
How to Hunt for Lateral Movement on Your Network



Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?

In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.

Published in: Technology


  1. Threat Hunting for Lateral Movement. Presented by: Ryan Nolette, Security Technologist; Adam Fuchs, CTO
  2. © 2017 Sqrrl Data, Inc. All rights reserved. Your Presenters: Adam Fuchs, Sqrrl CTO; Ryan Nolette, Sqrrl Security Technologist
  3. Agenda
     • Lateral Movement Overview: what is it? Common techniques
     • The Lateral Movement Process: Compromise, Reconnaissance, Credential Theft, the Lateral Movement event
     • Sqrrl Lateral Movement Detectors
     • Demo
     • Q&A
  4. What am I referring to when I say Lateral Movement?
     • Techniques that enable attackers to access and control systems within your network
     • Leveraged for: access to specific information or files; remote execution of tools; pivoting to additional systems; access to additional credentials
     • Movement across a network from one system to another may be necessary to achieve goals
     • Often key to an attacker's capabilities and a piece of a larger set of dependencies
  5. Different Types of Lateral Movement: Application Deployment Software; Exploitation of Vulnerability; Logon Scripts; Pass the Hash; Remote Desktop Protocol; Remote File Copy; Remote Services; Replication Through Removable Media; Shared Webroot; Taint Shared Content; Third-party Software; Windows Admin Shares; Windows Remote Management
  6. Lateral Movement (diagram)
     • Patient 0 (original infection): failed data access from Patient 0
     • Successful lateral movement: failed data access from the compromised host after lateral movement
     • Successful lateral movement: successful data access from the compromised host after lateral movement
     • Target: the company's customer financial records
  7. Infection to Lateral Movement Process
     • Infection. Infection techniques: phishing email, drive-by, exploit kit, flash drive
     • Compromise. Stages: the infected system checks in with command and control server/s; the human attacker gives a command to the infected system to allow access (remote shell or GUI interface options); the human attacker starts reconnaissance
     • Reconnaissance. The human attacker starts running system commands to gather intelligence. Examples of recon: network: netstat (see active network connections), Nmap (network scanner), net use (access to resources); system: net user (manage local/domain accounts), tasklist (what processes are running on the system)
     • Credential Theft. Tools: Mimikatz, Pwdump, generic memory dump. Goal: to gather either plaintext credentials to use for generic system authentication or a password hash to pass to a system in place of a password, and ultimately elevate privileges from the current compromised user to an administrative user
     • Lateral Movement. Login to the new system: psexec (shell), RDP (GUI), profit
     • Rinse and repeat for each system as needed or wanted
  8. Compromise
     • Communication between the compromised systems and C&C (command and control) servers is established
     • Threat actors need to sustain persistent access across the network
     • They move laterally within the network and gain higher privileges through the use of different tools
     (Figure: Windows reverse shell)
  9. Reconnaissance
     • To move laterally within a breached network and maintain persistence, attackers obtain information like the network hierarchy, the services used on the servers, and the operating systems
     • Attackers check the host naming conventions to easily identify specific assets to target
     • Attackers use this information to map the network and acquire intelligence about their next move
     (Figures: recon of local accounts; recon of domain accounts)
  10. Credential Theft
     • Once threat actors identify other "territories" they need to access, the next step is to gather login credentials
     • Cracking and stealing passwords. Pass the Hash: uses a hash instead of a plaintext password in order to authenticate and gain higher access. Brute force attack: simply guessing passwords from a predefined set of passwords
     • Using the gathered information, threat actors move to new territories within the network and widen their control
     • These activities often go unnoticed by IT administrators, since they only check failed logins without tracking the successful ones
     (Figure: running Mimikatz in memory via PowerShell)
  11. Lateral Movement – Using Stolen Credentials
     • Attackers can now remotely access desktops
     • Accessing desktops in this manner is not unusual for IT support staff, so remote access will not be readily associated with an ongoing attack
     • Attackers may also gather domain credentials to log into systems, servers, and switches
     • Remote control tools enable attackers to access other desktops in the network and perform actions like executing programs, scheduling tasks, and managing data collection on other systems
     • Tools and techniques used for this purpose include remote desktop tools, PsExec, and Windows Management Instrumentation (WMI)
     • Note that these tools are not the only mechanisms used by threat actors in lateral movement
  12. https://xkcd.com/1831/
  13. DETECTING LATERAL MOVEMENT WITH DATA SCIENCE
  14. Data
     • LM evidence comes from: Windows Events, Syslog, VPN, endpoint sensors
     • Primary fields: Source, Destination, User, Time
     • Extra information
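The four primary fields on slide 14 are what every later detection step consumes, so the first practical job is getting heterogeneous sensor output into that shape. As an added example (not code from the deck or from Sqrrl), the Python below normalizes two constructed sensor formats, a one-line rendering of Windows Security events 4624/4625 and OpenSSH syslog lines, into source/destination/user/time records. It keeps failed logons because the graph characteristics later in the deck use fan-outs including failed logins, and it only treats Windows logon types 3 (network) and 10 (RemoteInteractive) as evidence of a remote origin. The line layouts, host and user names, and the assumed syslog year are all constructed for illustration.

```python
"""Normalize login evidence from two sensor types into the primary fields the
slides name (source, destination, user, time) plus an outcome flag.
Added example; every sample line below is constructed, not a real log."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Windows logon types that imply a connection from another host
# (3 = network, 10 = RemoteInteractive/RDP). Types such as 5 (service)
# or 7 (unlock) are local and are not lateral-movement evidence.
REMOTE_LOGON_TYPES = {3, 10}
SYSLOG_YEAR = 2017  # assumption: classic syslog timestamps carry no year

@dataclass(frozen=True)
class Login:
    source: str          # where the logon came from (IP or host)
    destination: str     # host that recorded the logon
    user: str
    time: datetime
    success: bool        # failed logins matter too (fan-out evidence)
    origin: str          # sensor type: "windows" or "syslog"

# Constructed: one-line renderings of Windows Security events 4624 (success)
# and 4625 (failure); real collector output varies in layout.
WIN_SAMPLE = [
    "2017-06-01T09:12:03Z host=FS01 EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.5.21",
    "2017-06-01T09:12:05Z host=FS01 EventID=4624 LogonType=5 TargetUserName=SYSTEM IpAddress=-",
    "2017-06-01T09:12:09Z host=WS07 EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=10.0.5.21",
]
# Constructed: OpenSSH authentication results as they appear in syslog.
SSH_SAMPLE = [
    "Jun  1 09:15:44 db02 sshd[2231]: Accepted publickey for svc_backup from 10.0.5.21 port 51522 ssh2",
    "Jun  1 09:15:50 db02 sshd[2240]: Failed password for root from 10.0.5.21 port 51530 ssh2",
]

_KV = re.compile(r"(\w+)=(\S+)")
_SSH = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_windows(line: str) -> Optional[Login]:
    """Keep 4624/4625 events whose logon type implies a remote origin."""
    stamp, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    event = fields.get("EventID")
    if event not in ("4624", "4625"):
        return None
    if int(fields.get("LogonType", "0")) not in REMOTE_LOGON_TYPES:
        return None
    src = fields.get("IpAddress", "-")
    if src == "-":                      # local logon, no network source
        return None
    return Login(
        source=src,
        destination=fields.get("host", "unknown"),
        user=fields.get("TargetUserName", "unknown"),
        time=datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        success=(event == "4624"),
        origin="windows",
    )

def parse_syslog(line: str) -> Optional[Login]:
    """Extract sshd authentication results, successes and failures alike."""
    m = _SSH.match(line)
    if not m:
        return None
    when = datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {int(m['day']):02d} {m['hms']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return Login(m["src"], m["host"], m["user"], when, m["outcome"] == "Accepted", "syslog")

def normalize(lines: Iterable[str]) -> List[Login]:
    """Try each parser on every line; drop lines no parser understands."""
    out = []
    for line in lines:
        rec = parse_windows(line) or parse_syslog(line)
        if rec is not None:
            out.append(rec)
    return sorted(out, key=lambda r: r.time)

if __name__ == "__main__":
    for rec in normalize(WIN_SAMPLE + SSH_SAMPLE):
        print(rec)
```

The service logon (type 5) is dropped on purpose: it carries no source address and says nothing about movement between hosts, whereas the failed 4625 and the failed SSH password attempt are kept so that a later fan-out check can see them.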
  15. Abstraction Spectrum Trade-Off (specialized to generic)
     • Target specific techniques (e.g. Pass the Hash detection): very specific means low false positives; may miss new techniques
     • Search for general graph patterns: hard to hide from; may pick up unrelated similar patterns
  16. LM Graph Pattern Characteristics
     (1) Expected inter-login time distribution
     (2) Overall timeframe in expected range
     (3) Rarely-seen logins
     (4) Fan-outs, including failed logins
     (5) Not too big, not too small
  17. Lateral Movement Strategy
     • Rank individual logins
       • Train: learn common user login patterns from the data
       • Predict: assign a rank (logLikelihoodRatio) to every login; rank unusual logins high
     • Construct time-ordered connected sequences of logins
       • Predict: find the top N sequences of logins with the highest combined rank
  18. Generalized "Rarity" Classifier
     • Used to determine the base risk for logins
     • Extensible feature vectors mix numerical, categorical, and text features: TDigests for numerical, vectorized categorical statistics, bag of words for text
     • Learns "normal" in situ: priors out of the box, since every network is different
     • Scalable Spark implementations
  19. Multi-Hop Predict (figure: hosts 192.168.1.101, 192.168.1.104, 192.168.1.78, 192.168.1.83)
  20. Multi-Hop Predict: Combinatorics
     • General problem: subgraph isomorphism
     • 5 edges → 2^5 = 32 subgraphs; 10 edges → 2^10 = 1,024 subgraphs; 20 edges → 2^20 = 1,048,576 subgraphs
     • We run with billions of edges...
     • Solution: grow small subgraphs in parallel; prune early and often; agglomerative clustering; message passing
     (Figure: hosts 192.168.1.101, 192.168.1.104, 192.168.1.78, 192.168.1.83)
  21.–23. Multi-Hop Predict: Message Passing (three animation slides, no transcribed text)
  24. Scalable Implementation
     • Large-scale, parallel implementation
     • Multiple Independent Variable Bayesian Classifier (MIVB)
     • Spark extension for graph processing
     • High-performance message passing implementation
     • Used for agglomerative clustering / detection of LM structures
  25. Processing Workflow: Sqrrl Auth/Login Sources → Spark / GraphX (Classifier Training → Trained Classifier → Single-Hop Predict → Multi-Hop Predict) → Evidence Tables → Sqrrl CounterOps Model
  26. False Positive Reduction
     1. Rank (figure: base risk factor, time risk factor, size risk factor)
     2. Normalize: smooth out discontinuities in the ranking function; apply historical context to determine the probability of seeing a given rank; convert to a risk score based on likelihood × impact
     3. Threshold: analysts usually care about LMs over risk X
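Slides 16, 17, 20 and 26 together describe one pipeline: rank each login by how unusual it is, grow connected time-ordered chains while pruning, then normalize and threshold the combined rank. As an added worked example (not Sqrrl's implementation and not code from the deck), the Python below runs that pipeline end to end on a constructed login set. The rarity model is a simplified per-feature, Laplace-smoothed frequency model whose log-likelihood ratio stands in for the MIVB classifier; the host and user names, the 20-day training window, the inter-hop and overall time limits, the chain-size bounds, the pruning floor, the asset impact table and the risk threshold are all assumptions chosen for illustration.

```python
# Added example: rank logins by rarity, chain them into time-ordered
# multi-hop sequences, then normalize and threshold the combined rank.
# The rarity model is a simplified stand-in for the MIVB classifier;
# every host, user and login below is constructed.
import math
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

class Login(NamedTuple):
    src: str
    dst: str
    user: str
    t: int  # minutes since the start of the observation window

def features(l: Login) -> Dict[str, str]:  # categorical features scored independently
    return {"src": l.src, "dst": l.dst, "user": l.user,
            "edge": f"{l.src}>{l.dst}", "user@dst": f"{l.user}@{l.dst}"}

class RarityModel:
    """Train: count feature values. Predict: log-likelihood ratio of a
    'uniform over known values plus one unseen' model against the learned
    frequencies; positive means rarer than a typical login."""
    def __init__(self, logins: List[Login]):
        self.n = len(logins)
        self.counts: Dict[str, Counter] = {}
        for l in logins:
            for k, v in features(l).items():
                self.counts.setdefault(k, Counter())[v] += 1

    def rank(self, l: Login) -> float:
        llr = 0.0
        for k, v in features(l).items():
            c = self.counts[k]
            kinds = len(c) + 1                          # seen values + "unseen"
            p_learned = (c[v] + 1) / (self.n + kinds)   # Laplace-smoothed
            llr += math.log((1 / kinds) / p_learned)
        return llr

MAX_GAP, MAX_SPAN = 120, 480   # minutes between hops / for the whole chain (assumed)
MIN_HOPS, MAX_HOPS = 2, 5      # "not too big, not too small" (assumed)
PRUNE_FLOOR = 0.0              # partial chains ranked below this are dropped early

def find_chains(logins: List[Login], model: RarityModel) -> List[List[Login]]:
    """Grow connected, time-ordered chains (next.src == prev.dst) with early
    pruning; return only chains that are not a slice of a longer chain."""
    ordered = sorted(logins, key=lambda l: l.t)
    rank = {l: model.rank(l) for l in ordered}
    partial = [[l] for l in ordered if rank[l] > PRUNE_FLOOR]   # seeds
    found: List[List[Login]] = []
    while partial:
        grown: List[List[Login]] = []
        for chain in partial:
            if len(chain) >= MIN_HOPS:
                found.append(chain)
            if len(chain) == MAX_HOPS:
                continue
            last = chain[-1]
            for l in ordered:
                if (l.src == last.dst and 0 < l.t - last.t <= MAX_GAP
                        and l.t - chain[0].t <= MAX_SPAN):
                    cand = chain + [l]
                    if sum(rank[x] for x in cand) > PRUNE_FLOOR:
                        grown.append(cand)
        partial = grown
    def sub(a, b):  # True when a is a contiguous slice of a longer chain b
        return len(a) < len(b) and any(b[i:i + len(a)] == a for i in range(len(b) - len(a) + 1))
    return [c for c in found if not any(sub(c, o) for o in found)]

def chain_risk(chain: List[Login], model: RarityModel, history: List[float],
               impact: Dict[str, float]) -> float:
    """Normalize: smoothed percentile of the chain's mean per-hop rank within
    the historical login ranks, times the impact of the most valuable host reached."""
    per_hop = sum(model.rank(l) for l in chain) / len(chain)
    likelihood = (sum(1 for r in history if r < per_hop) + 0.5) / (len(history) + 1)
    return likelihood * max(impact.get(l.dst, 1.0) for l in chain)

ASSET_IMPACT = {"DB02": 10.0}   # constructed: DB02 holds the customer financial records
RISK_THRESHOLD = 5.0            # "analysts usually care about LMs over risk X"

def detect(train: List[Login], predict: List[Login], impact=ASSET_IMPACT,
           threshold=RISK_THRESHOLD) -> List[Tuple[float, List[Login]]]:
    model = RarityModel(train)                      # learn "normal" in situ
    history = [model.rank(l) for l in train]
    scored = [(chain_risk(c, model, history, impact), c) for c in find_chains(predict, model)]
    return sorted((s for s in scored if s[0] >= threshold), key=lambda s: -s[0])

# Constructed data: 20 days of routine logins, then one day that also holds an intrusion
def routine(b: int) -> List[Login]:
    return [Login("WS01", "FS01", "jdoe", b + 540), Login("WS02", "FS01", "asmith", b + 545),
            Login("WS03", "MAIL01", "bchen", b + 550), Login("ADMIN01", "DB02", "dba", b + 600),
            Login("ADMIN01", "FS01", "dba", b + 605)]
TRAIN = [l for day in range(20) for l in routine(day * 1440)]
D = 20 * 1440
PREDICT = routine(D) + [   # workstation -> peer -> admin box -> DB02 using the dba identity
    Login("WS01", "WS02", "jdoe", D + 1300), Login("WS02", "ADMIN01", "jdoe", D + 1312),
    Login("ADMIN01", "DB02", "dba", D + 1330)]

if __name__ == "__main__":
    for risk, chain in detect(TRAIN, PREDICT):
        print(f"risk={risk:.2f}:", " -> ".join(f"{l.src}({l.user})" for l in chain), "->", chain[-1].dst)
```

The last hop of the constructed intrusion, ADMIN01 to DB02 as dba, is a routine login that ranks below zero on its own; it is only surfaced because it is chained to the two rare hops before it, which is the point of the multi-hop step over single-login alerting. The routine day without the intrusion produces no chain at all, since no common login clears the pruning floor.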
  27. Building the LM Detector
     • Threat Hunters: TTP alignment; behavior and structural decomposition
     • Data Scientists: high-risk classifier (subgraphs); log-likelihood ranking; normality classifier (MIVB)
     • Computer Scientists: scalable implementation (Spark, GraphX); deployable workflow with in-situ training
     • Security Analyst: rank statistics normalization; contextual exploration and visualization
  28. REAL WORLD THREAT HUNTING FOR LATERAL MOVEMENT
  29.–46. Lateral Movement (demo screenshots, no transcribed text)
  47. Thank you! threathunting.org for hunting eCourses, papers and other resources, and threathunting.net for a repository of hunting techniques
  48. Q & A
