Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Similar documents
TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

JPCERT/CC Incident Handling Report [January 1, March 31, 2018]

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Using a Vulnerability Description Ontology for vulnerability coordination

CyberArk Privileged Threat Analytics

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Information Security and Cyber Security

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Security Fundamentals for your Privileged Account Security Deployment

Computer Security Trend 2008 from Japan. SQL Injection, DNS cache poisoning, Phishing, Key logger Malware and Targeted Attacks

Tracking mimikatz by Sysmon and Elasticsearch

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Carbon Black PCI Compliance Mapping Checklist

Detecting Lateral Movement through Tracking Event Logs (Version 2)

ICS Security Monitoring

Active Directory Attacks and Detection Part -II

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015]

the SWIFT Customer Security

Active Directory Attacks and Detection

10 FOCUS AREAS FOR BREACH PREVENTION

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

T22 - Industrial Control System Security

K12 Cybersecurity Roadmap

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Ransomware A case study of the impact, recovery and remediation events

Pass-the-Hash Attacks

Ransomware A case study of the impact, recovery and remediation events

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Building Resilience in a Digital Enterprise

I Was APT d. What Did They Steal?

Intrusion Attempt Who's Knocking Your Door

CYBERSECURITY RISK LOWERING CHECKLIST

Built-in functionality of CYBERQUEST

RSA INCIDENT RESPONSE SERVICES

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Nebraska CERT Conference

A YEAR OF PURPLE. By Ryan Shepherd

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

10 Active Directory Misconfigurations That Lead to Total Compromise Austin, TX 201 W 5th St.

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Modern Realities of Securing Active Directory & the Need for AI

An Analysis of Local Security Authority Subsystem

Security Architecture

ANATOMY OF AN ATTACK!

Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

align security instill confidence

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Defining Computer Security Incident Response Teams

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

CNIT 50: Network Security Monitoring. 9 NSM Operations

CCNA Cybersecurity Operations 1.1 Scope and Sequence

RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2014]

How Breaches Really Happen

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

vol.15 August 1, 2017 JSOC Analysis Team

The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Becoming the Adversary

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Cisco Cyber Range. Paul Qiu Senior Solutions Architect June 2016

RSA NetWitness Suite Respond in Minutes, Not Months

2015 HFMA What Healthcare Can Learn from the Banking Industry

Juniper Vendor Security Requirements

Medical Device Vulnerability Management

WHO AM I? Been working in IT Security since 1992

CERT Development EFFECTIVE RESPONSE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Mapping BeyondTrust Solutions to

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

GE Fanuc Intelligent Platforms

How security intelligence can be used for incident management. Volker Rath, Techn. Lead Consulting Services

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

McAfee Endpoint Security

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

Security and Authentication

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

CIS Controls Measures and Metrics for Version 7

MEETING ISO STANDARDS

Make IR Effective with Risk Evaluation and Reporting

Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Segmentation for Security

APT Log Analysis - Tracking Attack Tools by Audit Policy and Sysmon - Shusei Tomonaga JPCERT Coordination Center

CYBER RESILIENCE & INCIDENT RESPONSE

Transcription:

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Agenda Introduction to JPCERT/CC About system-wide intrusions Analyzing Windows event logs Conclusion 2

Self-introduction Shingo Abe Information Analyst at ICS security Response Group, JPCERT/CC since 2014. In the past Implementation of a cryptographic algorithm Mobile Device Management (MDM) Developed key management system etc Now ICS security IoT security Log analysis etc 3

About JPCERT Coordination Center Foundation - October, 1996 Organization Status & Constituency - An independent, non-profit organization - Internet users in Japan, for enterprises - Mainly providing service through technical staffs with high degree of professionalism in enterprise International and Regional Activities 4

Prevent Watch Respond JPCERT/CC - 3 Services and 6 Basic Activities - -Vulnerability Information Handling Coordinate with developers Coordinate on unknown with vulnerability developers on information unknown vulnerability information Secure Coding Secure coding - Information gathering / analysis / sharing - Internet Traffic Monitoring Alerts / Advisories Alert / Advisories - Incident handling Mitigating the damage Mitigating the damage through efficient incident through efficient incident handling handling Information sharing to Information sharing to prevent similar incidents prevent similar incidents Early Warning Information CSIRT Establishment Support Industrial Control System Security Artifact Analysis Domestic Collaboration Information sharing with critical infrastructure enterprises, etc. Capacity building for internal CSIRTs in enterprises / overseas national CSIRTs Activities to protect ICS, such as incident handling and information gathering / sharing Analysis on attack methods / behavior of malware (unauthorized program) Collaboration with various security communities in Japan International Collaboration Collaboration with overseas organizations for smoother handling of incidents and vulnerabilities Assigned by METI as the vulnerability handling organization. 5

About the Industrial Control Systems security Response Group Industrial Control Systems security Response group (ICSR) JPCERT/CC created a dedicated team for "Control Systems Security Response" in the summer 2012 Activities related to controls systems security originally started at JPCERT/CC in 2007 Main activities include: 1. Reception of ICS incident reports and provide response assistance 2. Vulnerability handling of ICS related products 3. Collect / Analyze / Transmit information related to ICS security 4. Provide self-assessment tool (J-CLICS/SSAT) 5. Public Awareness, Collaboration Hold an annual control systems security conference Administration of various communities Etc. In the US, ICS-CERT exists and specializes in control systems (since 2009) 6

