Why You Need to Detect More Than PtH

Presented at Black Hat USA 2014, Aug. 7, 2014, 3:30 p.m. (60 minutes).

Compromised credentials are a key predatory weapon in the attacker's arsenal, and this isn't changing in the foreseeable future. This talk will systematically explore why they can be prevented but never cut off completely, and how to leverage this knowledge in detection. In closing, we will pick apart IoCs focused on Pass-the-Hash (PtH), while detailing more efficient detection techniques focused on misused, donated, or otherwise compromised credentials.


Presenters:

  • Matthew Hathaway - Rapid7
    Matt Hathaway is a Senior Product Manager at Rapid7, continuously speaking with security teams and leading the direction for one of the company's new product lines. Prior to joining Rapid7, Matt was a member of the Office of the CTO (OCTO) and product management teams for RSA. He has been working in security and IT for 12 years and has experienced both sides of the fence. He has a BSc in Computer Engineering and an MBA from Northeastern University.
  • Jeff Myers - Rapid7
    Jeff is the Lead Software Engineer on UserInsight by Rapid7, a cloud-based application to monitor user activity and threats across on-premise, cloud and mobile environments. This application collects, processes and analyzes logging information from many security-related applications to correlate and draw conclusions about potential user-based security issues.
