PREVENT BREACH + ASSUME BREACH Typical Attack Timeline & Observations First Host Compromised Domain Admin Compromised Research & Preparation 24-48 Hours Attack Discovered Data Exfiltration (Attacker Undetected) 11-14 months.
PREVENT BREACH + ASSUME BREACH

Typical Attack Timeline & Observations (timeline figure):
First Host Compromised -> Research & Preparation -> Domain Admin Compromised -> Data Exfiltration (Attacker Undetected) -> Attack Discovered
• First host compromised to Domain Admin compromised: 24-48 hours
• First host compromised to attack discovered, with data exfiltration continuing and the attacker undetected: 11-14 months
Modern Attack T
Privilege Escalation with Credential Theft (Typical), 24-48 Hours:
1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)
http://www.microsoft.com/en-us/download/details.aspx?id=34793
http://www.microsoft.com/SIR
www.microsoft.com/PTH
Isolated User Mode (IUM) architecture (diagram): the Hypervisor splits the machine into the High Level OS (HLOS) and an Isolated User Mode (IUM) partition. LSASS runs in the HLOS with NTLM support and Kerberos support, alongside the Device Drivers, but holds only "IUM secrets" (blobs it cannot decrypt). LSAIso runs inside IUM and holds the "clear" NTLM and Kerberos secrets; the HLOS never sees them, at Boot or while Persistent on disk.
Note: MS-CHAPv2 and NTLMv1 are blocked.
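The diagram above describes the design; an operator still needs to confirm that LSAIso is actually isolating secrets on a given host and that the host refuses the legacy protocols the note says are blocked. The following is an added example, not code from the original deck: it checks for the LsaIso process, reads the Device Guard CIM class and the LSA policy values, and warns when either protection is missing. "Credential Guard" is the shipping name for the IUM/LSAIso design; the CIM namespace, registry values and the default level of 3 when LmCompatibilityLevel is absent are documented Windows behaviour, and the warning text is the author's own. Run in an elevated session on Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the original deck): verify that LSAIso is protecting
# secrets on this host and that LM/NTLMv1 are refused. Run elevated.

function Test-IsolatedLsa {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Is the isolated LSA process present? Without virtualization-based
    #    security it never starts.
    $result.LsaIsoRunning = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # 2. Ask the Device Guard CIM class what is really running.
    #    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #    SecurityServicesRunning: 1 = Credential Guard (LSAIso), 2 = HVCI
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ErrorAction SilentlyContinue
    $result.VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)

    # 3. Policy side: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock,
    #    0 or absent = not configured.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $result.LsaCfgFlags = $lsa.LsaCfgFlags

    # 4. LSAIso stops LSASS from answering NTLMv1/MS-CHAPv2, but the host should
    #    also refuse to *send* LM/NTLMv1. LmCompatibilityLevel 5 = send NTLMv2
    #    only, refuse LM and NTLM. When the value is absent the OS default is 3.
    $level = $lsa.LmCompatibilityLevel
    if ($null -eq $level) { $level = 3 }
    $result.LmCompatibilityLevel = $level
    $result.Ntlmv1Refused        = ($level -ge 5)

    [pscustomobject]$result
}

$status = Test-IsolatedLsa
$status | Format-List

if (-not $status.CredentialGuardRunning) {
    Write-Warning 'LSAIso is not protecting secrets: enable VBS and Credential Guard (GPO: Turn On Virtualization Based Security).'
}
if (-not $status.Ntlmv1Refused) {
    Write-Warning 'Set LmCompatibilityLevel to 5 (GPO: Network security: LAN Manager authentication level).'
}
```

A host where LsaIso is running but LmCompatibilityLevel is still 3 is the common half-done state: secrets are isolated, yet the machine will still emit NTLMv1 responses on request to any server that negotiates down.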
Tier model (diagram): Tier 0 (Domain and Forest Administration), Tier 1 (Servers, Apps, and Cloud Services), Tier 2 (User, Workstations, and Devices). Attack paths shown between the tiers:
1. Privilege escalation (lower tier to higher tier)
   • Credential Theft
   • Application Agents
   • Service Accounts
2. Lateral traversal (within a tier)
   • Credential Theft
   • Application Agents
   • Service Accounts
Do these NOW!
www.microsoft.com/pth
http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Integrate People, Process, and Technology (roadmap diagram)

Rows, by tier:
• Domain and Forest Administration: Administrative Forest; Domain and Forest; Domain and DC Hardening; Hardened Hosts and Accounts
• Servers, Apps, and Cloud Services: Production Domain(s); OS, App, & Service Hardening; IT Service Management
• User, Workstations, and Devices: Admin Workstations; Lateral Traversal Mitigations (Admin Process, Technology)

Cross-cutting elements:
• Security Alerting
• Admin Roles & Delegation; Admin Forest Maintenance; PAM Maintenance
• Privileged Account Management (PAM); Protected Users; Auth Policies and Silos; RDP w/Restricted Admin

Columns: Best / Better / Good/Minimum
Best:
• Administrative Forest (for AD admin roles in current releases)
• Isolated User Mode (IUM)
• Microsoft Passport and Windows Hello
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Good/Minimum:
• Separate Admin Desktops and associated IT Admin process changes
• Separate Admin Accounts
• Remove accounts from Tier 0: Service Accounts; Personnel - only DC Maintenance, Delegation, and Forest Maintenance
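The tier diagram names service accounts as an escalation path into Tier 0, and the Good/Minimum row above says to remove them. Finding out who is actually in Tier 0 today is the first step, so the following is an added example (not code from the original deck) that enumerates the built-in Tier 0 groups recursively and flags the accounts the roadmap says should not be there: accounts with a service principal name (service accounts), accounts with non-expiring or year-old passwords, and admin accounts that are not yet in Protected Users. The group list is the Windows default set and is an assumption; add any custom Tier 0 groups. Requires the RSAT ActiveDirectory module and a domain-joined session.

```powershell
# Added example (not from the original deck): list Tier 0 members and flag
# the ones that should be removed or further protected.

Import-Module ActiveDirectory

# Built-in groups that control the domain or its DCs. Assumption: extend for
# any custom groups delegated Tier 0 rights (e.g. DC backup or PKI admins).
$tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators'
)

function Get-Tier0Exposure {
    [CmdletBinding()]
    param([string[]] $Groups = $tier0Groups)

    # SIDs already in Protected Users, so we can flag the ones that are not.
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protected[$_.SID.Value] = $true }

    $seen = @{}
    foreach ($g in $Groups) {
        # Enterprise Admins / Schema Admins exist only in the forest root domain;
        # groups that do not resolve in this domain are skipped, not treated as empty.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            # Report each account once, under the first Tier 0 group it was found in.
            if ($seen.ContainsKey($m.SID.Value)) { continue }
            $seen[$m.SID.Value] = $true

            $u = Get-ADUser -Identity $m.DistinguishedName `
                     -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate

            $findings = @()
            if ($u.ServicePrincipalName.Count -gt 0)            { $findings += 'SERVICE ACCOUNT (has SPN): remove from Tier 0' }
            if ($u.PasswordNeverExpires)                        { $findings += 'password never expires' }
            if ($u.PasswordLastSet -lt (Get-Date).AddDays(-365)) { $findings += 'password older than 1 year' }
            if (-not $protected.ContainsKey($u.SID.Value))      { $findings += 'not in Protected Users' }

            [pscustomobject]@{
                Account    = $u.SamAccountName
                Tier0Group = $g
                Enabled    = $u.Enabled
                LastLogon  = $u.LastLogonDate
                Findings   = ($findings -join '; ')
            }
        }
    }
}

Get-Tier0Exposure | Sort-Object Findings -Descending | Format-Table -AutoSize
```

An account with an SPN in Domain Admins is the textbook case the diagram warns about: its Kerberos service ticket can be requested by any domain user and cracked offline, and the resulting credential is Tier 0. Move the service to a Tier 1 service account with only the rights it needs before worrying about the rest of the list.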
Best:
• Isolated User Mode (IUM)
• Microsoft Passport and Windows Hello
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Good/Minimum:
• Separate Admin Accounts
• Separate Admin Desktops
• Associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or alternate from PTHv1
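Three of the controls in this roadmap (RDP RestrictedAdmin mode, Protected Users, and Auth Policies and Silos) are configured on the directory and host side rather than bought. The following is an added example, not code from the original deck, that wires them together for one separate admin account and one Tier 0 jump host: it enables RestrictedAdmin on the host, adds the account to Protected Users, and creates an authentication policy silo so the account's TGT is only issued from hosts in the silo. The account name, host name, policy name and silo name are placeholders; it assumes a Windows Server 2012 R2 or later domain functional level, DCs with "KDC support for claims, compound authentication and Kerberos armoring" enabled, the Authentication Silo claim type enabled in AD, and the ActiveDirectory module.

```powershell
# Added example (not from the original deck): RestrictedAdmin + Protected Users
# + authentication policy silo for a Tier 0 admin account and jump host.
# All names below are placeholders.

Import-Module ActiveDirectory

$adminAccount = 'adm-jdoe'     # the separate admin account, never the daily-use identity
$jumpHost     = 'T0-JUMP01'    # admin workstation / jump host used for Tier 0 work
$policyName   = 'T0-Admins'
$siloName     = 'Tier0'

# (1) RestrictedAdmin mode on the target host. The RDP session then uses a
#     network logon and the admin's credentials are never sent to the host,
#     so a compromised host cannot harvest them. DisableRestrictedAdmin = 0
#     enables the mode (the value is absent by default).
Invoke-Command -ComputerName $jumpHost -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
                     -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord
}
# Clients must then connect with:  mstsc.exe /RestrictedAdmin /v:T0-JUMP01
# (enforce it with GPO "Restrict delegation of credentials to remote servers").

# (2) Protected Users: no NTLM, no DES/RC4 Kerberos, no delegation, no cached
#     logon, 4-hour TGT. Test on one account first; services that still need
#     NTLM will break for that account.
Add-ADGroupMember -Identity 'Protected Users' -Members $adminAccount

# (3) Authentication policy and silo. The SDDL grants "allowed to authenticate
#     from" only to devices whose AuthenticationSilo claim equals $siloName;
#     the KDC evaluates it when the user's AS-REQ arrives from that device.
$sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

New-ADAuthenticationPolicy -Name $policyName -Description 'Tier 0 administrators' `
    -UserTGTLifetimeMins 240 -UserAllowedToAuthenticateFrom $sddl -Enforce

New-ADAuthenticationPolicySilo -Name $siloName -Description 'Tier 0 silo' `
    -UserAuthenticationPolicy     $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy  $policyName -Enforce

# Both the account and the hosts it may use must be granted access to the silo
# and then assigned to it. An account in the silo can only obtain a TGT from a
# computer that is also in the silo, which is what stops a stolen Tier 0
# password from being used from a Tier 2 workstation.
foreach ($principal in @((Get-ADUser $adminAccount), (Get-ADComputer $jumpHost))) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $principal
    Set-ADAccountAuthenticationPolicySilo  -Identity $principal -AuthenticationPolicySilo $siloName
}
```

Create the policy and silo without -Enforce first: in audit mode the DCs log would-be denials (Kerberos authentication policy events on the KDC) without blocking anyone, which tells you which admins are still logging on from Tier 1 or Tier 2 hosts before the control is switched on.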
1. Implement Mitigations Now!
2. Revamp your culture and support processes
3. Plan to adopt Windows 10 Features
http://www.microsoft.com/PTH
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
https://technet.microsoft.com/en-us/library/security/2871997.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=16776
http://aka.ms/cloudarchitecture
Responsibility by service model (chart)

Columns: SaaS | PaaS | IaaS | On-prem
Rows, top to bottom (layers the tenant owns first, layers the provider owns last):
• Data governance & rights management
• Client endpoints
• Account & access management
• Identity & directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter
Legend: Cloud service provider responsibility (Microsoft); Tenant responsibility (Customer). The provider's share grows from On-prem to IaaS to PaaS to SaaS; the top three rows stay with the customer in every model.
Microsoft Cloud Architecture Sway - http://aka.ms/cloudarchitecture
Microsoft Cloud Security for Enterprise Architects - Visio, pdf
Infrastructure as a Service (diagram): a Single Identity spanning On Premises Infrastructure and the Private Cloud through Federation and Synchronization, with a separate Fabric Identity for the hosting fabric.
Recovery loop shown on the diagram: Remediate and harden -> New known good.