ABOUT SYSTEM-WIDE INTRUSIONS 7

Background Targeted attacks today are becoming more sophisticated and it is difficult to completely prevent attacks by just defending the border Attackers remain within the systems of an organization and cleverly steal information over a long period of time If detection is delayed, damages increase. It is critical to detect as soon as possible to stop the attack. Prepare Intrusion Lateral Movement Activity Plan Prep Initial intrusion Base prep Internal intrusion Investigate Execute Destroy evidence Today s focus 8

System-wide intrusions explained Attackers attempt to spread infections to achieve their goals or search for information that may be of value To spread infections within the system, attackers may use the following methods (for lateral movement) 1. Unauthorized use of domain administrator account 2. Unauthorized use of Local Admin account 3. Replacing files on a server in an unauthorized manner Focus here Corporate Network? User Device A User Device B 9

Number of confirmed cases for unauthorized use of domain administrator rights Out of the targeted attacks cases handled during FY 2015 at JPCERT/CC, the number of cases (relatively clearly) confirmed where attack activity (system-wide intrusion) was on-going within the target network 16 cases No unauthorized use of domain administrator rights 1 case Cause for unauthorized use Unknown 4 cases Password obtained 5 cases 10 Unauthorized use of domain administrator rights 15 cases AD vulnerability + Password obtained 6 cases After intrusion, almost all cases (15 / 16) resulted in unauthorized use of domain administrator account Almost half of the Domain Controllers (Active Directory) were not updated to address known vulnerabilities

[Case Study] Unauthorized use of domain administrator account Domain administrators have rights that allow them to perform various operations, thus become a target for attackers Methods used to steal domain account administrator rights include: Exploit vulnerabilities in Active Directory Use local device registry keys, domain administrator account password hash values stored on memory Attack example that JPCERT/CC observed Domain Controller (Active Directory) Traces left in the event logs 3Unauthorized access using domain administrator rights Attacker 1Obtain Local Admin information User Device A (Infected) 2Intrusion using Local Admin info User Device B (Administrator) 11

ANALYZING WINDOWS EVENT LOGS 12

Motivation behind the analysis and considerations Motivation To more effectively discover system-wide intrusions in traditional IT systems as part of incident response by narrowing analysis targets to specific events and fields Method Considerations In order to control a device from another device within the same domain, authentication via Kerberos or NTLM is required If authentication is performed, event IDs related to the authentication are recorded in the Domain Controller Events related to authentication contain fields for device requesting authentication and administrator account 13

What event IDs to look for in the target? Perform an investigation targeting the following event IDs: Successful Login (Event ID:4624) Failed Login (Event ID:4625) Kerberos Authentication (Event ID:4768) Kerberos Service Ticket (Event ID:4769) NTLM Authentication (Event ID:4776) Assignment of Administrator Rights (Event ID:4672) * These event IDs are for Windows Vista / Server 2008 and later 14

Event IDs and Fields to be extracted Successful Login (4624),Failed login (4625) Event Log Item Name Time New Logon: Account Name Account Name: Device Requesting Authentication Network Information: (IP Address) Source Network Address: Device Requesting Authentication Network Information: (Host Name) Workstation Name: Error Code Failure Information: 4625 only Status: Kerberos Authentication(4768), Kerberos Service Ticket (4769) Event Log Item Name Time Account Information: Account Name Account Name: Device Requesting Authentication Network Information: (IP Address) Client Address: Additional Information: Result Code Result Code: NTLM Authentication(4776) Time Event Log Item Name Account Name Logon Account: Device Requesting Authentication Source Workstation: (Host Name) Result Code Error Code: Assignment of Administrator Rights(4672) Time Account Name Event Log Item Name Account Name: 15

Analysis results to output List of devices that use domain administrator accounts Relationship between domain administrator account and devices that requested authentication To check the validity of the devices that use domain administrator accounts The number of authentication attempts per day for each domain administrator account To check for sudden changes in the number of authentication attempts or accounts not typically used during certain periods of time List of users with specialized rights To check for uses of such special rights by accounts that do not normally use these rights 16

Sample of results output By visualizing the relationship between the devices requesting authentication and domain administrator account, dates and number of authentication attempts, validity can be easily checked for Devices requesting authentication and domain administration accounts 192.168.32.A 192.168.32.B 192.168.32.C 192.168.32.D Authentication requesting device AdminA AdminB Account Devices requesting authentication and number of authentication attempts AdminB 192.168.32.C 192.168.32.D 01 WED 02 THU 03 FRI 2016/06 04 SAT 05 SUN 06 MON 07 TUE 4624 5 8 11 6 4625 4768 4769 4776 5 13 7 6 4624 1 32 14 4625 20 4768 30 18 4769 123 4776 17

