Mitigating Pass the Hash
CrowdStrike’s Holistic Approach
Agenda
• Introductions
• Overview of Pass the Hash
• Building a Strong Foundation
• Protection of Critical Accounts (Not Just Domain Admins)
• Taking it to Another Level of Security
• Resources / Q & A
2013 CrowdStrike, Inc. All rights reserved. 2
@CROWDSTRIKE | #CROWDCASTS
Today’s Speakers
CHRIS PRICE – DIRECTOR
• 12+ YEARS: Conducting Incident Response Investigations, Litigation Support, and Financial Crime Investigations
• PRIOR TO CROWDSTRIKE: Mandiant, Deloitte, George Washington University
• CONNECT: services@crowdstrike.com
Today’s Speakers
CHRISTOPHER SCOTT – PRINCIPAL CONSULTANT
• 15+ YEARS: Conducting security assessment, incident response, insider threat analysis, and security architecture.
• PRIOR TO CROWDSTRIKE: Defended networks for the Defense Industrial Base (DIB)
• CONNECT: services@crowdstrike.com
Who is CrowdStrike?
• INTELLIGENCE: Government Quality Intelligence for the Private Sector
• SERVICES: Services Focused on Pre and Post Incident Response
• TECHNOLOGY: Big Data Active Defense Platform that Links the Who, What, and Why
MIT’S TOP 50 MOST DISRUPTIVE COMPANIES FOR 2013
About CrowdStrike Services
• COMPREHENSIVE OFFERINGS
– Incident Response Investigations
– Proactive Threat Assessments
– IR Program Development
• INDUSTRY VETERANS
– Average of Ten Years IR Industry Experience
– Backgrounds in IR Consulting, Government, and Defense
– Specialists in Broad Range of Technologies
• VARIETY OF CUSTOMER VERTICALS
– Finance, Technology, Manufacturing, Retail, Healthcare, Telecommunications, Oil & Gas, Entertainment
Intelligence
• WHO – Adversary
• WHY – Intent
• WHAT – Malware
Adversary Groups
• CHINA – Umbrella Term: Panda
• RUSSIA – Umbrella Term: Bear
• IRAN – Umbrella Term: Kitten
• NORTH KOREA – Umbrella Term: Chollima
• INDIA – Umbrella Term: Tiger
• HACKTIVIST/ACTIVIST/TERRORIST – Umbrella Term: Jackal
• CRIMINAL – Umbrella Term: Spider
OVERVIEW OF PASS THE HASH
Overview of Pass the Hash
BUILDING A STRONG FOUNDATION
Building a Strong Foundation – Local Administrator
• Disabling the Local Administrator Account
– Common Attack Vector
– Used by Attackers for Lateral Movement
– Safe Mode Enables It
– Disable Utilizing GPO
“The user’s going to pick dancing pigs over security every time” – Bruce Schneier
Building a Strong Foundation – Logging and Alerting
• Proper Logging and Alerting
– Authentication Requests
– Centralized System
– Near Real Time
– Splunk / Kiwi Syslog / Syslog / Other
– Splunk Universal Forwarder / Snare Agent
– Alerts Needed
•  Ability to Alert on Events
•  Preferably Alert by Email to Custom Recipients
Building a Strong Foundation – User Workstation Rights
• Limiting Local Administrator Privileges for End Users
– Do ALL Users Need Administrator Rights?
– Look to Create Multiple Accounts for a User
•  One Elevated Account
•  One Standard User Account
– Helps Limit the Ability for Malware to Harvest Credentials
•  Must have Administrator Privileges to Harvest Cached Credentials
Building a Strong Foundation – Separation of Duties
• Separation of Duties by Account
– User Account – (JohnDoe) ONLY Standard User
– Domain Admins – (DA-JohnDoe)
•  Only created for those that ABSOLUTELY need it
– Server Admins – (SA-JohnDoe)
•  Can be one layer
•  If needed can be multiple layers
–  IIS, SQL, File and Print Admin
– Workstation Admins – (WA-JohnDoe)
•  These accounts are most vulnerable
“Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.” – R. A. Botha and J. H. P. Eloff, IBM Systems Journal
PROTECTION OF CRITICAL ACCOUNTS
Protection of Critical Accounts – Domain Admins
• Domain Admins and Enterprise Admins
– Create a Custom Security Group – “Restricted Domain Admins”
•  Allows for adding in multiple accounts
•  Allows for business cases where you need a temporary Domain Admin for all
computers
– Key GPO Settings for Controlling Access
•  Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment
–  Deny log on locally
–  Deny log on as a batch job
–  Deny log on as a service
–  Deny log on through Remote Desktop Services
– Apply GPO to ALL Computers Except Domain Controllers
Protection of Critical Accounts – Server Admins
• Server Admins
– Create Security Group – “Server Admins”
– Servers Should Be Migrated to Organizational Units
•  Allows Applying of Custom GPOs by OU
– Key GPO for Controlling Access
•  Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
–  Create Group – “Administrators”
–  Add in Security Group – “Server Admins” to “Administrators”
– Create Multiple Layers of Security as Needed by Your Organization
•  SQL Admins, IIS Admins, …
•  Helps in Compliance Audits – Sarbanes-Oxley
– Keep Separation of Duties
Protection of Critical Accounts – Workstation Admins
• Workstation Admin
– Create Security Group – “Workstation Admins”
– Workstations Should be Migrated to Organizational Units
– Similar GPO Setup as Server Admins
•  Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
–  Create Group – “Administrators”
–  Add in Security Group – “Workstation Admins” to “Administrators”
Recap of Where We Stand
• Local Administrator Account – Disabled
• Logging and Alerting – Centralized System
• User Permissions – Limited to What is Practical
• Domain Admins – Limited to Domain Controllers
• Server Admins – Limited to Servers
• Workstation Admins – Limited to Workstations
• Cached Credentials Will Still Be Harvested at Some Point
TAKING IT TO ANOTHER LEVEL
Taking it to Another Level – Password Control
• Limiting Validity of Cached Credentials
– Web Application for Password Assignment
•  Authenticate Using Two Factor Authentication (TFA)
•  Only Need ONE TFA Token – No Token Necklace
•  Present User with Account Options
–  Domain Admin
–  Server Admin
–  Workstation Admin
•  Randomize Password
“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” – Clifford Stoll
Taking it to Another Level – Password Control
• Account Expiration
– accountExpires LDAP Value
– Set to Acceptable Time Frame with Web Application
•  ~ 4 Hours
•  More or Less Depending on Your Organization
• User Controlling Cached Credentials
– Allow Users to Expire the Account Through the Web Application
– When an Account is Expired, Credentials are NO LONGER VALID
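The checkout flow the two Password Control slides describe, as an added example that is not CrowdStrike’s own code: after the requester passes TFA, the web application picks the tiered account (DA-/SA-/WA- prefix from the deck), randomizes its password, and writes an accountExpires value about four hours out; the user can also expire it early. The conversion to and from the FILETIME format that accountExpires uses is the part worth getting right; function names such as check_out and check_in and the sample times are assumptions, and writing the values to the directory is left to the caller.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# accountExpires is stored as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. Two values mean "never expires": 0 and the largest signed int64.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_SECONDS = 11_644_473_600        # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# Account naming from the deck: one tiered account per role, prefixed DA-/SA-/WA-,
# handed out for roughly four hours at a time (tune the validity per organization).
TIER_PREFIX = {"domain": "DA-", "server": "SA-", "workstation": "WA-"}
DEFAULT_VALIDITY = timedelta(hours=4)


def to_account_expires(when: datetime) -> int:
    """Convert an aware datetime to the integer written to accountExpires."""
    if when.tzinfo is None:
        raise ValueError("expiry must be timezone-aware")
    # Integer arithmetic throughout: tick counts are ~1e17 and would lose
    # precision if pushed through a float timestamp.
    delta = when - UNIX_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return (whole_seconds + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND + delta.microseconds * 10


def from_account_expires(value: int) -> Optional[datetime]:
    """Inverse conversion; None means the account never expires."""
    if value in NEVER_EXPIRES:
        return None
    ticks_since_unix = value - EPOCH_DIFF_SECONDS * TICKS_PER_SECOND
    seconds, rem_ticks = divmod(ticks_since_unix, TICKS_PER_SECOND)
    return UNIX_EPOCH + timedelta(seconds=seconds, microseconds=rem_ticks // 10)


def is_expired(value: int, now: datetime) -> bool:
    """True once accountExpires has passed: any harvested hash for the account is then useless."""
    expiry = from_account_expires(value)
    return expiry is not None and expiry <= now


def random_password(length: int = 24) -> str:
    """Password from the OS CSPRNG; retry until every character class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def check_out(tier: str, requester: str, now: datetime,
              validity: timedelta = DEFAULT_VALIDITY) -> Dict[str, object]:
    """The attribute values the web application would write to AD after TFA succeeds."""
    if tier not in TIER_PREFIX:
        raise ValueError(f"unknown tier {tier!r}")
    return {
        "sAMAccountName": TIER_PREFIX[tier] + requester,
        "password": random_password(),        # AD attribute unicodePwd; write it over LDAPS only
        "accountExpires": to_account_expires(now + validity),
    }


def check_in(now: datetime) -> int:
    """User-initiated expiry: set accountExpires to now so the credentials stop working."""
    return to_account_expires(now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    rec = check_out("server", "JohnDoe", now)
    print(rec["sAMAccountName"], "valid until", from_account_expires(rec["accountExpires"]))
    print("expired 5h later:", is_expired(rec["accountExpires"], now + timedelta(hours=5)))
```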
Taking it to Another Level – Log Alerting
• Log Monitoring and Alerting
– Alert Users on Privileged Account Usage
•  Train users to notify management on unexpected notices
•  For highly sensitive accounts, you can notify management on logon
– Alert when Expired Credential Use is Attempted
•  Establish escalation procedures
•  Establish response procedures
– Alert on Group Changes
•  Monitor Domain Admins, Enterprise Admins, Restricted Domain Admins, Server Admins, Workstation Admins
•  Alert on ANY change to group membership – Adds or Deletes
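An added example, not code from the deck or from CrowdStrike, that turns this slide’s three alerting rules (and the centralized-logging foundation from earlier) into detection logic: a DA-/SA-/WA- account logging on outside its tier, a logon attempt with expired credentials, and any add or delete on the watched groups, with recipients routed per alert. The event records, host roles and e-mail addresses are constructed; the event IDs and the account-expired status code are the real Windows values.

```python
from collections import Counter
from typing import Dict, List, Optional

# Tier model from the deck: the account-name prefix tells us the only host role
# that account may log on to (enforced by the deny-logon GPOs, detected here).
TIER_BY_PREFIX = {"DA-": "domain_controller", "SA-": "server", "WA-": "workstation"}

# Groups whose membership changes must raise an alert on ANY add or delete.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Restricted Domain Admins",
                  "Server Admins", "Workstation Admins"}

# Security-log event IDs: 4624 logon success, 4625 logon failure, and the
# member-added / member-removed events for global, local and universal groups.
ADDED_TO_GROUP = {4728, 4732, 4756}
REMOVED_FROM_GROUP = {4729, 4733, 4757}

# NTSTATUS carried in a 4625 when the account's accountExpires has passed.
STATUS_ACCOUNT_EXPIRED = "0xC0000193"


def account_tier(user: str) -> Optional[str]:
    """Map the DA-/SA-/WA- naming scheme to a tier; plain user accounts give None."""
    for prefix, role in TIER_BY_PREFIX.items():
        if user.upper().startswith(prefix):
            return role
    return None


def evaluate(events: List[Dict], host_roles: Dict[str, str]) -> List[Dict]:
    """Apply the deck's three alerting rules to already-parsed event records."""
    alerts = []
    for ev in events:
        eid, user, host = ev["EventID"], ev.get("TargetUserName", ""), ev.get("Computer", "")
        if eid == 4624:
            tier = account_tier(user)
            if tier is None:
                continue                      # standard user accounts are not alerted on
            role = host_roles.get(host, "unknown")
            if role != tier:                  # the deny-logon GPO should have blocked this
                alerts.append({"kind": "TIER_VIOLATION", "user": user, "host": host,
                               "detail": f"{tier} account logged on to a {role} host"})
            elif tier == "domain_controller":  # highly sensitive: notify on every use
                alerts.append({"kind": "PRIVILEGED_LOGON", "user": user, "host": host,
                               "detail": "Domain Admin account used; owner and management notified"})
        elif eid == 4625 and ev.get("Status") == STATUS_ACCOUNT_EXPIRED:
            alerts.append({"kind": "EXPIRED_CREDENTIAL_USE", "user": user, "host": host,
                           "detail": "logon attempted with expired credentials; escalate"})
        elif eid in ADDED_TO_GROUP | REMOVED_FROM_GROUP and ev.get("GroupName") in WATCHED_GROUPS:
            verb = "added to" if eid in ADDED_TO_GROUP else "removed from"
            member = ev.get("MemberName", "")
            alerts.append({"kind": "GROUP_CHANGE", "user": member, "host": host,
                           "detail": f"{member} {verb} {ev['GroupName']}"})
    return alerts


def recipients(alert: Dict, domain: str = "example.com") -> List[str]:
    """Route an alert: the owner of a tiered account hears about its use, management
    is copied on Domain Admin logons, and the security mailbox gets everything."""
    security = f"security-alerts@{domain}"
    if alert["kind"] in ("PRIVILEGED_LOGON", "TIER_VIOLATION"):
        owner = alert["user"][3:]                # DA-JohnDoe -> JohnDoe
        to = [f"{owner}@{domain}", security]
        if alert["kind"] == "PRIVILEGED_LOGON":
            to.append(f"management@{domain}")
        return to
    return [security]


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts by kind (handy for a daily digest)."""
    return dict(Counter(a["kind"] for a in alerts))


# Constructed sample data. Host roles would come from the OU each computer sits in;
# the event fields are a simplified, normalised view of the Windows Security log
# (in the real 4728/4732 events the group is in TargetUserName and the member in MemberName).
HOST_ROLES = {"DC01": "domain_controller", "SRV-FILE01": "server", "WKS-042": "workstation"}
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DA-JohnDoe", "Computer": "DC01", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "DA-JohnDoe", "Computer": "WKS-042", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "WA-JohnDoe", "Computer": "WKS-042", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "SA-JohnDoe", "Computer": "WKS-042", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "JohnDoe", "Computer": "WKS-042", "LogonType": 2},
    {"EventID": 4625, "TargetUserName": "SA-JohnDoe", "Computer": "SRV-FILE01", "Status": "0xC0000193"},
    {"EventID": 4728, "MemberName": "svc-backup", "GroupName": "Domain Admins", "Computer": "DC01"},
    {"EventID": 4732, "MemberName": "jsmith", "GroupName": "Helpdesk", "Computer": "WKS-042"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, HOST_ROLES):
        print(alert["kind"], alert["user"], alert["host"], "->", ", ".join(recipients(alert)))
```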
ADVANTAGES & CONCLUSION
Advantages of the Solution
• Credentials Restricted to Needed Assets
• Credentials Have Limited Validity
• Lateral Movement Capabilities Significantly Reduced
• Business Processes Are Still Functional
• Logging and Alerting Provides Warnings of Potential Credential Theft
• Almost NO COST to Implement
– Small Amount of Labor
– Some Process Changes
Conclusion
• Pass the Hash is a REAL Threat Today
• Many Networks ARE Susceptible to this Attack
• You CAN Protect Your Network
• This Solution HAS Protected Networks
• Attackers CANNOT Use Expired Credentials
• Alerts WILL Notify of Credential Usage
• AFFORDABLE for Any Business
For additional details on
CrowdStrike Products & Offerings
CONTACT SALES@CROWDSTRIKE.COM
Q & A
Next up: You Have an Adversary Problem. Who’s Attacking You and Why? – October 16th | 2PM ET/11AM PT
Q&A
CrowdCasts Monthly: Mitigating Pass the Hash

Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
CrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
CrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
CrowdStrike
 

More from CrowdStrike (8)

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
 

Recently uploaded

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 

Recently uploaded (20)

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 

CrowdCasts Monthly: Mitigating Pass the Hash

  • 1. Mitigating Pass the Hash CrowdStrike’s Holistic Approach
  • 2. Agenda
    – Introductions
    – Overview of Pass the Hash
    – Building a Strong Foundation
    – Protection of Critical Accounts (Not Just Domain Admins)
    – Taking it to Another Level of Security
    – Resources / Q & A
    2013 CrowdStrike, Inc. All rights reserved. 2 @CROWDSTRIKE | #CROWDCASTS
  • 3. Today’s Speakers – CHRIS PRICE, Director
    – Prior to CrowdStrike: Mandiant, Deloitte, George Washington University
    – 12+ years conducting incident response investigations, litigation support, and financial crime investigations
    – Connect: services@crowdstrike.com
  • 4. Today’s Speakers – CHRISTOPHER SCOTT, Principal Consultant
    – Prior to CrowdStrike: defended networks for the Defense Industrial Base (DIB)
    – 15+ years conducting security assessment, incident response, insider threat analysis, and security architecture
    – Connect: services@crowdstrike.com
  • 5. Who is CrowdStrike?
    – Intelligence: government-quality intelligence for the private sector
    – Services: focused on pre- and post-incident response
    – Technology: big data active defense platform that links the who, what, and why
    – MIT’s Top 50 Most Disruptive Companies for 2013
  • 6. About CrowdStrike Services
    – Comprehensive offerings: incident response investigations, proactive threat assessments, IR program development
    – Industry veterans: average of ten years IR industry experience; backgrounds in IR consulting, government, and defense; specialists in a broad range of technologies
    – Variety of customer verticals: finance, technology, manufacturing, retail, healthcare, telecommunications, oil & gas, entertainment
  • 7. Intelligence – WHO (adversary), WHY (intent), WHAT (malware)
    – Adversary groups by umbrella term: China – Panda; Russia – Bear; Iran – Kitten; North Korea – Chollima; India – Tiger; hacktivist/activist/terrorist – Jackal; criminal – Spider
  • 8. OVERVIEW OF PASS THE HASH
  • 9–11. Overview of Pass the Hash
  • 12. BUILDING A STRONG FOUNDATION
  • 13. Building a Strong Foundation – Local Administrator
    – Disable the built-in local Administrator account
      • It is a common attack vector: the same account, and very often the same password, exists on every machine, so one harvested hash is reused by attackers for lateral movement
      • Safe Mode still enables it: on a machine with no other active local administrator, Windows lets the disabled built-in Administrator log on in Safe Mode. That keeps recovery possible, but it also means console access can get around the control
      • Disable it centrally with a GPO (Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options, “Accounts: Administrator account status”)
    “The user’s going to pick dancing pigs over security every time.” Bruce Schneier
  • 14. Building a Strong Foundation – Logging and Alerting
    – Proper logging and alerting of authentication requests
      • Centralized system, near real time: Splunk, Kiwi Syslog, syslog, or other
      • Forward Windows event logs with the Splunk Universal Forwarder, the Snare agent, or a comparable agent
      • Alerting is a requirement, not an option: the platform must be able to alert on events, preferably by e-mail to custom recipients
  • 15. Building a Strong Foundation – User Workstation Rights
    – Limit local administrator privileges for end users: do ALL users need administrator rights?
    – Give each user who does need them two accounts: one elevated account and one standard user account for daily work
    – This limits malware’s ability to harvest credentials: reading cached credentials and LSASS memory requires administrator privileges, so malware running as a standard user cannot do it
  • 16. Building a Strong Foundation – Separation of Duties
    – One account per role per person:
      • User account (JohnDoe): ONLY a standard user
      • Domain Admin (DA-JohnDoe): created only for those who ABSOLUTELY need it
      • Server Admin (SA-JohnDoe): can be one layer, or multiple layers if needed (IIS, SQL, file and print admins)
      • Workstation Admin (WA-JohnDoe): these accounts are the most exposed, since they are used on the endpoints most likely to be compromised
    “Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.” R. A. Botha and J. H. P. Eloff, IBM Systems Journal
  • 17. PROTECTION OF CRITICAL ACCOUNTS
  • 18. Protection of Critical Accounts – Domain Admins
    – Domain Admins and Enterprise Admins: create a custom security group, “Restricted Domain Admins”
      • Lets you add multiple accounts (nest Domain Admins and Enterprise Admins in it)
      • Covers the business case where a temporary Domain Admin is needed on all computers
    – Key GPO settings for controlling where these accounts can log on: Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment
      • Deny log on locally
      • Deny log on as a batch job
      • Deny log on as a service
      • Deny log on through Remote Desktop Services
    – Apply the GPO to ALL computers except domain controllers (a deny right on the DCs would lock the Domain Admins out of the DCs themselves)
    – Caveat: the list above does not include “Deny access to this computer from the network”. Pass-the-Hash lateral movement rides on network logons (SMB admin shares, PsExec-style remote execution, WMI), so add that right as well where it does not break anything, and test first: any scheduled task or service on a member server that still runs under a Domain Admin account will fail once the denies apply, which is exactly the dependency you want to find and remove.
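The group creation and a per-host check of the four deny rights from slide 18, as an added PowerShell example that is not from the CrowdStrike deck. It assumes the RSAT ActiveDirectory module, WinRM to the sampled hosts, and local admin rights to run secedit on them; the host names in the usage line and the helper Test-DenyRights are placeholders of this example. It reads the effective policy with secedit rather than the GPO object, so it reports what each machine actually enforces and confirms the domain controllers were left out.

```powershell
# Added example: build the "Restricted Domain Admins" group from slide 18 and verify,
# host by host, that the four deny-logon rights reference it and that domain
# controllers do not. Assumes RSAT ActiveDirectory, WinRM and local admin on targets.
Import-Module ActiveDirectory

$GroupName = 'Restricted Domain Admins'   # group name from the deck

# 1. The group the deny-logon GPO references. Nesting Domain Admins and Enterprise
#    Admins (or a temporary full-domain admin) in it is what makes the deny bite.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Denied logon everywhere except domain controllers'
    Add-ADGroupMember -Identity $GroupName -Members 'Domain Admins', 'Enterprise Admins'
}
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. User Rights Assignment names as secedit exports them, in slide-18 order.
$DenyRights = @(
    'SeDenyInteractiveLogonRight'         # Deny log on locally
    'SeDenyBatchLogonRight'               # Deny log on as a batch job
    'SeDenyServiceLogonRight'             # Deny log on as a service
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
    # 'SeDenyNetworkLogonRight'           # Deny access from the network: add it if you
                                          # extend the policy to block network logons too
)

# 3. Read each host's effective policy. secedit writes SIDs with a leading '*'.
function Test-DenyRights {
    param([string[]]$ComputerName, [string]$Sid, [string[]]$Rights)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Sid, $Rights -ScriptBlock {
        param($Sid, $Rights)
        $cfg = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -Path $cfg
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue

        # DomainRole 4 or 5 = domain controller; the deny must be absent there.
        $isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
        foreach ($right in $Rights) {
            $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
            $sids = if ($line) {
                (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
            } else { @() }
            $denied = $sids -contains "*$Sid"
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                IsDC     = $isDC
                Right    = $right
                Denied   = $denied
                OK       = ($denied -eq (-not $isDC))
            }
        }
    }
}

# Usage: sample a server, a workstation and a DC; every row should read OK = True.
Test-DenyRights -ComputerName 'srv01', 'ws01', 'dc01' -Sid $GroupSid -Rights $DenyRights |
    Sort-Object Computer, Right | Format-Table Computer, IsDC, Right, Denied, OK -AutoSize
```

A row with OK = False on a member host means the GPO has not applied there (check gpresult and the OU link); OK = False on a DC means the policy leaked onto the domain controllers and needs to be unlinked before the next refresh.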
  • 19. Protection of Critical Accounts – Server Admins
    – Create the security group “Server Admins”
    – Move servers into their own organizational units so custom GPOs can be applied per OU
    – Key GPO for controlling access: Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups
      • Add the group “Administrators” and put the security group “Server Admins” in its member list
    – Create multiple layers as your organization needs them (SQL Admins, IIS Admins, ...); the finer split helps in compliance audits (Sarbanes-Oxley) and keeps separation of duties
  • 20. Protection of Critical Accounts – Workstation Admins
    – Create the security group “Workstation Admins”
    – Move workstations into their own organizational units
    – Same GPO setup as for Server Admins: Restricted Groups, group “Administrators”, member “Workstation Admins”
    – Caveat for both slides: the Restricted Groups “Members of this group” list is enforced, not merged. On every policy refresh Windows removes any member that is not on the list, so every legitimate member (including any management or backup account) must be listed, and anything that later shows up in local Administrators on its own is a finding. The other setting, “This group is a member of”, only adds and removes nothing.
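A check that the Restricted Groups policy from slides 19 and 20 and the disabled local Administrator from slide 13 actually landed on the endpoints, as an added PowerShell example that is not from the deck. It assumes RSAT ActiveDirectory, WinRM, and PowerShell 5.1 or later on the targets (for Get-LocalUser and Get-LocalGroupMember); the OU paths, the CORP domain and the helper name Get-LocalAdminState are placeholders of this example.

```powershell
# Added example: for every enabled computer in an OU, report who is in the local
# Administrators group and whether the built-in Administrator (RID 500) is enabled,
# then flag anything outside the allowed set. Assumes RSAT ActiveDirectory and WinRM.
Import-Module ActiveDirectory

function Get-LocalAdminState {
    param(
        [Parameter(Mandatory)][string]$SearchBase,       # OU holding servers or workstations
        [Parameter(Mandatory)][string[]]$AllowedMembers  # e.g. 'CORP\Server Admins'
    )

    $targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Select-Object -ExpandProperty DNSHostName

    $raw = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
        # Identify the built-in Administrator by RID 500, never by name: a rename
        # (a common "hardening" step) leaves the account and its hash just as usable.
        $builtin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
        # S-1-5-32-544 is the local Administrators group on any language of Windows.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            BuiltinAdminName    = $builtin.Name
            BuiltinAdminEnabled = [bool]$builtin.Enabled
            Administrators      = @($members)
        }
    }

    foreach ($row in $raw) {
        # The built-in account stays in Administrators whatever the policy says, so it is
        # not a membership finding; its Enabled flag is reported on its own.
        $selfName = "$($row.Computer)\$($row.BuiltinAdminName)"
        $extra = @($row.Administrators | Where-Object {
            ($AllowedMembers -notcontains $_) -and ($_ -ne $selfName)
        })
        [pscustomobject]@{
            Computer            = $row.Computer
            BuiltinAdminEnabled = $row.BuiltinAdminEnabled
            UnexpectedAdmins    = ($extra -join ', ')
            OK                  = (-not $row.BuiltinAdminEnabled) -and ($extra.Count -eq 0)
        }
    }
}

# Usage (OU paths and group names are placeholders): print only the hosts that fail.
Get-LocalAdminState -SearchBase 'OU=Servers,DC=corp,DC=example' `
    -AllowedMembers 'CORP\Server Admins' | Where-Object { -not $_.OK } | Format-Table -AutoSize
Get-LocalAdminState -SearchBase 'OU=Workstations,DC=corp,DC=example' `
    -AllowedMembers 'CORP\Workstation Admins' | Where-Object { -not $_.OK } | Format-Table -AutoSize
```

Run it before linking the Restricted Groups GPO as well as after: the “before” run lists every account the enforced member list is about to remove, which is the moment to find the service account somebody added to local Administrators by hand.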
  • 21. Recap of Where We Stand
    – Local Administrator account: disabled
    – Logging and alerting: centralized system
    – User permissions: limited to what is practical
    – Domain Admins: limited to domain controllers
    – Server Admins: limited to servers
    – Workstation Admins: limited to workstations
    – Cached credentials will still be harvested at some point
  • 22. TAKING IT TO ANOTHER LEVEL
  • 23. Taking it to Another Level – Password Control
    – Limit the validity of cached credentials with a web application for password assignment
      • The user authenticates with two-factor authentication (TFA); one TFA token covers all of a user’s privileged accounts, so no “token necklace”
      • The application presents the account options the user holds: Domain Admin, Server Admin, Workstation Admin
      • It sets a randomized password on the chosen account and hands that password to the user
    “Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” Clifford Stoll
  • 24. Taking it to Another Level – Password Control
    – Account expiration: the web application sets the accountExpires LDAP attribute to an acceptable time frame, about 4 hours, more or less depending on your organization
    – Users control their own cached credentials: they can expire the account early through the web application
    – Once an account is expired, its credentials are NO LONGER VALID: the domain controller refuses new NTLM and Kerberos logons for it, so a hash harvested from a workstation during the session is useless after the window closes (and the next checkout sets a new password, hence a new hash)
    – Caveat: expiry and the password reset are enforced at the next authentication. Logon sessions already established and Kerberos tickets already issued are not revoked, which is why the window is kept short and why the alerting on the next slide matters.
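The check-out and check-in logic behind the password-assignment application on slides 23 and 24, as an added PowerShell example that is not the deck’s own code. Check-out sets a fresh random password and an accountExpires a few hours out; check-in (or the user expiring the account early) moves accountExpires to now and rotates the password again, so a hash harvested during the session authenticates nowhere afterwards. The TFA step in front of it is assumed to be done by the web application; the account name DA-JohnDoe, the 4-hour default and the function names are placeholders of this example. It assumes the RSAT ActiveDirectory module and rights to reset the target accounts.

```powershell
# Added example: privileged-account check-out / check-in using accountExpires plus a
# password reset, the two controls from slides 23-24. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # CSPRNG bytes mapped onto a fixed alphabet with rejection sampling, so no
    # character is favoured by 256 not dividing evenly by the alphabet size.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($alphabet[$one[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Invoke-PrivilegedCheckout {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. DA-JohnDoe
        [int]$ValidHours = 4                             # ~4 h per slide 24; tune per org
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    $expiry = (Get-Date).AddHours($ValidHours)

    # A new password is a new NT hash: anything harvested before this moment is dead.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # accountExpires bounds how long the new hash is worth anything to an attacker.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expiry
    Enable-ADAccount -Identity $SamAccountName

    [pscustomobject]@{ Account = $SamAccountName; Password = $plain; ExpiresAt = $expiry }
}

function Invoke-PrivilegedCheckin {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Expiry in the past: the DC refuses every new NTLM or Kerberos logon from now on.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date)
    # Rotate again so the hash that sat in LSASS during the session is dead as well.
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
}

function Get-PrivilegedAccountState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # What the user (or the auditor) sees: is the account currently checked out?
    $u = Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate, PasswordLastSet
    [pscustomobject]@{
        Account         = $u.SamAccountName
        CheckedOut      = ($u.AccountExpirationDate -gt (Get-Date))
        ExpiresAt       = $u.AccountExpirationDate
        PasswordLastSet = $u.PasswordLastSet
    }
}

# Usage: the web application calls these after the TFA step has succeeded.
$session = Invoke-PrivilegedCheckout -SamAccountName 'DA-JohnDoe' -ValidHours 4
Get-PrivilegedAccountState -SamAccountName 'DA-JohnDoe'     # CheckedOut = True
# ... hand $session.Password to the user; the "expire now" button or a scheduled
# sweep at ExpiresAt then calls:
Invoke-PrivilegedCheckin -SamAccountName 'DA-JohnDoe'
Get-PrivilegedAccountState -SamAccountName 'DA-JohnDoe'     # CheckedOut = False
```

Neither step tears down sessions that are already open or tickets that were already issued; keep the window short and let the alerting rules catch anything that tries to authenticate after check-in.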
  • 25. Taking it to Another Level – Log Alerting
    – Alert users on privileged account usage
      • Train users to notify management on unexpected notices
      • For highly sensitive accounts, notify management on every logon
    – Alert when use of an expired credential is attempted
      • Establish escalation procedures and response procedures: this is a high-fidelity signal, because a legitimate user would check the account out again rather than keep using an expired one
    – Alert on group changes: monitor Domain Admins, Enterprise Admins, Restricted Domain Admins, Server Admins, Workstation Admins, and alert on ANY change to membership, adds or deletes
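The three alert rules from slides 14 and 25 as a PowerShell pass over the Windows Security log, added here as an example; it is not tooling from the deck. Run it on the event collector that receives forwarded domain-controller and server logs (or on a DC for the 4776 and group-change events alone). The event IDs and the 0xC0000193 status are Windows’ own; the group list, the DA-/SA-/WA- prefixes, the mail server, addresses and the function names are placeholders of this example.

```powershell
# Added example: privileged-credential alerting over the Security log. Three rules:
# NTLM network logon by a privileged account, attempted use of an expired (checked-in)
# account, and any membership change on a monitored group. Results go out by e-mail.

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Restricted Domain Admins',
                    'Server Admins', 'Workstation Admins'
$PrivilegedPrefix = 'DA-', 'SA-', 'WA-'      # account naming convention from slide 16

function Get-PrivilegedCredentialAlerts {
    param([datetime]$StartTime = (Get-Date).AddMinutes(-15), [string]$LogName = 'Security')

    # 4624 logon, 4625 failed logon (target side), 4776 NTLM validation (DC side),
    # 4728/4732/4756 member added to global/local/universal group, 4729/4733/4757 removed.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $LogName
        Id        = 4624, 4625, 4776, 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = $StartTime
    }

    foreach ($e in $events) {
        # Flatten <EventData><Data Name=...> into a hashtable keyed by field name.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $account = "$($d.TargetDomainName)\$($d.TargetUserName)"
        $isPriv  = @($PrivilegedPrefix | Where-Object { $d.TargetUserName -like "$_*" }).Count -gt 0

        switch ($e.Id) {
            4624 {
                # Rule 1: privileged account used over the network with NTLM. Pass-the-Hash
                # is an NTLM network logon, so this is the path it takes; Kerberos logons
                # of the same accounts are expected and ignored here.
                if ($isPriv -and $d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
                    [pscustomobject]@{ Rule = 'PrivilegedNtlmLogon'; Time = $e.TimeCreated
                        Account = $account; Source = $d.IpAddress
                        Detail  = "logon type 3 via $($d.LogonProcessName) on $($e.MachineName)" }
                }
            }
            4625 {
                # Rule 2a: a checked-in (expired) account was tried. 0xC0000193 = STATUS_ACCOUNT_EXPIRED.
                if ($d.SubStatus -eq '0xc0000193' -or $d.Status -eq '0xc0000193') {
                    [pscustomobject]@{ Rule = 'ExpiredCredentialUse'; Time = $e.TimeCreated
                        Account = $account; Source = $d.IpAddress
                        Detail  = "failed logon from $($d.WorkstationName) on $($e.MachineName)" }
                }
            }
            4776 {
                # Rule 2b: the same signal as seen by the DC that validated the NTLM credential.
                if ($d.Status -eq '0xc0000193') {
                    [pscustomobject]@{ Rule = 'ExpiredCredentialUse'; Time = $e.TimeCreated
                        Account = $d.TargetUserName; Source = $d.Workstation
                        Detail  = "NTLM validation refused by $($e.MachineName)" }
                }
            }
            default {
                # Rule 3: any membership change on a monitored group, add or remove.
                if ($PrivilegedGroups -contains $d.TargetUserName) {
                    $verb = if ($e.Id -in 4728, 4732, 4756) { 'added to' } else { 'removed from' }
                    [pscustomobject]@{ Rule = 'PrivilegedGroupChange'; Time = $e.TimeCreated
                        Account = $d.MemberName; Source = $d.SubjectUserName
                        Detail  = "$verb $($d.TargetUserName) on $($e.MachineName)" }
                }
            }
        }
    }
}

function Send-CredentialAlertMail {
    param([object[]]$Alerts, [string]$SmtpServer = 'smtp.example.com',
          [string]$From = 'alerts@example.com', [string[]]$To = 'soc@example.com')
    if (-not $Alerts) { return }
    $body = $Alerts | Format-Table Rule, Time, Account, Source, Detail -AutoSize | Out-String -Width 200
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[PtH watch] $(@($Alerts).Count) privileged-credential alert(s)" -Body $body
}

# Usage: schedule every 15 minutes to match the default look-back window.
Send-CredentialAlertMail -Alerts (Get-PrivilegedCredentialAlerts)
```

Rule 1 will also fire on legitimate admin work that still uses NTLM (IP-address UNC paths, non-domain tools), which is useful in its own right: each such hit is a place where Kerberos should be used instead, and once they are cleaned up the rule becomes a pass-the-hash detector with very little noise.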
  • 26. ADVANTAGES & CONCLUSION
  • 27. Advantages of the Solution
    – Credentials restricted to the assets that need them
    – Credentials have limited validity
    – Lateral movement capabilities significantly reduced
    – Business processes still function
    – Logging and Alerting Provides Warnings of Potential Credential The
    – Almost NO COST to implement: a small amount of labor and some process changes
  • 28. Conclusion
    – Pass the Hash is a REAL threat today
    – Many networks ARE susceptible to this attack
    – You CAN protect your network; this solution HAS protected networks
    – Attackers CANNOT use expired credentials for new logons
    – Alerts WILL notify of credential usage
    – AFFORDABLE for any business
  • 29. Q & A. For additional details on CrowdStrike products and offerings, contact SALES@CROWDSTRIKE.COM. Next up: You Have an Adversary Problem. Who’s Attacking You and Why? October 16th | 2PM ET/11AM PT