© 2014 Imperva, Inc. All rights reserved.
The Non-Advanced Persistent Threat
Confidential 1
Sagie Dulce, Security Research Engineer, Imperva
Agenda
APT
• Scenario
• Infamous APTs
Non-APTs
• The non-APT
• NTLM weaknesses
• Demo - Poisoning the Well (File Share)
• More attack scenarios
Waiting for good things to come
Privilege escalation
• Demo – SharePoint Poisoning
Leftovers
Conclusion
Sagie Dulce, Security Research Engineer, Imperva
10+ years of cyber security experience
Researcher at IDF Intelligence Core
Data Researcher at the ADC group
Frequent contributor to Imperva’s Blog
Authored several Hacker Intelligence Initiative (HII) Reports
Advanced Persistent Threats
What Comes to Mind
What Is APT?
(Diagram) Attack chain against the Data Center (File Share / Database): Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate
Few Infamous APTs: From Governments to the People
CHS
• Stolen Records ~4,500,000
• Period ~3 months
• Initial Compromise – Heartbleed
eBay
• Stolen Records ~145,000,000
• Period ~2 months
• Initial Compromise – stolen credentials (phishing / reuse)
Target
• Stolen Records ~70,000,000
• Period ~3 weeks
• Initial Compromise – credentials from partner (HVAC)
Non-Advanced Persistent Threats
The Non-Advanced Persistent Threat
What is APT?
• Advanced
• Persistent
• Threat
Show the equivalent scenario:
• Not advanced
• Not persistent (not extremely)
• Still a threat
Windows NT LAN Manager (NTLM)
Authentication protocol designed by Microsoft
Messages (challenge response): Negotiate → Challenge → Response
Gives the user the Single Sign On experience
• Client stores LM / NT Hash (used for authentication)
Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…
Microsoft says:
• “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”
• “Applications are generally advised not to use NTLM”
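The three NTLM messages above travel base64-encoded inside HTTP WWW-Authenticate / Authorization headers when NTLM is used over HTTP, which is one of the protocols the slide lists. The parser below is an added example, not code from the deck or from Imperva: it decodes the Negotiate, Challenge and Response messages (MS-NLMP calls the third one AUTHENTICATE_MESSAGE) and pulls out the fields a defender wants from a proxy or web-server log, namely who authenticated, from which workstation, against which target. Field offsets follow MS-NLMP section 2.2.1; the two sample messages are constructed here with invented names (CATCORP, alice, WS07) and filler response bytes, so nothing in them is a real credential.

```python
"""Parser for NTLMSSP messages (Negotiate / Challenge / Authenticate) as they
appear in HTTP auth headers. Added example; layout per MS-NLMP 2.2.1.
The sample messages are constructed below, with invented names."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set


def _buf(data: bytes, offset: int) -> bytes:
    """Security-buffer descriptor: Len(2) MaxLen(2) BufferOffset(4), little-endian."""
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_buf(msg: bytes, at: int) -> bytes:
    """Follow the security-buffer descriptor located at 'at' into the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def _text(raw: bytes, flags: int) -> str:
    return raw.decode("utf-16le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1")


def parse_ntlm_message(msg: bytes) -> dict:
    """Return the security-relevant fields of one NTLMSSP message."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == NEGOTIATE:                      # type 1: flags at offset 12
        (flags,) = struct.unpack_from("<I", msg, 12)
        return {"type": "Negotiate", "flags": flags}
    if mtype == CHALLENGE:                      # type 2: TargetName@12, flags@20, challenge@24
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"type": "Challenge", "flags": flags,
                "target": _text(_read_buf(msg, 12), flags),
                "server_challenge": msg[24:32].hex()}
    if mtype == AUTHENTICATE:                   # type 3: descriptors at 12/20/28/36/44/52, flags@60
        (flags,) = struct.unpack_from("<I", msg, 60)
        return {"type": "Authenticate", "flags": flags,
                "domain": _text(_read_buf(msg, 28), flags),
                "user": _text(_read_buf(msg, 36), flags),
                "workstation": _text(_read_buf(msg, 44), flags),
                "nt_response_len": len(_read_buf(msg, 20))}
    raise ValueError(f"unknown NTLMSSP message type {mtype}")


def parse_auth_header(value: str) -> dict:
    """'Authorization: NTLM <b64>' or 'WWW-Authenticate: NTLM <b64>' -> fields."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    return parse_ntlm_message(base64.b64decode(token))


# --- constructed sample messages (not captured traffic) ----------------------

def build_challenge(target: str, server_challenge: bytes,
                    flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    """Type 2: 56-byte header (incl. 8-byte Version) followed by the payload."""
    t = target.encode("utf-16le")
    return (SIGNATURE + struct.pack("<I", CHALLENGE) + _buf(t, 56)
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + _buf(b"", 56 + len(t)) + b"\x00" * 8 + t)


def build_authenticate(domain: str, user: str, workstation: str,
                       flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    """Type 3: 88-byte header (flags, Version, MIC) then payload. The LM/NT
    response fields hold filler bytes here, not a computed NTLM response."""
    d, u, w = (s.encode("utf-16le") for s in (domain, user, workstation))
    lm, nt = b"\x00" * 24, b"\x11" * 24           # filler, see docstring
    off, descs, parts = 88, [], []
    for data in (lm, nt, d, u, w, b""):           # payload order mirrors field order
        descs.append(_buf(data, off)); parts.append(data); off += len(data)
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE) + b"".join(descs)
            + struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16 + b"".join(parts))


def sample_auth_header() -> str:
    """Constructed Authorization value for the invented user CATCORP\\alice on WS07."""
    return "NTLM " + base64.b64encode(build_authenticate("CATCORP", "alice", "WS07")).decode("ascii")


if __name__ == "__main__":
    print(parse_ntlm_message(build_challenge("CATCORP", bytes(range(8)))))
    print(parse_auth_header(sample_auth_header()))
```

Because every variable-length field is reached through its descriptor rather than a fixed offset, the same parser handles messages with or without the optional Version block; the bounds check in `_read_buf` is what keeps a malformed descriptor from reading past the buffer.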
NTLM Vulnerabilities
Pass the Hash (APT1)
• Because the response is calculated from the LM / NT hash, the hash is equivalent to the plaintext password
Weak Response Calculations
• In early versions, an attacker that has the challenge & response can calculate the LM / NT hash (CloudCracker)
• Hashes are extracted easily with public tools: Windows Credential Editor (WCE) / QuarksPwDump
Relay Attack
Demo: Poisoning the Well
Demo - Poisoning the Well
(Diagram) Initial Compromise → Poison File Share / SharePoint → Gather Privileges (NTLM Relay) → Exfiltrate
Actors: Alice, Bob, CatCorp Inc.
Poisoning the Well
(Diagram: compromised host and File Share, steps 1, 2, 3)
Waiting for Good Things to Come
(Diagram: compromised host, steps 1, 2; Firewall, Agent; Data Center with File Share / Database)
Privilege Escalation
(Diagram, paths from the compromised host:)
• SMB reflect
• SMB relay & authenticate
• Metasploit SMB capture
• SMB relay & crack
Demo – SharePoint Poisoning
Actors: Alice, Bob, CatCorp, Inc.
Easily skip between protocols: HTTP to SMB / RDP / MSSQL, etc.
Leftovers
What We Left Out and Why
We didn’t talk about the “edges”
• Initial Compromise
  • done with simple methods (phishing, stealing, pay per infection)
  • Security is not equal; attackers go for the weakest link.
  • recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”
• Exfiltration
  • copy stolen data from the asset
  • Use any legitimate cloud service (Google Drive etc.)
(Diagram “Things We Left Out”: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate)
Conclusion
What Does It All Mean & How to Mitigate?
APT is not the sole domain of government or sophisticated criminal groups
• No need for zero days
• Low technical skills
NTLM is only a symptom
• Patching / upgrading does not always happen, especially when it’s costly
• SSO experience is convenient for attackers: go from file to DB, Web Server, Exchange, etc.
The least confidential locations could prove dangerous
• Not strictly monitored
Mitigations
Upgrade
• A good idea, but not always feasible
• Kerberos also has its vulnerabilities (e.g. Pass the Ticket)
Monitor authentications to resources
• Same machine authenticates with several users
• Same user authenticates from several machines
Avoid services that log on to a large number of assets
• Service authentication can leave behind hashes or tickets, or be used in relay / MITM attacks
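The two monitoring signals on the Mitigations slide are simple enough to implement directly. The script below is an added example, not Imperva's code: it runs a sliding-window check over a constructed sample of Windows Security 4624 (successful logon) records reduced to the fields a detector needs, and reports any source machine that authenticated as several distinct users, and any user that authenticated from several distinct machines, within the window. Every host, user and timestamp in the sample is invented, and the window (30 minutes) and threshold (3) are assumptions to be tuned against an environment's own baseline. It also shows the two filters a practitioner would want: restricting to NTLM network logons (logon type 3), which is the case the deck is about, and skipping machine accounts (names ending in `$`), which authenticate constantly and would otherwise swamp the result.

```python
"""Detect (1) one machine authenticating as several users and (2) one user
authenticating from several machines, over NTLM network logon events.
Added example with constructed sample data; not Imperva's code."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LogonEvent = namedtuple("LogonEvent", "ts user source package logon_type")

# Constructed sample (not real logs): timestamp, TargetUserName, source
# address, AuthenticationPackageName, LogonType. Type 3 = network logon,
# which is what SMB / HTTP / MSSQL access with NTLM produces on the target.
SAMPLE_ROWS = [
    ("2014-06-01T09:00:01", "alice", "10.0.0.11", "NTLM", 3),
    ("2014-06-01T09:05:12", "bob",   "10.0.0.12", "NTLM", 3),
    ("2014-06-01T09:07:40", "alice", "10.0.0.11", "NTLM", 3),
    ("2014-06-01T09:10:03", "WS07$", "10.0.0.50", "NTLM", 3),      # machine account
    ("2014-06-01T09:12:00", "alice", "10.0.0.50", "NTLM", 3),
    ("2014-06-01T09:13:30", "bob",   "10.0.0.50", "NTLM", 3),
    ("2014-06-01T09:15:05", "carol", "10.0.0.50", "NTLM", 3),
    ("2014-06-01T09:18:41", "dave",  "10.0.0.50", "NTLM", 3),
    ("2014-06-01T09:20:00", "erin",  "10.0.0.50", "Kerberos", 3),  # not NTLM
    ("2014-06-01T10:00:00", "svc_backup", "10.0.0.21", "NTLM", 3),
    ("2014-06-01T10:00:05", "svc_backup", "10.0.0.22", "NTLM", 3),
    ("2014-06-01T10:00:09", "svc_backup", "10.0.0.23", "NTLM", 3),
    ("2014-06-01T10:00:14", "svc_backup", "10.0.0.24", "NTLM", 3),
]


def load_events(rows):
    """Turn the reduced rows into LogonEvent records with real timestamps."""
    return [LogonEvent(datetime.fromisoformat(ts), u, s, p, lt) for ts, u, s, p, lt in rows]


def _max_distinct_in_window(items, window):
    """items: (timestamp, value) pairs. Slide a window of length 'window' over
    the time-sorted list and return the largest set of distinct values seen
    inside any one window position."""
    items = sorted(items)
    counts, best, left = defaultdict(int), set(), 0
    for ts, val in items:
        counts[val] += 1
        while ts - items[left][0] > window:       # evict events older than the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > len(best):
            best = set(counts)
    return best


def find_ntlm_anomalies(events, window=timedelta(minutes=30), threshold=3):
    """Return sorted (kind, key, members) findings. Window and threshold are
    assumptions for the sample; tune them to the environment's baseline."""
    by_machine, by_user = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.package != "NTLM" or ev.logon_type != 3:
            continue                       # only NTLM network logons, the slide's concern
        if ev.user.endswith("$"):
            continue                       # machine accounts authenticate constantly; skip
        by_machine[ev.source].append((ev.ts, ev.user))
        by_user[ev.user].append((ev.ts, ev.source))
    findings = []
    for machine, items in by_machine.items():
        users = _max_distinct_in_window(items, window)
        if len(users) >= threshold:
            findings.append(("machine-many-users", machine, sorted(users)))
    for user, items in by_user.items():
        machines = _max_distinct_in_window(items, window)
        if len(machines) >= threshold:
            findings.append(("user-many-machines", user, sorted(machines)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, key, members in find_ntlm_anomalies(load_events(SAMPLE_ROWS)):
        print(f"{kind}: {key} -> {', '.join(members)}")
```

On the sample, the host 10.0.0.50 is reported for authenticating as four different users inside a few minutes (the pattern a relayed or captured credential produces), and the service account svc_backup is reported for logging on to four machines in quick succession, which is exactly the service behaviour the last bullet warns about. The two ordinary users, who each appear from at most two machines, stay under the threshold.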
Webinar Materials: post-webinar discussions, answers to attendee questions, webinar recording link; join the Imperva LinkedIn group, Imperva Data Security Direct
Questions?
www.imperva.com
Thank You