Rarely in life will software vendors let you in on some of their secret sauce. Rapid7 obviously believes in information sharing and the open source community, so in that same vein, the UserInsight team decided to write a guide to gathering the right data to fully understand how stolen passwords are being (mis)used in your organization. The result is a Technical Paper called "Why You Need to Detect More Than PtH" and it details proven methods that we have tested in the real-world. There is no trick or secret omission. With the scenarios and resulting data that we walk through, you should be able to successfully detect pass-the-hash and other more stealthy activity that attackers commonly use today. Here is the introduction:
It does not matter where or how the attack started – while many attacks start with credentials, at some point all attacks look like an insider. On this premise, we believe that reducing the effectiveness of known attack techniques is as important as ever. Practitioners need to educate users, reduce the use of administrative privileges in an organization, actively avoid RDP, and do as much as possible to eliminate NTLM authentications. In spite of the progress Microsoft has made in recent years to mitigate known attacks like Pass-the-Hash (PtH), especially in Windows 8.1, this threat has not been eliminated.
We wrote this paper with no intention of introducing new attacks or expanding on the excellent Pass-the-Hash papers over the past few years. This is a defensive guide providing a series of steps necessary to make detection achievable for the incident response team. It is wholly intended to highlight where to look and what to look for so that compromised credentials can be detected.
And one more snippet that hopefully cues you into our thought process going into it:
Taking a page from anti-fraud strategy used by the largest banks in the world, information security teams need to combine various mitigation and prevention tools to reduce the likelihood and impact of a breach with fast detection for the now-reduced level of attacks that are successful.
Jeff Myers and I are the authors, but there were important contributions from across the UserInsight, Metasploit, and Professional Services teams here at Rapid7. To download the Technical Paper, click here. If you would like to watch the on-demand webcast where Jeff and I covered these topics, it is available here.