版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
EPMFundamentalsCredentialTheftProtection
andEventMonitoringThissessionwillexplainthefollowingconceptsandfunctionality:ThreatDetection
PrivilegeThreatAnalytics(PTA)andSIEMIntegration
ReportsandDashboardsObjectivesWhatriskdocompromisedcredentialsrepresent?GivedirectaccesstoaccountsonvariousplatformsUserspecifiessamepasswordforseveralaccountsondifferentplatformsThreatDetectionmonitorsfordifferentattackvectorsNoadditionalendpointrequirementotherthanEPMagentFunctionalityintendedtobecontinuouslyupdatedDetectandBlockSuspectedCredentialTheftAttemptsbyMaliciousUsersandApplicationsHowtheTechnologyisDesignedCyberArkLabinvestigates
variousattackvectorsAlertissenttoEPMconsoleAttackindicationareextracted(e.g.unexpectedaccesstoLSASSmemory)EPMinternalpolicyisupdated
byR&DwiththeindicatorsEPMdevicedrivernowhookstheseaccessestoLSASSAccessisblockedBLOCKINGMODEAccessisdetectedDETECTIONMODEDetectaPotentialSecurityThreat(1)RulesNameDescriptionProtectsLSASSCredentialsHarvestingLocalSecurityAuthoritySubsystemService(LSASS)isresponsibleforenforcingthesecuritypolicyonthesystem.ItverifiesusersloggingontoaWindowscomputerorserver,handlespasswordchanges,andcreatesaccesstokens.Itretainsuserscredentialsinmemory,bothashashesandcleartext,andisamainattackpoint.AllworkstationsandServersSAMHashHarvestingTheSecurityAccountManager(SAM)storesusers'passwords.Itcanbeusedtoauthenticatelocalandremoteusers.CredentialsaresavedinSAMasNTLMhashes,whichcanbeeasilyuncoveredwithnewcomputers.AllworkstationsandServersDetectaPotentialSecurityThreat(2)RulesNameDescriptionProtectsDomainCredentialTheftFromLocalCacheTheDomainCredentialsCache(msvcachedv2)containshashesofdomainusers'credentials.Itisusedtovalidatedomainuserswhologinfromoutsidetheirorganization'snetwork.AllworkstationsandServersCredentialTheftFromServiceAccountServicescanbeexecutedwithdifferentpermissions,usingdifferentusers.Toenabletheservicetostartevenwhentheuserisnotloggedin,thecredentialsarestoredonthemachine.Anattackercanusethesecredentialstorunmaliciouscodewiththeserviceuser’spermissions.SomeMicrosoftservicescontaindomainusercredentials.AttackerscanharvestencryptedservicecredentialsfromtheLocalSecurityAuthority(LSA)Secretsregistryhiveandinjectthemintoanewmaliciousservicetoachievelateralmovementandfulldomaincompromise.AllworkstationsandServersDetectaPotentialSecurityThreat(3)RulesNameDescriptionProtectsAgentSafeProtectionWindowsSafeModeisbuiltintoallWindowsOperatingSystems(OS)onbothPCsandservers.InWindows10,SafeModeturnsoffMicrosoft’sVirtualSecureModule(VSM).AttackerscanremotelyactivateSafeModetobypassandmanipulateendpointsecuritymeasures,achievelateralmovementandstealcredentials.AllworkstationsandServersCredentialTheftFromWindowsCredentialManagerWindowscredentialmanagerallowsuserstosavetheirlogininformationforwebsites(IEandEdgebrowsers),connectedapplications,andnetworks.Attackerscaneasilyfetchtheusers’credentialsbyusingundocumentedwindowsAPIs.AllworkstationsandServersDetectaPotentialSecurityThreat(4)RulesNameDescriptionProtectsCredentialTheftFromActiveDirectoryDatabase(NTDS.DIT)TheMicrosoftActiveDirectoryDataStore(NTDS.dit)containsdatabasefilesandprocessesthatstoreandmanagedirectoryinformationforusers,services,andapplications.Anattackercanstealthekrbtgtaccount,whichisapreliminarysteptotheGoldenTicketattack,andharvestalltheorganizationuserhashestoexecutepassthehashattacksandlateralmovesintheorganizationnetwork.Servers(DC)LocalSecurityAuthority(LSA)SecretsHarvestingLSASecretsisaspecialprotectedstorageforimportantdatausedbytheLocalSecurityAuthority(LSA)onWindows.Thesecretscancontainuserpasswords,serviceaccountpasswords,RASconnectionpasswords,userencryptionkeysandmore,allofwhicharevaluableforattackers.AllworkstationsandServersDetectaPotentialSecurityThreat(5)RulesNameDescriptionProtectsPassTheHashAttackPasswordhashesareequivalenttoclear-textpasswords.Anattackerwhoobtainsapasswordhashcanuseittogainaccesstoasystemwithouttheneedtoknowtheactualpassword.ThistypeofattackisknownasPassTheHash.AllworkstationsandServersCryptoRSAMachineKeysHarvestingRSAisanasymmetricencryptionalgorithm.Theprivatekeycanbeusedforauthentication,encryption,andsigning,andforasymmetrickeyexchangeduringestablishmentofanSSL\TLSsession.Stolenprivatekeyscanbeusedforavarietyofpostexploitationattacks,suchasstealingauthenticationtokensfromanyidentitymanagementsolutionthatstoresitskeyintheWindowsprivatekeystore.Serversonly(identitymanagementsolutionslikeADFSandOkta)DetectaPotentialSecurityThreat(6)RulesNameDescriptionProtectsKerberosTicketHashHarvestingKerberosticketsaretheauthenticationobjectsusedinadomainenvironment.PasstheticketisamethodofauthenticationtoasystemusingaKerberosticketwithouthavingaccesstotheaccount'spassword.Inthisattack,avalidKerberosticketisobtainedandinjectedinthememoryoftheattacker'ssession.AllworkstationsandServersTotalCommanderCredentialsTheft(*Beta)TotalCommanderisapopularfilemanagerforWindowsthatcanalsomanageFTPconnections.UserscanstoretheirFTPServerpasswordslocallyusingTotalCommander,exposingtheircredentialstopotentialattackersrunningonthemachine.AllworkstationsandServersDetectaPotentialSecurityThreat(7)RulesNameDescriptionProtectsPuTTyCredentialsTheft(*Beta)PuTTyisapopularSSHclientforWindows.TheapplicationstoresprivateSSHkeysthatcanbeusedascredentialstoremoteServers.Inaddition,PuTTyenablesyoutostorepasswordsforproxyServerslocally.StoringtheprivateSSHkeysorproxypasswordleavesusercredentialsexposedtoattackers.AllworkstationsandServersOktaADAgentTamperProtection(*Beta)OKTAhasanADAgentthatmanagesconnectionfromanActiveDirectoryenvironment.Theagentstoresatokentothedomainthatcanbeabusedbyanattackertostealusercredentialsfromthedomain.EPMprotectsthistokenandtheagent’sprivatekey(usingtheCryptoRSAMachineKeysHarvestingrule)frombeingstolen,theADagentfrombeingmanipulatedandtheauthenticationprocessfrombeingtamperedwith.OKTAADAgentserversThreatDetectionUIClickingonThreatDetection
showsallpoliciesShowswhetherstatusisactiveornotforeachpolicyAlsoshowsifpolicyissettodetectorblockattackActivatingTheftDetectionPoliciesClickonOptionsthenActivateallToactivatesinglepolicies,selectdesiredpolicythen:RightclickonpolicyandclickActivateindrop-downClickonOptionsthenActivateEditingaThreatDetectionPolicyActivatingapolicysetsactiontoDetectbydefaultToblockandchangeadvancedpolicysettings,right-clickonpolicyandclickEditEditingaThreatDetectionPolicy(Action)ActivatingapolicysetsactiontoDetectbydefaultDetect:
Credentialtheftattemptsarenotblocked,butgeneratealertsBlock:
BlockfutureattemptsofcredentialtheftEditingaThreatDetectionPolicy(ApplyPolicytoselectedComputersinSet,ADComputerGroups)ThreatDetectionPoliciescanberestrictedto:SpecificComputersEPMComputerGroupsADComputerGroups
