Privilege Escalation Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Slides:



Advertisements
Similar presentations
Thank you to IT Training at Indiana University Computer Malware.
Advertisements

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.
Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Cryptography and Network Security Chapter 20 Intruders
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.
Alisha Horsfield INTERNET SAFETY. firewall Firewall- a system made to stop unauthorised access to or from a private network Firewalls also protects your.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
IT Security for Users By Matthew Moody.
The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Staying Safe Online Keep your Information Secure.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Computer Security Preventing and Detecting Unauthorized Use of Your Computer.
0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Security at NCAR David Mitchell February 20th, 2007.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Security. Security Flaws Errors that can be exploited by attackers Constantly exploited.
Security CS Introduction to Operating Systems.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Hacking Windows 9X/ME. Hacking framework Initial access physical access brute force trojans Privilege escalation Administrator, root privileges Consolidation.
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam
Topic 5: Basic Security.
Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
Cyber Safety Mohammad Abbas Alamdar Teacher of ICT STS Ajman – Boys School.
Role Of Network IDS in Network Perimeter Defense.
Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.
CSCE 201 Identification and Authentication Fall 2015.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
Understanding Security Policies Lesson 3. Objectives.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Understanding Security Policies
Malware and Computer Maintenance
Common Methods Used to Commit Computer Crimes
Disruption Baseline, Monitor, Detect, Analyze, Respond, & Recover
Lesson Objectives Aims You should be able to:
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
Cybersecurity Awareness
Stealing Credentials.
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Cyber Operation and Penetration Testing Online Password Cracking Cliff Zou University of Central Florida.
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
6. Application Software Security
Presentation transcript:

Privilege Escalation Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile

Overview Privilege Escalation – Concepts, Examples, Motivations Hands-on Cyber Attack – Concept – Establishing a Baseline – Demonstration of the Attack – Monitoring & Detection – Analyzing the Attack – Response & Recovery – Enacting Mitigation Actions 2

Privilege Escalation Privilege Escalation is the act of obtaining credentials (usernames, passwords, key files, etc), beyond what is normally available to them, for the purpose of accessing systems or information. 3 SYSTEM ADMIN ADMIN USERUSER USER

Privilege Escalation Some Examples: Username / Password Brute Forcing – try combinations of usernames and passwords until a working set is found Keystroke Loggers – installation of programs to capture keyboard input, with the purpose of finding usernames and passwords Social Engineering – eliciting information directly from personnel Exploits - Buffer overflows, impersonation, or other technical attacks against an operating system or application 4

Privilege Escalation Username / Password Guessing Requires 3 Pieces of Information: – An IP Address, Application, or other “Target” – A Username – A Password This is not so difficult for the attacker: – She will usually know the target already (2 pieces left) – She can usually guess the username (root, admin, or administrator – 1 piece left) – She only needs to guess the password 5

Privilege Escalation Attackers use what’s called a “dictionary attack” to build lists of possible passwords from dictionary words – Password dictionaries include thousands of words, and exist for just about every language, including Klingon… – Some dictionaries or password crackers (e.g. John the Ripper) will improve standard dictionary words by making typical substitutions and creating another possible password (e.g. root become r00t and root!) – usually referred to as “hybrid” – There are also dictionaries for “keyboard progression” passwords (e.g. 6

Privilege Escalation If the dictionary attack doesn’t work, an attacker may try to brute force the password – This takes an incredibly long time assuming ideal conditions, but is guaranteed to work at some point (perhaps in 150 years!) – There are ways to speed this up (parallel attempts, pre-computed password hashes, etc) 7

Privilege Escalation Keystroke Loggers are Commonly Available The hard part for the attacker is getting one installed and the captured keystrokes out They can be installed by: – Malware or trojans (“check out this new game”) – Social engineering (“please copy this document from my USB pen drive”) – Physical access (unlocked computer) Once running, they send the captured information out through the network, or store it for later pickup 8

Privilege Escalation Keystroke Loggers 9

Privilege Escalation Social Engineering is Usually Easy! – Doesn’t require any technical tricks – People are often very friendly and helpful For example, “Hi I’m Bob from Registrar X – please validate your account for me” The lower threat to the attacker, the more likely they are to try it: – s are free – Phone calls can be traced, but “throw away” phones are available 10

Privilege Escalation More subtle social engineering attempts are “spear” phishing messages which look like the real thing 11

Privilege Escalation The Technical Tricks of Privilege Escalation are Many – See MetaSploit, Core’s IMPACT, or milw0rm.com 12 Operating Systems Applications Web Applications Buffer / Heap / Stack Overflows SQL Injection Remote & Local

Privilege Escalation Who Does Privilege Escalation: – Employees – “I want to see some else’s inbox” – Hackers – “I need the router password to shut it down” – Competitors – “I need Bob’s password to see his files” Motivations: – Access information or systems they wouldn’t normally have access to – Corporate espionage – Conduct larger cyber attack 13

