INSIDER THREAT SECURITY BLOG

Sifting Through The Sands In the last post, we looked at how to find file shares where data we may want to steal lives. We used both Python-based and PowerShell based approaches to this. Now we’re going to take the next step and find actual files of interest. Even the smallest organization can have many thousands of files. The bad guys would drown in all that data if they didn’t have ways to narrow down what they’re looking for. Let’s start by seeing what PowerSploit has to offer on the Powe…

Finding Where Interesting Information May Live We’re going to make some assumptions at the start of this attack. We will assume we already have full access to any credentials we need. Why? Because we’ve already shown you how you can grab any credential you might need all the way up to the highest level of administrative rights. The question you now need to ask is this: what can you do with those rights? Credentials are the means, but data is the ends. So the first thing you do with all these…

There’s a lot of news coverage on threats like ransomware, malware, and phishing that are all about punching holes in organizations to grab quick spoils. But what isn’t getting a lot of coverage is the careful, patient planning attackers do once inside your Microsoft Active Directory (AD) environment. They fly under the radar scoping out your domain and amassing privileges so they can spread out, dig in, and access a smorgasbord of sensitive data. These meticulously executed—and ultimately mo…

Stealthbits CTO, Jonathan Sander, recently returned from a road trip across the U.S. where he met with several customers. One of them remarked that finding sensitive data across his organization was like trying to find Waldo in the children’s book series, Where’s Waldo. The customer went on to say, ‘Even if we find it, we don’t have a foolproof way of keeping our sensitive information safe.’ He’s not the only one facing this dilemma. Organizations that have successfully implemented a least pr…

Credentials Are the Means to Attack Data If you’ve been reading the attack blog series until now, you’ve seen we have focused on attacks against Active Directory – like attacking core AD infrastructure, leveraging AD service accounts to attack, attacking AD with misconfigured permissions, and our series on Mimikatz attacks. Of course, AD is the hub for so much access to data in any organization that it may feel like those attacks actually compromise everything else. Today we’re kicking off ou…

The New York State Department of Financial Services (NYS DFS), announced 23 New York Code Rules and Regulations 500 (23 NYCRR 500), a cybersecurity regulation for all financial institutions doing business in New York. Today marks the end of the first major deadline for this regulation, 180 days after going into effect on March 1, 2017. By now, financial institutions doing business in New York should have a cybersecurity program, cybersecurity policies, a Chief Information Security Officer …

Active Directory DACL Backdoors In my last blog post, we examined Active Directory (AD) backdoors and how to defend against them. The botnets’ primary communication mechanism relied on abusing AD attributes. Once established, these botnets allow attackers to communicate across internal security controls, exfiltrate data—and most importantly—gain a foothold that is very difficult to detect and remove. All accomplished without one line of malicious code. Now that’s a real life advanced persi…

In our sixth edition of the Insider Threat Podcast, once again we spoke with our resident white hat hacker, Jeff Warren. Jeff has just finished another in our ongoing blog series about insider attacks on Active Directory (AD). This time, the focus was the Mimikatz toolkit and all the ways it’s being used to exploit weaknesses in AD. You can find out more in the main series of blog posts about Mimikatz attacks as well as supplementary posts covering Skeleton Key, changing passwords, DCSYNC and…

Active Directory Enterprise Attack Vectors Active Directory (AD) enterprise attack vectors continue to get a lot of attention from security researchers. If history is our guide, it is only a matter of time before we see more active exploits in the wild. I sat in on Ty Miller and Paul Kalinin’s Black Hat presentation, “The Active Directory Botnet” this year and they unveiled a novel way to use, or more accurately abuse, Active Directory user attributes to create a communication channel betw…