Lateral Movement by Default

Post on 26-Jan-2017


Transcript

Lateral Movement By Default

Randy Watkins

© 2015 Critical Start LLC.

Critical Start: Who We Are

Critical Start is a Threat Management company with the goal to measurably improve the security effectiveness of our customers. We developed a security framework to evaluate the status of your security controls and assess your current environment. The core inputs of our methodology are:

Attack Phase Maturity: Following a kill chain methodology, understanding the ability to detect initial compromise, lateral movement, breach detection and response.

Security Efficiency: Control effectiveness, impact to user experience, upfront costs, and ongoing costs. Security Efficiency is used to prioritize how to address attack phase maturity gaps.

Critical Assets and Data: What is the likelihood outside attackers would specifically target your organization? Critical assets and data are viewed from the point of view of 3rd party value versus business impact.

Impact of Compliance: What compliance and regulatory requirements are driving security practices within your company?


Agenda

Define Lateral Movement

How It’s Done

Methods of Lateral Movement

Recommendations for Limiting Effectiveness

Can it be Prevented?

We are currently not planning on conquering the world.

– Sergey Brin

What is Lateral Movement?

What is Lateral Movement?

Using an initial point of compromise to migrate to other network assets.

What is gained with Lateral Movement?
– Establish Persistence
– Identify Critical Assets
– Find Sensitive Data

Lateral Movement expands the attack footprint and increases Incident Response efforts, including identifying potential exfiltration.

A (mostly) Hidden Threat

• Initial compromise can use:
– Malware – Easier to detect and prevent
– Legitimate Credentials – Go after the user

• Attacker’s Point of View:
– Any user account or machine is valuable to an attacker
– Legitimate credentials are less alarming than callbacks
– Once an attacker finds their way in…


SSC Syndrome

• SSC Syndrome – Soft Squishy Center
– Most security budget is spent protecting the perimeter
– Few security measures prevent spread
– Very difficult to weed out false positives to identify lateral movement
– Most Windows machines, networks, and Active Directory are built for convenience, including lateral movement.


Methods Of Lateral Movement

Malware Back Door

• Attacker installs or gets user to install back door
– Phishing Email
– Drive-by Download

• Computer communicates to C2 server / opens a direct shell to attacker

• Attacker accesses computer

Legitimate Credentials with VPN

• Attacker compromises legitimate credentials
– Spear Phishing
– Brute Force
– Malware

• Attacker logs into machine via VPN

• Attacker does recon to find additional machines

Pass the Hash

• Attacker accesses compromised machine
– Malware
– Legitimate Credentials

• Attacker captures cached credentials

• Attacker replays captured hashes to authenticate

• Attacker continues recon to continue spread through network

Forget the Hash. Plaintext FTW!

• Multiple tools will pull credentials in clear text
– Mimikatz
– Windows Credential Editor

Rinse, Lather, Repeat

• Malware is dropped and credentials are harvested

• Cycle is repeated to continue exfiltration and expand the attack footprint

• Incident detection turns into incident containment and response


Preventing/Restricting Lateral Movement

Prevention

Start at the source:

– Malware
• Use Anti-Virus or a Next-Gen Endpoint product to prevent initial infection
• Employ Network-Based Detection to find things Endpoint Agents may not pick up

– Legitimate Credentials
• Employ SPAM and Spear Phish filtering
• Enforce Strong Passwords
• User Education: Staged Phishing Campaigns, Security Bulletins/Newsletters

Control Local Accounts

• Have unique passwords for Local Admin accounts
– Microsoft LAPS is a free tool for managing these

• Deny Network Logon for Local Accounts

• Remove user accounts from the Local Administrators group

Control Network Accounts

• Log events from Privileged Accounts

• Do not give Privileged Accounts email boxes

• Do not nest Active Directory groups into privileged groups

• Enforce Strong Passwords

Control Remote Access

• Require Privileged Accounts and VPN users to use 2-Factor Authentication

• Enforce Device Certificate Authentication

• Log all VPN connections and correlate suspicious logins

• Reduce or remove the default Cached Credential value
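The logon correlation recommended above, as an added example that is not part of the original deck: it flags one source and credential performing network logons to many hosts within a short window (the pass-the-hash spread described earlier) and network logons by local accounts, which the "Deny Network Logon for Local Accounts" control should prevent. The simplified 4624 fields and the log lines are constructed for this illustration.

```python
"""Correlate Windows 4624 (successful logon) events for the lateral-movement
patterns described above: one credential performing network logons (LogonType 3)
to many hosts in a short window, and network logons by *local* accounts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified 4624 fields: time, destination host, target domain,
# target user, logon type, authentication package, source IP (not real data).
SAMPLE_LOGS = """\
2015-06-02T09:00:05 WS-FIN-01 CORP jsmith 2 Kerberos -
2015-06-02T09:02:11 WS-FIN-01 WS-FIN-01 Administrator 3 NTLM 10.1.5.23
2015-06-02T09:02:40 WS-HR-07 WS-HR-07 Administrator 3 NTLM 10.1.5.23
2015-06-02T09:03:02 SRV-FILE-01 SRV-FILE-01 Administrator 3 NTLM 10.1.5.23
2015-06-02T09:03:44 SRV-SQL-02 SRV-SQL-02 Administrator 3 NTLM 10.1.5.23
2015-06-02T09:10:00 SRV-FILE-01 CORP jsmith 3 Kerberos 10.1.5.23
2015-06-02T14:30:00 SRV-FILE-01 CORP backup-svc 3 Kerberos 10.1.9.8
"""

def parse(text):
    recs = []
    for line in text.splitlines():
        ts, host, dom, user, ltype, pkg, src = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "host": host, "domain": dom,
                     "user": user, "type": int(ltype), "pkg": pkg, "src": src})
    return recs

def local_account_network_logons(recs):
    """Network logons whose account domain is the machine itself: a local
    account reached over the network, which 'Deny Network Logon' should block."""
    return [r for r in recs if r["type"] == 3 and r["domain"].upper() == r["host"].upper()]

def fan_out(recs, window=timedelta(minutes=10), min_hosts=3):
    """(source IP, user) pairs whose network logons reach at least min_hosts
    distinct destination hosts inside one sliding window of length `window`."""
    by_key = defaultdict(list)
    for r in recs:
        if r["type"] == 3:
            by_key[(r["src"], r["user"])].append(r)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("local accounts over network:", [(r["host"], r["user"]) for r in local_account_network_logons(events)])
    print("fan-out:", fan_out(events))
```

Tune `window` and `min_hosts` to the environment: legitimate administrative scripts and backup accounts also touch many hosts, so whitelisting known service accounts is part of weeding out the false positives the deck mentions.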

Control the Network

• Use Jump Hosts for Administrative Access

• Segment Guest/User/Server/Critical Asset networks
– Leverage user segmentation where possible

Additional Resources

• Microsoft Pass The Hash (PTH) Mitigation Paper
– http://www.microsoft.com/en-us/download/details.aspx?id=36036

• Microsoft LAPS Technet Security Advisory
– https://technet.microsoft.com/library/security/3062591

• Channel 9 Videos
– https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1208
– https://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B210#fbid=

Critical Start LLC
6860 North Dallas Pkwy, St 200
Plano, Texas 75024
Phone: 214-810-6762
info@criticalstart.com

Learn more about creating your own Defendable Network at: http://www.criticalstart.com/the-defendable-network-2/
