2017 TAG Cyber Security Invitational Course Advanced Cyber Security Technology for Practitioners

Transcription

1 2017 TAG Cyber Security Invitational Course Advanced Cyber Security Technology for Practitioners Lead Instructor: Dr. Edward G. Amoroso Threat Intelligence Lead: Jose Dominguez, TD Ameritrade Course Administrator: Frank Ableson, navitend 2017 TAG Cyber Security Invitational Course 1

2 Course Instructors and Moderators Ed Amoroso Chief Executive Officer TAG Cyber Lead Instructor Jose Dominguez Chief Information Security Officer TD Ameritrade Threat Intelligence Lead Frank Ableson Chief Executive Officer navitend Course Administrator 2017 TAG Cyber Security Invitational Course 2

3 Week 16 Agenda In Real Life... Kerberos Elegant Complexity for a Simple Problem Ed Amoroso This Week in Hacking... Threat Intelligence 1/3 1/10 Ed Amoroso, Jose Dominguez Our First Guest... Secure Network Utility Services, Bruce Flitcroft, Alliant Technologies Our Drop-In Guest... Cyber Security Advice for the White House, Kiersten Todt Our Third Guest... Threat Information Sharing Paul Kurtz, TruSTAR Admin Issues... Course Surveys, Final Exam, CPE Certificates 2017 TAG Cyber Security Invitational Course 3

4 Kerberos: A Complex Solution to a Simple Password Problem Alice (Human) Alice s PC (A) Key Distribution Center (KDC) In Real Life Bob s Server (B) Basic Kerberos Concept: Invented at MIT in 1980 s as part of Project Athena Goal is that Alice (client) can authenticate to Bob (server) without using a password on the local area network (); Key Distribution Center (KDC) enables this process using conventional cryptography (i.e., no public key technology) 2017 TAG Cyber Security Invitational Course 4

5 Kerberos Preconditions Infrastructure Preconditions: Alice (Human) Alice s PC (A) Key Distribution Center (KDC) Bob s Server (B) password password Kerberos password set up for Alice to log into her PC (Never used over any ) 2017 TAG Cyber Security Invitational Course 5

6 Kerberos Keys Infrastructure Preconditions: K KDC : KDC s Encryption Key (Created by KDC) Alice (Human) Alice s PC (A) Key Distribution Center (KDC) Bob s Server (B) password password Key (Issued by KDC) K A : Alice s Encryption K B : Bob s Encryption Key (Issued by KDC) Kerberos KDC creates and issues three cryptographic keys: K A, K B, K KDC { { m } K A } KA = m { { m } KB } KB = m { { m } KKDC } KKDC = m Encrypt Decrypt 2017 TAG Cyber Security Invitational Course 6

7 Kerberos Clocks password password, K A K A, K B, K KDC K B Synchronized clocks produce current time t c for A, KDC, and B Alice (A) wants to login to Bob (B) (server) 2017 TAG Cyber Security Invitational Course 7

8 Kerberos Step 1: Type in Local Password password password, K A, t c K A, K B, K KDC, t c K B, t c Step 1: Alice types in Kerberos password 2017 TAG Cyber Security Invitational Course 8

9 Kerberos Step 2: Request TGT and Session Key password password, K A, t c K A, K B, K KDC, t c K B, t c Step 1: Alice types in Kerberos password Step 2: A makes request for a Ticket-Generating-Ticket (TGT) 2017 TAG Cyber Security Invitational Course 9

10 Kerberos Step 3: Create Session Key and TGT password password, K A, t c K A, K B, K KDC, t c K B, t c Step 1: Alice types in Kerberos password Step 2: A makes request for a Ticket-Generating-Ticket (TGT) Step 3: KDC performs the following computations: - Create Session Key S A for A - Create TGT = {S A, A } K KDC 2017 TAG Cyber Security Invitational Course 10

