RSA Talk - “The Pivot” - Jonathan Trull, VP for Information Security, Optiv ( @jonathantrull )
This talk was delivered 04 March 2016 at the RSA Conference in San Francisco.
I'm providing a brief reaction/summary, and then my notes. The notes are my sort-of free-form notes, so they may be only semi-comprehensible.
The idea that we need to move beyond just perimeter protection and do better on detection of and response to ongoing intrusions is a repeated theme in the industry over the past several years. Many organizations are still not really implementing this, though, or implementing it well.
This was a great talk with lots of good practical ideas for defense that are implementable by mid-sized organizations. See the notes for specific technical details, but the key points are:
- Don’t just go with default logging settings on devices and security tools.
- Central logging and analysis is key.
- Develop a strategy of specific indicators to look for to make that central logging and analysis effective.
Attackers’ immediate goal is to exploit and compromise a host.
However, this is not their true goal. They want to get deeper and gain access to your key systems and information.
To do this requires the attacker to move on from that initial compromised host — to pivot.
On average, attackers’ “dwell time” in a victim network is 205 days (2015 numbers from Verizon DBIR).
Organizations are still most frequently made aware of compromises by law enforcement or other contacts from outside the organization.
"We don’t necessarily have to be that good, but we have to be better than this."
60% of attackers are able to compromise an organization within minutes.
75% spread from Victim 0 to Victim 1 within 24 hours.
Time is NOT on Our Side:
- 50% of users open emails and click on phishing links/attachments within 1 hour.
- Median time to first click is 1 minute, 22 seconds.
- Half of CVEs are being actively exploited within a month of their publication.
Optiv Simulated Attack Lifecycle:
- Set up lab environment with nine common types of security software/tools
- Conducted simulated attacks: exploitation, lateral movement, exfiltration
- Monitored tools to see what they were able to do to aid in detection of these attacks
How attackers typically pivot & move laterally in a network:
- Leveraging native tools: cmd.exe, PowerShell, at.exe, net use, WMI
- Difficult to detect, as no new software is written to the host when these tools are used
- Using tools to compromise credentials: Mimikatz, WCE
Telltale signs of a pivot:
- Signs can appear on the source host where the attacker is already operating, on the destination machine they are trying to access, and on the network between them
- Unusual use of commands that end users rarely use: scheduled tasks (at.exe), WMI, PowerShell, RDP
  - nmap, ncat and other similar tools occasionally; also Sysinternals tools (PSExec,
  - Mapping shares
- Windows Event Logs
  - Events to look for:
    - Account lockout (4740)
    - User added to privileged group (4728, 4732, 4756)
    - Security-enabled group modification (4735)
    - Successful user account logon (4624)
    - Failed user account logon (4625)
    - Account logon with explicit credentials (4648)
    - Process created (4688)
    - Service being started (7035/7036)
  - Windows logon types:
    - Batch (scheduled tasks)
  - Using the Process Created event (4688):
    - Documents process, user, and parent process
    - Does NOT include command line arguments (by default)
    - Auditing of this event is disabled by default; it can be enabled by Group Policy:
      Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking
    - Enable command line arguments by Group Policy as well: “Include command line in process creation events”
- Prefetch files
  - Good place for forensic analysis to see the executable, DLLs called, count of times the process has run, and most recent run time
- Windows Special Groups
  - Introduced in Windows 7/Windows Server 2008
  - Tracks logons of privileged accounts
  - Event ID 4964
- Pass the Hash
  - Event ID 4624 (for success; 4625 if failed), Logon Type 3, Auth Package NTLM
  - Filter: not a domain logon, not an anonymous logon
- New scheduled tasks
  - Event ID 7035 created by at[#].exe
- Privilege escalation
  - Logon from one non-workstation host to another non-workstation host
  - Logon from one workstation to another
  - Logon with a service account (or attempt to do so)
  - Creation of a new domain admin (or elevation of an account)
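The filters in the notes above (the pass-the-hash filter on 4624/4625, rare end-user tools in 4688, privileged group changes, and at#.exe service starts in 7035/7036) written out as a small PowerShell triage script. This is an added example, not code from the talk or from Optiv. It assumes `$DomainName` is your AD NetBIOS domain, that `$RareTools` is a starting list of binaries end users rarely run (extend it to your environment), and it runs over constructed sample records so the logic can be exercised offline; `ConvertFrom-EventRecord` builds the same object shape from real `Get-WinEvent` output.

```powershell
# Added example (not from the talk or from Optiv). Assumptions: $DomainName is the
# organisation's domain, $RareTools is my own starting list, $SampleEvents are
# constructed records, and the 7035 regex follows the "at[#].exe" note above.
$DomainName = 'CORP'
$RareTools  = @('at.exe', 'schtasks.exe', 'wmic.exe', 'powershell.exe', 'mstsc.exe',
                'psexec.exe', 'psexesvc.exe', 'nmap.exe', 'ncat.exe', 'net.exe')
$PrivGroupEvents = 4728, 4732, 4756          # user added to global/local/universal group

function ConvertFrom-EventRecord {
    # Flatten an EventLogRecord's <EventData> into a plain object the tests below read.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id            = $Record.Id
            Time          = $Record.TimeCreated
            Message       = $Record.Message
            LogonType     = $data['LogonType']
            AuthPackage   = $data['AuthenticationPackageName']
            TargetUser    = $data['TargetUserName']
            TargetDomain  = $data['TargetDomainName']
            Workstation   = $data['WorkstationName']
            NewProcess    = $data['NewProcessName']
            ParentProcess = $data['ParentProcessName']
            CommandLine   = $data['CommandLine']
        }
    }
}

function Test-PassTheHashCandidate {
    # 4624/4625, logon type 3 (network), NTLM, not a domain logon, not ANONYMOUS LOGON.
    param($E)
    ($E.Id -in 4624, 4625) -and ($E.LogonType -eq 3) -and ($E.AuthPackage -eq 'NTLM') -and
    ($E.TargetUser -ne 'ANONYMOUS LOGON') -and ($E.TargetDomain -ne $DomainName)
}

function Test-RareToolProcess {
    # 4688 for a binary end users rarely run. Only NewProcessName is needed here;
    # the command line (if audited) is carried through as detail.
    param($E)
    if ($E.Id -ne 4688 -or -not $E.NewProcess) { return $false }
    $exe = ($E.NewProcess -split '[\\/]')[-1].ToLower()
    return $RareTools -contains $exe
}

function Test-PrivilegedGroupChange {
    # 4728/4732/4756: account added to a group; 4735: security-enabled group modified.
    param($E)
    ($E.Id -in $PrivGroupEvents) -or ($E.Id -eq 4735)
}

function Test-AtScheduledTaskService {
    # 7035/7036 service-control events referencing an at#.exe task binary (per the notes).
    param($E)
    ($E.Id -in 7035, 7036) -and ($E.Message -match '\bat\d+\.exe\b')
}

function Get-PivotIndicators {
    # Emit one finding object per matching indicator; events that match nothing are dropped.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $hits = @()
        if (Test-PassTheHashCandidate $Event)  { $hits += 'pass-the-hash candidate (NTLM network logon, non-domain account)' }
        if (Test-RareToolProcess $Event)       { $hits += "rare admin tool: $($Event.NewProcess)" }
        if (Test-PrivilegedGroupChange $Event) { $hits += 'privileged group change' }
        if (Test-AtScheduledTaskService $Event){ $hits += 'at.exe scheduled task service start' }
        foreach ($h in $hits) {
            [pscustomobject]@{ Time = $Event.Time; Id = $Event.Id; Indicator = $h; Detail = $Event.CommandLine }
        }
    }
}

# Constructed sample events (not real log data) so the script runs without a Windows host.
$SampleEvents = @(
    [pscustomobject]@{ Id=4624; Time='2016-03-04T10:01Z'; LogonType='3'; AuthPackage='NTLM';
                       TargetUser='localadmin'; TargetDomain='WS-017'; Workstation='WS-042' }
    [pscustomobject]@{ Id=4624; Time='2016-03-04T10:02Z'; LogonType='3'; AuthPackage='Kerberos';
                       TargetUser='jdoe'; TargetDomain='CORP' }                       # ordinary domain logon
    [pscustomobject]@{ Id=4624; Time='2016-03-04T10:03Z'; LogonType='3'; AuthPackage='NTLM';
                       TargetUser='ANONYMOUS LOGON'; TargetDomain='NT AUTHORITY' }    # filtered as noise
    [pscustomobject]@{ Id=4688; Time='2016-03-04T10:05Z'; NewProcess='C:\Windows\System32\at.exe';
                       ParentProcess='C:\Windows\System32\cmd.exe'; CommandLine='at \\FS-01 23:00 cmd.exe' }
    [pscustomobject]@{ Id=4732; Time='2016-03-04T10:06Z'; TargetUser='Administrators' }
    [pscustomobject]@{ Id=7035; Time='2016-03-04T23:00Z'; Message='The at1.exe service was sent a start control.' }
)

$SampleEvents | Get-PivotIndicators | Format-Table -AutoSize

# Live use on a host (elevated shell). Security and System logs are read separately:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4688,4728,4732,4735,4756} -MaxEvents 5000 |
#       ConvertFrom-EventRecord | Get-PivotIndicators
#   Get-WinEvent -FilterHashtable @{LogName='System'; Id=7035,7036} -MaxEvents 5000 |
#       ConvertFrom-EventRecord | Get-PivotIndicators
```

The "not a domain logon" part of the filter is the one that needs tuning: it is implemented here as a `TargetDomainName` that differs from the AD domain, which catches local accounts used over the network but will also flag legitimate local-admin use, so it is a hunting query to review rather than an alert on its own. The 4688 check only works once process-creation auditing (and, for the `Detail` column, command-line logging) is enabled as described in the notes.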
How to identify/detect the signs and defend against the pivot:
- 100,000-foot view vs. in the weeds
Optiv’s results on comparing seven common endpoint security solutions:
- Intentionally unpatched/vulnerable hosts
- Endpoint security solution was the only defense measure on the host
- Endpoint Protection Platforms (full suites)
- Exploitation mitigation
- Endpoint Detection and Response (EDR) with app control (whitelisting)
- EDR without app control
- None of the types of controls were silver bullets
- None blocked most pivot attempts; EDR partially blocked most types
- Generally they logged the info necessary to detect the pivot, but not clearly out of the box (required research and testing to find)
- Enable sufficient logging
- Develop a threat model for how an attacker would go after your “crown jewels”
- Central logging and analysis is key
- Consider using honeypot(s)
- Implement enhanced authentication for admins and pass-the-hash mitigation
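For the "enable sufficient logging" point, and the 4688/command-line and Special Groups items in the notes, here is a single-host PowerShell script that turns on the relevant audit subcategories and registry values and then reads them back so the configuration can be compared across hosts. It is an added example, not from the talk or from Optiv. It assumes an elevated shell on the host; on domain-joined machines the same items belong in Group Policy (the GPO paths in the notes), since domain audit policy overrides local settings. The `SpecialGroups` SID list is a placeholder to replace with your own privileged-group SIDs.

```powershell
# Added example (not from the talk or from Optiv). Assumptions: run as Administrator
# on a single host; the SpecialGroups value below is a placeholder SID list.

function Enable-PivotAuditing {
    # Advanced audit subcategories behind the event IDs in the notes
    auditpol /set /subcategory:"Process Creation"          /success:enable /failure:enable | Out-Null  # 4688
    auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable | Out-Null  # 4624/4625/4648
    auditpol /set /subcategory:"Special Logon"             /success:enable                 | Out-Null  # 4964
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null  # 4728/4732/4735/4756
    auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable | Out-Null  # 4740

    # Registry value behind the GPO item "Include command line in process creation events"
    # (Computer Configuration > Administrative Templates > System > Audit Process Creation)
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # Special Groups: semicolon-separated SIDs whose logons raise event 4964
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'
    New-Item -Path $lsaKey -Force | Out-Null
    # BUILTIN\Administrators plus a placeholder for your Domain Admins SID (RID 512)
    Set-ItemProperty -Path $lsaKey -Name 'SpecialGroups' -Type String -Value 'S-1-5-32-544;S-1-5-21-<YOUR-DOMAIN-SID>-512'
}

function Test-PivotAuditing {
    # One object per setting, so the output can be diffed host-to-host or fed to a baseline check.
    $subcats = 'Process Creation', 'Logon', 'Special Logon', 'Security Group Management', 'User Account Management'
    foreach ($s in $subcats) {
        # auditpol /r prints CSV with an "Inclusion Setting" column (e.g. "Success and Failure")
        $row = auditpol /get /subcategory:"$s" /r | ConvertFrom-Csv | Select-Object -First 1
        [pscustomobject]@{ Setting = "audit: $s"; Value = $row.'Inclusion Setting' }
    }
    $cmdLine = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    $special = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit' `
                -Name 'SpecialGroups' -ErrorAction SilentlyContinue).SpecialGroups
    [pscustomobject]@{ Setting = 'ProcessCreationIncludeCmdLine_Enabled'; Value = $cmdLine }
    [pscustomobject]@{ Setting = 'SpecialGroups'; Value = $special }
}

Enable-PivotAuditing
Test-PivotAuditing | Format-Table -AutoSize
```

Run `Test-PivotAuditing` on its own as a read-only check before and after deploying the GPO; a host whose `audit: Process Creation` row does not read `Success and Failure`, or whose `ProcessCreationIncludeCmdLine_Enabled` is empty, will produce 4688 events that the detection logic in the notes cannot use.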
http://www.secopslabs.com has some results and other details and recommendations