EditingaThreatDetectionPolicy(ExcludedApps)Ifnecessary,excludespecificapplicationsfromPolicyClickonNewtoaddexclusionsExclusioncanbeappliedtofilename,pathWildcardscanbeusedforfilenameorpathEditingaThreatDetectionPolicy(End-UserUI)SetwhetheruserwillbealertedwhenpolicyistriggeredDefaultisShowNothingOtherwise,selectwhichmessagewillbedisplayedtoend-userviasystemtraybubble.DefinitionsarestoredinPASPD.DLL
CyberArkwillreleasenewversionsoftheDLLwithenhancedprotectionagainstnewattackvectors
UpgradedfilescanbeuploadedbyaccountadministratorsThreatDetectionDefinitionsFileUpdatingThreatDetectionDefinitionsFileLoginasanaccountadministratorBrowsetoConfiguration=>ThreatDetectionClickonUpgradeBrowsetoandselectupdatedfile,thenclickonOKStep1–Activateforapilotgroup(e.g.activatethepolicyonlyontheITgroupthatisconsideredasEPMchampions)Step2–Defineexclusionasneededbasedonpilotgroup(e.g.exclusionforbackupsoftware)Step3–Expandpolicyapplicationfortheentiregroup/organization.Step4–MonitorandadjustaccordingtoneedsPolicyactivationmendationsPrivilegeThreatAnalytics(PTA)
andSIEMIntegration*PTAintegrationnotavailableforSaaSinstallationsNOTE:PTAIntegrationtoShowCredentialsTheftIncidents*ThreatDetectioneventsinEPMcantriggeralertsinPTA(PrivilegedThreatAnalytics)AlertsaredisplayedinthePTAconsoleSOC(SecurityOpsCentre)staffcandrilldownintoeventtoseemoreinformationRetrievingConnectionCredentialsfromPTATheconnectionbetweenEPMandPTAneedstobeauthenticatedRequiredcredentialsarestoredinfilecalledprepwiz.logonPTAserverForPTA3.3,fileislocatedin/opt/apache-tomcat-7.0.40/prepwiz/logsSearchforEPPcredentials,noteUsernameandPasswordConfiguringPTAintegrationIntheConfiguration=>ThreatDetectionsection,clickonPTAConfiguration
EntertheUsernameandPasswordretrievedfromprepwiz.log
ClickonSaveConfiguringEventListenersAllowsconfigurationofexternallistenerssuchasSIEM
InServerConfiguration=>EventListenerssection,clickonNonenexttoThird-PartyListenersConfiguringEventListenersOntheChangeConfigurationParameterValuescreen,clickonOffnexttothelistener
SelectOnfromthedropdownSettheconfigurationasrequiredClickOKthenSaveSupportedEventListenersLogstash-Systemforlogcollection,processing,storageandsearchingactivities.TextFile–XMLfilecreatedontheEPMServerSysLog-Astandardformessageloggingthatpermitsseparationofthesoftwarethatgeneratesmessages,thesystemthatstoresthem,andthesoftwarethatreportsandanalyzesthem.Splunk-Captures,indexesandcorrelatesreal-timedatainasearchablerepositoryfromwhichyoucangenerategraphs,reports,alerts,dashboardsandvisualizations.MoreinformationiscontainedintheCyberArkEndpointPrivilegeManagerSolutionGuideReportsReportsReportscanbegeneratedundertheReportstabinthemainSetUIReportsaresplitintofunctionalcategoriesReportsReportsareavailabl
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 初一应用数学教学计划
- 2024年高中化学 第三章 有机化合物 第二节 来自石油和煤的两种基本化工原料苯1教案 新人教版必修2
- 2024年春七年级历史下册 第二单元 辽宋夏金元时期 民族关系发展和社会变化 第9课 宋代经济的发展教案 新人教版
- 每天考勤签到表
- 分数的初步认识-几分之一说课稿
- 《忆读书》教学设计
- 平行四边形的面积教案
- 2024大型设备采购合同范本
- 家电回收处理合同
- 2024电脑产品购销合同范本电脑产品购销合同样本
- 3.2 参与民主生活 课件-2024-2025学年统编版道德与法治九年级上册
- 《 大学生军事理论教程》全套教学课件
- 幼儿园中班科学《多变的天气》课件
- 电梯检验员个人总结五篇
- 利达信TK832-A型数字集团电话说明书
- 视频监控项目日常巡检表
- 中考英语听说之口头作文
- KYN28A-12说明书模板
- 猫的介绍-英文PPT_图文.ppt
- 学校违纪万能检讨书1000字
- IDC成本收入分析
评论
0/150
提交评论