How Cyber Criminals Steal Passwords via Pass-the-Hash and Other Attack Methods
Paula Januszkiewicz
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT
Contact: paula@cqure.us | http://cqure.us @paulacqure
@CQUREAcademy
Upcoming Workshops
17th – 19th of October, New York, NY – Troubleshooting and Monitoring Windows Infrastructure – From Zero to Hero
Please contact our office in the United States and mention BeyondTrust! info@cqure.us
Exclusive discounts for all attendees in today’s seminar.
What is the most successful path for the attack right now?
THE ANATOMY OF AN ATTACK
Healthy Computer → User Receives Email → User Lured to Malicious Site → Device Infected with Malware → HelpDesk Logs into Device → Identity Stolen, Attacker Has Increased Privs
TODAY’S SECURITY CHALLENGE: “PASS THE HASH” ATTACKS
PASS THE HASH TECHNIQUE
[Diagram: Fred’s Laptop – Fred’s User Session (User: Fred, Password hash: A3D7…) and Malware Session (User: Administrator, Password hash: E1977…); Sue’s Laptop – Sue’s User Session (User: Sue, Password hash: C9DF…) and Malware User Session (User: Adm…, Hash: E1977); File Server – User: Sue, Hash: C9DF]
1. Fred runs malware; he is a local administrator
2. There is a Pass the Hash session established with another computer
3. Malware infects Sue’s laptop as Fred
4. Malware infects the file server as Sue
P-T-H SOLUTION: VIRTUAL SECURE MODE (VSM)
• VSM uses a Hyper-V powered secure execution environment to protect derived credentials – you can get things in but can’t get things out
• Decouples the NTLM hash from the logon secret
• Fully randomizes and manages the full-length NTLM hash to prevent brute force attack
• Derived credentials that the VSM-protected LSA Service gives to Windows are non-replayable
• VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
• VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised
• Requires processor virtualization extensions (e.g. VT-x, VT-d)
• VSM runs the Windows Kernel and a series of Trustlets (processes) within it
Virtual Secure Mode (VSM)
[Diagram labels: Hyper-Visor; Windows Apps; VSM Trustlets: Local Security Auth Service, Virtual TPM, Code Integrity]
Windows 10: Local Account (screenshot)
Windows 10: Domain Account (screenshot)
…and reboot the machine
VSM Enabled Windows 10: VSM Enabled (screenshot)
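As an added example (not part of the deck), a PowerShell check for whether VSM and the VSM-protected LSA (Credential Guard) are actually running after the enable-and-reboot step; it reads the documented Win32_DeviceGuard WMI class and the DeviceGuard/Lsa registry values, and assumes a Windows 10 host on which that class exists.

```powershell
# Added example, not from the deck: report whether Virtualization Based Security (VSM)
# and the Credential Guard trustlet are configured and actually running on this host.
# Assumes Windows 10 with the documented Win32_DeviceGuard class; run in an elevated shell.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled, not running (reboot required)'; 2 = 'Running' }
# SecurityServicesConfigured / SecurityServicesRunning: 0 = none,
# 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI)
$svcName = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }

$configured = @($dg.SecurityServicesConfigured) | ForEach-Object { $svcName[[int]$_] }
$running    = @($dg.SecurityServicesRunning)    | ForEach-Object { $svcName[[int]$_] }

# The registry values that the "enable VSM ... and reboot the machine" step writes:
# EnableVirtualizationBasedSecurity (1 = on) and LsaCfgFlags
# (0 = off, 1 = Credential Guard with UEFI lock, 2 = without lock). Missing values read as $null.
$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$enableVbs = (Get-ItemProperty -Path $dgKey  -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
$lsaCfg    = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).LsaCfgFlags

$report = [pscustomobject]@{
    VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured     = ($configured -join ', ')
    ServicesRunning        = ($running -join ', ')
    CredentialGuardRunning = [bool](@($dg.SecurityServicesRunning) -contains 1)
    RegistryEnableVbs      = $enableVbs
    RegistryLsaCfgFlags    = $lsaCfg
}
$report | Format-List

# "Configured but not running" usually means the reboot from the slides has not happened yet,
# or the host lacks the virtualization extensions (VT-x/VT-d) that VSM requires.
if ($report.CredentialGuardRunning) {
    Write-Output 'Credential Guard is running: logon secrets are isolated in VSM.'
} elseif (@($dg.SecurityServicesConfigured) -contains 1) {
    Write-Warning 'Credential Guard is configured but not running; reboot and check prerequisites.'
} else {
    Write-Warning 'Credential Guard is not configured on this host.'
}
```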
Comprehensive network security must address Pass-the-Hash
• It still requires attention
• The understanding of the problem is necessary
• New Windows mitigations are available:
  − Local account protections
  − Domain account protections
  − Protected domain accounts
  − Authentication policies and Silos
Is the problem solved? No!
PowerBroker Password Safe v6.0
Martin Cannard – Product Manager
PAM – A collection of best practices
• AD Bridge: Use AD credentials to access Unix/Linux hosts
• Privilege Delegation: Once the user is logged on, manage what they can do
• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
[Diagram labels: Privileged Password Management (People, Services, A2A); Privileged Session Management; SSH Key Management]
Privileged Session Management
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
• User authenticates to Password Safe (HTTPS) and requests a session to a protected resource
• The RDP/SSH session is proxied through the Password Safe appliance to the protected resources
Differentiator: Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
Differentiator: Controlling Application Access
Automatic Login to ESXi example
[Diagram labels: Browser; HTTPS; RDP Client; RDP (4489); vSphere RemoteApp; RDP (3389); ESX; User selects vSphere application and credentials; Credential Checkout; Credential Management; User Store; Session Recording / Logging]
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
[Diagram labels: Browser; HTTPS; RDP Client; SSH (22); SSH Application; SSH (22); User selects SSH application and credentials; Credential Checkout; Session Recording / Logging]
Differentiator: Reporting & Analytics
• Actionable Reporting
• Advanced Threat Analytics
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Market Validation
• Leader: Forrester PIM Wave, Q3 2016
  − Top-ranked Current Offering (product) among all 10 vendors reviewed
  − “BeyondTrust excels with its privileged session management capabilities.”
  − “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
  − Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
  − OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
  − SC Magazine: “Recommended product.”
  − … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester
Poll
Q&A
Thank you for attending!