The Non-Advanced Persistent Threat
DESCRIPTION
Advanced Persistent Threat (APT) is a term given to attacks that specifically and persistently target an entity. The security community views this type of attack as a complex, sophisticated cyber-attack that can last months or even years. However, new research indicates that these attacks are actually being achieved by much simpler methods. Imperva's Application Defense Center (ADC) has discovered that data breaches commonly associated with APT require only basic technical skills. As a result, security teams need to fundamentally shift their focus from absolute prevention of intrusion to protecting critical data assets once intruders have gained access to their infrastructure. This presentation will:
- Expose some powerful, yet extremely simple techniques that allow attackers to efficiently expand their reach within an infected organization
- Show how attackers achieve their goals without resorting to zero-day vulnerabilities and sophisticated exploits
- Discuss how organizations can protect themselves against the advance of such attacks
TRANSCRIPT
© 2014 Imperva, Inc. All rights reserved.
The Non-Advanced Persistent Threat
September 17, 2014
Agenda
§ APT
  • Scenario
  • Infamous APTs
§ Non-APTs
  • The non-APT
  • NTLM weaknesses
  • Demo – Poisoning the Well (File Share)
  • More attack scenarios
§ Waiting for good things to come
§ Privilege escalation
  • Demo – SharePoint Poisoning
§ Leftovers
§ Conclusion
Advanced Persistent Threats
What Comes to Mind
What Is APT?
Attack chain: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate
[Diagram: the data center file share / database is the final target of the chain]
A Few Infamous APTs: From Governments to the People
§ CHS
  • Stolen records: ~4,500,000
  • Period: ~3 months
  • Initial compromise: Heartbleed
§ eBay
  • Stolen records: ~145,000,000
  • Period: ~2 months
  • Initial compromise: stolen credentials (phishing / reuse)
§ Target
  • Stolen records: ~70,000,000
  • Period: ~3 weeks
  • Initial compromise: credentials from a partner (HVAC vendor)
Non-Advanced Persistent Threats
The Non-Advanced Persistent Threat
§ What is APT?
  • Advanced
  • Persistent
  • Threat
§ Show an equivalent scenario
  • Not advanced
  • Not persistent (not extremely)
  • Still a threat
Windows NT LAN Manager (NTLM)
§ Authentication protocol designed by Microsoft
§ Messages (challenge response): Negotiate (client → server), Challenge (server → client), Response / Authenticate (client → server)
§ Gives the user the Single Sign On experience
  • Client stores the LM / NT hash (used for authentication)
§ Used in a variety of protocols: HTTP, SMTP, IMAP, CIFS/SMB, RDP, Telnet, MSSQL, Oracle and more…
§ Microsoft says:
  • “Although Microsoft Kerberos is the protocol of choice, NTLM is still supported”
  • “Applications are generally advised not to use NTLM”
NTLM Vulnerabilities
§ Pass the Hash (APT1)
  • Because the response is calculated from the LM / NT hash, the hash is equivalent to the plaintext password
§ Weak response calculations
  • In early versions (LM / NTLMv1), an attacker holding the challenge and response can recover the LM / NT hash (e.g. CloudCracker)
  • Hashes are extracted easily from a compromised host with public tools: Windows Credential Editor (WCE) / QuarksPwDump
§ Relay attack
Demo: Poisoning the Well
Demo - Poisoning the Well
Scenario at CatCorp inc. (users Alice and Bob):
Initial Compromise → Poison File Share / SharePoint → Gather Privileges (NTLM Relay) → Exfiltrate
Poisoning the Well
[Diagram: the File Share is poisoned from the compromised host; steps 1, 2, 3]
Waiting for Good Things to Come
[Diagram: compromised host, firewall agent, data center file share / database; steps 1, 2]
Privilege Escalation
From the compromised host:
§ SMB reflect
§ SMB relay & authenticate
§ Metasploit SMB capture
§ SMB relay & crack
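The "SMB relay & authenticate" step, modelled in-process so the three-way forwarding is visible, with the mitigation the deck does not spell out (signing) as the failure case. This is an added example, not the deck's demo code. It assumes a constructed account database in which alice's NT hash is that of the password "password"; the victim already holds that hash, so no MD4 is needed here. The signing check is a simplified model (HMAC-MD5 of the request with the NTLMv2 session base key); real SMB2 signing is HMAC-SHA256 over the packet, but the relay is stuck for the same reason: it sees NTProofStr go past, never NTOWFv2, so it cannot derive the key.

```python
import hashlib
import hmac
import os


def ntowf_v2(nt_hash, user, domain):
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_proof(nt_hash, user, domain, server_challenge, blob):
    """NTProofStr (MS-NLMP): HMAC-MD5 keyed by NTOWFv2 over ServerChallenge || client blob."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def session_base_key(nt_hash, user, domain, nt_proof):
    """SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr). Both legitimate ends derive it;
    a relay only ever sees the proof, never NTOWFv2, so it cannot."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), nt_proof, hashlib.md5).digest()


class TargetServer:
    """Server the attacker wants (e.g. the data-center file share). Holds a constructed
    account database of NT hashes; optionally enforces signing on every request."""

    def __init__(self, accounts, require_signing=False):
        self.accounts = accounts            # {(user, domain): nt_hash}
        self.require_signing = require_signing
        self.pending = {}                   # session id -> ServerChallenge
        self.keys = {}                      # session id -> session base key

    def negotiate(self):
        sid = os.urandom(4).hex()
        self.pending[sid] = os.urandom(8)   # fresh 8-byte challenge per session
        return sid, self.pending[sid]

    def authenticate(self, sid, user, domain, nt_proof, blob):
        challenge = self.pending.pop(sid, None)
        nt_hash = self.accounts.get((user, domain))
        if challenge is None or nt_hash is None:
            return False
        if not hmac.compare_digest(ntlmv2_proof(nt_hash, user, domain, challenge, blob), nt_proof):
            return False
        self.keys[sid] = session_base_key(nt_hash, user, domain, nt_proof)
        return True

    def execute(self, sid, request, signature=None):
        """Simplified signing model: HMAC-MD5(session key, request). Real SMB2 signing
        is HMAC-SHA256 over the whole packet; the relay fails for the same reason."""
        if sid not in self.keys:
            return False
        if not self.require_signing:
            return True
        expected = hmac.new(self.keys[sid], request, hashlib.md5).digest()
        return signature is not None and hmac.compare_digest(expected, signature)


class VictimClient:
    """Workstation that transparently answers any NTLM challenge with its cached NT hash (SSO)."""

    def __init__(self, user, domain, nt_hash):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash

    def respond(self, server_challenge):
        blob = os.urandom(24)   # simplified; the real blob carries a timestamp, client nonce and target info
        proof = ntlmv2_proof(self.nt_hash, self.user, self.domain, server_challenge, blob)
        return self.user, self.domain, proof, blob


def relay(victim, target, request=b"READ \\\\FS01\\finance\\payroll.xlsx"):
    """Attacker's rogue listener. The victim connects to it because of the poisoned share
    or SharePoint page; the attacker forwards the exchange to the real target."""
    sid, challenge = target.negotiate()                     # attacker -> target: Negotiate; target answers with Challenge
    user, domain, proof, blob = victim.respond(challenge)   # attacker -> victim: replays that Challenge; victim answers it
    authenticated = target.authenticate(sid, user, domain, proof, blob)   # attacker -> target: victim's Authenticate
    # Without the NT hash the attacker cannot derive the session key, so its requests go unsigned.
    executed = authenticated and target.execute(sid, request)
    return authenticated, executed


# Constructed: alice's NT hash is that of the password "password".
ALICE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def demo(require_signing):
    target = TargetServer({("alice", "CATCORP"): ALICE_NT_HASH}, require_signing)
    alice = VictimClient("alice", "CATCORP", ALICE_NT_HASH)
    return relay(alice, target)


if __name__ == "__main__":
    print("signing off:", demo(False))   # (True, True): relay authenticates and reads the file
    print("signing on: ", demo(True))    # (True, False): authenticates, but the unsigned request is rejected
```

Note that with signing enforced the relay still completes authentication; what it cannot do is use the session. That is why "SMB relay & authenticate" depends on targets that do not require signing, and why the same relayed credential is more useful against protocols (HTTP, MSSQL) that have no equivalent of signing at all.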
Demo: SharePoint Poisoning
Demo – SharePoint Poisoning
[Diagram: CatCorp, Inc.; users Alice and Bob]
§ Easily skip between protocols: NTLM authentication captured over HTTP (SharePoint) can be relayed to SMB / RDP / MSSQL, etc.
Leftovers
What We Left Out and Why
Things We Left Out
§ We didn’t talk about the “edges”
  • Initial Compromise
    § Done with simple methods (phishing, stealing, pay per infection)
    § Security is not equal; attackers go for the weakest link
    § recently was hacked via a “test server”: “That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information”
  • Exfiltration
    § Copy the stolen data from the asset
    § Use any legitimate cloud service (Google Drive etc.)
Attack chain: Initial Compromise → Establish Foothold → Lateral Movement → Gather Data → Exfiltrate
Conclusion
What Does It All Mean & How to Mitigate?
Conclusion
§ APT is not the sole domain of governments or sophisticated criminal groups
  • No need for zero days
  • Low technical skills
§ NTLM is only a symptom
  • Patching / upgrading does not always happen, especially when it’s costly
  • The SSO experience is convenient for attackers: go from file share to DB, web server, Exchange, etc.
§ The least confidential locations could prove dangerous
  • Not strictly monitored
Mitigations
§ Upgrade
  • A good idea, but not always feasible
  • Kerberos also has its vulnerabilities (e.g. Pass the Ticket)
§ Monitor authentications to resources
  • Same machine authenticates with several users
  • Same user authenticates from several machines
§ Avoid services that log on to a large number of assets
  • Service authentication can leave hashes or tickets behind, or be used in relay / MITM attacks
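The two monitoring heuristics above, run over sample logon events. This is an added example, not part of the deck. The log lines are constructed: a key=value layout mirroring the Security event 4624 fields TargetUserName, IpAddress and LogonType, not real Windows output; the window (10 minutes) and threshold (3 distinct values) are assumptions to tune per environment. One source IP authenticating as several users in a short window is the signature of the relay pivot shown earlier; one user authenticating from many sources is the service-account pattern the third mitigation warns about.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per logon, key=value fields mirroring Security event 4624.
# 10.1.1.99 is the compromised host; svc_backup is a service account used on many machines.
SAMPLE_EVENTS = """\
2014-09-17T09:00:01 EventID=4624 TargetUserName=alice IpAddress=10.1.1.20 LogonType=3
2014-09-17T09:00:05 EventID=4624 TargetUserName=WS20$ IpAddress=10.1.1.20 LogonType=3
2014-09-17T09:05:10 EventID=4624 TargetUserName=bob IpAddress=10.1.1.21 LogonType=3
2014-09-17T09:30:00 EventID=4672 TargetUserName=bob IpAddress=10.1.1.21 LogonType=3
2014-09-17T10:00:00 EventID=4624 TargetUserName=alice IpAddress=10.1.1.99 LogonType=3
2014-09-17T10:01:30 EventID=4624 TargetUserName=bob IpAddress=10.1.1.99 LogonType=3
2014-09-17T10:03:12 EventID=4624 TargetUserName=svc_backup IpAddress=10.1.1.99 LogonType=3
2014-09-17T10:04:00 EventID=4624 TargetUserName=svc_backup IpAddress=10.1.2.5 LogonType=3
2014-09-17T10:05:00 EventID=4624 TargetUserName=svc_backup IpAddress=10.1.3.7 LogonType=3
2014-09-17T10:06:00 EventID=4624 TargetUserName=svc_backup IpAddress=10.1.4.8 LogonType=3
2014-09-17T11:00:00 EventID=4624 TargetUserName=carol IpAddress=10.1.1.22 LogonType=2
"""


def parse_events(text):
    """Keep only successful logons (event 4624); other event IDs are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("EventID") != "4624":
            continue
        fields["time"] = datetime.fromisoformat(timestamp)
        events.append(fields)
    return events


def _max_distinct_in_window(seq, window):
    """Largest set of distinct values seen within any span of length `window` in `seq`."""
    seq = sorted(seq)
    best = set()
    for i, (t0, _) in enumerate(seq):
        vals = {v for t, v in seq[i:] if t - t0 <= window}
        if len(vals) > len(best):
            best = vals
    return best


def find_anomalies(events, window=timedelta(minutes=10), threshold=3):
    """Heuristic 1: one source authenticating as many users (relay / pass-the-hash pivot).
    Heuristic 2: one user authenticating from many sources (credential spread across the estate)."""
    users_by_ip = defaultdict(list)
    ips_by_user = defaultdict(list)
    for e in events:
        user = e["TargetUserName"]
        if user.endswith("$"):          # machine accounts legitimately log on everywhere
            continue
        users_by_ip[e["IpAddress"]].append((e["time"], user))
        ips_by_user[user].append((e["time"], e["IpAddress"]))

    findings = []
    for ip, seq in users_by_ip.items():
        users = _max_distinct_in_window(seq, window)
        if len(users) >= threshold:
            findings.append(("machine_many_users", ip, sorted(users)))
    for user, seq in ips_by_user.items():
        ips = _max_distinct_in_window(seq, window)
        if len(ips) >= threshold:
            findings.append(("user_many_machines", user, sorted(ips)))
    return findings


if __name__ == "__main__":
    for kind, subject, values in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"{kind}: {subject} -> {', '.join(values)}")
```

On the sample, alice's two logons an hour apart from different hosts are not flagged (outside the window), while the compromised host and the service account both are. In a real deployment the same logic would run against the file server's and SharePoint's own security logs, which is where the relayed sessions actually land.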
www.imperva.com