THE INFOSEC REVIVAL
Why owning a typical network is so easy, and how to build a secure one
Matt Weeks
scriptjunkie.us · @scriptjunkie1
OUTLINE
 The Evil That Threatens Us
 Network Defenses
 Host Defenses
THE EVIL THAT THREATENS US
Network Intrusion Playbook
LEVELS OF ACCESS
• Limited User
• Local Admin
• Lateral Movement
• Domain Admin
• Internal Network
• Internal Server
INITIAL ACCESS
[Attack graph; node and edge labels recovered from the figure]
Nodes: Start, Internal Network, Internal Server, Limited User, Local Admin
Ways in:
 External server exploit: web/SQLi/password
 Client-side exploit: Java, PDF, Office, browser
 Social engineering via email/browser
 Physical items: thumb drives/CDs (autorun/link/EXE), HID-spoofing USB devices
 Physical access
 Supply-chain compromise
LIMITED USER EXPANSION
[Attack graph; node and edge labels recovered from the figure]
Nodes: Limited User, Local Admin, Lateral Movement
Techniques:
 Weak file/service/registry permissions
 Find plaintext passwords in scripts/registry
 Local exploit – win32k, ntvdm…
 Guess/bruteforce local admin password
 Find a system the current user is local admin on
 Internal server-side exploit – SMB, PXE attacks
 Spread links via shares, email; relay NTLM or crack NTLM password
 Shares: DLL preloading, shortcut hijacks…
 Dump local hashes, re-use local admin accounts
LOCAL ADMIN TO DA
[Attack graph; node and edge labels recovered from the figure]
Nodes: Local Admin, Domain Admin
Techniques:
 Hijack active domain logon: dump wdigest/tspkg-cached password
 Hijack active domain logon: steal token/hash/ticket
 Find plain-text password in scripts/registry
 Keylog admin password
 Crack domain cached credentials
 Deobfuscate LSA Secrets, saved passwords
INTERNAL NETWORK/SERVER ATTACKS
[Attack graph; node and edge labels recovered from the figure]
Nodes: Internal Network/Server, Internal Server, Local Admin, Local User, Domain Admin
Techniques:
 Internal server-side exploits, PXE attacks
 Internal web attack, guessed password
 Internal client-side attacks, including ARP poisoning, WPAD
COMBINED
[Attack graph merging the four graphs above; node and edge labels recovered from the figure]
Nodes: Start, Internal Network, Internal Server, Limited User, Local Admin, Lateral Movement, Domain Admin
Initial access: External server attack; Client-side exploit; Social engineering; Physical item drop; Physical access; Supply-chain compromise
Limited user expansion: Weak permissions; Find plaintext passwords; Local exploit; Guess local admin password; Find system current user is local admin on; Internal server-side exploit; Relay/crack NTLM; Attacks through shares; Pass local hashes
Local admin to DA: Dump cached active password; Hijack token, hash, ticket; Find plain-text password; Keylog password; Crack domain cached credentials; Deobfuscate LSA Secrets
Internal network/server: Internal server attacks; Internal client-side attacks
COMMUNICATION
 Direct IPs
 Dynamic DNS/registered domains
 FTP/HTTP/HTTPS…
 DNS exfil
 Shares
 Tor
 USB drives
 Webmail/data sharing sites
 Compromised sites
AIR GAP
 “The only way to completely secure your computer is to
disconnect it from the internet” – UC San Diego
 Still not completely secure, but still the gold standard
 Tight physical/personnel security
 Prevent USB drives (disable USB drivers)
 Everything that cannot be air-gapped: isolate it as much as possible
DEFAULT ALLOW IS EVIL!
 Isolate workstations
• No direct connections out
• Whitelist DNS
• Whitelist HTTP by proxy
• Block social networking/file sharing
• Block inter-workstation/ARP-spoofing
 Isolate servers, admin accounts
• Stricter whitelist out
• DMZ for internet-accessible servers
COMMUNICATION
Attacker channel → Defense
 Direct IPs → Firewall; no direct connections out
 Dynamic DNS/registered domains → Whitelist/categorical block
 FTP/HTTP/HTTPS… → Whitelist/firewall policy
 DNS exfil → DNS whitelist
 Shares → Firewalls/segmentation
 Tor → Firewall/whitelist
 USB drives → USB-disabling, user education
 Webmail/data sharing sites → Categorical block (sorry!)
 Compromised sites → (no defense listed on the slide)
CONTROL THE HOSTS
 Disable common social engineering vectors
• Java
• Office Macros
 Stop privilege escalation
• Automate permissions checks
• Prevent remote local account logins
 Never allow passwords
15 PASSWORD EVILS!
Admins leave passwords in shared drives & scripts
Can be dumped from memory
Can be keylogged
Can be guessed
Everybody reuses them
Hard to remember
15 PASSWORD EVILS!
Social engineering
Passing-the-hash
Pot of gold hash dumps
Easy lockouts or online brute force
NTLM relay
NTLM auth and cached credential offline cracking
Painful post-attack cleanup (reset every password)
NEVER ALLOW PASSWORDS
 Force smart card logon for all users
 Force Kerberos by denying all incoming NTLM
 Deny network, RDP logon to any non-smart card local or service accounts
 For extra credit
• Disable secondary logon service to prevent password-privesc
• Require SMB signing to address MITM attacks
• Set low maximum machine account password age to address computer creds
 Results – solves all 15 problems
NEVER ALLOW PASSWORDS
 Prevents passing-the-hash; hashes are not used
 No hash/private credential database to steal in bulk
 Private keys cannot be stolen, dumped from memory or keylogged
 Can’t re-use, choose bad passwords, or give them to online social engineers
 Don’t need to worry about lockouts or on/offline brute force or NTLM relay
 Admins cannot leave passwords in shared drives or scripts
 Only active logons can be hijacked – temporarily
 Easier on users’ memory and easy to clean up from!
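As an added example (not from the talk), the following PowerShell check audits a host for the settings the two NEVER ALLOW PASSWORDS slides call for: the registry-backed policies for smart card logon, incoming NTLM, LAN Manager authentication level, SMB signing, WDigest caching, cached domain logons and machine account password age, plus the start mode of the Secondary Logon service. The check names and the 7-day machine password threshold are assumptions.

```powershell
# Added example, not from the talk: read-only audit of the registry-backed settings
# behind the "NEVER ALLOW PASSWORDS" slides. Run in an elevated PowerShell session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PasswordlessHardening {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks = @(
        # "Interactive logon: Require smart card"
        @{ Name  = 'Smart card required for interactive logon'
           Value = Get-RegValue $policy 'scforceoption'
           Pass  = { param($v) $v -eq 1 } }
        # "Network security: Restrict NTLM: Incoming NTLM traffic" (2 = deny all accounts)
        @{ Name  = 'Incoming NTLM denied'
           Value = Get-RegValue "$lsa\MSV1_0" 'RestrictReceivingNTLMTraffic'
           Pass  = { param($v) $v -eq 2 } }
        # "Network security: LAN Manager authentication level" (5 = NTLMv2 only, refuse LM and NTLM)
        @{ Name  = 'LM/NTLMv1 refused'
           Value = Get-RegValue $lsa 'LmCompatibilityLevel'
           Pass  = { param($v) $v -eq 5 } }
        # "Microsoft network server/client: Digitally sign communications (always)"
        @{ Name  = 'SMB signing required (server)'
           Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
           Pass  = { param($v) $v -eq 1 } }
        @{ Name  = 'SMB signing required (client)'
           Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
           Pass  = { param($v) $v -eq 1 } }
        # WDigest keeps a plaintext copy of the logon password in LSASS unless this is 0.
        # The default differs between Windows versions, so an unset value is reported as FAIL.
        @{ Name  = 'WDigest plaintext caching off'
           Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
           Pass  = { param($v) $v -eq 0 } }
        # Cached domain logons are what "crack domain cached credentials" targets (REG_SZ count)
        @{ Name  = 'Cached domain logons disabled'
           Value = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
           Pass  = { param($v) "$v" -eq '0' } }
        # Machine account password age in days; the slide says "low", 7 is an assumed threshold
        @{ Name  = 'Machine account password age <= 7 days'
           Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'MaximumPasswordAge'
           Pass  = { param($v) ($null -ne $v) -and ([int]$v -le 7) } }
    )
    # The Secondary Logon service (seclogon) is what RUNAS uses; the slide says disable it
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    $checks += @{ Name  = 'Secondary Logon service disabled'
                  Value = if ($svc) { $svc.StartMode } else { 'not installed' }
                  Pass  = { param($v) $v -in @('Disabled', 'not installed') } }

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check  = $c.Name
            Value  = if ($null -eq $c.Value) { '(not set)' } else { $c.Value }
            Status = if (& $c.Pass $c.Value) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-PasswordlessHardening | Format-Table -AutoSize
```

Smart card enforcement on domain accounts is set per account in Active Directory rather than in the local registry, so the first row only covers the local interactive logon policy.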
MANDATORY SMART CARD, KERBEROS
[The combined attack graph from the COMBINED slide is repeated under this heading]
SECURID EVILS!
 RSA server holds all passwords and seeds
 On login, password is given to Windows; everything else is the same
 Hash, pass can be dumped from memory
 Social engineering (MITM - time limited)
 Passing-the-hash
 Pot of gold - hash dumps, passwords, seeds
 NTLM relay
 Very painful post-compromise cleanup (replace all tokens)
 Does fix user-chosen or re-used passwords
ISOLATING ADMINS
 Assign dedicated admin workstations
 Restrict inbound workstation connections to remote admin sources
 Block admin accounts from internet and email
 Restrict privileged accounts from authenticating to lower trust systems
 Mark privileged accounts as “sensitive and cannot be delegated”
 Use remote management tools that do not place reusable credentials on a
remote computer's memory
REMOTE MANAGEMENT
Stealable (places reusable credentials in the remote computer's memory):
 Remote desktop
 Console physical logon
 Batch logon (scheduled tasks when not S4U)
 Service logon
 NetworkClearText/Basic authentication
 RUNAS
 Powershell WinRM with -Authentication Credssp or -Credential
Non-stealable (use these instead):
 Net use/file shares
 Remote registry
 Remote service control manager
 MMC snap-ins
 Powershell WinRM without -Authentication Credssp or -Credential
 Psexec without explicit creds
 IIS integrated Windows authentication
 Intel AMT with Kerberos
REMOTE MANAGEMENT
[The stealable / non-stealable table from the previous slide is shown again]
No remote desktop? But wait! There is another way!
 Secure RDP with temporary account
[Video]
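An added example, not from the talk: a PowerShell check that flags privileged accounts appearing in Security event 4624 with a logon type from the stealable column (interactive, batch, service, network-cleartext, new-credentials, remote interactive), as opposed to the network logon (type 3) that the non-stealable tools produce. The privileged account names and the sample records are constructed; Get-LogonEvents builds the same records from the local Security log.

```powershell
# Added example, not from the talk: flag privileged accounts whose logons were of a
# "stealable" type, i.e. one that leaves reusable credentials in LSASS on the target.
# The LogonType numbers are the standard Security event 4624 values; the admin list and
# the sample records are constructed.

# Left column of the slide, as 4624 LogonType values. Type 3 (Network) is the logon that
# the right-column tools produce and is deliberately absent.
$StealableLogonTypes = @{
    2  = 'Interactive: console logon or RUNAS'
    4  = 'Batch: scheduled task run with stored credentials (not S4U)'
    5  = 'Service: service account logon'
    8  = 'NetworkCleartext: Basic authentication'
    9  = 'NewCredentials: RUNAS /netonly'
    10 = 'RemoteInteractive: Remote Desktop'
}

function Find-StealableAdminLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,        # TimeCreated, TargetUser, LogonType, Workstation
        [Parameter(Mandatory)] [string[]] $PrivilegedAccounts
    )
    foreach ($e in $Events) {
        if ($PrivilegedAccounts -notcontains $e.TargetUser) { continue }
        $type = [int]$e.LogonType
        if (-not $StealableLogonTypes.ContainsKey($type)) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $e.TargetUser
            LogonType = $type
            Why       = $StealableLogonTypes[$type]
            Source    = $e.Workstation   # WorkstationName = where the logon came from
        }
    }
}

# Reads real 4624 events from the local Security log into the same shape as the sample.
function Get-LogonEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                TargetUser  = $d['TargetUserName']
                LogonType   = [int]$d['LogonType']
                Workstation = $d['WorkstationName']
            }
        }
}

# Constructed sample: a domain admin with one network logon and one Remote Desktop logon,
# a normal user at the console, and a service account starting a service
$sample = @(
    [pscustomobject]@{ TimeCreated = '2013-04-04 09:01'; TargetUser = 'da-weeks';   LogonType = 3;  Workstation = 'ADMIN-WS01' }
    [pscustomobject]@{ TimeCreated = '2013-04-04 09:05'; TargetUser = 'da-weeks';   LogonType = 10; Workstation = 'ADMIN-WS01' }
    [pscustomobject]@{ TimeCreated = '2013-04-04 09:07'; TargetUser = 'jsmith';     LogonType = 2;  Workstation = 'WS-0451' }
    [pscustomobject]@{ TimeCreated = '2013-04-04 09:12'; TargetUser = 'svc-backup'; LogonType = 5;  Workstation = 'FILESRV02' }
)
Find-StealableAdminLogons -Events $sample -PrivilegedAccounts @('da-weeks', 'svc-backup') |
    Format-Table -AutoSize
```

Replace `$sample` with `Get-LogonEvents` on a server to see which of your admin accounts are leaving credentials on it; WinRM with CredSSP cannot be told apart by logon type alone and needs the WinRM logs instead.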
EXPLOITS
 “The bottom line is the way that we keep people out ... I don't care
who hacks my system if they can't get in - let's make it hard for them to
get in. And the way you do that is by eliminating software
vulnerabilities” – a well-known exploit developer
 “Too much of the debate begins and ends with the perpetrators and
the victims of cyberattacks, and not enough is focused on the real
problem: the insecure software or technology that allows such attacks
to succeed.” – New York Times Op-Ed, 4 April 2013
IF EXPLOITS NEVER EXISTED
[The combined attack graph from the COMBINED slide is repeated under this heading]
FIGHTING EXPLOITS
 Secure webapps
• Write security into contract for custom apps
• Do not accept source-code-less apps without audit
• Scan/bugfix regularly
 Force exploit mitigations
• Mandatory DEP, ASLR
• EMET SEHOP…
 Patch in priority
 Put vulnerable apps in VM isolation
VM ISOLATION
 Virtual Machines > other sandboxes
• Hypervisor attack surface < kernel attack surface
• VM escapes have required guest LPE first; added barrier
 Implementation:
• Commercial – Bromium/Invincea
• Free - Qubes
• VMware view client
• Citrix
• Roll-your-own with hypervisor/VNC
VM ISOLATION
 Requirements
• Restrict network access
• Prevent host code execution
• Deny access to sensitive host files
 Document VM with no internet access
• PDF reader, Office
• Stops exploits and social engineering
 Browser VM
• Stronger sandbox
• VM needs internet access
 Demo
VM ISOLATION
[The combined attack graph from the COMBINED slide is repeated under this heading]
FILE SHARES ARE EVIL!
 Executable planting
 DLL Preloading
 Shortcut hijacking
 Script infecting
 Do not use open Windows shares
 Use a CMS
 Disable WebDAV
 Per-user home drives still OK
 Admin-writable-only drives still OK
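An added example (not from the talk) for the share rules on this slide: a PowerShell check that lists non-administrative SMB shares whose share-level permissions grant Change or Full to broad groups, which is what makes a share "open", while per-user home drives and admin-writable-only shares pass. It needs the SmbShare module (Windows 8 / Server 2012 and later), and the list of broad principals is an assumption.

```powershell
# Added example, not from the talk: list SMB shares on this host that are writable by
# broad groups, i.e. the "open Windows shares" the slide says not to use. Needs the
# SmbShare module (Windows 8 / Server 2012 and later). The broad-principal list is an
# assumption; adjust it for your domain's group names.

$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
# Matched by suffix because the domain NetBIOS name prefix varies
$BroadSuffixes   = @('\Domain Users', '\Domain Computers')

function Test-BroadPrincipal {
    param([string]$Account)
    if ($BroadPrincipals -contains $Account) { return $true }
    foreach ($s in $BroadSuffixes) {
        if ($Account.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-OpenShares {
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$); they are not "open"
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        # Share-level ACL: Change or Full granted to a broad group makes it writable by all
        $writers = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.AccessRight -in @('Change', 'Full')) -and
            (Test-BroadPrincipal $_.AccountName)
        }
        if ($writers) {
            [pscustomobject]@{
                Share  = $share.Name
                Path   = $share.Path
                OpenTo = ($writers.AccountName -join ', ')
            }
        }
    }
}

Find-OpenShares | Format-Table -AutoSize
```

Share permissions are only half the picture: NTFS permissions on the path also apply, so a reported share still needs its folder ACL checked before it is called open. A share that grants broad groups Read only does not appear, since planting an executable or shortcut there requires write access.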
CODE WHITELISTING
 Effective against some exploits, much malware, persistence
 Bit9/Kaspersky/AppLocker… whitelists
 Lock down powershell
 Whitelist vbscript/javascript
 Whitelist batch scripts
 Whitelist Java
 Block VBA macros
SUMMARY
Air-gap what you can
Whitelist everything
Kill passwords & NTLM; use smart cards/kerberos
Use strong mitigations
Put your programs in isolated VM’s
Don’t use Windows shared folders
THE END
[The combined attack graph from the COMBINED slide is repeated under this heading]
QUESTIONS
