Page 83 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

As the next step, the attacker logs in to a domain controller, stops the auditing agent, and disables security logging. With the security camera effectively turned off, the attacker modifies accounts, groups, Group Policy Objects (GPOs), DNS records, and other AD-related objects – creating backdoors that can be used at a later stage.

The organization finds out that something is wrong within 10-15 minutes from the time the attacker logged in to the DC. They connect to the machine, terminate the attacker’s session, disable the compromised Domain Admin account, and gain back control… or do they?

The reality is the attacker was perfectly aware they were about to get exposed. So, the question now becomes, what did they do during those 10-15 minutes?

Another way that attackers can bypass security logging is to inject data directly into the Active Directory replication stream. That’s exactly what DCShadow does, making it invisible to SIEM systems and worrisome to security teams. (More on DCShadow can be found here.)




Keeping the Security Camera On


How do you deal with a scenario where the auditing agent was disabled, or the logs can’t help because they were never there?

The answer is having another source of data that is independent of any single machine. As you probably know, all of the information in Active Directory (excluding some event details) doesn’t stay with a single server, but is replicated across DCs and can be picked up from any DC in the domain.

This is how Semperis provides visibility of changes made even if security logging or auditing agents are disabled, or changes are made below the radar. The Semperis solution gathers changes from two independent data sources – one of them being the AD replication API.

So, in the example above, even if the auditing agent is disabled or changes aren’t logged, the hacker’s nefarious activity is captured when AD replication takes place. Changes are stored in a SQL database where the information can be used for forensic analysis and remediation. This allows you to identify and undo the unwanted changes made by the attacker – eliminating backdoors, and truly regaining control of your Active Directory.

Have you encountered hacks where attackers bypassed security logging? Are such hacks part of your risk assessment? I would love to hear about your experience and thoughts on the topic.
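The idea above, that replication metadata tells you what changed even when no event was ever logged, can be illustrated with a small diff of two metadata snapshots. This is an added example, not Semperis code: the rows, the DC names (DC01, DC02, DC-ROGUE), the object DNs and the "logging was off" window are all constructed; in a live domain the rows would be pulled from each DC with Get-ADReplicationAttributeMetadata.

```python
from datetime import datetime

KNOWN_DCS = {"DC01", "DC02"}          # assumption: the domain's real DCs
# Window in which the auditing agent was stopped (assumed incident timeline).
BLIND_START = datetime(2018, 12, 3, 9, 15)
BLIND_END = datetime(2018, 12, 3, 9, 30)

def rec(dn, attr, version, dsa, when):
    """One row of replication metadata; fields mirror the cmdlet's Version,
    LastOriginatingChangeDirectoryServerIdentity and LastOriginatingChangeTime."""
    return {"dn": dn, "attr": attr, "version": version, "dsa": dsa, "when": when}

# Constructed snapshots: BASELINE pulled before the incident, CURRENT after it.
BASELINE = [
    rec("CN=Domain Admins,CN=Users,DC=corp,DC=example", "member", 40, "DC02", datetime(2018, 11, 20, 8, 0)),
    rec("CN=AdminSDHolder,CN=System,DC=corp,DC=example", "nTSecurityDescriptor", 6, "DC01", datetime(2018, 6, 1, 7, 0)),
]
CURRENT = [
    rec("CN=Domain Admins,CN=Users,DC=corp,DC=example", "member", 40, "DC02", datetime(2018, 11, 20, 8, 0)),
    rec("CN=AdminSDHolder,CN=System,DC=corp,DC=example", "nTSecurityDescriptor", 7, "DC01", datetime(2018, 12, 3, 9, 20)),
    rec("CN=svc-backup,OU=Service,DC=corp,DC=example", "primaryGroupID", 2, "DC-ROGUE", datetime(2018, 12, 3, 9, 45)),
]

def changes_since(baseline, current):
    """Attributes whose originating-write version advanced (or objects that are
    new) since the baseline; this needs no security log at all."""
    base = {(r["dn"], r["attr"]): r["version"] for r in baseline}
    return [r for r in current if r["version"] > base.get((r["dn"], r["attr"]), 0)]

def suspicious(changes, known_dcs=KNOWN_DCS, start=BLIND_START, end=BLIND_END):
    """Tag each change with the reasons a log-independent review would flag it:
    written while logging was off, or originating from a DSA that is not a DC
    (the footprint a replication-stream injection leaves in the metadata)."""
    findings = []
    for c in changes:
        reasons = []
        if c["dsa"] not in known_dcs:
            reasons.append("originating DSA is not a known DC")
        if start <= c["when"] <= end:
            reasons.append("changed while security logging was disabled")
        if reasons:
            findings.append((c["dn"], c["attr"], c["version"], reasons))
    return findings

if __name__ == "__main__":
    for dn, attr, ver, why in suspicious(changes_since(BASELINE, CURRENT)):
        print(f"{dn} / {attr} (v{ver}): {'; '.join(why)}")
```

Each flagged row carries the object, attribute and version, which is the information needed to roll the attribute back to its baseline value during remediation.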
