Lessons from the Target data breach of 2013

Abhishek Rai CYBER501x

***************************************************************************************
***************************************************************************************
File Name: Additional-Resources-General-Unit-One-A-13042018
About: Notes from additional resources (General) supplied in unit one of RITx:CYBER501x course on Edx.
Author: Abhishek Rai
Date: 13th April 2018
Day: Friday
***************************************************************************************
***************************************************************************************

|||> 11 Steps Attackers Took to Crack Target <|||

 Link to the article
==========================================================

1. Vendors - High Risk


a. Can compromise information security, if they are non-compliant.
b. Access should be limited and quarantined. But how?
- Requires audit of what is essential for them.
- Access on Need-To-Know basis only.
- Vendor access that reaches into the parent network is a serious risk.


2. Malware - Citadel, a general-purpose malware, was used.

 

- Research on what it is and how it works? [#td]
- Other similar tools? [#td]
- Patches available? [#td]
- How to know when the malware installs itself?
- Signatures? [#td]



3. Web services dedicated to vendors


- Application Security?
- Access to whom and why?
- 2FA on these systems?
- Credentials security?
- Routine forced update?
- Storage audit?
- Automatic credentials expiry, in case of personnel movement, internal or external.


4. Which kinds of files are allowed to be uploaded into the system?


5. "Hiding in plain sight", like renaming the malicious components as popular and important files / components?

6. Obfuscation of Active Directory


- Storing everything in a single directory is high risk.
- Restricted access to directory querying.
- LDAP Protocol [#td]
- Obfuscation of service names, so that their purpose cannot be inferred just by reading the name.


7. Security of DNS Server


- Is querying allowed, and by whom?


8. "Pass the hash" attack technique [#td]


9. Alert on new accounts added to the Domain Admins group or any other administrative group.


- Account addition with 2FA only


10. Monitoring of access patterns.


- Admin accounts
- Domain accounts


11. Monitoring for reconnaissance


- Querying
- Is there any history or precedent for such querying?


12. Angry IP Scanner (Tool Used) [#td]


13. Port forwarding tool (Tool Used) [#td]


14. Microsoft PSExec utility (a telnet-replacement for executing processes on other systems) (Tool Used) [#td]


15. Microsoft Orchestrator management solution, used to gain persistent access. (Tool Used) [#td]

16. Custom-written malware tool - Kaptoxa (Tool Used)


17. From the article:



Be'ery recommends that organizations take the following steps to protect themselves:

a. Harden access controls. Monitor and profile access patterns to systems to identify abnormal and rogue access patterns. Where possible, use multi-factor authentication to sensitive systems to reduce risks associated with theft of credentials. Segregate networks, limit allowed protocols usage and limit users' excessive privileges.

b. Monitor users' lists for the addition of new users, especially privileged ones.

c. Monitor for signs of reconnaissance and information gathering. Pay special attention to excessive and abnormal LDAP queries.

d. For sensitive, single-purpose servers, consider whitelisting of allowed programs.

e. Don't rely on anti-malware solutions as a primary mitigation measure since attackers mostly leverage legitimate IT tools.

f. Place security and monitoring controls around Active Directory as it is involved in nearly all stages of the attack.

g. Participate in Information Sharing and Analysis Center (ISAC) and Cyber Intelligence Sharing Center (CISC) groups to gain valuable intelligence on attackers' Tactics, Techniques and Procedures (TTPs).
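Items 9 and 11 above, and recommendations b and c in the quoted list, both come down to watching Active Directory for two signals: a member added to a privileged group, and a host issuing LDAP searches with no precedent or far above its normal volume. The following Python is an added example (not from the article or the course) that runs those two checks over constructed sample events; the event layouts, hostnames, accounts and baseline figures are assumptions made up for the demonstration.

```python
from collections import Counter

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events (hosts, accounts and counts are made up).
# "group_add" mirrors Windows Security events 4728/4732, "member added to a
# security-enabled group"; "ldap_search" mirrors an LDAP search audit record.
SAMPLE_EVENTS = (
    [{"type": "group_add", "event_id": 4728, "group": "Domain Admins",
      "member": "svc_vendor2", "actor": "CORP\\vendor-portal", "host": "DC01"},
     {"type": "group_add", "event_id": 4732, "group": "Remote Desktop Users",
      "member": "alice", "actor": "CORP\\helpdesk", "host": "DC01"}]
    + [{"type": "ldap_search", "host": "POS-REG-117",
        "filter": "(objectClass=computer)"}] * 40
    + [{"type": "ldap_search", "host": "EXCH01", "filter": "(mail=*)"}] * 12
)

# Constructed baseline: typical LDAP searches per host in one window.
LDAP_BASELINE = {"EXCH01": 10, "FILESRV02": 5}


def privileged_group_additions(events):
    """Group-add events whose target group is privileged (item 9 / rec. b)."""
    return [e for e in events
            if e["type"] == "group_add" and e["group"] in PRIVILEGED_GROUPS]


def ldap_query_outliers(events, baseline, multiplier=3):
    """Hosts with no LDAP history at all, or whose search count exceeds
    multiplier x their baseline (item 11 / rec. c)."""
    counts = Counter(e["host"] for e in events if e["type"] == "ldap_search")
    return {h: n for h, n in counts.items()
            if h not in baseline or n > multiplier * baseline[h]}


def run_checks(events=SAMPLE_EVENTS, baseline=LDAP_BASELINE):
    """Return alert strings for both signals."""
    alerts = [f"PRIV-GROUP-ADD {e['member']} -> {e['group']} "
              f"by {e['actor']} on {e['host']}"
              for e in privileged_group_additions(events)]
    for host, n in ldap_query_outliers(events, baseline).items():
        why = "no prior history" if host not in baseline else f"baseline {baseline[host]}"
        alerts.append(f"LDAP-RECON {host}: {n} searches ({why})")
    return alerts


if __name__ == "__main__":
    print("\n".join(run_checks()))
```

With the sample data, EXCH01 stays quiet because 12 searches is within three times its baseline, while the register with no LDAP history and the vendor account added to Domain Admins each produce an alert.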