Drastically Improve Your Information Security Posture for free.
By: Timothy McLaurin
Director of Security
Back in August, the Cyber security firm Praetorian published a report that details the top 5 attack methods used by the firm over 100 separate penetration test engagements. The report was based on what are the tools and techniques used by Penetration testers once they already have a foothold within the network. This premise is based on the fact that it is near impossible to insure that all employees will not click on a bad link emailed to them that may run code or steal their credentials. The report show the most common ways they went from getting that user to click a bad link to owning the entire network.
The top 5 methods in order were:
- Weak Domain User Passwords
- Broadcast Name Resolution Poisoning (WPAD)
- Local Administrator Attacks (Pass the Hash)
- Cleartext Passwords Stored in Memory (Mimikatz)
- Insufficient Network Access Controls
You'll quickly notice that 4 out of the 5 deal credentials. 0 out of 5 of these methods even deal with patch levels. And 5 out of 5 of these methods are not the sexy zero day in which you have no defense. The common misconception is that attackers use methods that are cutting edge to take control of a network. In actuality and practice attackers use commonly used methodologies and tools to exploit systems. Additionally the top 5 security holes Praetorian identified have been known for many years now.
So the bad news is that these security holes have been around for years. The good news is that these security holes have been around for years. This is good news because the ways to mitigate these issues are readily available and do not require the acquisition of some additional software or security appliance.
Weak Domain User Passwords
A lot of organizations feel safe because they have followed what has become common place in thinking what a secure password is. "Well my domain is set to require 8 characters, 1 special character, 1 capital letter, and 1 number as a password." Sadly, this does not make for a secure complex password. In order to satisfy these requirements users will commonly use passwords like P@ssword123 and Winter!2016. I don't believe that anyone would consider either of these examples of secure passwords. Organizations need move away from passwords towards pass phrases. Where Winter!2016 is considered weak !LoveTheWinter!0f2016 is orders of magnitude more difficult to crack simply because of the increased number of characters used. Pass phrases are easy to remember and provide enough security to thwart most attempts to crack.
Additional guidance is that when possible two factor authentication should be implemented especially for administrative and remote access. An organization with less strict password rules has a dramatic net positive impact when complimented with a second factor of authentication.
Broadcast Name Resolution Poisoning
Broadcast Name Resolution Poisoning attacks leverage how systems attempt to find other systems on the network to steal credentials. If a system looks for a system that is neither set in the local hosts file or in DNS looks to NetBIOS/LLMNR for answers. NetBIOS/LLMNR broadcasts traffic across the network to search for a system. Because this is broadcast traffic all systems see it and all systems can respond. An attacker can leverage this function to gather credentials that can either be cracked offline or replayed to other systems to increase network access.
Most organizations have no business need for NetBIOS/LLMNR. The guidance is to disable this and populate the DNS servers with entries for the enterprise systems. Web proxy auto discovery (WPAD) operates similarly to NetBIOS/LLMNR. This function should also be disabled within web browsers. An organization can also choose to forward WPAD traffic to an internal proxy that is controlled.
Pass the Hash
A lot of organizations do not know how to properly manage the local administrator password on the many client systems across a network. Often they have the same username and password across each of the systems because that makes for ease of administration. Unfortunately, if an attacker gains access to one system and is able to compromise the password hash they are then able to have administrative access to all systems that use that account without the need for cracking the hash.
To mitigate the exposure to pass the hash attacks, organizations should look to apply a defense in depth type approach. First is to restrict the ability Domain and Enterprise administrators to login workstations. This way the credentials will never be on the system to be stolen. Another technique is to remove the ability of workstations to initiate inbound connections to other workstations. In general there should be no reason for client to client communications to occur. Only trusted administrative network segments should be allowed to login remotely. Later versions of windows allow you to remove the ability of storing credentials in local databases.
Microsoft also has released the Local Administrator Password Solution (LAPS) that generates a random password for each local administrator account. That password is then stored in Active Directory with the computer object. Domain administrators can then grant permissions to certain users to read the password to perform administrative functions.
Clear text passwords stored in memory
Mimikatz is a popular attack tool used to steal cleartext passwords from the LSASS process in windows. If an attacker is able to obtain administrative or system level privileges, usernames and passwords can be pulled directly from memory.
Later versions of windows have resolved this issue by default but older versions must have been patched with KB 2871997 and have modified the registry to set HKLM\SYSTEM\CurrentControlSet\Control SecuityProviders\Wdigest UseLogonCredential REG_DWORD to 0. This should be considered a high value registry key so it should be monitored to make sure it hasn't been changed.
Insufficient Network Access Controls
This attack vector was touched on in the pass the hash mitigation strategy. Attackers often have free reign on a network once they get a foothold. They are able to touch other client systems as well as all of the critical systems due to a lack of network access controls that segregate systems. The network should be restricted in such a way that systems should only be able to talk to each other if there is a business need to do so.
Organizations often grasp the concept of having a DMZ and segmenting their network into trusted zones in regards to untrusted traffic coming in from the outside. The same logic should be applied internally. Client systems should be barely trusted because while administrators do have some control of the system, the end user may have engaged in some bad behavior that lead to the compromise of the system that has yet to be detected. The defender must think in terms of limiting the damage that system can do as much as possible while not significantly impeding the end user from completing daily tasks.
To accomplish this network administrators must work with business units to identify what are critical systems and understand what personnel should and should not have access to.