Typically January is the month where we are asked to make predictions on the trends for the New Year. I do not like this as I am an engineer and not a fortune teller. But there are things we know and things we definitely need to drive this year. I would rather put it in the context of the basic hygiene every IT environment needs.
Let’s try to understand where we stand today. Compared with a few years back, we unfortunately see more skilled people in this space, looking for either fast money or information. The criminals are more skilled, and I guess we see state actors attacking infrastructures as well. The big change, however, is that these attacks are not what they used to be. Today they are targeted, executed by highly skilled people with a clear goal and with time. There is no rush, but they want to get a bang for the buck. They want to make sure that once they have penetrated a network, the probability of being discovered is low, and they want to stay in there as long as possible. This often leads to customers not knowing that they are compromised, and once they do figure it out, they cannot assess the impact because the attacker has been on the network longer than the backups of the logs are kept…
To be clear, this is not to scare anybody, this is the reality we have seen in many, many customer networks across the globe in the last one to two years.
If we look at a typical attack, it often follows similar patterns:
- The attacker seeks a way to compromise a first computer. This is usually done through social engineering, rarely through a sophisticated technical attack: the attacker drops USB sticks carrying infected code, sends a mail that motivates the user to click on a link, etc. All very well-known patterns.
- The user executes the malicious code, which mainly installs remote access software allowing the attacker to take over the machine. Most probably the user needs admin rights for this to work (not always; plenty of malware runs and persists with ordinary user rights).
- The attacker downloads the tools he needs and reads the credentials cached on the machine, i.e. the password hashes and tickets that Windows keeps in memory for every user who has logged on. The attacker can only do this with administrative privileges – in other words, if the user runs as admin (or the attacker finds a local privilege-escalation vulnerability).
- From here on the attacker moves laterally to other user machines, reusing the stolen hashes, until he finds a higher-value credential (typically that of an administrator who has logged on to one of those machines) that lets him move towards a higher-value target.
- This chain often ends with a compromised Domain Administrator and therefore a lost Active Directory: once the attacker holds those credentials, every account and every system in the domain has to be treated as compromised.
This describes a fairly typical attack leveraging Pass the Hash. The paper Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques describes this very well. If we look at the mitigations described in this paper, which directly address the attack pattern above, they are actually not too hard to implement – for the most part they are simply good network hygiene:
- Restrict and protect high privileged domain accounts
- Restrict and protect local accounts with administrative privileges
- Restrict inbound traffic using the Windows Firewall
These are kind of the key mitigations, however there are some key recommendations in this paper, which should be implemented:
- Remove standard users from the local administrators group: How long have we been talking about this? User Account Control, which came with Windows Vista, was the technology that made it practical. It is really, really hard with Windows XP!
- Limit the number and use of privileged domain accounts: To me this goes in the same bucket as the local admin issue. The fewer accounts can do everything, the fewer there are to steal…
- Configure outbound proxies to deny Internet access to privileged accounts: Why should your Domain Administrator be able to access an obscure server somewhere in a foreign country? Browsing with a privileged account exposes exactly the credential you cannot afford to lose.
- Ensure administrative accounts do not have email accounts: Obvious, no? Mail is the usual way the first machine in the chain above gets compromised. You would be surprised how often we see admins doing daily business tasks with privileged accounts.
- Use remote management tools that do not place reusable credentials on a remote computer’s memory: This is a bit harder to do, but it should and can be done. Remote Desktop, for example, is an interactive logon and leaves reusable credentials in the remote machine’s memory; tools that use a network logon, such as PowerShell remoting or MMC snap-ins, generally do not.
- Avoid logons to less secure computers that are potentially compromised: Every logon with a privileged account to a workstation is an opportunity for whoever already sits on that workstation.
- Update applications and operating systems: Patch, patch, patch. And then keep your software on the latest versions. I will come back to this.
- Secure and manage domain controllers: They are the most valuable target in the chain above and should be treated accordingly (no browsing, no email, no unrelated software).
- Remove LM hashes: The LM hash is trivially cracked, and every password of 14 characters or fewer gets one unless you turn it off (NoLMHash); existing LM hashes only disappear when the password is changed afterwards.
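A check that a workstation actually meets the local-machine items on this list, as an added example that is neither from the paper nor Microsoft IT tooling: it lists every member of the local Administrators group that is not on an allow list, verifies that LM hash storage is turned off and that the NTLM level is set, and verifies that no Windows Firewall profile is off or allowing inbound traffic by default. The allow list and the CONTOSO group name are assumptions; run it elevated on Windows 8 / Server 2012 or later (Get-NetFirewallProfile does not exist on Windows 7).

```powershell
# Added example: local credential-hygiene audit for one machine. Run elevated.
# Assumption: these are the only principals allowed in the local Administrators group.
$AllowedLocalAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (rename/disable it separately)
    'CONTOSO\Workstation Admins'          # assumed domain group used by desktop support
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Members of the local Administrators group. ADSI works on every supported Windows
#    version, unlike Get-LocalGroupMember, which only exists on newer releases.
$group = [ADSI]'WinNT://./Administrators,group'
foreach ($m in @($group.psbase.Invoke('Members'))) {
    $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
    $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    # Domain principal: WinNT://DOMAIN/name ; local account: WinNT://DOMAIN/COMPUTER/name
    $scope  = (($path -replace '^WinNT://', '') -split '/')[-2]
    $member = "$scope\$name"
    if ($AllowedLocalAdmins -notcontains $member) {
        $findings.Add("Unexpected local administrator: $member")
    }
}

# 2. LM hashes. NoLMHash=1 stops new LM hashes from being stored (old ones stay until the
#    password changes); LmCompatibilityLevel >= 3 stops the client from sending LM/NTLMv1
#    responses, 5 refuses them on the server side as well.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1) {
    $findings.Add('LM hash storage not disabled (Lsa\NoLMHash is not 1)')
}
if (-not $lsa.PSObject.Properties['LmCompatibilityLevel'] -or $lsa.LmCompatibilityLevel -lt 3) {
    $findings.Add('LmCompatibilityLevel missing or below 3; set it to 5 via Group Policy')
}

# 3. Windows Firewall. 'NotConfigured' means the built-in default, which is On / Block,
#    so only an explicit Off or an explicit inbound Allow is a finding.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -eq 'False' -or $p.DefaultInboundAction -eq 'Allow') {
        $findings.Add("Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)")
    }
}

if ($findings.Count -eq 0) { "No findings on $env:COMPUTERNAME" } else { $findings }
```

Run it across the estate through remoting or a scheduled task and collect the output centrally; a machine that reports an unexpected local administrator is exactly the machine the attack chain above needs.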
That’s not too hard to do, is it? It should be part of the natural, everyday maintenance of your network, shouldn’t it?
One point not mentioned so far is monitoring. This is all about finding the needle in the haystack, but it can be done – we (at Microsoft) do it. Why should a machine all of a sudden connect to another country when it never did before? There might be reasons for this, but sometimes there are none. If you read my latest post, you see one of these examples: An Attack via VPN – Really?
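One way to find that particular needle, as an added example that is not Microsoft IT’s tooling: build a baseline of which destination countries each host, and the organisation as a whole, has talked to during the first two weeks of proxy logs, then alert on every later connection to a country that is new for that host. The log lines are constructed for illustration and use RFC 5737 documentation addresses; the country column is assumed to have been added by GeoIP enrichment when the log was collected, and ZZ is a placeholder code for the unexpected country. Requires PowerShell 3.0 or later.

```powershell
# Added example: "first contact with a new country" detection over proxy/firewall logs.
# Constructed sample log: date time host srcip dstip country dstport. The country column
# is an assumption (GeoIP enrichment at collection time); ZZ stands in for the odd one out.
$log = @'
2013-01-07 08:12:03 WS-0142 10.1.4.12 192.0.2.10   US 443
2013-01-07 09:40:11 WS-0203 10.1.4.77 192.0.2.10   US 443
2013-01-08 10:02:45 WS-0142 10.1.4.12 198.51.100.7 DE 443
2013-01-10 11:15:09 WS-0203 10.1.4.77 198.51.100.7 DE 80
2013-01-15 08:03:27 WS-0142 10.1.4.12 192.0.2.10   US 443
2013-01-16 02:47:55 WS-0203 10.1.4.77 198.51.100.7 DE 443
2013-01-16 02:48:13 WS-0203 10.1.4.77 203.0.113.45 ZZ 443
2013-01-17 09:30:00 WS-0142 10.1.4.12 198.51.100.7 DE 443
2013-01-18 03:12:40 WS-0142 10.1.4.12 203.0.113.45 ZZ 443
'@

# Parse into objects, one per connection, sorted by time.
$events = $log -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
    ForEach-Object { $_ -replace '\s+', ',' } |
    ConvertFrom-Csv -Header Date,Time,Host,SrcIP,DstIP,Country,DstPort |
    ForEach-Object {
        $_ | Add-Member -MemberType NoteProperty -Name When -Value ([datetime]"$($_.Date)T$($_.Time)") -PassThru
    } | Sort-Object When

$BaselineEnd = [datetime]'2013-01-14'   # assumption: the first two weeks of log define "normal"
$seenByHost  = @{}                      # "host|country" -> first time seen
$seenByOrg   = @{}                      # country        -> first time seen on any host
$alerts      = @()

foreach ($e in $events) {
    $key = '{0}|{1}' -f $e.Host, $e.Country
    if ($e.When -gt $BaselineEnd -and -not $seenByHost.ContainsKey($key)) {
        # A country nobody in the organisation has ever talked to is the stronger signal.
        if ($seenByOrg.ContainsKey($e.Country)) { $scope = 'new for this host' }
        else                                    { $scope = 'new for the whole organisation' }
        $alerts += [pscustomobject]@{
            When    = $e.When
            Host    = $e.Host
            DstIP   = $e.DstIP
            Country = $e.Country
            Scope   = $scope
        }
    }
    # Learn from every event, baseline or not, so each (host, country) pair alerts only once.
    if (-not $seenByHost.ContainsKey($key))      { $seenByHost[$key]      = $e.When }
    if (-not $seenByOrg.ContainsKey($e.Country)) { $seenByOrg[$e.Country] = $e.When }
}

$alerts | Format-Table -AutoSize
```

On the sample data this produces two alerts: WS-0203 reaching ZZ on 16 January at 02:48 (new for the whole organisation) and WS-0142 following on 18 January (new for this host); the later DE connections are silent because both hosts already talked to DE during the baseline. The obvious caveat is baseline poisoning: if the attacker was already inside while the baseline was built, his destination looks normal, which is one more reason to keep logs longer than the dwell times described above and to combine this with other signals such as the off-hours timestamps in the sample.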
Let me add a few final comments:
- A lot of customers we find compromised are surprised that they have unpatched machines (well, some of them have unpatched machines and are not surprised…). Implement a strong patch management process, involving not only the Microsoft product suite. Ours is the easiest to keep up to date. I did not say it is easy, I said it is the easiest based on the technology, the update mechanism and the information we provide. That’s not only me saying this, a lot of customers tell me this.
- Get off Windows XP!
That’s probably the number 1 thing which keeps me up at night. There are too many Windows XP machines out there. Windows XP is more than a decade old! Think back to how you used the Internet a decade ago and then think again about the ability of Windows XP to protect you. It does not anymore. It was a great OS, it is rock-solid and just works – but it is out of date! I have two slides showing the evolution of the Internet and the evolution of the threat landscape as well as the evolution of security in Windows since Windows 95. If you are interested, I am happy to share.
- Implement network isolation: At Microsoft IT, we use IPsec authentication to segment the network and isolate trusted from less trusted from untrusted systems. This is a technology which has been out there for ages – use it.
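Two inventory checks for the patching and Windows XP points above, as an added example rather than Microsoft’s own tooling: the operating-system breakdown of the domain from Active Directory, flagging Windows XP and Server 2003 as well as computer accounts that have not logged on for 90 days, and the list of updates this host is still missing according to the Windows Update Agent. The first part needs the ActiveDirectory module from RSAT; the 90-day threshold is an assumption.

```powershell
# Added example: what still runs in the domain, and what this host is still missing.
Import-Module ActiveDirectory   # RSAT; queries the domain this machine is joined to

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

# Operating-system breakdown of all enabled computer accounts.
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Versions that no longer get security updates (or will not for much longer).
$legacy = @($computers | Where-Object { $_.OperatingSystem -match 'Windows XP|Windows Server 2003|Windows 2000' })
"Legacy systems still enabled in AD: $($legacy.Count)"
$legacy | Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    Format-Table -AutoSize

# Stale accounts (assumed threshold: no logon for 90 days) are unpatched by definition and
# show that the inventory does not match reality; disable or delete them.
$StaleAfter = (Get-Date).AddDays(-90)
$stale = @($computers | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $StaleAfter })
"Computer accounts with no logon since $($StaleAfter.ToShortDateString()): $($stale.Count)"

# Missing updates on this host, straight from the Windows Update Agent. The search goes to
# whatever the client is configured for (WSUS or Microsoft Update), so it needs that connection.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
"Updates missing on ${env:COMPUTERNAME}: $($missing.Count)"
$missing | ForEach-Object {
    [pscustomobject]@{
        KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $_.MsrcSeverity
        Title    = $_.Title
    }
} | Format-Table -AutoSize
```

The second half only covers what Windows Update knows about; third-party software, which the patching point above explicitly includes, needs its own inventory.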
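What the isolation piece looks like in policy terms, as an added example; this is not Microsoft IT’s configuration, only the standard building blocks: an IPsec rule that requires Kerberos machine authentication for all inbound traffic and requests it outbound, an exemption for infrastructure that must be reachable before authentication can work, and a firewall rule that only admits authenticated peers from an assumed domain group. It needs the NetSecurity cmdlets (Windows 8 / Server 2012 or later); the addresses and group names are assumptions, and the rules are created disabled so they can be reviewed and tested on a lab machine before being enabled.

```powershell
# Added example: domain isolation with IPsec, built from the standard NetSecurity cmdlets.
# All addresses and group names are assumptions; every rule is created with -Enabled False.

# Phase 1 authentication: the machine proves domain membership with Kerberos.
$kerbMachine = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1      = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $kerbMachine

# Infrastructure that must be reachable before IPsec can be negotiated at all.
$Exempt = @('10.1.0.10', '10.1.0.11')   # assumption: domain controllers, which are also DNS
New-NetIPsecRule -DisplayName 'Isolation exemption: domain controllers' `
    -RemoteAddress $Exempt -InboundSecurity None -OutboundSecurity None -Enabled False

# Everyone else: inbound connections must be authenticated; outbound authentication is only
# requested, so trusted hosts can still reach printers and other untrusted systems.
New-NetIPsecRule -DisplayName 'Domain isolation' -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Enabled False

# A tier inside the trusted zone: only members of an assumed AD group may reach RDP at all.
# The SDDL is built from the group's SID, so renaming the group later does not break the rule.
$group = [System.Security.Principal.NTAccount]'CONTOSO\Tier1 Admin Workstations'
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'RDP only from admin workstations' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -RemoteMachine "O:LSD:(A;;CC;;;$sid)" -Enabled False
```

Enable the exemption first, then the isolation rule, and check with Get-NetIPsecMainModeSA that security associations are actually established with peers before you turn inbound enforcement on for a whole segment; a machine that cannot reach a domain controller cannot authenticate and will simply go dark.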
Therefore, if you think about network hygiene in 2013, look at the points above and get started. It is basically just normal maintenance of your network. Just do it.