
Learning to Live with an Advanced Persistent Threat

John Denune
IT Security Director
University of California, San Diego
jdenune@ucsd.edu
ACT Infrastructure Services

• E-mail
• Database Administration
• Data Center
• Active Directory
• Security
• Telecom
• Networking
• ID Management
• UNIX and Windows Support

ACT Security (9 staff)

• Policy and Compliance
• SSL Certs
• Firewall
• Anti-virus and FDE
• Forensics
• VPN
• Patch Management
• Incident Response
• Vulnerability Assessment
• Intrusion Detection
What is an APT?

It is:
• Espionage
• Targeted
• Patient
• Skilled
• Technical
• State-sponsored or corporate

It's not:
• Opportunistic
• Varied attacks
• Hacktivism
• Theft
• Physical threats
• Social engineering
APT Lifecycle

External Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Expand → Complete Mission
Initial Detection: June 2012

Lesson #1: Pay attention to anti-virus alerts.

Lesson #2: Don't (completely) rely on your anti-virus product.

Lesson #3: Where possible, track IPs instead of blocking them. Blocking tells the attacker they have been noticed and costs you the visibility you need to map the intrusion.
Initial Recon: February 2012

Initial Compromise: April 2012 (Gh0st RAT)
Lesson #4: Make your local FBI agent your new best friend.

Lesson #5: Have a secure communications plan in place.

Lesson #6: Log everything, especially authentication, netflow and DNS.
Attack timing

All attacks took place Sunday through Thursday between the hours of 6pm and 3am Pacific. That window is a normal Monday-to-Friday working day in the UTC+8 time zone.
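The detection side of Lesson #6 and the timing pattern above, as an added example that is not part of the original slides: a small triage script run over a handful of constructed Security event 4624 (successful logon) records. It flags the shapes this incident describes: NTLM network logons by privileged accounts (what a pass-the-hash logon looks like in the log), one account and source IP fanning out to several hosts within minutes, privileged RDP or console logons on workstations (each of which leaves that admin's hash in the workstation's LSASS), and anything inside the Sunday-to-Thursday 6pm-3am window. The host names, account names, the privileged-account list and the events themselves are constructed, and timestamps are taken to be local Pacific time as a SIEM would export them.

```python
"""Triage of Windows Security 4624 (logon success) events for the indicators the
incident describes: NTLM network logons by privileged accounts (pass-the-hash),
one source fanning out to many hosts (lateral movement), privileged
interactive/RDP logons on workstations (hash left in LSASS), and activity in the
observed Sunday-Thursday 18:00-03:00 Pacific window.

Added example, not from the original slides. Event records, host names,
account names and the PRIVILEGED set are constructed; timestamps are assumed to
be local Pacific time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"da_admin", "administrator"}   # constructed: your Domain Admins, OU admins, etc.
WORKSTATION_PREFIX = "WS-"                   # constructed naming convention

# Constructed 4624 records (fields renamed from the event XML: TargetUserName,
# LogonType, AuthenticationPackageName, IpAddress). 2012-06-10 is a Sunday.
EVENTS = [
    {"time": "2012-06-10 19:12:04", "host": "WS-LAB-07", "user": "jsmith",   "logon_type": 2,  "auth": "Kerberos",  "src_ip": "-"},
    {"time": "2012-06-10 22:41:17", "host": "WS-LAB-07", "user": "da_admin", "logon_type": 3,  "auth": "NTLM",      "src_ip": "10.20.30.44"},
    {"time": "2012-06-10 22:43:02", "host": "FS-01",     "user": "da_admin", "logon_type": 3,  "auth": "NTLM",      "src_ip": "10.20.30.44"},
    {"time": "2012-06-10 22:45:55", "host": "DC-01",     "user": "da_admin", "logon_type": 3,  "auth": "NTLM",      "src_ip": "10.20.30.44"},
    {"time": "2012-06-12 10:05:00", "host": "WS-HR-02",  "user": "da_admin", "logon_type": 10, "auth": "Negotiate", "src_ip": "10.20.1.5"},
    {"time": "2012-06-15 20:10:00", "host": "WS-ENG-11", "user": "jsmith",   "logon_type": 2,  "auth": "Kerberos",  "src_ip": "-"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def in_attack_window(t: datetime) -> bool:
    """Sunday-Thursday 18:00 through 03:00 the next morning, as observed in the incident."""
    wd = t.weekday()                                   # Monday == 0 ... Sunday == 6
    evening = wd in (6, 0, 1, 2, 3) and t.hour >= 18   # Sun..Thu evening
    early = wd in (0, 1, 2, 3, 4) and t.hour < 3       # Mon..Fri small hours
    return evening or early


def pth_candidates(events):
    """Network (type 3) logons of privileged accounts over NTLM: the shape a
    pass-the-hash logon takes in the Security log."""
    return [e for e in events
            if e["logon_type"] == 3 and e["auth"] == "NTLM" and e["user"] in PRIVILEGED]


def admin_on_workstations(events):
    """Console (2) or RDP (10) logons of privileged accounts on workstations:
    each one leaves that account's NT hash in the workstation's LSASS."""
    return [e for e in events
            if e["logon_type"] in (2, 10) and e["user"] in PRIVILEGED
            and e["host"].startswith(WORKSTATION_PREFIX)]


def fan_out(events, min_hosts=3, window=timedelta(minutes=30)):
    """(user, source IP) pairs that reached at least min_hosts distinct hosts within `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["src_ip"] != "-":
            by_actor[(e["user"], e["src_ip"])].append((parse_time(e["time"]), e["host"]))
    hits = {}
    for actor, seen in by_actor.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
                break
    return hits


def triage(events=EVENTS):
    """Summarise the indicators; off-hours hits are the ones to look at first."""
    return {
        "pth": pth_candidates(events),
        "admin_on_ws": admin_on_workstations(events),
        "fan_out": fan_out(events),
        "off_hours": [e for e in events if in_attack_window(parse_time(e["time"]))],
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

On the constructed data the da_admin NTLM logons to WS-LAB-07, FS-01 and DC-01 within five minutes on a Sunday night trip all three of the pass-the-hash, fan-out and off-hours checks at once, which is the combination worth paging on; the Tuesday-morning RDP session on WS-HR-02 trips none of the attack checks but is the hygiene finding that explains how the admin hash reached a workstation in the first place.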
Attack Path
Malware Observations

• You don't need to rely on a lot of malware when you've already got a long list of credentials.
• You don't need to crack passwords when you can just pass a hash.
Interactive Authentication

When a user logs on interactively, the client computes the LM (where still enabled) and NTLM hashes of the password and keeps them in LSASS memory for single sign-on. Some authentication packages (WDigest, for example) also keep the plaintext password in memory, reversibly encrypted, so it too can be recovered from a memory dump. For domain accounts, a cached credential (the NT hash re-hashed with the username as salt) is written to the registry so the user can still log on when no domain controller is reachable; unlike the hash in memory, that value cannot be passed and has to be cracked.
Administrator Hash

Now suppose a domain administrator RDPs to that client. The domain admin's NTLM hash is now stored in the client's memory as well.
Pass the Hash

The attacker compromises the client, steals the hashes from memory, and uses the domain admin's hash to authenticate to both the server and the domain controller. No password is cracked or even needed.
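The three slides above (Interactive Authentication, Administrator Hash, Pass the Hash) in working code, as an added example that is not part of the original deck. It computes the NT hash LSASS keeps in memory, derives the NTLMv2 challenge-response once from the password and once from nothing but the stolen hash to show the two proofs are identical, and builds the username-salted cached credential that goes to the registry. MD4 is implemented inline because hashlib's md4 is disabled on many current OpenSSL builds. The account, domain, password and challenge values are constructed.

```python
"""Why a stolen NT hash is as good as the password.

Added example, not from the original slides. It implements:
  * MD4 in pure Python (hashlib's md4 is disabled on many modern OpenSSL builds),
  * the NT hash (MD4 of the UTF-16LE password) that LSASS keeps in memory,
  * the NTLMv2 challenge-response, computed once from the password and once
    from nothing but the hash, to show both produce the identical answer,
  * the domain cached credential (DCC / MS-Cache) that is salted with the
    username before it is written to the registry.
Usernames, domain names, passwords and challenges below are constructed.
"""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    # (round function, word order, shift amounts, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = rotl((a + f(b, c, d) + x[idx] + k) & mask, s)
                elif i % 4 == 1:
                    d = rotl((d + f(a, b, c) + x[idx] + k) & mask, s)
                elif i % 4 == 2:
                    c = rotl((c + f(d, a, b) + x[idx] + k) & mask, s)
                else:
                    b = rotl((b + f(c, d, a) + x[idx] + k) & mask, s)
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What LSASS keeps in memory after an interactive logon: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 proof: HMAC-MD5 keyed from the NT hash alone; the password is never needed."""
    ntlmv2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + client_blob, hashlib.md5).digest()


def cached_credential(nt: bytes, user: str, v2: bool = True) -> bytes:
    """Domain cached credential written to the registry (MS-Cache).
    v1 = MD4(NT hash || lowercase(user)); v2 (Vista and later) re-hashes v1 with
    PBKDF2-HMAC-SHA1, 10240 rounds, salted with the same lowercase username."""
    salt = user.lower().encode("utf-16le")
    dcc1 = md4(nt + salt)
    if not v2:
        return dcc1
    return hashlib.pbkdf2_hmac("sha1", dcc1, salt, 10240, 16)


def demo() -> bool:
    """Constructed scenario: domain admin da_admin of domain CAMPUS RDP'd to a workstation."""
    password, user, domain = "Elementarymydearwatson", "da_admin", "CAMPUS"
    challenge = os.urandom(8)            # server challenge (normally sent by the target)
    blob = b"\x01\x01" + os.urandom(30)  # NTLMv2 client blob (timestamp, nonce, AV pairs)

    # Legitimate client: derives everything from the password that was typed.
    legit = ntlmv2_response(nt_hash(password), user, domain, challenge, blob)
    # Attacker: holds only the 16-byte hash dumped from LSASS on the workstation.
    stolen = nt_hash(password)           # stands in for what a memory dump yields
    forged = ntlmv2_response(stolen, user, domain, challenge, blob)
    return legit == forged


if __name__ == "__main__":
    print("pass-the-hash proof matches:", demo())
```

demo() returns True: the forged and legitimate proofs match, which is the whole of pass-the-hash. The cached credential, by contrast, is salted with the username and run through PBKDF2, so it cannot be replayed and must be cracked offline; that is why the hash in memory, not the one in the registry, is what the attacker goes after.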
Mitigations

• Change passwords multiple times per day
• Fast-track two-factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan the entire domain for scheduled tasks (a common persistence mechanism)
• Rebuild domain controllers
Lesson #7: Reconsider traditional password best practices.
Good passwords?
*tecno9654postgres
A Matt Hale Tribute CD would be cool..
Access-Control-Allow-Origin
Abundance4me2day
Bulletformyvalentine123
Elementarymydearwatson
Putin is nothing but commie scum.
Video killed the radio star?
antcolonyoptimization
Emergency Action: September 2012
Lesson #8: Effectively and securely communicating a password change is hard.
We are not alone
Reengagement: July 2013
Parting Thoughts

• Detection can be subtle and an art


• Have a good AD Team
• Logging visibility is essential
• Regular password changes are a MUST
• Be prepared to re-image any system
• Firewalls to prevent lateral movement
• Separation of user and admin credentials
• Require two-factor for OU Admins
A New Hope

Windows 8.1 and Windows Server 2012 R2 added:
• Strengthened LSASS (it can run as a protected process) to prevent credential dumps
• Many processes no longer store credentials in memory
• Better ways to restrict local account use over the network
• RDP use without putting the credentials on the remote computer (Restricted Admin mode)
• A new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
Further Reading

Know Your Digital Enemy – Anatomy of a Gh0st RAT
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036

APT1: Exposing One of China's Cyber Espionage Units
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
“If ignorant both of your enemy and
yourself, you are certain to be in peril.”
― Sun Tzu, The Art of War
