Ethical Hackers Perspective Things that Make a Hacker's Job Easy

Transcription

1 WEALTH ADVISORY OUTSOURCING AUDIT, TAX, AND CONSULTING Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor Ethical Hackers Perspective Things that Make a Hacker's Job Easy

2 Intro I am going to share with you: whoami 10 Ways Banks get PWNED Phishing and Remote Access Lateral Movement and Privilege Escalation Include mitigation strategies for each 2

3 Cyber Security Services Information Security offered as specialized service offering for over 20 years Penetration Testing and Vulnerability Assessment IT/Cyber security risk assessments IT audit and compliance GLBA/FFIEC, NIST, CIS Critical Controls, PCI-DSS, etc Incident response and forensics Security awareness training Independent security consulting 3

4 10 Ways Banks Get PWNED The same thing.over and over. 4

5 10 Ways CUs Get PWNED 1. Users clicking links 5

6 10 Ways CUs Get PWNED 2. Users clicking links 6

7 10 Ways CUs Get PWNED 3. Users clicking links 7

8 10 Ways CUs Get PWNED 4. Users clicking links 8

9 10 Ways CUs Get PWNED 5. Users clicking links 9

10 10 Ways CUs Get PWNED 6. Users clicking links 10

11 10 Ways CUs Get PWNED 7. Users clicking links 11

12 10 Ways CUs Get PWNED 8. Users clicking links 12

13 10 Ways CUs Get PWNED 9. Users clicking links 13

14 10 Ways CUs Get PWNED 10. Users opening attachments 14

15 QUESTIONS 15

16 CLAconnect.com Thank you! Randy Romes, CISSP, CRISC, MPC, PCI-QSA Managing Principal, Cyber Security Services Direct: linkedin.com/company/ cliftonlarsonallen facebook.com/ cliftonlarsonallen twitter.com/ CLAconnect youtube.com/ CliftonLarsonAllen 16

17 Poor Filtering I am the king of Nigeria 17

18 Poor Filtering By default, many spam filters don t prevent spoofing of your own domain SPF checks typically occur on the SMTP Envelope FROM address, NOT the Message FROM address 18

19 Poor Filtering Connected to mail.cogentco.com (38.9.X.X). MAIL FROM: 250 OK RCPT TO: 250 Accepted SMTP Envelope DATA 354 Enter message, ending with "." on a line by itself FROM: <ElonMusk@tesla.com> TO: <david.anderson@claconnect.com> Subject: Free Tesla Car SMTP Message 19

20 Poor Filtering - Mitigation Configure spam filter to look at both the Envelope FROM field and Message FROM field If it contains your domain, block Implement SPF Also look into DKIM and DMARC Apply extra scrutiny to s that come from domain without a SPF record 20

21 PowerShell That s one powerful shell 21

22 PowerShell Windows scripting environment built on.net Comes pre-installed Attackers don t have to worry about AV Able to perform many different tasks that command prompt couldn t 22

23 PowerShell Search for systems where you have local administrator access Search for where domain administrators are logged in Can download items from a URL Can inject malicious code straight into memory 23

24 PowerShell - Mitigation Upgrade to PowerShell v5 Remove PowerShell v2 Enable Script Block Logging Enable Script Transcription Configure Constrained Language Mode Prevents advanced features, such as.net execution, Windows API calls, and COM access 24

25 OWA Attacks I can read your 25

26 OWA Attacks Exchange supports multiple ways to access mailbox Outlook Anywhere, MAPI, EWS These services are subject to brute force attacks Tools such as MailSniper, Metasploit Targets weak passwords (Winter2016) 26

27 OWA Attacks Many organizations expose OWA to the Internet without requiring 2FA With access to mailbox Find sensitive information (VPN info, PII, passwords) Impersonate employee in phishing attack Create new Outlook Rule 27

28 28

29 OWA Attacks - Mitigation Implement 2FA Be careful, not all 2FA solutions apply to all services Implement strong password policy Require passphrases Implement password filter Configure usernames differently than addresses Log and monitor Logon attempts Outlook Rules 29

