One Key to Rule Them All: Detecting the Skeleton Key Malware
- 3. • The Villain:
• The Damsel:
• Damsel in distress:
• Knight in shining Armor:
- 28. • AES uses the username for salt
• RC4-HMAC doesn’t have any!
• AES uses PBKDF2 = thousands of SHA rounds
• RC4-HMAC doesn’t have any!
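As an added example (not from the deck), the key-derivation contrast above in Python: the RC4-HMAC long-term key is a single unsalted MD4 over the UTF-16LE password, while the AES string-to-key (RFC 3962) runs PBKDF2-HMAC-SHA1 for 4096 iterations over a salt of realm plus principal name. The realm and account names are constructed, and the AES derivation stops at the PBKDF2 stage (the final DK step is omitted).

```python
import struct
import hashlib

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):  # three rounds of 16 steps; registers rotate each step
            if i < 16:
                f, k, s = F(b, c, d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:
                f, k, s = G(b, c, d) + 0x5A827999, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:
                f, k, s = H(b, c, d) + 0x6ED9EBA1, r3k[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rot((a + f + X[k]) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_key(password: str) -> bytes:
    """RC4-HMAC (etype 23) long-term key: one MD4 over the UTF-16LE password.
    No salt and no iteration count, so it is simply the account's NT hash."""
    return md4(password.encode("utf-16-le"))


def aes_string_to_key_stage(password: str, realm: str, user: str, key_len: int = 32) -> bytes:
    """AES string-to-key, PBKDF2 stage only (RFC 3962): salt = REALM + principal name,
    4096 HMAC-SHA1 iterations. The final DK()/n-fold step is omitted in this example."""
    salt = (realm.upper() + user).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, key_len)


def distinct_keys(password: str, users: tuple, realm: str = "CONTOSO.LOCAL") -> dict:
    """Constructed check: how many distinct long-term keys do accounts that share one
    password get under each enctype? (realm and user names are made up)"""
    rc4 = {rc4_hmac_key(password) for _ in users}
    aes = {aes_string_to_key_stage(password, realm, u) for u in users}
    return {"rc4": len(rc4), "aes": len(aes)}
```

Two accounts with the same password get one identical RC4-HMAC key but two different AES keys, which is why a reused or stolen RC4 key is so much more portable than its AES counterpart.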
- 37. How Microsoft ATA works
Automatically…
• Learn entities and their context
• Profile entity activities and behaviors
• Build the entities interaction graph
• Identify suspicious activities
• Connect suspicious activities into an Attack Timeline™
- 38. ANALYZE, LEARN, DETECT
• 1. ANALYZE: ATA analyzes all Active Directory-related traffic and collects relevant events from SIEM
• 2. LEARN: ATA automatically learns all entities' behaviors
• 3. DETECT: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline
- 39. Abnormal Behavior
• Anomalous logins
• Abnormal behavior
• Unknown threats
• Password sharing
• Lateral movement
Security Risks
• Weak Protocols
• Known protocol vulnerabilities
• Broken Trust
Attacks in real-time
• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Forged PAC (MS14-068)
• Reconnaissance
• Brute force
Editor's Notes
- http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
- NTLM relay talk 2014 by Oren Ofer
- 3 data sources: network traffic, AD data and SIEM events
Create traps (honeytokens) to mislead attackers
- Classifying the SAs (suspicious activities) into 3 types
- Risks (misconfiguration), deterministic, and behavioral based (who accesses what and when)