CSG Spring 2015 – Security 3.0: Learning to live with an advanced persistent threat.

We’re at Penn State University for the Spring CSG meeting. The first workshop is titled Security 3.0

John Denune – UCSD – Learning to live with an advanced persistent threat.

What is an APT? Not an opportunistic attack – they’re after something you have. Targeted, skilled, and won’t stop till they reach their goals. Can take years to break into your systems. Can be technical means (0 days, custom malware), or social engineering. Can be theft for financial information, corporate espionage, state sponsored.

APT Lifecycle: External recon (looking at projects, org charts, etc), initial compromise, then establish a foothold, escalate privileges until they get what they want.

Initial detection started in June 2012.

Tried to drop malware on a departmental machine – not all that unusual. Came in the same way the following night. Came in on separate VPN accounts to VPN concentrators, and logged in to servers with OU admin credentials. Over next several nights reset passwords, rebuilt machines, etc.

Lesson learned: Really pay attention to anti-virus alerts, but don’t (completely) rely on your AV product – only one caught this and it only caught one out of several instances.

Where possible, track IPs instead of blocking them.

Initial Recon was traced back in February 2012 – scoured departmental web servers. Initial compromise happened in April. Found a dozen compromised machines they didn’t know of.

Called in help: Make your local FBI agent your new best friend. They knew why hackers would be interested in the international studies department. Also were very helpful technically.

One piece of malware was a custom version of Gh0st RAT. Another technique was Dynamic DNS Beaconing. Talking to different servers every hour or day. Makes it difficult to track IPs. Had to turn up logging as high as they could bear, especially authentication, netflow (on VPN concentrators), and DNS. Found another dozen systems that had been compromised.

All attacks took place Sunday – Thursday between 6pm and 3am Pacific: 9-5 Monday-Friday in Beijing.

You don’t need to rely on a lot of malware when you’ve already got a long list of credentials. You don’t need to crack passwords when you can just pass a hash. Can get the hashes from compromising a client, and if it’s an admin can then get access to servers and domain controllers.

Mitigations: change passwords multiple times per day; fast track 2FA; Compartmentalize passwords; separate user and admin credentials; minimize lateral trust – host based rules to prevent system-system access; scan entire domain for scheduled tasks; rebuild domain controllers.

Emergency Action – September 2013

Hadn’t forced password change in a dozen years. Effectively and securely communicating a password change is hard. Now doing it on a yearly cycle.

Reengagement – July 2013

Hackers kept trying to get access with stored credentials. After a week of failure they disappeared for a while, and then tried passing old hashes for all upper level management. Failed at attempts so far.

Infrastructure changes: Yearly PW changes; monitoring the network for pass-the-hash (not easy because that’s the normal Microsoft way for getting access to file servers, so looking for hashes that don’t correspond to direct client logins); implement 2-factor for OU admins; additional “bastion hosts”, limit lateral access; more logging and splunk analysis; security clearances for some personnel so they can talk to the FBI; Windows 8.1 and Server 2012 R2 features: RDP use without putting the credentials on the remote computer, addition of a new Protected Users group whose credentials cannot be used in remote PtH attacks.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: