As shown by headlines and countless intrusions, even moderately skilled attackers can sail through the defenses of a typical corporate network. Using a playbook of techniques both common and uncommon, intruders can bypass almost all security barriers despite even tough policies on end users and admins. But failure is not inevitable for a defender. There are many practical ways a network can be constructed that will wipe out most of the playbook, and they don’t always require expensive purchases.
Security must be built from the start, and this presentation will show you how it’s done; how to intelligently look at threats and plan defenses for a Windows network.
4. LEVELS OF ACCESS
• Limited User
• Local Admin
• Lateral Movement
• Domain Admin
• Internal Network
• Internal Server
5. INITIAL ACCESS
Start → access gained:
• External server exploit (web app, SQLi, password) → Internal Network → Internal Server
• Client-side exploit (Java, PDF, Office, browser) → Limited User
• Social engineering via email/browser → Limited User
• Physical items: thumb drives/CDs (autorun, link, EXE), HID-spoofing USB devices → Limited User
• Physical access → Local Admin
• Supply-chain compromise
6. LIMITED USER EXPANSION
Limited User → Local Admin:
• Weak file/service/registry permissions
• Find plaintext passwords in scripts/registry
• Local exploit (win32k, ntvdm…)
• Guess/brute-force local admin password
Limited User → Lateral Movement:
• Find a system the current user is local admin on
• Internal server-side exploit (SMB, PXE attacks)
• Spread links via shares, email; relay NTLM or crack NTLM password
• Shares: DLL preloading, shortcut hijacks…
Local Admin → Lateral Movement:
• Dump local hashes, re-use local admin accounts
7. LOCAL ADMIN TO DA
Local Admin → Domain Admin:
• Hijack active domain logon: dump wdigest/tspkg-cached password
• Hijack active domain logon: steal token/hash/ticket
• Find plain-text password in scripts/registry
• Keylog admin password
• Crack domain cached credentials
• Deobfuscate LSA Secrets, saved passwords
9. COMBINED
[Figure: the combined attack graph, assembled from slides 5–7]
Start → External server attack → Internal Network → Internal Server
Start → Client-side exploit / Social engineering / Physical item drop → Limited User
Start → Physical access / Supply-chain compromise → Local Admin
Limited User → Weak permissions / Find plaintext passwords / Local exploit / Guess local admin password → Local Admin
Limited User → Find system current user is local admin on / Internal server-side exploit / Relay or crack NTLM / Attacks through shares → Lateral Movement
Local Admin → Pass local hashes → Lateral Movement
Local Admin → Dump cached active password / Hijack token, hash, ticket / Find plain-text password / Keylog password / Crack domain cached credentials / Deobfuscate LSA Secrets → Domain Admin
Lateral Movement / Domain Admin → Internal server attacks, internal client-side attacks
10. COMMUNICATION
Direct IPs
Dynamic DNS/registered domains
FTP/HTTP/HTTPS…
DNS exfil
Shares
Tor
USB drives
Webmail/data sharing sites
Compromised sites
11. AIR GAP
“The only way to completely secure your computer is to
disconnect it from the internet” – UC San Diego
Still not completely secure, but still the gold standard
Tight physical/personnel security
Prevent USB drives (disable USB drivers)
Everything that cannot be air-gapped: isolate as much as possible
12. DEFAULT ALLOW IS EVIL!
Isolate workstations
• No direct connections out
• Whitelist DNS
• Whitelist HTTP by proxy
• Block social networking/file sharing
• Block inter-workstation/ARP-spoofing
Isolate servers, admin accounts
• Stricter whitelist out
• DMZ for internet-accessible servers
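The workstation half of this slide as a host firewall policy. This is an added example, not code from the talk; it uses the Windows NetSecurity cmdlets, and every address below (proxy, resolvers, domain subnet, admin subnet) is an assumed placeholder you must replace. Run it as Administrator on a test machine first: with a default-deny outbound profile, anything not listed here stops working.

```powershell
# Added example (not from the slides): default-deny host firewall for a workstation.
# All addresses are assumed placeholders. Run as Administrator.
$Proxy      = '10.0.0.10'                # assumed: explicit web proxy
$ProxyPort  = 8080                       # assumed
$DnsServers = @('10.0.0.2', '10.0.0.3')  # assumed: internal resolvers
$DomainNet  = '10.0.1.0/24'              # assumed: DCs and core services
$AdminNet   = '10.0.9.0/24'              # assumed: dedicated admin workstations

# Default allow is evil: deny in and out unless a rule says otherwise.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Whitelist DNS: internal resolvers only. A direct DNS tunnel to an attacker's
# server is dropped here; queries that go via the resolver still need
# logging/filtering on the resolver itself.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Allow DNS ($proto) to internal resolvers" `
        -Direction Outbound -Protocol $proto -RemotePort 53 `
        -RemoteAddress $DnsServers -Action Allow | Out-Null
}

# Whitelist HTTP by proxy: no direct web from the workstation. Direct-IP C2,
# Tor and "FTP/HTTP/HTTPS to anywhere" all fall into the outbound Block default.
New-NetFirewallRule -DisplayName 'Allow web via proxy only' `
    -Direction Outbound -Protocol TCP -RemotePort $ProxyPort `
    -RemoteAddress $Proxy -Action Allow | Out-Null

# Domain services the workstation needs (Kerberos, LDAP, SMB to DCs, ...).
New-NetFirewallRule -DisplayName 'Allow domain services' `
    -Direction Outbound -RemoteAddress $DomainNet -Action Allow | Out-Null

# Block inter-workstation traffic: inbound only from the admin network.
# Another workstation's SMB/RDP/WinRM hits the inbound Block default. ARP
# spoofing is a switch-side control (dynamic ARP inspection), not a host one.
New-NetFirewallRule -DisplayName 'Allow remote admin from admin workstations' `
    -Direction Inbound -RemoteAddress $AdminNet -Action Allow | Out-Null

# Verify what is still allowed outbound (built-in allow rules included).
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Deploy the same rules through Group Policy rather than per host so local rule changes cannot re-open the defaults; the server tier gets the same shape with an even shorter outbound list.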
13. COMMUNICATION
Channel → Countermeasure
Direct IPs → Firewall; no direct connections out
Dynamic DNS/registered domains → Whitelist/categorical block
FTP/HTTP/HTTPS… → Whitelist/firewall policy
DNS exfil → DNS whitelist
Shares → Firewalls/segmentation
Tor → Firewall/whitelist
USB drives → USB-disabling, user education
Webmail/data sharing sites → Categorical block (sorry!)
Compromised sites → (no countermeasure given on the slide)
14. CONTROL THE HOSTS
Disable common social engineering vectors
• Java
• Office Macros
Stop privilege escalation
• Automate permissions checks
• Prevent remote local account logins
Never allow passwords
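One way to automate the permissions check, for the "weak file/service/registry permissions" path of slide 6 and the "automate permissions checks" item above. This is an added example, not the speaker's tooling: it walks every service, reduces the image path to its executable, and reports services whose binary or containing directory has an Allow ACE with write-class rights for a principal outside a trusted set, plus unquoted paths with spaces. The trusted-principal list is an assumption for an English-language install. Run it as an ordinary user, which is the view an attacker has from a Limited User foothold.

```powershell
# Added example (not from the slides): weak service permission audit.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')   # assumed trusted set
# WriteData | AppendData | Delete | ChangePermissions | TakeOwnership | GENERIC_WRITE | GENERIC_ALL
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-ServiceImage {
    # Reduce a service PathName to its executable. Unquoted paths are resolved
    # the way CreateProcess does: the shortest space-delimited prefix that exists
    # wins, which is why an unquoted C:\Program Files\Foo\svc.exe can be hijacked
    # by C:\Program.exe.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $PathName -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        foreach ($p in $candidate, "$candidate.exe") {
            if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
        }
    }
    return $parts[0]
}

function Get-LowPrivWriter {
    # First non-trusted principal with write-class rights on $Path, or $null.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        # int64 keeps the generic-right bits (negative Int32 enum values) for the mask test
        if (([int64]$ace.FileSystemRights) -band $WriteMask) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Find-WeakServicePermission {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $image    = Get-ServiceImage $svc.PathName
        $unquoted = ($svc.PathName -notmatch '^"') -and ($image -match ' ')
        $writer   = Get-LowPrivWriter $image
        $where    = 'file'
        if (-not $writer) {
            $writer = Get-LowPrivWriter (Split-Path -LiteralPath $image -Parent)
            $where  = 'directory'
        }
        if (-not ($unquoted -or $writer)) { continue }
        $writable = if ($writer) { "$writer ($where)" } else { $null }
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            Image        = $image
            UnquotedPath = $unquoted
            WritableBy   = $writable
        }
    }
}

Find-WeakServicePermission | Format-Table -AutoSize
```

Every hit where RunsAs is LocalSystem or a domain account is a Limited User → Local Admin (or worse) step; fix the ACL or quote the path, and schedule the script so regressions from new installs show up. The same mask logic applies to the service's registry key (ImagePath under HKLM:\SYSTEM\CurrentControlSet\Services), which is the registry half of the slide's point.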
15. 15 PASSWORD EVILS!
Admins leave passwords in shared drives & scripts
Can be dumped from memory
Can be keylogged
Can be guessed
Everybody reuses them
Hard to remember
16. 15 PASSWORD EVILS!
Social engineering
Passing-the-hash
Pot of gold hash dumps
Easy lockouts or online brute force
NTLM relay
NTLM auth and cached credential offline cracking
Painful post-attack cleanup (reset every password)
17. NEVER ALLOW PASSWORDS
Force smart card logon for all users
Force Kerberos by denying all incoming NTLM
Deny network, RDP logon to any non-smart card local or service accounts
For extra credit
• Disable secondary logon service to prevent password-privesc
• Require SMB signing to address MITM attacks
• Set low maximum machine account password age to address computer creds
Results – solves all 15 problems
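The settings behind this slide, applied locally with PowerShell. This is an added example rather than the speaker's own script; in a real deployment every one of these belongs in a GPO linked at domain level, and the local form is shown only so each setting is explicit. Assumptions: the well-known SID S-1-5-113 ("Local account") and S-1-5-114 ("Local account and member of Administrators group") are available on the target (Windows 8.1/2012 R2 and later), and service accounts that cannot hold a smart card are added to the deny lists by their own SIDs. Run as Administrator, on a test host first: once smart card is required and incoming NTLM is denied, a password logon to this machine no longer works.

```powershell
# Added example (not from the slides): local application of slide 17's policy.
function Set-Reg([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Force smart card logon ("Interactive logon: Require smart card"). Per-account
# enforcement is the SMARTCARD_REQUIRED flag on the AD object, e.g.
#   Set-ADUser -Identity alice -SmartcardLogonRequired $true
Set-Reg $Pol 'scforceoption' 1

# Force Kerberos by denying all incoming NTLM
# ("Network security: Restrict NTLM: Incoming NTLM traffic" = Deny all accounts).
# Dry run first with AuditReceivingNTLMTraffic=2 and read event log
# "Microsoft-Windows-NTLM/Operational" for what would break.
Set-Reg "$Lsa\MSV1_0" 'AuditReceivingNTLMTraffic' 2
Set-Reg "$Lsa\MSV1_0" 'RestrictReceivingNTLMTraffic' 2

# Extra credit 1: no secondary logon service (RUNAS with a password).
Set-Service -Name seclogon -StartupType Disabled
Stop-Service -Name seclogon -ErrorAction SilentlyContinue

# Extra credit 2: require SMB signing on both client and server side.
Set-Reg "$Svc\LanmanServer\Parameters"      'RequireSecuritySignature' 1
Set-Reg "$Svc\LanmanWorkstation\Parameters" 'RequireSecuritySignature' 1

# Extra credit 3: short machine account password age (days; default 30).
Set-Reg "$Svc\Netlogon\Parameters" 'MaximumPasswordAge' 7
Set-Reg "$Svc\Netlogon\Parameters" 'DisablePasswordChange' 0

# Deny network and RDP logon to local accounts (S-1-5-113). Add the SIDs of
# non-smart-card service accounts to the same lines. secedit is the built-in
# way to set user rights without a GPO; the template must be UTF-16.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-113
SeDenyRemoteInteractiveLogonRight = *S-1-5-113
'@
$infPath = Join-Path $env:TEMP 'deny-local-remote-logon.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'deny-local.sdb') /cfg $infPath /areas USER_RIGHTS | Out-Null
```

Order matters: turn on NTLM auditing and the deny-logon rights first, fix whatever shows up (old appliances, services with stored passwords), then flip NTLM to deny and require smart cards. Whoever still authenticates with a password after that is, by construction, an exception you know about.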
18. NEVER ALLOW PASSWORDS
Prevents passing-the-hash: with NTLM denied, hashes are not used to authenticate (AD still keeps a randomly generated NT hash for a smart-card-required account, so keep NTLM denied and roll that hash rather than treating it as gone)
No private-key database to steal in bulk: the keys live only on the cards
Private keys cannot be stolen, dumped from memory or keylogged
Can’t re-use, choose bad passwords, or give them to online social engineers
Don’t need to worry about lockouts or on/offline brute force or NTLM relay
Admins cannot leave passwords in shared drives or scripts
Only active logons can be hijacked – temporarily
Easier on users’ memory and easy to clean up from!
19. MANDATORY SMART CARD, KERBEROS
[Figure: the combined attack graph from slide 9, re-shown to illustrate which paths mandatory smart card + Kerberos logon removes; the slide's visual annotations are not recoverable from the extracted text.]
20. SECURID EVILS!
RSA server holds all passwords and seeds
On login, password is given to Windows; everything else is the same
Hash, pass can be dumped from memory
Social engineering (MITM - time limited)
Passing-the-hash
Pot of gold - hash dumps, passwords, seeds
NTLM relay
Very painful post-compromise cleanup (replace all tokens)
Does fix user-chosen or re-used passwords
21. ISOLATING ADMINS
Assign dedicated admin workstations
Restrict inbound workstation connections to remote admin sources
Block admin accounts from internet and email
Restrict privileged accounts from authenticating to lower trust systems
Mark privileged accounts as “sensitive and cannot be delegated”
Use remote management tools that do not place reusable credentials on a
remote computer's memory
22. REMOTE MANAGEMENT
Stealable (leaves reusable credentials on the remote host):
• Remote desktop
• Console physical logon
• Batch logon (scheduled tasks when not S4U)
• Service logon
• NetworkClearText/Basic authentication
• RUNAS
• PowerShell WinRM with -Authentication Credssp or -Credential
Non-stealable (use these instead):
• Net use/file shares
• Remote registry
• Remote service control manager
• MMC snap-ins
• PowerShell WinRM without -Authentication Credssp or -Credential
• Psexec without explicit creds
• IIS integrated Windows authentication
• Intel AMT with Kerberos
23. REMOTE MANAGEMENT
No remote desktop? But wait! There is another way!
Secure RDP with temporary account
[Video]
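The "stealable" column above, turned into a detection: a privileged account logging on to anything other than its dedicated admin workstation with a logon type that leaves reusable credentials in memory. This is an added example, not something from the talk. The account and workstation names are assumed placeholders, and the sample records are constructed so the logic runs offline; the second function shows how to feed it real 4624 events from Get-WinEvent. The logon type numbers are Windows' own: 2 Interactive (console, RUNAS), 3 Network, 4 Batch, 5 Service, 8 NetworkCleartext (Basic), 9 NewCredentials (RUNAS /netonly), 10 RemoteInteractive (RDP), 11 CachedInteractive. Type 3 is what shares, remote registry, PsExec without explicit creds and WinRM without CredSSP produce, and is the one you want to see.

```powershell
# Added example (not from the slides): flag stealable admin logons from 4624 events.
$Stealable = @{
    2  = 'Interactive (console / RUNAS)'
    4  = 'Batch (scheduled task with stored password)'
    5  = 'Service'
    8  = 'NetworkCleartext / Basic'
    9  = 'NewCredentials (RUNAS /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}
$PrivilegedAccounts = @('CORP\da-alice', 'CORP\srvadmin-bob')  # assumed
$AdminWorkstations  = @('PAW01', 'PAW02')  # assumed; spell them as the Computer field reports them

function Find-StealableAdminLogon {
    param([Parameter(ValueFromPipeline)] $Logon)
    process {
        $acct = "$($Logon.TargetDomainName)\$($Logon.TargetUserName)"
        if ($PrivilegedAccounts -notcontains $acct) { return }
        if ($AdminWorkstations -contains $Logon.Computer) { return }   # expected there
        $type = [int]$Logon.LogonType
        if ($Stealable.ContainsKey($type)) {
            [pscustomobject]@{
                Time      = $Logon.TimeCreated
                Account   = $acct
                Host      = $Logon.Computer
                LogonType = $type
                Exposure  = $Stealable[$type]
            }
        }
    }
}

function ConvertFrom-LogonEvent {
    # Flatten a 4624 record from Get-WinEvent into the shape Find-StealableAdminLogon reads.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated      = $Record.TimeCreated
            Computer         = $x.Event.System.Computer
            TargetDomainName = $d.TargetDomainName
            TargetUserName   = $d.TargetUserName
            LogonType        = $d.LogonType
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = '09:01'; Computer = 'WS17';  TargetDomainName = 'CORP'; TargetUserName = 'da-alice';     LogonType = 10 }
    [pscustomobject]@{ TimeCreated = '09:05'; Computer = 'FS01';  TargetDomainName = 'CORP'; TargetUserName = 'da-alice';     LogonType = 3 }
    [pscustomobject]@{ TimeCreated = '09:07'; Computer = 'PAW01'; TargetDomainName = 'CORP'; TargetUserName = 'da-alice';     LogonType = 2 }
    [pscustomobject]@{ TimeCreated = '09:30'; Computer = 'WS22';  TargetDomainName = 'CORP'; TargetUserName = 'srvadmin-bob'; LogonType = 5 }
)
$sample | Find-StealableAdminLogon | Format-Table -AutoSize

# Live use, on a collector or any host with Security-log read rights:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ConvertFrom-LogonEvent | Find-StealableAdminLogon
```

A hit means a Domain Admin credential sat in LSASS on a host the slide 21 rules say it should never touch; treat the host as compromised-until-proven-otherwise and the account as one to re-issue, not just the logon as a policy slip.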
24. EXPLOITS
“The bottom line is the way that we keep people out ... I don't care
who hacks my system if they can't get in - let's make it hard for them to
get in. And the way you do that is by eliminating software
vulnerabilities” – a well-known exploit developer
“Too much of the debate begins and ends with the perpetrators and
the victims of cyberattacks, and not enough is focused on the real
problem: the insecure software or technology that allows such attacks
to succeed.” – New York Times Op-Ed, 4 April 2013
25. IF EXPLOITS NEVER EXISTED
[Figure: the combined attack graph from slide 9, re-shown to illustrate which paths disappear if exploits never existed; the slide's visual annotations are not recoverable from the extracted text.]
26. FIGHTING EXPLOITS
Secure webapps
• Write security into contract for custom apps
• Do not accept source-code-less apps without audit
• Scan/bugfix regularly
Force exploit mitigations
• Mandatory DEP, ASLR
• EMET, SEHOP…
Patch in priority
Put vulnerable apps in VM isolation
27. VM ISOLATION
Virtual Machines > other sandboxes
• Hypervisor attack surface < kernel attack surface
• VM escapes have required guest LPE first; added barrier
Implementation:
• Commercial – Bromium/Invincea
• Free - Qubes
• VMware view client
• Citrix
• Roll-your-own with hypervisor/VNC
28. VM ISOLATION
Requirements
• Restrict network access
• Prevent host code execution
• Deny access to sensitive host files
Document VM with no internet access
• PDF reader, Office
• Stops exploits and social engineering
Browser VM
• Stronger sandbox
• VM needs internet access
Demo
29. VM ISOLATION
[Figure: the combined attack graph from slide 9, re-shown to illustrate which paths VM isolation removes; the slide's visual annotations are not recoverable from the extracted text.]
30. FILE SHARES ARE EVIL!
Executable planting
DLL Preloading
Shortcut hijacking
Script infecting
Do not use open Windows shares
Use a CMS
Disable WebDAV
Per-user home drives still OK
Admin-writable-only drives still OK
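A way to find the open shares this slide says to retire. This is an added example, not the speaker's script: it lists SMB shares on the local host where a broad principal holds Change/Full on the share and write-class rights on the NTFS root, since the effective permission is the more restrictive of the two layers. The broad-principal names are assumed for an English-language, domain-joined host. Run as Administrator on each file server; per-user home drives and admin-writable-only drives will not appear because no broad group can write to them.

```powershell
# Added example (not from the slides): find broadly writable SMB shares.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
           "$env:USERDOMAIN\Domain Users", "$env:USERDOMAIN\Domain Computers")  # assumed
# WriteData | AppendData | Delete | ChangePermissions | TakeOwnership | GENERIC_WRITE | GENERIC_ALL
$NtfsWrite = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Find-BroadlyWritableShare {
    $shares = Get-SmbShare |
        Where-Object { -not $_.Special -and $_.ShareType -eq 'FileSystemDirectory' -and $_.Path }
    foreach ($share in $shares) {
        # Share layer: Change or Full for a broad principal.
        $shareWriters = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -in 'Change', 'Full' -and
                           $Broad -contains $_.AccountName } |
            ForEach-Object { $_.AccountName }
        if (-not $shareWriters) { continue }

        # NTFS layer on the share root: write-class rights for a broad principal.
        # int64 keeps generic-right bits (negative Int32 enum values) for the mask test.
        $ntfsWriters = (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $Broad -contains $_.IdentityReference.Value -and
                           (([int64]$_.FileSystemRights) -band $NtfsWrite) } |
            ForEach-Object { $_.IdentityReference.Value }
        if (-not $ntfsWriters) { continue }

        [pscustomobject]@{
            Share      = $share.Name
            Path       = $share.Path
            ShareWrite = ($shareWriters | Sort-Object -Unique) -join ', '
            NtfsWrite  = ($ntfsWriters  | Sort-Object -Unique) -join ', '
        }
    }
}

Find-BroadlyWritableShare | Format-List
```

Each result is a place where an attacker with any domain account can plant an executable, a DLL next to a legitimate program, or a hijacked shortcut; the fix per the slide is to make it admin-writable-only or move the content into a CMS.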
31. CODE WHITELISTING
Effective against some exploits, much malware, persistence
Bit9/Kaspersky/AppLocker… whitelists
Lock down powershell
Whitelist vbscript/javascript
Whitelist batch scripts
Whitelist Java
Block VBA macros
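The AppLocker form of this slide, as an added example (not the speaker's code). It builds Exe, Dll and Script rules from what is installed under the trusted program directories, deploys them in audit mode, and sets the Office policy value that blocks VBA macros. Script rules cover .ps1, .bat, .cmd, .vbs and .js, which is the "whitelist vbscript/javascript/batch" part; when script rules are enforced, PowerShell 5 and later runs non-whitelisted code in Constrained Language mode, which is the "lock down PowerShell" part. Java is not an AppLocker file type and is not covered here. Assumptions: an Enterprise edition with AppLocker, and Office policy key version 16.0 (older releases use 14.0 or 15.0). Run as Administrator.

```powershell
# Added example (not from the slides): AppLocker whitelist in audit mode + macro block.
$TrustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path $_) }
$PolicyFile  = Join-Path $env:TEMP 'applocker-audit.xml'

# Publisher rules where files are signed, hash rules otherwise; -Optimize
# collapses files from the same publisher/product into one rule.
$files  = foreach ($dir in $TrustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}
$policy = [xml]($files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml)

# Audit first. Blocked-if-enforced events appear under
# "Applications and Services Logs\Microsoft\Windows\AppLocker"; switch each
# collection to 'Enabled' only once that log is clean for a normal work cycle.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyFile)

# AppLocker evaluates nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# Dry-run a file against the policy without executing it.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path "$env:SystemRoot\System32\notepad.exe" -User Everyone

# Block VBA macros: 4 = disable all without notification
# (1 = enable all, 2 = disable with notification, 3 = signed only).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
}
```

The Dll collection is the expensive one (every library load is checked) and is the first thing to drop if performance bites; Exe plus Script already stops the dropped-executable, planted-script and persistence cases the slide is after. Deploy the finished XML through Group Policy (Set-AppLockerPolicy -Ldap) rather than per machine.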
32. SUMMARY
Air-gap what you can
Whitelist everything
Kill passwords & NTLM; use smart cards/kerberos
Use strong mitigations
Put your programs in isolated VM’s
Don’t use Windows shared folders
33. THE END
[Figure: the combined attack graph from slide 9, repeated on the closing slide; the slide's visual annotations are not recoverable from the extracted text.]