The Non-Advanced Persistent Threat
Transcript of The Non-Advanced Persistent Threat
© 2014 Imperva, Inc. All rights reserved.
September 17, 2014
Agenda
§ APT
• Scenario
• Infamous APTs
§ Non-APTs
• The non-APT
• NTLM weaknesses
• Demo – Poisoning the Well (File Share)
• More attack scenarios
§ Waiting for good things to come
§ Privilege escalation
• Demo – SharePoint Poisoning
§ Leftovers
§ Conclusion
Advanced Persistent Threats
What Comes to Mind
What Is APT?
[Diagram: APT stages: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate, targeting the data center (file share / database)]
A Few Infamous APTs: From Governments to the People
§ CHS
• Stolen Records ~4,500,000
• Period ~3 months
• Initial Compromise – Heartbleed
§ eBay
• Stolen Records ~145,000,000
• Period ~2 months
• Initial Compromise – stolen credentials (phishing / reuse)
§ Target
• Stolen Records ~70,000,000
• Period ~3 weeks
• Initial Compromise – Credentials from partner (HVAC)
Non-Advanced Persistent Threats
The Non-Advanced Persistent Threat
§ What is APT?
• Advanced
• Persistent
• Threat
§ Show equivalent scenario
• Not advanced
• Not persistent (not extremely)
• Still a threat
Windows NT LAN Manager (NTLM)
§ Authentication protocol designed by Microsoft
§ Messages (challenge response):
[Diagram: NTLM message exchange: Negotiate, Challenge, Response]
§ Gives the user the Single Sign On experience
• Client stores LM / NT Hash (used for authentication)
§ Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…
§ Microsoft says:
• “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”
• “Applications are generally advised not to use NTLM”
NTLM Vulnerabilities
§ Pass the Hash (APT1)
• Because the response is calculated using the LM / NT hash, the hash is equivalent to the plaintext password
§ Weak Response Calculations
• In early versions, an attacker that has the challenge & response can calculate the LM / NT hash (CloudCracker)
• Extract easily with public tools: Windows Credential Editor (WCE) / QuarksPwDump
§ Relay Attack
Demo: Poisoning the Well
Demo - Poisoning the Well
[Diagram: Initial Compromise → Poison File Share / SharePoint → Gather Privileges (NTLM Relay) → Exfiltrate; actors Alice, Bob, CatCorp inc.]
Poisoning the Well
[Diagram: compromised host poisons the file share (steps 1, 2, 3)]
Waiting for Good Things to Come
[Diagram: compromised host, firewall agent, data center file share / database (steps 1, 2)]
Privilege Escalation
[Diagram: privilege escalation paths from the compromised host]
• SMB Reflect
• SMB relay & authenticate
• Metasploit SMB capture
• SMB relay & crack
Demo: SharePoint Poisoning
Demo – SharePoint Poisoning
[Diagram: Alice, Bob, CatCorp, Inc.]
Easily skip between protocols: HTTP to SMB / RDP / MSSQL, etc.
Leftovers
What We Left Out and Why
Things We Left Out
§ We didn’t talk about the “edges”
• Initial Compromise
  § done with simple methods (phishing, stealing, pay per infection)
  § Security is not equal, attackers go for the weakest link. recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”
• Exfiltration
  § copy stolen data from asset
  § Use any legitimate cloud service (Google Drive etc.)
[Diagram: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate]
Conclusion
What Does It All Mean & How to Mitigate?
Conclusion
§ APT is not the sole domain of government or sophisticated criminal groups
• No need for zero days
• Low technical skills
§ NTLM is only a symptom
• Patching / upgrading does not always happen, especially when it’s costly
• SSO experience is convenient for attackers: go from file to DB, Web Server, Exchange, etc.
§ The least confidential locations could prove dangerous
• Not strictly monitored
Mitigations
§ Upgrade
• A good idea, but not always feasible
• Kerberos also has its vulnerabilities (e.g. Pass the Ticket)
§ Monitor authentications to resources
• Same machine authenticates with several users
• Same user authenticates from several machines
§ Avoid services that log on to a large number of assets
• Service authentication can leave behind hashes or tickets, or be used in relay / MITM attacks
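Added example (not from the deck): the two authentication-monitoring heuristics from the Mitigations slide, plus a check for the weak NTLMv1 responses called out on the NTLM Vulnerabilities slide, run over a constructed, simplified logon log in Python. The field layout, the `NTLM_V1`/`NTLM_V2` markers and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the slides): a simplified view of the fields a
# Windows logon event carries: time, user, source host, auth package, LM package, target.
SAMPLE_LOGONS = """\
09:00:01 user=alice src=WS-ALICE pkg=Kerberos lm=- target=FILESRV
09:00:05 user=bob src=WS-BOB pkg=NTLM lm=NTLM_V2 target=FILESRV
09:01:10 user=alice src=WS-BOB pkg=NTLM lm=NTLM_V2 target=SQL01
09:01:12 user=carol src=WS-BOB pkg=NTLM lm=NTLM_V1 target=SQL01
09:01:15 user=dave src=WS-BOB pkg=NTLM lm=NTLM_V2 target=SHAREPOINT
09:02:00 user=alice src=WS-CAROL pkg=NTLM lm=NTLM_V2 target=EXCHANGE
09:02:30 user=alice src=WS-DAVE pkg=NTLM lm=NTLM_V2 target=WEB01
"""

LINE_RE = re.compile(r"(\S+) user=(\S+) src=(\S+) pkg=(\S+) lm=(\S+) target=(\S+)")

def parse(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, user, src, pkg, lm, target = m.groups()
            events.append(dict(time=t, user=user, src=src, pkg=pkg, lm=lm, target=target))
    return events

def weak_ntlm_logons(events):
    """NTLMv1 / LM responses can be recovered offline from a captured challenge/response."""
    return [e for e in events if e["pkg"] == "NTLM" and e["lm"] in ("NTLM_V1", "LM")]

def hosts_with_many_users(events, threshold=3):
    """Same machine authenticating as several users: a relay / lateral-movement indicator."""
    users = defaultdict(set)
    for e in events:
        users[e["src"]].add(e["user"])
    return {h: sorted(u) for h, u in users.items() if len(u) >= threshold}

def users_from_many_hosts(events, threshold=3):
    """Same user authenticating from several machines: a stolen / relayed credential indicator."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["src"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= threshold}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOGONS)
    print("NTLMv1 logons:", [(e["user"], e["src"]) for e in weak_ntlm_logons(ev)])
    print("Hosts with many users:", hosts_with_many_users(ev))
    print("Users from many hosts:", users_from_many_hosts(ev))
```

Thresholds and time windows must be tuned per environment; a file server or terminal server legitimately shows many users from one machine.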
www.imperva.com