Applying to investigate incidents in control systems Motivation behind applying this method to control systems In traditional IT systems, we were able to discover other infected devices and accounts being maliciously used during incident response For the following reasons, we thought that this method could be useful in control systems that do not use AD: 1. Devices and administrator accounts used in control systems are limited 2. The number of total events should be lower than traditional IT systems, so anomalies should be relatively easy to detect 3. Does not require implementing a new "security device" With cooperation from some asset owners, we were able to obtain logs for critical Windows devices (OPC server, etc.) used in control systems and applied this analysis method 18

The effectiveness of this method Effectiveness of this method Utilize for re-examining operations Grasp behavior that differs from the norm Optimize and minimize the number of devices that use administrator accounts Utilize for re-examining log settings Settings for size and rotation of logs Settings for audit policies 19

Audit policies that should be in place Account logon Audit to check credential information Audit for Kerberos authentication service Log on / Log off Audit logons Audit other logon / log off events Audit special logons Enabled by default in Windows Server 2008 / 2012 20

Some remaining challenges When blended in with legitimate authentications, unauthorized use is hard to recognize If there are complexities between the device requesting authentication and the administrator account, it is difficult to determine validity In DHCP environments, devices cannot be identified using IP addresses alone, therefore it is necessary to use DHCP logs 21

CONCLUSION 22

Conclusion Introduced an analysis method to discover system-wide intrusions Was useful in discovering (unauthorized use of devices and accounts) system-wide intrusions during incident response in traditional IT systems Applying the method to Windows devices in control systems left us with a good impression going forward The next step is apply the method against logs after an incident in a control system Looking for partners that may be willing to provide logs for this analysis! 23

For Inquiries and Incident Response Requests JPCERT Coordination Center Inquiries on Control Systems Email:icsr@jpcert.or.jp https://www.jpcert.or.jp/english/cs/controlsystem security.html Reporting Control System Incidents Email:icsr-ir@jpcert.or.jp https://www.jpcert.or.jp/english/cs/how_to_report _an_ics_incident.html Thank you for your attention 24

Details on Kerberos KDC vulnerability Vulnerability where service ticket is issued without properly verifying the PAC (Domain SID and affiliated security group) digital signature when KDC receives TGT ticket Attacker can alter data related to rights within PAC, which may result in assigning itself as part of the domain administrator group Include PAC in TGT, then sign Verify PAC information and digital signature Issue in signature verification Source: http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx 25

Analysis overview of Kerberos KDC vulnerability Check whether there are event outputs when an attack exploiting the Kerberos KDC vulnerability (CVE-2014-6324) to escalate privileges to domain administrator Prior to applying patch Check whether there are special rights assigned to accounts that are not domain administrators (Event ID: 4672) After applying patch Check whether there are authentication failures (Event ID: 4769, Failure Code:0xf) related to service tickets 26 Overview of attack exploiting Kerberos KDC vulnerability

Method to determine whether administrator account is being used appropriately The left example can be determined as standard use since authentication for the administrator account is being performed from the AD administrator device (192.0.2.20). The right example can be determined as unauthorized use since authentication for the administrator account is being performed from a device (192.0.2.40) that is not normally used for authentication Appropriate account use / management Unauthorized account use by attacker Active Directory(DC) (192.0.2.10) Active Directory(DC) (192.0.2.10) Intruded device (192.0.2.40) 2. Issue authentication ticket 2. Issue authentication ticket 1. Request authentication ticket using stolen administrator account 1. Request authentication ticket using the administrator account 3. Login using the ticket 3. Login using the ticket AD Administrator (192.0.2.20) Target Managed Device (192.0.2.30) AD Administrator (192.0.2.20) Target Managed Device (192.0.2.30) 27

Authentication information stored in memory of Windows devices Kerberos Hash Plaintext Password OS Version User TGT LM NTLM Windows Server 2003 Windows Vista and before Windows Server 2008R2 Windows 7 Windows Server 2012R2 Windows 8.1 Local Not saved Saved Saved Saved Domain Saved Saved Saved Saved Local Not saved Not saved 1 Saved Not saved 1 Domain Saved Not saved 1 Saved Not saved 1 Local Not saved Not saved Saved 2 Not saved Domain Saved 2 Not saved Saved 2 Not saved Protected User Restricted Admin Saved 2 Not saved Not saved Not saved Not saved Not saved Not saved Not saved 1: Requires security update (KB2871997) 2: Protected by LSA Protection (function that prevents reading of memory by processes without MS signatures) : Some authentication packages, such as digest require plaintext passwords and may be stored Security has been enhanced since Windows 2012R2 / Win 8.1 28

(Ref) AD authentication events (for Windows 2003) Relationship between event IDs for Windows 2008 and later and 2003 Successful Login Failed Login Kerberos Authentication NTLM Authentication Assignment of administrative rights 2008 and later 2003 Notes 4624 528(local login) 540(network login) After 2008, "logon type" is used to identify 4625 529-537,539 In 2003, different IDs for each failure reason After 2008, "status code" is used to identify 4768 672(success) 676(fail) After 2008, "result code" is used to identify 4776 680 According to Microsoft, NTLM authentication is also recorded in 528 and 520, there is no additional information that can be obtained from 680 4672 576 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback