Lesson: If your conference equipment is networked and has the ability to record voice or video, make sure you disable them before conducting meetings.
APT war story No. 2: Not all APTs are as advanced as experts think
This is the story of an APT team that had taken total control of a company's network. They were actively creating connections all around the network, day or night, by the time I got called in. They were beyond caring whether they had been discovered.
APTs are almost certain to dump all password hashes and use pass the hash (PtH) tools to take over the rest of an organization's network. In this instance, the customer decided it was time to disable those weak LAN Manager (LM) password hashes that Microsoft had been recommending to disable for at least 10 years, and trying to disable by default at least since 2008. This particular APT was using the captured LM password hashes to do the dirty work.
I told the customer the proposal would not work because, by default, at least two types of Windows password hashes exist in Microsoft authentication databases: LM and NT hashes. The attackers had downloaded both types, and the PtH tool they were working with could use either. I even showed the client how the attacker's tool had the syntax built in to switch between LM and NT hashes, a very common feature of PtH attack tools. Worse, even if you disable the storing of LM hashes, they are still created in memory when someone logs on. It sounds crazy, but that's how Windows works.
The customer would not be dissuaded. Despite my protestations of wasted effort, it disabled the LM hashes and reset the passwords. Now the local and Active Directory databases contained no usable LM password hashes. You know how well that worked?
Well, it worked — because the APT team never used another password hash to perform its attack. Truth be told, they just moved on to other methods (see below), but the PtH attacks stopped. It turned out that the APT team didn't even know its own tools. You could imagine the discussion they must have had internally when all the LM hashes disappeared, including shrugged shoulders and a brainstorm of new strategies.
Lesson: "Advanced" may be included in the name of APT, but not all APT attackers are all that advanced. Plus, sometimes the expert is wrong. I wasn't wrong technically, but that didn't prevent the outcome the client was looking for to be the same. It humbled me.
APT war story No. 3: The medicine may be the poison
As a full-time Microsoft security consultant, I'm frequently asked to work on APT engagements led by other companies; I'm a resource, not the project leader. There's one security consulting company I've worked with enough to know many of its staff members and consultants informally, if not personally. We understand what our roles are — depending on who gets there first, makes friends with the CIO, and assumes leadership. Our partnerships have always been friendly, though competitive. After all, it's better to be a leader than a follower.