Advanced persistent threats

Advanced Persistent Threats K. K. Mookhey Principal Consultant Network Intelligence India Pvt. Ltd.

Speaker Introduction  Founder & Principal Consultant  Network Intelligence  Institute of Information Security  Certified as CISA, CISSP and CISM  Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008,2009  Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)  Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)  Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.

Agenda Ground-level Realities Compliance & Regulations Case Study of Privileged Identity Challenges Solutions  Policy  Process  Technology

Background

Further background… ―Fraud worries Indian outsourcing firms... Industry executives and officials at Nasscom, … say they are worried that exposés of recent incidents of fraud are damaging Indias reputation as a high-skilled, low-cost location…‖ ―Laterals attrition worrying IT biggies... some companies are now battling attrition as high as 40% among their project managers, threatening to disrupt ongoing engagements. ― ―Infosys wrestles with India IT worker turnover…the Indian outsourcing firm is wrestling with a 25 percent spike in employee attrition—the highest mark since 2004, analysts say.‖ ―In India, the average annual attrition rate in the business process outsourcing (BPO) sector hit a high of close to 50% a few years ago.‖

What are Privileged Accounts?Acct Type Scope Used by Used forElevated • Personal Accounts • Privileged operations elevated permissions • IT staffPersonal Accts • Access to sensitive – JSmith_admin(SUPM) – SUDO informationShared Highly Powerful •• Emergency • IT staff • Administrator • System Admins • UNIX root Fire-call • Network Admins Difficult to Control,DBAsPrivilegedAccounts • Manage & Monitor • Cisco Enable • Oracle SYS • Disaster recovery • Privileged operations • Help Desk, etc(SAPM) Usage is Not ••‘Personalized’sensitive • Local Administrators Developers • ERP admin Legacy Apps • Access to information Pose Devastating Risk if Misused • Applications • Hard-Coded, and • ScriptsApplication • Online database access Embedded Application • Windows ServicesAccounts • Batch processing IDs • Scheduled Tasks(AIM) • App-2-App communication • Service Accounts • Batch jobs, etc • Developers

The Insider Threat… No. 1 security concern of large companies is… THE INSIDER THREAT (IDC Analyst Group) 86% of the insiders held technical positions (CERT) 90% of them were granted system administrators or privileged system access when hired (CERT) 64% used remote access (CERT) 50% of those people were no longer supposed to have this privileged access (Source: Carnegie Mellon, DOD) 92% of all the insiders attacked following a negative work-related event like termination, dispute, etc. (CERT)

Crucial question… Quis custodiet ipsos custodies = Who will guard the guards?

How sys admins really operate!And how passwords get compromised! Ground Level Realities

SQL Server to Enterprise 0wned! Entry Point – 172.16.1.36  Vulnerability -> SQL Server  Default username and password  Username: sa  Password: password Use xp_cmdshell to ‗net user kkm kkm /add‘ ‗net localgroup administrators kkm /add‘

Hash Dump Administrator:500:A8367713FF9D45CE45F37A6::: Guest:501:NO PASSWORD*********************:NO PASSWORD*********************::: GP2010STGLocal:1012:3ED3C0B9BB7B5091BC4186920: AC4FFE38A7582D2A46E36865B:::

Privilege Escalation on the Network Using the Administrator account logon to other machines  Login to the domain server was not possible  Check for Impersonating Users

The Scope of the Problem...―Most organizations have more privileged accounts than personal accounts‖ (Sally Hudson, IDC) Typical use case - mid-size company IT profile:  ~10,000 employees  8,000+ desktops/laptops  200 Windows servers  10 Windows domains  500 Unix/Linux servers  20 WebSphere/Weblogic/Jboss/Tomcat servers  100 Oracle/DB2/Sqlserver databases  50 Cisco/Juniper/Nortel routers and switches  20 firewalls  1,000 application accounts  150 Emergency and break-glass accounts

What happened at RSA?