11 Kerberos Step 4: Provide Session Key and TGT password password, K A, t c K A, K B, K KDC, t c K B, t c Step 1: Alice types in Kerberos password Step 2: A makes request for a Ticket-Generating-Ticket (TGT) Step 4: KDC sends session key S A and TGT to A, encrypted with K A Step 3: KDC performs the following computations: - Create Session Key S A for A - Create TGT = {S A, A } K KDC { S A, TGT } K A 2017 TAG Cyber Security Invitational Course 11

12 Kerberos Step 5: Decrypt Session Key and Store TGT password password, K A, t c K A, K B, K KDC, t c K B, t c Step 1: Alice types in Kerberos password Step 2: A makes request for a Ticket-Generating-Ticket (TGT) Step 4: KDC sends session key S A and TGT to A, encrypted with K A Step 3: KDC performs the following computations: - Create Session Key S A for A - Create TGT = {S A, A } K KDC { S A, TGT } K A Step 5: A performs the following computations: - Decrypt received message - to get Session Key and TGT { { S A, TGT } KA } KA = S A, TGT 2017 TAG Cyber Security Invitational Course 12

13 Kerberos Through Five Steps: Eve Cannot Hack password password, K A, t c K A, K B, K KDC, t c K B, t c Step 1: Alice types in Kerberos password Step 2: A makes request for a Ticket-Generating-Ticket (TGT) Step 4: KDC sends session key S A and TGT to A, encrypted with K A Step 3: KDC performs the following computations: - Create Session Key S A for A - Create TGT = {S A, A } K KDC { S A, TGT } K A Step 5: A performs the following computations: - Decrypt received message - to get Session Key and TGT { { S A, TGT } KA } KA = S A, TGT Intercept - TGT: Useless for replay - { S A, TGT } KA : Useless, cannot decrypt Eve 2017 TAG Cyber Security Invitational Course 13

14 Kerberos Result of Five Steps password password, K A, t c K A, K B, K KDC, t c K B, t c TGT, S A TGT, S A Five step process for KDC to distribute TGT and S A to A 2017 TAG Cyber Security Invitational Course 14

15 Kerberos Step 6: Request Login to B password password, K A, t c K A, K B, K KDC, t c K B, t c TGT, S A TGT, S A Step 6: A makes request to connect to B, Provides TGT and Authenticator { t c } SA 2017 TAG Cyber Security Invitational Course 15

16 Kerberos Step 7: Create Session Key and Ticket to Bob password password, K A, t c K A, K B, K KDC, t c K B, t c TGT, S A TGT, S A Step 6: A makes request to connect to B, Provides TGT and Authenticator { t c } SA Step 7: KDC performs the following computations: - Decrypt TGT to get S A - Use S A to decrypt authentication and check time - Create Session Key S AB for A to use to communicate with B - Create Ticket-to-Bob (TBOB) { S AB, A } KB 2017 TAG Cyber Security Invitational Course 16

17 Kerberos Step 8: Send Session Key and Ticket to Bob password password, K A, t c K A, K B, K KDC, t c K B, t c TGT, S A TGT, S A Step 6: A makes request to connect to B, Provides TGT and Authenticator { t c } SA Step 8: KDC sends session key S AB and TBOB encrypted with S A { S AB, TBOB } SA Step 7: KDC performs the following computations: - Decrypt TGT to get S A - Use S A to decrypt authentication and check time - Create Session Key S AB for A to use to communicate with B - Create Ticket-to-Bob (TBOB) { S AB, A } KB 2017 TAG Cyber Security Invitational Course 17

18 Kerberos Step 9: Decrypt Session Key and Store Ticket to Bob password password, K A, t c K A, K B, K KDC, t c K B, t c TGT, S A TGT, S A Step 6: A makes request to connect to B, Provides TGT and Authenticator { t c } SA Step 8: KDC sends session key S AB and TBOB encrypted with S A { S AB, TBOB } SA Step 7: KDC performs the following computations: - Decrypt TGT to get S A - Use S A to decrypt authentication and check time - Create Session Key S AB for A to use to communicate with B - Create Ticket-to-Bob (TBOB) { S AB, A } KB Step 9: A performs the following computations: - Decrypt received message - to get Session Key and TBOB { { S AB, TBOB } SA } SA = S AB, TBOB 2017 TAG Cyber Security Invitational Course 18

