THE INFOSEC REVIVAL
Why owning a typical network is so easy, and how to build a secure one
Matt Weeks
scriptjunkie.us · @scriptjunkie1
OUTLINE
 The Evil That Threatens Us
 Network Defenses
 Host Defenses
THE EVIL THAT THREATENS US
Network Intrusion Playbook
LEVELS OF ACCESS
• Limited User
• Local Admin
• Lateral Movement
• Domain Admin
• Internal Network
• Internal Server
INITIAL ACCESS (attack-path diagram, starting from the Start node)
Entry vectors shown:
• External Server Exploit: Web/SQLi/password
• Client-side Exploit: Java, PDF, Office, Browser
• Social Engineering via Email/Browser
• Physical Items: Thumb Drives/CDs autorun/link/EXE, HID-spoofing USB Devices
• Physical Access
• Supply-chain Compromise
Access nodes shown: Internal Network, Internal Server, Limited User, Local Admin
LIMITED USER EXPANSION
LimitedUser
Weak
file/service/registry
permissions
Find plaintext passwords
in scripts/registry
Local Admin
Local exploit – win32k,
ntvdm…
Guess/Bruteforce local
admin password
Find system current user is
local admin on
Internal server-side exploit
– SMB, PXE attacks
Lateral Movement
Spread links via shares,
email; Relay NTLM or
crack NTLM password
Shares: DLL preloading,
shortcut hijacks…
Dump local hashes, re-
use local admin
accounts
LOCAL ADMIN TO DA (attack-path diagram, from Local Admin to Domain Admin)
• Hijack active domain logon: dump wdigest/tspkg-cached password
• Hijack active domain logon: steal token/hash/ticket
• Find plain-text password in scripts/registry
• Keylog admin password
• Crack domain cached credentials
• Deobfuscate LSA Secrets, saved passwords
INTERNAL NETWORK/SERVER ATTACKS (attack-path diagram, from Internal Network/Server)
Techniques shown:
• Internal server-side exploits, PXE attacks
• Internal web attack, guessed password
• Internal client-side attacks, including ARP poisoning, WPAD
Access nodes shown: Local Admin, Internal Server, Local User, Domain Admin
COMBINED (the four diagrams above joined into one attack graph; nodes in the order they appear on the slide)
Initial access: Start; External Server Attack; Internal Network; Internal Server; Client-side Exploit; Social Engineering; Limited User; Physical Item Drop; Physical Access; Supply-chain Compromise
Limited user expansion: Weak permissions; Find plaintext passwords; Local Admin; Local exploit; Guess local admin password; Find system current user is local admin on; Internal server-side exploit; Lateral Movement; Relay/crack NTLM; Attacks through shares; Pass local hashes
Local admin to DA: Dump cached active password; Hijack token, hash, ticket; Find plain-text password; Keylog password; Crack domain cached credentials; Deobfuscate LSA Secrets; Domain Admin
Internal network/server: Internal Server Attacks; Internal Client-side Attacks
COMMUNICATION
 Direct IPs
 Dynamic DNS/registered domains
 FTP/HTTP/HTTPS…
 DNS exfil
 Shares
 Tor
 USB drives
 Webmail/data sharing sites
 Compromised sites
AIR GAP
 “The only way to completely secure your computer is to
disconnect it from the internet” – UC San Diego
 Still not completely secure, but still the gold standard
 Tight physical/personnel security
 Prevent USB drives (disable USB drivers)
 Everything without air-gap, isolate as much as possible
DEFAULT ALLOW IS EVIL!
 Isolate workstations
• No direct connections out
• Whitelist DNS
• Whitelist HTTP by proxy
• Block social networking/file sharing
• Block inter-workstation/ARP-spoofing
 Isolate servers, admin accounts
• Stricter whitelist out
• DMZ for internet-accessible servers
COMMUNICATION (channel → defense)
 Direct IPs → Firewall; no direct connections out
 Dynamic DNS/registered domains → Whitelist/categorical block
 FTP/HTTP/HTTPS… → Whitelist/firewall policy
 DNS exfil → DNS whitelist
 Shares → Firewalls/segmentation
 Tor → Firewall/Whitelist
 USB drives → USB-disabling, user education
 Webmail/data sharing sites → Categorical block (sorry!)
 Compromised sites → (blank on the slide)
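The AIR GAP, DEFAULT ALLOW IS EVIL and COMMUNICATION slides describe one workstation policy: default-deny in both directions, DNS only to internal resolvers, web only through the proxy, no workstation-to-workstation traffic, inbound only from admin sources, and no USB storage. The following is an added example of that policy expressed with the built-in Windows firewall cmdlets and the USBSTOR service key; it is not code from the slides or their author, and every address, port and subnet in it is an assumption.

```powershell
# Added example (not from the slides): Windows workstation isolation with the
# built-in firewall and the USB storage driver. All addresses are assumptions.
#Requires -RunAsAdministrator

$DomainControllers = @('10.0.0.10', '10.0.0.11')  # assumed DCs; also the DNS resolvers
$WebProxy          = '10.0.0.20'                  # assumed outbound HTTP/HTTPS proxy
$WebProxyPort      = 3128
$WorkstationNets   = @('10.10.0.0/16')            # assumed workstation subnets
$AdminJumpHosts    = @('10.0.1.5')                # assumed remote-admin sources

# 1. Default-deny both directions on every profile; only explicit Allow rules remain.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. The stock "Core Networking" DNS rule allows UDP/53 to anywhere, which defeats a
#    DNS whitelist (and lets DNS exfil through). Disable it and allow only our resolvers.
Disable-NetFirewallRule -DisplayName 'Core Networking - DNS (UDP-Out)' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'Whitelist DNS to internal resolvers' -Direction Outbound `
    -Protocol UDP -RemoteAddress $DomainControllers -RemotePort 53 -Action Allow

# 3. Domain-joined hosts need Kerberos/LDAP/SMB/RPC to the DCs; allow the DCs only.
New-NetFirewallRule -DisplayName 'Domain services to DCs only' -Direction Outbound `
    -RemoteAddress $DomainControllers -Action Allow

# 4. Web traffic only via the proxy, so direct IPs, dynamic DNS hosts and Tor have no path.
New-NetFirewallRule -DisplayName 'HTTP/HTTPS via proxy only' -Direction Outbound `
    -Protocol TCP -RemoteAddress $WebProxy -RemotePort $WebProxyPort -Action Allow

# 5. Inbound: only the admin jump hosts may reach the workstation (WinRM shown).
New-NetFirewallRule -DisplayName 'Admin WinRM from jump hosts' -Direction Inbound `
    -Protocol TCP -LocalPort 5985 -RemoteAddress $AdminJumpHosts -Action Allow

# 6. Explicit Block rules for workstation subnets; Block wins over any later Allow rule,
#    so a stray rule cannot reopen inter-workstation traffic.
New-NetFirewallRule -DisplayName 'Block inter-workstation (in)'  -Direction Inbound `
    -RemoteAddress $WorkstationNets -Action Block
New-NetFirewallRule -DisplayName 'Block inter-workstation (out)' -Direction Outbound `
    -RemoteAddress $WorkstationNets -Action Block

# 7. USB drives: stop the mass-storage driver from loading at all (Start 4 = disabled).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4

# Verify the defaults took effect.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

The remaining stock "Core Networking" rules (DHCP, ICMP, IPv6 housekeeping) stay enabled, which is what keeps the host bootable; review them against the same whitelist principle. In production these settings belong in Group Policy so a local administrator cannot relax them.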
CONTROL THE HOSTS
 Disable common social engineering vectors
• Java
• Office Macros
 Stop privilege escalation
• Automate permissions checks
• Prevent remote local account logins
 Never allow passwords
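"Automate permissions checks" targets the weak file/service permissions that the LIMITED USER EXPANSION diagram turns into Local Admin. The following is an added example of such a check, not code from the slides: it walks every installed service, resolves its executable and reports binaries that a low-privilege principal is allowed to modify. The principal list is an assumption to be extended with local groups of your own.

```powershell
# Added example (not from the slides): find services whose binary can be replaced by
# low-privilege users. Run elevated so all service paths and ACLs are readable.

# Principals every limited user is a member of (assumed starting list).
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests'
)
# Rights that let a caller alter or replace the file. "Write" covers WriteData/AppendData
# and is a subset of Modify and FullControl, so a bitwise test catches those too;
# 0x40000000/0x10000000 are GENERIC_WRITE/GENERIC_ALL, seen in some inherited ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write,TakeOwnership,ChangePermissions' `
             -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName is either "C:\Program Files\x\svc.exe" -args (quoted) or an unquoted
    # path that may contain spaces followed by arguments; -match is case-insensitive.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-WeakServicePermissions {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        try { $acl = Get-Acl -LiteralPath $exe } catch { continue }
        foreach ($rule in $acl.Access) {
            $who = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $who -and
                (([int]$rule.FileSystemRights) -band $WriteMask) -ne 0) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName      # the account an attacker would gain
                    Binary    = $exe
                    Principal = $who
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}

Test-WeakServicePermissions | Format-Table -AutoSize
```

Any hit where RunsAs is LocalSystem or a privileged account is a direct limited-user-to-local-admin path; remediate by restoring an administrators-only ACL on the binary's directory. Schedule the script across the fleet and diff its output, since vendor installers reintroduce this class of defect with every update.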
15 PASSWORD EVILS!
Admins leave passwords in shared drives & scripts
Can be dumped from memory
Can be keylogged
Can be guessed
Everybody reuses them
Hard to remember
15 PASSWORD EVILS!
Social engineering
Passing-the-hash
Pot of gold hash dumps
Easy lockouts or online brute force
NTLM relay
NTLM auth and cached credential offline cracking
Painful post-attack cleanup (reset every password)
NEVER ALLOW PASSWORDS
 Force smart card logon for all users
 Force Kerberos by denying all incoming NTLM
 Deny network, RDP logon to any non-smart card local or service accounts
 For extra credit
• Disable secondary logon service to prevent password-privesc
• Require SMB signing to address MITM attacks
• Set low maximum machine account password age to address computer creds
 Results – solves all 15 problems
NEVER ALLOW PASSWORDS
 Prevents passing-the-hash; hashes are not used
 No hash/private credential database to steal in bulk
 Private keys cannot be stolen, dumped from memory or keylogged
 Can’t re-use, choose bad passwords, or give them to online social engineers
 Don’t need to worry about lockouts or on/offline brute force or NTLM relay
 Admins cannot leave passwords in shared drives or scripts
 Only active logons can be hijacked – temporarily
 Easier on users’ memory and easy to clean up from!
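The NEVER ALLOW PASSWORDS steps are all concrete Windows settings. The following is an added example that applies them with the ActiveDirectory module and the registry, not code from the slides or their author; the break-glass account name is an assumption, and in a real deployment the host-side values would be delivered by Group Policy rather than run per machine.

```powershell
# Added example (not from the slides): settings behind "Never allow passwords".
#Requires -RunAsAdministrator
Import-Module ActiveDirectory   # RSAT module; provides Get-ADUser / Set-ADUser

# 1. Force smart card logon for every enabled user except the emergency account.
#    Setting the flag makes the DC assign the account a random password.
Get-ADUser -Filter 'Enabled -eq $true' -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Where-Object SamAccountName -ne 'breakglass' |      # assumed break-glass account
    Set-ADUser -SmartcardLogonRequired $true

# 2. Deny all NTLM in both directions so only Kerberos remains.
#    (Set both values to 1 first to audit which systems still depend on NTLM.)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord  # 2 = deny all accounts
Set-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic   -Value 2 -Type DWord  # 2 = deny all
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord                   # refuse LM/NTLMv1 anyway

# 3. Extra credit: no secondary logon (runas), mandatory SMB signing, short machine
#    account password age (days; Windows default is 30).
Set-Service -Name seclogon -StartupType Disabled
Stop-Service -Name seclogon -ErrorAction SilentlyContinue
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name RequireSecuritySignature -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -Name RequireSecuritySignature -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name MaximumPasswordAge -Value 7 -Type DWord

# 4. Accounts that still authenticate with a password: these are the candidates for the
#    "deny network and RDP logon" rights assignment on every host.
function Get-PasswordOnlyAccounts {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties SmartcardLogonRequired |
        Where-Object { -not $_.SmartcardLogonRequired } |
        Select-Object SamAccountName, DistinguishedName
}
Get-PasswordOnlyAccounts | Format-Table -AutoSize
```

Two practitioner caveats: a smart-card-required account still has an NT hash (random, but present), so the NTLM denial in step 2 is what actually removes it from play; and service accounts cannot use smart cards, which is why the slide confines them with deny-logon rights rather than converting them.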
MANDATORY SMART CARD, KERBEROS
(Diagram: the COMBINED attack graph, repeated on this slide.)
SECURID EVILS!
 RSA server holds all passwords and seeds
 On login, password is given to Windows; everything else is the same
 Hash, pass can be dumped from memory
 Social engineering (MITM - time limited)
 Passing-the-hash
 Pot of gold - hash dumps, passwords, seeds
 NTLM relay
 Very painful post-compromise cleanup (replace all tokens)
 Does fix user-chosen or re-used passwords
ISOLATING ADMINS
 Assign dedicated admin workstations
 Restrict inbound workstation connections to remote admin sources
 Block admin accounts from internet and email
 Restrict privileged accounts from authenticating to lower trust systems
 Mark privileged accounts as “sensitive and cannot be delegated”
 Use remote management tools that do not place reusable credentials on a
remote computer's memory
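The account-side controls on the ISOLATING ADMINS slide ("sensitive and cannot be delegated", no authentication to lower-trust systems) and the "prevent remote local account logins" item from CONTROL THE HOSTS are both user-rights and AD-attribute changes. The following is an added example of them, not code from the slides; the group name Tier0-Admins is an assumption, and the deny-logon template is meant for lower-trust hosts only (applying it on the admins' own workstations would lock them out).

```powershell
# Added example (not from the slides): AD flags plus a security template that denies
# privileged accounts and local accounts the logon types that expose credentials.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$AdminGroup = 'Tier0-Admins'   # assumed name of the privileged-accounts group

# 1. Privileged accounts: cannot be delegated, smart card required, and members of the
#    built-in Protected Users group (2012 R2+: no NTLM, no delegation, no cached creds).
$admins = Get-ADGroupMember -Identity $AdminGroup -Recursive | Where-Object objectClass -eq 'user'
$admins | Set-ADUser -AccountNotDelegated $true -SmartcardLogonRequired $true
Add-ADGroupMember -Identity 'Protected Users' -Members $admins

# 2. Lower-trust systems: deny the admin group every logon type, and deny network and
#    RDP logon to all local accounts (well-known SID S-1-5-113 = "Local account"), so a
#    local admin password from one host cannot be re-used against the rest.
$sid = (Get-ADGroup -Identity $AdminGroup).SID.Value
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *{SID},*S-1-5-113
SeDenyRemoteInteractiveLogonRight = *{SID},*S-1-5-113
SeDenyInteractiveLogonRight = *{SID}
SeDenyBatchLogonRight = *{SID}
SeDenyServiceLogonRight = *{SID}
'@
$template = $template.Replace('{SID}', $sid)
$inf = Join-Path $env:TEMP 'deny-tier0.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode
secedit.exe /configure /db "$env:TEMP\deny-tier0.sdb" /cfg $inf /areas USER_RIGHTS /quiet

# 3. Verify: export the effective rights and show the deny entries.
secedit.exe /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\rights.inf" -Pattern '^SeDeny'
```

The same [Privilege Rights] entries map one-to-one onto the "Deny log on ..." settings under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, which is where they should live for a whole tier of machines.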
REMOTE MANAGEMENT
Stealable (logon places reusable credentials in the remote computer's memory):
 Remote desktop
 Console physical logon
 Batch logon (scheduled tasks when not S4U)
 Service logon
 NetworkClearText/Basic authentication
 RUNAS
 Powershell WinRM with -Authentication Credssp or -Credential
Non-stealable (use these instead):
 Net use/file shares
 Remote registry
 Remote service control manager
 MMC snap-ins
 Powershell WinRM without -Authentication Credssp or -Credential
 Psexec without explicit creds
 IIS integrated Windows authentication
 Intel AMT with Kerberos
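The stealable/non-stealable split in the REMOTE MANAGEMENT table corresponds to the LogonType field of Security event 4624: the non-stealable tools all produce type 3 (Network) logons, while the stealable ones produce interactive, batch, service, cleartext, new-credentials or RDP types. The following is an added detection example, not code from the slides: it reads the local Security log and reports privileged accounts that logged on with a credential-exposing type. The account names are assumptions.

```powershell
# Added example (not from the slides): flag privileged-account logons whose type leaves
# reusable credentials on this host. Run on hosts where admins should never log on.

$PrivilegedAccounts = @('da-alice', 'da-bob')   # assumed tier-0 account names

# Logon types that place a password, hash or TGT in LSASS on the target host.
$StealableLogonTypes = @{
    2  = 'Interactive (console)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    8  = 'NetworkCleartext (Basic auth)'
    9  = 'NewCredentials (runas /netonly, CredSSP)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}
# Type 3 (Network: net use, remote registry/SCM, MMC, WinRM without CredSSP, PsExec
# without explicit creds) is the non-stealable column and is deliberately absent.

function Get-StealableAdminLogons([datetime]$Since = (Get-Date).AddDays(-1)) {
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data>; fold it into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [int]$d['LogonType']
        if ($PrivilegedAccounts -contains $d['TargetUserName'] -and
            $StealableLogonTypes.ContainsKey($type)) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = "$type ($($StealableLogonTypes[$type]))"
                Source    = $d['IpAddress']
                Process   = $d['ProcessName']
            }
        }
    }
}

Get-StealableAdminLogons | Sort-Object Time | Format-Table -AutoSize
```

Every row is an admin whose credentials were, at least temporarily, exposed on a host they should have managed over a network logon instead. Feed the same logic to the SIEM from forwarded 4624 events rather than running it per host, and treat a hit on a user workstation as an incident trigger, not a policy reminder.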
No remote desktop?
But wait!
There is another way!
Secure RDP with temporary account
Video
EXPLOITS
 “The bottom line is the way that we keep people out ... I don't care
who hacks my system if they can't get in - let's make it hard for them to
get in. And the way you do that is by eliminating software
vulnerabilities” – a well-known exploit developer
 “Too much of the debate begins and ends with the perpetrators and
the victims of cyberattacks, and not enough is focused on the real
problem: the insecure software or technology that allows such attacks
to succeed.” – New York Times Op-Ed, 4 April 2013
IF EXPLOITS NEVER EXISTED
(Diagram: the COMBINED attack graph, repeated on this slide.)
FIGHTING EXPLOITS
 Secure webapps
• Write security into contract for custom apps
• Do not accept source-code-less apps without audit
• Scan/bugfix regularly
 Force exploit mitigations
• Mandatory DEP, ASLR
• EMET, SEHOP…
 Patch in priority
 Put vulnerable apps in VM isolation
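"Force exploit mitigations" names DEP, ASLR, SEHOP and EMET. The following is an added example of turning those on system-wide, not code from the slides; EMET has since been retired, so it assumes Windows 10 1709 or later, where the same settings are exposed through the ProcessMitigation cmdlets, and the per-application process names are assumptions.

```powershell
# Added example (not from the slides): mandatory exploit mitigations on Windows 10 1709+.
#Requires -RunAsAdministrator

# 1. DEP for every process with no opt-out; overrides per-process "AlwaysOff" requests.
bcdedit.exe /set '{current}' nx AlwaysOn

# 2. System defaults: DEP, SEHOP, mandatory ASLR (ForceRelocateImages rebases images that
#    were built without /DYNAMICBASE), bottom-up and high-entropy randomisation.
Set-ProcessMitigation -System -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, HighEntropy

# 3. Stricter per-process settings for the document and browser apps the slides single
#    out as exploit targets (process names are assumptions for the apps in use).
$targets = 'AcroRd32.exe', 'WINWORD.EXE', 'EXCEL.EXE', 'java.exe', 'javaw.exe'
foreach ($app in $targets) {
    Set-ProcessMitigation -Name $app -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, `
        HighEntropy, DisableExtensionPoints
}

# 4. Verify the system-wide state.
Get-ProcessMitigation -System
```

Mandatory ASLR and DisableExtensionPoints are the two settings most likely to break legacy or shimmed applications, so roll them out per application first and watch for crashes before promoting them to the system default. A reboot is required for the bcdedit change.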
VM ISOLATION
 Virtual Machines > other sandboxes
• Hypervisor attack surface < kernel attack surface
• VM escapes have required guest LPE first; added barrier
 Implementation:
• Commercial – Bromium/Invincea
• Free - Qubes
• VMware view client
• Citrix
• Roll-your-own with hypervisor/VNC
VM ISOLATION
 Requirements
• Restrict network access
• Prevent host code execution
• Deny access to sensitive host files
 Document VM with no internet access
• PDF reader, Office
• Stops exploits and social engineering
 Browser VM
• Stronger sandbox
• VM needs internet access
 Demo
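The VM ISOLATION requirements (restrict network access, deny access to sensitive host files) map onto a few hypervisor settings. The following is an added example of the "roll-your-own" option on Hyper-V, not code from the slides or their author: a document VM with no network adapter and no guest-to-host file path, plus a host-side check for VMs that drift from that state. The VM name, disk path and sizes are assumptions.

```powershell
# Added example (not from the slides): an isolated "document VM" on Hyper-V.
#Requires -RunAsAdministrator

$VmName  = 'DocVM'               # assumed
$VhdPath = 'D:\VMs\DocVM.vhdx'   # assumed

# 1. Create the VM, then remove the default network adapter so it has no network at all.
#    Generation 2 gives Secure Boot; the PDF reader and Office go inside this VM.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 2GB `
    -NewVHDPath $VhdPath -NewVHDSizeBytes 40GB
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter

# 2. Deny the guest any path to host files: no guest-services file copy, and no enhanced
#    session mode (which would redirect clipboard and host drives into the guest).
Disable-VMIntegrationService -VMName $VmName -Name 'Guest Service Interface'
Set-VMHost -EnableEnhancedSessionMode $false

# 3. Browser VM variant: it needs internet, so attach it to a switch the host firewall
#    restricts to the web proxy only (switch name assumed).
# Add-VMNetworkAdapter -VMName 'BrowserVM' -SwitchName 'Proxy-Only'

# 4. Host-side drift check: any VM that regained an adapter or guest services.
function Get-VmIsolationState {
    foreach ($vm in Get-VM) {
        [pscustomobject]@{
            VM            = $vm.Name
            Adapters      = (Get-VMNetworkAdapter -VMName $vm.Name | Measure-Object).Count
            GuestServices = (Get-VMIntegrationService -VMName $vm.Name `
                              -Name 'Guest Service Interface').Enabled
        }
    }
}
Get-VmIsolationState | Format-Table -AutoSize
```

Documents enter the VM through a read-only share or a one-way copy the host initiates, never the other way round; the point of the design is that a successful PDF or Office exploit ends inside a guest with nothing to reach.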
VM ISOLATION
(Diagram: the COMBINED attack graph, repeated on this slide.)
FILE SHARES ARE EVIL!
 Executable planting
 DLL Preloading
 Shortcut hijacking
 Script infecting
 Do not use open Windows shares
 Use a CMS
 Disable WebDAV
 Per-user home drives still OK
 Admin-writable-only drives still OK
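Executable planting, DLL preloading and shortcut hijacking all need the same precondition: a share that many users can write to and others read from. The following is an added audit example, not code from the slides: it lists non-administrative shares where a broad group holds effective write (share-level Change/Full and NTFS write), which leaves per-user home drives and admin-writable-only drives out of the report as the slide allows, and disables the WebDAV client. The principal list is an assumption.

```powershell
# Added example (not from the slides): find open writable SMB shares; disable WebDAV.
#Requires -RunAsAdministrator

# Groups that every ordinary user belongs to (assumed starting list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE')
$NtfsWrite = [int][System.Security.AccessControl.FileSystemRights]::Write   # WriteData|AppendData|...

function Get-OpenWritableShares {
    # Special = $true marks the admin shares (C$, ADMIN$, IPC$); skip them.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }) {
        # Effective access is the intersection of the share ACL and the NTFS ACL,
        # so a share is only "open writable" if a broad group is allowed in both.
        $shareWriters = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            $BroadPrincipals -contains $_.AccountName
        }
        if (-not $shareWriters) { continue }
        $ntfsWriters = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $NtfsWrite) -ne 0
        }
        if ($ntfsWriters) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                ShareWrite = ($shareWriters.AccountName -join ', ')
                NtfsWrite  = ($ntfsWriters.IdentityReference.Value -join ', ')
            }
        }
    }
}

Get-OpenWritableShares | Format-Table -AutoSize

# WebDAV client: the WebClient service is what turns a UNC/HTTP path into a file share.
Set-Service -Name WebClient -StartupType Disabled
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
```

For each share reported, the fix the slide prescribes is to move the content into a CMS or to an admin-writable-only location; where a share must stay, reduce the broad group to Read at the share level (Grant-SmbShareAccess -AccessRight Read) so the NTFS ACL no longer matters.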
CODE WHITELISTING
 Effective against some exploits, much malware, persistence
 Bit9/Kaspersky/AppLocker… whitelists
 Lock down powershell
 Whitelist vbscript/javascript
 Whitelist batch scripts
 Whitelist Java
 Block VBA macros
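The CODE WHITELISTING slide lists AppLocker among the whitelist options and calls for PowerShell, script and Java lockdown plus blocked VBA macros. The following is an added example of a starting AppLocker policy built from the trusted install roots, applied in audit mode first, together with the Office macro policy; it is not code from the slides or their author. The policy output path and the Office version key (16.0) are assumptions.

```powershell
# Added example (not from the slides): baseline AppLocker whitelist and VBA macro block.
#Requires -RunAsAdministrator

# 1. Build rules: publisher rules where files are signed, hash rules otherwise, for
#    EXE/DLL/script/MSI files under the trusted roots. Once enforced, everything else
#    is denied, which covers vbscript, jscript, batch and PowerShell scripts too
#    (unsigned PowerShell then runs in Constrained Language Mode).
$trustedRoots = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $trustedRoots) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}
$policyPath = 'C:\Policies\applocker-baseline.xml'   # assumed
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize `
    -IgnoreMissingFileInformation -Xml | Set-Content -Path $policyPath

# 2. Start every rule collection in AuditOnly so the AppLocker event log shows what
#    would be blocked; switch the attribute to "Enabled" once the list is clean.
(Get-Content $policyPath) -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $policyPath

# 3. Dry run against what is running right now: anything denied here is either
#    unwhitelisted software or a rule gap to fix before enforcement.
$running = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $running -User Everyone `
    -Filter Denied, DeniedByDefault | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally (use -Ldap to write the XML into a GPO instead). AppLocker only
#    works when the Application Identity service is running.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Block VBA macros: VBAWarnings 4 = "Disable all without notification".
#    16.0 is Office 2016 and later (15.0 for Office 2013); deploy the policy key via GPO.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
}
```

Scanning C:\Windows recursively takes a while; the -Optimize flag collapses the result to one publisher rule per signer, which is what keeps the policy maintainable. Path rules are deliberately not generated: a path rule on a user-writable directory is the whitelist bypass the FILE SHARES slide warns about.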
SUMMARY
Air-gap what you can
Whitelist everything
Kill passwords & NTLM; use smart cards/kerberos
Use strong mitigations
Put your programs in isolated VMs
Don’t use Windows shared folders
THE END
(Diagram: the COMBINED attack graph, repeated on this slide.)
QUESTIONS

What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

The Infosec Revival

  • 1. THE INFOSEC REVIVAL
    Why owning a typical network is so easy, and how to build a secure one
    Matt Weeks, scriptjunkie.us · @scriptjunkie1
  • 2. OUTLINE
    • The Evil That Threatens Us
    • Network Defenses
    • Host Defenses
  • 3. THE EVIL THAT THREATENS US: Network Intrusion Playbook
  • 4. LEVELS OF ACCESS
    • Limited User
    • Local Admin
    • Lateral Movement
    • Domain Admin
    • Internal Network
    • Internal Server
  • 5. INITIAL ACCESS
    [Diagram: attack paths to initial access. Nodes: Start; External Server Exploit: Web/SQLi/password; Internal Network; Internal Server; Client-side Exploit: Java, PDF, Office, Browser; Social Engineering via Email/Browser; Limited User; Physical Items: Thumb Drives/CDs autorun/link/EXE, HID-spoofing USB Devices; Physical Access; Local Admin; Supply-chain Compromise]
  • 6. LIMITED USER EXPANSION
    [Diagram: paths from Limited User to Local Admin and Lateral Movement. Nodes: Weak file/service/registry permissions; Find plaintext passwords in scripts/registry; Local exploit – win32k, ntvdm…; Guess/Bruteforce local admin password; Find system current user is local admin on; Internal server-side exploit – SMB, PXE attacks; Spread links via shares, email; Relay NTLM or crack NTLM password; Shares: DLL preloading, shortcut hijacks…; Dump local hashes, re-use local admin accounts]
  • 7. LOCAL ADMIN TO DA
    [Diagram: paths from Local Admin to Domain Admin. Nodes: Hijack active domain logon: dump wdigest/tspkg-cached password; Hijack active domain logon: steal token/hash/ticket; Find plain-text password in scripts/registry; Keylog admin password; Crack domain cached credentials; Deobfuscate LSA Secrets, saved passwords]
  • 8. INTERNAL NETWORK/SERVER ATTACKS
    [Diagram: paths from Internal Network/Server. Nodes: Internal server-side exploits, PXE attacks; Local Admin; Internal web attack, guessed password; Internal Server; Internal client-side attacks, including ARP poisoning, WPAD; Local User; Domain Admin]
  • 9. COMBINED
    [Diagram: slides 5 to 8 combined into one flowchart, from Start through External Server Attack, Client-side Exploit, Social Engineering, Physical Item Drop, Physical Access and Supply-chain Compromise to Limited User, Local Admin, Lateral Movement and Domain Admin, with the same intermediate steps as the individual slides]
  • 10. COMMUNICATION
    • Direct IP's
    • Dynamic DNS/registered domains
    • FTP/HTTP/HTTPS…
    • DNS exfil
    • Shares
    • Tor
    • USB drives
    • Webmail/data sharing sites
    • Compromised sites
  • 11. AIR GAP
    • "The only way to completely secure your computer is to disconnect it from the internet" – UC San Diego
    • Still not completely secure, but still the gold standard
    • Tight physical/personnel security
    • Prevent USB drives (disable USB drivers)
    • Everything without an air gap: isolate as much as possible
  • 12. DEFAULT ALLOW IS EVIL!
    • Isolate workstations
      ◦ No direct connections out
      ◦ Whitelist DNS
      ◦ Whitelist HTTP by proxy
      ◦ Block social networking/file sharing
      ◦ Block inter-workstation traffic/ARP spoofing
    • Isolate servers, admin accounts
      ◦ Stricter whitelist out
      ◦ DMZ for internet-accessible servers
  • 13. COMMUNICATION (channel: countermeasure)
    • Direct IP's: firewall; no direct connections out
    • Dynamic DNS/registered domains: whitelist/categorical block
    • FTP/HTTP/HTTPS…: whitelist/firewall policy
    • DNS exfil: DNS whitelist
    • Shares: firewalls/segmentation
    • Tor: firewall/whitelist
    • USB drives: USB-disabling, user education
    • Webmail/data sharing sites: categorical block (sorry!)
    • Compromised sites: no countermeasure listed on the slide
  • 14. CONTROL THE HOSTS
    • Disable common social engineering vectors
      ◦ Java
      ◦ Office Macros
    • Stop privilege escalation
      ◦ Automate permissions checks
      ◦ Prevent remote local account logins
    • Never allow passwords
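The "automate permissions checks" item above, as an added PowerShell example that is not part of the original deck: it lists services whose executable is writable by low-privilege principals, the weak file/service permission path slide 6 describes. The low-trust group names are the built-in Windows ones; generic access masks are not decoded and directory ACLs are not checked.

```powershell
# Added example (not from the deck): list services whose executable can be
# modified by low-privilege principals, the "weak file/service permissions"
# local-admin path of slide 6. Read-only audit; run from an elevated shell.
$lowTrust = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
              'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets the holder replace the binary that the service runs.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Quoted path, possibly followed by arguments
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (may contain spaces): take everything up to the first .exe
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-WeakServiceBinaryAcl {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowTrust -notcontains $ace.IdentityReference.Value) { continue }
            # Generic access masks show up as raw integers and are not decoded here
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName    # the account a planted binary would run as
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WeakServiceBinaryAcl | Format-Table -AutoSize
```

Scheduling this on workstations and alerting on any output turns the check into the continuous control the slide asks for.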
  • 15. 15 PASSWORD EVILS!
    • Admins leave passwords in shared drives & scripts
    • Can be dumped from memory
    • Can be keylogged
    • Can be guessed
    • Everybody reuses them
    • Hard to remember
  • 16. 15 PASSWORD EVILS!
    • Social engineering
    • Passing-the-hash
    • Pot of gold hash dumps
    • Easy lockouts or online brute force
    • NTLM relay
    • NTLM auth and cached credential offline cracking
    • Painful post-attack cleanup (reset every password)
  • 17. NEVER ALLOW PASSWORDS
    • Force smart card logon for all users
    • Force Kerberos by denying all incoming NTLM
    • Deny network, RDP logon to any non-smart card local or service accounts
    • For extra credit
      ◦ Disable secondary logon service to prevent password-privesc
      ◦ Require SMB signing to address MITM attacks
      ◦ Set low maximum machine account password age to address computer creds
    • Results – solves all 15 problems
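The host-side settings on slide 17 (deny incoming NTLM, SMB signing, machine account password age, secondary logon service) can be verified in one pass; the following is an added PowerShell example, not from the deck. The registry paths are the real Windows locations; the expected values are the deck's recommendation rather than the defaults, the 7-day machine password age is an assumed threshold, and the deny-network/RDP-logon user rights are not covered.

```powershell
# Added example (not from the deck): check a host against the slide 17 settings
# that live in the registry. Expected values follow the deck, not the defaults;
# the 7-day machine account password age is an assumed threshold. Run elevated.
$checks = @(
    @{ Name = 'Incoming NTLM denied for all accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Name = 'Outgoing NTLM denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Expected = 2 },
    @{ Name = 'SMB signing required (server side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB signing required (client side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Machine account password age at most 7 days'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value = 'MaximumPasswordAge'; Max = 7 }
)

function Test-CredentialHardening {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Value) } else { $null }
        $pass = $false
        if ($null -ne $actual) {
            $pass = if ($c.ContainsKey('Max')) { $actual -le $c.Max } else { $actual -eq $c.Expected }
        }
        [pscustomobject]@{ Check = $c.Name; Actual = $actual; Pass = $pass }
    }
    # Secondary Logon (seclogon) backs RUNAS, which the deck lists under
    # password-based privilege escalation; it should be disabled.
    $seclogon = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Secondary Logon service disabled'
        Actual = if ($seclogon) { $seclogon.StartType } else { 'not present' }
        Pass   = (-not $seclogon) -or ($seclogon.StartType -eq 'Disabled')
    }
}

Test-CredentialHardening | Format-Table -AutoSize -Wrap
```

A missing value reports as Actual empty and Pass False, since an unset policy means the default (permissive) behaviour is in effect.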
  • 18. NEVER ALLOW PASSWORDS
    • Prevents passing-the-hash; hashes are not used
    • No hash/private credential database to steal in bulk
    • Private keys cannot be stolen, dumped from memory or keylogged
    • Can't re-use, choose bad passwords, or give them to online social engineers
    • Don't need to worry about lockouts or on/offline brute force or NTLM relay
    • Admins cannot leave passwords in shared drives or scripts
    • Only active logons can be hijacked – temporarily
    • Easier on users' memory and easy to clean up from!
  • 19. MANDATORY SMART CARD, KERBEROS
    [Diagram: the combined attack-path flowchart from slide 9, revisited under mandatory smart card logon and Kerberos]
  • 20. SECURID EVILS!
    • RSA server holds all passwords and seeds
    • On login, password is given to Windows; everything else is the same
    • Hash, pass can be dumped from memory
    • Social engineering (MITM - time limited)
    • Passing-the-hash
    • Pot of gold - hash dumps, passwords, seeds
    • NTLM relay
    • Very painful post-compromise cleanup (replace all tokens)
    • Does fix user-chosen or re-used passwords
  • 21. ISOLATING ADMINS
    • Assign dedicated admin workstations
    • Restrict inbound workstation connections to remote admin sources
    • Block admin accounts from internet and email
    • Restrict privileged accounts from authenticating to lower trust systems
    • Mark privileged accounts as "sensitive and cannot be delegated"
    • Use remote management tools that do not place reusable credentials on a remote computer's memory
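The smart card requirement of slide 17 and the "sensitive and cannot be delegated" flag of slide 21 are per-account Active Directory settings. The following added PowerShell example (not from the deck) reports privileged accounts missing either one and, with -Fix, previews setting both; it assumes the ActiveDirectory RSAT module and the built-in group names listed.

```powershell
# Added example (not from the deck): find privileged domain accounts that are
# not yet smart-card-only (slide 17) or not marked "sensitive and cannot be
# delegated" (slide 21). Requires the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

# Built-in privileged groups; extend with environment-specific admin groups.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Backup Operators')

function Get-PrivilegedAccountGaps {
    param([switch]$Fix)   # without -Fix the function only reports
    $seen = @{}
    foreach ($group in $privilegedGroups) {
        # -Recursive expands nested groups, where stray password-only accounts hide
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.DistinguishedName)) { continue }
            $seen[$m.DistinguishedName] = $true
            $u = Get-ADUser -Identity $m.DistinguishedName `
                     -Properties SmartcardLogonRequired, AccountNotDelegated
            $missing = @()
            if (-not $u.SmartcardLogonRequired) { $missing += 'SmartcardLogonRequired' }
            if (-not $u.AccountNotDelegated)    { $missing += 'AccountNotDelegated' }
            if ($missing.Count -eq 0) { continue }
            if ($Fix) {
                # Both flags are plain Set-ADUser parameters; -WhatIf previews
                # the change, drop it once the report has been reviewed.
                Set-ADUser -Identity $u -SmartcardLogonRequired $true `
                           -AccountNotDelegated $true -WhatIf
            }
            [pscustomobject]@{
                Account = $u.SamAccountName
                Group   = $group
                Missing = ($missing -join ', ')
            }
        }
    }
}

Get-PrivilegedAccountGaps | Format-Table -AutoSize
```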
  • 22. REMOTE MANAGEMENT
    Stealable (leave reusable credentials on the remote computer):
    • Remote desktop
    • Console physical logon
    • Batch logon (scheduled tasks when not S4U)
    • Service logon
    • NetworkClearText/Basic authentication
    • RUNAS
    • Powershell WinRM with -Authentication Credssp or -Credential
    Non-stealable (use these instead):
    • Net use/file shares
    • Remote registry
    • Remote service control manager
    • MMC snap-ins
    • Powershell WinRM without -Authentication Credssp or -Credential
    • Psexec without explicit creds
    • IIS integrated Windows authentication
    • Intel AMT with Kerberos
  • 23. REMOTE MANAGEMENT (same stealable/non-stealable table as slide 22)
    No remote desktop? But wait! There is another way! Secure RDP with temporary account (video)
  • 24. EXPLOITS
    • "The bottom line is the way that we keep people out ... I don't care who hacks my system if they can't get in - let's make it hard for them to get in. And the way you do that is by eliminating software vulnerabilities" – a well-known exploit developer
    • "Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed." – New York Times Op-Ed, 4 April 2013
  • 25. IF EXPLOITS NEVER EXISTED
    [Diagram: the combined attack-path flowchart from slide 9, revisited with all exploit-based steps removed]
  • 26. FIGHTING EXPLOITS
    • Secure webapps
      ◦ Write security into contract for custom apps
      ◦ Do not accept source-code-less apps without audit
      ◦ Scan/bugfix regularly
    • Force exploit mitigations
      ◦ Mandatory DEP, ASLR
      ◦ EMET, SEHOP…
    • Patch in priority
    • Put vulnerable apps in VM isolation
  • 27. VM ISOLATION
    • Virtual Machines > other sandboxes
      ◦ Hypervisor attack surface < kernel attack surface
      ◦ VM escapes have required guest LPE first; added barrier
    • Implementation:
      ◦ Commercial – Bromium/Invincea
      ◦ Free - Qubes
      ◦ VMware view client
      ◦ Citrix
      ◦ Roll-your-own with hypervisor/VNC
  • 28. VM ISOLATION
    • Requirements
      ◦ Restrict network access
      ◦ Prevent host code execution
      ◦ Deny access to sensitive host files
    • Document VM with no internet access
      ◦ PDF reader, Office
      ◦ Stops exploits and social engineering
    • Browser VM
      ◦ Stronger sandbox
      ◦ VM needs internet access
    • Demo
  • 29. VM ISOLATION
    [Diagram: the combined attack-path flowchart from slide 9, revisited under VM isolation]
  • 30. FILE SHARES ARE EVIL!
    • Executable planting
    • DLL Preloading
    • Shortcut hijacking
    • Script infecting
    • Do not use open Windows shares
    • Use a CMS
    • Disable WebDAV
    • Per-user home drives still OK
    • Admin-writable-only drives still OK
  • 31. CODE WHITELISTING
    • Effective against some exploits, much malware, persistence
    • Bit9/Kaspersky/AppLocker… whitelists
    • Lock down powershell
    • Whitelist vbscript/javascript
    • Whitelist batch scripts
    • Whitelist Java
    • Block VBA macros
  • 32. SUMMARY
    • Air-gap what you can
    • Whitelist everything
    • Kill passwords & NTLM; use smart cards/kerberos
    • Use strong mitigations
    • Put your programs in isolated VM's
    • Don't use Windows shared folders
  • 33. THE END
    [Diagram: the combined attack-path flowchart from slide 9, shown once more as the closing slide]