Privilege Escalation Why are these attacks important to you? – Violates the security policy of your system and allows people access they wouldn’t normally have – Potentially compromise sensitive information – Potentially provide access for malicious attacks These attacks usually follow enumeration, as the attacker has found an “interesting” system and wants to access it These attacks may affect your network – Technical exploits are often unstable, causing seemingly random operating system or application crashes 14

Privilege Escalation 15 Cyber Attack - SSH Brute Forcing - While we have chosen SSH to demonstrate this type of attack, there are many, many vectors for conducting brute force attacks. Any externally visible server or application which accepts a username / password is vulnerable to this type of attack SSH, Telnet, SCP, FTP, etc Microsoft Terminal Services, VNC, other Remote Desktops Web Applications

Privilege Escalation Cyber Attack – SSH Administrators frequently access systems via SSH to perform maintenance, monitor their systems… – SSH is an excellent replacement for TELNET, but is still susceptible to attack (its more difficult). Some administrators allow remote access to SSH so they can perform their administrative duties while on the road or from home 16

Privilege Escalation Cyber Attack – SSH Malicious actors might target SSH servers: – Because they are remotely accessible – Attempt to brute force a username / password Why? – Establish remote access – Find credentials they wouldn’t normally have 17

Privilege Escalation Cyber Attack – SSH Recall the components needed for this attack – Target IP address, Username, Password We will try various username / password combinations on your externally visible SSH server 18 © Norwegian Honeynet Project Powered by Wordpress/Arcsin.WordpressArcsin

Privilege Escalation Cyber Attack – SSH Recall Our Secure Operations Framework 19 Monitor Detect Respond Recover Analyze Baseline

Privilege Escalation Cyber Attack – SSH Establish a Baseline for What’s Normal for Your Network: – Who would connect via SSH to your servers? (username) – Where would they connect from? (source IP) – When would they do it? (time) Use this baseline to compare what you currently see to what you expect – Any differences are an indication of something going on! 20

Privilege Escalation Cyber Attack – SSH 21 Attack Demonstration Tail –n 40 –f /var/log/auth.log

SSH Brute Force Attack

Failed Attempts Password/Username Match & Connection

Privilege Escalation Cyber Attack – SSH Monitoring & Detection – Configure your network to detect SSH login attempts – Monitor your detection tool(s) – Establish a Baseline 24 Ex: SSH Logging with SWATCH

Privilege Escalation Cyber Attack – SSH 25 Attack Demonstration (This time you can see how your network views the attack)

Privilege Escalation Cyber Attack – SSH Analysis - what did your detection tools report? Is this really an attack? – SSH Server Logging – Log Analysis What usernames were attempted? Where is attack coming from? Did any of the attempts work? – You may have to correlate multiple sources of information to determine this: – Failed attempts & Successful Attempts – If you see many failed attempts and they stop – one of two things has happened – they gave up or it worked! 26

Privilege Escalation Cyber Attack – SSH Response Actions – aka “I’m Under Attack – What Do I Do Now?!” 1)Prioritize – is anything else happening? 2)Temporarily lock or deactivate the account being used 3)Shut down SSH server 4)Block source IPs at the firewall The action you take must depend on: – What you’re willing to do (firewall discipline) – What you’re willing to live without (shut down SSH) – What you can do quickly (deactivate an account) 27

Privilege Escalation Cyber Attack – SSH Recovery Actions – The attack is over – how do I prevent this again? 1)Ask yourself “What _could_ have happened here?” 2)Use Strong Passwords on Accounts 3)“Whitelist” access to certain IPs 4)Use Identity Key Files for SSH logins 5)Restrict SSH access to specific accounts 6)Configure Max Attempts in SSH 7)Configure Firewall Settings as additional protection - See sshguard for more information 8)Require VPN use 28

Privilege Escalation Cyber Attack – SSH What Other Mitigation Steps Would You Take? – What is appropriate for your network & resources? – Make the attacker’s job as difficult as possible without affecting your ability to your job If your network is difficult to crack, all but the dedicated hackers will move on to someone else! 29 DISCUSSIONS ??

Privilege Escalation Cyber Attack – SSH Enact Mitigation Actions – Secure your SSH Configuration 30 Ex: Securing SSH

Privilege Escalation Cyber Attack – SSH 31 Final Attack Demonstration

Privilege Escalation Cyber Attack – SSH Attack Discussion – Did the mitigation steps help? – How else can you protect your network? – Remember the risk decision: If the risk of remote access by an attacker is greater than the benefit of allowing your admins remote access – turn it off! Other Thoughts Before We Move On? 32

QUESTIONS? 33 ? Do you have any questions about … –Privilege Escalation –Detecting This Type of Attack –Responding & Recovering From This Type of Attack

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.