BlackHat资料us-14-Hathaway-Why-You-Need-To-Detect-More-Than-PtH.pdfVIP

Why You Need to Detect More Than PtH Matt Hathaway, Senior Product Manager, Rapid7 Jeff Myers, Lead Software Engineer, Rapid7 Who We Are Matt • Former Hardware/Software Engineer • Worked on Storage director boards • Entered security through credit card anti-fraud invention Jeff • Java developer before (and after) it was cool • Years in Storage software (coincidence) • Entered security to build first Rapid7 Incident Response product Agenda Stolen credentials are going to be used How not to detect them How you can detect the characteristics What is more important then the exact characteristics You Cannot Stop Stolen Credentials… or Marketing Cannot Stop Compromised Credentials - Discover Credentials are weak (and will be stolen) • Spearphishing is sophisticated • Passwords are constantly reused • Your users are focused on productivity, not security • Target last year, ebay this year, etc. You Cannot Stop Compromised Credentials - Reach It only takes one… • …valid set of credentials • …entry point without 2FA • …drive-by download victim The Microsoft Guide to PtH is Unrealistic* Mitigation 1: Restrict and protect high privileged domain accounts • Exceptions are always made for privileged accounts  An endpoint was accessed in an emergency  A new service was urgent and needed admin-level access Mitigation 2: Restrict and protect local accounts with admin privileges • No organization has eliminated local administrator privileges  Executives demand them (productivity)  Developers demand them (productivity) Mitigation 3: Restrict inbound traffic with the Windows Firewall • Applies only to Windows-to-Windows authentications • Rules must be constantly changing * - The Windows 8.1 mitigat