Learning to Live with an Advanced Persistent Threat
John Denune
IT Security Director
University of California, San Diego
jdenune@ucsd.edu
ACT Infrastructure services
E-mail
Database Administration
Data Center
Security
Active Directory
Telecom
Networking
ID Management
UNIX and Windows Support
ACT Security
Policy and Compliance
9 Staff
Anti-virus and FDE
VPN
Incident Response
Intrusion Detection
SSL Certs
Firewall
Forensics
Patch Management
Vulnerability Assessment
What is an APT?
It’s not
Opportunistic
Varied Attacks
Espionage
Technical
Targeted
APT
Corporate
State-Sponsored
Skilled
Hacktivism
Patient
Theft
Social Engineering
Physical threats
APT Lifecycle
External Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Expand → Complete Mission
Initial Detection
June 2012
Lesson #1: Pay attention to anti-virus alerts
Lesson #2: Don’t (completely) rely on your anti-virus product
Lesson #3: Where possible, track IPs instead of blocking them
Initial Recon
February 2012
Initial Compromise
April 2012
Gh0st RAT
Lesson #4: Make your local FBI agent your new best friend
Lesson #5: Have a secure communications plan in place
Lesson #6: Log everything, especially authentication, netflow and DNS
Attack timing
All attacks took place Sunday – Thursday between the hours of 6pm and 3am Pacific.
Attack Path
Malware Observations
You don’t need to rely on a lot of malware when you’ve already got a long list of credentials.
You don’t need to crack passwords when you can just pass a hash.
Interactive Authentication
Client computes the LM and NTLM hashes and stores them in memory.
Plaintext password is reversibly encrypted and stored in memory.
Password hash is salted with the username and stored in the registry.
Administrator Hash
So, let’s say the domain administrator RDPs to the client…
Domain Admin NTLM hash is now stored in client memory.
Pass the Hash
Attacker compromises the client…
Steals hashes from memory…
Accesses both the server and the domain controller
Mitigations
• Change passwords multiple times per day
• Fast track two factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan entire domain for scheduled tasks
• Rebuild Domain Controllers
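Two of the slides above can be turned directly into a log check: Lesson #6 (log authentication) plus the observed Sunday–Thursday 6pm–3am window, and the pass-the-hash slide, where the damage starts with a domain admin logging on interactively to a client. The script below is an added example, not the deck's or UCSD's own tooling; it runs over a constructed sample of Windows 4624 logon records (timestamps assumed already in Pacific local time) and the account and host names are made up.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) events, reduced to
# the fields used below; not the deck's own logs. Timestamps are Pacific local time.
# Fields: timestamp, account, target host, logon type (10 = RDP, 3 = network, 2 = console)
SAMPLE_LOGONS = [
    ("2012-04-22T19:40:00", "CORP\\da-smith",   "WS-LAB-17", 10),  # Sun 7:40pm, DA RDPs to a client
    ("2012-04-23T02:15:00", "CORP\\da-smith",   "FILESRV01",  3),  # Mon 2:15am, network logon to a server
    ("2012-04-23T09:05:00", "CORP\\jdoe",       "WS-LAB-17",  2),  # Mon 9:05am, ordinary user at console
    ("2012-04-24T22:30:00", "CORP\\svc-backup", "DC01",       3),  # Tue 10:30pm, service account
    ("2012-04-27T20:00:00", "CORP\\da-smith",   "DC01",      10),  # Fri 8pm, admin on an admin-tier host
]

ADMIN_ACCOUNTS = {"CORP\\da-smith"}        # hypothetical domain-admin accounts
ADMIN_TIER_HOSTS = {"DC01", "FILESRV01"}   # hosts where admin logons are expected
INTERACTIVE_TYPES = {2, 10, 11}            # logon types that leave credentials in LSASS memory
SUN_TO_THU = {6, 0, 1, 2, 3}               # datetime.weekday(): Monday=0 ... Sunday=6


def in_attack_window(stamp: str) -> bool:
    """Sunday-Thursday, 6pm-3am Pacific: the window the deck reports.
    Shifting the clock back 3h turns the midnight-straddling window into
    3pm-midnight on one calendar day, so the weekday check is simple."""
    shifted = datetime.fromisoformat(stamp) - timedelta(hours=3)
    return shifted.hour >= 15 and shifted.weekday() in SUN_TO_THU


def admin_on_client(account: str, host: str, logon_type: int) -> bool:
    """Admin-tier credential used interactively on a non-admin-tier host: the
    'domain admin RDPs to the client' step that leaves the NTLM hash in memory."""
    return (account in ADMIN_ACCOUNTS and host not in ADMIN_TIER_HOSTS
            and logon_type in INTERACTIVE_TYPES)


def triage(events):
    """Return [(timestamp, account, host, reasons)] for logons worth a look."""
    flagged = []
    for stamp, account, host, logon_type in events:
        reasons = []
        if admin_on_client(account, host, logon_type):
            reasons.append("admin credential exposed on client")
        if in_attack_window(stamp):
            reasons.append("inside observed Sun-Thu 6pm-3am window")
        if reasons:
            flagged.append((stamp, account, host, reasons))
    return flagged
```

On the sample data the Sunday-evening RDP by the domain admin trips both rules, while the Friday logon to the domain controller trips neither.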
Lesson #7: Reconsider traditional password best practices
Good passwords?
*tecno9654postgres
A Matt Hale Tribute CD would be cool..
Access-Control-Allow-Origin
Abundance4me2day
Bulletformyvalentine123
Elementarymydearwatson
Putin is nothing but commie scum.
Video killed the radio star?
antcolonyoptimization
Emergency Action
September 2012
Lesson #8: Effectively and securely communicating a password change is hard
We are not alone
Reengagement
July 2013
Parting Thoughts
• Detection can be subtle and an art
• Have a good AD Team
• Logging visibility is essential
• Regular password changes are a MUST
• Be prepared to re-image any system
• Firewalls to prevent lateral movement
• Separation of user and admin credentials
• Require two-factor for OU Admins
A New Hope
• Strengthened LSASS to prevent credential dumps
• Many processes no longer store credentials in memory
• Better ways to restrict local account use over the network
• RDP use without putting the credentials on the remote computer
• Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Further Reading
Know Your Digital Enemy – Anatomy of a Gh0st RAT
http://www.mcafee.com/us/resources/white-papers/foundstone/wpknow-your-digital-enemy.pdf
Mitigating Pass-the-Hash (PtH) Attacks and Other
Credential Theft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036
APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
“If ignorant both of your enemy and yourself, you are certain to be in peril.”
― Sun Tzu, The Art of War