Spear Phishing

Compliance & Regulations

Compliance and RegulationCurrent Audit Questions around Privileged Accounts: ―Can you prove that you are protecting access to key accounts?‖ ―Who is acting as System Administrator for this activity?‖ ―Can you prove that Rahul Mehta‘s access to the netAdmin ID was properly approved?‖ ―Can you show me what Rahul Mehta did within his session as root last week?‖ ―Are you changing the Exchange Admin password inline with company policy?‖ ―Have you removed hard-coded passwords from your applications?‖ PCI, SOX, Basel II & HIPAA are all diving deeper into Privileged Accounts

Telecom Regulations DOT circular (31st May 2011) states in 5.6 A (vi) c. that The Licensee shall keep a record of all the operation and maintenance command logs for a period of 12 months, which should include the actual command given, who gave the command, when was it given and from where. For next 24 months the same information shall be stored/retained in a non-online mode.

Corporate Liability ‗43A.Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages, not exceeding five crore rupees, by way of compensation to the person so affected.

RBI Guidelines on Technology Risks April 29, 2011, the Reserve Bank of India released the ―Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds‖. Close supervision of personnel with elevated system privileges Personnel with elevated system access privileges should be closely supervised

App2App Communication• App2App interaction requires an authentication process – Calling application needs to send credentials to target application• Common use cases – Applications and Scripts connecting to databases – 3rd Party Products accessing network resources – Job Scheduling – Application Server Connection Pools – Distributed Computing Centers – Application Encryption Key Management – ATM, Kiosks, etc.

Solutions!Or why SIEM’s are not the answer

Decipher this! OS_USERNAME -------------------------------------------------------------------------------- USERNAME ------------------------------ USERHOST -------------------------------------------------------------------------------- TIMESTAMP RETURNCODE ------------------- ---------------- MRMESSINMike Messina DUMMYWORKGROUPMRMESSIN 11/08/2007 09:07:54 1017

On-Demand Privileges Manager:Tightening Unix Security Control superuser access for in-depth unix security Manage the commands Unix admins can run with granular access control Enforce ‗least privilege‘ - elevate to ‗root‘ only when necessary Monitor individual superuser activity with text recording Unified audit of superuser activity and password access When Who What Where

Privileged ‗Session‘ Example ‘Session’ Example Privileged  Company : Telco with over 100M subscribers  Regulation : Multiple  Driver : Compliance, control & monitor access to production environment, reduce operational costs  Scope : Integrated Privileged ID and Session Management implementation on 15,000 machines, tens of thousands of accounts.  Benefits :  Minimized security risks • Detailed audit logging & recording – 26,000 PSM recorded sessions within first 60 days  Met compliance goals  Reduced TCO • Avoid performance impact of end-point logging agents – savings of around 4% of total CPU power!  Operational efficiency • Integrated solution with central management & unified reporting & policies • Improved IT work efficiency with privileged single-sign-on

Summary: Privileged Identity & Session ManagementA comprehensive platform for isolating and preemptivelyprotecting your datacenter – whether on premise or in thecloud Discover all privileged accounts across datacenter Manage and secure every credential Enforce policies for usage Record and monitor privileged activities React and comply Integrate with IDAM

Before we get to the technology…

Controls Framework

Policies Privileged ID Management Policy & Procedures  Privileged ID allocation – process of the approval mechanism for it  Privileged ID periodic review – procedure for this  Monitoring of privileged ID activities – mechanisms, and procedures for logging and monitoring privileged IDs  Revocation of a privileged ID – what happens when an Administrator leaves the organization?  How are vendor-supplied user IDs managed  Managing shared/generic privileged IDs

Take Aways Privileged IDs represent the highest risk for data leakage in the organization Such IDs are numerous due to the large number of systems and devices in any network Managing the access of these IDs and monitoring their activities is of crucial importance! Technology solutions such as Privileged Identity Management make this task easier But these need to be combined with the right policy framework and comprehensive procedures

Thank you! Questions?kkmookhey@niiconsulting.com

Advanced persistent threats

by Network Intelligence on Nov 01, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Advanced persistent threats — Presentation Transcript