Post on 16-Dec-2015
TWC: Pass-the-Hash and Credential Theft Mitigation Architectures
Mark Simos, Nicholas DiCola
DCIM-B213
Agenda
- Microsoft Cybersecurity Team
- Determined Adversaries and Targeted Attacks
- Pass the Hash and Credential Theft
- Credential Theft Mitigation Architectures
- Detecting Threats: advanced tools to find new attacks; deep expertise hunting for the Determined Adversary
- Innovative Mitigations: make the most of your existing assets; new approaches to counter threats
- Custom Solutions: specialized security solutions, from tailored assessments to integrating the Security Development Lifecycle into your software development
Services: Recovery & Mitigations; Sensors & Intelligence; Response & Investigation; Architecture & Advisory; Expert SDL Developer Services
Cybersecurity Practice: global reach and delivery with world-class architects, consultants, engineers, and technology experts
Key Learnings
- Astronomical adversary ROI for internet attacks
  - Cheap, effective, relatively easy
  - No alternate espionage method has comparable ROI
- Increased adversary maturity
  - Many are well-resourced, mission-focused, determined
  - Sophisticated targeting of organizations, people, data
- Ubiquitous use of credential theft (Pass the Hash)
  - Elevates to a mission, shareholder value, existential threat
  - Externals effectively conducting insider attacks
Targeted Attacks: Strategies and Tactics
Establish Persistence
- Gain control of your identity store
  - Public: administrator rights, interesting projects and groups
  - Secrets: passwords and hashes
- Hide malware on multiple hosts
  - Custom compiled for the attack campaign
Execute Mission
- Download terabytes of your data (~99% of cases)
  - Initially: large exfiltration of many types
  - Then: target specific data (new, valuable, strategic)
- Implement the wrecking ball (~1% of cases)
Defender Trends
- IT environments not designed for the credential-theft class of attacks
- IT security resources trying to defend every system equally
- Reputation impact concerns hamper defender collaboration
Pass the Hash: 48 hours (or less)
1. Attacker targets workstations en masse
2. User running as local admin is compromised; attacker harvests credentials
3. Attacker uses credentials for lateral movement or privilege escalation
4. Attacker acquires domain admin credentials
5. Attacker exercises full control of data and systems in the environment
Potential Attacker Pathways
[Diagram: Potential Attacker Pathways. The starting point is Patient Zero, a workstation reached through a user action (malware install; beacon, command & control; vulnerability & exploit), with elevation where user = administrator. On that host the attacker gets the user's data and keystrokes, all local data, the active user credentials and the SAM NT hashes, and establishes a beachhead. Credential re-use and Pass the Hash (PTH) with local accounts reach all workstations; a server administrator credential gives server access (all local data, active user credentials, Security Accounts Manager (SAM) NT hashes, all Active Directory data with read access); a domain admin logon or PTH of a domain admin credential gives domain controller access with full control of all Active Directory data and all credentials (NT hashes).]
Demo: Pass the Hash Attack
[Demo diagram: a DC and a Client in Domain.Local, a DomainAdmin account, and the Attack Operator.]
Smartcards alone will not stop PTH
- Smartcard logon sessions still have an NTLM hash:
  - of the user password, or
  - of a random 128-bit value (if the account has "smart card is required for interactive logon" set)
- That account attribute restricts interactive logon only
- The smartcard is remotely available to the attacker when:
  - Malware is installed
  - The smartcard is inserted in the reader
  - The PIN is captured from a keystroke logger (most malware includes these)
Effective Mitigations
1. Credential Theft
   Ensure high-privileged account credentials aren't available to be stolen
   - No Domain Admins on workstations or servers
   - No Server Admins on workstations
2. Credential Re-Use (Illicit)
   Reduce the usefulness of credentials exposed to high risks (internet)
   - Local SAM database (NT hash only)
   - Machine account passwords
   - Service passwords (if present)

Credential Theft Mitigation Strategy
[Diagram: two axes, High Exposure (to Internet/Risk) and High Privilege/Value. Strategy 1, Prevent Exposure, applies to high privilege/value credentials; strategy 2, Limit Usefulness, applies to high exposure credentials.]
Attack stages covered by both strategies:
1. Privilege escalation: credential theft, application agents, service accounts
2. Lateral traversal: credential theft, application agents, service accounts
Tier Model Restrictions
[Diagram: Tier 0 = Domain Controllers, administered by Forest/Domain Admins; Tier 1 = Servers, administered by Server Admins; Tier 2 = Workstations, administered by Workstation Admins. Each admin works from an admin workstation. Same-tier logon is permitted; higher-tier logon and lower-tier logon are blocked.]
Enhanced Security Admin Environment
[Diagram: a hardened Admin Environment that manages and monitors the Production environment. Production is layered as Access (Users and Workstations), Data (Servers and Applications), and Power (Domain Controllers); Production Domain Admins and Break Glass Account(s) / Red Card Admins remain in production. Admin Environment controls: IPsec, credential partitioning, hardened admin environment, known good media, network security, hardened workstations, accounts and smartcards, auto-patching, security alerting, tamper-resistant audit, offline administration (enforces governance). It also assists with mitigating risks from services and applications and from lateral traversal.]
- Self-maintaining (to the extent possible): automatic software update application (and reboots)
- Small footprint: single ESAE domain/forest; DCs plus System Center Operations Manager (security alerting); one administrative workstation per administrator
- Smartcard enforcement and regular NT hash cycling for all active accounts
Typical Administrative Environment
ESAE: Managing Multiple Forests/Domains
[Diagram: one Admin Environment managing multiple production domains and forests.]

Privileged Account Workstation (PAW): On Premises
[Diagram: PAWs for Domain Admins (Domain & Forest) and for Server & App Admins (Servers and Applications, SaaS) are kept apart from the production domain(s) Workstations & Users.]
Increased security protections against enterprise threats and known internet threats:
- Hardened workstations
- Known good media
- 20+ security controls
- Network traffic restrictions
- Admin smartcards (optional)
Privileged Account Workstation (PAW): Cloud Security
[Diagram: PAWs for Cloud Infrastructure & Services Administration (IaaS, PaaS) and for Social Media, Publishing, Brand Management (SaaS).]
Privileged Account Workstations increase security protections against enterprise threats and known internet threats. Security protections include:
- Known good media
- 20+ security controls
- Smartcards (optional)
- Security alerting (optional)
What are these 20+ Security Controls?
- UEFI/TPM/Secure Boot enabled
- BitLocker
- Standard user configuration
- AppLocker
- USB media restrictions
- Outbound traffic restrictions (no Internet)
- Inbound traffic restrictions (default block)
- Automatic patching
- EMET
- System Center Endpoint Protection
- Rapid rebuild process
- Known Good Media build process
- Logon restrictions
- Microsoft Security Baselines (SCM)
- Unsigned code analysis
- Attack surface analysis
- OU and GPO ACL lockdowns
- Lateral traversal mitigation(s)
- Restricted Administrators membership
- Only authorized management tools
- Etc.
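An added example, not part of the deck and not a Microsoft tool, that spot-checks several of the controls listed above on the local host. It uses standard Windows PowerShell cmdlets (Confirm-SecureBootUEFI, Get-Tpm, Get-BitLockerVolume, Get-NetFirewallProfile, Get-AppLockerPolicy, Get-LocalGroupMember). The registry locations used for the USB and patching checks and the Administrators-membership threshold are common implementations chosen for this example, not values from the deck; adjust them to your own baseline.

```powershell
# Added example (not from the TechEd deck): spot-check some of the PAW
# "20+ security controls" on the local Windows host.
# Run in an elevated Windows PowerShell session (8.1/2012 R2 or later).
# Registry paths and thresholds below are one common way to implement the
# listed controls and are assumptions of this example.

function Test-PawBaseline {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Control, [bool]$Compliant, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Compliant = $Compliant; Detail = $Detail })
    }

    # UEFI Secure Boot (the cmdlet throws on legacy BIOS hosts, which fail the control too)
    try {
        $sb = Confirm-SecureBootUEFI -ErrorAction Stop
        Add-Result 'UEFI/Secure Boot' $sb "Confirm-SecureBootUEFI = $sb"
    } catch {
        Add-Result 'UEFI/Secure Boot' $false "Not UEFI or query failed: $($_.Exception.Message)"
    }

    # TPM present and ready (key protector for BitLocker, measured boot)
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        Add-Result 'TPM' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch {
        Add-Result 'TPM' $false "Get-Tpm failed: $($_.Exception.Message)"
    }

    # BitLocker protection turned on for the OS volume
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    Add-Result 'BitLocker (OS volume)' ([bool]$blv -and $blv.ProtectionStatus -eq 'On') "ProtectionStatus=$($blv.ProtectionStatus)"

    # Firewall: inbound default block and outbound default block ("no Internet") on every profile
    foreach ($p in Get-NetFirewallProfile) {
        $on = ($p.Enabled -eq 'True')
        Add-Result "Firewall inbound default ($($p.Name))" ($on -and $p.DefaultInboundAction -eq 'Block') "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
        Add-Result "Firewall outbound default ($($p.Name))" ($on -and $p.DefaultOutboundAction -eq 'Block') "Enabled=$($p.Enabled) Outbound=$($p.DefaultOutboundAction)"
    }

    # AppLocker: executable rules enforced, not merely audited
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $exe = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
    Add-Result 'AppLocker (Exe enforced)' ([bool]$exe -and $exe.EnforcementMode -eq 'Enabled') "EnforcementMode=$($exe.EnforcementMode)"

    # USB mass storage disabled (USBSTOR Start = 4 is one common implementation; assumption)
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    Add-Result 'USB media restrictions' ($usb.Start -eq 4) "USBSTOR Start=$($usb.Start)"

    # Automatic patching (AUOptions = 4: auto download and schedule install; assumption)
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name AUOptions -ErrorAction SilentlyContinue
    Add-Result 'Automatic patching' ($au.AUOptions -eq 4) "AUOptions=$($au.AUOptions)"

    # Restricted Administrators membership: the PAW user works as a standard user, so the
    # local Administrators group should hold only the built-in account plus the designated
    # admin group. The threshold of 2 members is this example's assumption.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    Add-Result 'Restricted Administrators membership' ($admins.Count -le 2) ('Members: ' + (($admins | ForEach-Object Name) -join ', '))

    return $results
}

$report = Test-PawBaseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Host does not meet the PAW baseline checks above.'
}
```

Each check returns a row with the raw value it inspected, so a failed row can be verified by hand; a control that cannot be queried (no TPM cmdlet, legacy BIOS) is reported as non-compliant rather than skipped.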
How MARS works (Auto-Approval example)
Configure workflows for each role: notifications, approval requirements, custom actions.
[Diagram: a candidate account requests access to a resource through the MARS server. Resources: managed servers, Domain Admin, Schema Admin, Top Secret Project. Managed privilege is granted as group membership or custom actions.]
Timeline:
1. Request Access (10:00)
2a. Auto-Approve (10:00)
2b. E-mail Notification (10:00)
3. Access Resource (10:01)
4. Privilege Expires (12:00)
5. Attempt Access (3:15), after the privilege has expired
Platform Updates
Core platform changes (automatically on):
- Remove LM hashes from LSASS
- Remove plaintext-equivalent passwords from LSASS (for domain credentials)
- Enforce credential removal after logoff
- Facilitate restriction of local admin accounts
  - S-1-5-113: Local account
  - S-1-5-114: Local account and member of Administrators group
New configurable features:
- Protected Users
- Restricted Admin Mode Remote Desktop
- Authentication Policies & Silos
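The two logon restrictions the deck relies on, the tier model (only same-tier admins may log on to a host) and the S-1-5-114 well-known SID (local Administrators members cannot be used over the network or RDP, so a stolen local admin hash is useless on other machines), are both implemented as "Deny log on ..." user rights. The following is an added example, not part of the deck or of any Microsoft tool, that generates a secedit user-rights template for one host from its tier and optionally applies it. In production the same rights are set once in Group Policy (User Rights Assignment) and scoped by OU; the script mirrors that for a single machine. The NetBIOS domain name and the "Server Admins" and "Workstation Admins" group names are assumptions; Domain Admins and Enterprise Admins are the built-in groups.

```powershell
# Added example (not from the TechEd deck): build and apply a user-rights
# template that enforces, on this host, (a) the tier model logon restrictions
# and (b) denial of network and RDP logon for S-1-5-114 (local account that is
# a member of Administrators) from the Platform Updates slide.
# Run elevated. Try it in a lab first: a mis-scoped deny right locks accounts out.

param(
    [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$HostTier,
    [string]$Domain = 'CONTOSO',      # assumption: your NetBIOS domain name
    [switch]$Apply                    # without -Apply, only the .inf is written
)

# Tier-to-group mapping from the Tier Model slide. The two Tier 0 groups are
# built in; the Tier 1 and Tier 2 group names are placeholders for this example.
$tierGroups = @{
    0 = @('Domain Admins', 'Enterprise Admins')   # Forest/Domain Admins
    1 = @('Server Admins')                        # assumption
    2 = @('Workstation Admins')                   # assumption
}

function Get-GroupSid([string]$DomainName, [string]$GroupName) {
    # Resolve DOMAIN\Group to its SID; secedit templates reference SIDs with a '*' prefix.
    $acct = New-Object System.Security.Principal.NTAccount($DomainName, $GroupName)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Every admin group outside this host's tier is denied all five logon types.
$denyTierSids = @(foreach ($tier in ($tierGroups.Keys | Where-Object { $_ -ne $HostTier })) {
    foreach ($g in $tierGroups[$tier]) { '*' + (Get-GroupSid $Domain $g) }
})

# Local accounts in Administrators keep console logon (for break-glass use) but
# their NT hashes must not work over the network or Remote Desktop from elsewhere.
$denyRemoteSids = $denyTierSids + '*S-1-5-114'

$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = $denyTierSids
    SeDenyBatchLogonRight             = $denyTierSids
    SeDenyServiceLogonRight           = $denyTierSids
    SeDenyNetworkLogonRight           = $denyRemoteSids
    SeDenyRemoteInteractiveLogonRight = $denyRemoteSids
}

# Minimal security template: only the [Privilege Rights] area is configured.
$inf = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]'
)
foreach ($r in $rights.Keys) { $inf += "$r = $($rights[$r] -join ',')" }

$infPath = Join-Path $env:TEMP "tier$HostTier-logon-restrictions.inf"
$inf | Set-Content -Path $infPath -Encoding Unicode
Write-Host "Template written to $infPath"
Get-Content $infPath

if ($Apply) {
    $db  = Join-Path $env:TEMP "tier$HostTier-logon-restrictions.sdb"
    $log = Join-Path $env:TEMP "tier$HostTier-logon-restrictions.log"
    # secedit imports the template into a fresh database and applies the USER_RIGHTS area.
    secedit.exe /configure /db $db /cfg $infPath /areas USER_RIGHTS /log $log /quiet
    Write-Host "secedit exit code $LASTEXITCODE; details in $log"
}
```

Usage: `.\Set-TierLogonRestrictions.ps1 -HostTier 2 -Domain CONTOSO` writes the template for a workstation (denying Domain Admins, Enterprise Admins and Server Admins every logon type, and S-1-5-114 network/RDP logon); add `-Apply` to enforce it. Group name resolution fails loudly if a placeholder group does not exist, which is preferable to silently writing an empty deny list. Because S-1-5-114 and the Protected Users group are 8.1/2012 R2 features, older hosts need the corresponding platform update before the SID is honoured.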
Enhanced Security Admin Environment (ESAE)
[Diagram: the ESAE forest provides, for the production domain(s), Domain and Forest Administration, Security Alerting, Server and System Management, Hardened Hosts and Accounts, Managed Access Request System (MARS), App and Data Management, Privileged Account Workstation (PAW), User Assistance and Support, Lateral Traversal Mitigations, Application & Service Hardening, and Helpdesk and Workstation Management.]
Credential Theft Mitigations with 8.1/2012 R2 features: RDP with Restricted Admin, Protected Users, Auth Policies and Silos.
Application and Service Hardening
Upstream Risks (Controlling the Application) vs. Downstream Control
Important: upstream risks also include hosts where upstream administrator credentials are exposed.
[Diagram: an application (application agents or software; application service accounts; business-critical data?) and the upstream parties and paths that control it:]
- Backup and storage administrators
- Baseboard Management Controllers (BMCs)
- Local operating system administrators
- Physical access and virtual machine administrators
- ACLs on computer account, OU, GPO, GPO content
- Management agents on server and scheduled tasks
- Application administrator roles
- Unpatched software vulnerability, weak OS configuration
- Host installation media/process
Importance of Known Good Media
Media attack vectors:
- Infecting gold master images
- Injecting malicious software into download bit-streams
- Infecting software packages
Validate the media source:
- Verify printed media
- Verify downloaded media (certutil -hashfile): compare the binary to published hashes
- Compare two independent downloads (different machines, different internet connections)
Transfer and storage of media:
- Save onto read-only media such as a locked DVD (not a USB drive)
- Label as Known Good Media or "KGM."
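The verification the slide describes, as an added example that is not part of the deck: compute the hash of a downloaded image with Get-FileHash, cross-check it with certutil -hashfile (the tool the slide names), compare it to the vendor's published value, and, if a second independent download is supplied, confirm both downloads are identical. The file paths and published hash are parameters you supply; nothing here is a real product hash.

```powershell
# Added example (not from the TechEd deck): verify downloaded installation media
# against a published hash and against a second, independent download.
# Usage: .\Test-Kgm.ps1 -Path D:\dl1\image.iso -SecondPath E:\dl2\image.iso -PublishedHash <hash from vendor page>

param(
    [Parameter(Mandatory)][string]$Path,            # first download
    [string]$SecondPath,                            # optional second download (other machine/connection)
    [Parameter(Mandatory)][string]$PublishedHash,   # value copied from the vendor's page
    [ValidateSet('SHA256', 'SHA384', 'SHA512')][string]$Algorithm = 'SHA256'
)

function Test-KnownGoodMedia {
    param([string]$FilePath, [string]$Expected, [string]$Algo)
    # Get-FileHash is the PowerShell equivalent of "certutil -hashfile <file> <algo>".
    $actual = (Get-FileHash -Path $FilePath -Algorithm $Algo).Hash
    # Vendor pages often wrap or space the hash; normalise before comparing.
    $normalizedExpected = ($Expected -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        File    = $FilePath
        Hash    = $actual
        Matches = ($actual -eq $normalizedExpected)
    }
}

function Get-CertutilHash {
    param([string]$FilePath, [string]$Algo)
    # certutil prints a header line, the hash (older builds space the bytes), and a footer;
    # keep only the hex line(s) and strip spaces so it compares to Get-FileHash output.
    $lines = certutil.exe -hashfile $FilePath $Algo | Where-Object { $_ -match '^[0-9A-Fa-f ]+$' }
    (($lines -replace ' ', '') -join '').ToUpperInvariant()
}

$first = Test-KnownGoodMedia $Path $PublishedHash $Algorithm
# Independent tool cross-check: a tampered or buggy hashing tool is itself a media attack vector.
$first | Add-Member -NotePropertyName CertutilAgrees -NotePropertyValue ((Get-CertutilHash $Path $Algorithm) -eq $first.Hash)

$results = @($first)
if ($SecondPath) {
    $second = Test-KnownGoodMedia $SecondPath $PublishedHash $Algorithm
    $second | Add-Member -NotePropertyName SameAsFirst -NotePropertyValue ($second.Hash -eq $first.Hash)
    $results += $second
}
$results | Format-List

$bad = $results | Where-Object { -not $_.Matches -or ($_.PSObject.Properties['CertutilAgrees'] -and -not $_.CertutilAgrees) -or ($_.PSObject.Properties['SameAsFirst'] -and -not $_.SameAsFirst) }
if ($bad) {
    Write-Warning 'Hash mismatch: do not use this media. Re-download from the trusted source and re-verify.'
    exit 1
}
Write-Host "Verified against the published $Algorithm hash. Burn to read-only media and label it 'Known Good Media (KGM)'."
```

The published hash should be taken from the vendor's page over a separate connection from the download itself, and the comparison with a second download catches an injected download stream that a single hash check from the same network would miss only if the published value was also altered.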
Lessons Learned
- Credential theft is different from a normal vulnerability: the attack surface is determined by operational practices
- It all starts from host integrity: it only takes one tool to automate a new or difficult attack
- Prevention is cheaper than recovery!
  - Recovery still requires preventing reinfection (similar to proactive defenses)
  - Recovery also requires cleaning up attacker presence (never guaranteed)
  - Residual risk is higher in recovery mode
Questions?
Ask now or...
Mark.Simos @ Microsoft.com
Nicholas.DiCola @ Microsoft.com
Come visit us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management, TechExpo Level 1, Hall CD.
For More Information
- Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
- Microsoft Azure: http://azure.microsoft.com/en-us/
- System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
- Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
Resources
- Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
- msdn: Resources for Developers, http://microsoft.com/msdn
- TechNet: Resources for IT Professionals, http://microsoft.com/technet
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Complete an evaluation and enter to win!
Evaluate this session
Scan this QR code to evaluate this session.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.