The Infosec Revival
As shown by headlines and countless intrusions, even moderately skilled attackers can sail through the defenses of a typical corporate network. Using a playbook of techniques both common and uncommon, intruders can bypass almost all security barriers despite even tough policies on end users and admins. But failure is not inevitable for a defender. There are many practical ways a network can be constructed that will wipe out most of the playbook, and they don’t always require expensive purchases.

Security must be built from the start, and this presentation will show you how it’s done: how to intelligently look at threats and plan defenses for a Windows network.
Transcript of "The Infosec Revival"

  1. THE INFOSEC REVIVAL
     Why owning a typical network is so easy, and how to build a secure one
     Matt Weeks
     scriptjunkie.us · @scriptjunkie1
  2. OUTLINE
      The Evil That Threatens Us
      Network Defenses
      Host Defenses
  3. THE EVIL THAT THREATENS US
     Network Intrusion Playbook
  4. LEVELS OF ACCESS
     • Limited User
     • Local Admin
     • Lateral Movement
     • Domain Admin
     • Internal Network
     • Internal Server
  5. INITIAL ACCESS (flow diagram; node labels)
     Start
     External Server Exploit: Web/SQLi/password
     Internal Network
     Internal Server
     Client-side Exploit: Java, PDF, Office, Browser
     Social Engineering via Email/Browser
     Limited User
     Physical Items: Thumb Drives/CDs autorun/link/EXE, HID-spoofing USB Devices
     Physical Access
     Local Admin
     Supply-chain Compromise
  6. LIMITED USER EXPANSION (flow diagram; node labels)
     Limited User
     Weak file/service/registry permissions
     Find plaintext passwords in scripts/registry
     Local Admin
     Local exploit – win32k, ntvdm…
     Guess/Bruteforce local admin password
     Find system current user is local admin on
     Internal server-side exploit – SMB, PXE attacks
     Lateral Movement
     Spread links via shares, email; Relay NTLM or crack NTLM password
     Shares: DLL preloading, shortcut hijacks…
     Dump local hashes, re-use local admin accounts
  7. LOCAL ADMIN TO DA (flow diagram; node labels)
     Local Admin
     Hijack active domain logon: dump wdigest/tspkg-cached password
     Hijack active domain logon: steal token/hash/ticket
     Find plain-text password in scripts/registry
     Keylog admin password
     Crack domain cached credentials
     Deobfuscate LSA Secrets, saved passwords
     Domain Admin
  8. INTERNAL NETWORK/SERVER ATTACKS (flow diagram; node labels)
     Internal Network/Server
     Internal server-side exploits, PXE attacks
     Local Admin
     Internal web attack, guessed password
     Internal Server
     Internal client-side attacks; including ARP poisoning, WPAD
     Local User
     Domain Admin
  9. COMBINED (flow diagram combining slides 5 to 8; node labels)
     Start
     External Server Attack
     Internal Network
     Internal Server
     Client-side Exploit
     Social Engineering
     Limited User
     Physical Item Drop
     Physical Access
     Supply-chain Compromise
     Weak permissions
     Find plaintext passwords
     Local Admin
     Local exploit
     Guess local admin password
     Find system current user is local admin on
     Internal server-side exploit
     Lateral Movement
     Relay/crack NTLM
     Attacks through shares
     Pass local hashes
     Dump cached active password
     Hijack token, hash, ticket
     Find plain-text password
     Keylog password
     Crack domain cached credentials
     Deobfuscate LSA Secrets
     Domain Admin
     Internal Server Attacks
     Internal Client-side Attacks
  10. COMMUNICATION
       Direct IP’s
       Dynamic DNS/registered domains
       FTP/HTTP/HTTPS…
       DNS exfil
       Shares
       Tor
       USB drives
       Webmail/data sharing sites
       Compromised sites
  11. AIR GAP
       “The only way to completely secure your computer is to disconnect it from the internet” – UC San Diego
       Still not completely secure, but still the gold standard
       Tight physical/personnel security
       Prevent USB drives (disable USB drivers)
       Everything without air-gap, isolate as much as possible
  12. DEFAULT ALLOW IS EVIL!
       Isolate workstations
         • No direct connections out
         • Whitelist DNS
         • Whitelist HTTP by proxy
         • Block social networking/file sharing
         • Block inter-workstation/ARP-spoofing
       Isolate servers, admin accounts
         • Stricter whitelist out
         • DMZ for internet-accessible servers
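An added example, not from the slides, of the workstation isolation items above expressed as Windows Firewall policy in PowerShell. The resolver, proxy, domain controller and subnet addresses are constructed placeholders, and the ARP-spoofing item needs switch-side controls (port security, dynamic ARP inspection) that a host firewall cannot provide.

```powershell
# Added example, not from the slides: workstation egress whitelist with Windows Firewall.
# All addresses are constructed placeholders for this example.
$DnsServers  = @('10.0.0.10', '10.0.0.11')  # internal resolvers that only answer for whitelisted names
$ProxyServer = '10.0.0.20'                  # web proxy enforcing the URL/category whitelist
$ProxyPort   = 8080
$DomainCtrls = @('10.0.0.10', '10.0.0.11')  # Kerberos/LDAP/SMB (SYSVOL) targets
$WksSubnet   = '10.0.1.0/24'                # the workstation VLAN this host sits on

# 1. Default deny in both directions, on every profile. Everything below is an exception.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Windows ships an outbound allow rule for DNS to *any* address; it would defeat the
#    whitelist, so disable it. Review the remaining built-in outbound allow rules too.
Get-NetFirewallRule -Direction Outbound -Enabled True |
    Where-Object DisplayName -like 'Core Networking - DNS*' | Disable-NetFirewallRule

# 3. DNS only to the whitelisting resolvers: direct-IP, dynamic-DNS and DNS-exfil channels
#    now have to get past a resolver that will not answer for unknown names.
New-NetFirewallRule -DisplayName 'Wks: DNS to internal resolvers' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
New-NetFirewallRule -DisplayName 'Wks: DNS/TCP to internal resolvers' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 53 -RemoteAddress $DnsServers

# 4. Web only through the proxy; no direct HTTP/HTTPS/FTP, and no Tor.
New-NetFirewallRule -DisplayName 'Wks: HTTP via proxy' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort $ProxyPort -RemoteAddress $ProxyServer

# 5. Domain traffic to the domain controllers (Kerberos, LDAP/LDAPS/GC, SMB for Group Policy).
New-NetFirewallRule -DisplayName 'Wks: DC TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 88,389,445,636,3268,3269 -RemoteAddress $DomainCtrls
New-NetFirewallRule -DisplayName 'Wks: DC UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 88,123,389 -RemoteAddress $DomainCtrls

# 6. No workstation-to-workstation traffic at all. Block rules win over allow rules, so a
#    compromised peer cannot reach this host even through an allow rule above.
New-NetFirewallRule -DisplayName 'Wks: block peer inbound'  -Direction Inbound  `
    -Action Block -RemoteAddress $WksSubnet
New-NetFirewallRule -DisplayName 'Wks: block peer outbound' -Direction Outbound `
    -Action Block -RemoteAddress $WksSubnet

# Show the resulting defaults so the change can be verified in a log or ticket.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

In production these rules belong in a Group Policy firewall object rather than a script run per host, so that a local admin cannot simply remove them.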
  13. COMMUNICATION (channel: countermeasure)
       Direct IP’s: Firewall; no direct connections out
       Dynamic DNS/registered domains: Whitelist/categorical block
       FTP/HTTP/HTTPS…: Whitelist/firewall policy
       DNS exfil: DNS whitelist
       Shares: Firewalls/segmentation
       Tor: Firewall/Whitelist
       USB drives: USB-disabling, user education
       Webmail/data sharing sites: Categorical block (sorry!)
       Compromised sites: (no countermeasure listed on the slide)
  14. CONTROL THE HOSTS
       Disable common social engineering vectors
         • Java
         • Office Macros
       Stop privilege escalation
         • Automate permissions checks
         • Prevent remote local account logins
       Never allow passwords
  15. 15 PASSWORD EVILS!
     Admins leave passwords in shared drives & scripts
     Can be dumped from memory
     Can be keylogged
     Can be guessed
     Everybody reuses them
     Hard to remember
  16. 15 PASSWORD EVILS! (continued)
     Social engineering
     Passing-the-hash
     Pot of gold hash dumps
     Easy lockouts or online brute force
     NTLM relay
     NTLM auth and cached credential offline cracking
     Painful post-attack cleanup (reset every password)
  17. NEVER ALLOW PASSWORDS
       Force smart card logon for all users
       Force Kerberos by denying all incoming NTLM
       Deny network, RDP logon to any non-smart card local or service accounts
       For extra credit
         • Disable secondary logon service to prevent password-privesc
         • Require SMB signing to address MITM attacks
         • Set low maximum machine account password age to address computer creds
       Results – solves all 15 problems
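An added example (not the author's) that audits a single host for the settings on this slide by reading the registry values behind the corresponding Group Policy settings. The 7-day machine account password age is an assumed "low" threshold, and the network/RDP logon-right denials are not covered because they live in the local security policy rather than the registry.

```powershell
# Added example, not from the slides: audit a host for the "never allow passwords" settings.
# Each entry is the registry backing of the named Group Policy setting.
$Checks = @(
    @{ Name = 'Interactive logon: Require smart card'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'scforceoption'; Expected = 1 },
    @{ Name = 'Restrict NTLM: Incoming NTLM traffic = Deny all accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Name = 'SMB server: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Domain member: Maximum machine account password age (days, assumed <= 7)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value = 'MaximumPasswordAge'; Expected = 7 }   # treated as an upper bound below
)

function Test-NoPasswordHost {
    $results = @(foreach ($c in $Checks) {
        # A missing value means the policy was never applied; report it as non-compliant.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = if ($c.Value -eq 'MaximumPasswordAge') { ($null -ne $actual) -and ($actual -le $c.Expected) }
              else { $actual -eq $c.Expected }
        [pscustomobject]@{ Setting = $c.Name; Actual = $actual; Expected = $c.Expected; Compliant = $ok }
    })
    # Secondary Logon (seclogon) is what RUNAS uses; disabling it removes the password-privesc path.
    $seclogon = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Setting   = 'Secondary Logon service disabled'
        Actual    = if ($seclogon) { $seclogon.StartType } else { 'missing' }
        Expected  = 'Disabled'
        Compliant = [bool]($seclogon -and $seclogon.StartType -eq 'Disabled')
    }
    $results
}

Test-NoPasswordHost | Format-Table -AutoSize
```

Run it under a scheduled task that writes the table to a central log and the drift from the intended state shows up before an attacker finds it.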
  18. NEVER ALLOW PASSWORDS
       Prevents passing-the-hash; hashes are not used
       No hash/private credential database to steal in bulk
       Private keys cannot be stolen, dumped from memory or keylogged
       Can’t re-use, choose bad passwords, or give them to online social engineers
       Don’t need to worry about lockouts or on/offline brute force or NTLM relay
       Admins cannot leave passwords in shared drives or scripts
       Only active logons can be hijacked – temporarily
       Easier on users’ memory and easy to clean up from!
  19. MANDATORY SMART CARD, KERBEROS
      (the combined flow diagram from slide 9, shown again)
  20. SECURID EVILS!
       RSA server holds all passwords and seeds
       On login, password is given to Windows; everything else is the same
       Hash, pass can be dumped from memory
       Social engineering (MITM - time limited)
       Passing-the-hash
       Pot of gold - hash dumps, passwords, seeds
       NTLM relay
       Very painful post-compromise cleanup (replace all tokens)
       Does fix user-chosen or re-used passwords
  21. ISOLATING ADMINS
       Assign dedicated admin workstations
       Restrict inbound workstation connections to remote admin sources
       Block admin accounts from internet and email
       Restrict privileged accounts from authenticating to lower trust systems
       Mark privileged accounts as “sensitive and cannot be delegated”
       Use remote management tools that do not place reusable credentials on a remote computer's memory
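An added example, not from the slides, using the ActiveDirectory module to audit the account-level controls from slides 17 and 21 that are visible on the user object (smart card required, "sensitive and cannot be delegated", no email address). The group list is the built-in default set and should be extended with your own privileged groups.

```powershell
# Added example, not from the slides: audit privileged accounts for the AD-side controls.
# Requires the ActiveDirectory module (RSAT). Group names are the built-in defaults.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedAccountAudit {
    # Resolve nested membership so accounts hidden behind group-in-group are found too.
    $members = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }
    $members | Sort-Object -Property distinguishedName -Unique | ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName `
                -Properties AccountNotDelegated, SmartcardLogonRequired, EmailAddress
        [pscustomobject]@{
            Account           = $u.SamAccountName
            SmartCardRequired = $u.SmartcardLogonRequired   # slide 17: no password to dump or keylog
            NotDelegated      = $u.AccountNotDelegated      # slide 21: "sensitive and cannot be delegated"
            HasEmail          = [bool]$u.EmailAddress       # slide 21: admin accounts get no email
            Findings          = @(
                if (-not $u.SmartcardLogonRequired) { 'password logon allowed' }
                if (-not $u.AccountNotDelegated)    { 'delegatable' }
                if ($u.EmailAddress)                { 'has email address' }
            ) -join '; '
        }
    }
}

# Set the two flags on every account that fails; -WhatIf previews the changes.
function Set-PrivilegedAccountFlags {
    param([switch]$WhatIf)
    Get-PrivilegedAccountAudit |
        Where-Object { -not $_.SmartCardRequired -or -not $_.NotDelegated } |
        ForEach-Object {
            Set-ADUser -Identity $_.Account -SmartcardLogonRequired $true `
                -AccountNotDelegated $true -WhatIf:$WhatIf
        }
}

Get-PrivilegedAccountAudit | Format-Table -AutoSize
```

Run the audit first: requiring a smart card on an account that has no enrolled certificate locks that account out of interactive logon.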
  22. REMOTE MANAGEMENT
      Stealable:
       Remote desktop
       Console physical logon
       Batch logon (scheduled tasks when not S4U)
       Service logon
       NetworkClearText/Basic authentication
       RUNAS
       Powershell WinRM with -Authentication Credssp or -Credential
      Non-stealable (use these instead):
       Net use/file shares
       Remote registry
       Remote service control manager
       MMC snap-ins
       Powershell WinRM without -Authentication Credssp or -Credential
       Psexec without explicit creds
       IIS integrated Windows authentication
       Intel AMT with Kerberos
  23. REMOTE MANAGEMENT (same table as slide 22)
      No remote desktop? But wait! There is another way!
      Secure RDP with temporary account (video)
  24. EXPLOITS
       “The bottom line is the way that we keep people out ... I don't care who hacks my system if they can't get in - let's make it hard for them to get in. And the way you do that is by eliminating software vulnerabilities” – a well-known exploit developer
       “Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed.” – New York Times Op-Ed, 4 April 2013
  25. IF EXPLOITS NEVER EXISTED
      (the combined flow diagram from slide 9, shown again)
  26. FIGHTING EXPLOITS
       Secure webapps
         • Write security into contract for custom apps
         • Do not accept source-code-less apps without audit
         • Scan/bugfix regularly
       Force exploit mitigations
         • Mandatory DEP, ASLR
         • EMET SEHOP…
       Patch in priority
       Put vulnerable apps in VM isolation
  27. VM ISOLATION
       Virtual Machines > other sandboxes
         • Hypervisor attack surface < kernel attack surface
         • VM escapes have required guest LPE first; added barrier
       Implementation:
         • Commercial – Bromium/Invincea
         • Free - Qubes
         • VMware view client
         • Citrix
         • Roll-your-own with hypervisor/VNC
  28. VM ISOLATION
       Requirements
         • Restrict network access
         • Prevent host code execution
         • Deny access to sensitive host files
       Document VM with no internet access
         • PDF reader, Office
         • Stops exploits and social engineering
       Browser VM
         • Stronger sandbox
         • VM needs internet access
       Demo
  29. VM ISOLATION
      (the combined flow diagram from slide 9, shown again)
  30. FILE SHARES ARE EVIL!
       Executable planting
       DLL Preloading
       Shortcut hijacking
       Script infecting
       Do not use open Windows shares
       Use a CMS
       Disable WebDAV
       Per-user home drives still OK
       Admin-writable-only drives still OK
  31. CODE WHITELISTING
       Effective against some exploits, much malware, persistence
       Bit9/Kaspersky/AppLocker… whitelists
       Lock down powershell
       Whitelist vbscript/javascript
       Whitelist batch scripts
       Whitelist Java
       Block VBA macros
  32. SUMMARY
     Air-gap what you can
     Whitelist everything
     Kill passwords & NTLM; use smart cards/kerberos
     Use strong mitigations
     Put your programs in isolated VM’s
     Don’t use Windows shared folders
  33. THE END
      (the combined flow diagram from slide 9, shown again)
  34. QUESTIONS