For the full webinar: https://www.beyondtrust.com/resources/webinar/cyber-criminals-steal-passwords-via-pass-hash-attack-methods/
Check out the full webinar presentation from Enterprise Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz. Get insights into pass-the-hash attacks and today's common encryption and decryption techniques being seen across systems, networks, and applications. More importantly, learn how to protect privileged credentials and prevent password credentials from being leaked!
Some topics Paula covers include:
• How Pass-The-Hash attacks work – and how to prevent them
• How to prevent password credential leakage in Windows
• How credential attacks work
• The role of cryptography for passwords in Windows
• The DPAPI (Data Protection API) idea behind the cached credentials
How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods
1. How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods
Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: paula@cqure.us | http://cqure.us @paulacqure
@CQUREAcademy
4. Upcoming Workshops
17th – 19th of October, New York, NY – Troubleshooting and Monitoring Windows Infrastructure – From Zero to Hero
Please contact our office in the United States and mention BeyondTrust!
info@cqure.us
Exclusive discounts for all attendees of today’s seminar.
7. What is the most successful path for the attack right now?
8. THE ANATOMY OF AN ATTACK
Healthy Computer → User Receives Email → User Lured to Malicious Site → Device Infected with Malware → HelpDesk Logs into Device → Identity Stolen, Attacker Has Increased Privs
14. PASS THE HASH TECHNIQUE
Fred’s Laptop
    Fred’s User Session – User: Fred, Password hash: A3D7…
    Malware Session – User: Administrator, Password hash: E1977…
Sue’s Laptop
    Sue’s User Session – User: Sue, Password hash: C9DF…
    Malware User Session – User: Adm…, Hash: E1977
File Server
    User: Sue, Hash: C9DF
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE’S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
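The two-hop chain on this slide (Fred’s laptop to Sue’s laptop as Administrator, then Sue’s laptop to the file server as Sue) leaves a trail of NTLM network logons on the hosts it lands on. The following is an added example, not part of the webinar or of any BeyondTrust product, that reconstructs such a chain from Windows Security Event ID 4624 records; the field names are the real 4624 fields, while the host names, accounts, timestamps, 30-minute window and key=value export format are constructed for the example.

```python
"""Added example: find the pass-the-hash pivot chain from the slide in Windows
Security Event ID 4624 records. The field names are real 4624 fields; the hosts,
accounts, timestamps and key=value export format below are constructed."""
from datetime import datetime, timedelta

# Constructed sample events: one 4624 record per line, ISO timestamp then
# key=value pairs; "host" is the computer that logged the event.
SAMPLE_EVENTS = """\
2016-10-03T09:00:05 host=FRED-LAPTOP TargetUserName=fred LogonType=2 AuthenticationPackageName=Kerberos WorkstationName=FRED-LAPTOP
2016-10-03T09:04:10 host=SUE-LAPTOP TargetUserName=Administrator LogonType=3 AuthenticationPackageName=NTLM WorkstationName=FRED-LAPTOP
2016-10-03T09:04:12 host=SUE-LAPTOP TargetUserName=sue LogonType=2 AuthenticationPackageName=Kerberos WorkstationName=SUE-LAPTOP
2016-10-03T09:06:40 host=FILESRV TargetUserName=sue LogonType=3 AuthenticationPackageName=NTLM WorkstationName=SUE-LAPTOP
2016-10-03T09:30:00 host=FILESRV TargetUserName=alice LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=ALICE-PC
"""

def parse_events(text):
    """Parse one event per line into a dict; 'time' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def ntlm_network_logons(events):
    """Type-3 (network) logons authenticated with NTLM: what a pass-the-hash logon leaves on its target."""
    return [e for e in events
            if e["LogonType"] == "3" and e["AuthenticationPackageName"] == "NTLM"]

def find_hop_chains(events, window=timedelta(minutes=30)):
    """Pair an NTLM logon landing on host B with a later NTLM logon leaving B for
    a third host under a different account within `window`: the slide's pattern
    of reaching B with one hash and moving on with a hash harvested on B."""
    hops = sorted(ntlm_network_logons(events), key=lambda e: e["time"])
    chains = []
    for first in hops:
        for second in hops:
            gap = second["time"] - first["time"]
            if (second["WorkstationName"] == first["host"]
                    and second["host"] != first["WorkstationName"]
                    and second["TargetUserName"] != first["TargetUserName"]
                    and timedelta(0) < gap <= window):
                chains.append((first, second))
    return chains

def describe(chain):
    first, second = chain
    return (f"{first['WorkstationName']} -> {first['host']} as {first['TargetUserName']}, "
            f"then {second['WorkstationName']} -> {second['host']} as {second['TargetUserName']}")
```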
15. P-T-H SOLUTION – PASS THE HASH ATTACKS
• VSM uses a Hyper-V powered secure execution environment to protect derived credentials – you can get things in but can’t get things out
• Decouples the NTLM hash from the logon secret
• Fully randomizes and manages a full-length NTLM hash to prevent brute-force attacks
• Derived credentials that the VSM-protected LSA Service gives to Windows are non-replayable
16. VIRTUAL SECURE MODE (VSM)
• VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
• VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised
• Requires processor virtualization extensions (e.g. VT-x, VT-d)
• VSM runs the Windows kernel and a series of Trustlets (processes) within it
26. Comprehensive network security must address Pass-the-Hash
• It still requires attention
• The understanding of the problem is necessary
• New Windows mitigations are available: local account protections, domain account protections, protected domain accounts, authentication policies and silos
Is the problem solved? No!
29. PAM – A collection of best practices
• AD Bridge: use AD credentials to access Unix/Linux hosts
• Privilege Delegation: once the user is logged on, manage what they can do
• Session Management: managed list of resources the user is authorized to access; gateway proxy capability; audit of all session activity
• Password & SSH Key Management: automate the management of functional account passwords and SSH keys
30. Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords and keys are released and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Diagram: Privileged Password Management (People, Services, A2A), Privileged Session Management, SSH Key Management
31. Privileged Session Management
• User authenticates to Password Safe (HTTPS) and requests a session to a protected resource
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
• RDP/SSH session is proxied through the Password Safe appliance
Diagram: User → (HTTPS, RDP/SSH) → Password Safe (Proxy) → (RDP/SSH) → Protected Resources
40. What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
41. Market Validation
• Leader: Forrester PIM Wave, Q3 2016
  − Top-ranked Current Offering (product) among all 10 vendors reviewed
  − “BeyondTrust excels with its privileged session management capabilities.”
  − “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
  − Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
  − OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
  − SC Magazine: “Recommended product.”
  − … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester