
The Quest for Identity and Internal Threats

BSides Charleston · 2018 · 49:39 · Published 2018-11

About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018. @BSidesCHS. Title: "The Quest for Identity and Internal Threats". Speaker: Nir Yosha (@niryoo)

Transcript [en]

My job's done here, so yeah, all right. How is everyone doing? Now formally I'm asking you. Well, so here's the good news: I'm not going to speak about threat intelligence; we had enough talks today about it, both battalion and crane. I'm going to speak about identity, identity as the new perimeter. I'm going to talk about some of the challenges related to detecting identity, access and permissions within the network. But first, raise of hands: who is here within IT operations? Okay. Who are the pen testing, security guys? Okay. And anyone threat intelligence? Not that I'm going to talk about it, but just from curiosity. Okay. So actually I myself am originally from Israel. My career started at

the Israeli intelligence scope, so I have been in the intelligence community for a long time. I moved here to the US in 2002, moved to New York, and worked for multiple vendors as a security engineer, as a threat intelligence engineer, but then I made a move into insider threat and worked for companies in user behavior analytics. So anyone here is into machine learning? That's where I started; that's where my passion for machine learning really started, when I got into machine learning. So we'll start with a couple of stories and then we'll talk about identity and access based prevention and machine learning. So this guy's name is Victor, and he was a

Toronto police officer. He got shot when he was 25 years old, in 2015, just when he came out of a restaurant, and so an investigation started around this, which led to that lady. That lady's name is Aaron, and Aaron worked in the Toronto Police Department. And why was this murder case related to Aaron? Well, it looks like Aaron was searching within their Police Department database for information about Victor just a couple of months before his death. But not only for Victor: there were five other searches, and for each one of those people, the person that Aaron was looking for was either murdered or there was an attempt to murder them. You don't want your name to be searched by that

woman. And it took 60 months until the dots were connected. And the question was why, and you won't believe it, but when they found out who the killer is and they were trying to connect it to Victor, the only connection was that Victor gave a traffic ticket to that guy. So the guy that murdered the police guy probably murdered him as revenge for getting a traffic ticket. So the question is: do you think Aaron was a threat? Was she a threat to the Toronto Police Department? Who thinks she was? I guess she was; she was an internal threat. Well, another story. Anyone knows this guy? Yeah, who's this? He was poisoned with Tyrrhenian. He was a

former KGB guy, Russian guy. And why was he poisoned? Well, the guy started his career in the KGB, and then at some point in his career he had a conflict with the KGB leadership, which at the time was connected, and is still connected, to Putin. And he started to write articles against their activity, specifically against their activities of bombing houses and then blaming Georgia, and eventually helping bring Putin into leadership. So the end of the story is that he met some people that made sure that he's not going to survive for a long time. And we all know this guy, right? So Vladimir Putin is a threat, isn't he? He has a whole group of cyber espionage

behind him, and they're all relating to making sure Russia, and specifically he, stays in power. And he has been in power over 20 years, by the way: started in the KGB, moved through all the steps until he was president, starting in 2000, made a little iteration that will make sure that he can be president for more than five years, and so on. So is he a threat? Well, to some people, obviously he is, right? So why am I telling you those stories? The idea is that a threat, whether it's external or internal, has some commonality. In both cases there is some kind of intent, or some kind of an identity, that eventually leads to action, leveraging capabilities, whether it's malware or anything else,

and leveraging vulnerabilities. And so the idea behind "identity is the new perimeter" is: let's look for those identities, right? Putin is an easy identity that everyone is familiar with, but let's find the Aarons, let's find those insider threats. So this is what I'm going to do today. I'm going to talk to you about the identity related attack vectors, and the identity related attack vectors are mostly around passwords, around privilege escalation, and around lateral movement. So we will talk about those things and how hackers are using them, and then we'll look at some solutions that are in the market today. Spoiler alert: there's no silver bullet that can fix all of those, right? It's gonna take

more than one of what we have today to fix the problem, but let's look at what we have out there, and then we'll try to kind of wrap up, and I'll be happy to have any Q&A. And by the way, you guys are welcome to ask any questions at any time; I like to make it interactive. Sounds like a plan? Great. So, disclaimer: I'm just an Israeli with a Russian accent. I speak Russian and that's why I like it interactive, right? If you don't agree with what I say, no harm; you know, there's a lot of ways of trying to solve this problem. So feel free to follow me on Twitter and feel free to

voice your opinion. I think on this one we're all going to agree: passwords are problems, and passwords are easy to crack, even when they're not as simple as those ones. But people keep on using simple passwords because they need to remember them, and people keep on using passwords that remind them of their date of birth or their college or their pet's name, what have you. And how many of you guys are using the same password in more than one application? There you go, and we're in a security conference. Now think about the typical users. And I'm guilty as well, because it's crazy, right? And how many of you are really changing your password? How many of you have a password that hasn't

been changed for the past year? Well, thank you for being honest; we have everyone, promise, between those two questions. So let me show you something that I found kind of funny but explains the problem better than I can.

but

[Music]

Cannot believe an Israeli will do that.

Alright, so yeah, it could be as simple as that. But even if it's not as simple as that, there's just multiple other ways to crack passwords. Generally speaking, you can use algorithms to crack passwords; if you have hashes, you can start to try to recover passwords out of hashes. And there's this, anyone heard about the rainbow tables that reverse hashes? So this is one way to do that. Others are vulnerabilities. So there are cases, for example, the Azure Active Directory agent can basically replicate permissions of a local Active Directory, so there was a Microsoft vulnerability that allows replication of hashes, and from there we use something like rainbow tables in order to reverse the

cryptographic hash into a password. So that's a problem; I think we all can agree on that. So people started to think of a different approach, right? Let's try to use passwordless solutions. You're probably all familiar with biometrics, right? You have this iPhone with the face recognition or the fingerprint. This is kind of working; there's a couple of problems with it, right? The first problem is that if someone's getting hold of the database, that's basically like he got hold of the biometric footprint, so it's still something that you need to protect. The other ideas are around the keyboard, basically the timing of your strokes on the keyboard. So the idea behind it is that the machine learning algorithms will be able to identify, by the way you

click the information, who you are. It's not even close to being an exact science and it cannot be used today, but it's a nice idea. And anyone heard of Windows Hello? So Microsoft realized that, yeah, the password is a problem, and so they are trying to come up also with solutions that relate to authentication based on hardware and not passwords. So a couple of tools: Benjamin Delpy's mimikatz, everyone's heard of that; that's one of the most popular tools that can help you with cracking passwords. John the Ripper, that's a free tool, by the way; it started with UNIX but now it has over 16 platforms that you can use it with. And

like I mentioned earlier, RainbowCrack, that's Philippe Oechslin's, and it's really helping with the faster time-memory trade-off technique that helps you find out the passwords. So the second attack vector is around privilege escalation. So now we harvest the password, either, as you can see in this example, you just ask people and sometimes they give it out, but even if using spear phishing, and spear phishing is still the number one attack vector, you're getting a password. Normally it's not going to be at the privilege level that really allows you to create enough damage or to steal enough information, so you need to go through the layers of privileges. That makes sense? And Windows

has, there, the system kind of level, or the kernel level, and you have the user space. In Windows we have more layers; Microsoft is actually doing a better job there than the default Linux, which has only two main layers. But the question is, how are we going to do that, how are we going to escalate privileges? So there's a list of ways to escalate privileges. You can steal other credentials after you steal the user's credentials, and those credentials might have enough privileges. You actually can recover credentials from hashes that are associated with NTLM, for example, if anyone's familiar with that protocol. And then you can, what I would call, leverage application

vulnerabilities. Okay, so a lot of applications have executables that call DLLs, and then what we can do is we can move from the user space privilege into that application's privilege by injecting another DLL. Now, maybe in the path of the executable there is already an expected DLL, so I can look up this specific DLL and replace it, or add mine in a place within the path that the application is looking for, and then kind of play man in the middle and do whatever I want with my DLL code. So that's the tools, and this is another video that kind of illustrates what privilege escalation

looks like in physical life.

Can you guys hear that, by the way? Is that really real, I think? Let me just get off now, make sure my... yeah, I'm on full. So, if there's something we can do about that, but

that's okay. Well, basically, yeah. Oh, thank you, a little bit better. But I'll give you a little bit of background. Okay, that's basically a person that is trying to impersonate a marshal, a police guy. So the guy is coming in having a weapon.

Okay, that's not funny anymore, right? Bad, bad. So I had a funny video, but that's not really addressing that, so not everything is going to be funny. So privilege escalation also has a few tools. I think one of the main tools for Linux is BeRoot, and the idea there, actually BeRoot is now also supporting Windows, but basically the idea is to help you escalate those users into either a kernel system mode or a Windows administrator, local administrator. Anyone heard of PowerUp? PowerUp is a PowerShell tool that identifies abusable vulnerable services. So, the example I gave you earlier with the DLL: PowerUp can automatically kind of search for those executables that are looking for DLLs

and help you with identifying them. There's a Python implementation of mimikatz, whoever likes Python, so this is the pypykatz, "pypykatz" I guess you pronounce it. And once you start to get hold of those tools, you basically can use one of them. So, just as an example of what I mentioned earlier: using the path variable for Windows, then you search for the DLLs, PowerUp is one of them, PowerShell Empire is another one, Metasploit supports that, and then you inject the DLL, take the privileges and start communicating and moving laterally. And this is exactly the next attack vector that I want to address: lateral movement. Anyone is familiar with

the kill chain? So the kill chain is all about external threats, right? It's usually when we identify those adversary groups, like the one we just mentioned from, you know, APT28 from Russia. They're doing the reconnaissance, they're infiltrating by weaponizing some kind of malware into their emails or they're spoofing a domain, and at that point they're inside the network. They need to do lateral movement because that's not their goal; that's not where the crown jewels are, ninety percent of the time, not a hundred. And so what I'm trying to show here is that regardless of whether it's an external threat or internal threat, we have this idea of step by step that an internal

identity needs to go by. We spoke about stealing the password; now that we're administrator, the next step will be lateral movement. And lateral movement is kind of a repeating activity, because what you do with lateral movement is you're trying to find the next host that you have access to, but that's not necessarily the final destination. So you're finding a host, right, and then from that host you're trying to see if you can carve out a little bit more privileges or services, and then you see if that gets you any closer to your target. But again, this is a process that keeps on repeating itself: you find the host, you might need to

escalate privileges again, and move to the other host, until you get to your destination. And so for lateral movement, here are some of the techniques used for lateral movement. By the way, there's a good description of each one of them at the MITRE ATT&CK framework, if you're familiar with it; just look it up: "attack" with an ampersand instead of the "a". There's a lot of ways to do it. If you are in a Windows environment, anyone here doesn't work in a Windows environment? Doesn't work? Okay, well, good for you. But if you do, then you deal with Kerberos and with golden tickets and with all this fun, and there's a lot of good stuff that you can do here. There's

also information that relates to lateral movement that relates only to Linux or to Mac, but I'm going to focus on Windows now. So how Kerberos works, just as an example. Anyone's familiar with Kerberos? Great, that's gonna be a very short lesson then. So yeah, so there's basically two tickets that you're using, and it's kind of like when you're going into an amusement park: you're getting one ticket, the TGT, the ticket granting ticket, which just allows you to get into the park but doesn't allow you to go on any of the rides, and then the other one is going to be a ticket that has to do with the service that you want to access. So it's

going to be a service ticket, and a service ticket is allowing you to access only a specific service, okay, like only the printer, or only the finance app, or only whatever. So that's exactly how Kerberos works. You start by identifying yourself; you don't use your password within the network, you're using basically a specific hash that you encrypt with your password, but then when you get a ticket you basically use it to authenticate yourself against Active Directory, or against the KDC, the key distribution center within Active Directory. And at that point, any time you want to access something that is Kerberos supported, you go back into the service center within the Active Directory, which is basically sitting within a domain

controller. You ask for that; depending on your user rights, you can get it. There's a ticket that Kerberos gives both to the server that you're trying to access and to you, and that's how you authenticate. Makes sense?

So in order to do that mapping between the Kerberos tickets that you're trying to access, or the services rather that you're trying to access, and those specific services, you need kind of a mapping schema, and it's called SPN. SPNs are basically the principal names of those services that Active Directory can give you access to, so it's basically telling you what those services are. So later on, when you want to access the service, you can say, okay, I want to access MySQL, or the Microsoft SQL solution, right? So if I'm getting this ticket I need to ask Active Directory for an SPN. I can use that also as a hacker: so if I'm getting a foothold within the

network, and now I want to figure out what's going on, I'm doing reconnaissance, the reconnaissance internally, I can start looking for all the SPN services within the network. Okay, so what they do is, and that's not necessarily going to be detected immediately, because that's the way it works, right? That's how other users will ask to access services within the network. That makes sense? So the SPN query, this query is not going to be detected, unless you run scanning. So what you do with scanning is basically you're trying to solve the problem by accessing each and every endpoint within the environment, and ping, and have to do scanning on the ports and figure out which services they

have. Instead of that, you can just do an SPN call to the domain controller and say: just send me back all those services that are Kerberos supported within the network. Okay, now this is something that normally shouldn't be done, and so the idea here is that if we try to look at identities that are doing stuff like that, like scanning the entire Active Directory for all services, or enumerating users, those kind of things, this is something that you can literally watch on the network, you can literally monitor, and the only question is, should we do it or not. The other thing that is dangerous when it goes into the Windows system and identity authentication is that there is

one big secret that only the domain controller knows, and that's called the krbtgt account password. Anyone's familiar with that? That's basically the account that the Kerberos system is using in order to hash their tickets, to prove that this is basically authorized, an authorization coming in from the Active Directory. So that secret is only known to the domain controller; nobody else knows that secret, and that's basically the way it allows you to define which services you're going to. So it takes the ticket, the ticket says okay, I'm allowed to go to that printer, and then it signs this with the krbtgt password. So everything is fine and dandy, but what if someone can get a hold on

to the domain controller, right? What if the user is basically somehow moving laterally, getting into the domain controller, and using mimikatz just to dump the hashes, which has the hash of the krbtgt account, the master hash, the key to the kingdom? If you get this thing, at this point you can create your own tickets; it's almost like you can print money, right? So at this point I can create what they call the golden ticket. So I can say, okay, the ticket is not going to have any expiration time, and by the way, this ticket is going to be able to access any other service in the network, and by the way, this ticket

belongs to user X. I don't even have to use my own user, so I can play someone else, and the ticket will work because I have the Kerberos account password. So this is how you look at it, right? The general admission is the first TGT, the first ticket that everyone needs to get in order to even authenticate itself against the Active Directory. Now every time, as a user, I will need to get an admin ticket for a specific user, but if I go through the attack patterns that I just mentioned, I'm getting the golden ticket; I can access anything on the network. Just one example of lateral movement; again, you can look at the MITRE ATT&CK framework to

learn others. This is a pretty powerful one. So what can we do about it? Well, here's the problem: a lot of those things are done by people, and the main question is, what's their intent? And one of the things I mentioned earlier, you know, when I came from threat intelligence, I looked at it and said, yeah, that makes sense. But when it comes to, you know, identity within the organization, I realized that sometimes people just make mistakes, sometimes people are just stupid, just doing stuff not because they have bad intentions. So that's why I was like, hmm, this whole threat thing is not always true, right? So how do we do that? How do we identify

activity and kind of try to figure out if that person just made a mistake, or maybe that's really a malicious actor, or maybe that's just a user that is trying to exfiltrate data because he's going to leave in a week and he's angry, right? All of those might have the same exact behavior. How do we differentiate? Because people will make mistakes, and people, adversaries included, have needs. So we need to understand people, almost like, to understand what motivates them, to start understanding their motivation; we need to understand their behavior. And is anyone familiar with Maslow's hierarchy of needs? Basically these commonalities around all of us, right? We all want this love, the affection;

sometimes we do things just to feel great about it; sometimes we do things because we want security; sometimes we don't do the right thing because we're afraid. All of those things should be kind of considered when we're looking at the users' activities. There are all kinds of different use cases, but it all comes to the individuals. And the problem is people don't like to change, and it's not necessarily a problem; it's actually kind of helping us, because when we're using user behavior analytics we are counting on that people are boring. So each and every one of us, I mean, when I say people are boring, I mean their behavior is boring, sorry, not people, but every time we go into

work, right, we go and log in, and probably logging into the same machine; we have kind of a pattern of behavior. There are working hours, there are specific servers that we're responsible to work on, and so over time we can kind of create a baseline, and that baseline is, generally speaking, not going to really change around people. So given all this stuff, right, people make mistakes, you know, people don't like to change, and people have some needs, how can we start learning what the normal behavior is? And we do that on the network, right? Today we're using network activity monitoring devices that tell us what is the bandwidth on the network,

what's the memory usage, what's the CPU usage, right? We're looking at activities with regards to seasons, right, the seasons of activities; we're looking at east-west, north-west, what have you; we're looking at the number of pages that are being hit on a specific website. We have ways to get that from a network perspective. Well, from a user's perspective it's a little bit more complicated, but we can still start to move into identifying what the right user behavior, or what a normal user behavior, is. So how can we do that? Well, first of all, we're starting to monitor that login information that I just mentioned earlier. Every time you log in to Active Directory, it's really

easy for us to know that. Every time you're logging into your applications through the firewall, we know that; we have monitoring on the firewalls. Every time you're accessing the network from a VPN, we can monitor that as well. That makes sense? Now we started to create a profile of user activity, and with time we know also, obviously, where you're working, which department you're working at, what your peer groups are doing, so we can compare your activity to others' activity within your team, or your activity to your activity a week ago. One thing that we can use is basically single sign-on. That's going to help us with what? Why can single sign-on help us with

identity behavior analytics? Anyone? Well, if you are signing in with the same username and password, I can eventually link that access to one specific username, and that username is going to be accountable for whatever is being done there. Okay, so think about it this way: if I have one account on a cloud and another account within the enterprise, and I access those in two different ways with two different passwords, how would anyone know that this is not two different people, right? You'll have to start making those links between the accounts. It's making it much easier if you have one username and password and are using single sign-on, and you basically have a unified view of the activity of the individual. So

there's a couple of pros and cons. Basically, the whole idea behind SSO is that it does help, both from a user experience perspective, right, you don't need to log in twice with a password again and again, and also it reduces the attack surface, because whenever you use your password you expose it, and there's a way, or the risk, that someone's going to get it. The con is that if someone's getting hold of your password, you probably lost access to much more, or many more, applications, right? So you need to be careful about that. Now, how are we doing timewise? We could be on time, yeah. The other option is MFA. Anyone familiar with those, with the phones that you get the alerts on whenever

there is a "we want to double check your authentication"? That's a great solution. Why? Because this is a physical phone that you hold, and it proves that you are who you claim you are. Okay, that's great. Also, if you're familiar with the key fob, right, anyone uses or used a key fob in the past? Same idea, one-time password. All of those things are helping to identify, double identify. There is a problem, however, with those, and the problem is that there's a lot of pushback from the organization on the usability, right? Imagine that you go to a place where every time you log in to your PC you have to approve that this is you by

punching, you know, getting an SMS and punching in a code. If you have an option, you're probably not going to stay at that workplace for long. So there just has to be some kind of a balance between the security requirements but also, you know, the user experience perspective. The plus, of course, is that definitely whenever you approve or verify, well, answer a challenge, you basically just prevented another event going into the same, another alert that will end up being a false positive, because it is you. So that's definitely helping the security organization. So what do we do? We start with the baseline. This is where the machine learning is getting into the space. We don't

know exactly what everyone's going to do and whatever they're going to use, so we need to look at a lot of parameters, we need to harvest all those indicators, and we need to do a machine learning baseline. The baseline is telling us, okay, this, from what we see, is normal, and then from here we're going to deviate. Every time it deviates, we give a small increment of risk score to the guy or the girl, right, and every time they're coming back to normal, we'll reduce it. So it's a dynamic thing, and it's not binary, it's not 0-1; it's always a risk score. It could be between zero and a hundred, that tells us, okay, how risky this user is. John is

eighty, Sarah is forty; probably I want to watch John a little bit closer than Sarah. That makes sense? So we continuously do that, and the risk score is not only based on the user's behavior analytics but also on the likelihood of this happening and the impact. In other words, if John is an administrator user, he should get a much higher risk score than Sarah, if Sarah is a user with basically no privileges, right? So depending on who you are, are you an executive, or are you a developer, or are you HR, or finance, you might get a higher risk score just by the nature of your privileges. So this is a table that I created that kind of shows an example of

what to look at when you create a risk score. So, assets, right: do you have access to the crown jewels, to the credit card service? Do you have services that are critical under your belt? Do you have executives that you have access to? Which applications are you logging into? And then these three baseline activities, like how often do you log in to that, where do you log in from geographically, etc. etc. And this is eventually how it's going to look, right: you can have Rita Parker having this activity history; her risk score has changed, and every time it changes up or down, we explain to ourselves, right, why it happened. And by the way, each and every

one of you guys has a risk score. You know why? Because you're using online banking and using activities that people, as consumers, are monitored on. So 90% of the banks today are monitoring the users and giving them some kind of a risk score. Each one of you guys has a risk score. Now, this whole machine learning thing is not, you know, a 100% kind of guarantee, and the problem behind it is that it really depends on those things that we mentioned earlier, right, mistakes; it improves over time. And so the idea is to look at it, but not necessarily to use it all the time as a prevention of activity. It's just a

risk score, and the risk score itself is going to improve with time, but it does give you an idea of where to look from a user's perspective. Well, actually, this video is funny.

All right, so this is one way to verify your authentication. So, getting close to summarizing, what we looked at is: we want to create a risk score that is based on your specific activities and specific impact, right? You can create a list of all kinds of impacts based on activities; then we can create a list of responses that are relevant to those activities, right? And you can basically, depending on your organization, you want to start being proactive. Depending on the risk, depending on the impact, you might just want to reset the password of a user, you want to force the user into an MFA challenge, you might want to basically go ahead and ask the user to

reset, not to reset, but to demote privileges, and you can keep on watching those things over time and see whether the user is really using those things, right? And then you can create policies, and the policies can be either written policies or actual automations within your organization that will look at the behavior and automatically take action: real-time response, okay. Adaptive challenge, for example: not MFA whenever you log in to a machine, but MFA whenever you log in for the first time to a server that you haven't logged into for the past six months. That makes sense? And also service accounts. Everyone is scared of service accounts: "I'm not going to touch it, right, like this can break something." Well, did it work in the past

week? Did it work in the past year? Does it have a weak password? What is the service account all about? I mean, we're too scared to break things, and we're not looking at what they're doing. Is it really a service account, or is there an administrator that is leveraging those accounts and using them manually? This is something that machine learning can easily find, because service accounts have specific times, specific ways they run. If it runs interactively, if it has an interactive login, that's probably a human being; that's not a script, that's not programmatic, right? So look at those things, and then start to be reactive, right? Look at the orchestration tools in your systems and see if they can

leverage those alerts and user behavior analytics. Look at blocking users that are really doing stupid stuff, right, really stupid stuff. Adaptive response: be more responsive to things. Now, Microsoft is doing some good stuff around it, have to give them credit, right? They're starting to work around understanding those Kerberos ticket weaknesses that I showed you earlier, the NTLM, and so what they're doing is starting to create what they call Credential Guard. They have a very specific memory space where they keep the information, so you cannot just dump it; you cannot just inject yourself into the LSASS DLL and see free text of passwords. But we still need to address the human activities

around passwords. Okay, we need to enforce strong enough passwords; we need to educate people to use their passwords responsibly, because this is the low-hanging fruit. We need to help with understanding, from a privilege perspective, that users that shouldn't have access to admin shouldn't be admin; local administrator in most cases is not required for regular users, and based on their activities, see if they're leveraging the privilege they have; if they don't, reduce it. In lateral movement, be aware of those specific cases, specific use cases from MITRE ATT&CK, and the specific one I mentioned here today, and try to monitor them, look at them over time, and create kind of a heat map where you see which

one of those tactics and techniques is used more in your network, and then with time you're going to identify where your weakest links are, all right, and then address those things. And eventually, don't forget that the kill chain is not only external threat; it's also internal threat. You need to look at those things as well. Block the kill chain earlier in the stages, in the beginning, before it really reaches the execution, by using those step-up authentications, the MFA challenge, the reset of password, those things that help you to identify whether this is a real user or this is a user that basically stole someone else's user. So, to summarize: there's a lot of similarities between internal and

external threats. Identity behavior can help us; identity is the new perimeter. We just need to leverage the tools. There's no silver bullet, right, but start thinking about those specific tools that are already out there in order to identify lateral movement, to identify password harvesting, and identify privilege escalation, and eventually try to start with controls that make this balance between user experience and security needs. Thank you, and I'm happy to answer any questions. [Applause]
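The speaker's SPN point (a sweep of service principal names is made of requests that individually look like normal ticket requests, so what is watchable is the volume and spread per identity) as an added worked example; this is illustrative detection code written for this page, not the speaker's or any product's. The log format, account names, SPNs, 10-minute window and threshold of 5 are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified service-ticket request records (not real audit
# logs): "<ISO timestamp> <account> <service principal name>". Names and
# hosts are made up for this example.
LOG = """\
2018-11-10T09:00:05 alice MSSQLSvc/db01.corp.example:1433
2018-11-10T09:00:40 alice HTTP/intranet.corp.example
2018-11-10T09:02:10 bob cifs/filesrv.corp.example
2018-11-10T11:30:00 alice MSSQLSvc/db01.corp.example:1433
2018-11-10T14:10:00 contractor7 MSSQLSvc/db01.corp.example:1433
2018-11-10T14:10:01 contractor7 MSSQLSvc/db02.corp.example:1433
2018-11-10T14:10:01 contractor7 HTTP/intranet.corp.example
2018-11-10T14:10:02 contractor7 cifs/filesrv.corp.example
2018-11-10T14:10:02 contractor7 ldap/dc01.corp.example
2018-11-10T14:10:03 contractor7 exchangeMDB/mail01.corp.example
2018-11-10T14:10:03 contractor7 TERMSRV/jump01.corp.example
2018-11-10T14:12:00 bob HTTP/intranet.corp.example
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed: distinct SPNs an ordinary user rarely needs at once


def parse(log: str) -> list:
    """Parse the constructed log into (timestamp, account, spn) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, spn = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), account, spn))
    return events


def spn_sweeps(events: list, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> dict:
    """Return {account: (distinct_spn_count, window_start, window_end)} for every
    account that requested >= threshold distinct SPNs inside one sliding window.
    One request per service is how Kerberos normally looks; many distinct
    services from one identity within minutes is the enumeration pattern."""
    recent = defaultdict(deque)   # account -> (ts, spn) requests still inside the window
    flagged = {}
    for ts, account, spn in sorted(events):
        q = recent[account]
        q.append((ts, spn))
        while q and ts - q[0][0] > window:   # expire requests older than the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold:
            prev = flagged.get(account)
            if prev is None or len(distinct) > prev[0]:   # keep the widest sweep seen
                flagged[account] = (len(distinct), q[0][0], ts)
    return flagged


if __name__ == "__main__":
    for account, (count, start, end) in spn_sweeps(parse(LOG)).items():
        print(f"{account}: {count} distinct SPNs between {start.time()} and {end.time()}")
```

Only `contractor7` trips the threshold: seven distinct services in three seconds. `alice` asks for two services and `bob` for one per window, which is what an ordinary workday looks like. The threshold and window are the knobs a defender tunes against their own baseline; the same function with `threshold=2` would also flag `alice`, which is the false-positive trade-off the talk warns about.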
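The risk-score model the speaker describes (a per-identity baseline, a small increment on each deviation, a reduction when behaviour returns to normal, weighting by privilege, and an interactive logon by a service account as a giveaway that a human is behind it) as an added worked example over constructed logon events; this is illustrative code written for this page, not the speaker's or any vendor's product. The events, role table, point values, warm-up length and decay factor are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample logon events (not real data): account, host, hour of
# day, Windows logon type (2 = interactive, 3 = network, 10 = remote
# interactive). Ordered as they would arrive.
EVENTS = [
    ("john", "WS-JOHN", 9, 2), ("john", "WS-JOHN", 10, 2), ("john", "WS-JOHN", 11, 2),
    ("john", "WS-JOHN", 9, 2),
    ("john", "DC01", 3, 10),                 # new host, 3 a.m., remote interactive
    ("sarah", "WS-SARAH", 9, 2), ("sarah", "WS-SARAH", 9, 2), ("sarah", "WS-SARAH", 10, 2),
    ("sarah", "FILESRV", 13, 3),             # new host during business hours
    ("sarah", "WS-SARAH", 9, 2),             # back to normal
    ("svc_backup", "FILESRV", 2, 3), ("svc_backup", "FILESRV", 2, 3),
    ("svc_backup", "FILESRV", 14, 2),        # interactive logon by a service account
]

# Assumed role table: the talk's "impact" factor, an admin deviation weighs more.
ROLE = {"john": "admin", "sarah": "user", "svc_backup": "service"}
PRIVILEGE_WEIGHT = {"admin": 2.0, "service": 1.5, "user": 1.0}
SERVICE_ACCOUNTS = {"svc_backup"}
POINTS = {"new-host": 15, "off-hours": 10, "service-account-interactive": 25}
WARMUP = 3    # normal events needed before host/hour deviations score
DECAY = 0.8   # score multiplier when an event matches the baseline


@dataclass
class Profile:
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    normal_events: int = 0
    score: float = 0.0
    history: list = field(default_factory=list)   # (host, hour, delta, reasons)


def deviations(p: Profile, host: str, hour: int) -> list:
    """Baseline deviations for one event; none until the baseline is seeded."""
    if p.normal_events < WARMUP:
        return []
    reasons = []
    if host not in p.hosts:
        reasons.append("new-host")
    if not any(abs(hour - h) <= 1 for h in p.hours):   # allow an hour of slack
        reasons.append("off-hours")
    return reasons


def score_event(p: Profile, user: str, host: str, hour: int, logon_type: int) -> float:
    """Update the profile for one event and return the score delta."""
    reasons = deviations(p, host, hour)
    # Rule, not baseline: a service account should never log on interactively.
    if user in SERVICE_ACCOUNTS and logon_type in (2, 10):
        reasons.append("service-account-interactive")
    if reasons:
        delta = sum(POINTS[r] for r in reasons) * PRIVILEGE_WEIGHT[ROLE[user]]
        p.score = min(100.0, p.score + delta)
        # Anomalous events do not train the baseline; otherwise an attacker's
        # new host would become "normal" after a single logon.
    else:
        delta = p.score * DECAY - p.score        # returning to normal lowers risk
        p.score *= DECAY
        p.hosts.add(host)
        p.hours.add(hour)
        p.normal_events += 1
    p.history.append((host, hour, delta, reasons))
    return delta


def build_profiles(events: list) -> dict:
    """Run every event through its owner's profile, in arrival order."""
    profiles = {}
    for user, host, hour, logon_type in events:
        p = profiles.setdefault(user, Profile())
        score_event(p, user, host, hour, logon_type)
    return profiles


def triage(profiles: dict, threshold: float) -> list:
    """Accounts at or above the threshold, riskiest first."""
    ranked = sorted(((u, p.score) for u, p in profiles.items()), key=lambda x: -x[1])
    return [(u, s) for u, s in ranked if s >= threshold]


if __name__ == "__main__":
    profiles = build_profiles(EVENTS)
    for user, score in triage(profiles, threshold=0):
        print(f"{user:12s} risk={score:5.1f} last={profiles[user].history[-1][3]}")
```

With these numbers John ends at 50 (a 3 a.m. remote interactive logon to a new host, doubled because he is an admin), Sarah at 20 (one new-host event decayed by a normal day after it), and the backup account at 37.5 from the single interactive logon, even though its baseline was still warming up. Nothing here is a verdict; it is the ordering of who to look at first, which is how the talk frames the score.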