helpdesk; Domain administration; Operations and service management; Service accounts; Business group isolation; Bring your own device (BYOD)
Helpdesk Recommendations
Separate administrative accounts from user accounts
Use hardened and restricted hosts
Limit exposure of administrative credentials
RDP /RestrictedAdmin
Tools that only use network logon (Type 3)
Add accounts to Protected Users security group (if Kerberos only is feasible)
Create authentication policies and silos (if protected users is feasible)

Recommendations
Separate administrative accounts from user accounts
Use hardened and restricted hosts
Limit exposure of administrative credentials
RDP /RestrictedAdmin
Tools that only use network logon (Type 3)
Add accounts to Protected Users security group (if Kerberos only is feasible)
Create authentication policies and silos (if protected users is feasible)

Recommendations
Reduce privileges and privilege use
Only use DA/EA for DC Maintenance and Delegation
Separate administrative accounts from user accounts
Use hardened and restricted hosts
Strengthen authentication assurance
Implement security monitoring
Add accounts to Protected Users security group (if Kerberos only is feasible)
Create authentication policies and silos (if protected users is feasible)

Recommendations
Grant the least privilege
Never add to Domain Admins or Enterprise Admins
Use managed service accounts
Change passwords regularly
Strengthen authentication assurance
Monitor service account activity
Contain credential exposure
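Added example, not from the PCIT304 deck: a PowerShell audit (ActiveDirectory module from RSAT) that checks the members of Domain Admins, Enterprise Admins and Administrators against the domain-administration and service-account recommendations above: the "sensitive and cannot be delegated" flag, Protected Users membership, whether a service principal name is set on the account (a service is running as a privileged user instead of a managed service account), and password age. The group names, property names and cmdlets are real; the 365-day age threshold is a constructed choice.

```powershell
# Added example (not from the PCIT304 deck): audit privileged group members against the
# recommendations above. Needs the ActiveDirectory module and a domain at the Windows
# Server 2012 R2 functional level for the Protected Users check to return anything.
Import-Module ActiveDirectory

$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$MaxPasswordAgeDays = 365   # constructed threshold for "change passwords regularly"

function Get-PrivilegedAccountAudit {
    param([string[]] $Groups = $PrivilegedGroups)

    # SIDs of everyone already in Protected Users (Kerberos only, no NTLM, no delegation).
    $protectedSids = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.SID.Value })

    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so a membership cannot hide one level down.
        $users = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $users) {
            $u = Get-ADUser -Identity $member.distinguishedName -Properties AccountNotDelegated, ServicePrincipalName, PasswordLastSet
            $ageDays = $null
            if ($u.PasswordLastSet) { $ageDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays }
            [pscustomobject]@{
                Group            = $group
                Account          = $u.SamAccountName
                Enabled          = $u.Enabled
                NotDelegated     = $u.AccountNotDelegated                # "sensitive and cannot be delegated"
                InProtectedUsers = ($protectedSids -contains $u.SID.Value)
                HasSpn           = ($u.ServicePrincipalName.Count -gt 0) # a service runs as this privileged user
                PasswordAgeDays  = $ageDays
            }
        }
    }
}

function Find-PrivilegedAccountGaps {
    # Each returned row violates at least one recommendation; the Reasons column says which.
    Get-PrivilegedAccountAudit | ForEach-Object {
        $reasons = @()
        if (-not $_.NotDelegated)     { $reasons += 'not marked sensitive/cannot be delegated' }
        if (-not $_.InProtectedUsers) { $reasons += 'not in Protected Users' }
        if ($_.HasSpn)                { $reasons += 'has SPN: move the service to a managed service account, never DA/EA' }
        if ($_.PasswordAgeDays -gt $MaxPasswordAgeDays) { $reasons += "password older than $MaxPasswordAgeDays days" }
        if ($reasons.Count -gt 0) {
            $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

Find-PrivilegedAccountGaps | Sort-Object Group, Account | Format-Table Group, Account, Reasons -AutoSize
```

The "not in Protected Users" finding is advisory, matching the deck's "if Kerberos only is feasible": members of that group cannot authenticate with NTLM, cannot be delegated, and get short-lived Kerberos tickets, so an account that still needs NTLM (for example, to reach a host by IP address) will break if it is added without testing.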

Recommendations
Define Use Cases
Use hardened and restricted hosts
Restrict account logons
Consider blocking Internet access
Do not share accounts or passwords
Ensure unique local administrative passwords on workstations and servers

Recommendations
Define use cases and policies
Ensure risks are understood and accepted
Do not use BYOD devices for administration
Ensure that high business impact (HBI) data is not being stored on these devices
No shared password for corporate and personal accounts
No use of privileged service accounts on BYOD devices
Deploy available security policies
Isolate network access
Create response/recovery strategies
