This document outlines an advanced targeted attack and then discusses identity and access management (IAM) best practices to prevent such attacks. It begins with an example "Golden Ticket" attack demonstration. Then, it describes the typical phases of an advanced attack including external reconnaissance, internal reconnaissance, lateral movement, and compromise of privileged accounts. Finally, it discusses IAM best practices such as implementing least privilege, managing application access, using network segmentation, securing credentials, implementing credential boundaries, and monitoring privileged access. The presentation aims to demonstrate advanced attack techniques in order to highlight the importance of strong IAM controls.

1. 1
Advanced targeted attacks
Protecting Against
with IAM Best Practices

2. 2
▪ Strategic Advisor – CyberArk Software
▪ B.S. Information Systems – University of Texas at Arlington
▪ COMPTIA A+ & Sec+
▪ VMWare VCA-DCV
▪ (ISC)2 SSCP & CISSP
▪ GIAC GPEN (Taking exam tomorrow!)
▪ Married, Father of 2 girls.
▪ Member of Shadow Systems Hacker Collective
▪ Member of Dallas Hackers Association
Hello Friend - Andy Thompson
@R41nM4kr

3. 3
▪ Golden Ticket PoC
▪ Defense using IAM Best Practices
▪ Q&A
▪ Mass Applause
Agenda

4. 4
Golden Ticket Attack
Golden Ticket Attack
Proof of Concept in Under 6 Minutes.
(4 Minutes if I weren’t so bad at typing)

5. 5
▪ It didn’t actually go
down like this.
▪ More than one way to
skin a cat.
▪ No 1337 H4X here.
Just a warning here. . . …

6. 6
So simple, you don’t have to be a 400lb hacker
living in your parents’ basement to do it!

7. 7
What is a Golden Ticket Attack

8. 8

9. 9

10. 10
The Bangladesh Bank Heist

11. 11
FOUNDATIONFUNDANTION

12. 12
What makes an attack advanced?
An advanced attack is…
a targeted attack against a specific organization, during
which an attacker operates extensively inside the network
Contrary to:
Distributed Denial of
Service (DDoS)
Opportunistic endpoint
attacks (ex. Ransomware)
Quick, targeted attacks
(ex: Support Call
Scams)

13. 13
Phases of an Advanced Attack
External
Recon
•OSINT
•Passive Scanning
Breach
•Phishing
•USB Drops
•Exploits
Internal
Recon
•Network Queries
•Passive Listening
•Probing
Lateral
Movement
•Seek Creds
•See Access
Domain
Compromise
•Golden Ticket
•Persistence
Endgame
•Exfiltration
•DoS
•Corrupt

14. 14
Breach
Email with malicious attachment

15. 15

16. 16
Domain Controller
File Server 1
Admin Workstation
Web Server 3
Help Desk
Workstation
Internal Recon
WHAT computers are there in the network?
WHO are the privileged users?
WHERE are they connected?
What privileges can I GET?
nmap bloodhound
COMMON TOOLS USED FOR RECON
Powershell

17. 17

18. 18
Domain Controller
Web Server 3
Help Desk
Workstation
Lateral Movement
Connect to the shared machine
Search for credentials
Steal privileged credentials
File Server 1
Admin Workstation
mimikatz
COMMON TOOLS USED FOR LATERAL MOVEMENT
*****
Domain Admin
credentials found!
PsExec

19. 19

20. 20
Domain Compromise
Connect to Domain Controller
Steal krbtgt hash
Create a Golden Ticket with required privileges
Locate and access desired system: SWIFTNet Domain Controller
NEXT: Steal the krbtgt hash
Generate golden
ticket for full
domain access
!
SWIFTNet

21. 21

22. 22
Recipient Bank
SWIFTNet
SWIFT User 1
SWIFT User 2
Actions on target
!
SWIFTNet Server
Access the SWIFT server
Locate pending transaction file
Inject fraudulent transaction

23. 23

24. 25
Profit!

25. 26
IAM
Best Practices

26. 27
▪ Remove Unnecessary Privileges
￭ Local Admin
￭ Implement Least Privilege
▪ Manage Application Access
￭ Block applications running by
unauthorized accounts
￭ Allow others.
Endpoint Least Privilege

27. 28
▪ Not really IAM, but still a Best
Practice recommendation.
￭ Prevents lateral movement.
▪ Route Privileged Identities
through isolated jump servers.
￭ Can’t pass the hash if you
can’t get a hash!
￭ Accountability & Auditing
• Privileged Internal Users
• Vendors & 3rd Parties too!
Network Segmentation

28. 29
Routers and
SwitchesVault
Windows/UNIX
Servers
Web Sites
1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog
4
5
Databases
6
SIEM/Syslog
ESXvCenters
1
HTTPS
2
RDP over HTTPS
PSM
3
Privileged Session Management Explained.

29. 30
▪ Secure and Manage your
Credentials
￭ Unique
￭ Complex
￭ Ever-changing!
▪ Require MFA
▪ Credential Boundaries
￭ See MSFT Whitepaper:
Mitigating Pass the Hash Attacks
and Other Credential Theft
Version 2
Credentials

30. 31
Tier 0
Tier 1
Tier 2
Tier 0 – Forest Admins: Direct of indirect administrative control
of Active Directory forests, domains, or domain controllers.
Tier 1 – Server Admins: Direct or indirect administrative control
over a single or multiple servers.
Tier 2 – Workstation Admins: Direct or indirect administrative
control over a single or multiple devices.

31. 32
Identity
Flesh & Blood Individual
Account
Defined Permissions
Key concept here…(Write this down!)

32. 34

33. 35
AThompson
JVealey
NLiran
KJermyn
PLi
ADM-AThompson
ADM-JVealey
ADM-NLiran
ADM-KJermyn
ADM-PLI
5 Privileged Accounts
ADM-Functional-Account
1 Privileged Account
AThompson
JVealey
NLiran
KJermyn
PLi

34. 36
The whole-shabang!
Unbounded Network
Financial Databases PCI Databases
ESX Servers
Domain Controllers
Workstations/Laptops
Network w/Credential Boundaries
Financial Databases PCI Databases
ESX Servers
Domain Controllers
Workstations/Laptops
Further Reduce Risk of Theft
With EPM

35. 37
 Monitor privileged users
 Internal employees & 3rd Party Access
 Alerting on high risk or malicious
events
 DCSync
 IOC behavior.
 Alert on behavior anomalies
 Logons outside your IAM controls.
Monitoring

36. 38
Endpoint Network Credentials Monitoring
 Remove local
privileges
 Control applications
 Segment off
sensitive assets
 Route access
through jump servers
 Enforce credential
tiers
 Require multi-factor
authentication
 Secure and manage
privileged credentials
 Set alerts on
malicious events
 Monitor behavior to
detect anomalies
 Monitor privileged
users
Iam Best Practices . . . In review.

37. 39
Thank
You!

38. 40
▪ Email:
Andy.Thompson@CyberArk.com
▪ Website:
CyberArk.com
▪ Twitter:
R41nM4kr
▪ LinkedIn:
AndyThompsonInfoSec
Andy Thompson