Real-Time Detection of Attacks Leveraging Domain Administrator Privilege

Presented at Black Hat Europe 2018, Dec. 5, 2018, 11:45 a.m. (25 minutes)

In Advanced Persistent Threat (APT) attacks, attackers tend to target Active Directory to expand the infection. They try to take over Domain Administrator privilege and plant a backdoor called a "Golden Ticket": a forged Kerberos ticket-granting ticket that lets them impersonate arbitrary legitimate accounts and retain administrator privilege for the long term. Detecting attacks of this kind is difficult, however, because attackers largely use legitimate accounts and built-in commands, which are not flagged as anomalies.

We introduce a real-time detection method for attack activities that leverage Domain Administrator privilege, including Golden Tickets, using Domain Controller event logs. If such activities are detected immediately, the damage can be minimized.

The proposed method consists of the following steps, designed to reduce the false positive rate and support immediate response:

  • Step 1 (signature-based detection): analyze the event logs for the characteristics of the attack activities.
  • Step 2 (machine learning): apply unsupervised anomaly detection to the commands executed and detect, as outliers, the commands attackers tend to use.
  • Step 3 (real-time alert): when attack activities are detected, raise a real-time alert using the Elastic Stack.

We have developed a detection tool and published it on GitHub. We also present the specific algorithm behind the proposed method and how to implement it. The method can be implemented easily and helps immediate response to attacks.
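The three steps above, run over a constructed sample of Domain Controller Security log records, as an added example that is not the authors' published tool. The signature rule (a service-ticket request, Event ID 4769, with no matching TGT request, Event ID 4768, from the same account and client address within one TGT lifetime, which is how a forged TGT presents itself to the DC), the frequency-based outlier score standing in for Step 2, the event field names and the alert document layout are all assumptions chosen for this illustration; the page does not give the authors' own algorithm.

```python
"""Added example of the abstract's three-step pipeline over constructed
Windows Security event records. Not the authors' tool: the signature rule,
the rarity-based outlier score and the alert document shape are assumptions
made for this illustration."""
from collections import Counter
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)   # default Kerberos TGT lifetime
RARE_COMMAND_RATIO = 0.05            # assumed outlier threshold for Step 2


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample log (field names are this example's own): a normal
# admin session (4768 -> 4769 -> 4672 -> routine 4688 commands), then a
# session that starts with a 4769 from a client the DC never issued a TGT
# to, followed by commands typical of credential theft on a DC.
EVENTS = (
    [{"time": "2018-12-05T09:00:00", "id": 4768, "account": "admin01", "ip": "10.0.0.21"},
     {"time": "2018-12-05T09:00:02", "id": 4769, "account": "admin01", "ip": "10.0.0.21", "service": "cifs/dc01"},
     {"time": "2018-12-05T09:00:05", "id": 4672, "account": "admin01", "host": "dc01"}]
    + [{"time": "2018-12-05T09:%02d:00" % m, "id": 4688, "account": "admin01", "host": "dc01", "cmd": c}
       for m, c in zip(range(1, 31), ["dsa.msc", "mmc.exe", "explorer.exe"] * 10)]
    + [{"time": "2018-12-05T13:00:00", "id": 4769, "account": "admin01", "ip": "10.0.0.99", "service": "cifs/dc01"},
       {"time": "2018-12-05T13:00:03", "id": 4672, "account": "admin01", "host": "dc01"},
       {"time": "2018-12-05T13:00:10", "id": 4688, "account": "admin01", "host": "dc01", "cmd": "ntdsutil.exe"},
       {"time": "2018-12-05T13:00:20", "id": 4688, "account": "admin01", "host": "dc01", "cmd": "vssadmin.exe"}]
)


def tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Step 1 (signature): return 4769 events for which this DC issued no
    TGT (4768) to the same account from the same client IP within one
    TGT lifetime. A TGT obtained legitimately is preceded by a 4768; a
    forged Golden Ticket never is."""
    tgt_times = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as strings
        key = (e["account"], e.get("ip"))
        if e["id"] == 4768:
            tgt_times.setdefault(key, []).append(_t(e["time"]))
        elif e["id"] == 4769:
            now = _t(e["time"])
            if not any(now - lifetime <= t <= now for t in tgt_times.get(key, [])):
                hits.append(e)
    return hits


def command_outliers(events, ratio=RARE_COMMAND_RATIO):
    """Step 2 (unsupervised anomaly detection, simplified stand-in): score
    each process name by its share of all 4688 process-creation events and
    flag those below `ratio` as outliers. No labels are used; the observed
    command mix itself is the model of normal behaviour."""
    counts = Counter(e["cmd"] for e in events if e["id"] == 4688)
    total = sum(counts.values())
    return sorted(cmd for cmd, n in counts.items() if n / total < ratio)


def build_alerts(events):
    """Step 3: assemble alert documents in the shape one would index into
    Elasticsearch for Kibana dashboards or Watcher notifications. The
    index and field names are this example's choice, not the tool's."""
    alerts = []
    for e in tgs_without_tgt(events):
        alerts.append({"@timestamp": e["time"], "rule": "tgs_without_tgt", "severity": "high",
                       "account": e["account"], "client_ip": e["ip"], "service": e["service"]})
    rare = set(command_outliers(events))
    for e in events:
        if e["id"] == 4688 and e["cmd"] in rare:
            alerts.append({"@timestamp": e["time"], "rule": "rare_command", "severity": "medium",
                           "account": e["account"], "host": e["host"], "command": e["cmd"]})
    return alerts


if __name__ == "__main__":
    import json
    for a in build_alerts(EVENTS):
        print(json.dumps(a))
```

Two caveats a practitioner will hit in production: the Step 1 rule needs the 4768/4769 stream from every Domain Controller in the domain (a TGT issued by another DC is a legitimate reason for a 4769 without a local 4768), and the frequency score must be built from a baseline window rather than the same events it judges, so that a single burst of a rare command does not normalize itself.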

Presenters:

  • Takuho Mitsunaga - Project Associate Professor, The University of Tokyo
    Takuho MITSUNAGA is a Project Associate Professor at the Graduate School of Interfaculty Initiative in Information Studies, The University of Tokyo. He is also a Research Fellow at the Information-technology Promotion Agency, Japan. After completing his degree at the Graduate School of Informatics, Kyoto University, Mr. Mitsunaga worked on the front line of incident handling and penetration testing at a security vendor. In FY 2010, he led an R&D project of the Ministry of Economy, Trade and Industry (METI) on an encrypted data-sharing system for the cloud with an efficient key management function. He has been a member of the Watch and Warning Group of JPCERT/CC since April 2011, where he engages in cyber attack analysis including APT cases. He has also contributed to several cyber security books as co-author or editorial supervisor, including "Information Security White Paper 2013".
  • Mariko Fujimoto - Project Researcher, The University of Tokyo
    Mariko Fujimoto joined NEC Solution Innovators, Ltd. in 2004 and worked on the development of software and systems for internal control. In 2015, she joined the Watch and Warning Group of JPCERT/CC, where she was engaged in information gathering and early warning activities. Now, as a Project Researcher in the Secure Information Society Research Group, The University of Tokyo, she conducts research on cyber security, especially log analysis for detecting targeted attacks.
  • Wataru Matsuda - Project Researcher, The University of Tokyo
    Wataru Matsuda joined NTT WEST, Ltd. in 2006. In 2015, he joined the Watch and Warning Group of JPCERT/CC, where he was engaged in information gathering and early warning activities. Now, as a Project Researcher in the Secure Information Society Research Group, The University of Tokyo, he conducts research on cyber security, especially log analysis for detecting targeted attacks.
