Targeted Attacks: How We're Getting Creamed
By Ed Skoudis
June 9, 2011
Targeted Attacks - 2011 Ed Skoudis
$ cut -f5 -d: /etc/passwd | grep -i skoudis
Ed Skoudis
- Started infosec career at Bellcore in 1996 working for phone companies; eventually got into pen tests, incident response, digital forensics
- SANS Instructor: author of classes on Incident Handling (SANS 504), Penetration Testing (560), Windows Command Line (531), and Metasploit (580)
- InGuardians Co-Founder: infosec research and consulting
- Author of Counter Hack Reloaded & Malware: Fighting Malicious Code
- Expert witness on over 100 large-scale breach cases since 2002
Outline
- Introduction
- Attack techniques used most often in today's targeted attacks
- A Scenario
- Lessons Learned
- Conclusions
Introduction
- Attackers are growing more sophisticated and more brazen
- They are attacking major organizations that design, build, secure, and operate our modern world: Google, RSA, Lockheed-Martin Corp, large-scale petroleum companies, large-scale credit card breaches
- Each attack is different in its particulars, but there are some common threads
- We need vast improvements in our defensive capabilities around these common techniques
Common Bad Guy Techniques in Recent Cases
- Proliferation of initial infection vectors: SQLi; wireless; targeted phishing, often as a prelude to <blink>client-side exploitation</blink>; P2P leakage; infected home machine brings the attacker in (mobile laptop or VPN)
- Social networks for in-depth reconnaissance
- Merciless pivoting: flat, unsegmented networks are easy pickin's for the bad guys, but even segmented networks are subject to attack through pivoting; attackers are getting very clever about pivoting
- Reverse shell / phone-home malware: often only to a single IP address, making it easy to block; that'll change
Additional Common Techniques Used in Breaches
- Pass-the-hash & token-stealing attacks are very widespread
  - Grab Windows hashes from one machine and use them to spread throughout the domain without ever knowing the actual password
  - Seize a security token from a machine where a domain admin is logged in
  - Didja see Hernan Ochoa's new version of Windows Credentials Editor (1.2)? Pass-the-ticket for MS Kerberos
- Memory scraping bypasses network and file system encryption: end-to-end encryption is NOT a panacea!
- Local privilege escalation, especially when combined with client-side exploitation
- Use of sysadmin tools for attack: Microsoft SysInternals psexec is very common; remember that it leaves behind a psexec service which we can look for
- Some use of custom malware, but often intermixed with common stuff
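Added example, not from the talk: detection logic for the psexec artifact mentioned above, run over constructed Windows System-log "service installed" records (Event ID 7045). The host names, timestamps and the flattened key=value layout are assumptions made for this example.

```python
import re

# Constructed Windows System-log records (Event ID 7045, "a service was installed"),
# flattened to key=value lines. Hosts, times and paths are made up for this example.
EVENTS = [
    "2011-06-01 09:12:03 host=FILESRV01 id=7045 name=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem",
    "2011-06-01 09:12:40 host=WS-042 id=7045 name=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem",
    "2011-06-01 09:30:11 host=WS-042 id=7036 name=Spooler state=running",
    "2011-06-01 10:01:55 host=DC01 id=7045 name=Spooler path=%SystemRoot%\\System32\\spoolsv.exe account=LocalSystem",
    "2011-06-01 10:05:19 host=WS-113 id=7045 name=svcmgr path=%SystemRoot%\\svcmgr.exe account=LocalSystem",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict."""
    fields = dict(KV.findall(line[20:]))
    fields["time"] = line[:19]
    return fields

def find_psexec_installs(events):
    """Return (host, time, service name, reason) for every service install that
    looks like PsExec: the default PSEXESVC service, or (because PsExec's -r option
    lets the operator pick another service name) a service binary dropped straight
    into %SystemRoot% rather than System32. Responders using psexec leave the same trace."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("id") != "7045":
            continue
        name, path = ev.get("name", ""), ev.get("path", "").lower()
        if name.upper() == "PSEXESVC" or "psexesvc" in path:
            reason = "psexec default service"
        elif re.fullmatch(r"%systemroot%\\[^\\]+\.exe", path):
            reason = "service binary dropped in %SystemRoot% root"
        else:
            continue
        hits.append((ev["host"], ev["time"], name, reason))
    return hits

def hosts_touched(events):
    """Hosts where a PsExec-style service appeared, in first-seen order."""
    seen = []
    for host, *_ in find_psexec_installs(events):
        if host not in seen:
            seen.append(host)
    return seen
```

The ordered host list is the lateral-movement trail to reconcile against change tickets and responder activity; anything left over is worth a closer look.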
A Scenario
Attacker Places Malicious Content on a Compromised Third-Party Site
Harvest Employee Information from Social Sites: Company Affiliation and E-mail Addrs; Hobbies, Interests, and Relationships
Mistake #1: Lacking a policy and awareness campaign for social network sites, an organization's employees will often post inappropriate sensitive information or succumb to "friends" asking them to click on links.
Spear Phishing: Convincing E-mail Enticing a Click on a Link
Mistake #2: Inbound filtering didn't block the phishing e-mail.
User Clicks on Link, Launching Browser to Surf to Attacker's Site (Request for Web Page)
Mistake #3: Lack of user awareness undermines security.
Web Page Includes Client-Side Exploit
Mistake #4: Malicious content (client-side exploit) makes it through network-based IPS and evades detection on the internal host.
Client-Side Exploit Runs, No Further User Intervention: Backdoor Installed
Mistake #5: Malicious content runs and exploits client software, often a zero-day exploit that makes the client fetch and install backdoor software. Customized, targeted backdoor malware evades anti-virus signatures and host-based IPS.
Outbound Access Yields Inbound Attacker Control
Mistake #6: No blocking of the command-and-control channel (reverse shell) for the backdoor, which may be a connection to a geographic location where the organization does not do business.
Still Lacking Domain Admin, Bad Guy Scans for Weak DMZ Targets
Mistake #7: Vulnerability scan goes undetected.
Mistake #8: SQL injection flaw discovered on DMZ server.
SQL Injection Flaw on DMZ Server
Mistake #9: Attacker exploits SQL injection flaw to upload malicious content to the website, whose web pages are dynamically built from content on the back-end database server.
Inject Malicious Content into Target's Own DMZ
Mistake #10: Another intranet user accesses more evil content through their own DMZ website, infecting this machine.
Another Backdoor Installed, with Its Own Command-and-Control Channel
Local Privilege Escalation to Get Local SYSTEM Privs
Mistake #11: Organizations deploy patches for local privilege escalation flaws very slowly (often many months after release!), giving the attacker local SYSTEM privileges.
Attacker Uses Local SYSTEM Privs to Grab Token for Domain Admin
Mistake #12: Domain admin credentials must be used very sparingly! Cached credentials on machines can be harvested by attackers and used. Even an incident responder or forensics analyst could use psexec and leave a delegate token for domain admin privileges.
Attacker Uses Domain Admin Token to Access Sensitive Data
Mistake #13: Log monitoring of access to juicy secrets is very limited, letting the bad guy exfiltrate large amounts of sensitive information without getting noticed.
Lessons Learned
Top four areas of focus in securing against these kinds of attacks:
- User awareness is key
- Client-side patching is vital
- Monitoring thoroughly and carefully is extremely important: unusual access times and destinations; large-scale data transfers (make sure you log size) and DMZ scanning
- Customized malware makes behavior-based detection more important than ever: signatures (strict and fuzzy) must be augmented with behavior-based detection in host- and network-based IPS
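Added example, not from the talk, of the monitoring points listed above: four rules (large outbound transfers, off-hours external access, repeated contact with a single external address as in the phone-home malware described earlier, and DMZ scanning) applied to a constructed flow log. The address ranges, thresholds and log format are assumptions made for this example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal user range
DMZ = ipaddress.ip_network("192.0.2.0/24")      # assumed DMZ range
LARGE_TRANSFER = 10 * 1024 * 1024               # bytes out in one flow worth a look
BEACON_MIN_FLOWS = 4                            # repeated contact with one external host
SCAN_MIN_TARGETS = 8                            # distinct DMZ host:port pairs from one source
BUSINESS_HOURS = range(7, 20)                   # 07:00-19:59 treated as normal

# Constructed flow log, one flow per line: "timestamp src dst dst_port bytes_out".
# One workstation phones home every 30 minutes, pushes 52 MB out at 02:10,
# then (the generated lines) probes eight DMZ hosts in quick succession.
FLOW_LOG = """\
2011-06-01T09:15:08 10.1.5.23 203.0.113.9 443 1450
2011-06-01T09:45:08 10.1.5.23 203.0.113.9 443 1450
2011-06-01T10:15:08 10.1.5.23 203.0.113.9 443 1450
2011-06-01T10:45:08 10.1.5.23 203.0.113.9 443 1450
2011-06-01T02:10:41 10.1.5.23 203.0.113.9 443 52000000
""" + "".join(f"2011-06-01T11:02:{i:02d} 10.1.5.23 192.0.2.{10 + i} 80 600\n"
              for i in range(8))

def parse(log):
    # Turn each log line into (time, src, dst, port, bytes_out).
    flows = []
    for line in log.splitlines():
        ts, src, dst, port, size = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port), int(size)))
    return flows

def analyze(log):
    # Apply the four monitoring rules; returns alerts keyed by rule name.
    alerts = defaultdict(set)
    external_contacts = Counter()
    dmz_targets = defaultdict(set)
    for ts, src, dst, port, size in parse(log):
        if dst in DMZ:
            dmz_targets[src].add((dst, port))           # candidate DMZ scanning
        elif dst not in INTERNAL:
            external_contacts[(src, dst)] += 1
            if size >= LARGE_TRANSFER:                   # large outbound transfer
                alerts["large_transfer"].add((str(src), str(dst), size))
            if ts.hour not in BUSINESS_HOURS:            # unusual access time
                alerts["off_hours"].add((str(src), str(dst), ts.isoformat()))
    for (src, dst), n in external_contacts.items():
        if n >= BEACON_MIN_FLOWS:                        # phone-home to one address
            alerts["beacon"].add((str(src), str(dst), n))
    for src, targets in dmz_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            alerts["dmz_scan"].add((str(src), len(targets)))
    return {rule: sorted(hits) for rule, hits in alerts.items()}
```

The size rule only works if the flow source records byte counts, which is the "make sure you log size" point above.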
Conclusions
- Sensitive data breaches show no signs of letting up
- Attackers are getting more clever and more lethal than ever
- More breaches than ever, at a smaller scale of compromised accounts, still messing you up!
- Thorough incident and log analysis is really helpful, but only if it is done proactively
- Most organizations need to change their culture regarding log analysis
Q & A
Any questions? Feel free to contact me at ed@inguardians.com