Page 1: The Non-Advanced Persistent Threat

© 2014 Imperva, Inc. All rights reserved. Confidential

Sagie Dulce, Security Research Engineer, Imperva

Page 2: Agenda

APT

• Scenario

• Infamous APTs

Non-APTs

• The non-APT

• NTLM weaknesses

• Demo - Poisoning the Well (File Share)

• More attack scenarios

Waiting for good things to come

Privilege escalation

• Demo – SharePoint Poisoning

Leftovers

Conclusion

Page 3: Sagie Dulce, Security Research Engineer, Imperva

• 10+ years of cyber security experience

• Researcher at IDF Intelligence Core

• Data Researcher at the ADC group

• Frequent contributor to Imperva’s Blog

• Authored several Hacker Intelligence Initiative (HII) Reports

Page 4: Advanced Persistent Threats

What Comes to Mind

Page 5: What Is APT?

Diagram: Data Center (File Share / Database). Attack stages: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate

Page 6: A Few Infamous APTs: From Governments to the People

CHS

• Stolen Records ~4,500,000

• Period ~3 months

• Initial Compromise – Heartbleed

eBay

• Stolen Records ~145,000,000

• Period ~2 months

• Initial Compromise – stolen credentials (phishing / reuse)

Target

• Stolen Records ~70,000,000

• Period ~3 weeks

• Initial Compromise – Credentials from partner (HVAC)

Page 7: Non-Advanced Persistent Threats

Page 8: The Non-Advanced Persistent Threat

What is APT?

• Advanced

• Persistent

• Threat

Show equivalent scenario

• Not advanced

• Not persistent (not extremely)

• Still a threat

Page 9: Windows NT LAN Manager (NTLM)

Authentication protocol designed by Microsoft

Messages (challenge response): Negotiate, Challenge, Response

Gives the user the Single Sign On experience

• Client stores LM / NT Hash (used for authentication)

Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…

Microsoft says:

• “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”

• “Applications are generally advised not to use NTLM”

Page 10: NTLM Vulnerabilities

Pass the Hash (APT1)

• Because the response is calculated using the LM / NT hash, the hash is equivalent to the plaintext password

Weak Response Calculations

• In early versions, an attacker that has the challenge & response can calculate the LM / NT hash (CloudCracker)

• Extract easily with public tools: Windows Credential Editor (WCE) / QuarksPwDump

Relay Attack
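Added example, not from the slides or from Imperva: the NTLMv2 response derivation as MS-NLMP specifies it, written in Python to make the Pass the Hash point above concrete. Both the client's proof and the server's check are computed from the 16-byte NT hash alone, so a stolen hash authenticates exactly like the password; the NT hash, challenges, timestamp and AV pair below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example of the NTLMv2 response derivation (MS-NLMP 3.3.2); all values
# below are constructed. The only secret involved is the NT hash, never the password.

def ntowf_v2(nt_hash, user, domain):
    """ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()

def ntlmv2_temp(filetime, client_challenge, av_pairs):
    """Client 'temp' blob: RespType 1, HiRespType 1, 6 zero bytes, FILETIME,
    8-byte client nonce, 4 zero bytes, AV pairs, 4 zero bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)

def ntlmv2_response(nt_hash, user, domain, server_challenge, temp):
    """NtChallengeResponse = NtProofStr || temp, NtProofStr = HMAC-MD5(key, challenge || temp)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest() + temp

def server_verify(stored_nt_hash, user, domain, server_challenge, nt_challenge_response):
    """Server/DC side: recompute NtProofStr from the stored NT hash and the client's
    temp blob, then compare in constant time."""
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)

# Constructed sample values (not real credentials or captured traffic).
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")
# One AV pair, MsvAvNbComputerName (id 2) = "SRV" in UTF-16LE, followed by MsvAvEOL.
AV_PAIRS = struct.pack("<HH", 2, 6) + "SRV".encode("utf-16-le") + struct.pack("<HH", 0, 0)
FILETIME = 130460000000000000  # a 2014 timestamp in 100 ns units since 1601

def demo():
    """Return (accepted, accepted_under_other_challenge): the same 16-byte hash
    both produces the response on the client and validates it on the server."""
    temp = ntlmv2_temp(FILETIME, CLIENT_CHALLENGE, AV_PAIRS)
    resp = ntlmv2_response(NT_HASH, "alice", "CATCORP", SERVER_CHALLENGE, temp)
    accepted = server_verify(NT_HASH, "alice", "CATCORP", SERVER_CHALLENGE, resp)
    replayed = server_verify(NT_HASH, "alice", "CATCORP", bytes(8), resp)
    return accepted, replayed
```

The second value shows the per-connection server challenge does stop a straight replay of a captured response; it does not stop a live relay, where the attacker forwards the target's own challenge to the victim.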

Page 11: Demo – Poisoning the Well

Page 12: Demo – Poisoning the Well

Diagram: Initial Compromise → Poison File Share / SharePoint → Gather Privileges (NTLM Relay) → Exfiltrate. Actors: Alice, Bob, CatCorp inc.

Page 13: Poisoning the Well

Diagram: File Share; Compromised; steps 1, 2, 3

Page 14: Waiting for Good Things to Come

Diagram: Compromised (steps 1, 2); Firewall Agent; Data Center (File Share / Database)

Page 15: Privilege Escalation

Diagram (Compromised host, SMB):

• Reflect

• SMB relay & authenticate

• Metasploit

• SMB capture

• SMB relay & crack

Page 16: Demo – SharePoint Poisoning

Page 17: Demo – SharePoint Poisoning

Diagram: Alice, Bob, CatCorp, Inc.

Easily skip between protocols: HTTP to SMB / RDP / MSSQL, etc.

Page 18: Leftovers

What We Left Out and Why

Page 19: Things We Left Out

We didn’t talk about the “edges”

• Initial Compromise

Done with simple methods (phishing, stealing, pay per infection)

Security is not equal, attackers go for the weakest link.

recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”

• Exfiltration

Copy stolen data from asset

Use any legitimate cloud service (Google Drive etc.)

Diagram: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate

Page 20: Conclusion

What Does It All Mean & How to Mitigate?

Page 21: Conclusion

APT is not the sole domain of government or sophisticated criminal groups

• No need for zero days

• Low technical skills

NTLM is only a symptom

• Patching / upgrading does not always happen, especially when it’s costly

• SSO experience is convenient for attackers: go from file to DB, Web Server, Exchange, etc.

The least confidential locations could prove dangerous

• Not strictly monitored

Page 22: Mitigations

Upgrade

• While a good idea, not always feasible

• Kerberos also has its vulnerabilities (e.g. Pass the Ticket)

Monitor authentications to resources

• Same machine authenticates with several users

• Same user authenticates from several machines

Avoid services that log on to a large number of assets

• Service authentication can leave behind hashes or tickets, or be used in relay / MITM attacks
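Added example, not from the slides: a small detector for the two monitoring rules above, run over constructed Windows 4624 network-logon records flattened to one key=value line each. It flags a workstation that authenticates as several different users and a user who authenticates from several different workstations; the log layout, field names and thresholds are assumptions, and the records are made up.

```python
import re
from collections import defaultdict

# Constructed sample of logon events (event 4624 = success, 4625 = failure,
# LogonType 3 = network). Made-up records, not data from the webinar.
SAMPLE_LOGONS = """\
2014-06-01T09:00:01 EventID=4624 LogonType=3 AuthPkg=NTLM User=alice Workstation=WS01 SrcIP=10.0.0.5 Target=FILESRV
2014-06-01T09:00:07 EventID=4624 LogonType=3 AuthPkg=NTLM User=bob Workstation=WS01 SrcIP=10.0.0.5 Target=FILESRV
2014-06-01T09:00:12 EventID=4624 LogonType=3 AuthPkg=NTLM User=carol Workstation=WS01 SrcIP=10.0.0.5 Target=SQL01
2014-06-01T09:01:30 EventID=4624 LogonType=3 AuthPkg=Kerberos User=bob Workstation=WS02 SrcIP=10.0.0.6 Target=FILESRV
2014-06-01T09:02:45 EventID=4624 LogonType=3 AuthPkg=NTLM User=bob Workstation=WS03 SrcIP=10.0.0.7 Target=SHAREPOINT
2014-06-01T09:03:10 EventID=4624 LogonType=3 AuthPkg=NTLM User=dave Workstation=WS04 SrcIP=10.0.0.8 Target=FILESRV
2014-06-01T09:04:00 EventID=4625 LogonType=3 AuthPkg=NTLM User=erin Workstation=WS01 SrcIP=10.0.0.5 Target=FILESRV
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_logons(text):
    """Yield one dict per successful network logon (4624, LogonType 3); skip the rest.
    Failed attempts are deliberately ignored: a relay that works produces successes."""
    for line in text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("EventID") == "4624" and rec.get("LogonType") == "3":
            yield rec

def find_anomalies(text, max_users_per_host=2, max_hosts_per_user=2):
    """Apply both rules from the mitigation slide. Returns two dicts:
    {workstation: [users]} where one machine authenticated as more than
    max_users_per_host distinct users, and {user: [workstations]} where one
    account authenticated from more than max_hosts_per_user distinct machines.
    Kerberos logons are counted too, since a pass-the-ticket abuse looks the same."""
    users_by_host = defaultdict(set)
    hosts_by_user = defaultdict(set)
    for rec in parse_logons(text):
        users_by_host[rec["Workstation"]].add(rec["User"])
        hosts_by_user[rec["User"]].add(rec["Workstation"])
    noisy_hosts = {h: sorted(u) for h, u in users_by_host.items() if len(u) > max_users_per_host}
    roaming_users = {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > max_hosts_per_user}
    return noisy_hosts, roaming_users

if __name__ == "__main__":
    hosts, users = find_anomalies(SAMPLE_LOGONS)
    print("machines authenticating as several users:", hosts)
    print("users authenticating from several machines:", users)
```

On real data the thresholds would be set per environment and the rules extended to source IP and target service, but the grouping logic is the same.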

Page 23: Webinar Materials

• Post-Webinar Discussions

• Answers to Attendee Questions

• Webinar Recording Link

• Join Group: Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 24: Questions?

www.imperva.com

Page 25: Thank You