Webinar 1521 Slides
Why Multi-factor Authentication Can’t Prevent Pass-the-Hash Attacks and Alternative Mitigation Methods
10/4/2018
• Password hashing
• NTLM challenge / response
• Pass-the-Hash
• Preview of key MFA points: OTP, Push, Smartcard
• Really mitigating PtH: ESAE, NTLM blocking, injecting MFA into network logons when warranted

Common misconception: require multi-factor authentication at the desktop and now all resulting access is protected.
How Pass-the-Hash Works
• Password hashing
• NTLM Challenge/Response Protocol
• Pass-the-Hash

Password hashing: Password → Hashing Algorithm → Hash, stored in Active Directory / SAM
Changing risks
• The risks used to be about cracking password hashes back to the clear-text password
• Windows got better at protecting hashes and hashing in general
• PtH came along so that you don’t NEED the clear-text password, just the hash, to access REMOTE computers, because of NTLM challenge / response
NTLM challenge / response (Client and Server):
Client: "I want to logon to you"
Server: sends a Challenge
Client: encrypts the Challenge, using the NTLM hash as the key, and sends the Response
Server: encrypts the Challenge with its own copy of the hash and compares it to the Response: "OK you are authentic, come on in"

Pass-the-Hash (Attacker and Server):
Attacker: collects hashes, then "I want to logon to you"
Server: sends a Challenge
Attacker: encrypts the Challenge with the collected NTLM hash and sends the Response
Server: encrypts the Challenge with its copy of the hash and compares it to the Response: "OK you are authentic, come on in"
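The two exchanges above, worked through as an added example (this code is not from the webinar or from STEALTHbits): a pure-Python NT hash (MD4 over the UTF-16LE password, written out because hashlib's MD4 is often unavailable), the NTLMv2 response computation from MS-NLMP, and the server's recompute-and-compare step. The user, domain, challenge and blob bytes are constructed sample values. Running it shows that the response produced from the stored hash alone is byte-for-byte the one the legitimate client produces, and that the server has nothing else to compare, which is why the hash is a password-equivalent and the desktop MFA prompt is simply not part of this exchange.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because many OpenSSL builds no longer
    expose MD4 through hashlib, and the NT hash is MD4 of the password."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): the value held in the SAM / Active Directory."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 response as specified in MS-NLMP. The only secret that enters the
    computation is the NT hash; the clear-text password is never needed."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes, response: bytes) -> bool:
    """Server side of the slide's 'Encrypt / Compare' step: recompute from the
    stored hash and compare. Nothing else about the client is visible here."""
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, response)


def exchange(user: str = "bob", domain: str = "CORP") -> dict:
    """Constructed exchange: the same logon answered from the password and from
    the hash alone. Challenge and blob are fixed, constructed sample bytes."""
    # Well-known NT hash of the sample password "password"; the DC stores this value.
    stored = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed; normally random
    client_blob = b"\x01\x01" + b"\x00" * 6 + b"constructed-client-blob"
    from_password = ntlmv2_response(nt_hash("password"), user, domain, server_challenge, client_blob)
    from_hash_only = ntlmv2_response(stored, user, domain, server_challenge, client_blob)
    return {
        "responses_identical": from_password == from_hash_only,
        "server_accepts_hash_only": server_verify(stored, user, domain, server_challenge,
                                                  client_blob, from_hash_only),
    }
```

The server's compare step is the only control point inside the protocol, and it cannot ask for a second factor; that is why the mitigations discussed later sit outside NTLM: keeping the hash out of reach, blocking NTLM where possible, or triggering MFA from a monitor that sees the network logon happen.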
• User enters password at workstation (plus OTP factor)
• Logon: logon session begins
• Privileged malware obtains the password hash artifact
• Using PtH, accesses remote system as user
• Smartcard interactive logon: no smart card required at the remote system
Where MFA Protects You
• Keeps other users from logging on as Bob interactively at a workstation
• Other applications and websites where MFA is synchronously required
Red Forest / ESAE
Domain Admins
Inject MFA demands into network logons based on dynamic risk assessment
Jeff will demonstrate a new capability that allows you to monitor for likely PtH exploitation and immediately use MFA in response to determine if the user is in control – or an attacker…

Copyright © 2018 STEALTHbits Technologies, Inc. All rights reserved. | STEALTHbits Confidential
Guidance from Microsoft
• Assume breach
• The problem cannot be solved by
implementing a single strategy or deploying
a single feature
• When an effective program is implemented,
attackers may find too many barriers and
trigger detection mechanisms that could
help organizations stop the attack.
Attacks That Bypass MFA

Credential Theft Barriers
System Configuration
• Storing Credentials in Registry/Memory
• Credential Guard
Access Control
• Local Administrators
• Logon Policies
• Protected Users
Best Practices
• LM Hashes
• Password Policy (Strong, Unique, Rotating)
• ESAE
MFA Supported Applications
Interactive Login: MFA

No MFA for Non-Interactive Logins
MFA: interactive login
No MFA: NTLM hash, TGT / TGS

The STEALTHbits Approach
• Interactive login (logon type 2, 10): MFA
• Normal logins (logon type 3, 4, 5, 9) with the NTLM hash or TGT / TGS: no MFA
• Abnormal logins (logon type 3, 4, 5, 9): MFA
Securing Credential Storage - Registry
Number of previous logons to cache

Securing Credential Storage - LSASS
TokenLeakDetectDelaySecs (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
StealthDEFEND
Data Sources: Active Directory, SIEM, …
StealthDEFEND: Threats, Response Playbooks, Data Context, Alerts, Investigations

StealthDEFEND Threat Models
Threat Response – Credential Compromise
START BEHAVIOR → Behavior: Pass-the-Hash, Pass-the-Ticket → MFA
MFA - PASSED → Approve
MFA not passed → Deny AuthN, Block Account, Kill Sessions, Escalate Incident (Alert, Ticket, etc.)
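The logon-type policy from "The STEALTHbits Approach" slide and the playbook above, as an added illustration (this is not StealthDEFEND's code or its actual risk model): logon types 2 and 10 are treated as already covered by the desktop MFA prompt, logon types 3, 4, 5 and 9 get no prompt unless the logon looks abnormal, and an abnormal one is sent through the MFA-passed and not-passed branches of the playbook. The "abnormal" rule used here (a network-style logon from a host where the user has no interactive session) is a hypothetical stand-in for the product's dynamic risk assessment, and the 4624-style lines, user names and host names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Logon types as grouped on the slides (Security event 4624 "Logon Type").
INTERACTIVE = {2, 10}         # Interactive, RemoteInteractive: the desktop MFA prompt happens here
NETWORK_STYLE = {3, 4, 5, 9}  # Network, Batch, Service, NewCredentials: no MFA prompt at all

# Constructed sample stream in a key=value shape (not real event text).
SAMPLE_EVENTS = """\
4624 user=bob type=2 package=Kerberos src=WS-BOB dst=WS-BOB
4624 user=bob type=3 package=Kerberos src=WS-BOB dst=FILESRV01
4624 user=alice type=10 package=Kerberos src=JUMP01 dst=ADMIN-VM
4624 user=alice type=3 package=Kerberos src=ADMIN-VM dst=DC01
4624 user=bob type=3 package=NTLM src=WS-SALES-17 dst=FILESRV01
4624 user=bob type=3 package=NTLM src=WS-SALES-17 dst=DC01
""".splitlines()

# Actions from the 'Threat Response – Credential Compromise' slide, not-passed branch.
PLAYBOOK_ON_FAILURE = ["deny_authn", "block_account", "kill_sessions", "escalate_incident"]


@dataclass
class Logon:
    user: str
    logon_type: int
    package: str   # NTLM or Kerberos
    src: str       # where the logon request came from
    dst: str       # host that created the logon session


def parse(line: str) -> Logon:
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Logon(fields["user"], int(fields["type"]), fields["package"], fields["src"], fields["dst"])


def assess(events: List[Logon]) -> List[Tuple[Logon, str]]:
    """Hypothetical stand-in for the dynamic risk assessment: an interactive logon
    records where the user's session lives; a network-style logon that does not
    originate from one of those hosts is treated as abnormal."""
    sessions: Dict[str, Set[str]] = {}
    decisions = []
    for ev in events:
        if ev.logon_type in INTERACTIVE:
            sessions.setdefault(ev.user, set()).add(ev.dst)
            decisions.append((ev, "MFA_AT_LOGON"))
        elif ev.logon_type in NETWORK_STYLE:
            normal = ev.src in sessions.get(ev.user, set())
            decisions.append((ev, "NORMAL_NO_MFA" if normal else "ABNORMAL_STEP_UP_MFA"))
        else:
            decisions.append((ev, "OUT_OF_SCOPE"))
    return decisions


def respond(decision: str, mfa_passed: bool) -> List[str]:
    """Playbook branch: approve on MFA passed, otherwise deny / block / kill / escalate."""
    if decision != "ABNORMAL_STEP_UP_MFA":
        return ["allow"]
    return ["approve"] if mfa_passed else list(PLAYBOOK_ON_FAILURE)


def run(lines: List[str], mfa_oracle: Callable[[str], bool]) -> List[Tuple[str, str, List[str]]]:
    """mfa_oracle(user) stands in for the push / OTP prompt sent to the real user."""
    results = []
    for ev, decision in assess([parse(line) for line in lines]):
        needs_prompt = decision == "ABNORMAL_STEP_UP_MFA"
        passed = mfa_oracle(ev.user) if needs_prompt else False
        results.append((ev.user, decision, respond(decision, passed)))
    return results


if __name__ == "__main__":
    # Constructed: Bob does not approve the prompt, so the playbook fires on his NTLM logons.
    for row in run(SAMPLE_EVENTS, lambda user: {"bob": False}.get(user, True)):
        print(row)
```

The point of the rule is that the second factor is only demanded where the interactive prompt never happened: Bob's first network logon comes from the workstation where he typed his password and OTP, so it passes silently, while the NTLM logons from WS-SALES-17 have no interactive session behind them and are the ones a push prompt can arbitrate.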
STEALTHbits’ Solution
collection, monitoring, remediation, response
STEALTHbits’ Active Directory Product Portfolio
Product: Purpose
StealthAUDIT for Active Directory: State-based auditing, analysis, reporting, management and governance for Active Directory objects, configurations, and Group Policy Objects
Active Directory Permissions Analyzer: State-based auditing, analysis, and reporting for Active Directory object-level permissions
StealthDEFEND for Active Directory: Real-time monitoring and prevention of Active Directory changes and authentication, attack detection and prevention, and behavior analytics
StealthINTERCEPT for Active Directory: Real-time change monitoring and control for AD objects, configurations, Group Policy Objects, and AD-integrated DNS
StealthINTERCEPT Enterprise Password Enforcer: Real-time prevention of weak, well-known, and unapproved passwords
Next Steps
• Learn More
– Attack Tutorials https://attack.stealthbits.com
– Attack Series https://blog.stealthbits.com
– Products https://www.stealthbits.com
• Try Us Out
– Free Trial https://www.stealthbits.com/free-trial
• Contact Us
– Email info@stealthbits.com
– Phone +1.201.447.9300
– Web https://www.stealthbits.com/contact
©STEALTHbits Technologies, Inc. All rights reserved. STEALTHbits and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of STEALTHbits Technologies as of the date of this presentation. Because STEALTHbits must respond to changing market conditions, it should not be interpreted to be a commitment on the part of STEALTHbits, and STEALTHbits cannot guarantee the accuracy of any information provided after the date of this presentation. STEALTHBITS MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.