Enhanced Security Administrative Environment. Wally Lee Cybersecurity Architect Cybersecurity Global Practice

Transcription

1

2 Enhanced Security Administrative Environment Wally Lee Cybersecurity Architect Cybersecurity Global Practice

3 INTERNATIONAL HEADLINES Britain targeted by 120,000 cyber attacks every DAY Anonymous intends to block Webcasts of State of the Union CNET 'Cyber-attack' strikes Japan govt again ASIA ONE Defense Secretary Panetta warns next Pearl Harbor could be cyber attack GANT DAILY Washington, DC, United States (4E) Defense Secretary Leon Panetta repeated his warning that the next Pearl Harbor could be a cyber attack after a speech at Georgetown University. Sophisticated cyberattack hits Energy Department, China possible suspect FOX NEWS The Energy Department has been hit by a major cyber-attack, which resulted in the personal information of several hundred employees being compromised and could have been aimed at obtaining. As Attacks Mount, Governments Grapple With Cyber Security Policies AP Cyber attack on Twitter, 250,000 accounts hacked AP

4 Threats, Attacks and Reality IT environments not designed for credential-theft class of attacks IT security resources trying to defend every system equally Reputation impact concerns hamper defender collaboration

5 Change In Approach 从前 现在

6 Business Challenges ATTACKER Emergence of well-resourced and determined adversaries Attack tooling and automation improving drastically Specific targeting of organizations, people, data DEFENDER IT Environments not designed for credential theft class of attacks IT Security resources trying to defend every system equally Reputation impact concerns hamper defender collaboration 6

7 Attack Scenarios 7

8

9 Builds the software much of the info ecosystem runs on Operates one of the world s largest commercial networks and has resources like the Microsoft Security Response Center and the Microsoft Malware Protection Center Operates major online and cloud services Operates a global network of research and response labs Has unparalleled visibility into the threat environment 600 million 20 billion millions 30 million Billions We have a wide range of security services capabilities across Microsoft We are building additional local and regional security capabilities that can be deliver through MCS and Premier. Millions 100 million

10 Tier 0: Domain Controllers Tier 1: Servers and Applications Tier 2: Users and Workstations 1. Attacker targets workstations en masse 2. User running as local admin is compromised, attacker harvests credentials 3. Attacker uses credentials for lateral movement or privilege escalation 4. Attacker acquires domain admin credentials 5. Attacker starts exercising this full control of data and systems in the environment

11 Pass-The-Hash Demo Eason Lai Microsoft Services Technical Account Manager

12 Step 7: Prepare Take control of the forest DC01 Step 6: Pass the Hash Step 5: Obtaining the wave 2 Fishing domain administrator hash Win7 Step Step Step 1: 2: 3: Obtaining Modify Create the a new the stickykey local local administrator administrator feature account hash Step 4: Pass the hash - wave 1 Win7Hack

13 Access Data Workstation Administrator Thinking like an attacker Servers Patient Zero Server Administrator All Local Data User Access User Action Active User Credentials User Access Malware Install Beacon, C&C SAM: NT Hashes All AD Data (Read) All Local Data Domain Admin Server Admin SAM: NT Hashes User s Data & Keystrokes Active User Credentials User Credential Vuln & Exploit User = Admin Domain Admin Access Domain Admin All Credentials (NT Hashes) All AD Data (Full Control) All Data Domain Admin Logon Active User Credentials Domain Controllers All Local Data SAM: NT Hashes SYSTEM or Administrator All Workstation s

14 PtH Whitepaper

15 Assume Breach 15

16 Pass-the-Hash Mitigations

17 Tier 0 Forest admins: Direct or indirect administrative control of the Active Directory forest, domains, or domain controllers Architect a credential theft and reuse defense Establish a containment model for Tier 1 Server admins: Direct or indirect administrative control over a single or multiple servers account privileges Tier 2 Workstation Admins: Direct or indirect administrative control over a single or multiple devices 17

18 Tier 0 Tier 1 Same Tier Logon Higher Tier Logon Lower Tier Logon Tier 2 Blocked

19 Credential Theft Mitigation Strategy 1. Privilege elevation Credential Theft Application Agents Service Accounts 2. Lateral traversal Credential Theft Application Agents Service Accounts

20 Tier 0 Domain Controllers Logon Logon 1. Credential Partitioning 2. Mitigate local account traversal 3. Mitigate domain account traversal 4. Application and Service Risks Tier 1 Servers and Applications Tier 2 Users and Workstations Keep in mind that: A. Applications and service accounts may pose credential theft and re-use risks B. Bad guys can target individual computers and users, but these mitigations make it much harder to: Steal powerful credentials Do anything with stolen credentials

21 Enhanced Security Administrative Environment Production Admin Environment Credential Partitioning Hardened Admin Environment Known Good Media Network security Hardened Workstations Accounts and smartcards Auto-Patching Security Alerting Tamper-resistant audit Offline Administration (enforces governance) Assist with mitigating risks Services and applications Lateral traversal Power: Domain Controllers Data: Servers and Applications Access: Users and Workstations IPsec Domain Admins Management and Monitoring Red Card Admins Break Glass Account(s)

22 ESAE (Enhanced Security Administrator Environment) Mitigation for Pass the Hash style of attacks. Builds a separate mini AD forest which is locked down and used to administer production Active Directory forests. Uses a range of built in technology and features to enable a secure administrator environment. It is the strategic mitigation for customers with compromised AD environments. Mitigate Theft Additional Reco. Technologies PKI & Smartcards IPSec network isolation Bitlocker & Applocker SCM SCOM Limit Usefulness Automated Maintenance Makes secure practices easier and insecure harder

23 Session Evaluation

24