1.attacker targets workstations en masse 2.user running as local admin is compromised, attacker...

Upload: chester-quinn

Post on 16-Dec-2015

TRANSCRIPT

Page 1: 1.Attacker targets workstations en masse 2.User running as local admin is compromised, attacker harvests credentials 3.Attacker uses credentials
Page 2:

TWC: Pass-the-Hash and Credential Theft Mitigation Architectures

Mark Simos, Nicholas DiCola

DCIM-B213

Page 3:

Agenda

Microsoft Cybersecurity Team

Determined Adversaries and Targeted Attacks

Pass the Hash and Credential Theft

Credential Theft Mitigation Architectures

Page 4:

Detecting Threats: Advanced tools to find new attacks; Deep expertise hunting for the Determined Adversary

Innovative Mitigations: Make the most of your existing assets; New approaches to counter threats

Custom Solutions: Specialized security solutions from tailored assessments to integrating the Security Development Lifecycle into your software development

Recovery & Mitigations

Sensors & Intelligence

Response & Investigation

Architecture & Advisory

Expert SDL Developer Services

Cybersecurity Practice: Global Reach and Delivery with World Class Architects, Consultants, and Engineers

Technology Experts

Page 5:

Key Learnings

Astronomical Adversary ROI for internet attacks: Cheap, effective, relatively easy; No alternate espionage method has comparable ROI

Increased adversary maturity: Many are well-resourced, mission-focused, determined; Sophisticated targeting of organizations, people, data

Ubiquitous use of credential theft (Pass the hash): Elevate to mission, shareholder value, existential threat; Externals effectively conducting insider attacks

Page 6:

Targeted Attacks—Strategies and Tactics

Establish Persistence: Gain control of your identity store (Public: administrator rights, interesting projects and groups; Secrets: passwords and hashes); Hide malware on multiple hosts (Custom compiled for attack campaign)

Execute Mission: Download terabytes of your data (~99% of cases): Initially, large exfiltration of many types; then, target specific data (new, valuable, strategic); Implement the wrecking ball (~1% of cases)

Page 7:

Defender Trends

IT environments not designed for credential-theft class of attacks

IT security resources trying to defend every system equally

Reputation impact concerns hamper defender collaboration

Page 8:

Pass the Hash: 48 hours (or less)

1. Attacker targets workstations en masse

2. User running as local admin is compromised, attacker harvests credentials

3. Attacker uses credentials for lateral movement or privilege escalation

4. Attacker acquires domain admin credentials

5. Attacker exercises full control of data and systems in the environment

Page 9:

Potential Attacker Pathways (diagram; labels recovered from the figure)

Workstation (Patient Zero): User Access; Workstation Administrator; User Credential; Active User Credentials; SAM: NT Hashes; All Local Data; User’s Data and Keystrokes

Establish Beachhead: User Action; Malware Install; Beacon, Command & Control; Vulnerability & Exploit; User = Administrator; Elevation

Credential Re-use: Pass the Hash (Local Accounts) to All Workstations

Servers: Server Administrator; System or Administrator; Server Admin; Active User Credentials; Security Accounts Manager (SAM): NT Hashes; All Local Data; All Active Directory Data (Read); Data

Domain Controllers: Domain Admin Logon; Domain Admin; Pass the hash (PTH); Domain Administrator Access; All Active Directory Data (Full Control); All Credentials (NT Hashes); All Data

Page 10:

Demo: Pass the Hash Attack

(diagram: DC, Client, Domain.Local, DomainAdmin, Attack Operator)

Page 11:

Smartcards alone will not stop PTH

Smartcard logon sessions have an NTLM hash: of the user password, or of a random 128-bit value (if smartcard required)

Account attribute restricts interactive logon only:

Smartcard remotely available to attacker when: Malware installed; Smartcard inserted in reader; PIN captured from a keystroke logger (most malware includes these)

Page 12:

Effective Mitigations

1. Credential Theft: Ensure high privileged account credentials aren’t available to be stolen; No Domain Admins on workstations or servers; No Server Admins on workstations

2. Credential Re-Use (Illicit): Reduce the usefulness of credentials exposed to high risks (internet): Local SAM database (NT Hash only); Machine account passwords; Service passwords (if present)

(diagram axes: 1. Prevent Exposure; 2. Limit Usefulness; High Exposure (to Internet/Risk); High Privilege/Value)

Page 13:

Credential Theft Mitigation Strategy

1. Privilege escalation • Credential Theft • Application Agents • Service Accounts

2. Lateral traversal • Credential Theft • Application Agents • Service Accounts

(diagram: Tier 0, Tier 1, Tier 2)

Page 14:

Tier Model Restrictions (diagram; labels recovered from the figure)

Tier 0: Domain Controllers; Forest/Domain Admins

Tier 1: Servers; Server Admins

Tier 2: Workstations; Workstation Admins

Admin Workstation (shown for each tier)

Legend: Same Tier Logon; Higher Tier Logon; Lower Tier Logon; Blocked
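The tier rule stated on the mitigation slides (no Domain Admins on workstations or servers, no Server Admins on workstations) is something a defender can check against logon telemetry. The following is an added example, not code from the deck or from Microsoft: it maps accounts and hosts to tiers, reads simplified Windows 4624 logon records, and flags every logon in which a higher-tier account authenticated to a lower-tier host, where its credential is now harvestable. The account names, host names, tier assignments and event lines are constructed; the field names are a simplified rendering of the 4624 event, and the "unknown means Tier 2" default is an assumption.

```python
"""Tier-model logon check over (simplified) Windows security events.

Flags logons in which a higher-tier account authenticates to a lower-tier
host, the credential-exposure case the tier model forbids.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tier numbering follows the deck: 0 = domain controllers / forest admins,
# 1 = servers / server admins, 2 = workstations / workstation admins.
# A lower number means higher privilege.  Names below are constructed.
ACCOUNT_TIER: Dict[str, int] = {
    "CORP\\da-alice": 0,     # Domain Admin
    "CORP\\srvadm-bob": 1,   # Server Admin
    "CORP\\carol": 2,        # standard user
}
HOST_TIER: Dict[str, int] = {
    "DC-01": 0,
    "SQL-01": 1,
    "FILE-02": 1,
    "WKS-0042": 2,
}
UNKNOWN_TIER = 2  # assumption: anything unmapped is treated as least trusted

# Logon types that leave a reusable credential in LSASS on the target host:
# interactive (2), batch (4), service (5), unlock (7), remote interactive (10),
# cached interactive (11).  A pure network logon (3) does not, so a tier
# violation over type 3 is reported for review rather than as high severity.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}


@dataclass(frozen=True)
class Violation:
    account: str
    host: str
    account_tier: int
    host_tier: int
    logon_type: int
    severity: str  # "high" = credential now exposed on a lower-tier host


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse a 'key=value key=value' line; return None unless it is a 4624 logon."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("EventID") != "4624":
        return None
    return fields


def check_logon(account: str, host: str, logon_type: int) -> Optional[Violation]:
    """Return a Violation if a higher-tier account logged on to a lower-tier host."""
    a_tier = ACCOUNT_TIER.get(account, UNKNOWN_TIER)
    h_tier = HOST_TIER.get(host, UNKNOWN_TIER)
    if a_tier >= h_tier:
        return None  # same-tier or lower-tier account: no exposure of a higher-tier credential
    severity = "high" if logon_type in CREDENTIAL_EXPOSING_LOGON_TYPES else "review"
    return Violation(account, host, a_tier, h_tier, logon_type, severity)


def check_logons(lines: List[str]) -> List[Violation]:
    """Run the tier check over raw event lines, skipping non-logon events."""
    found: List[Violation] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        v = check_logon(ev["TargetUserName"], ev["TargetComputer"], int(ev["LogonType"]))
        if v is not None:
            found.append(v)
    return found


# Constructed sample events (simplified 4624/4672 records, made-up values).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=CORP\\da-alice TargetComputer=WKS-0042 LogonType=10",
    "EventID=4624 TargetUserName=CORP\\srvadm-bob TargetComputer=WKS-0042 LogonType=2",
    "EventID=4624 TargetUserName=CORP\\srvadm-bob TargetComputer=SQL-01 LogonType=10",
    "EventID=4624 TargetUserName=CORP\\carol TargetComputer=WKS-0042 LogonType=2",
    "EventID=4624 TargetUserName=CORP\\da-alice TargetComputer=DC-01 LogonType=2",
    "EventID=4624 TargetUserName=CORP\\da-alice TargetComputer=FILE-02 LogonType=3",
    "EventID=4672 TargetUserName=CORP\\da-alice TargetComputer=WKS-0042",
]

if __name__ == "__main__":
    for v in check_logons(SAMPLE_EVENTS):
        print(f"[{v.severity}] {v.account} (tier {v.account_tier}) logged on to "
              f"{v.host} (tier {v.host_tier}) with logon type {v.logon_type}")
```

Run against the constructed events it reports the Domain Admin and the Server Admin on the workstation as high severity and the Domain Admin's network logon to a file server for review; the legitimate same-tier logons produce nothing. In a real deployment the two tier tables would come from group membership and OU placement rather than literals.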

Page 15:

Enhanced Security Admin Environment (diagram; labels recovered from the figure)

Admin Environment: Hardened Admin Environment; IPsec; Credential Partitioning; Known Good Media; Network security; Hardened Workstations; Accounts and smartcards; Auto-Patching; Security Alerting; Tamper-resistant audit; Offline Administration (enforces governance); Assist with mitigating risks; Management and Monitoring; Red Card Admins; Break Glass Account(s)

Production: Power: Domain Controllers; Access: Users and Workstations; Data: Servers and Applications; Production Domain Admins; Services and applications; Lateral traversal

Page 16:

Self-maintaining (to extent possible): Automatic software update application (and reboots)

Small footprint: Single ESAE domain/forest; DCs, System Center Operations Manager (Security Alerting); One Administrative Workstation per administrator

Smartcard enforcement and regular NT Hash cycling for all active accounts

(diagram: Typical Administrative Environment)

Page 17:

ESAE - Managing Multiple Forests/Domains

(diagram: Admin Environment)

Page 18:

Privileged Account Workstation (PAW) – On Premises (diagram; labels recovered from the figure)

Production Domain(s): Workstations & Users; Servers and Applications; Domain & Forest; Domain Admins; Server & App Admins

Increase Security Protections: Enterprise threats; Known internet threats

Hardened Workstations: Known Good Media; 20+ security controls; Network Traffic Restrictions; Admin smartcards (optional)

Page 19:

Privileged Account Workstation (PAW) – Cloud Security (diagram; labels recovered from the figure)

Privileged Account Workstations: Increase Security Protections: Enterprise threats; Known internet threats

Security Protections include: Known Good Media; 20+ security controls; Smartcards (Optional); Security Alerting (Optional)

SaaS; IaaS; PaaS; Cloud Infrastructure & Services Administration; Social Media, Publishing, Brand Management

Page 20:

What are these 20+ Security Controls?

UEFI/TPM/Secure Boot enabled

BitLocker

Standard User Configuration

AppLocker

USB Media Restrictions

Outbound Traffic restrictions (no Internet)

Inbound Traffic restrictions (default block)

Automatic patching

EMET

System Center Endpoint Protection

Rapid rebuild process

Known Good Media Build Process

Logon Restrictions

Microsoft Security Baselines (SCM)

Unsigned code analysis

Attack Surface Analysis

OU and GPO ACL Lockdowns

Lateral Traversal Mitigation(s)

Restricted administrators membership

Only authorized management tools

Etc.

Page 21:

How MARS works (Auto-Approval example) (diagram; labels recovered from the figure)

Configure Workflows for each Role: Notifications; Approval Requirements; Custom Actions

MARS Server

Resource(s) • Managed Servers • Domain Admin • Schema Admin • Top Secret Project

Managed Privilege (Group Membership or Custom Actions)

Timeline (9:00 to 3:15, Candidate Account):

1. Request Access (10:00)

2a. Auto-Approve (10:00)

2b. E-mail Notification (10:00)

3. Access Resource (10:01)

4. Privilege Expires (12:00)

5. Attempt Access (3:15)
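The slide's timeline is a just-in-time privilege model: a request is approved (automatically or by a person, depending on the role's workflow), membership in a managed group exists only until the grant expires, and a later access attempt fails. The following is an added example, not Microsoft's MARS code: a small in-memory model with per-role workflows, notification logging, manual approval with a self-approval check, and time-bounded grants, replayed over the slide's 10:00 / 10:01 / 12:00 / 3:15 timeline. Role names, durations, the notification address and the clock helper's fixed date are constructed.

```python
"""Just-in-time privilege model in the style of the MARS auto-approval slide."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RoleWorkflow:
    resource: str
    auto_approve: bool        # True = the slide's "2a. Auto-Approve" path
    duration: timedelta       # how long the managed privilege lasts
    notify: Tuple[str, ...]   # "2b. E-mail Notification" recipients


@dataclass(frozen=True)
class Grant:
    requester: str
    resource: str
    approved_at: datetime
    expires_at: datetime


@dataclass
class Mars:
    workflows: Dict[str, RoleWorkflow]
    grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    pending: Set[Tuple[str, str]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _notify(self, wf: RoleWorkflow, msg: str, now: datetime) -> None:
        for who in wf.notify:
            self.log.append(f"{now:%H:%M} mail {who}: {msg}")

    def _grant(self, wf: RoleWorkflow, requester: str, now: datetime) -> None:
        g = Grant(requester, wf.resource, now, now + wf.duration)
        self.grants[(requester, wf.resource)] = g
        self._notify(wf, f"{requester} granted {wf.resource} until {g.expires_at:%H:%M}", now)

    def request_access(self, requester: str, resource: str, now: datetime) -> str:
        """1. Request Access. Returns 'approved', 'pending' or 'denied'."""
        wf = self.workflows.get(resource)
        if wf is None:
            return "denied"  # no workflow configured for this role
        if wf.auto_approve:
            self._grant(wf, requester, now)
            return "approved"
        self.pending.add((requester, resource))
        self._notify(wf, f"{requester} requests {resource}, approval required", now)
        return "pending"

    def approve(self, requester: str, resource: str, approver: str, now: datetime) -> bool:
        """Manual approval path; a requester may not approve their own request."""
        key = (requester, resource)
        if key not in self.pending or approver == requester:
            return False
        self.pending.discard(key)
        self._grant(self.workflows[resource], requester, now)
        return True

    def has_access(self, requester: str, resource: str, now: datetime) -> bool:
        """3/5. Access attempt: only an unexpired grant counts (4. Privilege Expires)."""
        g = self.grants.get((requester, resource))
        return g is not None and g.approved_at <= now < g.expires_at

    def current_members(self, resource: str, now: datetime) -> Set[str]:
        """What the managed group should contain right now; expired grants drop out."""
        return {r for (r, res), g in self.grants.items()
                if res == resource and g.approved_at <= now < g.expires_at}


# Constructed workflow configuration: managed servers auto-approve for two hours,
# Domain Admin membership always needs a second person and lasts one hour.
WORKFLOWS = {
    "Managed Servers": RoleWorkflow("Managed Servers", True, timedelta(hours=2), ("secops@example.invalid",)),
    "Domain Admin": RoleWorkflow("Domain Admin", False, timedelta(hours=1), ("secops@example.invalid",)),
}


def clock(hour: int, minute: int) -> datetime:
    """Clock time on an arbitrary fixed date; only the time of day matters here."""
    return datetime(2000, 1, 1, hour, minute)


def run_slide_timeline() -> Dict[str, bool]:
    """Replay the slide's timeline for the candidate account and return each check."""
    mars = Mars(WORKFLOWS)
    return {
        "request": mars.request_access("candidate", "Managed Servers", clock(10, 0)) == "approved",
        "access_10_01": mars.has_access("candidate", "Managed Servers", clock(10, 1)),
        "access_12_00": mars.has_access("candidate", "Managed Servers", clock(12, 0)),
        "access_15_15": mars.has_access("candidate", "Managed Servers", clock(15, 15)),
    }


if __name__ == "__main__":
    print(run_slide_timeline())
```

The point a real system adds on top of this model is enforcement: `current_members` is what a reconciler would write into the managed group on a schedule, so that an expired grant is removed even if nobody checks `has_access` again.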

Page 22:

Platform Updates

Core platform changes (Automatically On): Remove LM hashes from LSASS; Remove plaintext-equivalent passwords from LSASS (for domain credentials); Enforce credential removal after logoff

Facilitate restriction of local admin accounts: S-1-5-113 – Local account; S-1-5-114 – Local account and member of Administrators group

New Configurable Features: Protected Users; Restricted Admin Mode Remote Desktop; Authentication Policies & Silos
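The two well-known SIDs above are the lever for the "limit usefulness" half of the mitigation: a harvested local-administrator hash is worth little if that account is denied network and Remote Desktop logon on every host. The following is an added example, not from the deck: a checker for a `secedit /export` policy file that confirms the deny rights carry S-1-5-114 (or the broader S-1-5-113). The assumption, taken from Microsoft's guidance for these SIDs rather than from the slide, is that the restriction is applied through the user rights `SeDenyNetworkLogonRight` ("Deny access to this computer from the network") and `SeDenyRemoteInteractiveLogonRight` ("Deny log on through Remote Desktop Services"). The two INF texts are constructed samples.

```python
"""Check a 'secedit /export' policy file for the local-account logon restrictions
based on the well-known SIDs S-1-5-113 and S-1-5-114."""
import re
from typing import Dict, List

LOCAL_ACCOUNT = "S-1-5-113"   # NT AUTHORITY\Local account
LOCAL_ADMIN = "S-1-5-114"     # NT AUTHORITY\Local account and member of Administrators group

# Deny rights that block remote use of a stolen local-account credential
# (assumption: the rights named in Microsoft's guidance for these SIDs).
REMOTE_LOGON_RIGHTS = ("SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight")


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section.

    secedit writes entries as 'SeRight = *S-1-5-...,*S-1-5-...'; the leading
    '*' marks a SID rather than an account name, so it is stripped here.
    """
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
        rights[name.strip()] = entries
    return rights


def check_local_account_restrictions(rights: Dict[str, List[str]]) -> List[str]:
    """List the deny rights that do not cover local accounts; empty means hardened.

    S-1-5-114 (local admins only) is the narrower choice; S-1-5-113 (all local
    accounts) also satisfies the check because it is a superset.
    """
    findings = []
    for right in REMOTE_LOGON_RIGHTS:
        sids = set(rights.get(right, []))
        if LOCAL_ADMIN not in sids and LOCAL_ACCOUNT not in sids:
            findings.append(f"{right} does not include {LOCAL_ADMIN} or {LOCAL_ACCOUNT}")
    return findings


def audit(inf_text: str) -> List[str]:
    """Parse and check one export; convenience wrapper for files read from disk."""
    return check_local_account_restrictions(parse_privilege_rights(inf_text))


# Constructed sample exports (a real file has more sections; only the relevant ones appear).
# S-1-5-32-546 = Guests, S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
WEAK_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-114
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INF), ("hardened", HARDENED_INF)):
        print(label, audit(text) or ["ok"])
```

To audit a real host, export with `secedit /export /cfg policy.inf` and pass the file's text to `audit`; the export is written as UTF-16, so open it with `encoding="utf-16"`. The check is deliberately one-directional: it reports missing restrictions and says nothing about rights it does not understand.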

Page 23:

Enhanced Security Admin Environment (ESAE) (diagram; labels recovered from the figure)

Domain and Forest Administration; Production Domain(s); Domain and Forest; Security Alerting; Server and System Management; Hardened Hosts and Accounts; Managed Access Request System (MARS); App and Data Management; Privileged Account Workstation (PAW); User Assistance and Support; Lateral Traversal Mitigations; Application & Service Hardening; Helpdesk and Workstation Management

Credential Theft Mitigations (with 8.1/2012 R2 features): RDP w/Restricted Admin; Protected Users; Auth Policies and Silos

Page 24:

Application and Service Hardening


Upstream Risks (Controlling the Application)

Downstream Control

Important: upstream risks also include hosts where upstream administrator credentials are exposed.

Application

Application agents or software

Application service accounts

Business critical data?

Backup and storage administrators

Baseboard Management Controllers (BMCs)

Local operating system administrators

Physical access and virtual machine administrators

ACLs on Computer account, OU, GPO, GPO Content

Management agents on server and scheduled tasks

Application administrator roles

Unpatched Software Vulnerability, Weak OS Configuration

Host Installation Media/Process

Page 25:

Importance of Known Good Media

Media attack vectors: Infecting gold master images; Injecting malicious software into download bit-streams; Infecting software packages

Validate Media Source: Verify Printed Media; Verify Downloaded Media (certutil -hashfile): Compare binary to published hashes; Compare from two independent downloads (different machines, internet connections)

Transfer and Storage of Media: Save onto read-only media such as a locked DVD (not USB drive); Label as Known Good Media or “KGM.”
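The validation step above is two comparisons: the downloaded binary against the vendor's published hash, and one download against a second, independent one. The following is an added example, not from the deck, that performs both in Python so the result is a yes/no decision rather than a visual comparison of two hex strings. It adds two details a practitioner needs: the published hash is normalized before comparison (older `certutil -hashfile` output prints the digest with spaces between bytes, in upper case), and comparisons are constant-time. The sample "images" and the published hash are constructed; in real use the published hash comes from the vendor, never from the file being checked.

```python
"""Known Good Media verification: published hash plus two independent downloads."""
import hashlib
import hmac
from pathlib import Path
from typing import List, Union


def normalize_hash(text: str) -> str:
    """Lower-case and strip whitespace so 'AB CD ...' and 'abcd...' compare equal."""
    return "".join(text.split()).lower()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Union[str, Path], chunk_size: int = 1 << 20) -> str:
    """Stream a large ISO/installer through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_media(download_a: bytes, download_b: bytes, published_sha256: str) -> List[str]:
    """Return the list of problems; an empty list means the media can be labelled KGM.

    download_a / download_b: contents of two independent downloads (different
    machine and internet connection, as the slide recommends).
    published_sha256: the hash taken from the vendor's published list.
    """
    want = normalize_hash(published_sha256)
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        return ["published hash is not a SHA-256 hex digest; re-check the source"]
    h_a, h_b = sha256_bytes(download_a), sha256_bytes(download_b)
    problems = []
    if not hmac.compare_digest(h_a, want):
        problems.append("download A does not match the published hash")
    if not hmac.compare_digest(h_b, want):
        problems.append("download B does not match the published hash")
    if not hmac.compare_digest(h_a, h_b):
        problems.append("the two independent downloads differ from each other")
    return problems


# Constructed stand-ins for an installer image.  The 'published' hash is derived
# from GOOD_IMAGE here only so that the example runs offline.
GOOD_IMAGE = b"EXAMPLE-INSTALLER-IMAGE v1.0 " * 4096
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"!"   # a single changed byte
PUBLISHED_SHA256 = sha256_bytes(GOOD_IMAGE)
# The same digest as older certutil prints it: upper case, space-separated bytes.
CERTUTIL_STYLE = " ".join(PUBLISHED_SHA256[i:i + 2] for i in range(0, 64, 2)).upper()

if __name__ == "__main__":
    print("both clean:", verify_media(GOOD_IMAGE, GOOD_IMAGE, CERTUTIL_STYLE) or "KGM ok")
    print("one tampered:", verify_media(GOOD_IMAGE, TAMPERED_IMAGE, PUBLISHED_SHA256))
    print("both tampered:", verify_media(TAMPERED_IMAGE, TAMPERED_IMAGE, PUBLISHED_SHA256))
```

The "both tampered" case is why the published hash is checked as well as the cross-download comparison: two downloads from the same poisoned mirror agree with each other perfectly, and only the vendor's hash exposes them. For real files, feed `sha256_file(...)` output into the same comparison instead of reading whole images into memory.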

Page 26:

Lessons Learned

Credential theft is different from a normal vulnerability: Attack surface is determined by operational practices

It all starts from host integrity: It only takes one tool to automate a new/difficult attack

Prevention is cheaper than recovery! Recovery still requires preventing reinfection (similar to proactive defenses); Recovery also requires cleaning up attacker presence (never guaranteed); Residual risk is higher in recovery mode

Page 27:

Questions?

Ask now or….

Mark.Simos @ Microsoft.com

Nicholas.DiCola @ Microsoft.com

Page 28:

Come Visit Us in the Microsoft Solutions Experience!

Look for Datacenter and Infrastructure Management: TechExpo Level 1 Hall CD

For More Information

Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286

Microsoft Azure: http://azure.microsoft.com/en-us/

System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295

Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Page 29:

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Page 30:

Complete an evaluation and enter to win!

Page 31:

Evaluate this session

Scan this QR code to evaluate this session.

Page 32:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.