MCS Cybersecurity Team – Who We Are
Microsoft Windows Developers, Red Team Members, IR for major networks, Microsoft Network Security Delivery Consultants, Malware Analysts, Forensic Investigators & Trainers, Intelligence Officers, Law Enforcement Officers, Microsoft Security Support, Corporate Compliance Managers, Internet Security Researchers.

Service Channels / Service Lines: Application Security, Customized Solutions & Training, Infrastructure Security. 10+ years of tailored best practices and specialized intellectual property; unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions.

Global Delivery
Staffed locations: US (Redmond, ACE HQ), Canada, Europe, India, China, Australia.
Functional capacity / specialization: Application Security 30; Infrastructure Security 16; Dedicated PMs 3; TOTAL 49.

Our Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services.

Targeting: Phishing, Pass the Hash, Custom Malware, Application Exploit
Tiers of the network: Power (Domain Controllers); Data (Servers and Applications); Access (Users and Workstations)
1. Bad guy targets workstations en masse.
2. A user running as local admin is compromised; bad guy harvests credentials.
3. Bad guy starts the “credentials crabwalk”.
4. Bad guy finds a host with domain-privileged credentials, steals them, and elevates privileges.
5. Bad guy owns the network and can harvest what he wants.
Know What Matters
• Effective Workstation and Server Defenses
• Protect Key Identities/Roles
• Employ The SDL

“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds” – attributed to Dean Rusk, US Secretary of State, 1961-1969

What the defender values / What the defender protects / What the attacker wants: http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html

Effective Workstation and Server Defenses
• Windows 7: Standard User
• Adobe Flash Player 11: SSL support, random number generator
• Java 6: ends side-by-side versioning
• Office 2010: XML file format, Protected View
• Adobe Acrobat Reader X: applied Microsoft SDL, Protected Mode
• Internet Explorer 9: SmartScreen Filter, Protected Mode
Adobe SPLC: http://blogs.msdn.com/b/sdl/archive/2009/06/17/microsoft-adobe-protecting-our-customers-together.aspx

Protect Active Directory and Key Identities
A Domain Admin logging on to an internet-connected workstation means the security of the entire domain is entrusted to that workstation.
With Production Domain Admin rights, an attacker can leverage easy mechanisms:
• Use the privileged account to create additional accounts: not just privileged accounts, but VIP “mimicking” accounts and accounts with backdoors into other accounts
• Place malware and other binaries on DCs and member servers
• Leverage existing management tools
• Disable SID quarantining and/or selective authentication
• Modify GPOs
• Install backdoors in approved images/packages
Or slightly harder mechanisms:
• sIDHistory manipulation
• Migration APIs
• Debugger attacks
• Disk editors

Mechanisms by which accounts are granted the temporary rights and privileges required to perform build or break-fix functions:
• Powerful proxy accounts – not preferable; can potentially be secured using a subset of the Administrator account recommendations
• Defined roles with assigned rights and permissions – the better approach
• Combinations of both

Powerful proxy accounts are not preferable; alternatives include:
• Temporary membership in privileged groups
• Password vaults
• APIs to replace hard-coded passwords
• Session management tools
• Local and service account management tools

For Day-to-Day Functions:
• Define roles
• Roles may have broad privilege (e.g., reset passwords across broad swaths of accounts) or deep privilege (e.g., can activate privileged accounts), but not both

In Build & Break-Fix Scenarios:
• Temporarily populate privileged groups in some cases (e.g., when fixing a member server, grant support staff temporary local Administrators membership)
• Temporarily use built-in privileged accounts
• Consider broad vs. deep

If role privileges are functional equivalents of built-in privileged groups, use time-bound population of groups rather than creating permanent roles with high privilege.

Security Program
• Comprehensive approach
• Security Architect led & Program Manager supported
• Infrastructure Security
• Application Security

http://northamerica.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
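The point above that a Domain Admin logon to an ordinary workstation entrusts the whole domain to that workstation is something a defender can watch for in the Security event log. The script below is an added example, not material from the talk or from Microsoft: it scans records shaped like Windows event 4624 (successful logon), using that event's real field names (Computer, TargetUserName, TargetDomainName, LogonType, IpAddress), and flags interactive-style logons by privileged accounts to any host that is not a domain controller or a dedicated admin workstation. The account names, host names and event records are constructed for the example; the sets of privileged accounts and approved hosts are assumptions an organisation would fill from its own directory.

```python
"""Detect privileged-account logons to hosts outside the approved admin set.

Added example (not from the TechEd talk or Microsoft). All account names,
host names and event records below are constructed samples.
"""
from dataclasses import dataclass

# Constructed: accounts that hold Domain Admin (or equivalent) rights.
PRIVILEGED_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}

# Constructed: the only hosts those accounts may log on to interactively
# (domain controllers and dedicated admin workstations).
APPROVED_ADMIN_HOSTS = {"DC01", "DC02", "ADMIN-PAW01"}

# Logon types that leave reusable credential material (password hash,
# Kerberos tickets) in memory on the target host: Interactive (2),
# Unlock (7), RemoteInteractive (10), CachedInteractive (11).
# Network logons (3) are excluded: they do not leave the caller's
# credentials on the server being accessed.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 7, 10, 11}

# Constructed sample records keyed with the field names event 4624 uses.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2011-11-08T09:12:01Z", "Computer": "WKS-0042.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2011-11-08T09:20:44Z", "Computer": "ADMIN-PAW01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 10, "IpAddress": "10.1.5.7"},
    {"EventID": 4624, "TimeCreated": "2011-11-08T09:31:09Z", "Computer": "FILE01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "da-bob", "LogonType": 3, "IpAddress": "10.1.5.7"},
    {"EventID": 4624, "TimeCreated": "2011-11-08T09:45:30Z", "Computer": "WKS-0042.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "jsmith", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2011-11-08T10:02:15Z", "Computer": "FILE01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "DA-BOB", "LogonType": 10, "IpAddress": "10.1.9.23"},
    {"EventID": 4625, "TimeCreated": "2011-11-08T10:05:00Z", "Computer": "WKS-0099.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "da-bob", "LogonType": 2, "IpAddress": "-"},
]


@dataclass(frozen=True)
class Finding:
    time: str
    account: str
    host: str
    logon_type: int
    source_ip: str


def _short_host(fqdn: str) -> str:
    """Normalise 'WKS-0042.corp.example' to 'WKS-0042' for comparison."""
    return fqdn.split(".")[0].upper()


def find_privileged_logons(events, privileged=PRIVILEGED_ACCOUNTS,
                           approved_hosts=APPROVED_ADMIN_HOSTS):
    """Return one Finding per privileged interactive logon to a non-approved host."""
    privileged_lower = {p.lower() for p in privileged}
    approved_upper = {h.upper() for h in approved_hosts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # only successful logons expose credentials on the host
        account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        if account.lower() not in privileged_lower:
            continue
        if ev["LogonType"] not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        host = _short_host(ev["Computer"])
        if host in approved_upper:
            continue
        findings.append(Finding(ev["TimeCreated"], account, host,
                                ev["LogonType"], ev["IpAddress"]))
    return findings


def exposed_hosts(findings):
    """Map each non-approved host to the privileged accounts whose credentials it now holds."""
    exposure = {}
    for f in findings:
        exposure.setdefault(f.host, set()).add(f.account)
    return exposure


if __name__ == "__main__":
    hits = find_privileged_logons(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.time} {f.account} logon type {f.logon_type} on {f.host} from {f.source_ip}")
    for host, accounts in exposed_hosts(hits).items():
        print(f"{host} now holds credentials for: {', '.join(sorted(accounts))}")
```

On the sample data the two hits are the Domain Admin console logon to WKS-0042 and the RDP logon to FILE01; the logon to ADMIN-PAW01 and the network (type 3) access to FILE01 are left alone. The hosts listed by exposed_hosts are exactly the machines where step 4 of the attack chain above ("bad guy finds a host with domain-privileged credentials") would succeed, which makes the output a direct measure of how far the domain's security has been entrusted to non-tier-0 hosts.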