Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Lateral Movement by Default


Published on

Presented at InnoTech Oklahoma 2015. All rights reserved.

Published in: Technology
  • Be the first to comment

Lateral Movement by Default

  1. 1. Lateral Movement By Default Randy Watkins
  2. 2. 2© 2015 Critical Start LLC. Critical Start is a Threat Management company with the goal to measurably improve the security effectiveness of our customers. We developed a security framework to evaluate the status of your security controls and assess your current environment. The core inputs of our methodology are: Critical Start: Who We Are Attack Phase Maturity Following a kill chain methodology understanding the ability to detect initial compromise, lateral movement, breach detection and response Security Efficiency Control effectiveness, impact to user experience, upfront costs, and ongoing costs. Security Efficiency is used to prioritize how to address attack phase maturity gaps Critical Assets and Data What is the likelihood outside attackers would specifically target your organization? Critical assets and data is viewed from point of view of 3rd party value versus business impact. Impact of Compliance What compliance and regulatory requirements are driving security practices within your company?
  3. 3. 3© 2015 Critical Start LLC. All Rights Reserved Agenda Define Lateral Movement How It’s Done Methods of Lateral Movement Recommendations for Limiting Effectiveness Can it be Prevented?
  4. 4. We are currently not planning on conquering the world. – Sergey Brin What is Lateral Movement?
  5. 5. 5© 2015 Critical Start LLC. Using an Initial point of compromise to migrate to other network assets What is gained with Lateral Movement? – Establish Persistence – Identify Critical Assets – Find Sensitive Data Lateral Movement expands attack footprint, and increases Incident Response Efforts, including identifying potential exfiltration. What is Lateral Movement?
  6. 6. 6© 2015 Critical Start LLC. • Initial compromise can use: – Malware – Easier to detect and prevent – Legitimate Credentials – Go after the user A (mostly) Hidden Threat
  7. 7. 9© 2015 Critical Start LLC. • Initial compromise can use: – Malware – Easier to detect and prevent – Legitimate Credentials – Go after the user • Attackers Point of View: – Any user account or machine is valuable to an attacker – Legitimate credentials are less alarming than callbacks – Once an attacker finds their way in… A (mostly) Hidden Threat
  8. 8. 10© 2015 Critical Start LLC.
  9. 9. 11© 2015 Critical Start LLC. • SSC Syndrome – Soft Squishy Center – Most security budget is spent protecting the perimeter – Little security measures preventing spread – Very difficult to weed out false positives to identify lateral movement – Most Windows machines, Networks, and Active Directory are built for convenience, including lateral movement. SSC Syndrome
  10. 10. We are currently not planning on conquering the world. – Sergey Brin Methods Of Lateral Movement
  11. 11. 13© 2015 Critical Start LLC. • Attacker installs or gets user to install back door – Phishing Email – Drive by Download • Computer communicates to C2 server/opens a direct shell to attacker • Attacker accesses computer Malware Back Door
  12. 12. 14© 2015 Critical Start LLC. • Attacker Compromised Legitimate Credentials – Spear Phishing – Brute Force – Malware • Attacker Logs into machine via VPN • Attacker Does recon to find additional machines Legitimate Credentials with VPN
  13. 13. 15© 2015 Critical Start LLC. • Attacker Accesses Compromised Machine – Malware – Legitimate Credentials • Attacker captures cached credentials • Attacker replays captured hashes to authenticate • Attacker continues recon to continue spread through network Pass the Hash
  14. 14. 16© 2015 Critical Start LLC. • Multiple tools will pull Credential in Clear Text – Mimikatz – Windows Credential Editor Forget the Hash. Plaintext FTW!
  15. 15. 17© 2015 Critical Start LLC. • Malware is Dropped and Credentials are Harvested • Cycle is repeated to continue exfiltration and attack footprint • Incident detection turn into incident containment and response Rinse Lather Repeat
  16. 16. We are currently not planning on conquering the world. – Sergey Brin Preventing/Restricting Lateral Movement
  17. 17. 19© 2015 Critical Start LLC. Start at the source – Malware • Use Anti-Virus or Next-Gen Endpoint product to prevent initial infection • Employ Network Based Detection to find things Endpoint Agents may not pick up – Legitimate Credentials • Employ SPAM and Spear Phish filtering • Enforce Strong Passwords • User Education – Staged Phishing Campaigns – Security Bulletins/New letters Prevention
  18. 18. 20© 2015 Critical Start LLC. • Have Unique Passwords for Local Admin Accounts – Microsoft LAPS is a free tool for managing these • Deny Network Logon for Local Accounts • Remove User accounts from Local Administrators Group Control Local Accounts
  19. 19. 21© 2015 Critical Start LLC. • Log Events from Privileged Accounts • Do not give Privileged Accounts Email boxes • Do not nest Active Directory Groups into privileged groups • Enforce Strong Passwords Control Network Accounts
  20. 20. 22© 2015 Critical Start LLC. • Require Privileged Accounts and VPN users to use 2 Factor Authentication • Enforce Device Certificate Authentication • Log all VPN connections and correlate suspicious logins • Reduce or Remove Default Cached Credential Value Control Remote Access
  21. 21. 23© 2015 Critical Start LLC. • Use Jump Hosts for Administrative Access • Segment Guest/User/Server/Critical Asset Networks – Leverage User Segmentation where possible Control the Network
  22. 22. 24© 2015 Critical Start LLC. • Microsoft Pass The Hash (PTH) Mitigation Paper – • Microsoft LAPS Technet Security Advisory – • Channel 9 Videos – Security-Briefings-Fall-2012-Sessions/BH1208 – B210#fbid= Additional Resources
  23. 23. Critical Start LLC 6860 North Dallas Pkwy, St 200 Plano, Texas 75024 Phone: 214-810-6762 Learn more about creating your own Defendable Network at: