Modern Realities of Securing Active Directory & the Need for AI

Similar documents
May the (IBM) X-Force Be With You

Threat Intelligence to enhance Cyber Resiliency KEVIN ALBANO GLOBAL THREAT INTELLIGENCE LEAD IBM X-FORCE INCIDENT RESPONSE AND INTELLIGENCE SERVICES

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

ISAM Advanced Access Control

Integrated, Intelligence driven Cyber Threat Hunting

IBM MaaS360 Kiosk Mode Settings

Be effective in protecting against the cybercrime

ISAM Federation STANDARDS AND MAPPINGS. Gabriel Bell IBM Security L2 Support Jack Yarborough IBM Security L2 Support.

The New Era of Cognitive Security

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Penetration testing a building automation system

Fabrizio Patriarca. Come creare valore dalla GDPR

BigFix 101- Server Pricing

Let s Talk About Threat Intelligence

Securing global enterprise with innovation

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

Becoming the Adversary

Critical Hygiene for Preventing Major Breaches

Pass-the-Hash Attacks

BigFix Query Unleashed!

Building Resilience in a Digital Enterprise

Ponemon Institute s 2018 Cost of a Data Breach Study

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

IBM Guardium Data Encryption

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Predators are lurking in the Dark Web - is your network vulnerable?

IBM Security. Endpoint Manager- BigFix. Daniel Joksch Security Sales IBM Corporation

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

MODERN DESKTOP SECURITY

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

Incident Scale

ALL ROADS LEAD TO DOMAIN ADMIN BREACH TO CDE A SECTOR CONFERENCE PRESENTATION OCTOBER 2016

Windows Server Security Guide

Introduction to IBM Security Network Protection Manager

The McGill University Health Centre (MUHC)

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

MSS VSOC Portal Single Sign-On Using IBM id IBM Corporation

IBM Security Network Protection Solutions

SWD & SSA Updates 2018

Outsmarting the Smart City DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUNS MODERN CITIES

C1: Define Security Requirements

IBM Application Security on Cloud

Identity Governance Troubleshooting

Cyber security tips and self-assessment for business

Using Smart Cards to Protect Against Advanced Persistent Threat

Attacking and Defending Active Directory July, 2017

Hunting Lateral Movement with Windows Events Logs. SANS Threat Hunting Summit 2018 Mauricio

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Deploying BigFix Patches for Red Hat

Security+ SY0-501 Study Guide Table of Contents

Optimizing IBM QRadar Advisor with Watson

Segmentation for Security

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Notice on Names and Logos Used in This Presentation

Pass-the-Hash Attacks. Michael Grafnetter

Analyzing Hardware Inventory report and hardware scan files

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

How AppScan explores applications with ABE and RBE

RastaLabs Red Team Simulation Lab

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

10 Ways Credit Unions Get PWNED

PENETRATION TESTING EXTREME VERSION 1

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Windows 10 Security & Audit

Le sfide di oggi, l evoluzione e le nuove opportunità: il punto di vista e la strategia IBM per la Sicurezza

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

IndigoVision. Control Center. Security Hardening Guide

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

What's new in AppScan Standard/Enterprise/Source version

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Windows 7, Enterprise Desktop Support Technician

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

IBM Security Support Open Mic

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

SentinelOne Technical Brief

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

CoreMax Consulting s Cyber Security Roadmap

Cyber Essentials Questionnaire Guidance

IBM Security Guardium: : Sniffer restart & High CPU correlation alerts

IBM Security QRadar. Vulnerability Assessment Configuration Guide. January 2019 IBM

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

CIS Controls Measures and Metrics for Version 7

Cybersecurity Today Avoid Becoming a News Headline

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Locking down a Hitachi ID Suite server

CIS Controls Measures and Metrics for Version 7

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

How Breaches Really Happen

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Building Trust in the Internet of Things

POWERSHELL: FROM ATTACKERS' TO DEFENDERS' PERSPECTIVE

What's new in AppScan Standard version

Security and Authentication

Transcription:

Modern Realities of Securing Active Directory & the Need for AI Our Mission: Hacking Anything to Secure Everything 7 Feb 2019 Presenters: Dustin Heywood (EvilMog), Senior Managing Consultant, X-Force Red

BIO Senior Managing Consultant, X-Force Red EvilMog from Team Hashcat Spoken at Multiple Conferences: BC Privacy & Security Conference, Derbycon, SkydogCon, IBM Think, Security BSidesLV Specialize in Password Cracking, Active Directory Security & Red Teaming Alberta Restricted Locksmith Tools License Senior Pyrotechnician (Proximate Fireworks) 2 Page

Active Directory Tiers Tier 0 Domain Controllers Tier 1 Servers Tier 2 Desktops Source: https://docs.microsoft.com/en-us/windowsserver/identity/securing-privileged-access/securing-privileged-accessreference-material 3 Page

Stage 1 Attacking Desktops Every endpoint can be penetrated for the most part Attack methods include: Man in the middle via Layer 2 (ARP Poisoning, LLMNR/NBT-NS/WPAD) Code Execution with AMSI Bypass (Powershell, vbscript, jscript, hta files, dde, C#, iron python) Misconfigurations Malware PSExec, WMI, WinRM, SMBExec Cold boot and steal SAM/SYSTEM registry hives if drive is not encrypted The point is desktops can be compromised in some way shape or form 4 Page

The problem with Windows Windows keeps credentials in memory on all remote interactive logins with some exceptions until reboot NTLM hashes are just a UTF-16LE Encoded String that is then run through MD4 NTLM hashes are password equivalent in windows All authentication in windows such as Kerberos, NTLMv1, NTLMv2, Smart Cards all come down to knowledge of the NTLM Hash Most sysadmins leave the same common administrator password across workstations and even servers Knowledge of the hash will get you access to other systems, easy lateral movement 5 Page

Powershell Powershell is the go to post exploitation language of hackers Complete access to the Win32 API Zero logging of execution below Powershell 5 Until windows 10 it didn t get scanned by anti-virus On by default on all systems As of Windows 2008/Vista 6 Page

New Techniques AMSI & Powershell v5 AMSI (Anti Malware Scan Interface) is in Windows 10 & Server 2016 Makes things substantially harder as it forces scanning of powershell, vbs, and jscript Powershell v5 Can enforce Script Block Logging, Transcription Logging, Module Logging centrally New evil C#, Iron Python, LoLBins (Living off the Land Binaries/Builtin Admin Tools) Entirely in memory, dynamically compiled, next to impossible to signature Reflective Assembly Loading of C# direct through Common Command and Control, no forensic evidence without memory monitoring Most SIEMS will not catch this without highly tuned rules and things change all the time 7 Page

Malleable C2 C2 is Command and Control Frameworks can now be modified to look like anything on the network from APT s to legitimate network protocols Encrypted with randomized keys Highly variable communications patterns ranging from a few ms to one callback per day and random intervals Communication can be over HTTP, HTTPS, DNS and has API hooks for connections over IRC, SLACK, or anything with an API In memory locations, compile times, permissions, process forking, code caves, everything is customizable Newer attackers are coding their own custom frameworks faster than you can keep up 8 Page

Attacking Servers Servers can be attacked just like desktops Techniques such as Kerberoasting can attack AD Itself SQL Injections Actual Vulnerabilities (MS08-067, MS17-010 etc) Print Spooler Vulnerabilities to force hash disclosure Exchange Vulnerabilities Finally in house applications could have bugs Attack surface is endless 9 Page

Common Issues Server and Domain Administrators manage servers from their desktops Take over the Desktop Tier, if the desktop tier has access to server admins you now control servers Take over a Server Management Jumpbox and you now own the domain Credentials leak over the wire and there are multiple ways to get some kind of foothold 10 Page

Tier 0/1/2 Isolation Tier 0 Domain Controllers Tier 1 Servers Tier 2 Desktops Source: https://docs.microsoft.com/en-us/windowsserver/identity/securing-privileged-access/securing-privileged-accessreference-material 11 Page

Misconceptions Active Directory Domains are security boundaries Vulnerability Scanners need Domain Admin Kerberos Ticket Hash never needs to be rotated Desktops/Servers need the same common local admin password for emergencies Secrets do not need to be rotated 12 Page

Reality Active Directory Forest is the Security Boundary If you own a parent or child domain you can take over the entire forest Anybody who knows the ktbtgt hash owns your domain (Backup Admins, ESX Admins) Vulnerability scanners spray creds that can be captured Kerberos ticket hash needs to be rotated twice a year All local admin passwords should be randomized All privileged secrets must be frequently rotated Workstations should block all incoming connections except from management workstations Assume every system has been compromised 13 Page

Evil Mogs not Patented Active Directory Checklist Turn on Windows Firewall Block 3389,445,139,137, 135, 5895/5896 at every network boundary Disable LLMNR/NBT-NT/WPAD & Block Arp Poisoning, secure Dynamic DNS Updates Get an Endpoint Detection & Response System Windows Defender ATP, Credential Guard, Device Guard and Exploit Guard Minimum of Windows 10/Server 2016 Tier 0/1/2 Isolation with Privileged Access Workstations Consider Red Forest + just in time permissions Deploy Application Whitelisting such as Applocker (or other commercial solution) Deploy a SIEM as well as Windows ATA or other solution (Such as QRADAR) Randomize all local admin passwords 14 Page

Most Important Line of Defense Application Security Testing Penetration Testing Red Team Engagements once you are confident you can detect attacks Vulnerability Management Services Phishing and Social Engineering Engagements Physical Security Assessments Repeat often, testing is a point in time view of security and security posture will change 15 Page

Contact Information Dustin Heywood Senior Managing Consultant, X-Force Red evilmog@ibm.com @evil_mog on Twitter 16 Page

THANK YOU FOLLOW US ON: ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions Copyright IBM Corporation 2018. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback