PREVENT BREACH + ASSUME BREACH

Typical Attack Timeline & Observations
• First Host Compromised
• Research & Preparation: 24-48 Hours
• Domain Admin Compromised
• Data Exfiltration (Attacker Undetected): 11-14 months
• Attack Discovered

Modern Attack T
Privilege Escalation with Credential Theft (Typical): 24-48 Hours
1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)

References:
http://www.microsoft.com/en-us/download/details.aspx?id=34793
http://www.microsoft.com/SIR
www.microsoft.com/PTH

Isolated User Mode (IUM) and LSAIso
• Hypervisor (persistent from Boot)
• High Level OS (HLOS): LSASS, with NTLM support, Kerberos support, and "Clear" secrets; Device Drivers
• Isolated User Mode (IUM): LSAIso, holding IUM secrets
• Note: MS-CHAPv2 and NTLMv1 are blocked

Tiered Administration Model
• Tier 0
• Tier 1
• Tier 2
Attack paths between tiers:
1. Privilege escalation
   • Credential Theft
   • Application Agents
   • Service Accounts
2. Lateral traversal
   • Credential Theft
   • Application Agents
   • Service Accounts

Do these NOW!
www.microsoft.com/pth
http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx

Integrate People, Process, and Technology
• Administrative Forest
• Domain and Forest Administration
• Production Domain(s)
• Security Alerting
• Domain and Forest Hardened Hosts and Accounts
• Domain and DC Hardening
• OS, App, & Service Hardening
• Servers, Apps, and Cloud Services
• IT Service Management
• Admin Roles & Delegation
• Admin Forest Maintenance
• PAM Maintenance
• Lateral Traversal Mitigations (Admin Process, Technology)
• User, Workstations, and Devices
• Admin Workstations
• Privileged Account Management (PAM)
• Protected Users
• Auth Policies and Silos
• RDP w/Restricted Admin

Mitigation roadmap (first slide)
Best:
• Administrative Forest (for AD admin roles in current releases)
• Isolated User Mode (IUM)
• Microsoft Passport and Windows Hello
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Good/Minimum:
• Separate Admin Desktops, and associated IT Admin process changes
• Separate Admin Accounts
• Remove accounts from Tier 0
   • Service Accounts
   • Personnel - Only DC Maintenance, Delegation, and Forest Maintenance

Mitigation roadmap (second and third slides; identical content)
Best:
• Isolated User Mode (IUM)
• Microsoft Passport and Windows Hello
Better:
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Good/Minimum:
• Separate Admin Accounts
• Separate Admin Desktops
• Associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS)
• Or alternate from PTHv1

Summary
1. Implement Mitigations Now! (A, B, C)
2. Revamp your culture and support processes
3. Plan to adopt Windows 10 Features

References:
http://www.microsoft.com/PTH
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
https://technet.microsoft.com/en-us/library/security/2871997.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=16776
http://aka.ms/cloudarchitecture
Microsoft Cloud Architecture Sway - http://aka.ms/cloudarchitecture
Microsoft Cloud Security for Enterprise Architects - Visio, pdf

Cloud shared responsibility (Microsoft = cloud service provider responsibility; Customer = tenant responsibility)
Deployment models: SaaS, PaaS, IaaS, On-prem
Responsibility layers:
• Data governance & rights management
• Client endpoints
• Account & access management
• Identity & directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter

Hybrid Identity
• Infrastructure as a Service
• Single Identity
• Federation and Synchronization
• On Premises Infrastructure
• Private Cloud Fabric
• Identity

Recovery
• Remediate and harden
• New known good