30 Office Macros Welcome back to the 1990s 30

31 Office Macros Macros allow attackers to access any applications/features that are installed or available on the user s workstation Utilizing PowerShell, attackers can execute malicious code easily 31

32 Office Macros 32

33 Office Macros 33

34 Office Macros - Mitigation Use Group Policy to disable macros Most users don t need them Office 2016 has new GPO for documents originating from the Internet Teach users who utilize Macros the dangers of opening unknown documents Prevent users from receiving Word Docs Block Docs coming through , Websites 34

35 Office Macros - Mitigation 35

36 .HTA Payloads Thank you for choosing IE for your browser needs :) 36

37 .HTA Payloads HTA > HTML Applications Allows attacker to run malicious applications on end user s system Needs to be opened with Internet Explorer.HTA files get launched by trusted Microsoft application - mshta.exe 37

38 .HTA Payloads From Microsoft - HTAs are not subject to the same security constraints as webpages. The end result is that an HTA runs like any executable (.exe) file written in C++ or Visual Basic. 38

39 .HTA Payloads <script> a=new ActiveXObject("WScript.Shell"); a.run( calc.exe, 0);window.close(); </script> 39

40 .HTA Payloads 40

41 .HTA Payloads 41

42 .HTA Payloads - Mitigation Block mshta.exe from running on systems Web filter/content filter block.hta extension 42

43 Domain Fronting I dare you to block Azure/AWS/Cloudflare 43

44 Domain Fronting Utilizes Content Delivery Networks (CDNs) to hide malicious servers Malware delivery C2 communication There are many well known/reputable providers Microsoft Azure Amazon AWS Cloudflare 44

45 Domain Fronting 45

46 Domain Fronting - Mitigation This one is hard to detect/prevent Monitor web traffic through proxy Utilize SSL stripping Look for oddities over period of time Block these IP ranges if there is not business need 46

47 Lateral Movement and Privilege Escalation DA Hunter Hunting your admins 47

48 DA Hunter PowerShell scripts automating the discovery of: Computers on network Who is logged into each computer Who are the administrators Does the current user have admin rights on the target 48

49 DA Hunter VERBOSE: No Local Admin on OR-TIG VERBOSE: bob has local admin access on D0543 VERBOSE: bob has local admin access on D0467 VERBOSE: No Local Admin on EMS-104 VERBOSE: alice (DA) is logged in! 49

50 DA Hunter Win 7 through Win 10 (excluding latest update) Allows any user to enumerate logged in users We are looking for admin rights in order to compromise additional user accounts Continue the process over and over until we find a system with a DA logged in and we have local admin access on 50

51 DA Hunter - Mitigation Latest update to Windows 10 allows the ability to deny user enumeration through GPO/Registry Windows Version Who can query local users Can be change < Windows 10 Any domain users No Windows 10 Any domain user Yes (only registry) Windows 10 Anniversary Only local administrators Yes (registry or GPO) Network Access: Restrict clients allowed to make remote calls to SAM 51

52 DA Hunter - Mitigation PowerShell script NetCease.ps1 Prevents user enumeration if not an administrator Download from TechNet site Works on Win7/2008 and newer 52

53 Password Storage You think your password is safe? 53

54 Password Storage We commonly look for insecure storage of passwords Spreadsheets Text files Password managers Just found Keypass password for an IT person in a text file in home directory These are easy to find, need to ensure they are properly secured 54

55 Password Storage - Mitigation If you use password managers MUST enable 2FA Computers that access the password database should be highly locked down Know they are not bullet proof E.g. Certificates can be easy to steal 55

56 CLAconnect.com Thank you! Randy Romes, CISSP, CRISC, MPC, PCI-QSA Managing Principal, Cyber Security Services Direct: linkedin.com/company/ cliftonlarsonallen facebook.com/ cliftonlarsonallen twitter.com/ CLAconnect youtube.com/ CliftonLarsonAllen 56