Attackers Process. Compromise the Root of the Domain Network: Active Directory

Transcription

1 Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH FOOTHOLD ESCALATE PRIVILEGES INTERNAL RECON COMPLETE MISSION ACTIVE DIRECTORY & NMAP SCAN hello@javelin-networks.com W. 5th Street Austin, TX 78701

2 Your Active Directory is the building block for every APT campaign. THE PERFECT CRIME Through the careful examination of all recent APT campaigns, we see what attackers have known for a long time: the Active Directory is the most targeted asset in the organization. Attackers are not only aware of its security flaws but also its value it holds the information of every IT component whether it s a user, server, or application.

3 INTRODUCTION: PROBLEM STATEMENT When prevention tactics and hygiene fail, how does the defender stop an attacker? We witness case after case where money, motivation, and time allow adversaries to accomplish an objective. Software will never be perfect and without vulnerability. Companies infrastructure will never be free from all misconfiguration or vulnerability. The attacker only needs to be right one time; the defender must be right every time. Companies today are focused on defending endpoints, applications, servers, mobile devices, networks, etc. Yet Active Directory (AD), used by 9 out of 10 companies around the world, is exposed by design and remains unprotected. In fact, most of the breaches and APT campaigns are based on AD enumeration and reconnaissance. AD is a database containing all information about the organization and is freely accessed from any machine connected to the domain. It only takes one compromised domainconnected machine to jeopardize the entire organization. After compromising a machine, attackers utilize trusted applications and built-in tools to steal domain credentials and move laterally through the network. The use of trusted applications, as opposed to malicious binaries, makes detection, forensic tracing, and hunting nearly impossible. Attackers understand this and will hide amongst the authorized user population while using credentials to move around the organization. They will remain within the bounds of access looking like a normal user on the domain, stealing sensitive data, and opening additional doors for persistence. ACTIVE DIRECTORY: THE MOST CRITICAL ASSET Active Directory (AD) contains a database where attributes about all users, computers, servers, applications, and printers of an organization are registered. Each employee who uses a computer within a domain receives a unique user account that can then be assigned access to any resource within the domain based on a predefined company policy. With this technology, Microsoft took over the IT department in every organization and bought itself a place inside every corporation, hospital, and government on the planet. Unfortunately, with this ubiquitous adoption, AD creates a new, dangerous threat: one compromised machine connected to the Domain Network jeopardizes the entire organization. Default queries, which cannot be disabled, provide the attacker much of what they need to achieve the objective. The AD was designed to give information to authenticated users, and attackers are taking advantage of that built-in capability.

4 Fast forward to 2017, where 9 out of 10 organizations around the world use Active Directory Look at these two computers. Do you see any difference? DOMAIN VS. NON-DOMAIN COMPUTER Most people will say that they don t see any difference between the two computers above and from first glance, it s impossible to tell. They look identical, but there is a critical difference. The computer on the right is connected to the domain, receiving access to the Active Directory which contains information about all users, servers, applications, and identities. With these attributes, a map of the environment can be made. If this computer is compromised, it can put the entire organization in danger. If, however, the computer on the left is comprised, it won t put the whole organization in immediate danger because it s not connected to the domain. Therefore, it cannot access the Active Directory. The cyber industry obsessively focuses on defending endpoints, applications, networks, and mobile devices. Yet AD is exposed to numerous risks by design and remains entirely unprotected. Attackers can freely access AD at anytime from any machine connected to the domain. Currently, there is no technology preventing this from happening. The industry has offered User Behavioral Analytics tools and Honeypot appliances as compensating control for attackers compromising user and admin accounts. However, there are no methods for determining Patient Zero by such tools, nor is there a forensic ability to know how the Patient Zero was compromised. These tools are primarily focused towards threat discovery but require much hunting upon detection (expensive and time consuming). An attacker can fly under the baseline, potentially under multiple accounts, which is why this approach will not work.

5 All PCs All Servers All Applications All Users With one compromised endpoint, attackers can effortlessly gain full visibility to all connected resources and identities by simply querying AD. They can even gain full, unprivileged access by locating and stealing admin identities. Then the attackers can easily learn about the entire organization s resources, employees, their identities, their roles, and their privileges. Furthermore, they can learn about the applications running inside, databases, servers, storage, and internal security components. At this stage, all they must do to achieve their goal is to steal domain credentials and move laterally. With a few commands entered at the compromised endpoint, LDAP and SAM queries are generated and sent to the database of Active Directory, revealing the reconnaissance information the attacker needs to continue his progress. This helps locate where the sensitive data lives and how to access it. Here s the problem: AD can t distinguish between a legitimate query and an illegitimate query. As long as the query came from an authenticated user, it has no choice but to answer, revealing the organization s biggest secrets. With a legitimate query, the attacker doesn t get just part of the organization s information they get all of it in a matter of seconds without any risk of being detected. This is why attackers prefer Active Directory reconnaissance over network scans. THE MAIN CHALLENGE The main challenge in detecting this type of attack is that after compromising a Domain Network machine, attackers use trusted applications and built-in tools to steal credentials and move laterally. The use of trusted applications as opposed to malicious binaries makes detection, forensic tracing, and hunting nearly impossible.

