How We're Getting Creamed

Transcription

1 ed Attacks How We're Getting Creamed By Ed Skoudis June 9, 2011 ed Attacks Ed Skoudis 1

2 $ cut -f5 -d: /etc/passwd grep -i skoudis Ed Skoudis Started infosec career at Bellcore in 1996 working for phone companies eventually got into Pen tests Incident response Digital forensics SANS Instructor Author of classes on Incident Handling (SANS 504), Penetration Testing (560), Windows Command Line (531), and Metasploit (580) InGuardians Co-Founder Infosec research and consulting Author -- Counter Hack Reloaded & Malware - Fighting Malicious Code Expert witness on over 100 large-scale breach cases since 2002 ed Attacks Ed Skoudis 2

3 Outline Introduction Attack techniques used most often in today s targeted attacks A Scenario Lessons Learned Conclusions ed Attacks Ed Skoudis 3

4 Introduction Attackers are growing more sophisticated and more brazen They are attacking major organizations that design, build, secure, and operate our modern world Google RSA Lockheed-Martin Corp Large-scale petroleum companies Large-scale credit card breaches Each attack is different in its particulars but there are some common threads We need vast improvements in our defensive capabilities around these common techniques ed Attacks Ed Skoudis 4

5 Outline Introduction Attack techniques used most often in today s targeted attacks A Scenario Lessons Learned Conclusions ed Attacks Ed Skoudis 5

6 Common Bad Guy Techniques in Recent Cases Proliferation of initial infection vectors SQLi Wireless ed phishing often as prelude to <blink> Client-side exploitation </blink> P2P leakage Infected home machine brings attacker in (mobile laptop p or VPN) Social networks for in-depth reconnaissance Merciless pivoting Flat, unsegmented networks are easy pickin s for the bad guys But, even segmented networks are subject to attack through pivoting attackers are getting very clever about pivoting Reverse shell / phone home malware Often only to single IP address, making it easy to block that'll change ed Attacks Ed Skoudis 6

7 Additional Common Techniques Used in Breaches Pass the hash & token stealing attacks are very widespread Grab Windows hashes from one machine and use them to spread throughout domain out ever knowing the actual password Seize a security token from a machine where a domain admin is logged in Didja see Hernan Ochoa s new version of Win Credentials Editor (1.2) pass-the-ticket for MS Kerberos? Memory scraping Bypasses network and file system encryption End-to-end encryption is NOT a panacea! Local privilege escalation Especially when combined client-side exploitation Use of sysadmin tools for attack Microsoft SysInternals psexec very common Remember that it leaves behind a psexec service which we can look for Some use of custom malware, but often intermixed common stuff ed Attacks Ed Skoudis 7

8 Outline Introduction Attack techniques used most often in today s targeted attacks A Scenario Lessons Learned Conclusions ed Attacks Ed Skoudis 8

9 Attacker Places Malicious on a Compromised Third-Party Site Internal Users ed Attacks Ed Skoudis 9

10 Harvest Employee Information from Social Sites Company Affiliation and Addrs Hobbies, Interests, and Rlti Relationships Internal Users Mistake #1: Lacking a policy and awareness campaign for social network sites, an organization's employees will often post inappropriate sensitive information or succumb to "friends" asking to click on links. ed Attacks Ed Skoudis 10

11 Spear Phishing Convincing enticing link Internal Users Mistake #2: Inbound filtering didn't block the phishing mail. ed Attacks Ed Skoudis 11

12 User Clicks on Link, Launching Browser to Surf to Attacker's t Request for web page Internal Users Mistake #3: Lack of use awareness undermines security. ed Attacks Ed Skoudis 12

13 Includes Client-Side Exploit Internal Users Mistake #4: content ( client-side exploit) makes it through network-based IPS and evades detection on internal host. ed Attacks Ed Skoudis 13

14 Client-Side Exploit Runs No Further User Intervention ti Backdoor Internal Users Mistake #5: Malicious content runs and exploits client software, often zero-day exploit that makes client fetch and install backdoor software. Customized, targeted backdoor malware evades anti-virus signature and host-based IPS. ed Attacks Ed Skoudis 14

15 Outbound Access Yields Inbound Attacker Control Backdoor Internal Users Mistake #6: No blocking of command-and-control control channel (reverse shell) for backdoor, which may be a connection to a geographic location where the organization does not do business. ed Attacks Ed Skoudis 15

16 Still Lacking Domain Admin, Bad Guy Scans for Weak DMZ s Backdoor Mistake #7: Vulnerability scan goes undetected. Internal Users Mistake #8: SQL injection flaw discovered on DMZ server. ed Attacks Ed Skoudis 16

17 SQL Injection Flaw on on DMZ More Backdoor Internal Users Mistake #9: Attacker exploits SQL injection flaw to upload malicious content to website, whose web pages are dynamically built from content on back-end database server. ed Attacks Ed Skoudis 17

18 Inject Malicious into 's Own DMZ More Backdoor Internal Users More Mistake #10: Another intranet user accesses more evil content through their own DMZ website, infecting this machine. ed Attacks Ed Skoudis 18

19 Another Backdoor Installed Command-and-Control d C Channel More Backdoor Backdoor Internal Users ed Attacks Ed Skoudis 19

20 Local Privilege Escalation to Get Local SYSTEM Privs More Backdoor Backdoor Internal Users Mistake #11: Organizations deploy patches for local privilege escalation flaws very slowly (often many months after release!), giving the attacker local SYSTEM privileges. ed Attacks Ed Skoudis 20

21 Attacker Uses Local SYSTEM Privs to Grab Token for Domain Admin More Backdoor Backdoor Internal Users Mistake #12: Domain admin credentials must be used very sparingly! Cached credentials on machines can be harvested by attackers and used. Even an incident responder or forensics analyst could use psexec and leave an delegate token for domain admin privileges. ed Attacks Ed Skoudis 21

22 Attacker Uses Domain Admin Token to Access t More Backdoor Backdoor Internal Users Mistake #13: Log monitoring of access to juicy secrets is very limited, letting the bad guy exfiltrate large amounts of sensitive information out getting noticed. ed Attacks Ed Skoudis 22

23 Outline Introduction Attack techniques used most often in today s targeted attacks A Scenario Lessons Learned Conclusions ed Attacks Ed Skoudis 23

24 Lessons Learned Top four areas of focus in securing against these kinds of attacks: User awareness is key Client-side patching is vital Monitoring thoroughly and carefully is extremely important Unusual access times and destinations Large-scale data transfers (make sure you log size) and DMZ scanning Customized malware makes behavior-based detection more important than ever Signatures (strict and fuzzy) must be augmented behavior-based detection in host- and network-based IPS ed Attacks Ed Skoudis 24

25 Conclusions Sensitive data breaches show no signs of letting up Attackers are getting more clever and more lethal than ever More breaches than ever, at a smaller scale of compromised accounts still messing you up! Thorough incident and log analysis is really helpful, but only if it is done proactively Most organizations need to change their culture regarding log analysis ed Attacks Ed Skoudis 25

26 Q & A Any questions? Feel free to contact me at [email protected] ed Attacks Ed Skoudis 26