Preventing Advanced Targeted Attacks with IAM Best Practices
TRANSCRIPT
Hello Friend - Andy Thompson
@R41nM4kr
▪ Strategic Advisor – CyberArk Software
▪ B.S. Information Systems – University of Texas at Arlington
▪ CompTIA A+ & Sec+
▪ VMware VCA-DCV
▪ (ISC)2 SSCP & CISSP
▪ GIAC GPEN (Taking exam tomorrow!)
▪ Married, Father of 2 girls.
▪ Member of Shadow Systems Hacker Collective
▪ Member of Dallas Hackers Association
Golden Ticket Attack
Proof of Concept in Under 6 Minutes.
(4 Minutes if I weren’t so bad at typing)
Just a warning here...
▪ It didn’t actually go down like this.
▪ More than one way to skin a cat.
▪ No 1337 H4X here.
What makes an attack advanced?
An advanced attack is a targeted attack against a specific organization, during which an attacker operates extensively inside the network.
Contrary to:
▪ Distributed Denial of Service (DDoS)
▪ Opportunistic endpoint attacks (ex: Ransomware)
▪ Quick, targeted attacks (ex: Support Call Scams)
Phases of an Advanced Attack
External Recon
•OSINT
•Passive Scanning
Breach
•Phishing
•USB Drops
•Exploits
Internal Recon
•Network Queries
•Passive Listening
•Probing
Lateral Movement
•Seek Creds
•See Access
Domain Compromise
•Golden Ticket
•Persistence
Endgame
•Exfiltration
•DoS
•Corrupt
Internal Recon
(Diagram: Domain Controller, File Server 1, Admin Workstation, Web Server 3, Help Desk Workstation)
WHAT computers are there in the network?
WHO are the privileged users?
WHERE are they connected?
What privileges can I GET?
COMMON TOOLS USED FOR RECON: nmap, BloodHound, PowerShell
Lateral Movement
(Diagram: Domain Controller, Web Server 3, Help Desk Workstation, File Server 1, Admin Workstation)
Connect to the shared machine
Search for credentials
Steal privileged credentials
***** Domain Admin credentials found!
COMMON TOOLS USED FOR LATERAL MOVEMENT: mimikatz, PsExec
Domain Compromise
(Diagram: Domain Controller, SWIFTNet)
Connect to Domain Controller
Steal krbtgt hash
Create a Golden Ticket with required privileges
Locate and access desired system: SWIFTNet
NEXT: Steal the krbtgt hash
Generate golden ticket for full domain access
Actions on target
(Diagram: SWIFTNet Server, SWIFT User 1, SWIFT User 2, SWIFTNet, Recipient Bank)
Access the SWIFT server
Locate pending transaction file
Inject fraudulent transaction
Endpoint Least Privilege
▪ Remove Unnecessary Privileges
  ■ Local Admin
  ■ Implement Least Privilege
▪ Manage Application Access
  ■ Block applications running by unauthorized accounts
  ■ Allow others.
Network Segmentation
▪ Not really IAM, but still a Best Practice recommendation.
  ■ Prevents lateral movement.
▪ Route Privileged Identities through isolated jump servers.
  ■ Can’t pass the hash if you can’t get a hash!
  ■ Accountability & Auditing
    • Privileged Internal Users
    • Vendors & 3rd Parties too!
Privileged Session Management Explained.
(Diagram: user -> PVWA -> PSM -> Vault; targets: Routers and Switches, Windows/UNIX Servers, Web Sites, Databases, ESX\vCenters; SIEM/Syslog)
1. Logon through PVWA (HTTPS)
2. Connect to the PSM (RDP over HTTPS)
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog
Credentials
▪ Secure and Manage your Credentials
  ■ Unique
  ■ Complex
  ■ Ever-changing!
▪ Require MFA
▪ Credential Boundaries
  ■ See MSFT Whitepaper: Mitigating Pass-the-Hash Attacks and Other Credential Theft, Version 2
Tier 0 / Tier 1 / Tier 2
Tier 0 – Forest Admins: Direct or indirect administrative control of Active Directory forests, domains, or domain controllers.
Tier 1 – Server Admins: Direct or indirect administrative control over a single or multiple servers.
Tier 2 – Workstation Admins: Direct or indirect administrative control over a single or multiple devices.
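The tier model above turned into a check, as an added example that is not part of the original slides and not code from CyberArk. The rule it applies is an assumption stated for the example: an admin account may log on only to assets of its own tier, and the dangerous direction is a more-trusted credential (Tier 0) landing on a less-trusted host (Tier 1 or 2), where its hash then sits in LSASS for whoever controls that box. Account names, host names, tier assignments and the sample logon records are all constructed; the Windows logon-type numbers are the real ones.

```python
"""Tier-boundary check over constructed logon records (added example,
not from the slides or from CyberArk). Names, tiers and logons are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Tier of each administrative account (in practice: AD group membership).
ACCOUNT_TIER = {
    "ADM-AThompson-T0": 0,   # forest admin
    "ADM-JVealey-T1": 1,     # server admin
    "ADM-NLiran-T2": 2,      # workstation admin
}

# Tier of each host (in practice: OU placement / asset inventory).
HOST_TIER = {
    "DC01": 0,           # domain controller
    "ADM-WS-T0": 0,      # privileged access workstation for Tier 0
    "FS01": 1,           # file server
    "WEB03": 1,          # web server
    "HELPDESK-WS": 2,    # help-desk workstation
}

# Windows logon types that leave reusable credential material in LSASS on the
# target (interactive, batch, service, RemoteInteractive, CachedInteractive).
# A plain network logon (type 3) normally does not.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    account_tier: int
    host_tier: Optional[int]
    severity: str
    reason: str


def check_logon(logon: Logon) -> Optional[Finding]:
    """Return a Finding when a tiered admin account crosses a tier boundary."""
    account_tier = ACCOUNT_TIER.get(logon.account)
    if account_tier is None:
        return None  # ordinary user account: outside the scope of this check
    host_tier = HOST_TIER.get(logon.host)
    if host_tier is None:
        # A privileged credential used on a host the tier model does not cover
        # is a logon outside the IAM controls: nobody vouches for that host.
        return Finding(logon.account, logon.host, account_tier, None, "high",
                       "privileged logon to a host outside the tier model")
    if account_tier == host_tier:
        return None
    if account_tier < host_tier:
        # More-trusted credential on a less-trusted host: the credential-theft
        # path (a Tier 0 hash sitting on a Tier 2 workstation).
        caches = logon.logon_type in CREDENTIAL_CACHING_LOGON_TYPES
        severity = "high" if caches else "medium"
        reason = f"Tier {account_tier} credential exposed on Tier {host_tier} host"
        if not caches:
            reason += " (network logon, no cached credential)"
    else:
        # Less-trusted admin reaching up: should be blocked by logon rights,
        # and worth a look if it succeeded.
        severity = "medium"
        reason = f"Tier {account_tier} account reaching up into Tier {host_tier}"
    return Finding(logon.account, logon.host, account_tier, host_tier, severity, reason)


def evaluate(logons: List[Logon]) -> List[Finding]:
    """Run check_logon over a batch and keep only the violations."""
    return [f for f in map(check_logon, logons) if f is not None]


# Constructed sample logons (logon_type: 2 interactive, 3 network, 10 RDP).
SAMPLE_LOGONS = [
    Logon("ADM-AThompson-T0", "DC01", 10),         # Tier 0 admin on a DC: fine
    Logon("ADM-AThompson-T0", "HELPDESK-WS", 10),  # Tier 0 RDP to a workstation: high
    Logon("ADM-AThompson-T0", "FS01", 3),          # Tier 0 network logon to a server: medium
    Logon("ADM-JVealey-T1", "FS01", 10),           # Tier 1 admin on a server: fine
    Logon("ADM-JVealey-T1", "DC01", 3),            # Tier 1 touching a DC: medium
    Logon("ADM-NLiran-T2", "WEB03", 2),            # Tier 2 admin on a server: medium
    Logon("ADM-AThompson-T0", "LAB-PC-7", 2),      # Tier 0 on an untiered host: high
    Logon("JVealey", "HELPDESK-WS", 2),            # ordinary user: ignored
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOGONS):
        print(f"[{f.severity.upper():6}] {f.account} -> {f.host}: {f.reason}")
```

Fed with real 4624 events, the same check is the "logons outside your IAM controls" alert: a Tier 0 account that never appears anywhere but Tier 0 assets is the whole point of the boundary, and every finding here is either a rule to enforce (deny the logon right) or an incident to look at.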
(Diagram: five users – AThompson, JVealey, NLiran, KJermyn, PLi)
Before: each user has a personal admin account – ADM-AThompson, ADM-JVealey, ADM-NLiran, ADM-KJermyn, ADM-PLi. 5 Privileged Accounts.
After: the same five users share one ADM-Functional-Account. 1 Privileged Account.
The whole-shabang!
Unbounded Network: Financial Databases, PCI Databases, ESX Servers, Domain Controllers, Workstations/Laptops
Network w/ Credential Boundaries: Financial Databases, PCI Databases, ESX Servers, Domain Controllers, Workstations/Laptops
Further Reduce Risk of Theft With EPM
Monitoring
▪ Monitor privileged users
  ■ Internal employees & 3rd Party Access
▪ Alerting on high risk or malicious events
  ■ DCSync
  ■ IOC behavior.
▪ Alert on behavior anomalies
  ■ Logons outside your IAM controls.
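The DCSync alert above, as an added example that is not part of the original slides and not CyberArk code. DCSync asks a domain controller to replicate directory data (krbtgt hash included), which requires the replication extended rights; a DC logs each such request as Security event 4662 with the right's GUID in the Properties field. Anything other than a domain controller, or a known directory-sync service account, exercising those rights is the alert. The flattened "Key: value" record format, the host and account names, the allowlist and the five sample records are assumptions constructed for the example; the replication-right GUIDs and the domainDNS class GUID are the real Active Directory values.

```python
"""DCSync detection over constructed Windows Security event 4662 records
(added example, not from the slides or from CyberArk; record layout, names
and allowlist are assumptions, the GUIDs are the real AD ones)."""
import re
from typing import Dict, List

# Extended rights needed for directory replication (and therefore for DCSync).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Principals expected to replicate: DC computer accounts and, as an assumption
# for the example, one directory-sync service account. Keep this list short
# and reviewed; every entry on it is a DCSync blind spot.
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_SERVICE_ACCOUNTS = {"svc-dirsync"}


def parse_event(raw: str) -> Dict[str, str]:
    """Parse one flattened 'Key: value' record into a dict (first colon splits)."""
    fields = {}
    for line in raw.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def replication_rights_in(properties: str) -> List[str]:
    """Names of replication rights whose GUIDs appear in the Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: List[str]) -> List[Dict[str, object]]:
    """One alert per 4662 replication request from a principal that is not a DC."""
    alerts = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # 4662 on something else, e.g. an ordinary object read
        user = ev.get("SubjectUserName", "")
        if user in DOMAIN_CONTROLLER_ACCOUNTS or user in ALLOWED_SERVICE_ACCOUNTS:
            continue  # expected replication partner
        alerts.append({
            "user": user,
            "domain": ev.get("SubjectDomainName", ""),
            "computer": ev.get("Computer", ""),
            "rights": rights,
            "note": "replication rights exercised by a non-DC principal (possible DCSync)",
        })
    return alerts


# Constructed sample records. 19195a5b-... is the domainDNS object class the
# request targets; it is not a replication right and must not trigger alone.
SAMPLE_EVENTS = [
    """EventID: 4662
Computer: DC01.corp.example
SubjectUserName: DC02$
SubjectDomainName: CORP
Properties: Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}""",
    """EventID: 4662
Computer: DC01.corp.example
SubjectUserName: svc-dirsync
SubjectDomainName: CORP
Properties: Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}""",
    """EventID: 4662
Computer: DC01.corp.example
SubjectUserName: helpdesk1
SubjectDomainName: CORP
Properties: Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}""",
    """EventID: 4662
Computer: DC01.corp.example
SubjectUserName: helpdesk1
SubjectDomainName: CORP
Properties: Read Property {12345678-abcd-ef01-2345-6789abcdef01}""",
    """EventID: 4624
Computer: DC01.corp.example
SubjectUserName: helpdesk1
SubjectDomainName: CORP""",
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT {a['domain']}\\{a['user']} on {a['computer']}: {', '.join(a['rights'])}")
```

The property GUID in the fourth record is made up to stand for any non-replication attribute read. The check only works if the DC actually audits directory service access (4662 is not logged by default), so the prerequisite is an audit policy and a SACL on the domain object that records Control Access for replication rights.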
IAM Best Practices... In review.
▪ Endpoint: Remove local privileges; Control applications
▪ Network: Segment off sensitive assets; Route access through jump servers
▪ Credentials: Enforce credential tiers; Require multi-factor authentication; Secure and manage privileged credentials
▪ Monitoring: Set alerts on malicious events; Monitor behavior to detect anomalies; Monitor privileged users
Andy Thompson
▪ Email:
▪ Website: CyberArk.com
▪ Twitter: R41nM4kr
▪ LinkedIn: AndyThompsonInfoSec