
(1)

Targeted Attacks

How We're Getting Creamed

By Ed Skoudis, June 9, 2011

(2)

$ cut -f5 -d: /etc/passwd | grep -i skoudis

• Ed Skoudis

• Started infosec career at Bellcore in 1996 working for phone companies… eventually got into…

– Pen tests

– Incident response

– Digital forensics

• SANS Instructor

– Author of classes on Incident Handling (SANS 504), Network Penetration Testing (560), Windows Command Line (531), and Metasploit (580)

• InGuardians Co-Founder… Infosec research and consulting

• Author -- Counter Hack Reloaded & Malware - Fighting Malicious Code

• Expert witness on over 100 large-scale breach cases since 2002

(3)

Outline

• Introduction

• Attack techniques used most often in today's targeted attacks

• A Scenario

• Lessons Learned

• Conclusions

(4)

Introduction

• Attackers are growing more sophisticated and more brazen

• They are attacking major organizations that design, build, secure, and operate our modern world

– Google

– RSA

– Lockheed-Martin Corp

– Large-scale petroleum companies

– Large-scale credit card breaches

• Each attack is different in its particulars… but there are some common threads

• We need vast improvements in our defensive capabilities around these common techniques


(6)

Common Bad Guy Techniques in Recent Cases

• Proliferation of initial infection vectors

– SQLi

– Wireless

– Targeted phishing… often as prelude to…

<blink> Client-side exploitation </blink>

– P2P leakage

– Infected home machine brings attacker in (mobile laptop or VPN)

• Social networks for in-depth reconnaissance

• Merciless pivoting

– Flat, unsegmented networks are easy pickin's for the bad guys

– But, even segmented networks are subject to attack through pivoting… attackers are getting very clever about pivoting

• Reverse shell / "phone home" malware

(7)

Additional Common Techniques Used in Breaches

• Pass the hash & token stealing attacks are very widespread

– Grab Windows hashes from one machine and use them to spread throughout domain without ever knowing the actual password

– Seize a security token from a machine where a domain admin is logged in

– Didja see Hernan Ochoa's new version of Win Credentials Editor (1.2) with pass-the-ticket for MS Kerberos?

• Memory scraping

– Bypasses network and file system encryption

– End-to-end encryption is NOT a panacea!

• Local privilege escalation

– Especially when combined with client-side exploitation

• Use of sysadmin tools for attack

– Microsoft SysInternals psexec very common

• Remember that it leaves behind a psexec service which we can look for

• Some use of custom malware, but often intermixed with common stuff
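The psexec bullet above says the tool leaves behind a service we can look for. As an added example (not from the slides), here is a small Python check over constructed Windows System log entries: the Service Control Manager writes event ID 7045 for every service installation, and PsExec's helper service is named PSEXESVC by default. Because PsExec can be told to use a different service name (its -r switch), the check also flags 7045 events whose service binary lives in a user-writable directory. The flattened one-line log format, the sample events, and the directory list are my assumptions.

```python
import re

# Constructed Windows System log entries flattened to one "Key=value" line each
# (not real log data). The Service Control Manager writes event ID 7045 whenever
# a new service is installed; PsExec installs its helper as PSEXESVC by default.
SAMPLE_EVENTS = [
    "EventID=7045 Source=Service Control Manager Msg=A service was installed in the system. "
    "Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service "
    "Service Start Type: demand start Service Account: LocalSystem",
    "EventID=7036 Source=Service Control Manager Msg=The PSEXESVC service entered the running state.",
    "EventID=7045 Source=Service Control Manager Msg=A service was installed in the system. "
    "Service Name: Dnscache Service File Name: %SystemRoot%\\system32\\svchost.exe -k NetworkService "
    "Service Type: user mode service Service Start Type: auto start Service Account: NT AUTHORITY\\NetworkService",
    "EventID=7045 Source=Service Control Manager Msg=A service was installed in the system. "
    "Service Name: updatesvc Service File Name: C:\\Windows\\Temp\\updatesvc.exe Service Type: user mode service "
    "Service Start Type: demand start Service Account: LocalSystem",
]

SERVICE_INSTALL_ID = "7045"
# Pull the service name and binary path out of the 7045 message body.
FIELD_RE = re.compile(r"Service Name: (?P<name>.*?) Service File Name: (?P<path>.*?) Service Type:")
# Directories a legitimate service binary rarely lives in (assumption; tune per environment).
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


def parse_event(line):
    """Split 'Key=value Key=value ...' into a dict; values may contain spaces."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def find_suspicious_service_installs(lines):
    """Return one finding per 7045 event that looks like PsExec or a look-alike."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != SERVICE_INSTALL_ID:
            continue
        m = FIELD_RE.search(ev.get("Msg", ""))
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        reasons = []
        if "psexesvc" in name.lower() or "psexesvc" in path.lower():
            reasons.append("default PsExec service name or binary")
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("service binary in a user-writable directory")
        if reasons:
            findings.append({"service": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_service_installs(SAMPLE_EVENTS):
        print(f["service"], f["path"], "; ".join(f["reasons"]))
```

On the constructed sample this reports the PSEXESVC install and the service dropped in C:\Windows\Temp, and stays quiet about the ordinary Dnscache service; the 7036 "entered the running state" line is ignored because only the install event carries the binary path.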


(9)

Attacker Places Malicious Content on a Compromised Third-Party Site

[Diagram: the target corporate network (public website and database server on the DMZ, an intranet server with juicy secrets, internal network users, and the firewall infrastructure) connected to the Internet, where the LinkedIn service, the Facebook service, a file distribution service, and a web site in the cloud sit; the attacker's evil content is placed on the web site in the cloud.]

(10)

Harvest Employee Information from Social Network Sites

[Diagram: same network as the previous slide; the attacker harvests company affiliation, hobbies, interests, relationships, and e-mail addresses from the LinkedIn and Facebook services.]

Mistake #1: Lacking a policy and awareness campaign for social network

(11)

Spear Phishing

[Diagram: same network; a convincing e-mail with an enticing link is sent from the Internet to the internal network users.]

Mistake #2: Inbound filtering didn't block the phishing e-mail.

(12)

User Clicks on Link, Launching Browser to Surf to Attacker's Content

[Diagram: same network; an internal user's request for a web page goes out through the firewall to the web site in the cloud holding the evil content.]

Mistake #3: Lack of user awareness undermines security.

(13)

Evil Content Includes Client-Side Exploit

[Diagram: same network; the evil content travels back through the firewall infrastructure to the internal user's machine.]

Mistake #4: Evil content (with client-side exploit) makes it through network-based IPS and evades detection on internal host.

(14)

Client-Side Exploit Runs with No Further User Intervention

[Diagram: same network; a backdoor is now installed on the internal user's machine alongside the evil content.]

Mistake #5: Malicious content runs and exploits client software, often

(15)

Outbound Access Yields Inbound Attacker Control

[Diagram: same network; the backdoor on the internal machine connects outbound through the firewall to the web site in the cloud, giving the attacker inbound control.]

Mistake #6: No blocking of command-and-control channel (reverse shell) for backdoor, which may be a connection to a geographic location where the organization does not do business.

(16)

Still Lacking Domain Admin, Bad Guy Scans for Weak DMZ Servers

[Diagram: same network; from the backdoored internal machine the attacker scans the public website and database server on the DMZ.]

Mistake #7: Vulnerability scan goes undetected.

(17)

SQL Injection Flaw on Public Website on DMZ

[Diagram: same network; more evil content is pushed through the public website into the database server on the DMZ.]

Mistake #9: Attacker exploits SQL injection flaw to upload malicious content to website, whose web pages are dynamically built from content on back-end database server.
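Mistake #9 rests on two weaknesses at once: the website builds SQL from visitor input, and it builds its pages from whatever the database holds, so anything that lands in the database is served to every later visitor. As an added illustration, not part of the slides or of any real site, the Python below keeps a vulnerable and a hardened version of each step side by side, using an in-memory SQLite table as a stand-in for the back-end database server (the table, its columns, and the sample comments are constructed). A parameterised INSERT keeps visitor text out of the SQL, and escaping on output keeps stored text from being served as live markup.

```python
import html
import sqlite3


def new_db():
    """In-memory stand-in for the back-end database that feeds the public website (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_comment_vulnerable(conn, author, body):
    """Builds the INSERT by string formatting: the visitor's text becomes part of the SQL itself."""
    sql = f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}')"
    conn.execute(sql)


def store_comment_hardened(conn, author, body):
    """Parameterised INSERT: the driver passes the values separately from the SQL text."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def render_page_vulnerable(conn):
    """Pastes database content straight into HTML, so stored markup is served live."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "".join(f"<p><b>{a}</b>: {b}</p>" for a, b in rows)


def render_page_hardened(conn):
    """HTML-escapes every database field before it reaches the page."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "".join(f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows)


def demo():
    """Return (vulnerable_insert_failed, unsafe_html, safe_html) for constructed inputs."""
    conn = new_db()
    # A plain apostrophe is enough to show that the query's structure is under visitor control:
    # the formatted INSERT is no longer valid SQL and the database rejects it.
    try:
        store_comment_vulnerable(conn, "alice", "It's a fine day")
        insert_failed = False
    except sqlite3.OperationalError:
        insert_failed = True
    store_comment_hardened(conn, "alice", "It's a fine day")
    # Constructed sample of content an attacker would want the site to serve to other visitors.
    store_comment_hardened(conn, "mallory", "<script>alert(1)</script>")
    return insert_failed, render_page_vulnerable(conn), render_page_hardened(conn)


if __name__ == "__main__":
    failed, unsafe, safe = demo()
    print("vulnerable insert rejected by the database:", failed)
    print("unsafe page:", unsafe)
    print("safe page:  ", safe)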

(18)

Inject Malicious Content into Target's Own DMZ Website

[Diagram: same network; the more evil content stored on the database server is served by the public website to another internal network user.]

Mistake #10: Another intranet user accesses more evil content through

(19)

Another Backdoor Installed with Command-and-Control Channel

[Diagram: same network; a second backdoor now runs on another internal user's machine, with its own command-and-control channel out through the firewall.]

(20)

Local Privilege Escalation to Get Local SYSTEM Privs

[Diagram: same network; two backdoored internal machines, on one of which the attacker escalates to local SYSTEM privileges.]

Mistake #11: Organizations deploy patches for local privilege escalation

(21)

Attacker Uses Local SYSTEM Privs to Grab Token for Domain Admin

[Diagram: same network; on the SYSTEM-level machine the attacker grabs the security token of a logged-in domain admin.]

Mistake #12: Domain admin credentials must be used very sparingly! Cached credentials on machines can be harvested by attackers and used. Even an incident responder or forensics analyst could use psexec and

(22)

Attacker Uses Domain Admin Token to Access Intranet Server

[Diagram: same network; with the domain admin token the attacker reaches the intranet server and its juicy secrets.]

Mistake #13: Log monitoring of access to juicy secrets is very limited,


(24)

Lessons Learned

• Top four areas of focus in securing against these kinds of attacks:

– User awareness is key

– Client-side patching is vital

– Monitoring thoroughly and carefully is extremely important

• Unusual access times and destinations

• Large-scale data transfers (make sure you log size)

• Intranet and DMZ scanning

– Customized malware makes behavior-based detection more important than ever

• Signatures (strict and fuzzy) must be augmented with
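The three monitoring bullets above (unusual access times and destinations, large-scale transfers, intranet and DMZ scanning) and the Mistake #6 caption in the scenario (a command-and-control connection to a geography where the organization does no business) are all checks that can be run over ordinary connection logs, provided size is logged. Here is an added Python example, not from the slides, that applies those four heuristics to a constructed firewall/proxy log. The log format, the business-hours window, the size threshold, the scan threshold, and the set of countries the organization does business in are all my assumptions; the country code XX is a placeholder for a country where it has no presence.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime

# Constructed outbound/internal connection log (not real data). Columns:
# timestamp, source IP, destination IP, destination port, destination country, bytes sent.
# "INTERNAL" marks destinations inside the corporate network; "XX" is a
# placeholder for a country where the organization does no business.
SAMPLE_LOG = [
    "2011-06-09T09:12:03,10.1.5.23,203.0.113.10,443,US,18422",
    "2011-06-09T02:47:10,10.1.5.23,198.51.100.7,443,XX,903",
    "2011-06-09T02:48:55,10.1.5.23,198.51.100.7,443,XX,2147483648",
]
# A burst of tiny connections from one internal host to 24 ports on a DMZ server.
SAMPLE_LOG += [
    f"2011-06-09T10:05:{sec:02d},10.1.7.88,10.1.2.10,{port},INTERNAL,60"
    for sec, port in enumerate(range(1, 25))
]

BUSINESS_HOURS = range(7, 19)              # 07:00-18:59 local time (assumption)
DO_BUSINESS_IN = {"US", "CA", "INTERNAL"}  # where the organization operates (assumption)
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB in a single connection (assumption)
SCAN_THRESHOLD = 20                        # distinct ip:port pairs touched by one source (assumption)


def parse_log(lines):
    """Turn CSV lines into dicts with typed fields."""
    rows = []
    for ts, src, dst, port, country, size in csv.reader(lines):
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "country": country, "bytes": int(size)})
    return rows


def analyze(lines):
    """Return a list of (rule, source, detail) alerts for the four heuristics."""
    alerts = []
    targets = defaultdict(set)   # source -> set of (dst, port) it touched
    for r in parse_log(lines):
        where = f'{r["dst"]}:{r["port"]}'
        targets[r["src"]].add((r["dst"], r["port"]))
        if r["country"] not in DO_BUSINESS_IN:
            alerts.append(("unusual-destination", r["src"], f'{where} in {r["country"]}'))
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", r["src"], f'{where} at {r["ts"].time()}'))
        if r["bytes"] >= LARGE_TRANSFER_BYTES:
            alerts.append(("large-transfer", r["src"], f'{r["bytes"]} bytes to {where}'))
    # Scanning is a property of the whole log, not of one line: many distinct targets per source.
    for src, seen in targets.items():
        if len(seen) >= SCAN_THRESHOLD:
            alerts.append(("scan", src, f"{len(seen)} distinct ip:port targets"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'unusual-destination': 2, 'off-hours': 2, ...}."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

The host 10.1.5.23 trips three rules at once (an off-hours connection to a country on no business list, carrying 2 GiB out), which is the reverse-shell-plus-exfiltration pattern the scenario describes, while 10.1.7.88 is flagged only once, for touching 24 ports on one DMZ server. In practice the country set and thresholds come from the organization's own baseline, which is exactly the "culture change regarding log analysis" the conclusions call for.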

(25)

Conclusions

• Sensitive data breaches show no signs of letting up

– Attackers are getting more clever and more lethal than ever

– More breaches than ever, at a smaller scale of compromised accounts… still messing you up!

• Thorough incident and log analysis is really helpful, but only if it is done proactively

• Most organizations need to change their culture regarding log analysis

(26)

Q & A

• Any questions?

• Feel free to contact me at [email protected]