6 THE KEY THREE When an attacker gains access to a single computer, he only knows that the door is open. He must gather information the reconnaissance phase to move off that single machine and into the network. He uses this information to answer three key questions: 1. Where am I? 2. Where can I go? 3. How can I get there? There are only three ways to gather nformation: Hacker Use % LLMNR Protocol scan 1% Network scan 1% Active Directory query 98% The first two methods have serious limitations for the hacker. First, they are network scans and only ascertain that a computer is present. Second, the attacker gains no additional information as to whether the machine has any value or is real (i.e. it could be a deceptive honeypot). Third, it s noisy and time consuming with a high degree of detection. That leaves the third option: Active Directory. The Active Directory is a database Microsoft created to control the entire organization and make IT infrastructure management easier. As a result, every computer connected to the Active Directory has read only access to openly and naturally query the database for other users, computers, applications, services, policies, permissions, credentials, etc. We can now understand that basic information is extremely valuable to hackers. The native query capabilities answer all the questions an attacker needs to move beyond the single compromised machine and into the network. Simple, undetectable queries from a normal user account to Active Directory reveal all the database servers, file servers, and high privileged accounts giving the attacker a map of the organization. With this information, the attacker plots which passwords to steal from the endpoint. Then, he takes those stolen credentials and uses the information from Active Directory to move laterally in the environment. In this manner, he "disappears" into the normal business as an authorized user and steals anything he wants. No security tool will detect him once he has valid credentials and the network topology. Behavioral analytics, deceptive honeypots, network monitors, identity and access management (privileged account) products none of these will be able to identify the malicious activity because it is disguised as normal user behavior. The attacker is using legitimate, authorized, and approved information the network and organization trusts. We now have a clear picture of why so many companies are hacked today. Attackers only have to get their initial compromise foothold, and from there, Active Directory gives them everything else they need to carry out a successful operation.

7 INTRODUCING AD PROTECT: ACTIVE DIRECTORY PROTECTION Javelin AD Protect defends the Active Directory while providing autonomous breach containment, incident response, and threat hunting capabilities. The platform will also show the defender and AD Admin the domain from the attacker s perspective, allowing for immediate risk mitigation to reduce the attack surface. Javelin combines technologies such as Native Language Processing, obfuscation, and advanced forensics methodologies at the point of a breach. HOW IT WORKS AD Protect controls the attacker s perception of the organization s internal resources all endpoints, servers, users, applications, and locally stored credentials right at the point of breach. AD Protect autonomously learns the organization s AD structure in its entirety (servers, endpoints, applications, etc.) and uses this data to create an authentic and unlimited obfuscation. It then projects this perspective to the domain-connected asset that the attacker has compromised. The attacker gives themselves away while interacting with Javelin s perception or attempting to move laterally from the compromised machine. It triggers a highfidelity alert without the attacker realizing that they have been detected. BREACH CONTAINMENT, IR, AND HUNTING Designed for Domain Environment: Using unique IR methodologies specifically designed for a Domain Network environment, AD Protect effortlessly collects and analyzes forensic evidence from disk and memory, determining if the attack is a local incident or part of a bigger effort. The moment an attack is detected, an alert is triggered from the endpoint, and an on-demand scan of the memory gathers specific forensic information related to the attack. By automating the forensic process and scanning for the right information only when an attack is detected, AD Protect monitors the process and hunts it back to patient zero to identify where the attack originated. Then, autonomous features contain the breach in real-time. A variety of mitigation methods are available depending on corporate policy and objective. PERSISTENCE AND PREVENTION OF DARK CORNERS Designed for Domain Environment: In a Domain Network environment, attackers leave behind backdoors and persistence hooks that allow them to come back at any time. AD Protect continuously probes for domain misconfigurations and persistence. This activity can save thousands of dollars on consulting or assessment activities. Most importantly, it continuously helps the organization reduce attack surface and risk.

8 Secure Your Domain W 5th St. Austin, TX California Avenue Palo Alto, CA 94306