19 Kerberos Through Nine Steps: Eve Cannot Hack password password, K A, t c K A, K B, K KDC, t c K B, t c TGT, S A TGT, S A Step 6: A makes request to connect to B, Provides TGT and Authenticator { t c } SA Step 8: KDC sends session key S AB and TBOB encrypted with S A { S AB, TBOB } SA Step 7: KDC performs the following computations: - Decrypt TGT to get S A - Use S A to decrypt authentication and check time - Create Session Key S AB for A to use to communicate with B - Create Ticket-to-Bob (TBOB) { S AB, A } KB Step 9: A performs the following computations: - Decrypt received message - to get Session Key and TBOB { { S AB, TBOB } SA } SA = S AB, TBOB Intercept - TGT: Useless for replay - Authenticator cannot be replayed (time staleness) Eve - { S AB, TBOB } SA : Useless, cannot decrypt 2017 TAG Cyber Security Invitational Course 19

20 Kerberos Result of Nine Steps password password, K A, t c TGT, S A, S AB, TBOB K A, K B, K KDC, t c TGT, S A, S AB, TBOB K B, t c Four step process for KDC to distribute TBOB and S AB to A 2017 TAG Cyber Security Invitational Course 20

21 Kerberos Step 10: Send Bob the Ticket to Bob password password, K A, t c TGT, S A, S AB, TBOB K A, K B, K KDC, t c TGT, S A, S AB, TBOB K B, t c Step 10: A sends to B the Authenticator { t c } SA and TBOB = { S AB, A } KB 2017 TAG Cyber Security Invitational Course 21

22 Kerberos Step 11: Decrypt Ticket to Bob and Check Time password password, K A, t c TGT, S A, S AB, TBOB K A, K B, K KDC, t c TGT, S A, S AB, TBOB K B, t c Step 10: A sends to B the Authenticator { t c } SA and TBOB = { S AB, A } KB Step 11: B performs the following computations: - Decrypt TBOB to get S AB - Use S AB to decrypt authentication and check time 2017 TAG Cyber Security Invitational Course 22

23 Kerberos Result of Eleven Steps password password, K A, t c TGT, S A, S AB, TBOB K A, K B, K KDC, t c TGT, S A, S AB, TBOB K B, t c S AB, TBOB Two step process (plus nonce messages) for A to use TBOB to get S AB to B 2017 TAG Cyber Security Invitational Course 23

24 Kerberos Realms Step 2: Realm 1, KDC 1 Forwards Request to Realm 2, KDC 2 Realm 1 Realm 2 KDC 1 KDC 2 aaaa Step 1: Client A Requests Access to Remote Server X from Realm 1, KDC 1 Client A Step 3: Realm 2 KDC 2 Forwards Access to Local Server X Server X Client B Step 4: Realm 2 KDC 2 Services Local Access Request from Client B to Local Server X 2017 TAG Cyber Security Invitational Course 24

25 Threat Intelligence 1/3 to 1/10 This Week In Hacking Item 1: Vermont Grid Issue An apparently bogus report was issued about Russian involvement in the Vermont Power Grid. CISO Issue It is getting nearly impossible to tell what is true and what is not. The issue of timely reporting versus accurate information becomes an important local consideration for debate. Item 2: Hello Kitty Attacked The Japanese company Sanrio, parent company to Hello, Kitty reported a breach of 3.3M user accounts this week involving mostly children and teens. CISO Issue Once again, it seems that no company is immune to disclosure breaches, and no clear correlation exists between breach and consequence. Make sure to reinforce that employees must draw a clear line between personal and business account and should never, ever reuse passwords between the two domains TAG Cyber Security Invitational Course 25

26 Bruce Flitcroft Providing Secure Network Utility Services Our First Guest 2017 TAG Cyber Security Invitational Course 26

27 Kiersten Todt Cyber Security Advice for the White House Our Drop-In Guest 2017 TAG Cyber Security Invitational Course 27

28 Paul Kurtz Techniques for Threat Information Sharing Our Third Guest 2017 TAG Cyber Security Invitational Course 28