Enhanced Security Administrative Environment. Wally Lee Cybersecurity Architect Cybersecurity Global Practice



INTERNATIONAL HEADLINES
- Britain targeted by 120,000 cyber attacks every DAY
- Anonymous intends to block Webcasts of State of the Union (CNET)
- 'Cyber-attack' strikes Japan govt again (ASIA ONE)
- Defense Secretary Panetta warns next Pearl Harbor could be cyber attack (GANT DAILY): Washington, DC, United States (4E) Defense Secretary Leon Panetta repeated his warning that the next Pearl Harbor could be a cyber attack after a speech at Georgetown University.
- Sophisticated cyberattack hits Energy Department, China possible suspect (FOX NEWS): The Energy Department has been hit by a major cyber-attack, which resulted in the personal information of several hundred employees being compromised and could have been aimed at obtaining
- As Attacks Mount, Governments Grapple With Cyber Security Policies (AP)
- Cyber attack on Twitter, 250,000 accounts hacked (AP)

Threats, Attacks and Reality
- IT environments not designed for the credential-theft class of attacks
- IT security resources trying to defend every system equally
- Reputation impact concerns hamper defender collaboration

Change In Approach: Before / Now

Business Challenges
ATTACKER
- Emergence of well-resourced and determined adversaries
- Attack tooling and automation improving drastically
- Specific targeting of organizations, people, data
DEFENDER
- IT environments not designed for the credential-theft class of attacks
- IT security resources trying to defend every system equally
- Reputation impact concerns hamper defender collaboration

Attack Scenarios

Microsoft's security footprint:
- Builds the software much of the information ecosystem runs on
- Operates one of the world's largest commercial networks and has resources like the Microsoft Security Response Center and the Microsoft Malware Protection Center
- Operates major online and cloud services
- Operates a global network of research and response labs
- Has unparalleled visibility into the threat environment
(Scale figures shown on the slide, labels not recovered: 600 million, 20 billion, millions, 30 million, billions, 100 million.)
We have a wide range of security services capabilities across Microsoft. We are building additional local and regional security capabilities that can be delivered through MCS and Premier.

Tier 0: Domain Controllers
Tier 1: Servers and Applications
Tier 2: Users and Workstations
1. Attacker targets workstations en masse
2. User running as local admin is compromised, attacker harvests credentials
3. Attacker uses credentials for lateral movement or privilege escalation
4. Attacker acquires domain admin credentials
5. Attacker starts exercising this full control of data and systems in the environment

Pass-The-Hash Demo Eason Lai Microsoft Services Technical Account Manager

Demo steps (Win7Hack -> Win7 -> DC01):
Step 1: Obtaining the local administrator hash
Step 2: Modify the sticky keys feature
Step 3: Create a new local administrator account
Step 4: Pass the hash - wave 1 (Win7Hack)
Step 5: Obtaining the domain administrator hash - wave 2, phishing (Win7)
Step 6: Pass the hash
Step 7: Prepare: take control of the forest (DC01)

Thinking like an attacker (diagram): the path runs from Patient Zero on a workstation, through a server administrator, to domain admin; each stage lists the access and data the attacker gains.
- Workstation (Patient Zero): user action, vulnerability and exploit, malware install, beacon and C&C; gains all local data, the user's data and keystrokes, active user credentials, SAM: NT hashes; where User = Admin, SYSTEM or Administrator on all workstations.
- Servers (Server Administrator): all local data, SAM: NT hashes, active user credentials, all AD data (read), server admin.
- Domain Controllers (Domain Admin logon): all credentials (NT hashes), all AD data (full control), all data, domain admin access.

PtH Whitepaper

Assume Breach

Pass-the-Hash Mitigations

Tier 0 Forest admins: Direct or indirect administrative control of the Active Directory forest, domains, or domain controllers
Tier 1 Server admins: Direct or indirect administrative control over a single or multiple servers
Tier 2 Workstation admins: Direct or indirect administrative control over a single or multiple devices
Goals: Architect a credential theft and reuse defense; Establish a containment model for account privileges

Tier logon model (Tier 0, Tier 1, Tier 2):
- Same Tier Logon
- Higher Tier Logon
- Lower Tier Logon: Blocked

Credential Theft Mitigation Strategy
1. Privilege elevation: Credential Theft; Application Agents; Service Accounts
2. Lateral traversal: Credential Theft; Application Agents; Service Accounts

Mitigations across the tiers (Tier 0 Domain Controllers, Tier 1 Servers and Applications, Tier 2 Users and Workstations):
1. Credential Partitioning
2. Mitigate local account traversal
3. Mitigate domain account traversal
4. Application and Service Risks
Keep in mind that:
A. Applications and service accounts may pose credential theft and re-use risks
B. Bad guys can target individual computers and users, but these mitigations make it much harder to: steal powerful credentials; do anything with stolen credentials
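As an added example (not code from the slides or from Microsoft), the logon rule of the tier model applied to constructed logon records: a same-tier logon is allowed, and a privileged account logging on to a lower-tier host is flagged as blocked, since that exposes the credential to theft on the less trusted machine. The account-name prefixes, the host inventory, the log line format and the treatment of higher-tier logons (reported but given no verdict) are assumptions made for the example.

```python
"""Tier-model logon check over constructed logon records.

Flags privileged accounts logging on to lower-tier hosts, the "Lower Tier
Logon: Blocked" rule of the tier model. Naming conventions, host inventory
and log lines below are constructed assumptions, not from the slides.
"""
import re

# Tier numbering follows the slides: 0 = domain controllers, 1 = servers and
# applications, 2 = users and workstations. A lower number is more privileged.
TIER_NAMES = {0: "Domain Controllers", 1: "Servers and Applications",
              2: "Users and Workstations"}

# Assumption: the tier of an admin account is encoded in a name prefix; any
# other account is an ordinary (Tier 2) user.
ACCOUNT_TIER_PREFIX = {"t0-": 0, "t1-": 1, "t2-": 2}

# Assumption: a constructed asset inventory mapping host names to tiers.
HOST_TIERS = {"DC01": 0, "DC02": 0, "SQL01": 1, "WEB01": 1,
              "WS-ALICE": 2, "WS-BOB": 2}


def account_tier(account):
    """Tier of an account such as 'CORP\\t0-wlee' (domain part is stripped)."""
    name = account.rsplit("\\", 1)[-1].lower()
    for prefix, tier in ACCOUNT_TIER_PREFIX.items():
        if name.startswith(prefix):
            return tier
    return 2


def host_tier(host):
    """Tier of a host; an unknown host is treated as least trusted (Tier 2)."""
    return HOST_TIERS.get(host.upper(), 2)


def classify_logon(account, host):
    """'same_tier' is allowed. 'lower_tier' means a more privileged account on
    a less trusted host and is blocked: the credential would be exposed there.
    'higher_tier' is reported separately (assumption: no verdict stated)."""
    a, h = account_tier(account), host_tier(host)
    if a == h:
        return "same_tier"
    if h > a:
        return "lower_tier"
    return "higher_tier"


# Constructed, simplified logon records (not real Windows event text).
SAMPLE_LOG = """\
2015-10-14 09:01:12 EventID=4624 Account=CORP\\t0-wlee Host=DC01
2015-10-14 09:03:40 EventID=4624 Account=CORP\\t0-wlee Host=WS-ALICE
2015-10-14 09:05:02 EventID=4624 Account=CORP\\t1-sqladm Host=SQL01
2015-10-14 09:07:55 EventID=4624 Account=CORP\\t1-sqladm Host=WS-BOB
2015-10-14 09:10:31 EventID=4624 Account=CORP\\alice Host=WS-ALICE
2015-10-14 09:12:08 EventID=4624 Account=CORP\\bob Host=WEB01
2015-10-14 09:12:09 EventID=4634 Account=CORP\\bob Host=WEB01
"""

LINE_RE = re.compile(r"EventID=(\d+) Account=(\S+) Host=(\S+)")


def audit_log(text):
    """Return [(account, host, verdict)] for each successful logon (4624)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "4624":
            continue  # skip non-logon events and unparseable lines
        account, host = m.group(2), m.group(3)
        results.append((account, host, classify_logon(account, host)))
    return results


def violations(text):
    """Only the blocked case: privileged credentials exposed on a lower tier."""
    return [r for r in audit_log(text) if r[2] == "lower_tier"]


if __name__ == "__main__":
    for account, host, verdict in audit_log(SAMPLE_LOG):
        flag = "BLOCKED" if verdict == "lower_tier" else "ok"
        print(f"{flag:7} {account:16} -> {host:9} "
              f"({TIER_NAMES[host_tier(host)]}): {verdict}")
```

Run against the constructed log, the two Tier 0 and Tier 1 admin logons to workstations are the only records flagged; the ordinary user reaching a Tier 1 server is reported as a higher-tier logon for whatever access control applies there.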

Enhanced Security Administrative Environment
Production Admin Environment / Hardened Admin Environment:
- Credential Partitioning
- Known Good Media
- Network security (IPsec)
- Hardened Workstations
- Accounts and smartcards
- Auto-Patching
- Security Alerting
- Tamper-resistant audit
- Offline Administration (enforces governance)
- Management and Monitoring
- Assist with mitigating risks: services and applications; lateral traversal
Tiers: Power: Domain Controllers; Data: Servers and Applications; Access: Users and Workstations
Accounts: Domain Admins; Red Card Admins; Break Glass Account(s)

ESAE (Enhanced Security Administrative Environment): Mitigation for Pass-the-Hash style attacks. Builds a separate mini AD forest which is locked down and used to administer production Active Directory forests. Uses a range of built-in technology and features to enable a secure administrator environment. It is the strategic mitigation for customers with compromised AD environments.
- Mitigate theft
- Limit usefulness
- Automated maintenance: makes secure practices easier and insecure ones harder
Additional recommended technologies: PKI & smartcards; IPsec network isolation; BitLocker & AppLocker; SCM; SCOM

Session Evaluation http://aka.ms/svc233