Your Directory Has Been Breached!
Now what?
Dmitry Kagansky
Chief Technology Officer, Federal
May 30, 2012
©2011 Quest Software, Inc. All rights reserved.
Your Directory Has Been Breached
In today's constantly hostile online environment, hacks and compromises are almost inevitable. When an attacker makes their way into your network, they can stay undetected for days and weeks, and the systems most threatened are the systems that are most critical: databases, email and Active Directory.

However, there are preventative measures you can take to decrease the chance of compromise, or to remediate your situation if a breach occurs. Join Quest Software in a presentation on both preventative measures and remediation techniques to survive a network compromise.
1
Credit Where Credit Is Due
• The next 4 slides were shamelessly taken from Scott Culp's presentation
– Managing Risk in Today's Cyber Threat Environment
– Scott Culp, Principal Security Architect, Microsoft
– Originally presented at the 2012 Microsoft Public Sector CIO Summit
2
Begin at the beginning
How did it happen?
Most likely culprits:
• Targeting
– Phishing
– SQL Injection
• Persistence
– Pass the Hash
3
Persistence
Common Return Vectors
• Valid Credentials
– Passwords obtained in cleartext, keyloggers, databases, etc.
– Passwords obtained by cracking hashes, especially from DCs
• Zombie RATs
– Remote Access Tools installed on compromised machines, with instructions to reactivate and phone home later
• Dupes
– Users with a demonstrated propensity for extending unjustified trust
4
Pass The Hash
• Domain Privileged Servers – Where the power is
• Line of Business Servers – Where the assets are
• Workstations – Where the access is
5
Preventative Measures
• If you're confident you're still "sterile," here are things you can easily do on an on-going basis to stay that way:
• Know What Matters
– Focus on your key systems, users, data.
• Get Current, Stay Current
– Deploy Windows 7, Office 2010, Acrobat Reader X, Java 6; keep them patched.
• Start Secure, Stay Secure
– Configure security using SCM; maintain it & monitor it; independently test it.
• Isolate Key Credentials
– Use Standard User for Workstations. Isolate privileged credentials.
• Employ the SDL
– Employ the Security Development Lifecycle for in-house apps, especially web apps.
• But if you're not confident, or you know you've been breached . . .
6
Steel yourself . . . This is not going to be pretty
• You have to migrate
• Yes, I said migrate
7
Why Are We Here?
"Once you realized your directory was 'owned', the only way you will feel secure again is to migrate your data to a new directory on new servers."
– Anonymous Customer, Sr. AD Architect
8
High Level Overview
• Have a destination prepared
• Have as much moved over as possible
– Users
– Groups
• Prepare a Services Priority List
• Be ready to copy what cannot be moved ahead of time
– Computers
– Services
– Resources
• Have tools at the ready
• You WILL have an outage
• Do NOT grant any rights to anyone without a thorough review process
9
Have a Destination Prepared
• You can set up AD in a VM ahead of time
– create a new domain
– Have only the single ‘Administrator’ user with any rights
– Start to actively monitor this new instance
• Map all users
– Create an “old to new” map – MS Excel, MS Access, CSV, etc.
– For convenience, add old & new SIDs to the map if you can
– Secure the map
– Review the map on an on-going basis
• Copy all distribution groups
– Group Membership is suspect, and should probably not be copied
• Copy all security groups
– Group Membership is compromised, and must not be copied
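An added example of the "destination" steps above in PowerShell (not code from the slides or from Quest): it builds the old-to-new user map with both SIDs and copies every group as an empty shell, leaving membership behind. It assumes the ActiveDirectory module, credentials in both forests, and placeholder DC names, OU paths and file locations.

```powershell
# Added example, not from the slide deck. Assumes the ActiveDirectory module (RSAT);
# all server names, OU paths and file paths are placeholders.
Import-Module ActiveDirectory

$OldDC     = 'dc01.old.example.com'                 # compromised source domain
$NewDC     = 'dc01.new.example.com'                 # clean destination domain
$NewUsers  = 'OU=Users,DC=new,DC=example,DC=com'
$NewGroups = 'OU=Groups,DC=new,DC=example,DC=com'
$MapFile   = 'C:\secure\user-map.csv'               # secure this file: it links old and new identities

# 1. Map all users. The old SID is recorded before anything is created, the new SID
#    right after. Old passwords are assumed to be in the attacker's hands, so every
#    account gets a random throwaway password, must change it at first logon, and
#    stays disabled until the account has been reviewed.
$charset = [char[]]([char]'!'..[char]'~')
$map = foreach ($u in Get-ADUser -Server $OldDC -Filter * -Properties DisplayName) {
    $tmpPassword = -join (Get-Random -InputObject $charset -Count 24)
    $new = New-ADUser -Server $NewDC -Path $NewUsers -PassThru `
        -Name $u.Name -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@new.example.com" `
        -DisplayName $u.DisplayName `
        -AccountPassword (ConvertTo-SecureString $tmpPassword -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $false
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldSid         = $u.SID.Value
        NewSid         = $new.SID.Value
        Created        = (Get-Date -Format o)
    }
}
$map | Export-Csv -Path $MapFile -NoTypeInformation

# 2. Copy all groups as shells: name, category, scope and description only.
#    Membership in the old directory is compromised and is deliberately not copied.
#    Well-known groups (RID below 1000, e.g. Domain Admins) already exist in the
#    new domain and are skipped.
Get-ADGroup -Server $OldDC -Filter * -Properties Description |
    Where-Object { [int]($_.SID.Value.Split('-')[-1]) -ge 1000 } |
    ForEach-Object {
        New-ADGroup -Server $NewDC -Path $NewGroups -Name $_.Name `
            -SamAccountName $_.SamAccountName -GroupCategory $_.GroupCategory `
            -GroupScope $_.GroupScope -Description $_.Description
    }
```

Review the map file regularly, as the slide says: any row whose new account is enabled without a recorded approval is a finding, not a convenience.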
10
Prepare the Services Priority List
• Determine what is most important
– Involve the business owners
• Document “service interactions”
– SQL, IIS and what level of privileges are needed for all apps
• Email may not be mentioned but assume it to be first priority
• Mobile devices (even Blackberries) should be last
– Yes, I know people want their data, but this is a potential entry point
11
Have Tools Prepared
• Many vendors have what you need, however . . .
• No one (not even my employer) has a single package for this
• Be comfortable with PowerShell
– If you don't have any 3rd party tools, this will be the only way to go unless you only have 20 users in your domain
• Everything that is necessary can be scripted
• Have the scripts ready
12
During the move
• Copy what cannot be moved ahead of time
– Computers
– Services
– Resources
• All objects are suspect
– Treat them the same as compromised user objects
– Do not blindly add them to groups
• Look at directory sync tools
– Microsoft
– Quest
13
You WILL Have An Outage
• Prepare your users - let them know
– They’ll need to reset their passwords
– Some apps & services will not be available, especially after the initial move
• Size determines speed
• Risk determines speed
• A few days to a few weeks
– It will take a day or two to copy everything over
– It will take weeks to get everything back in place
• Security groups MUST go through a review process
– Involve the business owners
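An added PowerShell example (not from the slides or from Quest) for the review process this slide and the "do not blindly add them to groups" point call for: old security-group membership is exported to a review sheet for the business owners, and only rows they explicitly approve are applied in the new domain. It assumes the ActiveDirectory module and the placeholder DC names and file paths shown.

```powershell
# Added example, not from the slide deck. Assumes the ActiveDirectory module;
# server names and file paths are placeholders.
Import-Module ActiveDirectory

$OldDC      = 'dc01.old.example.com'          # compromised source domain
$NewDC      = 'dc01.new.example.com'          # clean destination domain
$MapFile    = 'C:\secure\user-map.csv'        # old-to-new user map built when the destination was prepared
$ReviewFile = 'C:\secure\membership-review.csv'

function Export-MembershipForReview {
    # One row per (security group, direct member) pair from the old domain. Nothing is
    # added to the new domain here; business owners fill in Approved and ApprovedBy.
    $known = @{}
    Import-Csv $MapFile | ForEach-Object { $known[$_.SamAccountName] = $_.NewSid }
    $rows = foreach ($g in Get-ADGroup -Server $OldDC -Filter 'GroupCategory -eq "Security"') {
        foreach ($m in Get-ADGroupMember -Server $OldDC -Identity $g) {
            [pscustomobject]@{
                Group      = $g.SamAccountName
                Member     = $m.SamAccountName
                MemberType = $m.objectClass                        # nested groups show up as 'group'
                InUserMap  = $known.ContainsKey($m.SamAccountName) # unmapped members deserve extra scrutiny
                Approved   = ''                                    # owner writes 'yes' or 'no'
                ApprovedBy = ''                                    # owner's name; blank means not reviewed
            }
        }
    }
    $rows | Export-Csv -Path $ReviewFile -NoTypeInformation
}

function Import-ApprovedMembership {
    # Apply only rows that carry an explicit 'yes' and a reviewer's name.
    # Everything else is counted and left out, so a half-finished review cannot
    # silently recreate the old (compromised) membership.
    $rows     = Import-Csv $ReviewFile
    $approved = $rows | Where-Object { $_.Approved -eq 'yes' -and $_.ApprovedBy }
    foreach ($r in $approved) {
        Add-ADGroupMember -Server $NewDC -Identity $r.Group -Members $r.Member
        Write-Host "$($r.ApprovedBy) approved: $($r.Member) -> $($r.Group)"
    }
    Write-Host "$($approved.Count) memberships added, $($rows.Count - $approved.Count) left out pending review"
}
```

Run Export-MembershipForReview once, hand the sheet to the owners, and run Import-ApprovedMembership only against the copy they return.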
14
Credit Where Credit Is Due
• Slides 3 - 6 taken from Scott Culp’s presentation
– Managing Risk in Today’s Cyber Threat Environment
– Scott Culp, Principal Security Architect, Microsoft
– Originally presented at the 2012 Microsoft Public Sector CIO Summit
• There is a corresponding white paper out on June 4th
– Robert Bobel (bob@activefolder.com) is the original co-author of the white paper, and much of this presentation is based on his original draft
15
Wrap-up
• Contact Information
– Dmitry Kagansky
– Email: dmitry.kagansky@quest.com
– Twitter: @dimikagi
– Blog: http://www.federalcto.com/
• Supporting Whitepaper (Available June 4, 2012)
– http://www.federalcto.com/quest/breached-directory.docx
– http://tinyurl.com/re-establishAD
• AD Landing page
– http://www.federalcto.com/2012/05/breached/
• These slides
– http://www.federalcto.com/quest/breached-directory.pptx
16