The Non-Advanced Persistent Threat
Transcript of The Non-Advanced Persistent Threat
© 2014 Imperva, Inc. All rights reserved. Confidential
The Non-Advanced Persistent Threat
September 17, 2014

Agenda
§ APT
• Scenario
• Infamous APTs
§ Non-APTs
• The non-APT
• NTLM weaknesses
• Demo – Poisoning the Well (File Share)
• More attack scenarios
§ Waiting for good things to come
§ Privilege escalation
• Demo – SharePoint Poisoning
§ Leftovers
§ Conclusion

Advanced Persistent Threats
What Comes to Mind

What Is APT?
Figure: attack chain Initial Compromise -> Establish Foothold -> Lateral Movement -> Gather Data -> Exfiltrate, targeting the Data Center (File Share / Database)

Few Infamous APTs: From Governments to the People
§ CHS
• Stolen Records ~4,500,000
• Period ~3 months
• Initial Compromise – Heartbleed
§ eBay
• Stolen Records ~145,000,000
• Period ~2 months
• Initial Compromise – stolen credentials (phishing / reuse)
§ Target
• Stolen Records ~70,000,000
• Period ~3 weeks
• Initial Compromise – Credentials from partner (HVAC)

Non-Advanced Persistent Threats

The Non-Advanced Persistent Threat
§ What is APT?
• Advanced
• Persistent
• Threat
§ Show equivalent scenario
• Not advanced
• Not persistent (not extremely)
• Still a threat

Windows NT LAN Manager (NTLM)
§ Authentication protocol designed by Microsoft
§ Messages (challenge response): Negotiate -> Challenge -> Response
§ Gives the user the Single Sign On experience
• Client stores LM / NT Hash (used for authentication)
§ Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…
§ Microsoft says:
• “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”
• “Applications are generally advised not to use NTLM”

NTLM Vulnerabilities
§ Pass the Hash (APT1)
• Because the response is calculated using the LM / NT hash, the hash is equivalent to the plaintext password
§ Weak Response Calculations
• In early versions, an attacker that has the challenge & response can calculate the LM / NT hash (CloudCracker)
• Extract easily with public tools: Windows Credential Editor (WCE) / QuarksPwDump
§ Relay Attack

Demo
Poisoning the Well

Demo – Poisoning the Well
Figure: Initial Compromise -> Poison File Share / SharePoint -> Gather Privileges (NTLM Relay) -> Exfiltrate; actors Alice, Bob, CatCorp inc.

Poisoning the Well
Figure: File Share, Compromised host, steps 1, 2, 3

Waiting for Good Things to Come
Figure: Compromised host (steps 1, 2), Firewall, Agent, Data Center File Share / Database

Privilege Escalation
Figure: Compromised host; SMB Reflect; SMB relay & authenticate; Metasploit SMB capture; SMB relay & crack

Demo
SharePoint Poisoning

Demo – SharePoint Poisoning
Figure: actors Alice, Bob, CatCorp, Inc.
Easily skip between protocols: HTTP to SMB / RDP / MSSQL, etc.

Leftovers
What We Left Out and Why

Things We Left Out
§ We didn’t talk about the “edges”
• Initial Compromise
  § done with simple methods (phishing, stealing, pay per infection)
  § Security is not equal; attackers go for the weakest link. recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”
• Exfiltration
  § copy stolen data from the asset
  § Use any legitimate cloud service (Google Drive etc.)
Figure: Initial Compromise -> Establish Foothold -> Lateral Movement -> Gather Data -> Exfiltrate

Conclusion
What Does It All Mean & How to Mitigate?

Conclusion
§ APT is not the sole domain of government or sophisticated criminal groups
• No need for zero days
• Low technical skills
§ NTLM is only a symptom
• Patching / upgrading does not always happen, especially when it’s costly
• The SSO experience is convenient for attackers: go from file to DB, Web Server, Exchange, etc.
§ The least confidential locations could prove dangerous
• Not strictly monitored

Mitigations
§ Upgrade
• A good idea, but not always feasible
• Kerberos also has its vulnerabilities (e.g. Pass the Ticket)
§ Monitor authentications to resources
• Same machine authenticates with several users
• Same user authenticates from several machines
§ Avoid services that log on to a large number of assets
• Service authentication can leave behind hashes or tickets, or be used in relay / MIM (man-in-the-middle) attacks

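The two monitoring bullets above, plus the point about service accounts that log on to many assets, reduce to three distinct-count checks over successful network logons. The script below is an added example written for this transcript, not Imperva's code or anything demonstrated in the deck. It parses a constructed, simplified `timestamp|source_host|account|target_resource` log (an invented format, not a Windows event or Imperva log format) and flags the patterns the slide names; the hosts, accounts and thresholds are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample of successful network authentications, one per line as
#   timestamp|source_host|account|target_resource
# This is an invented, simplified format for the example, not a real Windows
# event log or Imperva log format. The scenario mirrors the deck: WS-ALICE is
# the compromised workstation, svc_backup is a service account that logs on
# to many assets, and bob's credentials are reused from several machines.
SAMPLE_AUTH_LOG = r"""
2014-09-17T09:00:01|WS-ALICE|CATCORP\alice|FILESRV01
2014-09-17T09:02:10|WS-BOB|CATCORP\bob|FILESRV01
2014-09-17T09:05:33|WS-BOB|CATCORP\bob|SHAREPOINT01
2014-09-17T09:10:00|WS-ALICE|CATCORP\bob|FILESRV01
2014-09-17T09:10:05|WS-ALICE|CATCORP\carol|SQL01
2014-09-17T09:10:09|WS-ALICE|CATCORP\dave|EXCH01
2014-09-17T09:15:00|MGMT01|CATCORP\svc_backup|FILESRV01
2014-09-17T09:15:01|MGMT01|CATCORP\svc_backup|SQL01
2014-09-17T09:15:02|MGMT01|CATCORP\svc_backup|EXCH01
2014-09-17T09:15:03|MGMT01|CATCORP\svc_backup|SHAREPOINT01
2014-09-17T09:20:00|WS-CAROL|CATCORP\bob|FILESRV01
2014-09-17T09:21:00|SQL01|CATCORP\bob|FILESRV01
"""


def parse_auth_log(text):
    """Parse the pipe-delimited sample into (timestamp, host, account, target)
    tuples. Blank, comment and malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 4:
            continue
        events.append(tuple(fields))
    return events


def summarize(events):
    """Build the three relations the heuristic needs:
    host -> accounts seen from it, account -> hosts it came from,
    account -> distinct target assets it authenticated to."""
    users_per_host = defaultdict(set)
    hosts_per_user = defaultdict(set)
    assets_per_user = defaultdict(set)
    for _ts, host, account, target in events:
        users_per_host[host].add(account)
        hosts_per_user[account].add(host)
        assets_per_user[account].add(target)
    return users_per_host, hosts_per_user, assets_per_user


def find_anomalies(events, max_users_per_host=2, max_hosts_per_user=2,
                   max_assets_per_user=3):
    """Flag entities whose distinct count exceeds the given thresholds.
    Thresholds are illustrative; tune them per environment (a shared jump
    host or terminal server legitimately shows many users)."""
    users_per_host, hosts_per_user, assets_per_user = summarize(events)

    def over(relation, limit):
        return sorted((key, len(members)) for key, members in relation.items()
                      if len(members) > limit)

    return {
        # one machine authenticating with several users: relay / pass-the-hash pattern
        "hosts_with_many_users": over(users_per_host, max_users_per_host),
        # one user authenticating from several machines: credential reuse / lateral movement
        "users_from_many_hosts": over(hosts_per_user, max_hosts_per_user),
        # one account touching many assets: service accounts that leave hashes everywhere
        "accounts_touching_many_assets": over(assets_per_user, max_assets_per_user),
    }


if __name__ == "__main__":
    for category, hits in find_anomalies(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(category)
        for name, count in hits:
            print(f"  {name}: {count}")
```

On the sample data the compromised workstation WS-ALICE is flagged for authenticating as four accounts, bob for appearing from four machines, and svc_backup for touching four assets. In production the same counts should be computed per time window (per hour or per day) against a baseline of what each host and account normally does, since the absolute thresholds here are only placeholders.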
www.imperva.com