
Blue Team on a Budget: Defending Your Network with Free Tools


This presentation focuses on free/cheap tools you can use to better defend your network and Active Directory environment.

  1. Blue Team on a Budget: Defending your network with free tools
  2. Agenda • Who’s this guy? • Inspiration for this talk (spoiler: it was rage) • My first breach response (a tale of tears and fears) • Let’s do some blue teaming on a budget!
  3. Who’s this guy? • Security engineer for 7 Minute Security • Podcaster (in 7-minute chunks!) • Neither of these Brian Johnsons • Super tiny movie star
  4. Why this talk? • I don’t like when vendors spew FUD (fear/uncertainty/doubt) • I don’t like when vendors are condescending
  5. My first breach response: A personal tale of tears and fears
  6. Application log
  7. System log
  8. Security log
  9. Firewall log
  10. To make matters worse… • Spotty AV deployment • Cringe-worthy patching • No centralized logging/alerting • Weak password policy
  11. Verdict? “Burn and rebuild”
  12. How do we NOT suffer the same fate? Let’s defend our network with free stuff!
  13. He’s back!
  14. I Got Worms!
  15. Anatomy of an attack: Password spraying
  16. 1. Try “Winter2017!” for all domain users 2. Wait 30-60 minutes 3. Try another weak password (“Spring2018!”) 4. Rinse and repeat
  17. Why is Winter2017! a bad password? It is and it isn’t…
  18. Defending against password spraying
  19. Up the policy requirements? • Microsoft recommends minimum password length: 14
  20. Up the policy requirements? • Microsoft recommends minimum password length: 14 • “Wait… won’t people just use ‘WinterWinter2017!’?”
  21. CredDefense: a sweet suite of tools to help you boost your network defenses! My favorite feature? A better password filter!
  22. Setting your Active Directory password. Lloyd: “Hi, I’d like to change my password to Winter2017!” Domain controller: “Sure, one sec, let me check the password requirements!”
  23. Setting your Active Directory password. Domain controller: “Winter2017! fits the bill! Password changed!”
  24. Setting your Active Directory password (now with the password filter). Lloyd: “Hi, I’d like to change my password to Winter2017!” Domain controller: “Sure, one sec, let me check the password requirements!”
  25. Setting your Active Directory password (now with the password filter). Domain controller: “Winter2017! fits the bill! Buuuuuut I need to check one other source, one moment please…”
  26. Setting your Active Directory password (now with the password filter). Domain controller: “Wait a sec! Your password contains a word on my no-no list!”
  27. Setting your Active Directory password (now with the password filter). Domain controller: “Sorry Lloyd, please try a better password.” Lloyd: “I wonder who else in my company has picked bad passwords!”
  28. Auditing Active Directory passwords
  29. Auditing Active Directory passwords
  30. Anatomy of an attack: “Responder”
  31. “Responder” attacks (The user meant to type igw-srv01)
  32. “Responder” attacks. Lloyd’s PC: “Hey, do you know a machine called IGW-SRVV01?” DNS server: “Sorry, I haven’t heard of it.” Lloyd’s PC: “Aaaaaaaaaaaaanybody else?” Bad guy: “Yes! That’s me! Send credentials!” Lloyd’s PC: “You got it! Here it comes!”
  33. “Responder” attacks
  34. “Responder” attacks
  35. Defending against “Responder” attacks
  36. Defending against “Responder” attacks
  37. Defending against “Responder” attacks
  38. Defending against “Responder” attacks
  39. Defending against “Responder” attacks
  40. Anatomy of an attack: Lateral movement via local admin
  41. Lateral movement
  42. Lateral movement
  43. Lateral movement (diagram: Lloyd’s PC, Harry’s PC, Mary’s PC, File server, Database server and Email server all share the local admin password P@ssword1)
  44. Defending against local admin lateral movement
  45. Local Administrator Password Solution • Strengthens and randomizes local Administrator passwords per machine • Free (!) from Microsoft • Creds are stored securely in Active Directory • A “set it and forget it” solution
  46. Local Administrator Password Solution. Requirements: • A few GPOs to push LAPS install • A workstation to manage passwords from
  47. Local Administrator Password Solution
  48. Local Administrator Password Solution
  49. Lateral movement? Nope! (diagram: with LAPS in place, P@ssword1 gets a “Nope!” from Lloyd’s PC, Harry’s PC, Mary’s PC, File server, Database server and Email server)
  50. WEFFLES are delicious! (Windows Event Logging Forensic Logging Enhancement Services) Not this!
  51. WEFFLES (diagram: Lloyd’s PC, Harry’s PC, Mary’s PC, File server, Database server and Email server forward their event logs to WEFFLES)
  52. WEFFLES – signs of compromise. Event 1102: “Somebody cleared the security log!”
  53. WEFFLES – signs of compromise. Event 4720: “New user accounts created”
  54. WEFFLES – signs of compromise. Event 4720: “New user accounts created”
  55. Set a trap with a canary
  56. Setting traps with canaries
  57. Setting traps with canaries
  58. Setting traps with canaries
  59. Setting traps with canaries
  60. Setting traps with canaries
  61. Scan all the things!
  62. Vulnerability scanning. Remember EternalBlue? • Exploit developed by NSA • Leaked in April 2017 • Takes advantage of weaknesses in SMB protocol • Is still unpatched in many orgs • Easy to exploit
  63. Vulnerability scanning
  64. Vulnerability scanning • Not free but relatively cheap (~$2k) • Identifies missing patches and misconfigurations • Easily schedule scans w/email alerts on critical items
  65. Vulnerability scanning. Reporting is a little… yawn.
  66. Vulnerability scanning • Cheap! ($65) • Makes pretty pictures from data
  67. Vulnerability scanning
  68. Vulnerability scanning
  69. Vulnerability scanning
  70. Vulnerability scanning
  71. Recap • Use good passwords – on domain and local accounts • CredDefense and LAPS can help! • Not collecting event logs? Start for free w/WEFFLES! • Be aware of “responder” attacks • Scan and patch all your network things!
  72. Questions?
  73. Thank you! @7MinSec brian@7MinSec.com www.7ms.us (podcast)
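Slides 22 through 27 walk through the two-stage check: the domain controller first applies its own policy, then consults the password filter's "no-no list", which is how it catches "WinterWinter2017!" from slide 20 even though that string satisfies the length rule. The following Python is an added example written for this page, not CredDefense's code. The banned-word list, the leet-substitution table and the sample passwords are constructed, and the "three of four character classes" rule stands in for the default Active Directory complexity setting.

```python
import re
from typing import Optional

# Microsoft's recommended minimum length, as quoted on the slides.
RECOMMENDED_MIN_LENGTH = 14

# Constructed sample "no-no list". A real list would be far larger:
# seasons and months, the company name, local sports teams, breached
# passwords, and so on.
BANNED_WORDS = {"winter", "spring", "summer", "autumn", "password",
                "welcome", "letmein", "qwerty"}

# Substitutions that users (and password crackers) both know about.
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s",
                            "!": "i"})


def normalize(password: str) -> str:
    """Lowercase, undo common leet substitutions and drop everything that
    is not a letter, so that 'W1nt3r2017!' and 'WinterWinter2017!' both
    expose the word 'winter' to the banned-word check."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_TABLE))


def check_domain_policy(password: str, min_length: int = 8) -> Optional[str]:
    """Stage 1: the built-in domain policy (length plus the classic
    'three of four character classes' complexity rule). Returns a reason
    string when the password fails, None when it passes."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        return "needs at least three of: upper, lower, digit, symbol"
    return None


def check_banned_words(password: str) -> Optional[str]:
    """Stage 2: the extra source the domain controller consults. Works on
    the normalized form so padding, repetition, digits and symbols do not
    hide a banned word."""
    plain = normalize(password)
    for word in sorted(BANNED_WORDS):
        if word in plain:
            return f"contains banned word '{word}'"
    return None


def evaluate_password(password: str, min_length: int = 8) -> Optional[str]:
    """Run both stages in the order the slides describe. None means the
    change is accepted; otherwise the rejection reason is returned."""
    return check_domain_policy(password, min_length) or check_banned_words(password)


if __name__ == "__main__":
    for candidate in ["Winter2017!", "WinterWinter2017!", "P@ssword1",
                      "Blue-Team-Budget-2018"]:
        verdict = evaluate_password(candidate, RECOMMENDED_MIN_LENGTH) or "accepted"
        print(f"{candidate:25} -> {verdict}")
```

With the default 8-character minimum, "Winter2017!" sails through stage 1 and is only stopped by the banned-word check, which is the point of slides 17 and 25. Raising the minimum to 14 alone does not help against "WinterWinter2017!"; the normalization step does.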
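Slides 52 through 54 single out events 1102 and 4720 as signs of compromise once logs are being collected centrally, and slide 16 gives the shape of a password spray (one password, every user, wait, repeat). The following Python is an added example, not part of the talk or of the WEFFLES project: it runs three detection rules over a constructed sample of forwarded Security-log events. The spray rule keys on failed-logon event 4625, which the slides do not mention; the 30-minute window, the five-account threshold, and every host name, account name and IP address are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_logon(stamp, user, ip, computer="DC01"):
    """Build a reduced 4625 (failed logon) record. Constructed data."""
    return {"EventID": 4625, "Computer": computer, "TimeCreated": stamp,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample of events a WEF collector might have gathered,
# reduced to the fields the rules below need. Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # Six different accounts, one failure each, from the same source
    # inside a few seconds: the first round of a spray.
    _failed_logon(f"2018-03-01T09:00:{i:02d}", user, "10.0.0.50")
    for i, user in enumerate(["lloyd", "harry", "mary", "jdoe", "admin", "svc_backup"])
] + [
    _failed_logon("2018-03-01T09:45:10", "lloyd", "10.0.0.50"),  # next round, 45 min later
    _failed_logon("2018-03-01T09:03:30", "mary", "10.0.0.77"),   # a single typo from Mary's own PC
    {"EventID": 4720, "Computer": "FILESRV", "TimeCreated": "2018-03-01T10:12:00",
     "SubjectUserName": "svc_backup", "TargetUserName": "helpdesk2"},
    {"EventID": 1102, "Computer": "FILESRV", "TimeCreated": "2018-03-01T10:15:42",
     "SubjectUserName": "svc_backup"},
]


def flag_log_clears(events):
    """Event 1102: somebody cleared the security log. Always worth an alert."""
    return [f"{e['Computer']}: security log cleared by {e.get('SubjectUserName', '?')} "
            f"at {e['TimeCreated']}"
            for e in events if e["EventID"] == 1102]


def flag_new_accounts(events):
    """Event 4720: a new user account was created. Report who created whom."""
    return [f"{e['Computer']}: account {e['TargetUserName']} created by "
            f"{e.get('SubjectUserName', '?')} at {e['TimeCreated']}"
            for e in events if e["EventID"] == 4720]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """One source, many distinct accounts, few failures each: the shape of
    the spray from slide 16. Spraying stays under each account's lockout
    threshold, so instead of counting failures per account this rule counts
    distinct target accounts per source inside a sliding time window.
    Returns [(ip, distinct_accounts)] for every source over the threshold."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    alerts = []
    for ip, attempts in by_source.items():
        attempts.sort()
        start, most = 0, 0
        for end in range(len(attempts)):
            # Advance the window's left edge until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            most = max(most, len({user for _, user in attempts[start:end + 1]}))
        if most >= min_users:
            alerts.append((ip, most))
    return alerts


def run_rules(events):
    """Run every rule and return the alerts grouped by rule name."""
    return {"log_cleared": flag_log_clears(events),
            "new_account": flag_new_accounts(events),
            "password_spray": detect_password_spray(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"[{rule}] {hits or 'no hits'}")
```

The 1102 and 4720 rules are deliberately simple: with centralized collection in place, a single hit on either is enough to page someone, and the alert text carries the host, the actor and the time so the responder does not have to go back to the raw event. The spray rule is the one that needs the central view, since each forwarding host on its own sees too few failures to notice anything.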
