BlackHat资料us-14-Hathaway-Why-You-Need-To-Detect-More-Than-PtH-WP.pdfVIP

Black Hat USA 2014: Why You Need to Detect More Than PtH Matt Hathaway matthew_hathaway@ Jeff Myers jeff_myers@ Black Hat USA 2014: Why You Need to Detect More Than PtH Introduction It does not matter where or how the attack started – while many attacks start with credentials, at some point all attacks look like an insider. On this premise, we believe that reducing the effectiveness of known attack techniques is as important as ever. Practitioners need to educate users, reduce the use of administrative privileges in an organization, actively avoid RDP, and do as much as possible to eliminate NTLM authentications. In spite of the progress Microsoft has made in recent years to mitigate known attacks like Pass-the-Hash (especially in Windows 8.1) this threat has not been eliminated. We wrote this paper with no intention of introducing new attacks or expanding on the excellent Pass-the- Hash presentations over the last several Black Hat events. This is a defensive guide providing a series of steps necessary to make detection achievable for the incident response team. It is wholly intended to highlight where to look and what to look for so that compromised credentials can be detected. Mitigation is Just That Every security professional has an example fresh in mind: the new CFO that gives his assistant all of his passwords, the development team that simply cannot function without local administrator privileges, the domain administrator with the best ticket close rate in company history because he breaks proper account use policy if it means the ticket can be marked ‘closed’ an hour earlier. After speaking with security te