Learning to Live with an Advanced Persistent Threat (177900234)
Transcript of Learning to Live with an Advanced Persistent Threat (177900234)
7/27/2019 Learning to Live with an Advanced Persistent Threat (177900234)
http://slidepdf.com/reader/full/learning-to-live-with-an-advanced-persistent-threat-177900234 1/32
Learning to Live with an Advanced Persistent Threat
EDUCAUSE 2013, October 17th, 2013
John Denune
IT Security Director [email protected]
ACT Infrastructure services
Active Directory
Networking
ID Management
Security
Telecom
Data Center
Database Administration
UNIX and Windows Support
What is an APT?
It’s not Opportunistic
APT
Targeted
Patient
Skilled
Technical
Social Engineering
Varied Attacks
Physical threats
Espionage
Corporate
State-Sponsored
Theft
Hacktivism
APT Lifecycle
External Recon
Initial Compromise
Establish Foothold
Escalate Privileges
Internal Recon
Expand
Complete Mission
Initial Detection
June 2012
Lesson #1
Pay attention to anti-virus alerts
Lesson #2
Don’t (completely) rely on your anti-virus product
Lesson #3
Where possible, track IPs instead of blocking them
Initial Recon February 2012
Initial Compromise April 2012
Gh0st RAT
Lesson #4
Make your local FBI agent your new best friend
Lesson #5
Have a secure communications plan in
Lesson #6
Log everything, especially authentication, netflow and
Dynamic DNS Beaconing

```
$ nslookup host.somehackedsite.com
** server can't find host.somehackedsite.com: NXDOMAIN

$ nslookup host.somehackedsite.com
host.somehackedsite.com has address 10.2.3.4
```
Attack timing
All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific
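The two observations above, the name that is NXDOMAIN until the operator brings it live and the activity confined to Sunday–Thursday nights, both lend themselves to simple log checks. This is an added example, not code from the talk: the resolver log format, the sample lines and the fixed PDT offset are all constructed assumptions.

```python
# Added detection sketch, not from the slides, for two patterns the deck describes:
# dynamic-DNS beaconing (a name alternating between NXDOMAIN and a live answer) and
# activity confined to Sunday-Thursday nights, 6pm-3am Pacific. Log format, sample
# lines and the fixed PDT offset are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed resolver log: "<UTC timestamp> <client> <qname> <NXDOMAIN|address>"
SAMPLE_LOG = """\
2012-06-11T02:00:00Z 192.0.2.10 host.somehackedsite.com NXDOMAIN
2012-06-11T03:00:00Z 192.0.2.10 host.somehackedsite.com NXDOMAIN
2012-06-11T04:00:00Z 192.0.2.10 host.somehackedsite.com 10.2.3.4
2012-06-11T08:30:00Z 192.0.2.10 host.somehackedsite.com 10.2.3.4
2012-06-11T16:00:00Z 192.0.2.10 host.somehackedsite.com NXDOMAIN
2012-06-12T17:00:00Z 192.0.2.11 www.example.edu 198.51.100.7
2012-06-16T03:00:00Z 192.0.2.11 www.example.edu 198.51.100.7
"""
PACIFIC = timezone(timedelta(hours=-7))  # PDT as a fixed offset (assumption)
ATTACK_DAYS = {6, 0, 1, 2, 3}  # weekday(): Sunday=6, Monday=0 ... Thursday=3

def parse_log(text):
    """Return (timestamp, client, qname, answer) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        ts, client, qname, answer = line.split()
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        client, qname, answer))
    return sorted(records)

def beaconing_domains(records, min_flips=2):
    """Names whose answer flips NXDOMAIN <-> address at least min_flips times."""
    history = defaultdict(list)
    for _, _, qname, answer in records:
        history[qname].append(answer == "NXDOMAIN")
    flips = {q: sum(a != b for a, b in zip(h, h[1:])) for q, h in history.items()}
    return {q: n for q, n in flips.items() if n >= min_flips}

def in_attack_window(ts):
    """True if ts lies in a Sunday-Thursday night between 6pm and 3am Pacific."""
    # Shift back 3h so a 2am hit belongs to the night that began the evening before.
    night = ts.astimezone(PACIFIC) - timedelta(hours=3)
    return night.hour >= 15 and night.weekday() in ATTACK_DAYS

def off_hours_hits(records):
    """Count queries per name that fall inside the attack window."""
    hits = defaultdict(int)
    for ts, _, qname, _ in records:
        hits[qname] += in_attack_window(ts)
    return {q: n for q, n in hits.items() if n}
```

On the sample log the C2 name flips twice (parked, live, parked again) and all four of its in-window lookups land on Sunday night, while the legitimate name never flips and its Friday-evening lookup falls outside the window.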
Attack Path
Malware Observations
You don’t need to rely on a lot of malware when you’ve already got a long list of credentials.
You don’t need to crack passwords when you can just pass a hash.
NTLM Authentication
• User provides username and password. Client computes hash, stores it in memory and throws away the plaintext password.
• Client sends username to server.
• Server sends a challenge to the client.
• Client encrypts the challenge with the user hash and sends it back to the server.
• Server sends the username, challenge and encrypted response to the DC.
• DC retrieves user hash, encrypts the challenge and compares to the client encrypted response. If they match, authentication is successful.
Administrator Hash
So, let’s say the domain administrator RDP’s to the client…
Domain Admin NTLM hash now stored in client
Pass the Hash
Attacker compromises client…
Steals hashes from memory…
Accesses both server and domain controller
GAME OVER
Mitigations
• Change passwords multiple times per day
• Fast track two factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan entire domain for scheduled tasks
• Rebuild Domain Controllers
Emergency Action
September 2012
Lesson #7
Reconsider traditional password best practices
Lesson #8
Effectively and securely communicating a password change is hard
We are not alone
Reengagement
July 2013
ACT
Parting Thoughts
• Detection can be subtle and an art
• Have a good AD Team
• Logging visibility is essential
• Regular password changes are a MUST
• Be prepared to re-image any system
• Firewalls to prevent lateral movement
• Separation of user and admin credentials
• Require two-factor for OU Admins
A New Hope
• Strengthened LSASS to prevent hash dumps
• Many processes no longer store credentials in memory
• Better ways to restrict local account use over the network
• RDP use without putting the credentials on the remote computer
• Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Further Reading
Know Your Digital Enemy – Anatomy of a Gh0st RAT
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-e
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036
APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
“If ignorant both of your enemy and yourself, you are certain to be in peril.”
― Sun Tzu, The Art of War