advanced targeted attacks
TRANSCRIPT
1
Advanced targeted attacks
Andrey Dulkin, Andy Givens, Andy Thompson, Lauren Horaist, Nick Dulavitz
2
What makes an attack “advanced”?
An advanced attack is… a targeted attack against a specific organization, during which an attacker operates extensively inside the network
Contrary to:
Opportunistic endpoint attacks
Quick, targeted attacks (e.g., against call centers)
3
Stages of an Advanced Attack
BREACH • Phishing • USB • Unsecured servers
RECON • Network queries • Passive listening • Probing
LATERAL MOVEMENT • Look for credentials • Look for access
DOMAIN COMPROMISE • Sufficient privileges
ACTIONS ON TARGET • Access servers, apps, etc.
4
Breach
▪ Email with malicious attachment
5
[Network diagram: Domain Controller, File Server 1, Admin Workstation, Web Server 3, Help Desk Workstation]
Recon
▪ What privileges do I HAVE?
▪ WHO are the privileged users?
▪ WHERE are they connected?
▪ What privileges can I GET?
COMMON TOOLS USED FOR RECON: Nmap, Maltego
6
[Network diagram: Domain Controller, Web Server 3, Help Desk Workstation, File Server 1, Admin Workstation]
Lateral Movement
▪ Connect to the shared machine
▪ Search for credentials
▪ Steal privileged credentials
COMMON TOOLS USED FOR LATERAL MOVEMENT: PsExec, mimikatz
Callout: ***** Domain Admin credentials found!
7
Domain Compromise
▪ Connect to Domain Controller
▪ Steal krbtgt hash
▪ Create a Golden Ticket with required privileges
▪ Locate and access desired system: SWIFTNet Domain Controller
Callout: NEXT: Steal the krbtgt hash; generate golden ticket for full domain access
[Network diagram: SWIFTNet]
8
[Network diagram: Recipient Bank, SWIFTNet, SWIFT User 1, SWIFT User 2, SWIFTNet Server]
Actions on target
▪ Access the SWIFT server
▪ Locate pending transaction file
▪ Inject fraudulent transaction
9
Profit!
10
Recommendations
Endpoint: Remove local privileges; Control applications; Detect malicious executions; Patch systems
Network: Segment off sensitive assets; Route access through jump servers
Credentials: Enforce credential tiers; Require multi-factor authentication; Secure and manage privileged credentials
Monitoring: Set alerts on malicious events; Monitor behavior to detect anomalies; Monitor privileged users
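As an added example that is not part of the deck, the following Python check combines the "Enforce credential tiers" and "Monitor privileged users" recommendations: it scans logon events for a higher-tier account exposing its credentials on a lower-tier host, which is exactly how the Domain Admin credentials were harvested from the shared help desk workstation in the lateral-movement slide. The host and account tier tables, the account names and the simplified event line format are all constructed assumptions for this example.

```python
import re

# Host and account tiers for the deck's example network (constructed; real
# deployments derive them from AD groups and the asset inventory). 0 = most privileged.
HOST_TIER = {"DomainController": 0, "AdminWorkstation": 0, "FileServer1": 1,
             "WebServer3": 1, "HelpDeskWorkstation": 2}
ACCOUNT_TIER = {"da-admin": 0, "fs-svc": 1, "helpdesk1": 2}

# Logon types that leave reusable credential material on the target host
# (2 interactive, 4 batch, 5 service, 10 RemoteInteractive). A network
# logon (type 3) does not, so it is not treated as a tier violation here.
CRED_EXPOSING_LOGON_TYPES = {2, 4, 5, 10}

# Constructed, simplified event line (not native Windows event text):
#   "4624 account=<user> host=<computer> type=<logon type>"
EVENT_RE = re.compile(
    r"^(?P<id>\d+) account=(?P<account>\S+) host=(?P<host>\S+) type=(?P<type>\d+)$")

def parse_event(line):
    """Parse one event line into a dict; return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"id": int(m["id"]), "account": m["account"],
            "host": m["host"], "type": int(m["type"])}

def tier_violations(lines):
    """Return (account, host, logon_type) for each successful logon (4624)
    where a higher-tier account exposed its credentials on a lower-tier host."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 4624 or ev["type"] not in CRED_EXPOSING_LOGON_TYPES:
            continue
        acct_tier, host_tier = ACCOUNT_TIER.get(ev["account"]), HOST_TIER.get(ev["host"])
        if acct_tier is None or host_tier is None:
            continue  # unknown account or host: an inventory gap, not this rule's job
        if acct_tier < host_tier:
            hits.append((ev["account"], ev["host"], ev["type"]))
    return hits

# Constructed sample; the second line is the deck's scenario, a Domain Admin
# logging on over RDP to the shared help desk workstation.
SAMPLE_EVENTS = [
    "4624 account=helpdesk1 host=HelpDeskWorkstation type=2",
    "4624 account=da-admin host=HelpDeskWorkstation type=10",
    "4624 account=da-admin host=DomainController type=10",
    "4624 account=da-admin host=FileServer1 type=3",
    "4624 account=fs-svc host=HelpDeskWorkstation type=5",
    "4625 account=da-admin host=HelpDeskWorkstation type=10",
]
```

Running `tier_violations(SAMPLE_EVENTS)` flags the Domain Admin RDP session on the help desk workstation and the tier-1 service account running on it, while the network logon to the file server and the failed logon are ignored.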
11