How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods

Page 1: How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods

Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: [email protected] | http://cqure.us
@paulacqure @CQUREAcademy

Page 4

Upcoming Workshops

17th – 19th of October, New York, NY – Troubleshooting and Monitoring Windows Infrastructure – From Zero to Hero

Please contact our office in the United States and mention BeyondTrust! [email protected]

Exclusive discounts for all attendees in today’s seminar.

Page 7

What is the most successful path for the attack right now?

Page 8–10

THE ANATOMY OF AN ATTACK

Healthy Computer → User Receives Email → User Lured to Malicious Site → Device Infected with Malware → HelpDesk Logs into Device → Identity Stolen, Attacker Has Increased Privs

Page 12–13

“PASS THE HASH” ATTACKS

Today’s security challenge

Page 14

PASS THE HASH TECHNIQUE

Diagram:
• Fred’s Laptop: Fred’s User Session (User: Fred, Password hash: A3D7…); Malware Session (User: Administrator, Password hash: E1977…)
• Sue’s Laptop: Sue’s User Session (User: Sue, Password hash: C9DF…); Malware User Session (User: Adm…, Hash: E1977)
• File Server: User: Sue, Hash: C9DF

1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE’S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE

Page 15

PASS THE HASH ATTACKS: P-T-H SOLUTION

• VSM uses a Hyper-V powered secure execution environment to protect derived credentials: you can get things in but can’t get things out
• Decouples the NTLM hash from the logon secret
• Fully randomizes and manages a full-length NTLM hash to prevent brute-force attacks
• Derived credentials that the VSM-protected LSA Service gives to Windows are non-replayable

Page 16

VIRTUAL SECURE MODE (VSM)

• VSM runs the Windows Kernel and a series of Trustlets (Processes) within it
• VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
• VSM protects the VSM kernel and Trustlets even if the Windows Kernel is fully compromised
• Requires processor virtualization extensions (e.g.: VT-X, VT-D)

Page 17

Virtual Secure Mode

Diagram labels: Virtual Secure Mode (VSM), Local Security Auth Service, Windows, Apps, Virtual TPM, Hypervisor, Code Integrity.

Page 18

Windows 10: Local Account

Page 19

Windows 10: Domain Account

Page 22

…and reboot the machine

Page 23

Windows 10: VSM Enabled
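The demo slides show a Windows 10 machine before and after VSM is enabled and rebooted. The following PowerShell check is an added example, not code from the deck or from CQURE/BeyondTrust: it reads the Win32_DeviceGuard WMI class that Windows 10 exposes under root\Microsoft\Windows\DeviceGuard and reports whether VSM is running and whether Credential Guard (the VSM-protected LSA the deck presents as the P-T-H solution) is among the running security services. The numeric codes are decoded according to Microsoft's documentation of that class.

```powershell
# Added example (not from the slide deck): report VSM / Credential Guard state
# from the Win32_DeviceGuard WMI class that ships with Windows 10.
function Get-VsmCredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running
    # (typically the reboot shown in the deck is still pending), 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running (reboot pending?)' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning entries:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        VbsStatus                   = $vbs
        CredentialGuardConfigured   = ($configured -contains 1)
        CredentialGuardRunning      = ($running -contains 1)
        HvciRunning                 = ($running -contains 2)
        # Platform features the deck lists as prerequisites, as reported by the firmware/OS:
        # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection (others are higher codes)
        AvailableSecurityProperties = (@($dg.AvailableSecurityProperties) -join ',')
    }
}

$state = Get-VsmCredentialGuardState
$state | Format-List

if ($state.CredentialGuardRunning) {
    Write-Host 'Credential Guard is running: LSA-derived credentials are isolated in VSM.'
}
elseif ($state.CredentialGuardConfigured) {
    Write-Warning 'Credential Guard is configured but not running: reboot the machine, or check that the hypervisor and Secure Boot prerequisites are available.'
}
else {
    Write-Warning 'Credential Guard is not configured: NTLM hashes held by LSASS remain exposed to Pass-the-Hash.'
}
```

Run it in an elevated PowerShell session on the Windows 10 host being assessed; on systems without the DeviceGuard namespace the query fails with a terminating error rather than silently reporting "off".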

Page 26

Comprehensive network security must address Pass-the-Hash

• It still requires attention
• Understanding the problem is necessary
• New Windows mitigations are available:
  − Local account protections
  − Domain account protections
  − Protected domain accounts
  − Authentication policies and Silos
• Is the problem solved? No!

Page 28

PowerBroker Password Safe v6.0

Martin Cannard – Product Manager

Page 29

PAM – A collection of best practices

• AD Bridge: Use AD credentials to access Unix/Linux hosts
• Privilege Delegation: Once the user is logged on, manage what they can do
• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys

Page 30

Comprehensive Security Management

► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real time as passwords and keys are released and session activity is started
► Monitor session activity in real time, and immediately lock/terminate suspicious activity

Diagram labels: Privileged Password Management (People, Services, A2A); Privileged Session Management; SSH Key Management.

Page 31

Privileged Session Management

• User authenticates to Password Safe (HTTPS) and requests a session to a protected resource
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
• RDP/SSH session is proxied through the Password Safe appliance (Password Safe Proxy) to the Protected Resources

Page 32

Differentiator: Adaptive Workflow Control

Page 33

Adaptive Workflow Control

• Day
• Date
• Time
• Who
• What
• Where

Page 34

Differentiator: Controlling Application Access

Page 35

Automatic Login to ESXi example

Diagram labels: Browser, HTTPS, RDP Client, RDP (3389), ESXRDP (4489), vSphere RemoteApp, CredentialCheckout, Credential Management, UserStore, Session Recording / Logging. Caption: User selects vSphere application and credentials.

Page 36

Automatic Login to Unix/Linux Applications

Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps

Diagram labels: Browser, HTTPS, RDP Client, SSH (22), SSH Application, CredentialCheckout, Session Recording / Logging. Caption: User selects SSH application and credentials.

Page 37

Differentiator: Reporting & Analytics

Page 38

Actionable Reporting

Page 39

Advanced Threat Analytics

Page 40

What makes Password Safe different?

• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users

Page 41

Market Validation

• Leader: Forrester PIM Wave, Q3 2016
  − Top-ranked Current Offering (product) among all 10 vendors reviewed
  − “BeyondTrust excels with its privileged session management capabilities.”
  − “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
  − Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
  − OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
  − SC Magazine: “Recommended product.”
  − … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester

Page 43

Poll

Page 44

Q&A

Thank you for attending!