SIA200: Cyber Security Defenses: What works today

This is one of those sessions where you sit back at the end and just don’t know what to say; it’s so good and so profound. The message is that if your company hasn’t yet been compromised, it will be. Once a workstation is compromised, it takes on average only 24-48 hours before the attacker escalates to domain admin and literally owns your entire network. Pass the hash attacks can be carried out in as little as 6 minutes, or less, and are used in nearly every attack today. Even a single privileged account used on the wrong computer can lead to the compromise of an entire domain. It is extremely critical that you understand these attacks and the measures required to mitigate them.

They gave one example of Wells Fargo. They are the poster child for securing their environment in such a way that they have no permanently active domain admin, server admin, or workstation admin accounts. Yet they can effectively operate in a highly secure manner. Doing the pass the hash attack against Wells Fargo would be extremely difficult. Yes, you can remove permanent administrator rights from everyone, including all of IT, and still function efficiently. In fact, if you want to mitigate a major attack vector, you MUST do this. Deploy all the IDSes, firewalls and sniffers you want, but they can’t hold a candle to properly locking down privileged user accounts and completely rethinking how you use them. This is NOT an option.

This session was so jam-packed with information that I didn’t capture more than 75% of the highlights below. If you attended TechEd, this is a must-watch video for everyone. Hopefully it will be posted on Channel 9 so everyone can watch it. It’s just that good (and scary).

  • Determined Adversaries and Targeted Attacks (DA/TA)
    • Think “organizations stealing data with full-time employees (FTEs)” not casual hackers or viruses
    • If you are targeted, they want (and may already have) your IP
    • Even if you don’t think you could be targeted, you probably are a target. They may not want the secrets to your widgets, but maybe they want something else you have like banking contract details for a business partner. Or maybe they really DO want the secret to your widgets.
  • DA/TA Common Technical Tactics
    • Gain control of your identity store – Find out who is who, who works for whom, what groups people are in, etc. Capturing credentials is secondary, since they already own your network. Knowing who is who in your org is key for the adversary.
    • Public Data – Admin rights, interesting projects/groups. Even without domain admin rights, AD provides a lot of data to authenticated users with the right tools.
    • Secrets – passwords/hashes for users
    • Download terabytes of your data
      • Large initial exfiltrations typically
      • Then target specific data
    • Hide custom malware on multiple hosts. Some only call back every few weeks or months. Very, very hard to detect.
  • Cyber Attack Techniques
    • Targeting, phishing, pass the hash, custom malware, application exploit.
      • Note: Pass the hash is extremely worrisome. Pentesters can get domain admin in 6 minutes, and the average APT can get domain admin in 24-48 hours.
      • Only ONE instance the MS team is aware of that the attacker did NOT use pass the hash. Everyone knows it and uses pass the hash.
      • SQL injection is HUGE and extremely scary.
    • Pass the Hash – Here’s how it works
      • Bad guy targets workstations en masse
      • Users running as local admin compromised, bad guy harvests credentials
      • Bad guy starts ‘credential crabwalk’
      • Bad guy finds a host with domain privileged credentials, steals them, and elevates privileges
      • Bad guy owns the network and can harvest whatever they want
      • Bad guys can create workstation problems so the helpdesk has to log in and fix it, thus capturing credentials
      • *Windows Credential Editor* (security researcher tool) Demo
        • wce -e (sits and waits to grab credentials)
        • wce -s (used to inject hash and access resource like fileshare)
        • wce -w (pulls plaintext password out of memory)
      • Windows stores passwords with reversible encryption in memory, regardless of password length or whether you disable the “reversible encryption” GPO option
  • What can be done?
    • Know what matters
    • Effective workstation and server defenses
    • Protect Key identities and roles
  • Protecting the Crown Jewels
    • Do not try to protect all assets equally – you can’t
    • Identify and protect intellectual property that is valuable to the org and to potential attackers
      • Foreign and domestic competitors
      • Would-be competitors
      • Governments, etc.
    • Multi-factor authentication (smart cards, etc.)
    • Strict security requirements
    • Hardened systems
    • Asset isolation
    • Concentric rings of security
  • Protect your Hosts
    • Move users out of local admins groups
    • Get current / stay current
    • Implement exploit mitigation
    • Patching, compliance, and configuration management
    • End-user education
  • Get Current/Stay Current
    • All applications must be updated
    • #1 patch, patch, patch. Don’t take months to update software.
    • Not just OS patches – OS only attacked 15% of the time, 85% are app attacks
    • Firmware attacks are now a concern – HP printers need a firmware update for a remote firmware exploit
    • Make sure the devices and appliances that protect your network
    • Windows 8 secure boot protects against firmware attacks
    • Printers are a huge problem…update firmware!!!!!
  • Microsoft EMET (Enhanced Mitigation Experience Toolkit)
    • No application re-compile required
    • Mitigations apply to opted-in application and its plug-ins
    • Strongly recommended
    • With Windows XP and using EMET, the number of exploitable attacks went from 120 to 7
  • Effective End-User Education
    • Do your end-users know that the most likely way they can be exploited is by visiting a website you go to all the time and trust?
    • Do your end users know what their anti-malware warning looks like? Include screenshot of virus warnings in your user training materials.
  • Asset Isolation
    • Firewalls are old news
    • Do traffic analysis, who needs to talk to what?
    • Should server A speak to server B?
    • Should workstation A be able to connect to all servers?
    • If not, isolate!
    • Do detailed traffic flow analysis for internal traffic. Bing “netflow analysis”.
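As an added example of the traffic flow analysis the session recommends (this is not code from the session or from Microsoft), the script below takes flow records already exported to CSV, rolls them up by source role, destination role and port, and flags every path that the isolation policy does not explicitly allow. The sample rows, the subnet-to-role map and the allowed-path list are all constructed for the example; in practice the roles come from your CMDB or AD sites and the policy from your own "should server A speak to server B?" review.

```powershell
# Added example (not from the session): summarize internal traffic by source role,
# destination role and port, and flag paths the isolation policy does not allow.
# Assumes flow records already exported to CSV with columns src,dst,dport,bytes.
# Rows, subnets and policy below are constructed for the example.

$flowsCsv = @'
src,dst,dport,bytes
10.1.10.21,10.1.50.5,445,120000
10.1.10.21,10.1.50.5,445,98000
10.1.10.22,10.1.50.5,445,50000
10.1.10.22,10.1.60.7,1433,2000
10.1.10.23,10.1.60.7,1433,9000000
10.1.10.23,10.1.60.8,3389,4000
10.1.10.21,10.1.60.8,3389,1500
10.1.50.5,10.1.60.7,1433,300000
'@
$flows = $flowsCsv | ConvertFrom-Csv

# Role of each /24 (assumption: in practice this comes from your CMDB or AD sites).
$subnetRoles = @{
    '10.1.10' = 'workstation'
    '10.1.50' = 'fileserver'
    '10.1.60' = 'database'
}

# Paths the isolation policy allows; everything else is a candidate for a block rule.
$allowedPaths = @(
    'workstation->fileserver:445'   # users reach the file server over SMB
    'fileserver->database:1433'     # app tier reaches SQL; workstations should not
)

function Get-HostRole {
    param([string]$Ip)
    $prefix = ($Ip -split '\.')[0..2] -join '.'
    if ($subnetRoles.ContainsKey($prefix)) { $subnetRoles[$prefix] } else { 'unknown' }
}

function Get-FlowPathSummary {
    param($Flows)
    $Flows | ForEach-Object {
        [pscustomobject]@{
            Src   = $_.src
            Path  = "$(Get-HostRole $_.src)->$(Get-HostRole $_.dst):$([int]$_.dport)"
            Bytes = [long]$_.bytes
        }
    } | Group-Object Path | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.Name
            Flows   = $_.Count
            Bytes   = ($_.Group | Measure-Object Bytes -Sum).Sum
            Sources = ($_.Group.Src | Sort-Object -Unique) -join ', '
            Allowed = $allowedPaths -contains $_.Name
        }
    }
}

# Disallowed paths first, biggest transfers on top (the 9 MB workstation->SQL pull stands out).
Get-FlowPathSummary $flows |
    Sort-Object Allowed, @{ Expression = 'Bytes'; Descending = $true } |
    Format-Table -AutoSize

# A flagged path becomes a block rule on the destination host, e.g. on the SQL servers
# (NetSecurity module, Windows 8 / Server 2012 and later):
# New-NetFirewallRule -DisplayName 'Block SQL from workstation subnet' -Direction Inbound `
#     -Protocol TCP -LocalPort 1433 -RemoteAddress 10.1.10.0/24 -Action Block
```

With the constructed data the summary shows two disallowed paths: workstations reaching SQL directly on 1433 (one of them moving 9 MB) and workstations opening RDP to the database servers, which is exactly the kind of flow a jump-server design is meant to replace.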
  • Creative Destruction
    • Gartner term for a method for decommissioning legacy applications and systems
    • Catalogue the entire environment (most customers do not have one, or know what they have)
    • Identify redundancies (FedEx did this)
    • Create new specs for what their applications need to do x, then identify a cloud provider and do a wholesale migration effort
  • Protect your AD and key identities
    • Practice credential hygiene
    • Implement multi-factor authentication
    • Reduce broad and deep privileges
  • Credential Hygiene
    • Privileged accounts log onto sufficiently secured hosts
    • Domain admin logs on to Internet connected workstation = Security of entire domain entrusted that workstation
    • ***Separate the risk from privileged credentials
    • Can require detailed design/re-design of privileges, host security, and logon rights GPOs
    • Rule of thumb: Protect admin workstations at the same level as the servers/apps administered by the accounts using them
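To turn the credential hygiene rule above into a check you can actually run, here is an added example (not code from the session or from Microsoft) that looks through Security event 4624 logon records for privileged accounts logging on interactively to hosts that are not approved admin workstations or jump boxes. Logon types 2, 7, 10 and 11 leave the account's secrets in LSASS memory on that host, which is exactly what the "domain admin logs on to an Internet-connected workstation" line warns about. The account names, host names and sample events are constructed; the converter function produces the same shape from real events.

```powershell
# Added example (not from the session): find credential-caching logons by privileged
# accounts on hosts that are not approved admin hosts. Sample data is constructed.

# In practice: (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName plus the
# server-admin groups. Names here are constructed.
$privilegedAccounts = @('da-alice', 'sqladm-bob')
# Hosts hardened to the level of what their users administer (PAWs, jump boxes). Constructed.
$approvedAdminHosts = @('PAW-ALICE', 'JUMP01')
# Logon types that leave credentials in memory on the host:
# 2 interactive, 7 unlock, 10 remote interactive (RDP), 11 cached interactive.
$credentialCachingLogonTypes = @(2, 7, 10, 11)

function Find-RiskyPrivilegedLogon {
    param($Events, [string[]]$Privileged, [string[]]$ApprovedHosts)
    $Events | Where-Object {
        $_.LogonType -in $credentialCachingLogonTypes -and
        $Privileged -contains $_.TargetUserName -and
        $ApprovedHosts -notcontains $_.Computer
    } | Select-Object TimeCreated, Computer, TargetDomainName, TargetUserName, LogonType
}

# Converts a real Security event 4624 into the flat object the function expects.
# Computer is the host the event was logged on, i.e. where the logon happened.
function ConvertFrom-LogonEvent {
    param($Event)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        TimeCreated      = $Event.TimeCreated
        Computer         = ($Event.MachineName -split '\.')[0].ToUpper()
        TargetDomainName = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        TargetUserName   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        LogonType        = [int]($data | Where-Object Name -eq 'LogonType').'#text'
    }
}

# Constructed sample: a proper PAW logon, a network logon (no cached secret), and two violations.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2012-06-12 09:01'; Computer = 'PAW-ALICE'; TargetDomainName = 'CONTOSO'; TargetUserName = 'da-alice';   LogonType = 2 }
    [pscustomobject]@{ TimeCreated = '2012-06-12 09:05'; Computer = 'WS-0442';   TargetDomainName = 'CONTOSO'; TargetUserName = 'da-alice';   LogonType = 3 }
    [pscustomobject]@{ TimeCreated = '2012-06-12 10:17'; Computer = 'WS-0442';   TargetDomainName = 'CONTOSO'; TargetUserName = 'da-alice';   LogonType = 10 }
    [pscustomobject]@{ TimeCreated = '2012-06-12 11:40'; Computer = 'WS-0109';   TargetDomainName = 'CONTOSO'; TargetUserName = 'sqladm-bob'; LogonType = 2 }
)
Find-RiskyPrivilegedLogon -Events $sampleEvents -Privileged $privilegedAccounts -ApprovedHosts $approvedAdminHosts |
    Format-Table -AutoSize

# Real data, run on a workstation or against forwarded events on a collector:
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-LogonEvent $_ }
# Find-RiskyPrivilegedLogon -Events $real -Privileged $privilegedAccounts -ApprovedHosts $approvedAdminHosts
```

On the constructed sample only the RDP logon to WS-0442 and the interactive logon to WS-0109 are reported; the network logon (type 3) is deliberately ignored because it does not leave the account's hash or password on the remote host. Run against forwarded events, this is the report that tells you which admins need a properly protected workstation or jump box before the helpdesk-ticket trick in the pass the hash section catches them.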
  • Compartmentalization
    • Production domain admins – Very infrequently used
    • High Business Impact server admins (HBI)
    • Server Admins
      • SQL admins
      • Exchange Admins
      • SharePoint Admins
      • Server Admins
    • Workstation admins
  • Multi-factor authentication
    • What you know (password, PIN, etc.)
    • What you have (smart card, token, cell phone, etc.)
    • Biometric measurement (fingerprint, retina, etc.)
    • Ensure remote attackers can’t use identity over internet
      • Smart cards can be remotely duplicated
  • Privilege Reduction
    • Why? Because it only takes one privileged account to:
      • Modify GPOs
      • Place malware on DCs
      • SID history manipulation
      • Migration APIs
      • Debugger attacks
      • Disk editors
      • A lot of other bad stuff
    • Eliminate accounts that have both broad and deep privilege
    • Have NO permanent enterprise admins, domain admins, administrators. You SHOULD have to check out the password every time you need to use it.
    • Wells Fargo is a case study for an admin free active directory. If someone gets added, lots of people are paged. Company can function normally!!
  • Role-Based Access Controls (RBAC) for IT
    • Least privilege model for IT operations
  • Use jump servers
    • Domain admins cannot log on to any server or workstation
    • Give each admin their own personal jump box VM and power it down after it is used so cached credentials are not kept.
  • Privileged Identity Management
    • Time-bound, workflow generated, monitored and reported
  • Mechanics of RBAC (IT) and PIM
    • Powerful proxy accounts are NOT preferable
    • Push back on vendors that require “domain admin” or other powerful service accounts. Customers have the power to change vendor’s behavior, not Microsoft.
  • Sample Approaches to secure built-in Administrator Accounts
    • Set administrator account flags
      • Account is disabled
      • Smart card is required for interactive logon (even if you don’t use smart cards)
      • Account is sensitive and cannot be delegated
      • Audit and alert on any changes to the account
      • Create/modify domain-level GPO and deny computer access
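The account flags listed above, and the "audit and alert" item, can be scripted. The following is an added example, not code from the session or from Microsoft: it applies the three flags to the built-in domain Administrator (found by RID 500 so that renaming does not matter), verifies them, and pulls the audit events an alert would be built on: 4738 (a user account was changed) for that account, and, for the "no permanent domain admins, page people if someone gets added" rule in the privilege reduction section, 4728 (a member was added to a security-enabled global group) for Domain Admins. It assumes the ActiveDirectory module, rights to modify the account, and success auditing for User Account Management and Security Group Management on the domain controllers; the function names and the -Days defaults are my own.

```powershell
# Added example (not from the session): harden the built-in Administrator flags,
# verify them, and query the audit events that changes to it and to Domain Admins produce.
Import-Module ActiveDirectory

function Get-BuiltinAdministrator {
    # RID 500 is the built-in Administrator regardless of what it has been renamed to.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties SmartcardLogonRequired, AccountNotDelegated
}

function Set-BuiltinAdministratorFlags {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $admin = Get-BuiltinAdministrator
    if ($PSCmdlet.ShouldProcess($admin.DistinguishedName, 'disable, require smart card, mark not delegated')) {
        Set-ADUser -Identity $admin -Enabled $false -SmartcardLogonRequired $true -AccountNotDelegated $true
    }
}

function Test-BuiltinAdministratorFlags {
    $admin = Get-BuiltinAdministrator
    [pscustomobject]@{
        Account           = $admin.SamAccountName
        Disabled          = -not $admin.Enabled
        SmartCardRequired = [bool]$admin.SmartcardLogonRequired
        NotDelegated      = [bool]$admin.AccountNotDelegated
        Compliant         = (-not $admin.Enabled) -and $admin.SmartcardLogonRequired -and $admin.AccountNotDelegated
    }
}

# Pull one named field out of a Security event's EventData.
function Get-EventField {
    param($Event, [string]$Name)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 4738 = 'A user account was changed'. Run on each DC or against forwarded events.
function Get-BuiltinAdministratorChanges {
    param([int]$Days = 7)
    $adminSid = (Get-BuiltinAdministrator).SID.Value
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetSid') -eq $adminSid } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $_.MachineName; ChangedBy = Get-EventField $_ 'SubjectUserName' }
        }
}

# 4728 = 'A member was added to a security-enabled global group'. Anything returned for
# Domain Admins should page someone, since the goal is zero permanent members.
function Get-DomainAdminAdditions {
    param([int]$Days = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq 'Domain Admins' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $_.MachineName; Member = Get-EventField $_ 'MemberName'; AddedBy = Get-EventField $_ 'SubjectUserName' }
        }
}

# Usage on a DC (or a box with RSAT and event forwarding): preview, apply, verify, then schedule the two queries.
# Set-BuiltinAdministratorFlags -WhatIf
# Set-BuiltinAdministratorFlags
# Test-BuiltinAdministratorFlags
# Get-BuiltinAdministratorChanges -Days 30
# Get-DomainAdminAdditions -Days 1
```

The last item in the list, the domain-level GPO that denies the account computer access, is not something Set-ADUser can do: it is the set of user rights under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment (Deny log on locally, Deny log on through Remote Desktop Services, Deny access to this computer from the network, and the batch and service variants), applied through Group Policy to the OUs where the account must never be usable.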
  • Microsoft offers a whole host of security based services to help implement best practices and help organizations recover from compromises, and help harden against them.