
The Non-Advanced Persistent Threat


Advanced Persistent Threat (APT) is a term given to attacks that specifically and persistently target an entity. The security community views this type of attack as a complex, sophisticated cyber-attack that can last months or even years. However, new research indicates that these attacks are actually being achieved by much simpler methods.

Imperva's Application Defense Center (ADC) has discovered that data breaches commonly associated with APT require only basic technical skills. As a result, security teams need to fundamentally shift their focus from absolute prevention of intrusion to protecting critical data assets once intruders have gained access to their infrastructure.

This presentation will:
- Expose some powerful, yet extremely simple techniques that allow attackers to efficiently expand their reach within an infected organization
- Show how attackers achieve their goals without resorting to zero-day vulnerabilities and sophisticated exploits
- Discuss how organizations can protect themselves against the advance of such attacks


  1. The Non-Advanced Persistent Threat
     September 17, 2014
     © 2014 Imperva, Inc. All rights reserved. Confidential
  2. Agenda
     § APT
       • Scenario
       • Infamous APTs
     § Non-APTs
       • The non-APT
       • NTLM weaknesses
       • Demo - Poisoning the Well (File Share)
       • More attack scenarios
     § Waiting for good things to come
     § Privilege escalation
       • Demo – SharePoint Poisoning
     § Leftovers
     § Conclusion
  3. Advanced Persistent Threats: What Comes to Mind
  4. What Is APT?
     [Diagram: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate; target: Data Center (File Share / Database)]
  5. A Few Infamous APTs: From Governments to the People
     § CHS
       • Stolen Records ~4,500,000
       • Period ~3 months
       • Initial Compromise – Heartbleed
     § eBay
       • Stolen Records ~145,000,000
       • Period ~2 months
       • Initial Compromise – stolen credentials (phishing / reuse)
     § Target
       • Stolen Records ~70,000,000
       • Period ~3 weeks
       • Initial Compromise – credentials from a partner (HVAC)
  6. Non-Advanced Persistent Threats
  7. The Non-Advanced Persistent Threat
     § What is APT?
       • Advanced
       • Persistent
       • Threat
     § Show an equivalent scenario
       • Not advanced
       • Not persistent (not extremely)
       • Still a threat
  8. Windows NT LAN Manager (NTLM)
     § Authentication protocol designed by Microsoft
     § Messages (challenge-response): Negotiate, Challenge, Response
     § Gives the user the Single Sign On experience
       • Client stores the LM / NT hash (used for authentication)
     § Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…
     § Microsoft says:
       • “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”
       • “Applications are generally advised not to use NTLM”
  9. NTLM Vulnerabilities
     § Pass the Hash (APT1)
       • Because the response is calculated from the LM / NT hash, the hash is equivalent to the plaintext password
     § Weak Response Calculations
       • In early versions, an attacker that has the challenge & response can calculate the LM / NT hash (CloudCracker)
       • Hashes are extracted easily with public tools: Windows Credential Editor (WCE) / QuarksPwDump
     § Relay Attack
 10. Demo: Poisoning the Well
 11. Demo - Poisoning the Well
     [Diagram: Initial Compromise → Poison File Share / SharePoint → Gather Privileges (NTLM Relay) → Exfiltrate; actors Alice and Bob at CatCorp inc.]
 12. Poisoning the Well – File Share
     [Diagram: compromised host; steps 1–3]
 13. Waiting for Good Things to Come
     [Diagram: compromised host; steps 1–2; Firewall, Agent, Data Center (File Share / Database)]
 14. Privilege Escalation
     [Diagram, from a compromised host: SMB Reflect; SMB relay & authenticate; SMB capture (Metasploit); SMB relay & crack]
 15. Demo: SharePoint Poisoning
 16. Demo – SharePoint Poisoning
     CatCorp, Inc. (Alice, Bob)
     Easily skip between protocols: HTTP to SMB / RDP / MSSQL, etc.
 17. Leftovers: What We Left Out and Why
 18. Things We Left Out
     § We didn’t talk about the “edges”
       • Initial Compromise
         § Done with simple methods (phishing, stealing, pay per infection)
         § Security is not equal; attackers go for the weakest link. … recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”
       • Exfiltration
         § Copy stolen data from the asset
         § Use any legitimate cloud service (Google Drive etc.)
     [Diagram: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate]
 19. Conclusion: What Does It All Mean & How to Mitigate?
 20. Conclusion
     § APT is not the sole domain of governments or sophisticated criminal groups
       • No need for zero days
       • Low technical skills
     § NTLM is only a symptom
       • Patching / upgrading does not always happen, especially when it’s costly
       • The SSO experience is convenient for attackers: go from file to DB, Web Server, Exchange, etc.
     § The least confidential locations could prove dangerous
       • Not strictly monitored
 21. Mitigations
     § Upgrade
       • A good idea, but not always feasible
       • Kerberos also has its vulnerabilities (e.g. Pass the Ticket)
     § Monitor authentications to resources
       • Same machine authenticates with several users
       • Same user authenticates from several machines
     § Avoid services that log on to a large number of assets
       • Service authentication can leave behind hashes or tickets, or be used in relay / MITM attacks
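The two monitoring signals on the Mitigations slide (one machine authenticating as several users; one user authenticating from several machines) can be implemented as a simple pass over authentication logs. The Python below is an added example written for this page, not Imperva's code or anything from the deck: its key=value log format, the host and user names, and the thresholds are constructed assumptions, so adapt them to your own authentication telemetry (for example domain controller logon events exported as key=value lines).

```python
"""Flag the two NTLM/SSO abuse signals the Mitigations slide asks defenders to
monitor: one source machine authenticating as several different users, and
one user (often a service account) authenticating from several machines.

Added example for this page, not Imperva's code. The key=value log format,
host/user names and thresholds are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample log, one authentication event per line. WS-CAROL stands
# in for a compromised workstation that ends up authenticating as other
# people; svc_backup stands in for a service account that logs on to many
# assets. The last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2014-09-17T09:00:01Z src=WS-ALICE user=alice target=FILESRV01 proto=NTLM
2014-09-17T09:00:07Z src=WS-BOB user=bob target=FILESRV01 proto=NTLM
2014-09-17T09:01:12Z src=WS-BOB user=bob target=SHAREPOINT proto=NTLM
2014-09-17T09:02:30Z src=WS-CAROL user=carol target=FILESRV01 proto=NTLM
2014-09-17T09:02:31Z src=WS-CAROL user=alice target=FILESRV01 proto=NTLM
2014-09-17T09:02:33Z src=WS-CAROL user=bob target=DBSRV01 proto=NTLM
2014-09-17T09:02:40Z src=WS-CAROL user=svc_backup target=DBSRV01 proto=NTLM
2014-09-17T09:10:00Z src=FILESRV01 user=svc_backup target=DBSRV01 proto=NTLM
2014-09-17T09:10:05Z src=SHAREPOINT user=svc_backup target=FILESRV01 proto=NTLM
this line is malformed and must be skipped
"""

# Assumed line layout: timestamp, then fixed key=value fields in this order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"target=(?P<target>\S+) proto=(?P<proto>\S+)$"
)


def parse_auth_log(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_auth_anomalies(events, max_users_per_src=2, max_srcs_per_user=2):
    """Return two dicts describing the slide's monitoring signals.

    noisy_srcs:    source host -> sorted users it authenticated as, for hosts
                   exceeding max_users_per_src (one machine, many users).
    roaming_users: user -> sorted source hosts, for users exceeding
                   max_srcs_per_user (one user, many machines).
    The thresholds are tuning knobs; a laptop plus a desktop per user is
    normal, so the defaults only flag three or more.
    """
    users_by_src = defaultdict(set)
    srcs_by_user = defaultdict(set)
    for ev in events:
        users_by_src[ev["src"]].add(ev["user"])
        srcs_by_user[ev["user"]].add(ev["src"])
    noisy_srcs = {src: sorted(users) for src, users in users_by_src.items()
                  if len(users) > max_users_per_src}
    roaming_users = {user: sorted(srcs) for user, srcs in srcs_by_user.items()
                     if len(srcs) > max_srcs_per_user}
    return noisy_srcs, roaming_users


def summarize(noisy_srcs, roaming_users):
    """Render the anomalies as one human-readable line each."""
    lines = []
    for src, users in sorted(noisy_srcs.items()):
        lines.append(f"source {src} authenticated as {len(users)} users: "
                     + ", ".join(users))
    for user, srcs in sorted(roaming_users.items()):
        lines.append(f"user {user} authenticated from {len(srcs)} machines: "
                     + ", ".join(srcs))
    return lines


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_LOG)
    for line in summarize(*find_auth_anomalies(parsed)):
        print(line)
```

On the constructed sample this reports WS-CAROL (four distinct users from one workstation) and svc_backup (one account seen from three machines), which are exactly the two patterns the slide names; the ordinary alice and bob logons are not reported. In a real environment, run the same grouping per time window and per target so that a burst of distinct identities from one host toward a file share or SharePoint server stands out against that host's own baseline.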
 22. www.imperva.com
