
CrowdCasts Monthly: Mitigating Pass the Hash

Sixteen years after it was first described, Pass the Hash (PtH) is still one of the most common techniques a targeted attacker uses to compromise a network. Many blogs, webinars, and papers have covered PtH mitigation strategies, yet networks are still continuously attacked and infiltrated using this technique. It is time to look at the problem holistically and apply the community's collective intelligence to make PtH one of the most difficult techniques for a targeted attacker to use.


  1. Mitigating Pass the Hash: CrowdStrike's Holistic Approach
  2. Agenda
     • Introductions
     • Overview of Pass the Hash
     • Building a Strong Foundation
     • Protection of Critical Accounts (Not Just Domain Admins)
     • Taking it to Another Level of Security
     • Resources / Q & A
     2013 CrowdStrike, Inc. All rights reserved. @CROWDSTRIKE | #CROWDCASTS
  3. Today's Speakers: Chris Price, Director
     – Prior to CrowdStrike: Mandiant, Deloitte, George Washington University
     – 12+ years conducting incident response investigations, litigation support, and financial crime investigations
     – Connect: services@crowdstrike.com
  4. Today's Speakers: Christopher Scott, Principal Consultant
     – Prior to CrowdStrike: defended networks for the Defense Industrial Base (DIB)
     – 15+ years conducting security assessments, incident response, insider threat analysis, and security architecture
     – Connect: services@crowdstrike.com
  5. Who is CrowdStrike?
     – Intelligence: Government-Quality Intelligence for the Private Sector
     – Services: Focused on Pre- and Post-Incident Response
     – Technology: Big Data Active Defense Platform that Links the Who, What, and Why
     – MIT's Top 50 Most Disruptive Companies for 2013
  6. About CrowdStrike Services
     – Comprehensive Offerings: Incident Response Investigations, Proactive Threat Assessments, IR Program Development
     – Industry Veterans: Average of Ten Years IR Industry Experience; Backgrounds in IR Consulting, Government, and Defense; Specialists in a Broad Range of Technologies
     – Variety of Customer Verticals: Finance, Technology, Manufacturing, Retail, Healthcare, Telecommunications, Oil & Gas, Entertainment
     – Who (Adversary), What (Malware), Why (Intent)
  7. Intelligence: Adversary Groups (Umbrella Terms)
     – China: Panda
     – Russia: Bear
     – Iran: Kitten
     – North Korea: Chollima
     – India: Tiger
     – Hacktivist / Activist / Terrorist: Jackal
     – Criminal: Spider
  8. OVERVIEW OF PASS THE HASH
  9. Overview of Pass the Hash (diagram slide)
  10. (diagram slide, no text)
  11. Overview of Pass the Hash (diagram slide)
  12. BUILDING A STRONG FOUNDATION
  13. Building a Strong Foundation – Local Administrator
     • Disabling the Local Administrator Account
       – Common Attack Vector
       – Used by Attackers for Lateral Movement
       – Safe Mode Enables It
       – Disable Utilizing GPO
     "The user's going to pick dancing pigs over security every time" – Bruce Schneier
  14. Building a Strong Foundation – Logging and Alerting
     • Proper Logging and Alerting
       – Authentication Requests
       – Centralized System
       – Near Real Time
       – Splunk / Kiwi Syslog / Syslog / Other
       – Splunk Universal Log Forwarder / Snare Agent
       – Alerts Needed
         • Ability to Alert on Events
         • Preferably Alert by Email to Custom Recipients
  15. Building a Strong Foundation – User Workstation Rights
     • Limiting Local Administrator Privileges for End Users
       – Do ALL Users Need Administrator Rights?
       – Look to Create Multiple Accounts for a User
         • One Elevated Account
         • One Standard User Account
       – Helps Limit the Ability for Malware to Harvest Credentials
         • Must Have Administrator Privileges to Harvest Cached Credentials
  16. Building a Strong Foundation – Separation of Duties
     • Separation of Duties by Account
       – User Account (JohnDoe): ONLY a Standard User
       – Domain Admins (DA-JohnDoe)
         • Only Created for Those That ABSOLUTELY Need It
       – Server Admins (SA-JohnDoe)
         • Can Be One Layer
         • If Needed Can Be Multiple Layers: IIS, SQL, File and Print Admin
       – Workstation Admins (WA-JohnDoe)
         • These Accounts Are Most Vulnerable
     "Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users." – R. A. Botha and J. H. P. Eloff, IBM Systems Journal
  17. PROTECTION OF CRITICAL ACCOUNTS
  18. Protection of Critical Accounts – Domain Admins
     • Domain Admins and Enterprise Admins
       – Create a Custom Security Group: "Restricted Domain Admins"
         • Allows for Adding in Multiple Accounts
         • Allows for Business Cases Where You Need a Temporary Domain Admin for All Computers
       – Key GPO Settings for Controlling Access
         • Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment
           – Deny log on locally
           – Deny log on as a batch job
           – Deny log on as a service
           – Deny log on through Remote Desktop Services
       – Apply GPO to ALL Computers Except Domain Controllers
  19. Protection of Critical Accounts – Server Admins
     • Server Admins
       – Create Security Group: "Server Admins"
       – Servers Should Be Migrated to Organizational Units
         • Allows Applying Custom GPOs by OU
       – Key GPO for Controlling Access
         • Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
           – Create Group: "Administrators"
           – Add Security Group "Server Admins" to "Administrators"
       – Create Multiple Layers of Security as Needed by Your Organization
         • SQL Admins, IIS Admins, ...
         • Helps in Compliance Audits (Sarbanes-Oxley)
       – Keep Separation of Duties
  20. Protection of Critical Accounts – Workstation Admins
     • Workstation Admins
       – Create Security Group: "Workstation Admins"
       – Workstations Should Be Migrated to Organizational Units
       – Similar GPO Setup as Server Admins
         • Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
           – Create Group: "Administrators"
           – Add Security Group "Workstation Admins" to "Administrators"
  21. Recap of Where We Stand
     • Local Administrator Account – Disabled
     • Logging and Alerting – Centralized System
     • User Permissions – Limited to What Is Practical
     • Domain Admins – Limited to Domain Controllers
     • Server Admins – Limited to Servers
     • Workstation Admins – Limited to Workstations
     • Cached Credentials Will Still Be Harvested at Some Point
  22. TAKING IT TO ANOTHER LEVEL
  23. Taking It to Another Level – Password Control
     • Limiting Validity of Cached Credentials
       – Web Application for Password Assignment
         • Authenticate Using Two-Factor Authentication (TFA)
         • Only Need ONE TFA Token – No Token Necklace
         • Present User with Account Options
           – Domain Admin
           – Server Admin
           – Workstation Admin
         • Randomize Password
     "Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months." – Clifford Stoll
  24. Taking It to Another Level – Password Control
     • Account Expiration
       – accountExpires LDAP Value
       – Set to an Acceptable Time Frame with the Web Application
         • ~4 Hours
         • More or Less Depending on Your Organization
     • User Controlling Cached Credentials
       – Allow Users to Expire the Account Through the Web Application
       – When an Account Is Expired, Credentials Are NO LONGER VALID
  25. Taking It to Another Level – Log Alerting
     • Log Monitoring and Alerting
       – Alert Users on Privileged Account Usage
         • Train users to notify management on unexpected notices
         • For highly sensitive accounts, you can notify management on logon
       – Alert When Expired Credential Use Is Attempted
         • Establish escalation procedures
         • Establish response procedures
       – Alert on Group Changes
         • Monitor Domain Admins, Enterprise Admins, Restricted Domain Admins, Server Admins, Workstation Admins
         • Alert on ANY change to group membership – adds or deletes
  26. ADVANTAGES & CONCLUSION
  27. Advantages of the Solution
     • Credentials Restricted to Needed Assets
     • Credentials Have Limited Validity
     • Lateral Movement Capabilities Significantly Reduced
     • Business Processes Are Still Functional
     • Logging and Alerting Provides Warnings of Potential Credential Theft
     • Almost NO COST to Implement
       – Small Amount of Labor
       – Some Process Changes
  28. Conclusion
     • Pass the Hash Is a REAL Threat Today
     • Many Networks ARE Susceptible to This Attack
     • You CAN Protect Your Network
     • This Solution HAS Protected Networks
     • Attackers CANNOT Use Expired Credentials
     • Alerts WILL Notify of Credential Usage
     • AFFORDABLE for Any Business
  29. Q & A
     For additional details on CrowdStrike products and offerings, contact sales@crowdstrike.com.
     Next up: "You Have an Adversary Problem. Who's Attacking You and Why?" – October 16th, 2PM ET / 11AM PT
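The GPO work on slides 18–20 only helps if it actually lands on every member server and workstation. The following PowerShell is an added verification script, not part of the CrowdStrike deck: it exports the local security policy with `secedit` and checks that the "Restricted Domain Admins" group holds all four deny-logon rights from slide 18, then checks that the local Administrators group contains only the tier group the Restricted Groups policy assigns. The group names are the deck's; the domain is read from the environment, and `Get-LocalGroupMember` assumes Windows PowerShell 5.1 or later. Run it elevated on a member host, not on a domain controller (the deck excludes DCs from the GPO).

```powershell
$DenyRights = [ordered]@{                    # constant name -> GPO setting on slide 18
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Get-DomainGroupSid([string]$Name) {
    # Resolve DOMAIN\Name to its SID; secedit stores rights holders as SIDs.
    $acct = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-DenyLogonRights {
    param([string]$GroupName = 'Restricted Domain Admins')   # group name from slide 18
    $sid = Get-DomainGroupSid $GroupName
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null               # needs an elevated prompt
    try {
        $policy = Get-Content $cfg
        foreach ($const in $DenyRights.Keys) {
            # Exported form: SeDenyServiceLogonRight = *S-1-5-21-...-1105,*S-1-5-...
            $line = $policy | Where-Object { $_ -match "^$const\s*=" } | Select-Object -First 1
            [pscustomobject]@{
                Right    = $DenyRights[$const]
                Enforced = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
            }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Test-LocalAdministrators {
    # Restricted Groups (slides 19-20) should leave only the tier group in the local
    # Administrators group. The built-in Administrator cannot be removed from that group,
    # so it is tolerated here; slide 13 disables the account instead.
    param([string]$ExpectedGroup = 'Server Admins')   # use 'Workstation Admins' on workstations
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $extra = $members | Where-Object { $_ -notlike "*\$ExpectedGroup" -and $_ -notlike '*\Administrator' }
    [pscustomobject]@{ Members = $members; UnexpectedMembers = @($extra) }
}

Test-DenyLogonRights | Format-Table -AutoSize
Test-LocalAdministrators | Format-List
```

Any row with `Enforced = False`, or any name under `UnexpectedMembers`, means the host is outside the OU the GPO targets or the policy has not applied yet.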
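Slides 23–24 describe a web application that hands out a random password for a tiered account and sets `accountExpires` so the credential dies after roughly four hours. The directory side of that workflow, as an added example that is not the deck's own code: the web front end and the two-factor check are out of scope, the DA-/SA-/WA- account names follow slide 16, and the cmdlets are from the RSAT ActiveDirectory module, run under an operator account allowed to reset these accounts.

```powershell
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # Alphabet without look-alike characters; the password is shown once in the web
    # app and may be read aloud, so avoid l/1/I and O/0.
    $chars = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling keeps every character equally likely (no modulo bias).
        if ($buf[0] -lt 256 - (256 % $chars.Length)) {
            [void]$sb.Append($chars[$buf[0] % $chars.Length])
        }
    }
    $sb.ToString()
}

function Grant-PrivilegedSession {
    # Reset the elevated account to a fresh random password and set accountExpires so
    # the password, and any hash of it harvested later, stops working after $Hours.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'SA-JohnDoe' (slide 16 naming)
        [double]$Hours = 4                               # slide 24 suggests ~4 hours
    )
    $plain  = New-RandomPassword
    $expiry = (Get-Date).AddHours($Hours)
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expiry   # writes accountExpires
    [pscustomobject]@{ Account = $SamAccountName; Password = $plain; ExpiresAt = $expiry }
}

function Revoke-PrivilegedSession {
    # The user-initiated "expire now" on slide 24. New logons with the credential fail
    # from this point; sessions that are already open are not torn down by this alone.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddMinutes(-1)
}

# The operator picks "Server Admin" in the web app and is shown the one-time password:
# Grant-PrivilegedSession -SamAccountName 'SA-JohnDoe' | Format-List
# ...and later clicks "expire" when the task is done:
# Revoke-PrivilegedSession -SamAccountName 'SA-JohnDoe'
```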

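Two of the alerts on slide 25 can be driven straight from Windows Security logs: membership changes in the privileged groups the deck lists, and logon attempts rejected because the account had already expired (the slide 24 accounts). The following PowerShell is an added example, not part of the deck: it polls the hosts named in `$LogSources` (an assumption: the domain controllers for group changes and NTLM validation, plus the servers users log on to), and e-mails each hit as slide 14 asks for. Mail settings are placeholders; the "Audit Security Group Management", "Audit Logon" and "Audit Credential Validation" subcategories must be enabled for these events to exist.

```powershell
$LogSources = 'DC01', 'FILESRV01'            # assumed: DCs plus servers users log on to
$MailTo = 'secops@example.com'; $MailFrom = 'ad-alerts@example.com'; $SmtpHost = 'smtp.example.com'  # assumed
$MonitoredGroups = 'Domain Admins', 'Enterprise Admins', 'Restricted Domain Admins',
                   'Server Admins', 'Workstation Admins'                  # slide 25
# 4728/4729 global, 4732/4733 local, 4756/4757 universal group member added/removed.
# 4625 = failed logon at the target host, 4776 = NTLM validation at the DC; in both,
# status 0xC0000193 (STATUS_ACCOUNT_EXPIRED) means an expired account was tried.
$WatchedIds = 4728, 4729, 4732, 4733, 4756, 4757, 4625, 4776

function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-PrivilegedAccountAlert {
    param([datetime]$Since = (Get-Date).AddMinutes(-5))
    foreach ($source in $LogSources) {
        $events = Get-WinEvent -ComputerName $source -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $WatchedIds; StartTime = $Since }
        foreach ($e in $events) {
            $f = Get-EventFields $e
            if ($e.Id -in 4625, 4776) {
                $code = if ($e.Id -eq 4625) { $f['SubStatus'] } else { $f['Status'] }
                if ($code -ne '0xC0000193') { continue }           # -ne is case-insensitive
                $kind = 'EXPIRED CREDENTIAL USED'; $who = $f['TargetUserName']
                $detail = 'from workstation ' + $(if ($e.Id -eq 4625) { $f['WorkstationName'] } else { $f['Workstation'] })
            } else {
                if ($MonitoredGroups -notcontains $f['TargetUserName']) { continue }
                $kind = if ($e.Id -in 4728, 4732, 4756) { 'MEMBER ADDED' } else { 'MEMBER REMOVED' }
                $who = $f['MemberName']; $detail = "group $($f['TargetUserName']) by $($f['SubjectUserName'])"
            }
            [pscustomobject]@{ Time = $e.TimeCreated; Source = $source; Alert = $kind; Account = $who; Detail = $detail }
        }
    }
}

function Send-PrivilegedAccountAlert {
    param([Parameter(ValueFromPipeline)]$Alert)
    process {
        Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpHost `
            -Subject "AD ALERT: $($Alert.Alert) - $($Alert.Account)" -Body ($Alert | Out-String)
    }
}

# Schedule every few minutes on the central logging host from slide 14.
Get-PrivilegedAccountAlert | Send-PrivilegedAccountAlert
```

Kerberos logons that fail for an expired account surface on the DC as 4768/4771 failures rather than 4776, so a site that has disabled NTLM would extend `$WatchedIds` accordingly.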