The Infosec Revival

As shown by headlines and countless intrusions, even moderately skilled attackers can sail through the defenses of a typical corporate network. Using a playbook of techniques both common and uncommon, intruders can bypass almost all security barriers despite even tough policies on end users and admins. But failure is not inevitable for a defender. There are many practical ways a network can be constructed that will wipe out most of the playbook, and they don’t always require expensive purchases.

Security must be built from the start, and this presentation will show you how it’s done; how to intelligently look at threats and plan defenses for a Windows network.

Published in: Technology
Transcript

  • 1. THE INFOSEC REVIVAL: Why owning a typical network is so easy, and how to build a secure one. Matt Weeks, scriptjunkie.us, @scriptjunkie1
  • 2. OUTLINE
    • The Evil That Threatens Us
    • Network Defenses
    • Host Defenses
  • 3. THE EVIL THAT THREATENS US: Network Intrusion Playbook
  • 4. LEVELS OF ACCESS
    • Limited User
    • Local Admin
    • Lateral Movement
    • Domain Admin
    • Internal Network
    • Internal Server
  • 5. INITIAL ACCESS (attack-path diagram from Start to the access levels of slide 4)
    • External server exploit (Web/SQLi/password), leading to Internal Network and Internal Server
    • Client-side exploit (Java, PDF, Office, Browser)
    • Social engineering via email/browser
    • Physical items: thumb drives/CDs with autorun/link/EXE, HID-spoofing USB devices
    • Physical access
    • Supply-chain compromise
    • Resulting footholds: Limited User or Local Admin
  • 6. LIMITED USER EXPANSION (attack-path diagram from Limited User toward Local Admin and Lateral Movement)
    • Weak file/service/registry permissions
    • Find plaintext passwords in scripts/registry
    • Local exploit (win32k, ntvdm…)
    • Guess/bruteforce local admin password
    • Find a system the current user is local admin on
    • Internal server-side exploit (SMB, PXE attacks)
    • Spread links via shares, email; relay NTLM or crack NTLM password
    • Shares: DLL preloading, shortcut hijacks…
    • Dump local hashes, re-use local admin accounts
  • 7. LOCAL ADMIN TO DA (attack-path diagram from Local Admin to Domain Admin)
    • Hijack active domain logon: dump wdigest/tspkg-cached password
    • Hijack active domain logon: steal token/hash/ticket
    • Find plain-text password in scripts/registry
    • Keylog admin password
    • Crack domain cached credentials
    • Deobfuscate LSA Secrets, saved passwords
  • 8. INTERNAL NETWORK/SERVER ATTACKS (attack-path diagram; nodes: Internal Network/Server, Local Admin, Internal Server, Local User, Domain Admin)
    • Internal server-side exploits, PXE attacks
    • Internal web attack, guessed password
    • Internal client-side attacks, including ARP poisoning, WPAD
  • 9. COMBINED: the attack-path diagrams of slides 5 through 8 joined into one graph, from Start through Limited User, Local Admin, Lateral Movement and internal server/client-side attacks to Domain Admin
  • 10. COMMUNICATION
    • Direct IPs
    • Dynamic DNS/registered domains
    • FTP/HTTP/HTTPS…
    • DNS exfil
    • Shares
    • Tor
    • USB drives
    • Webmail/data sharing sites
    • Compromised sites
  • 11. AIR GAP
    • “The only way to completely secure your computer is to disconnect it from the internet” – UC San Diego
    • Still not completely secure, but still the gold standard
    • Tight physical/personnel security
    • Prevent USB drives (disable USB drivers)
    • Everything without an air gap: isolate as much as possible
  • 12. DEFAULT ALLOW IS EVIL!
    • Isolate workstations: no direct connections out; whitelist DNS; whitelist HTTP by proxy; block social networking/file sharing; block inter-workstation traffic/ARP spoofing
    • Isolate servers and admin accounts: stricter whitelist out; DMZ for internet-accessible servers
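The workstation isolation items on slide 12 map almost one-to-one onto host firewall rules. The following is an added example, not from the presentation, that builds a default-deny egress profile with the built-in Windows Firewall cmdlets (Windows 8 / Server 2012 and later). Every address, subnet and port in it is a constructed placeholder. Note what it does not cover: ARP spoofing is a layer-2 problem handled on the switch (dynamic ARP inspection), not by the host firewall.

```powershell
# Added example (not from the presentation): default-deny egress for a workstation.
# All addresses below are constructed placeholders; substitute your own.
$InternalDns    = @('10.0.0.10', '10.0.0.11')   # only these resolvers may be queried
$WebProxy       = '10.0.0.20'                   # all HTTP/HTTPS goes through here
$WebProxyPort   = 8080
$DomainCtrlNet  = '10.0.1.0/24'                 # Kerberos, LDAP, SMB, RPC to DCs
$AdminJumpNet   = '10.0.5.0/24'                 # the only permitted inbound management source
$WorkstationNet = '10.1.0.0/16'                 # peer workstations

# 1. Every profile becomes deny-by-default in both directions.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Whitelist DNS: resolvers only, so DNS tunnelling to arbitrary servers is dropped.
New-NetFirewallRule -DisplayName 'Egress: DNS to internal resolvers' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $InternalDns -Action Allow

# 3. Whitelist HTTP by proxy: no direct 80/443 from the workstation, only the proxy port.
New-NetFirewallRule -DisplayName 'Egress: web via proxy' -Direction Outbound `
    -Protocol TCP -RemotePort $WebProxyPort -RemoteAddress $WebProxy -Action Allow

# 4. The domain services a member workstation still needs.
New-NetFirewallRule -DisplayName 'Egress: domain controllers' -Direction Outbound `
    -RemoteAddress $DomainCtrlNet -Action Allow

# 5. Block inter-workstation traffic. Windows Firewall evaluates Block rules before
#    Allow rules, so these win even where an Allow rule overlaps.
New-NetFirewallRule -DisplayName 'Block: peer workstations inbound' -Direction Inbound `
    -RemoteAddress $WorkstationNet -Action Block
New-NetFirewallRule -DisplayName 'Block: peer workstations outbound' -Direction Outbound `
    -RemoteAddress $WorkstationNet -Action Block

# 6. Inbound management only from the admin jump network.
New-NetFirewallRule -DisplayName 'Inbound: admin jump hosts' -Direction Inbound `
    -RemoteAddress $AdminJumpNet -Action Allow

# Review what was created.
Get-NetFirewallRule -DisplayName 'Egress:*','Block:*','Inbound:*' |
    Format-Table DisplayName, Direction, Action -AutoSize
```

Deploy the same rule set through Group Policy rather than per host so a compromised local admin cannot simply delete the rules; the cmdlets accept a `-PolicyStore` parameter that targets a GPO for exactly that purpose.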
  • 13. COMMUNICATION (channel: defense)
    • Direct IPs: firewall; no direct connections out
    • Dynamic DNS/registered domains: whitelist/categorical block
    • FTP/HTTP/HTTPS…: whitelist/firewall policy
    • DNS exfil: DNS whitelist
    • Shares: firewalls/segmentation
    • Tor: firewall/whitelist
    • USB drives: USB-disabling, user education
    • Webmail/data sharing sites: categorical block (sorry!)
    • Compromised sites: (no defense listed)
  • 14. CONTROL THE HOSTS
    • Disable common social engineering vectors: Java, Office macros
    • Stop privilege escalation: automate permissions checks; prevent remote local account logins
    • Never allow passwords
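“Automate permissions checks” on slide 14 refers to the weak file/service permission path of slide 6. As an added example that is not part of the presentation, the script below walks every installed service, resolves its executable, and reports any binary or containing directory that a low-privilege principal may write to, plus unquoted service paths containing spaces. The list of low-privilege identities and the rights mask are the script's own assumptions.

```powershell
# Added example (not from the presentation): audit service binaries for write access
# by ordinary users. Run elevated so every ACL can be read.
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Access-mask bits that let a caller replace or retarget a file or its directory:
# WriteData 0x2, AppendData 0x4, Delete 0x10000, WriteDac 0x40000, WriteOwner 0x80000,
# plus the generic GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$DangerMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-LowPrivWriters {
    # Returns the low-privilege identities with a dangerous Allow ACE on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivIdentities -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $DangerMask) -ne 0
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }
    if ($cmd -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]                       # quoted path: take what is inside the quotes
    } elseif ($cmd -match '^\s*([^"]*?\.exe)') {
        $exe = $Matches[1]                       # unquoted path: everything up to .exe
        if ($exe -match ' ') {
            [pscustomobject]@{ Service = $svc.Name; Path = $exe
                               Issue = 'Unquoted service path with spaces'; Identity = '' }
        }
    } else {
        continue                                 # driver or non-.exe service host
    }
    foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
        foreach ($who in (Get-LowPrivWriters -Path $target)) {
            [pscustomobject]@{ Service = $svc.Name; Path = $target
                               Issue = 'Writable by low-privilege principal'; Identity = $who }
        }
    }
}

$findings | Sort-Object Service, Path | Format-Table -AutoSize
```

Schedule it to run from a central host against each machine (over WinRM without `-Credential`, so no reusable credential lands on the target) and diff the output against the previous run; a new finding usually means a fresh third-party install dropped a world-writable service.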
  • 15. 15 PASSWORD EVILS!
    • Admins leave passwords in shared drives & scripts
    • Can be dumped from memory
    • Can be keylogged
    • Can be guessed
    • Everybody reuses them
    • Hard to remember
  • 16. 15 PASSWORD EVILS! (continued)
    • Social engineering
    • Passing-the-hash
    • Pot-of-gold hash dumps
    • Easy lockouts or online brute force
    • NTLM relay
    • NTLM auth and cached credential offline cracking
    • Painful post-attack cleanup (reset every password)
  • 17. NEVER ALLOW PASSWORDS
    • Force smart card logon for all users
    • Force Kerberos by denying all incoming NTLM
    • Deny network and RDP logon to any non-smart-card local or service accounts
    • For extra credit: disable the secondary logon service to prevent password privesc; require SMB signing to address MITM attacks; set a low maximum machine account password age to address computer creds
    • Results: solves all 15 problems
  • 18. NEVER ALLOW PASSWORDS
    • Prevents passing-the-hash; hashes are not used
    • No hash/private credential database to steal in bulk
    • Private keys cannot be stolen, dumped from memory or keylogged
    • Can’t re-use, choose bad passwords, or give them to online social engineers
    • Don’t need to worry about lockouts, online/offline brute force or NTLM relay
    • Admins cannot leave passwords in shared drives or scripts
    • Only active logons can be hijacked, and only temporarily
    • Easier on users’ memory and easy to clean up from!
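Slides 17 and 18 list the settings; as an added example that is not part of the presentation, here is how most of them are applied with PowerShell. It assumes the ActiveDirectory module on the admin host, an elevated shell on the machine receiving the registry changes, and the placeholder OU and group names shown. The “deny network and RDP logon” item is a user-rights assignment (Deny access to this computer from the network; Deny log on through Remote Desktop Services) that has no cmdlet and is set in Group Policy, so it is not in the script.

```powershell
# Added example (not from the presentation): "never allow passwords" settings.
Import-Module ActiveDirectory

# 1. Force smart card logon for every enabled user in the OU. Setting the
#    SMARTCARD_REQUIRED flag also makes the DC replace the account's password
#    with a random one, so no user-chosen password remains to guess or crack.
$UsersOu = 'OU=Users,DC=corp,DC=example'          # constructed placeholder
Get-ADUser -SearchBase $UsersOu -Filter { Enabled -eq $true } |
    Set-ADUser -SmartcardLogonRequired $true

# 2. Privileged accounts: "sensitive and cannot be delegated" (slide 21).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Set-ADUser -AccountNotDelegated $true

# 3. Force Kerberos on this host by refusing NTLM in both directions.
#    Audit first: AuditReceivingNTLMTraffic = 2 logs every NTLM authentication to the
#    Microsoft-Windows-NTLM/Operational log without blocking; switch the Restrict
#    values to 2 (deny all) once the log is clean.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord  # send NTLMv2 only, refuse LM/NTLMv1
Set-ItemProperty -Path "$lsa\MSV1_0" -Name AuditReceivingNTLMTraffic    -Value 2 -Type DWord
Set-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord  # deny all incoming
Set-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic   -Value 2 -Type DWord  # deny all outgoing

# 4. Extra credit from slide 17.
Set-Service -Name seclogon -StartupType Disabled       # secondary logon (runas with a password) off
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name RequireSecuritySignature -Value 1 -Type DWord  # SMB signing required, server side
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -Name RequireSecuritySignature -Value 1 -Type DWord  # and client side
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name MaximumPasswordAge -Value 7 -Type DWord        # machine account password rotates weekly (default 30 days)

# 5. Verify the smart card flag actually landed.
Get-ADUser -SearchBase $UsersOu -Filter { Enabled -eq $true } -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Select-Object SamAccountName
```

Apply steps 3 and 4 through Group Policy preferences or a security template in production; the registry writes here are the same values those policies set, shown inline so the mapping from slide bullet to setting is visible.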
  • 19. MANDATORY SMART CARD, KERBEROS: the combined attack-path diagram of slide 9, shown again to mark the paths this control removes
  • 20. SECURID EVILS!
    • RSA server holds all passwords and seeds
    • On login, the password is given to Windows; everything else is the same
    • Hash, pass can be dumped from memory
    • Social engineering (MITM, time limited)
    • Passing-the-hash
    • Pot of gold: hash dumps, passwords, seeds
    • NTLM relay
    • Very painful post-compromise cleanup (replace all tokens)
    • Does fix user-chosen or re-used passwords
  • 21. ISOLATING ADMINS
    • Assign dedicated admin workstations
    • Restrict inbound workstation connections to remote admin sources
    • Block admin accounts from internet and email
    • Restrict privileged accounts from authenticating to lower-trust systems
    • Mark privileged accounts as “sensitive and cannot be delegated”
    • Use remote management tools that do not place reusable credentials in a remote computer’s memory
  • 22. REMOTE MANAGEMENT
    • Stealable: remote desktop; console physical logon; batch logon (scheduled tasks when not S4U); service logon; NetworkClearText/Basic authentication; RUNAS; PowerShell WinRM with -Authentication Credssp or -Credential
    • Non-stealable (use these instead): net use/file shares; remote registry; remote service control manager; MMC snap-ins; PowerShell WinRM without -Authentication Credssp or -Credential; PsExec without explicit creds; IIS integrated Windows authentication; Intel AMT with Kerberos
  • 23. REMOTE MANAGEMENT (same table as slide 22). No remote desktop? But wait! There is another way! Secure RDP with temporary account (video)
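The stealable/non-stealable split on slides 22 and 23 can be checked after the fact: each of those management channels produces a Security event 4624 with a distinct logon type. The following is an added example, not from the presentation, that reads recent 4624 events and classifies them by whether the logon type left a reusable credential on the host, then reports which privileged accounts did so. The privileged account names and the mapping of logon types to the slide's two columns are the example's own assumptions.

```powershell
# Added example (not from the presentation): classify 4624 logons by credential exposure.
# Logon types that leave a password, hash or ticket cached in LSASS on the target:
$Stealable = @{
    2  = 'Interactive (console)'
    4  = 'Batch (scheduled task with stored password)'
    5  = 'Service'
    8  = 'NetworkCleartext (Basic / CredSSP)'
    9  = 'NewCredentials (RUNAS /netonly, -Credential)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}
# Network logon: SMB, remote registry, SCM, MMC, WinRM with Kerberos, IIS integrated auth.
$NonStealable = @{ 3 = 'Network (Kerberos, no reusable secret left behind)' }

function Get-LogonTypeReport {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    # Querying over WinRM without -Credential is itself a type-3 logon, so the audit
    # does not add to the problem it measures.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $type = [int]$d['LogonType']
            if ($Stealable.ContainsKey($type))        { $class = 'STEALABLE: ' + $Stealable[$type] }
            elseif ($NonStealable.ContainsKey($type)) { $class = 'ok: ' + $NonStealable[$type] }
            else                                      { $class = "other (type $type)" }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source    = $d['IpAddress']
                LogonType = $type
                Class     = $class
            }
        } |
        Where-Object { $_.User -notmatch '\$$' -and $_.User -ne 'NT AUTHORITY\SYSTEM' }  # drop machine/SYSTEM noise
}

# Which privileged accounts left stealable credentials on this host in the last 3 days?
$Privileged = @('CORP\admin-jdoe', 'CORP\admin-asmith')   # constructed placeholders
Get-LogonTypeReport -Hours 72 |
    Where-Object { $_.Class -like 'STEALABLE*' -and $Privileged -contains $_.User } |
    Group-Object User, Class |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Run it across the server estate from the admin workstation and any privileged account that shows up with type 2, 4, 5, 8, 9 or 10 on an ordinary server is a candidate for the slide's “use these instead” column; type 10 from a non-admin-workstation source address is the one to chase first.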
  • 24. EXPLOITS
    • “The bottom line is the way that we keep people out ... I don't care who hacks my system if they can't get in - let's make it hard for them to get in. And the way you do that is by eliminating software vulnerabilities” – a well-known exploit developer
    • “Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed.” – New York Times Op-Ed, 4 April 2013
  • 25. IF EXPLOITS NEVER EXISTED: the combined attack-path diagram of slide 9, shown again to mark the paths that depend on exploits
  • 26. FIGHTING EXPLOITS
    • Secure webapps: write security into the contract for custom apps; do not accept source-code-less apps without audit; scan/bugfix regularly
    • Force exploit mitigations: mandatory DEP, ASLR; EMET, SEHOP…
    • Patch in priority
    • Put vulnerable apps in VM isolation
  • 27. VM ISOLATION
    • Virtual machines > other sandboxes: hypervisor attack surface < kernel attack surface; VM escapes have required guest LPE first, an added barrier
    • Implementation: commercial (Bromium/Invincea); free (Qubes); VMware View client; Citrix; roll-your-own with hypervisor/VNC
  • 28. VM ISOLATION
    • Requirements: restrict network access; prevent host code execution; deny access to sensitive host files
    • Document VM with no internet access: PDF reader, Office; stops exploits and social engineering
    • Browser VM: stronger sandbox; VM needs internet access
    • Demo
  • 29. VM ISOLATION: the combined attack-path diagram of slide 9, shown again to mark the paths this control removes
  • 30. FILE SHARES ARE EVIL!
    • Executable planting; DLL preloading; shortcut hijacking; script infecting
    • Do not use open Windows shares; use a CMS; disable WebDAV
    • Per-user home drives still OK; admin-writable-only drives still OK
  • 31. CODE WHITELISTING
    • Effective against some exploits, much malware, persistence
    • Bit9/Kaspersky/AppLocker… whitelists
    • Lock down PowerShell; whitelist VBScript/JavaScript; whitelist batch scripts; whitelist Java; block VBA macros
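Of the whitelisting products named on slide 31, AppLocker is the one built into Windows, and its cmdlets are enough to generate, dry-run and apply a policy covering executables, DLLs and the script types the slide lists. The following is an added example, not from the presentation; the reference directories, the vetted-scripts share, the policy path and the Office version key (15.0, Office 2013) are its own assumptions.

```powershell
# Added example (not from the presentation): build an AppLocker whitelist from a
# reference workstation, audit it, then enforce it. Run elevated.
$ReferenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot",
                   '\\fileserver\vetted-scripts')     # constructed placeholder share
$PolicyXml = 'C:\Policies\applocker-whitelist.xml'   # constructed placeholder path

# 1. Inventory every exe, DLL, script (.ps1/.bat/.cmd/.vbs/.js) and MSI under the reference dirs.
$fileInfo = $ReferenceDirs |
    Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe,Dll,Script,WindowsInstaller
    }

# 2. Publisher rules for signed files (they survive patching); hash rules for the rest.
#    -Optimize merges rules with the same publisher so the policy stays readable.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher,Hash `
                           -User Everyone -Optimize -Xml

# 3. Start in audit mode: events 8003 (exe/dll) and 8006 (script) in the
#    Microsoft-Windows-AppLocker logs show what enforcement would have blocked.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
$xml | Set-Content -Path $PolicyXml -Encoding UTF8

# 4. Dry-run the policy against files users actually launch before it goes anywhere.
$samples = Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse `
               -Include *.exe,*.dll,*.ps1,*.vbs,*.js,*.bat,*.cmd -ErrorAction SilentlyContinue
if ($samples) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $samples.FullName -User Everyone |
        Where-Object PolicyDecision -ne 'Allowed' |
        Format-Table FilePath, PolicyDecision -AutoSize
}

# 5. Apply locally (use Set-AppLockerPolicy -Ldap with a GPO path to push domain-wide).
#    AppLocker only works while the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $PolicyXml
sc.exe config appidsvc start= auto | Out-Null      # Set-Service is refused for this protected service on Windows 10
Start-Service -Name AppIDSvc

# 6. Block VBA macros (last item on the slide): 4 = disable all without notification.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\15.0\$app\Security"   # Office 2013 key; adjust per version
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
}
```

Once the audit log is quiet for a release cycle, change `AuditOnly` to `Enabled` and re-apply. With the Script collection enforced, PowerShell 5 and later runs unlisted scripts in Constrained Language mode, which is the practical form of the slide's “lock down PowerShell”.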
  • 32. SUMMARY
    • Air-gap what you can
    • Whitelist everything
    • Kill passwords & NTLM; use smart cards/Kerberos
    • Use strong mitigations
    • Put your programs in isolated VMs
    • Don’t use Windows shared folders
  • 33. THE END: the combined attack-path diagram of slide 9, shown once more
  • 34. QUESTIONS
