@AlienVault
About AlienVault
AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
Agenda
• The breach: common ways attackers get in
• What they do next to infiltrate the network
• Why detecting their movements is tricky
• Demo: How to detect attackers moving stealthily around your network with AlienVault USM
The Breach
Client-side vulnerabilities exploited by:
• Malicious website, i.e. watering hole attacks
• Malicious email attachment
Gives attackers access to the local system with the privileges of the local user
But how is this possible?
Windows Credentials Editor
Allows an attacker to list Windows logon sessions and add, change, list and delete associated credentials
• Pass-The-Hash on Windows machines
• Grab NTLM credentials from cached memory
• Grab Kerberos tickets from Windows machines
• Dump cleartext passwords stored by Windows authentication packages
But how is this possible?
Pass the Hash: using credentials in crafty ways (WMIC)
• WMIC (Windows Management Instrumentation Command-line)
  - Used to issue queries, e.g. listing running processes
  - wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"
But how is this possible?
Pass the Hash: using credentials in crafty ways (WMIS)
• WMIS (Windows Metadata and Internet Services)
  - Can be used to create processes; the sky is the limit with this attack vector
  - wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'
But how is this possible?
Pass the Hash: using credentials in crafty ways (SMBGET)
• SMBGET can pull files from Windows using a hash for the password
  - smbget -w demo -u demo\\administrator -O -p <hash> smb://172.16.1.1/c$/windows/temp/blog.txt
But how is this possible?
CURL
• Pass the hash and we can view a default SharePoint page, logged in as john.smith
  - curl --ntlm -u john.smith:<hash> http://intranet.demo.local/Pages/Default.aspx
But how is this possible?
Pass the Hash Toolkit
• There is also a toolkit for Windows with several pass the hash utilities
How do you detect this?
Tricky to detect because…
Firewall won’t catch it
• Exploiting client-side vulnerabilities causes the victim’s machine to initiate a connection back to the attacker’s server
• The attacker’s domain browsing activities also originate from the victim’s machine inside the network
Anti-virus is unlikely to catch it
• 82,000 new malware variants released every day*
No suspicious authentication failures
• Cached credentials are used to browse the domain, so the attacker doesn’t need to guess passwords
So, what will catch it? Network Intrusion Detection and effective correlation
*http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
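An added example, not part of the AlienVault deck or USM product: a small correlation rule in the spirit of the "effective correlation" point above. Since pass-the-hash produces only successful logons, it looks for one source host performing NTLM network logons (Windows event 4624, logon type 3) to several distinct hosts in a short window. The log line layout, field names and hostnames are constructed for this example.

```python
# Correlation rule: one source host using NTLM network logons (Event 4624,
# logon type 3) against many distinct targets within a short window. No
# failed logons are needed to fire, which is the point of the slide above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system); one logon per line.
SAMPLE_LOG = """\
2014-03-05T10:00:01 id=4624 type=3 pkg=NTLM user=administrator src=WKS-042 target=FS01
2014-03-05T10:00:09 id=4624 type=3 pkg=NTLM user=administrator src=WKS-042 target=DC01
2014-03-05T10:00:15 id=4624 type=3 pkg=NTLM user=administrator src=WKS-042 target=SP01
2014-03-05T10:01:30 id=4624 type=3 pkg=Kerberos user=john.smith src=WKS-007 target=SP01
2014-03-05T10:02:00 id=4624 type=3 pkg=NTLM user=john.smith src=WKS-007 target=FS01
2014-03-05T10:30:00 id=4624 type=3 pkg=NTLM user=administrator src=WKS-042 target=HR01
2014-03-05T10:45:00 id=4624 type=2 pkg=Negotiate user=jane.doe src=WKS-011 target=WKS-011
"""

def parse_log(text):
    """Parse each 'timestamp key=value ...' line into a dict with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def ntlm_fan_out(events, window=timedelta(minutes=5), min_targets=3):
    """Return {(src, user): [targets]} for every source/user pair that made
    NTLM network logons to at least min_targets distinct hosts inside one window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["id"] == "4624" and ev["type"] == "3" and ev["pkg"] == "NTLM":
            by_actor[(ev["src"], ev["user"])].append((ev["time"], ev["target"]))
    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort()  # chronological, so a window starts at each logon in turn
        for i, (start, _) in enumerate(logons):
            targets = {t for ts, t in logons[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[actor] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    for (src, user), targets in ntlm_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} from {src} reached {len(targets)} hosts via NTLM: {targets}")
```

On the sample, only WKS-042/administrator trips the rule (three hosts in 15 seconds); the later HR01 logon falls outside the window, and the Kerberos and interactive logons are ignored.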
USM Product Capabilities
USM, powered by AV Labs Threat Intelligence
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Unified Security Management
Complete. Simple. Affordable.
AlienVault USM provides asset discovery, vulnerability assessment, threat detection, behavioral monitoring & SIEM in one, pre-integrated platform, plus:
• AlienVault Labs Threat Intelligence
• AlienVault Open Threat Exchange
Delivery Options: Hardware, Virtual, or Cloud-based appliances
Starting at only $3600
Open-Source version (OSSIM) also available
More Questions? Email
NOW FOR SOME Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Product Sandbox
http://www.alienvault.com/live-demo-site