The top 5 methods in order were:
- Weak Domain User Passwords
- Broadcast Name Resolution Poisoning (aka WPAD)
- Local Administrator Attacks (aka Pass the Hash)
- Cleartext Passwords Stored in Memory (aka Mimikatz)
- Insufficient Network Access Controls
So the bad news is that these security holes have been around for years. The good news is that these security holes have been around for years. This is good news because the ways to mitigate these issues are well understood and readily available, and they do not require buying additional software or a security appliance.
Weak Domain User Passwords
A lot of organizations feel safe because they have followed what has become commonplace thinking about what a secure password is. "Well, my domain is set to require 8 characters, 1 special character, 1 capital letter, and 1 number as a password." Sadly, this does not make for a secure, complex password. In order to satisfy these requirements users will commonly pick passwords like P@ssword123 and Winter!2016, both of which follow a pattern (a dictionary word, a character substitution, a year) that cracking tools try first. I don't believe that anyone would consider either of these a secure password. Organizations need to move away from passwords towards passphrases. Where Winter!2016 is considered weak, !LoveTheWinter!0f2016 is orders of magnitude more difficult to crack simply because of the increased number of characters: every added character multiplies the space a brute-force attack has to cover. Passphrases are easy to remember and provide enough security to thwart most cracking attempts. The one caveat is that a passphrase lifted verbatim from a song lyric, a quotation or a well-known saying shows up in cracking wordlists, so users should build their own rather than borrow one.
Additional guidance is that, when possible, two-factor authentication should be implemented, especially for administrative and remote access. A second factor has a dramatic net positive impact: even an organization with less strict password rules is far better off once a stolen or cracked password alone is no longer enough to log in.
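The domain-level change the passphrase guidance above translates to, as an added example that is not part of the original post: raise the minimum length so that a pattern like Winter!2016 can no longer satisfy the policy, cap online guessing with lockout, and put a stricter fine-grained policy on privileged accounts. It assumes the ActiveDirectory RSAT module is installed; the domain name corp.example.com, the PSO name and the sample account are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
# corp.example.com, PSO-PrivilegedAccounts and some.admin are placeholders.
Import-Module ActiveDirectory

$domain = 'corp.example.com'

# The weak baseline most shops run (8 characters plus "complexity"), shown only for contrast:
# Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 8 -ComplexityEnabled $true

# Passphrase-oriented default policy: length does the work; lockout limits online guessing.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Stricter fine-grained policy (PSO) for privileged accounts; a PSO overrides the default
# domain policy for the principals it is applied to. Lower precedence wins when PSOs overlap.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Verify what is actually in force for a given account: the resultant PSO, not the default.
Get-ADUserResultantPasswordPolicy -Identity 'some.admin' |
    Select-Object Name, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

The verification step matters because a PSO that is created but never linked to a subject enforces nothing; Get-ADUserResultantPasswordPolicy shows the policy the domain controller will actually apply to that account.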
Broadcast Name Resolution Poisoning
Broadcast Name Resolution Poisoning attacks leverage how systems attempt to find other systems on the network in order to steal credentials. If a Windows host looks up a name that is neither in its local hosts file nor resolvable in DNS (a mistyped share name, a decommissioned server, a stale drive mapping), it falls back to LLMNR and the NetBIOS Name Service (NBT-NS). LLMNR multicasts and NBT-NS broadcasts the query across the local subnet, so every system on that segment sees it and any of them can answer. An attacker who answers first becomes the "server", and the victim's client then authenticates to the attacker, typically with NTLM. The captured challenge/response can be cracked offline, or the authentication can be relayed in real time to other systems that accept NTLM, extending the attacker's access across the network.
Most organizations have no business need for NetBIOS/LLMNR. The guidance is to disable both and populate the DNS servers with entries for the enterprise systems, so that name resolution never falls back to the local segment. Web Proxy Auto-Discovery (WPAD) is exposed the same way: a browser configured to "automatically detect settings" looks up the name wpad, and when DNS has no answer that lookup falls back to LLMNR/NBT-NS, where the attacker can hand the client a malicious proxy configuration. Automatic proxy detection should therefore be disabled in web browsers. An organization that needs WPAD can instead publish a wpad entry in internal DNS that points clients to a proxy it controls, so the query never reaches the broadcast domain.
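The three settings just described, turned off on a Windows client, as an added example that is not part of the original post. It assumes an elevated PowerShell session with CIM available (Windows 8 / PowerShell 3 or later); for a fleet the same registry values are pushed through Group Policy. The per-user AutoDetect value is an assumption about what the Internet Options "Automatically detect settings" checkbox writes, so verify it on your build.

```powershell
# Added example, not from the original post. Run elevated. The AutoDetect value below is an
# assumption about where the "Automatically detect settings" checkbox is stored.

# 1. LLMNR. The "Turn off multicast name resolution" policy writes EnableMulticast=0 here.
$dnsClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsClientKey -Force | Out-Null
New-ItemProperty -Path $dnsClientKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null

# 2. NetBIOS over TCP/IP on every IP-enabled adapter. TcpipNetbiosOptions: 0 = use the DHCP
#    setting, 1 = enable, 2 = disable. 2 stops NBT-NS (UDP/137) queries and answers regardless
#    of what DHCP hands out.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# 3. WPAD. Disable the WinHTTP auto-proxy service (Start = 4, effective after a reboot) so the
#    system itself never resolves "wpad", and clear the browser's auto-detect flag for the user.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' -Name Start -Value 4 -Type DWord
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name AutoDetect -Value 0 -Type DWord

# Verification, suitable for a compliance script: reports whether each fallback is off and
# names any adapter that still has NetBIOS enabled.
function Test-NameResolutionHardening {
    $llmnr = (Get-ItemProperty -Path $dnsClientKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $nbtOn = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
               Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    [pscustomobject]@{
        LlmnrDisabled   = ($llmnr -eq 0)
        NetbiosDisabled = ($nbtOn.Count -eq 0)
        AdaptersWithNbt = $nbtOn.Description
    }
}
Test-NameResolutionHardening
```

If WPAD is genuinely needed, the alternative from the text is an A record named wpad in internal DNS pointing at a proxy you control. One gotcha: Windows DNS Server refuses to answer for wpad by default through its global query block list (see Get-DnsServerGlobalQueryBlockList), so the record only works once wpad is removed from that list, and the block list itself is why clients otherwise fall through to LLMNR/NBT-NS for that name.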
Pass the Hash
A lot of organizations do not know how to properly manage the local administrator password on the many client systems across a network. Often the same username and password is used on every system because that makes for easy administration. Unfortunately, if an attacker gains access to one system and is able to obtain that account's NTLM password hash, they then have administrative access to every system that uses the account, because NTLM authentication accepts the hash itself; the password never needs to be cracked. That is the pass the hash attack.
To mitigate the exposure to pass the hash attacks, organizations should apply a defense in depth approach. First, restrict Domain Admins and Enterprise Admins from logging on to workstations (the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights, applied by Group Policy, enforce this). This way those credentials are never present on a workstation to be stolen. Another technique is to prevent workstations from accepting inbound connections from other workstations. In general there is no reason for client to client communications to occur; only trusted administrative network segments should be allowed to connect to workstations remotely. Later versions of Windows also let you limit which credentials are stored on a system at all: the Protected Users group (Windows 8.1 and Server 2012 R2, backported to earlier versions by KB 2871997) keeps its members' NTLM credentials from being cached, and the same update introduced Restricted Admin mode for Remote Desktop so that an administrator's credentials are not left on the remote host.
Microsoft has also released the Local Administrator Password Solution (LAPS), which generates a unique random password for the local administrator account on each domain-joined system and rotates it on a schedule. That password is stored in Active Directory as an attribute of the computer object, and the ACL on that attribute is what protects it: domain administrators grant read permission only to the users or groups that need it to perform administrative functions. With every machine holding a different password, a hash stolen from one workstation no longer opens the rest.
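The two technical controls above, the workstation firewall that refuses client-to-client management traffic and LAPS, as one added example that is not part of the original post. The admin segment 10.10.50.0/24, the OU path, the Helpdesk group and the computer name are placeholders. The firewall half runs on a workstation (or becomes a GPO); the LAPS half runs from a management host with the AdmPwd.PS module, after the schema has been extended with Update-AdmPwdADSchema and the LAPS client is installed on the workstations.

```powershell
# Added example, not from the original post. 10.10.50.0/24, the OU, CORP\Helpdesk and
# WKS-0421 are placeholders.

# --- Workstation host firewall: no inbound management from other clients -------------------
$adminSubnet = '10.10.50.0/24'
$mgmtPorts   = 135, 445, 3389, 5985, 5986   # RPC endpoint mapper, SMB, RDP, WinRM http/https

# In Windows Firewall a Block rule always beats an Allow rule, so a "block everything else"
# rule would also kill the admin path. Instead rely on the default inbound action and disable
# the built-in allow rules that open these services to any remote address.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management'

# The only inbound path to the management ports is from the admin segment.
New-NetFirewallRule -DisplayName 'Allow management from admin segment' -Direction Inbound `
    -Protocol TCP -LocalPort $mgmtPorts -RemoteAddress $adminSubnet -Action Allow -Profile Domain

# Check: which enabled inbound allow rules still expose a management port to any address?
# (Matches exact port numbers only; rules written as ranges need a manual look.)
function Get-OpenLateralMovementRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            ($ports | Where-Object { $_ -in $mgmtPorts }) -and ($addr -contains 'Any')
        } | Select-Object DisplayName, Profile
}
Get-OpenLateralMovementRules

# --- LAPS: a unique, rotated local administrator password per machine -----------------------
Import-Module AdmPwd.PS
$ou = 'OU=Workstations,DC=corp,DC=example,DC=com'
Set-AdmPwdComputerSelfPermission -OrgUnit $ou                                     # machines may write their own password
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\Helpdesk'   # who may read it
Find-AdmPwdExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders   # audit: who else can read
Get-AdmPwdPassword -ComputerName 'WKS-0421' | Select-Object ComputerName, Password, ExpirationTimestamp
```

Find-AdmPwdExtendedRights is the step people skip: any principal holding "All extended rights" on the OU can read every LAPS password in it, and that right is routinely inherited by old delegation groups nobody remembers.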
Clear text passwords stored in memory
Mimikatz is a popular attack tool used to steal cleartext passwords from the LSASS process on Windows. If an attacker is able to obtain administrative or SYSTEM level privileges, the usernames and passwords of currently logged-on users and of recent logon sessions can be pulled directly from memory, because the WDigest authentication package keeps a reversible copy of each password for single sign-on.
Windows 8.1 and Server 2012 R2 and later no longer keep the cleartext copy by default. Windows 7, Windows 8, Server 2008 R2 and Server 2012 must have KB 2871997 installed and the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (REG_DWORD) set to 0; the update alone does not turn WDigest off. This should be treated as a high value registry key and monitored to make sure it has not been changed, since an attacker with administrative rights can simply set it back to 1 and wait for the next logon. Note that the setting removes only the cleartext password: NTLM hashes and Kerberos tickets of logged-on users remain in LSASS and are still usable for pass the hash and pass the ticket.
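The check, the fix and the monitoring for that key together, as an added example that is not part of the original post. It assumes an elevated session; the OS version comes from CIM so it reports the real build rather than a compatibility-shimmed one, and the event property index used for the user name is an assumption about the layout of Event ID 4657.

```powershell
# Added example, not from the original post. Run elevated. Properties[1] as SubjectUserName
# in a 4657 event is an assumption; check it against one real event first.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-WDigestHardening {
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $legacy    = $osVersion -lt [version]'6.3'     # older than Windows 8.1 / Server 2012 R2
    $value     = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $hotfix    = if ($legacy) { [bool](Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue) } else { $true }
    # Legacy: needs the update AND an explicit 0 (a missing value still means "store cleartext").
    # 8.1 and later: cleartext is off unless someone has set the value to 1.
    $hardened  = if ($legacy) { $hotfix -and ($value -eq 0) } else { $value -ne 1 }
    [pscustomobject]@{
        OSVersion          = $osVersion
        LegacyOS           = $legacy
        HotfixPresent      = $hotfix
        UseLogonCredential = $value
        Hardened           = $hardened
    }
}

# Enforce: an explicit 0 is correct on every version and is what the monitoring below watches.
New-ItemProperty -Path $wdigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null

# Monitor: enable Registry object auditing and put a SACL on the key, so any write or delete
# of a value under it raises Event ID 4657 ("A registry value was modified") in the Security log.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
$acl  = Get-Acl -Path $wdigestKey -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', 'SetValue, Delete', 'None', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $wdigestKey -AclObject $acl

# Hunt: every 4657 that touched UseLogonCredential is a re-enable attempt until proven otherwise.
function Get-WDigestTamperEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'UseLogonCredential' } |
        Select-Object TimeCreated, @{ n = 'User'; e = { $_.Properties[1].Value } }, Message
}

Test-WDigestHardening
Get-WDigestTamperEvents
```

Forward the 4657 events to your SIEM rather than relying on the local log; an attacker who can flip the value can also clear the Security log, and a cleared log (Event ID 1102) is itself the alert in that case.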
Insufficient Network Access Controls
This attack vector was touched on in the pass the hash mitigation strategy. Attackers often have free rein on a network once they get a foothold. They are able to touch other client systems as well as all of the critical systems because there are no network access controls segregating them. The network should be restricted so that systems can only talk to each other when there is a business need to do so.
Organizations often grasp the concept of having a DMZ and segmenting their network into trusted zones with regard to untrusted traffic coming in from the outside. The same logic should be applied internally. Client systems should be barely trusted: while administrators do have some control of the system, the end user may have engaged in some bad behavior that led to a compromise that has yet to be detected. The defender must think in terms of limiting the damage that system can do as much as possible while not significantly impeding the end user from completing daily tasks.
To accomplish this, network administrators must work with business units to identify which systems are critical and to understand which personnel should and should not have access to them.