1 Apply Mitigations 1-3
2 Upgrade hosts and domain
3 Build full defenses (IPDRR)
• Credential theft attacks
• Review previous mitigations
• Strategies: Identify, Protect, Detect, Respond, Recover
• New features and platform updates
• Scenarios

Credential theft attacks [1]

Get Credentials
• Social engineering and phishing schemes are used to trick personnel and obtain credentials.
• Most organizations do not recognize when attackers are already within the network and have access to information such as email, confidential documents and other intellectual property.

Get Data
• The attack does not stop there. Attackers look for the next set of credentials, with elevated permissions, to access servers.
• Once elevated credentials are obtained and servers are compromised, organizations risk losing revenue, brand reputation and business continuity.

Get Control
• The ultimate goal of the attacker may be to gain access to the domain controllers, the central clearing hub for all credentials and identities.
• Once a domain controller is compromised, an attacker has complete control over the entire organization. All assets, intellectual property, physical property and personal information are in jeopardy.

1. http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the-numbers

Mitigation 1 - Restrict and protect high privileged domain accounts
Objective: This mitigation reduces the risk that administrators inadvertently expose privileged credentials to higher-risk computers.
How:
• Restrict DA/EA accounts from authenticating to lower-trust computers
• Provide admins with separate accounts to perform administrative duties
• Assign dedicated workstations for administrative tasks
• Mark privileged accounts as "sensitive and cannot be delegated"
• Do not configure services or scheduled tasks to use privileged domain accounts on lower-trust computers
Outcome: An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
Update to this mitigation: addition of authentication policies.

Mitigation 2 - Restrict and protect local accounts with administrative privileges
Objective: This mitigation restricts the ability of attackers to use local administrator accounts, or their equivalents, for lateral movement with PtH attacks.
How:
• Enforce the restrictions available in Windows Vista and later versions that prevent local accounts from being used for remote administration.
• Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
• Create unique passwords for local accounts with administrative privileges.
Outcome: An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.
Update to this mitigation: built-in SIDs for local accounts and local administrators.

Mitigation 3 - Restrict inbound traffic using the Windows Firewall
Objective: This mitigation restricts the ability of attackers to initiate lateral movement from a compromised workstation, by blocking inbound connections.
How:
• Restrict all inbound connections to all workstations, except for expected traffic originating from trusted sources such as helpdesk workstations, security compliance scanners and servers.
Outcome: An attacker who successfully obtains any type of account credentials will not be able to connect to other workstations.
Update to this mitigation: no technical changes.

Strategy: Identify
1. Current environment
2. Identify high-value assets
3. Consider attacker mindset
4. Baseline normal behavior
5. Against known and unknown threats
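The three mitigations above are configuration changes, so the following PowerShell shows them applied together on one lower-tier host. This is an added example written for this page, not code from the TechEd session or from the Microsoft PtH guidance. It assumes an elevated session in the forest root domain with the RSAT ActiveDirectory module, that the host it runs on is a member server or workstation (never a domain controller, because the logon denials would lock domain admins out of it), and that the trusted-source addresses are placeholders to replace with your helpdesk subnet and scanner.

```powershell
# Added example: applies PtH Mitigations 1-3 to the local (lower-tier) host.
# Assumptions: elevated PowerShell, forest root domain, RSAT ActiveDirectory module,
# host is NOT a domain controller. Addresses in $trustedSources are illustrative.
Import-Module ActiveDirectory

# --- Mitigation 1: mark privileged accounts "sensitive and cannot be delegated" ---
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -AccountNotDelegated $true }
}

# --- Mitigations 1 and 2: deny logon rights on this host by SID ---
# Well-known SIDs (Windows 8.1 / Server 2012 R2, backported to Windows 7/8 by KB 2871997):
#   S-1-5-113  NT AUTHORITY\Local account
#   S-1-5-114  NT AUTHORITY\Local account and member of Administrators group
# Denying by SID works regardless of what the local accounts are named.
# Denying batch/service logon for DA/EA enforces "no services or scheduled tasks
# running as privileged domain accounts on lower-trust computers".
$daSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value
$eaSid = (Get-ADGroup -Identity 'Enterprise Admins').SID.Value

# Single-quoted here-string so "$CHICAGO$" is not expanded; DA/EA placeholders are filled below.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,*DA,*EA
SeDenyRemoteInteractiveLogonRight = *S-1-5-114,*DA,*EA
SeDenyInteractiveLogonRight = *DA,*EA
SeDenyBatchLogonRight = *DA,*EA
SeDenyServiceLogonRight = *DA,*EA
'@
$inf = $inf -replace '\*DA', "*$daSid" -replace '\*EA', "*$eaSid"

$infPath = Join-Path $env:TEMP 'pth-deny-logon.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit.exe /configure /db "$env:TEMP\pth-deny-logon.sdb" /cfg $infPath /areas USER_RIGHTS /quiet

# Read the effective policy back: $true when $Sid appears in the deny list for $Right.
function Test-DenyRight {
    param([string]$Right, [string]$Sid)
    $export = Join-Path $env:TEMP 'pth-rights-export.inf'
    secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $export -Encoding Unicode | Where-Object { $_ -like "$Right*" }
    if (-not $line) { return $false }
    $entries = ($line -split '[=,]') | ForEach-Object { $_.Trim() }
    return [bool]($entries -contains "*$Sid")
}
foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    "$right denies local admins: $(Test-DenyRight $right 'S-1-5-114'); denies DA: $(Test-DenyRight $right $daSid)"
}

# --- Mitigation 3: block inbound by default, allow only trusted management sources ---
$trustedSources = '10.10.10.0/24', '10.10.20.5'   # placeholders: helpdesk subnet, compliance scanner
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Inbound from trusted management sources' `
    -Direction Inbound -Action Allow -RemoteAddress $trustedSources -Profile Any | Out-Null

# Audit: every other enabled inbound allow rule is a hole in this mitigation; review and disable.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -ne 'Inbound from trusted management sources' } |
    Select-Object DisplayName, Profile, Group
```

In production these settings belong in Group Policy scoped to the Tier 1 and Tier 2 OUs rather than in a script run per host; the script is useful for verifying what a GPO actually produced, because `secedit /export` shows the resulting user-rights assignments by SID. Apply the deny rights to a pilot OU first: a service or scheduled task that still runs as a Domain Admin on a member server will stop at the next start, which is exactly the exposure Mitigation 1 is meant to surface.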
Strategy: Protect
Where credentials exist: authoritative store, external storage, sign-on, use/cache on client, in transit on network.
• Architect a complete credential theft defense
• Consider usability a security feature
• Create hardened and restricted administrative hosts
• Develop a containment strategy

Tier model (Production Forest)
• Tier 0: Forest/Domain Admins and Groups, Domain Controllers, Admin Workstations
• Tier 1: Server Admins and Groups, Resources, Admin Workstations
• Tier 2: Workstation Admins, Workstations, Admin Workstations
Logon rules:
• Tier logon: within the same tier
• Higher-tier logon: all logons blocked
• Lower-tier logon: only as required by role

Strategy: Detect
• PtH and related attacks
• Focus on high-value assets
• Monitor Event IDs of interest
• Collect and correlate events

Strategy: Respond
• To suspicious activity
• Regularly update protection and detection mechanisms
• Closely observe affected hosts
• Ensure attack vectors are properly addressed
• Follow up on lessons learned

Strategy: Recover
Account compromise - regain control over accounts
• Change compromised account passwords, or
• Disable the account and remove its group memberships
Considerations:
• Only effective against future authentication
• Offline attackers can still use cached logon password verifiers
• The attacker may be able to re-obtain the password
• The attacker may persist using malware in the user's context

Domain compromise
Tactical recovery: a short-term operation designed to disrupt a known adversary operation
• Useful intelligence on the adversary presence
• Stealth operation that the adversary is unaware of
• Properly scoped defender operation
Strategic recovery: a long-term plan that consists of multiple operations focused on recovering integrity at a high assurance level
• Risk of migration
• Risk of coexistence
• Planned end state
Consider professional incident response services.

New features and platform updates

Core platform changes (automatically on)
• Remove LAN Manager (LM) hashes and plaintext credentials from LSASS: LAN Manager legacy hashes and (reversibly encrypted) plaintext passwords are no longer stored in LSASS.
• Enforce credential removal after logoff: new mechanisms have been implemented to eliminate session leaks in LSASS, thereby preventing credentials from remaining in memory.
• Logon restrictions with new well-known security identifiers (SIDs): use the new SIDs to block network logon for local users and groups by account type, regardless of what the local accounts are named.
Availability is shown per platform: Windows 7 / Windows Server 2008 R2; Windows 8 / Windows Server 2012; Windows 8.1 / Windows Server 2012 R2; and whether a domain upgrade to the Windows Server 2012 R2 domain functional level is required.

Configurable features
• Restricted Admin mode for Remote Desktop Connection: the Remote Desktop application and service have been updated to support authentication without providing credentials to the remote host.
• Protected Users security group: the new Protected Users security group enables administrators to restrict authentication to the Kerberos protocol only for group members within a domain.
• Authentication Policy and Authentication Policy Silos: new authentication policies provide the ability to restrict account authentication to specific hosts and resources.
Availability is shown per platform as above (Windows 7 / Windows Server 2008 R2; Windows 8 / Windows Server 2012; Windows 8.1 / Windows Server 2012 R2; requires domain upgrade to the Windows Server 2012 R2 domain functional level).
Legend: ~ only if installed; * off by default; ** off by default on Windows 8.1 and Windows Server 2012 R2.
Adapted from: Benjamin Delpy, "LSASS security improvements #windows8.1", https://twitter.com/gentilkiwi/status/352557093640892416/photo/1

Scenarios: Helpdesk; Domain administration; Operations and service management; Service accounts; Business group isolation; Bring your own device (BYOD)

Scenario: Helpdesk - Recommendations
• Separate administrative accounts from user accounts
• Use hardened and restricted hosts
• Limit exposure of administrative credentials
• RDP /RestrictedAdmin
• Tools that only use network logon (Type 3)
• Add accounts to the Protected Users security group (if Kerberos only is feasible)
• Create authentication policies and silos (if Protected Users is feasible)

Scenario: Domain administration - Recommendations
• Reduce privileges and privilege use
• Only use DA/EA for DC maintenance and delegation
• Separate administrative accounts from user accounts
• Use hardened and restricted hosts
• Strengthen authentication assurance
• Implement security monitoring
• Add accounts to the Protected Users security group (if Kerberos only is feasible)
• Create authentication policies and silos (if Protected Users is feasible)

Scenario: Service accounts - Recommendations
• Grant the least privilege
• Never add to Domain Admins or Enterprise Admins
• Use managed service accounts
• Change passwords regularly
• Strengthen authentication assurance
• Monitor service account activity
• Contain credential exposure

Scenario: Operations and service management / Business group isolation - Considerations
• Define use cases
• Use hardened and restricted hosts
• Restrict account logons
• Consider blocking Internet access
• Do not share accounts or passwords
• Ensure unique local administrative passwords on workstations and servers

Scenario: Bring your own device (BYOD) - Considerations
• Define use cases and policies
• Ensure risks are understood and accepted
• Do not use BYOD devices for administration
• Ensure that high business impact (HBI) data is not stored on these devices
• No shared passwords for corporate and personal accounts
• No use of privileged service accounts on BYOD devices
• Deploy available security policies
• Isolate network access
• Create response/recovery strategies

Call to action
1 Implement strategies
2 Apply scenario guidance
3 Identify and implement quick wins

Resources
http://www.microsoft.com/PtH
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
https://technet.microsoft.com/en-us/library/security/2871997.aspx
http://technet.microsoft.com/library/dn765472.aspx
http://technet.microsoft.com/en-us/library/hh546785.aspx
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com
http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
http://azure.microsoft.com/en-us/
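The Helpdesk and Domain administration recommendations above (Protected Users, authentication policies and silos, RDP /RestrictedAdmin) map onto a handful of Active Directory cmdlets. The following is an added worked example for this page, not code from the session or from Microsoft's guidance. It assumes a Windows Server 2012 R2 domain functional level, domain controllers with "KDC support for claims, compound authentication and Kerberos armoring" enabled by Group Policy, an RSAT session with the ActiveDirectory module, and illustrative names (adm-alice, PAW01, DC01, Tier0-Silo) that stand in for a Tier 0 admin account, its admin workstation, a domain controller and the silo.

```powershell
# Added example: Protected Users + an authentication policy silo for Tier 0,
# plus Restricted Admin RDP on the admin workstation.
# Assumptions: 2012 R2 DFL, claims/armoring enabled on DCs, RSAT ActiveDirectory module.
# adm-alice, PAW01, DC01 and Tier0-Silo are placeholder names.
Import-Module ActiveDirectory

$tier0Users     = 'adm-alice'        # dedicated Tier 0 admin account (placeholder)
$tier0Computers = 'PAW01', 'DC01'    # admin workstation and domain controller (placeholders)
$siloName       = 'Tier0-Silo'

# 1. Protected Users: Kerberos only (no NTLM, no DES/RC4, no delegation, 4-hour TGT).
#    User accounts only; never add computer or service accounts. Any NTLM-only
#    dependency these accounts still have will break, so pilot one account first.
Add-ADGroupMember -Identity 'Protected Users' -Members $tier0Users

# 2. Authentication policies. The user policy's SDDL condition only lets a TGT be
#    issued when the requesting device carries the same silo claim, so the account
#    cannot authenticate from an ordinary workstation even with a valid password.
$fromSilo = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'

New-ADAuthenticationPolicy -Name 'Tier0-UserPolicy' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSilo `
    -Enforce

New-ADAuthenticationPolicy -Name 'Tier0-ComputerPolicy' `
    -ComputerTGTLifetimeMins 240 `
    -Enforce

# 3. Silo binding the policies, then membership for both users and computers.
#    Grant-...SiloAccess allows the principal into the silo; Set-AD* actually assigns it.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy 'Tier0-UserPolicy' `
    -ComputerAuthenticationPolicy 'Tier0-ComputerPolicy' `
    -Enforce

foreach ($u in $tier0Users) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account (Get-ADUser -Identity $u)
    Set-ADUser -Identity $u -AuthenticationPolicySilo $siloName
}
foreach ($c in $tier0Computers) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account (Get-ADComputer -Identity $c)
    Set-ADComputer -Identity $c -AuthenticationPolicySilo $siloName
}

# 4. Restricted Admin mode on the admin workstation so RDP sessions into it do not
#    place the admin's credentials on the host. Client side: mstsc.exe /RestrictedAdmin
#    Caveat: a host that accepts Restricted Admin connections also accepts a network
#    logon with a stolen hash, which is why it is paired with the silo above.
Invoke-Command -ComputerName 'PAW01' -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
        -Name DisableRestrictedAdmin -Value 0 -Type DWord
}

# 5. Verify the assignments took effect.
foreach ($u in $tier0Users) {
    $acct = Get-ADUser -Identity $u -Properties AuthenticationPolicySilo, MemberOf
    [pscustomobject]@{
        Account        = $u
        Silo           = $acct.AuthenticationPolicySilo
        ProtectedUser  = [bool]($acct.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
    }
}
```

Deploy the policy and silo without -Enforce first; in that audit mode the domain controllers log what would have been rejected instead of refusing the logon, which is the safe way to discover a Tier 0 account still being used from a Tier 1 or Tier 2 host before the restriction bites.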