Thank you very much. It's a pleasure to be here and many thanks to you for joining this session today, because this is really, for me, an honor to be able to share my experience and knowledge with you. So my name's Joseph Carson, I'm the Chief Security Scientist and Advisory CISO with Delinea. I'm based in Tallinn, Estonia, and I also do a lot of educational content. I'm also the host of an award-winning podcast, so if you do want to hear me on a frequent basis, do sign up for the podcast. It's called the 401 Access Denied podcast.
So here we're gonna go through a lot of the different types of identity attack techniques that attackers use in order to compromise identities. And if you know me from presenting, I like to share demos. So be ready for demos today.
So we've got quite a few demos to go through, so let's get into it. Let's go ahead and get started. One of the first things is, if I'm clicking, okay, so one of the first things is that the Verizon Data Breach Investigations Report was just recently published in May. And this is almost like the security scorecard.
We look at this to find out how did we perform? Did we do better than the previous years?
What techniques are the attackers using in order to actually gain access? So we look at this for direction, and one of the interesting things is, if you go back over, you know, the Verizon Data Breach Investigations Report has been out, I think, 17 years now. But if you go back over the last 10 years, one of the key findings is that 31% of the breaches investigated have been identity or credential compromise attacks.
So almost one third of all the breaches were related to identities. And that's significant.
That's something where, if we actually do better in that area, we can make a significant impact. And it also highlights that there's a massive ecosystem out there. When we look at it, cybercrime has almost converged. It used to be just digital crime, but now it's converged with organized crime. And that means you're seeing that financial motivation is one of the biggest motivations for attackers out there. And one of the things they want is identities. Identities are their way into victims, their way into organizations.
I'm gonna share with you some of the techniques that they use. And for many credentials out there, unfortunately, in most organizations it's passwords that are doing the protecting; passwords are sometimes the difference between protecting the organization and becoming a victim.
It's one of the things that attackers look for. It's one of the things that they try to gain access to. And we think of passwords. Passwords are just a form of a secret.
It's just another way of having something that can be in the form of passcodes, keys, PINs, passphrases, passkeys. It's just a way to make sure users are really who they say they are: they have something that they have knowledge of that no one else has knowledge of. So this is one thing that attackers are looking to compromise. And as we leave users to make those decisions, as we leave users to choose passwords, to create passwords, to rotate passwords, we are definitely leaving it to the human mind.
And I can guarantee that we are not the best source of creating passwords, 'cause we tend to do things that are easy to remember.
That's something that's simple, easy to crack, and attackers are out there. One of the big methods that was used in the Verizon Data Breach Investigations Report is phishing campaigns. And one of the things that I find is that attackers are amazingly creative.
They're so good at putting well-defined campaigns together that abuse our trust, that give us just enough information, or enough of a hook, to get us to click on something, to go and log into something. One of the techniques that's up here that I've used was speeding tickets.
Speeding tickets is one of the methods that I found was actually one of the most successful phishing campaigns: sending a speeding ticket out at 5:30 PM on a Friday afternoon, and all the person needs to do is verify that they have this speeding ticket, because that's what you would do.
And at 5:30, why 5:30? Because the transportation agency is closed. They call the number that's on the ticket, Monday to Friday, nine to five. So they can't verify anything directly. So they end up having to go and click on the link.
One of the other favorite ones I had was bad phishing emails, purposely badly generated phishing emails. What you do is, commonly, a lot of organizations now have this "this email looks to be suspicious, please contact IT or report it" notice. The phish itself was actually the security notification. So it was a really badly written email saying, oh, click here or download this, you know, but this looks to be suspicious, report it to your IT, click.
That was the phish, and the real IT-generated notice was about three pages down, because they had huge amounts of spaces at the bottom of the email.
So really the attackers are very creative. They're always looking for ways, and phishing still remains one of the top methods of getting access. The next one, surely on the increase, is deepfakes. Now deepfakes are used a little bit differently. Deepfakes tend to be the convergence of what we see of digital crime and financial fraud.
I do believe that our industry, cybersecurity and identity, and financial fraud will converge at some point, because we need to have their knowledge, because the attackers have already converged together. They're already working with money launderers and financial fraud out there. They've converged; we as industries have not. The financial fraud industry and financial crimes is still a separate industry, but that will converge, and deepfakes are really driving that. A lot of the deepfakes we see today are not necessarily to gain access to an organization.
We see them mostly in things like business email compromise and actually invoice fraud, and redirecting or getting people to transfer funds or, you know, deliver gift cards and other types of things. So we do see deepfakes driving that, but what's happened is that artificial intelligence has really lowered the bar. Deepfakes used to be something for more sophisticated and more advanced attackers; with artificial intelligence today, anyone with an internet connection and a laptop can generate deepfakes with a few clicks of a button.
So that means that the entry point for cybercrime has significantly lowered. Now, one thing is we hear a lot about artificial intelligence and all the fears and threats, and we hear a lot in the media. The good news is attackers are not using it that much. They're not using it as much as we might assume.
They're not using it to create malware and to do real-time campaigns just yet. What they are using it for is to create much better phishing campaigns, much better messages, much better ways of being able to abuse our trust.
One thing that we've seen in Estonia with phishing campaigns is that the language used to be one of the protections of the country, because the language is so complex, so complex that quite a few Estonians don't have good grammar in Estonian itself. But what happened is that they were able to detect phishing campaigns because the attackers were not able to translate it correctly. That has disappeared since generative AI.
With generative AI, what we are finding is that in phishing campaigns and social engineering, the translation is so good, to the point where it's very difficult for humans to detect a phishing campaign, because it's constructed so well. And that's what artificial intelligence is doing today.
So let's get into it. As you know, I love demos, I love sharing with you. So let me go through some of the techniques that attackers use. So I talked about the ecosystem, and one of the initial parts of the ecosystem is what we call access brokers.
Access brokers are a set of cybercriminals out there, and all they do is basically crack hashes. So what they look for is existing data dumps or previous breaches that might contain hashes that may be able to gain access to organizations. Simply, what they do is they take a hash and they spend all their time cracking it. They try to understand what types of passwords you've chosen in the past to create really intelligent word lists.
And they have processing power: when their machines are not mining cryptocurrency, they're cracking passwords, or they're doing artificial intelligence.
In this case here you can see that it's only taking a few minutes, actually even less than minutes, in order to crack a password, in order to get it to clear text. The next thing the initial access brokers will do is they wanna verify that those credentials work; they wanna verify that it hasn't been changed since that hash was obtained. So the next stage is they'll use tools like Crowbar.
They'll gather all of those previously cracked passwords, they will put them into a word list, and then they will try to check all the different services on the internet out there that they assume that user might be using. So it's only a matter of time, again, that we're able to determine that actually, on this RDP system, the password that we just cracked is actually valid. They might even take it a step further.
They might actually log in.
So they might then go through something like a VPN or a Tor exit node, they'll try accessing the system, and then they verify that this account actually is valid. It works. And then what they do is they now put it onto the dark web and they put it up for sale, for about 10, 15 dollars or euros, depending on how much privilege this user has and what organization it actually gains access to.
So those access brokers will now simply sell it on, and the next set of cybercriminals, who might be hands-on-keyboard, might be a nation state, might be a financial criminal, a ransomware criminal, will now go and use that to log in. So simply what you find is that there's a whole ecosystem out there of different types of specialty, all working together in order to make, you know, money for themselves.
The next example here, this is coming from a ransomware case.
So ultimately the attackers get initial access. They went on the web, they bought a credential from an access broker. They may have spent, you know, 10, 20 euros for the login. And one of the things, unfortunately for users, is that users like to take the easy path. They store things in easy places, and in this real live case, the user was storing their passwords in a clear-text file on the desktop; they were also storing them in their browser.
But one of the biggest mistakes that this organization made, the biggest mistake, was that when the attacker went in and ran net localgroup, they found that this user was a local administrator account. And with a local administrator account, the attacker knows it's a few clicks away from going from a local administrator to a full domain account.
So in this case, what they now do is they'll run a disable script. This is the actual script the attackers used. It goes in and disables security for about 10 minutes.
So they know that in 30 minutes the protective services in the operating system will kick in and try to restart them again. So they know they've now got a 10-minute window to do criminal activity. They might go and create a backdoor by using things like sticky keys; that script also deletes the logs during the period that they're on that system. Here you can see they're enabling the registry setting which basically allows that now, for anyone who logs into the system, their password will be stored in clear text in memory.
So with that local administrator account, they can make those configuration changes. The next stage is they download the actual malicious tools; because security is disabled, they can download tools that will not be detected.
They execute those tools, such as Mimikatz, and now they're able to extract any password in clear text from users who log into that system. Now they've been able to obtain the domain administrator account password as well as the hash.
They could choose, in the next stage, whether they want to go and do a lateral move using pass-the-hash or just simply use the password and log in. In this case, after that they might log into the domain controller, and when they log into the domain controller, they might create another user as a backdoor, just in case somebody might change that password or they lose access. So they want to make sure that they have persistence as much as possible. So in this case the criminal will now go and see, okay, what users are there, let's go and create myself another user.
In this case they created my alias, my hacker alias, which is Rogue One. So I have two hacker aliases. So if you ever see Rogue One or Wire Trap, those are my hacker aliases. If you see those in capture-the-flag events or any types of content, typically it's coming from me. You might see also there was a GMER. One of the things the attackers were using: we use GMER to find rootkits. What's interesting is the attackers use GMER in order to find security.
So using those tools that we use to find backdoors, they're using them in order to find what security tools we've installed on the system, so they know how to bypass and work around them. So, interestingly, our own tools that we use to help us are also being used against us. In this case here you'll see the attacker, even if they weren't able to get the clear-text password, can use tools like Evil-WinRM in order to go and log in using just the hash itself.
And now they're logged in.
You can see they're logged into the domain controller called Cyber DC and they're now logged in as the administrator. This is one of the things: the big failures here are weak passwords and having local administrator accounts. Those two things are some of the most dangerous things for identities.
If we give too much privilege and we choose weak passwords, which most organizations leave users to make those decisions on, those are gonna be the two biggest things that attackers will use and abuse to gain access. And I hope I have time for, I've still got more time for another demo, so I always like that. Let's add another demo in. So let's say in the case that you don't have a privileged account, you basically just have a standard user.
So you're logged in, you've got a user that might be an accountant; it might simply be an administrator, you know, a staff administrator who's basically just doing day-to-day tasks.
So in this case, we've gained access to this machine and the attacker will now go and say, well, who am I?
What's my user? So we'll take a look and say, well okay, I'm Neo, I'm in the Matrix. So I basically don't have any privileges. What the attackers are really good at, sometimes even better than we are, is inventory. They go through and they will understand and do reconnaissance, and they'll find out about all the software that you're running in your environment. They will look for all the protocols and configurations. In this case they see that there's actually an application running in this environment called Remote Mouse.
With Remote Mouse, what they can then do is they will go and check which version in particular is running in this environment. So they're gonna say, well okay, which version is Remote Mouse running under?
It's 3.008. So with all of the information, all of that inventory they're collecting from the environment, they will then take it off into their own environment and will start searching for all the exploits. And they might take months; this might be something where they will stay stealthy for a long period of time until they find vulnerabilities.
In this case here you can see that Remote Mouse has a local privilege escalation path. So in the case before, if I wasn't a local administrator, now I have a path to being a local administrator in the environment. So the attacker will now go and say, well, how does this work? And you can see here, simply with the vulnerability in searchsploit, I can see that here are the exact steps.
A, B, C: go to settings, go to image transfer, and basically type in the path to cmd.exe.
So the attacker now knows how to go from a standard local account right up to a local administrator account, which they can then use with the technique that I showed before to go to domain administrator. So simply following the steps that they got, I go to C:\Windows\System32\cmd.exe, and from a standard user that has no privileges, now they have full control over this machine as NT AUTHORITY\SYSTEM.
So this is what attackers are doing: they're doing inventory, they're looking for what types of users you have, what privilege they have, what configurations you've got. And they only need to find one. It's one of those paths that lets them then go to the next step and climb right up. If they get to domain administrator, I can guarantee that at that point in time it's literally about four hours that you have before it's game over for your organization.
Four hours.
Once they get domain administrator, you have a four-hour window in order to stop an attack from escalating, either to data exfiltration, which is the most common technique, 'cause many of you today have done really good data backups in the past two years and have more ransomware-resilient backups. So one of the techniques they're preferring to do is data exfiltration. So they're exfiltrating the data and then they'll try to do encryption or ransomware deployment. But since we've done really good backups in the last couple of years, data exfiltration and extortion is the preferred method.
It's one of the ones that's on the rise, and it means that you've seen recent attacks; we've seen Ticketmaster recently as one of those victims of data extortion. So it's gonna be commonly happening over and over time, so we have to look at how we make sure we minimize those techniques.
So what are some of my recommendations? What can we do in order to reduce this risk? Well, you've taken step one: you've come here and listened to me. Step one is learning from the techniques that they use. So education and cyber hygiene, learning some of those best practices.
I also do recommend purple teaming on identity, looking for identity high risks. So working with purple teams who go through these types of techniques and identify where those misconfigurations might be, where the identity threats might be lying, what those misconfigurations are, and then making sure you have the right security controls in place. Practicing the principles of zero trust and least privilege.
Getting to where you don't have local administrators in the organization; you move to just-in-time, just-enough privilege, elevation on demand. That will make it as difficult as possible, because attackers don't have unlimited time. They don't wanna be wasting their time; they wanna be driving their fancy Ferraris and going on vacations in the Mediterranean, and they don't wanna be spending all their time trying to elevate privileges if you're not making it easy for them.
So let's make it difficult.
Privileged access management: let's move passwords into the background. Let's not have users making the choice of creating passwords; put it into the background. Let it be systematic, let it be as difficult as possible to crack and as costly as possible to crack. Application control: making sure that attackers can't use malicious applications in order to look for vulnerabilities. And then good patching and update hygiene, especially for our vulnerabilities. Faster patching is always a good method. At that point, I'm happy to take questions.
I hope you find this educational. Do we have any questions from the audience or any questions online?
Okay, we have one minute left. Actually, I have a question, but you've answered it already. I'll try to read it out; maybe you have something to add to that. In your experience as an ethical hacker, what are the most effective ways of frustrating credential-based attacks?
Oh, well, there's a couple of ways, but the most effective way is literally multi-factor authentication. That's if you put MFA in place, and not just at the front door, but also on your internal doors. I like to think of the metaphor of a hotel. Your organization is like a hotel: if you just give the person a key and that MFA is at the front door of the hotel, once they're in, they can move around freely. Having MFA at different interactions along the way will make it troublesome, make it waste time, resources, money, and it will frustrate attackers.
So having MFA, not just at the front door, but within your infrastructure, especially if you have a flat network where you're actually mixing low-risk accounts and high-risk accounts together, definitely MFA on every interaction will make it as difficult as possible for attackers. It's not a hundred percent protection, but it will frustrate them, and it will mean they will look for other ways or other victims, and they will go to other targets and leave you alone. Thank you.
Thank you, Joe.
It was really educating and it was fun. Thank you very much.
Thank you very much.
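Added example, not part of the talk: the access-broker step Joe demonstrates (take a hash from an old dump, build an "intelligent" word list from what the user chose before, crack it in seconds) written out in pure Python so it can be run offline. NTLM is MD4 over the UTF-16LE encoding of the password; MD4 is implemented inline because hashlib's MD4 is often disabled on OpenSSL 3 builds. The word list, the mangling rules and the sample passwords are constructed for this illustration; the reference hashes for "password" and the empty string are the standard NTLM test values.

```python
"""NTLM hash cracking with a rule-based word list (added illustration).

NTLM = MD4(UTF-16LE(password)). MD4 is implemented here in pure Python
because hashlib's MD4 is frequently unavailable on OpenSSL 3 builds.
The word list, mangling rules and sample passwords below are constructed
for this example and not taken from any real breach.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data`."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h_(x, y, z):
        return x ^ y ^ z

    # (function, message-word order, shifts, additive constant) per round
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (h_, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]  # working registers a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (v[0] + fn(v[1], v[2], v[3]) + x[k] + const) & MASK32
                # update "a", then rotate roles so the next step works on "d"
                v = [v[3], _rotl(t, shifts[i % 4]), v[1], v[2]]
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """Hex NTLM hash, the form found in SAM/NTDS dumps and breach data."""
    return md4(password.encode("utf-16-le")).hex()


def mangle(word: str):
    """Yield candidates the way a targeted word list does: case variants,
    leet-style substitutions and the usual year/digit/punctuation suffixes."""
    bases = [word, word.capitalize(), word.upper()]
    bases += [b.replace("a", "@").replace("o", "0") for b in bases]
    bases = list(dict.fromkeys(bases))  # de-duplicate, keep order deterministic
    suffixes = ["", "1", "123", "!", "2023", "2024", "2023!", "2024!"]
    for b in bases:
        for s in suffixes:
            yield b + s


def crack(target_hex: str, words):
    """Return (password, attempts) on a match, or (None, attempts) if the
    list is exhausted. Every candidate costs one MD4, which is why weak
    derivations of old passwords fall in milliseconds."""
    target = target_hex.lower()
    attempts = 0
    for w in words:
        for cand in mangle(w):
            attempts += 1
            if ntlm(cand) == target:
                return cand, attempts
    return None, attempts


# Constructed word list: the kind built from a user's earlier breached passwords.
WORDLIST = ["password", "welcome", "estonia", "summer", "tallinn"]

if __name__ == "__main__":
    for pw in ["password", "Estonia2024!", "T@llinn123", "correct horse battery staple"]:
        found, n = crack(ntlm(pw), WORDLIST)
        print(f"{ntlm(pw)}  ->  {found!r} after {n} candidates")
```

The point is not raw speed but the size of the search: any password derived from a word the user has used before falls within a few hundred candidates, while the random passphrase at the end survives the whole list. That is the argument behind the talk's recommendation to take password creation away from users and make cracking as costly as possible.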