
TWC: Pass-the-Hash and Credential Theft Mitigation Architectures
Mark Simos, Nicholas DiCola
DCIM-B213

Agenda
Microsoft Cybersecurity Team
Determined Adversaries and Targeted Attacks
Pass the Hash and Credential Theft
Credential Theft Mitigation Architectures

Cybersecurity Practice
Global Reach and Delivery with World Class Architects, Consultants, and Engineers
Detecting Threats: advanced tools to find new attacks; deep expertise hunting for the Determined Adversary
Innovative Mitigations: make the most of your existing assets; new approaches to counter threats
Custom Solutions: specialized security solutions, from tailored assessments to integrating the Security Development Lifecycle into your software development
Service areas: Sensors & Intelligence; Response & Investigation; Recovery & Mitigations; Architecture & Advisory; Expert SDL Developer Services; Technology Experts

Key Learnings
Astronomical adversary ROI for internet attacks: cheap, effective, relatively easy; no alternate espionage method has comparable ROI
Increased adversary maturity: many are well-resourced, mission-focused, determined; sophisticated targeting of organizations, people, data
Ubiquitous use of credential theft (Pass the Hash): elevates to a mission, shareholder value, existential threat; externals effectively conducting insider attacks

Targeted Attacks—Strategies and Tactics
Establish Persistence
Gain control of your identity store: public (administrator rights, interesting projects and groups) and secrets (passwords and hashes)
Hide malware on multiple hosts, custom compiled for the attack campaign
Execute Mission
Download terabytes of your data (~99% of cases): initially a large exfiltration of many types, then target specific data (new, valuable, strategic)
Implement the wrecking ball (~1% of cases)

Defender Trends
IT environments not designed for the credential-theft class of attacks
IT security resources trying to defend every system equally
Reputation impact concerns hamper defender collaboration

Pass the Hash: 48 hours (or less)
1. Attacker targets workstations en masse
2. User running as local admin is compromised, attacker harvests credentials
3. Attacker uses credentials for lateral movement or privilege escalation
4. Attacker acquires domain admin credentials
5. Attacker exercises full control of data and systems in the environment

Potential Attacker Pathways (diagram; labels recovered from the slide)
Establish beachhead on Patient Zero: user action, vulnerability & exploit, malware install, beacon and command & control
Workstation (user = administrator): elevation exposes the user's data and keystrokes, all local data, active user credentials, and SAM NT hashes
Credential re-use: Pass the Hash with local accounts reaches all workstations, their local data, active user credentials, and SAM NT hashes
Servers (server admin PTH, system or administrator access): all local data, active user credentials, Security Accounts Manager (SAM) NT hashes, and all Active Directory data (read)
Domain controllers (domain admin logon, domain admin PTH): domain administrator access, all Active Directory data (full control), all credentials (NT hashes), all data
Paths shown: workstation administrator and user access, server administrator and user access, user credential re-use

Demo: Pass the Hash Attack
Lab: DC and Client in Domain.Local; DomainAdmin account; Attack Operator

Smartcards alone will not stop PTH
Smartcard logon sessions still have an NTLM hash: of the user password, or of a random 128-bit value (if smartcard is required)
The account attribute restricts interactive logon only
The smartcard is remotely available to the attacker when malware is installed, the smartcard is inserted in the reader, and the PIN is captured by a keystroke logger (most malware includes one)

Effective Mitigations
1. Credential Theft (prevent exposure): ensure high-privilege account credentials aren't available to be stolen
No Domain Admins on workstations or servers
No Server Admins on workstations
2. Credential Re-Use, illicit (limit usefulness): reduce the usefulness of credentials exposed to high risk (internet)
Local SAM database (NT hash only)
Machine account passwords
Service passwords (if present)
Chart axes: high exposure (to internet/risk) versus high privilege/value

Credential Theft Mitigation Strategy
1. Privilege escalation: credential theft, application agents, service accounts
2. Lateral traversal: credential theft, application agents, service accounts
Tiers: Tier 0, Tier 1, Tier 2

Tier Model Restrictions
Tier 0: Domain Controllers; Forest/Domain Admins (admin workstation)
Tier 1: Servers; Server Admins (admin workstation)
Tier 2: Workstations; Workstation Admins (admin workstation)
Logon rules shown: same tier logon allowed; higher tier logon (privileged credentials onto a lower tier host) blocked; lower tier logon (onto a higher tier host) blocked

Enhanced Security Admin Environment
Admin Environment: Management and Monitoring; Production Domain Admins; Red Card Admins; Break Glass Account(s)
Production: Power (Domain Controllers); Data (Servers and Applications); Access (Users and Workstations); services and applications; lateral traversal
Admin environment properties: IPsec credential partitioning, hardened admin environment, known good media, network security, hardened workstations, accounts and smartcards, auto-patching, security alerting, tamper-resistant audit, offline administration (enforces governance), assists with mitigating risks

Self-maintaining (to the extent possible): automatic software update application (and reboots)
Small footprint: single ESAE domain/forest; DCs and System Center Operations Manager (security alerting); one administrative workstation per administrator
Smartcard enforcement and regular NT hash cycling for all active accounts
Typical Administrative Environment

ESAE - Managing Multiple Forests/Domains
Admin Environment (diagram)

Privileged Account Workstation (PAW) – On Premises
Production Domain(s): Workstations & Users; Servers and Applications; Domain & Forest
Administrators: Server & App Admins; Domain Admins
Increase security protections against enterprise threats and known internet threats: hardened workstations, known good media, 20+ security controls, network traffic restrictions, admin smartcards (optional)

Privileged Account Workstation (PAW) – Cloud Security
Cloud Infrastructure & Services Administration: SaaS, IaaS, PaaS; social media, publishing, brand management
Privileged Account Workstations increase security protections against enterprise threats and known internet threats
Security protections include known good media, 20+ security controls, smartcards (optional), security alerting (optional)

What are these 20+ Security Controls?
UEFI/TPM/Secure Boot enabled
BitLocker
Standard User Configuration
AppLocker
USB Media Restrictions
Outbound Traffic restrictions (no Internet)
Inbound Traffic restrictions (default block)
Automatic patching
EMET
System Center Endpoint Protection
Rapid rebuild process
Known Good Media Build Process
Logon Restrictions
Microsoft Security Baselines (SCM)
Unsigned code analysis
Attack Surface Analysis
OU and GPO ACL Lockdowns
Lateral Traversal Mitigation(s)
Restricted administrators membership
Only authorized management tools
Etc.

How MARS works (Auto-Approval example)
Configure workflows for each role: notifications, approval requirements, custom actions
MARS Server manages privilege (group membership or custom actions) over resources: managed servers, Domain Admin, Schema Admin, Top Secret Project
Timeline for a candidate account:
1. Request Access (10:00)
2a. Auto-Approve (10:00)
2b. E-mail Notification (10:00)
3. Access Resource (10:01)
4. Privilege Expires (12:00)
5. Attempt Access (3:15), after the privilege has expired
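The five numbered steps above, worked through as an added Python model that is not MARS code: a per-role workflow auto-approves a request, records the notification, grants the privilege for a fixed window and refuses an access attempt once that window has closed. The role name, the two-hour window, the recipient address and the in-memory group membership are assumptions made for the demo.

```python
"""Just-in-time privilege with expiry, modelled on the MARS auto-approval timeline.

Added example, not MARS code. Role names, the two-hour window, the notification
recipient and the in-memory 'group membership' store are assumptions for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RoleWorkflow:
    name: str
    auto_approve: bool
    duration: timedelta
    notify: list = field(default_factory=list)   # addresses to notify on approval


@dataclass
class Grant:
    account: str
    role: str
    approved_at: datetime
    expires_at: datetime


class PrivilegeManager:
    """Minimal JIT privilege store keyed by (account, role)."""

    def __init__(self, workflows):
        self.workflows = {w.name: w for w in workflows}
        self.grants = {}          # stands in for managed group membership
        self.notifications = []   # (recipient, message) pairs; constructed audit trail

    def request_access(self, account, role, now):
        """Step 1: request; step 2a/2b: auto-approve and notify if the workflow allows."""
        wf = self.workflows[role]
        if not wf.auto_approve:
            return None           # would be routed to a human approver instead
        grant = Grant(account, role, now, now + wf.duration)
        self.grants[(account, role)] = grant
        for addr in wf.notify:
            self.notifications.append(
                (addr, f"{account} granted {role} until {grant.expires_at:%H:%M}"))
        return grant

    def expire(self, now):
        """Step 4: remove every membership whose window has closed."""
        expired = [k for k, g in self.grants.items() if g.expires_at <= now]
        for k in expired:
            del self.grants[k]
        return expired

    def has_access(self, account, role, now):
        """Steps 3 and 5: access is valid only inside the approved window."""
        self.expire(now)
        g = self.grants.get((account, role))
        return g is not None and g.approved_at <= now < g.expires_at


def demo_timeline():
    """Replay the slide's timeline and return the outcome at each checkpoint."""
    day = datetime(2014, 5, 13)   # constructed date; only the clock times matter

    def at(hour, minute):
        return day + timedelta(hours=hour, minutes=minute)

    mgr = PrivilegeManager([
        RoleWorkflow("Top Secret Project", True, timedelta(hours=2), ["owner@example.test"]),
    ])
    mgr.request_access("candidate", "Top Secret Project", at(10, 0))
    return {
        "10:01": mgr.has_access("candidate", "Top Secret Project", at(10, 1)),
        "15:15": mgr.has_access("candidate", "Top Secret Project", at(15, 15)),
        "notified": len(mgr.notifications),
        "memberships_left": len(mgr.grants),
    }


if __name__ == "__main__":
    for checkpoint, outcome in demo_timeline().items():
        print(f"{checkpoint}: {outcome}")
```

The important property is that `has_access` re-evaluates expiry on every check instead of trusting a membership that was granted earlier; a real system would also write the expiry sweep to a tamper-resistant audit log so that the 3:15 attempt is visible as a refused request.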

Platform Updates
Core platform changes (automatically on):
Remove LM hashes from LSASS
Remove plaintext-equivalent passwords from LSASS (for domain credentials)
Enforce credential removal after logoff
Facilitate restriction of local admin accounts:
S-1-5-113 – Local account
S-1-5-114 – Local account and member of Administrators group
New configurable features:
Protected Users
Restricted Admin Mode Remote Desktop
Authentication Policies & Silos
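The two well-known SIDs above exist so that a single entry in the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" rights covers every local administrator account, whatever it is named. The following Python script is an added example, not code from the session or from Microsoft: it parses a policy export in the INI layout that `secedit /export /cfg` produces (assumed format) and reports whether those two deny rights carry S-1-5-114 or S-1-5-113. The policy text inside is constructed for the demo; the privilege names SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight are the standard names used in such exports.

```python
"""Audit a secedit-style policy export for the local-account deny rules
that the S-1-5-113 / S-1-5-114 well-known SIDs make possible.

Added example, not code from the session or from Microsoft. It assumes the
INI layout written by `secedit /export /cfg <file>`: a [Privilege Rights]
section whose values are comma-separated SIDs prefixed with '*'. The policy
text below is constructed for the demo.
"""
import configparser
import io

LOCAL_ACCOUNT_SID = "S-1-5-113"   # any local account
LOCAL_ADMIN_SID = "S-1-5-114"     # local account that is a member of Administrators

# Deny rights that should carry the local-admin SID so that a stolen local
# administrator hash cannot be replayed against other hosts over the network.
RIGHTS_TO_CHECK = {
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
}


def parse_privilege_rights(export_text):
    """Return {right_name: set_of_sids} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str   # keep the right names case-sensitive
    parser.read_file(io.StringIO(export_text))
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
            rights[name] = sids
    return rights


def audit_local_admin_deny(export_text):
    """Return a list of (right, description, covered) findings.

    covered is True when the deny list names local administrators, either
    directly (S-1-5-114) or through the broader all-local-accounts SID (S-1-5-113).
    """
    rights = parse_privilege_rights(export_text)
    findings = []
    for right, description in RIGHTS_TO_CHECK.items():
        sids = rights.get(right, set())
        covered = LOCAL_ADMIN_SID in sids or LOCAL_ACCOUNT_SID in sids
        findings.append((right, description, covered))
    return findings


# Constructed sample: a workstation that denies local admins over Remote
# Desktop but left the network logon right (the one pass-the-hash relies on)
# with only the Guests group (S-1-5-32-546) denied.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-114,*S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, description, covered in audit_local_admin_deny(SAMPLE_EXPORT):
        status = "OK " if covered else "GAP"
        print(f"{status} {right:36s} {description}")
```

On a real host, run `secedit /export /cfg <file>` and pass the file's text to `audit_local_admin_deny` (the export is written as UTF-16, so open it with that encoding). S-1-5-113 is the broader of the two SIDs: denying it also cuts off non-admin local accounts, which is why S-1-5-114 is the one usually placed in these deny lists.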

Enhanced Security Admin Environment (ESAE)
Domain and Forest Administration: Production Domain(s), Domain and Forest
Hardened Hosts and Accounts
Security Alerting
Managed Access Request System (MARS)
Server and System Management
App and Data Management
Privileged Account Workstation (PAW)
User Assistance and Support
Helpdesk and Workstation Management
Lateral Traversal Mitigations
Application & Service Hardening
Credential Theft Mitigations with 8.1/2012 R2 features: RDP w/Restricted Admin, Protected Users, Auth Policies and Silos

Application and Service Hardening
Upstream Risks (Controlling the Application) and Downstream Control
Important: upstream risks also include hosts where upstream administrator credentials are exposed.
Application: application agents or software; application service accounts; business critical data?
Backup and storage administrators
Baseboard Management Controllers (BMCs)
Local operating system administrators
Physical access and virtual machine administrators
ACLs on computer account, OU, GPO, GPO content
Management agents on server and scheduled tasks
Application administrator roles
Unpatched software vulnerability, weak OS configuration
Host installation media/process

Importance of Known Good Media
Media attack vectors: infecting gold master images; injecting malicious software into download bit-streams; infecting software packages
Validate media source: verify printed media; verify downloaded media (certutil -hashfile) and compare the binary to published hashes
Compare from two independent downloads (different machines, internet connections)
Transfer and storage of media: save onto read-only media such as a locked DVD (not a USB drive); label as Known Good Media or "KGM."
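The verification step above, as an added Python example that is not part of the deck: it hashes a download, checks it against the vendor's published digest, and cross-checks a second, independently obtained copy, reporting every mismatch rather than stopping at the first. The image bytes, the published hash and the tampered copy are constructed in memory; on Windows, `certutil -hashfile <file> SHA256` produces the same digest that `file_digest` computes here.

```python
"""Verify downloaded media as the Known Good Media slide describes: hash the
file, compare it to the published hash, and cross-check two independent
downloads against each other.

Added example, not code from the session. The 'published' hash and both
downloads are constructed in memory; in practice the hash comes from the
vendor's release page and the copies from different machines and internet
connections.
"""
import hashlib
import hmac

CHUNK = 1 << 20   # hash in 1 MiB chunks so the same routine scales to ISO-sized files


def file_digest(data, algorithm="sha256"):
    """Hex digest of in-memory bytes, computed chunk by chunk."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def verify_media(download_a, download_b, published_hex, algorithm="sha256"):
    """Return (ok, reasons).

    ok is True only when both copies match each other and the published hash.
    Every failed comparison is reported, so a mismatch between the two
    downloads is distinguishable from a stale or mistyped published hash.
    Comparisons use compare_digest so the check does not leak partial matches.
    """
    reasons = []
    digest_a = file_digest(download_a, algorithm)
    digest_b = file_digest(download_b, algorithm)
    published = published_hex.strip().lower()
    if not hmac.compare_digest(digest_a, digest_b):
        reasons.append("independent downloads differ from each other")
    if not hmac.compare_digest(digest_a, published):
        reasons.append("download A does not match the published hash")
    if not hmac.compare_digest(digest_b, published):
        reasons.append("download B does not match the published hash")
    return (not reasons, reasons)


# Constructed sample: a small 'image' standing in for an ISO, a published hash
# taken from the clean copy, and a second download whose tail was altered
# without changing its length (a size check alone would not catch it).
CLEAN_IMAGE = b"KGM demo image v1.0 " * 4096
TAMPERED_IMAGE = CLEAN_IMAGE[:-4] + b"evil"
PUBLISHED_SHA256 = file_digest(CLEAN_IMAGE)

if __name__ == "__main__":
    ok, why = verify_media(CLEAN_IMAGE, CLEAN_IMAGE, PUBLISHED_SHA256)
    print("two clean downloads:", "KNOWN GOOD" if ok else why)
    ok, why = verify_media(CLEAN_IMAGE, TAMPERED_IMAGE, PUBLISHED_SHA256)
    print("one tampered download:", "KNOWN GOOD" if ok else why)
```

Only media that passes all three comparisons should be burned to the locked DVD and labelled KGM; a failure on the two-download comparison alone points at one download path (proxy, mirror, machine) rather than at the vendor's published value.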

Lessons Learned
Credential theft is different from a normal vulnerability: the attack surface is determined by operational practices
It all starts from host integrity: it only takes one tool to automate a new/difficult attack
Prevention is cheaper than recovery! Recovery still requires preventing reinfection (similar to proactive defenses); recovery also requires cleaning up attacker presence (never guaranteed); residual risk is higher in recovery mode

Questions?
Ask now or…
Mark.Simos @ Microsoft.com
Nicholas.DiCola @ Microsoft.com

Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD
For More Information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Resources
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Complete an evaluation and enter to win!
Evaluate this session: scan the QR code on the slide to evaluate this session.

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.