
Silent cold war - Compromising Government Networks


How government networks can be compromised silently through abuse of trust. Governments rely heavily on third parties, from minor tasks like shipping to major tasks like database management. The trust between a government network and those third parties can be abused silently using Shadow Admins and Kerberos delegation.

Published in: Technology

  1. Silent Cold War: How Government Networks Can Be Compromised Silently. Lavi Lazarovitz, CyberArk Security Research
  2. 4.5M / 22.5M
  3. “This is crown jewels material… a gold mine for a foreign intelligence service.” (Joel Brenner, former NSA Senior Counsel) “… a treasure trove of information that is available to the Chinese until the people represented by the information age off. There’s no fixing it.” (Michael Hayden, former Director of the CIA)
  4. My Name Is… Lavi Lazarovitz; Security Research @ CyberArk Labs; research areas: authentication protocols, privilege escalation and persistency, cloud security; contributor to the CyberArkLabs GitHub repo; former pilot and intelligence officer for the IAF.
  5. Timeline of the Attack (2012 to 2015): initial foothold, July; Mar: US-CERT notified OPM about a breach; “Big Bang”: network map exfiltration; “Big Bang” execution; attackers install key loggers; May: initial foothold; Apr 15: OPM detects anomalous SSL activity; Apr 17: US-CERT discovers risk to PII; Apr 23: US-CERT discovers exfiltration that occurred in Dec.; Apr 24: attackers kicked out; USIS breach detected, Aug; KeyPoint breach detected, Sept; KeyPoint breached, Mar; fingerprints exfiltrated, July; PII exfiltration, Dec; pivot to Department of Interior.
  6. The OPM Breach (diagram): USIS, KeyPoint, DOI, OPM; actor: Deep Panda / Axiom
  7. The OPM Breach (attack chain): KeyPoint credentials, phishing email, Domain Admin, PIIs, SQL server, network map, fingerprints, DOI credentials
  8. Breach Attack Vectors: KeyPoint credentials (initial foothold), Domain Admin (domain compromise), DOI credentials (cross domains)
  9. US-CERT Recommendations, Trust Model: “The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT team.” Source: https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
  10. “Generals are always preparing for the last war rather than the next one.” ICIT, Handing Over the Keys to the Castle, http://icitech.org/wp-content/uploads/2015/07/ICIT-Brief-OPM-Breach2.pdf
  11. Shadow Admins (diagram: Admin A, Admin B, Shadow Admin)
  13. Permissions and ACLs in Active Directory. Principals: SYSTEM, Enterprise Admins, Domain Admins, Authenticated Users, User1, User2. AD objects: groups, domain root, containers, GPOs. Rights shown in the ACL: FULL CONTROL, CREATE CHILD OBJECTS, DELETE CHILD OBJECTS, CHANGE PASSWORD, READ ONLY (three entries), CHANGE PASSWORD.
  14. Shadow Admins demo: https://github.com/cyberark/ACLight
  15. Delegation, concept: client user → front end → (user’s ticket) → back end
  16. Delegation in Kerberos: unconstrained delegation (client’s workstation, front-end service, domain controller; steps 1 to 5)
  17. Kerberos features: a service can obtain a service ticket on behalf of a user to a different service (S4U2proxy); a service can obtain a service ticket to itself in the name of a different user (S4U2self).
  18. Delegation in Kerberos: unconstrained delegation (client’s workstation, front-end service, domain controller; steps 1 and 4)
  20. The Bottom Line (https://msdn.microsoft.com/en-us/library/cc246112.aspx): “This gives any service allowed access to the S4U2proxy extension a degree of power similar to that of the KDC itself.” “The S4U2proxy extension allows a service to obtain a service ticket to a second service on behalf of a user.” “When combined with S4U2self, this allows the first service to impersonate any user principal while accessing the second service.”
  21. The Flexibility (msDS-AllowedToDelegateTo): CIFS → file server; HOST → computer; MSSQLSvc → SQL databases; HTTP → web services; LDAP → domain controllers
  22. Constrained Delegation, Privilege Escalation: arbitrary impersonations. MSSQLSvc → database access; HTTP → Invoke-Command, remote code execution; LDAP → DCSync, password replication
  23. The Attack Vector: hunt accounts trusted for delegation; impersonate another user; abuse the allowed service
  24. Trying to Constrain: a service validates a service ticket using its secret key, so a ticket for one allowed SPN is also accepted by other services associated with the same account, i.e. services with the same password.
  26. Delegation demo
  27. Detection: monitor Kerberos traffic; monitor impersonation
  28. Log detection: Event 4624 (source and target)
  29. Network detection: Kerberos traffic (TGS_REQ, TGS_REP)
  30. Mitigations: dedicated service accounts; protected accounts; unique SPNs. https://github.com/CyberArk
  31. Takeaways: credentials are a key asset; delegation can be utilized to abuse credentials; Shadow Admins are silent assassins
  33. Thank You. Lavi.Lazarovitz@cyberark.com; Lavi Lazarovitz on LinkedIn; @LaviLazarovitz on Twitter; CyberArk on GitHub. Credits: Benjamin Delpy, Ben Campbell, @Harmj0y
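The Shadow Admins slides (11 to 14) describe accounts that are not members of the admin groups but hold ACL rights that amount to control of a privileged object. The following Python is an added example, not the talk's or ACLight's code: it treats group membership and control-granting ACEs as edges of a graph and reports every principal with a path to a privileged object that is not itself a direct admin. The directory data (groups, ACEs, the set of rights counted as control) is constructed; a real run would load these from the domain.

```python
"""Shadow-admin discovery over Active Directory ACLs (added example).

The group membership and ACEs below are constructed for illustration;
a real run would load them from the domain (e.g. from ACLight's output).
"""
from collections import defaultdict, deque

# Rights on an object that amount to control of it (a subset of AD rights).
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "ResetPassword", "AddMember"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
PRIVILEGED_OBJECTS = PRIVILEGED_GROUPS | {"Domain root"}

# Constructed group membership: group -> members.
MEMBERS = {
    "Domain Admins": {"AdminA"},
    "Enterprise Admins": {"AdminB"},
    "HelpDesk": {"User1"},
}

# Constructed ACEs: (trustee, right, object).
ACES = [
    ("Domain Admins", "GenericAll", "Domain root"),
    ("Enterprise Admins", "GenericAll", "Domain root"),
    ("Authenticated Users", "ReadProperty", "Domain root"),
    ("HelpDesk", "ResetPassword", "AdminA"),   # can reset a Domain Admin's password
    ("User2", "WriteDacl", "Domain Admins"),   # can rewrite the group's DACL
    ("User3", "ReadProperty", "Domain Admins"),
]


def direct_admins():
    """Accounts that are explicit members of the privileged groups."""
    admins = set()
    for group in PRIVILEGED_GROUPS:
        admins |= MEMBERS.get(group, set())
    return admins


def build_graph():
    """Edge a -> b means 'a can act with the rights of b': either a is a
    member of group b, or a holds a control right over object b."""
    edges = defaultdict(set)
    for group, members in MEMBERS.items():
        for member in members:
            edges[member].add(group)
    for trustee, right, obj in ACES:
        if right in CONTROL_RIGHTS:
            edges[trustee].add(obj)
    return edges


def control_path(principal, edges):
    """Shortest chain from principal to a privileged object, or None (BFS)."""
    seen = {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        if node in PRIVILEGED_OBJECTS:
            return path
        for nxt in sorted(edges.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def find_shadow_admins():
    """Principals with a control path to a privileged object that are
    neither the privileged groups themselves nor their direct members."""
    edges = build_graph()
    admins = direct_admins()
    shadow = {}
    for principal in sorted(edges):
        if principal in admins or principal in PRIVILEGED_GROUPS:
            continue
        path = control_path(principal, edges)
        if path:
            shadow[principal] = path
    return shadow


if __name__ == "__main__":
    for name, path in find_shadow_admins().items():
        print(f"{name}: {' -> '.join(path)}")
```

With the constructed data, User1 is reported through HelpDesk's ResetPassword right on AdminA, and User2 through WriteDacl on the Domain Admins group; User3 and Authenticated Users, which only hold read rights, are not. Extending the set of rights counted as control (for example WriteProperty on specific attributes) changes what is flagged, so the set should be chosen deliberately.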
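Slides 15 to 24 cover unconstrained delegation, constrained delegation with protocol transition (S4U2self plus S4U2proxy), the msDS-AllowedToDelegateTo targets, and the point that a constraint to one SPN also reaches every other service on the same account because they share one secret key. The following Python is an added defensive audit, not code from the talk: it reads a constructed directory export, uses the documented userAccountControl bits, expands each allowed SPN to all SPNs of the account that owns it, and rates each delegation-trusted account. The account records, host names and severity scale are assumptions.

```python
"""Delegation audit: list accounts trusted for Kerberos delegation and what
each can really reach (added example; directory records are constructed)."""

UF_SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition: S4U2self allowed

# What impersonating a user to each service class yields (mapping from slide 22).
SERVICE_IMPACT = {
    "LDAP": "DCSync / password replication",
    "HTTP": "Invoke-Command remote code execution",
    "MSSQLSVC": "database access",
    "CIFS": "file server access",
    "HOST": "HOST class (many services on the computer)",
}

# Constructed export: name, userAccountControl, msDS-AllowedToDelegateTo, SPNs.
ACCOUNTS = [
    {"name": "DC01$", "uac": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "allowed_to": [],
     "spns": ["LDAP/dc01.corp.local", "CIFS/dc01.corp.local", "HOST/dc01.corp.local"]},
    {"name": "SQL01$", "uac": 0x1000, "allowed_to": [],
     "spns": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"name": "APP02$", "uac": 0x1000 | UF_TRUSTED_FOR_DELEGATION, "allowed_to": [],
     "spns": ["HOST/app02.corp.local"]},
    {"name": "svc_web", "uac": 0x200 | 0x10000 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowed_to": ["MSSQLSvc/sql01.corp.local:1433"], "spns": ["HTTP/web01.corp.local"]},
    {"name": "svc_backup", "uac": 0x200 | 0x10000 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowed_to": ["CIFS/dc01.corp.local"], "spns": []},
    {"name": "svc_report", "uac": 0x200 | 0x10000,
     "allowed_to": ["HTTP/web01.corp.local"], "spns": []},
]


def spn_class(spn):
    """Service class of an SPN, e.g. 'LDAP' for 'LDAP/dc01.corp.local'."""
    return spn.split("/", 1)[0].upper()


def effective_targets(account, accounts):
    """SPNs a constrained-delegation account can really reach. A service
    validates a ticket with its account's key, so every SPN held by the
    account that owns an allowed SPN accepts the same ticket (slide 24)."""
    owners = {spn.lower(): a["name"] for a in accounts for spn in a["spns"]}
    by_name = {a["name"]: a for a in accounts}
    reach = set()
    for spn in account["allowed_to"]:
        owner = owners.get(spn.lower())
        if owner is None:
            reach.add(spn)          # dangling SPN: keep it visible for review
        else:
            reach.update(by_name[owner]["spns"])
    return sorted(reach)


def audit(accounts):
    """One finding per delegation-trusted account, with a severity rating."""
    findings = []
    for acct in accounts:
        uac = acct["uac"]
        unconstrained = bool(uac & UF_TRUSTED_FOR_DELEGATION)
        if not (unconstrained or acct["allowed_to"]):
            continue
        transition = bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        if unconstrained:
            mode, reach = "unconstrained", []
            impact = ["any service the victim authenticates to through this host"]
            # DCs are unconstrained by default; anything else deserves attention.
            severity = "info" if uac & UF_SERVER_TRUST_ACCOUNT else "critical"
        else:
            mode = "constrained"
            reach = effective_targets(acct, accounts)
            classes = {spn_class(s) for s in reach}
            impact = sorted(SERVICE_IMPACT.get(c, "unknown") for c in classes)
            if transition and "LDAP" in classes:
                severity = "critical"   # impersonate anyone to LDAP on a DC
            elif transition:
                severity = "high"       # arbitrary impersonation to the allowed services
            else:
                severity = "medium"     # needs a real user ticket to the front end first
        findings.append({"account": acct["name"], "mode": mode,
                         "protocol_transition": transition, "reach": reach,
                         "impact": impact, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f"[{f['severity']:8}] {f['account']:12} {f['mode']:13} "
              f"transition={f['protocol_transition']} reach={f['reach']} impact={f['impact']}")
```

The svc_backup record shows the slide-24 effect: its constraint names only CIFS on DC01, but because DC01$ also holds the LDAP SPN the audit rates it critical. The severity for constrained delegation without protocol transition is kept lower only because the service must first receive a genuine user ticket; it is still worth reviewing.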

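Slides 27 to 29 point at two detection sources: Kerberos traffic on the wire and logon event 4624, where the interesting signal is the pairing of source and target. When a front-end service impersonates a user to a back end, the back end records a 4624 for the impersonated user whose source is the front-end host rather than the user's own workstation. The following Python is an added example of the log-based half, not code from the talk: it parses 4624 records in the Windows event XML layout and alerts when a privileged target logs on from a source outside its baseline, noting when that source is a known delegation front end. The event records, baseline, privileged-user list and host inventory are constructed.

```python
"""Event 4624 correlation: privileged target user vs. logon source
(added example; the events, baseline and host inventory are constructed)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

PRIVILEGED = {"AdminA", "AdminB"}
# Constructed baseline: where each privileged account normally logs on from.
BASELINE_SOURCES = {"AdminA": {"10.0.0.10"}, "AdminB": {"10.0.0.11"}}
# Constructed inventory of hosts running delegation-trusted front-end services.
FRONT_END_HOSTS = {"10.0.0.25": "web01 (HTTP, constrained delegation to MSSQLSvc/sql01)"}

# Only the 4624 fields the rule needs; the layout follows the Windows event XML schema.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>sql01.corp.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="AuthenticationPackageName">{package}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""

# Constructed sample: four network logons recorded on the back-end SQL server.
EVENTS = [
    EVENT_TEMPLATE.format(user="AdminA", logon_type=3, package="Kerberos", ip="10.0.0.10"),
    EVENT_TEMPLATE.format(user="AdminA", logon_type=3, package="Kerberos", ip="10.0.0.25"),
    EVENT_TEMPLATE.format(user="jdoe", logon_type=3, package="Kerberos", ip="10.0.0.25"),
    EVENT_TEMPLATE.format(user="AdminB", logon_type=3, package="Kerberos", ip="10.0.0.99"),
]


def parse_4624(xml_text):
    """Flatten an event into a dict of EventData fields plus EventID and Computer."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): d.text for d in root.findall("./e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("./e:System/e:EventID", namespaces=NS)
    fields["Computer"] = root.findtext("./e:System/e:Computer", namespaces=NS)
    return fields


def detect(events):
    """Alert on privileged targets logging on from a source outside their baseline."""
    alerts = []
    for xml_text in events:
        ev = parse_4624(xml_text)
        target, source = ev.get("TargetUserName"), ev.get("IpAddress")
        if ev["EventID"] != "4624" or target not in PRIVILEGED:
            continue
        if source in BASELINE_SOURCES.get(target, set()):
            continue
        is_front_end = source in FRONT_END_HOSTS
        reason = (f"{target} logon (type {ev.get('LogonType')}, {ev.get('AuthenticationPackageName')}) "
                  f"to {ev['Computer']} from unexpected source {source}")
        if is_front_end:
            reason += f"; source is a delegation front end: {FRONT_END_HOSTS[source]}"
        alerts.append({"target": target, "source": source, "computer": ev["Computer"],
                       "front_end": is_front_end, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["reason"])
```

The second event is the impersonation pattern from the slides: AdminA appears to log on to the SQL server, but the source is the web front end that holds constrained delegation to it. The fourth event is a plain baseline deviation with no front-end enrichment, which keeps it visible without claiming delegation was involved. The TGS_REQ/TGS_REP view on the wire is the complementary source and is not covered here.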
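Slide 30 lists three mitigations: dedicated service accounts, protected accounts, and unique SPNs. The following Python is an added configuration check, not code from the talk or the CyberArk repository: over a constructed directory export it reports privileged users whose tickets can still be delegated (neither the "Account is sensitive and cannot be delegated" flag nor Protected Users membership), non-computer accounts that host more than one service class, and SPNs registered on more than one account. The records are constructed; the userAccountControl bit and the group name are the documented ones.

```python
"""Mitigation checks for the three controls on slide 30
(added example; directory records are constructed)."""
from collections import defaultdict

UF_NOT_DELEGATED = 0x100000   # "Account is sensitive and cannot be delegated"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed export: name, userAccountControl, group memberships, SPNs.
ACCOUNTS = [
    {"name": "AdminA", "uac": 0x200, "groups": ["Domain Admins"], "spns": []},
    {"name": "AdminB", "uac": 0x200 | UF_NOT_DELEGATED, "groups": ["Enterprise Admins"], "spns": []},
    {"name": "AdminC", "uac": 0x200, "groups": ["Domain Admins", "Protected Users"], "spns": []},
    {"name": "svc_web", "uac": 0x200 | 0x10000, "groups": [],
     "spns": ["HTTP/web01.corp.local", "MSSQLSvc/sql01.corp.local:1433"]},
    {"name": "svc_sql", "uac": 0x200 | 0x10000, "groups": [],
     "spns": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"name": "DC01$", "uac": 0x82000, "groups": [],
     "spns": ["LDAP/dc01.corp.local", "CIFS/dc01.corp.local"]},
]


def spn_class(spn):
    """Service class of an SPN, e.g. 'HTTP' for 'HTTP/web01.corp.local'."""
    return spn.split("/", 1)[0].upper()


def unprotected_privileged(accounts):
    """Privileged users that can still be impersonated through delegation."""
    out = []
    for a in accounts:
        if not PRIVILEGED_GROUPS & set(a["groups"]):
            continue
        if a["uac"] & UF_NOT_DELEGATED or "Protected Users" in a["groups"]:
            continue
        out.append(a["name"])
    return out


def shared_service_accounts(accounts):
    """Non-computer accounts hosting more than one service class: a ticket
    for any one of their SPNs is accepted by all of them (same key)."""
    return [a["name"] for a in accounts
            if not a["name"].endswith("$")
            and len({spn_class(s) for s in a["spns"]}) > 1]


def duplicate_spns(accounts):
    """SPNs registered on more than one account: the KDC may issue the
    ticket for the wrong account, and the ticket is encrypted to its key."""
    holders = defaultdict(list)
    for a in accounts:
        for spn in a["spns"]:
            holders[spn.lower()].append(a["name"])
    return {spn: names for spn, names in holders.items() if len(names) > 1}


if __name__ == "__main__":
    print("privileged users without delegation protection:", unprotected_privileged(ACCOUNTS))
    print("accounts hosting several service classes:", shared_service_accounts(ACCOUNTS))
    print("duplicate SPNs:", duplicate_spns(ACCOUNTS))
```

Computer accounts are excluded from the shared-service check because a host legitimately registers several classes (CIFS, HOST, and on a domain controller LDAP); for those, the delegation audit's "effective reach" view is the relevant control. Setting the not-delegated flag or using Protected Users covers only the accounts it is applied to, so the first check should be run against the full set of privileged groups in use, not just the two named here.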