
Good morning. My name is Robert Wilson. I'm the IT director for the South Carolina Department of Commerce, so I live kind of just up the road a little bit in Columbia, South Carolina. Today I'm going to be talking about lateral movement.

Just a little bit of background: I work for the state of South Carolina at the Department of Commerce. I've primarily worked in the public sector for state and local government and have been in the IT field for about 25 years. In my current role I'm basically responsible for all of IT and security for an economic development agency, so we do things like trying to get companies to come to the state. We also are involved with workforce things, so like here at the site, the BSides and the Cyber Center in Augusta, we do some of that kind of stuff for the state of South Carolina also. My Twitter is FR Columba; you can reach me that way or via email. And I am a GSE, which I highly recommend: if you're on the SANS track, go ahead and try and be a GSE.

So why this presentation today? Lateral movement is a hot thing. You hear people talk about lateral movement, and the ATT&CK framework is also hot, so there's a lot of chatter about those two items. So I wanted to pick something that's part of the ATT&CK framework and apply it to Windows networks, and it's something where any time there's a compromise there's going to be the tendency for an adversary to have to move, so I want to address that. And then the other big thing is that I talk to a lot of IT people, and I've talked to security people, pure security people, also, and you may or may not be surprised how many people actually don't use the Windows Firewall at all. They either turn it off or they don't know what kind of functionality it has. And there's a lot of people here who may be in the beginning of their career, or they might be a student, and they don't know a lot about the kinds of things that you can do in Windows that are free. This doesn't require any kind of fancy licensing, it doesn't require buying a third-party product; it's all built in. So related to that is giving you some ammunition about limiting lateral movement, and I'll talk a little bit about some best practices.

So there are people in here who don't know what TTPs are. You go to some of these presentations and you hear somebody up here talking about stuff and they just drop this TTP bomb on you, and you might not know what they are. So whenever we're talking with people and we're talking amongst ourselves, we have to use common language, and the MITRE ATT&CK framework gives us a common language to talk about stuff, information security stuff. So lateral movement is what's referred to as a tactic. You have tactics, techniques and procedures: a tactic is a high-level thing, and then you move down to a technique, which is a way of accomplishing a tactic, and then a procedure is the actual way that you perform it. So in the instance of lateral movement, some of the examples are pass the hash and Windows pass the ticket, which is using Kerberos. Kerberos is an authentication method that's used in Windows RDP connections, connecting to remote services, admin shares, Windows Remote Management, stuff like that.

So one of the things that I want for you to think about is the tactic level. If you've seen the MITRE ATT&CK framework, across the top are all the tactics: lateral movement, privilege escalation, discovery, things like that. Start thinking of those as a principle that someone must accomplish, right? So in the case of lateral movement, the principle that they have to accomplish is moving from one machine to another. Then once you start thinking about it in that way, what you want to get toward is you don't necessarily care what technique they're using, because you're concerned about what the tactic is. And obviously there's going to be cases where you can't 100% do this, which is something that we'll talk about a little bit later, but lateral movement is one of the good ones where you can think about the principle of lateral movement rather than the actual technique that someone is going to use.

So the thought exercise, or the war game or tabletop or whatever, to think about is a flat network with servers and workstations that intermix with each other, there's no host-based firewalls turned on, and you have a bunch of credential reuse. So if you remember back to two years ago with the big MS17-010 attacks, you know, NotPetya and WannaCry and all that kind of stuff, there are a number of organizations who had multi-million dollar problems because of the fact that they were not limiting lateral movement. So that's kind of the principle that you want to get toward: get away from flat networks as much as you can, which has to do with, do you know what machines you have, are they classified together, are all your workstations in one group and your servers in another group, stuff like that.

So just as a quick review, as I was saying, there's people in here that don't use the Windows Firewall; they're not familiar with it. It came out around the Windows XP time period. They've changed the name a couple of times. It has multiple configuration methods. Kind of the modern way of doing it, Microsoft wants to push you toward using cloud services, you know, they want recurring income, so you can configure it with Intune, you can configure it with Group Policy, you can configure it manually. It has IPsec functionality, which is one of the big things that people don't realize that makes it a little bit different than some of the other firewall types. Related to that, it has Kerberos and AD integration. So the Kerberos integration, what it allows me to do is: if I have iptables set up on a Linux machine and I have two computers that need to talk to each other, and I have IP address A and IP address B, IP address A can connect to port 22 on IP address B, right? That's kind of a traditional firewall type operation. In the Windows Firewall what you can actually do is use Kerberos integration to use authentication headers to create a connection between one Windows machine and another Windows machine, taking into account that machine's domain account and also the user account of the person that's on the computer. So I can make a connection to Martha's computer from Robert's machine, but only if I am Robert. So that is considerably different than the way that something like iptables works. It's also on by default. Just like all of the Microsoft stuff, the default is probably not what you want, but it's a good beginning.

So an example of that that I always like to bring up, and anybody at Microsoft, take the hint: if I have an Enterprise version of Windows 10, why does it have an Xbox app on it? Microsoft has a lot of, you know, built in... I have an E5 license for Windows 10 Enterprise; why does it have Candy Crush? At some point maybe they'll start taking some of that stuff out.

All right, so default rules. This is a bunch of gobbledygook, you know, you see all this stuff. These are the default rules in a Windows 10 Enterprise firewall, so all these are on by default. What's happening is any inbound connection that isn't listed is blocked, any outbound connection is allowed. So inbound, out of the box, you're getting Cast to Device streaming server, HTTP streaming in, I don't even know, you know, it's for Miracast basically, but you probably don't want those things to be on, and if you haven't looked at this you probably should take a look. So these are the outbound rules. You see a lot of stuff. By default it's going to let everything go out anyway, but if you were to change the default action to deny and only allow outbound things that are listed in the rule set, you're gonna get Microsoft Pay going outbound, Microsoft People, Solitaire, Sticky Notes, you know, all these things. A lot of these are Windows Store apps that are installed by default: News and Weather, all these kinds of things. So if you are a quote-unquote old-school person, you're thinking in terms of "I want to let port 53 outbound for DNS, TCP and UDP," or whatever. Microsoft is not in that realm; they're thinking in terms of apps, which is cool, but you might want to move toward using traditional thinking for that kind of stuff, and for your outbound connections, enforce and then explicitly list, you know, I want to do this via TCP, or I want to let this computer talk to this computer.

All right, so the connection security rules stuff is the thing that I was talking about before, about our computers talking to each other. So in this case what I did was I set up a connection security rule using Kerberos, going from any computer to this machine, 192.168.1.50, that I want to require inbound and outbound authentication for the connection, and I want to use Kerberos and make sure that it's the user that I specify in the list and the computer. So if Robert Wilson makes a connection to 192.168.1.50 from a computer that is not listed, the connection doesn't occur, which is a lot different than "allow these two IPs to talk to each other." So how many people actually knew or know that you can do that kind of stuff in Windows? A few. All right, that's good. I actually have been doing Windows stuff for a very long time, and I had no idea until probably five years ago that you could do any of this kind of stuff.

So related to that connection security rule, here we have a firewall rule. In this case it's RDP in; I want to authenticate that connection and then I actually want to encrypt it with IPsec. So you can do authentication header, you know, AH connections only, and leave the traffic in clear text, or you can actually encrypt the traffic also.

So here's one of my notes from the field. This is actually someone on Twitter responding to a conversation that I was having, and this is a government person, actually in Europe, not in South Carolina. His response to some of this kind of stuff was: his IT people (this is a security person), his IT people will not let them even turn on the Windows Firewall. So some of that is antiquated thinking and some of it is your organization might not allow you to do it for legitimate reasons, but I think we've kind of moved beyond that, and the MS17-010 stuff is when that really occurred, because we've been moving away from, whatever you want to call it, the M&M, where the outside of your network is crunchy and the inside is all mushy. You can't really think that way anymore.

So here's a few resources for Windows Firewall stuff. This Microsoft support article basically lays out everything that's required for Microsoft networking: all the ports that are required for domain controllers, everything that's required for SQL, this is what an endpoint needs in order to do stuff. So one of the big things about that, related to tiering, which I'm going to talk about in just a minute, is: is it necessary for a domain controller to reach out and talk to a workstation? Does the domain controller initiate the connection? No. So for stuff like Group Policy, the workstation calls out over 445 to the domain controller to get the stuff. So you have to think through those types of scenarios. One of the best possible classes for learning about this kind of stuff, in my personal opinion, is the 505 class, which Jason Fossen wrote: heavy-duty stuff in Windows PowerShell, and a considerable amount of time is spent talking about the Windows Firewall. Jessica Payne, who works for Microsoft in their security group, she is awesome, so you should definitely follow her; a presentation in New Zealand, whatever the equivalent of Ignite or whatever may be in New Zealand, where she talks about the Windows Firewall. There's actually a lot of good stuff that comes out of Palantir. Regardless of what you might think about Palantir, their Windows people are excellent, and there's a lot of stuff that they've written, like Medium posts and stuff like that.

So getting back to the ATT&CK framework and thinking of stuff as principles: the principle in lateral movement is adversary movement. So you have east-west movement, so in that case workstations talking to other workstations, and then you have north-south movement, which, an example would be going out of a workstation subnet into a server subnet. So you could call that longitudinal; I don't know why everything has to be lateral, because in that case it's longitudinal. So from an adversary's perspective they are always wanting to know "who am I and where am I." This is the idea of graphs, that attackers work in graphs and defenders work in lists, which is, you know, this big thing that people came up with a few years ago, another Microsoft person. And they need to pivot to get to other machines. From a defender perspective you actually want to move toward thinking of your machines as cattle instead of pets, which is something that's kind of come out, that analogy came out having to do with cloud stuff, but it's also applicable to internal environments. Where in the case of cattle, you have, you know, if you're into Mr. Robot, the E Corp thing, where you don't care about E Corp sales 19, that's cattle. A pet is Elliot's local printer in the accounting group, shared out to the rest of the people in their workstation subnet, so you're already having to create a unique situation for that computer, which is not good. If you were here this morning, they showed that crazy traffic jam picture and then the picture of, you know, the NASCAR race. If you're moving toward the NASCAR race you need to think of your machines as cattle, which sometimes is, you know, obviously it's easier said than done, but all of this is a journey, you know, that you need to iterate through this stuff.

So this is Microsoft's tiering, which has to do with these things called privileged access workstations. So you want your tiers to use similar kinds of firewall rules. In this case, so down there at Tier 2, these are all workstations. Workstations don't talk to other workstations; they talk to servers and domain controllers. Servers generally don't initiate communications to workstations unless it's, like, Nessus or something like a scanner. A workstation calls up a web server; web servers don't call workstations.

So the quick wins. The number one thing is do not turn off the Windows Firewall. The second part of it is iterate through rule sets. So begin with the default rules, which I showed at the beginning, using Group Policy, Intune or whatever to roll them out, and don't merge the local rules. So all that gobbledygook that we saw at the beginning with Microsoft Pay and Miracast and all that kind of stuff, those are the default rules. You may begin with that, but what you want to move to is using Group Policy or Intune or whatever your methodology is; you have a list that you apply to your cattle, so all of the workstations get this firewall configuration, and you move away from having to create some kind of local exception for this AP person's printer or whatever, because you can get an HP laser, you know, for a thousand dollars or whatever and replace it, so they don't have to create exceptions. Exceptions are generally a problem. So don't let workstations talk to each other; that's the Tier 2 thing, because what's going to happen is somebody gets phished and you get lateral movement, and east-west traffic, you want to make that, if possible, pass through something where you can get NetFlow. So best-case scenario, all of those connections would actually go through a firewall also, so not only do you have host-based firewalls but you have network segment firewalls and not just perimeter firewalls. Palo Alto can be relatively cheap, depending.

So two hypothetical situations. The exploitation of remote services: there was a zero-day, however you want to pronounce it, in RDP a little while ago, the BlueKeep stuff, which took a long time for there to be a working exploit, but let's say that there was one. You have a compromised endpoint; that person scans the current subnet. RDP should not be listening on workstations, in that scenario. Now if you have developers then you're gonna have a lot of pets, so it depends on what kind of an environment you're trying to secure. So the second one there is WinRM, which is awesome. WinRM in itself is cool, but if I'm gonna make an outbound WinRM connection to somewhere else, where is it coming from? Should you be allowed to make outbound WinRM connections from this theoretical accountant? Probably not. That computer needs to be managed via WinRM, but they probably don't need to make outbound WinRM. And that's an area you could use the Kerberos stuff to confirm, in case somebody's trying to do something funny with, you know, IP addresses or whatever.

So this one is for the evil people. If you were in some place where they were using the Windows Firewall and they had everything blocked, like I can't talk to these other computers, and this theoretical Accounts Payable person gets compromised but you want to get the CFO, theoretically you could use this Taint Shared Content attack. Which is the other cool thing about the ATT&CK framework: when you look at it, you can come up with stuff that maybe you have never thought about, and in this case this is the immediate one that I thought about. I was like, what, I've never thought about doing this at all. So I can't do normal lateral movement. I know that they both have access to a share that has Excel files on it. I know that that's probably safe because it's internal; I don't have to mail anybody something. I put a reverse shell macro in the Excel document and wait, and then the lateral movement occurs because the CFO opens and trusts this Excel document, and hopefully everything else would fail, which may or may not be the case, and I get a shell back out over the Internet. So that's something to consider. In that case you'd probably have to have signed macros, which most people don't even come close to doing, signed macros.

All right, so the general review is: make sure you're using the Windows Firewall, move from your default rules to custom based on the environment. The other thing that I always like to push, talking to people, is this is the Nirvana fallacy, or, you know, security absolutism, which other people have talked about today already. If you have workstation subnets that you need to take care of, but you have that one case where somebody needs to do something special, you have one pet; don't turn that into the example from Twitter where the guy said "maybe someday somebody will let us turn on the Windows Firewall." And this is how you get ammunition for talking to people in control: just bring up Maersk, you know, the shipping people. There's an excellent Wired article about lateral movement; it's basically what it all comes down to about their network. So the workstation thing to me is the biggest quick win that you can get: don't let workstations talk to workstations. And you would be surprised probably how many people that's shocking to. You talk to IT people and their immediate thing, their image, is kill the Windows Firewall, or not even know that you can do any of this kind of stuff, or even care. You know, the argument is "we already have a firewall," and there, meaning the perimeter, but you should move toward assume breach, which people have been doing for the last ten years at least. So in those two cases I'm just talking about outbound; this is before somebody gets the box and they turn off the firewall. If somebody gets the box, turns off the firewall, the computer that they're trying to talk to isn't going to answer them anyway, because they haven't gotten it yet.

All right, so I'm happy to take a couple of questions now, and then I communicate on Twitter or email or whatever. But we have these, a lockpick set and an Alfa wireless adapter, so if someone wants to ask a question I will get my assistant to bring you the lockpick set if the question is good. Yes?

The Nirvana fallacy is basically, it has to do with: if I cannot get to Nirvana, I'm not going to do anything. So it's the fallacy of "if I can't do the Windows Firewall for all my machines, I'm not going to do it for any of them." Did you see... yes sir?

I don't know of one specifically. I mean, me personally I would start, I mean, that's basically an architecture issue, and I would run through exercises of trying to imagine what this, if we're talking about Nirvana, what Nirvana looks like and what are the milestones we can take to get there. So I would start to examine what is the trade-off between doing it and not doing. So if, like printing for example, printing is one of these things that comes up a lot: using a network printer, the workstation talks to the network server and then the network server talks back down to the printer, and so in that scenario you never have workstations having to talk to this computer that you're sharing a workstation printer off of. So just determining what the lists of all those kinds of things are and iterating through: this is what we want to get to, which is no workstation communication, and then this is how we'd go about doing it. But I don't know of an author specifically that would talk about that. There might be some classes that would go more in depth into architecture stuff, but to me that depends on, you know, what your company or organization does.

Which book is that? Okay, Jim: Jones and Bartlett textbook. Yes, yep, yeah, right.

Yeah, well, yeah, I mean, personally what I would do is, in that scenario, that small of a place, I would move them off of having an on-prem DC at all. So in that scenario it seems like you need to move toward using Azure AD, Azure AD joined machines, and authenticating that way, because it would be highly unlikely that they would be prepared to maintain that infrastructure anyway. So the question would be whether or not that's something that they could take on, because it would probably require them redoing the way that they do everything. But a lot of those kinds of places seem to have IT guys, you know, that some of that's just an education thing, and the days of a law office running on-prem Exchange and a domain controller for a 20-person place, that's just, you know, it requires evangelism on our part to move them away from doing that kind of stuff, because ultimately it makes it worse for us too, because those are the kind of places that get owned and then they're used to do all kinds of other stuff. But if they've got a little Juniper switch or whatever, they can do VLANs on there, if their IT guy, you know, knows what they're doing, where you can do this kind of stuff even in that scenario, but it requires a little bit of work. So yeah, I mean, if I were a consultant in that scenario, I would definitely want to move them into what Microsoft would term to be a modern environment, with Intune and Azure AD. [Applause]
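As an added example, not part of Robert Wilson's talk or slides: a PowerShell script using the NetSecurity cmdlets built into Windows that applies the Tier 2 workstation baseline the talk describes (firewall on in every profile, inbound blocked by default, local rules not merged, blocked connections logged, the workstation subnet explicitly blocked, a connection security rule requiring computer and user Kerberos, and an RDP-in rule that only passes when that IPsec authentication succeeded and the traffic is encrypted). The subnet 10.10.0.0/22, the group names CORP\Workstation-Admins and CORP\Admin-PAWs, and the rule names are assumptions; the same commands can target a GPO via -PolicyStore instead of the local store.

```powershell
# Added example (not from the talk): Tier 2 workstation baseline for the
# built-in Windows Firewall, using the NetSecurity module (Windows 8.1 /
# Server 2012 R2 and later). Run elevated; replace the assumed values.
#Requires -RunAsAdministrator

# --- Assumed values (placeholders, not from the talk) ---------------------
$WorkstationSubnet = '10.10.0.0/22'            # assumed: the workstation VLAN
$AdminGroup        = 'CORP\Workstation-Admins' # assumed: who may RDP in
$AdminHostGroup    = 'CORP\Admin-PAWs'         # assumed: computers RDP may come from

function Get-SddlForGroup {
    # Firewall rules take -RemoteUser / -RemoteMachine as an SDDL string that
    # grants the "CC" right to a SID; this resolves a group name to that string.
    param([Parameter(Mandatory)][string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}

# 1. Quick win #1: firewall on in every profile, inbound blocked unless a rule
#    allows it, outbound allowed for now (iterate toward explicit rules later).
#    AllowLocalFirewallRules False is the "don't merge local rules" setting,
#    so a per-machine exception (the AP person's printer) has no effect, and
#    logging blocked connections gives you something to detect scans with.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Tier 2: workstations do not talk to workstations. A Block rule wins over
#    any Allow rule, so east-west traffic from the workstation subnet is
#    dropped even if some product later adds a broad inbound allow.
New-NetFirewallRule -DisplayName 'Tier2 - Block inbound from workstation subnet' `
    -Direction Inbound -RemoteAddress $WorkstationSubnet -Action Block `
    -Profile Domain -Group 'Tier2 Baseline'

# 3. Connection security rule: the computer account (phase 1) and the user
#    account (phase 2) must both authenticate with Kerberos, inbound and outbound.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$userKerb    = New-NetIPsecAuthProposal -User -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -Proposal $machineKerb
$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos' -Proposal $userKerb
New-NetIPsecRule -DisplayName 'Tier2 - Require computer and user Kerberos' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name -Profile Domain

# 4. The RDP-in rule from the talk: allowed only when the IPsec rule above
#    authenticated a member of the admin group on an admin machine, and the
#    traffic is encrypted (ESP), not just AH-authenticated in clear text.
New-NetFirewallRule -DisplayName 'Tier2 - RDP in from admins on PAWs only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -Encryption Required `
    -RemoteUser (Get-SddlForGroup $AdminGroup) `
    -RemoteMachine (Get-SddlForGroup $AdminHostGroup) `
    -Profile Domain -Group 'Tier2 Baseline'

# 5. Verify: every profile enabled and blocking inbound, and the baseline rules present.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules
Get-NetFirewallRule -Group 'Tier2 Baseline' |
    Select-Object DisplayName, Direction, Action, Enabled
```

With -Authentication Required on the RDP rule, a client that has not negotiated the Kerberos IPsec rule never reaches the port, so a compromised workstation in the subnet gets a logged drop rather than a login prompt.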