Cyber Security Defenses: What Works Today
Laura Robinson / Mark Simos / Roger Grimes
Principal Security Architect / Senior Consultant / Principal Security Architect
Microsoft Corporation
SIA200
MCS Cybersecurity Team – Who We Are
• Microsoft Windows Developers
• Red Team Members
• IR for major networks
• Microsoft Network Security
• Delivery Consultants
• Malware Analysts
• Forensic Investigators & Trainers
• Intelligence Officers
• Law Enforcement Officers
• Microsoft Security Support
• Corporate Compliance Managers
• Internet Security Researchers
Lifecycle: Protect, Detect, Respond, Recover
MSIT’s ISRM ACE Team – Who We Are
Service Lines
• Application Security
• Infrastructure Security
• Customized Solutions & Training
10+ Years of Tailored Best Practices and Specialized Intellectual Property
Unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions
Service Channels
• Microsoft Internal: MSIT, MSN, Microsoft.com, Product Groups
• Microsoft External: MCS, Premier, Acquisitions, Global and Strategic Partners
Functional Capacity (Specialization Totals)
• Application Security: 30
• Infrastructure Security: 16
• Dedicated PMs: 3
• TOTAL: 49
Global Delivery: Staffed Locations
• US – Redmond (ACE HQ), United States, Canada, Europe, India, China, Australia
Our Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services
Determined Adversaries and Targeted Attacks (DA/TA)
…AKA Advanced Persistent Threats (APTs)
Think “organizations stealing data with full-time employees (FTEs),” not casual hackers or “viruses”
If you are targeted, they want (and may already have) profiles of your people and organization:
• Who has access to what they want
• Who are the IT admins
• Who clicks on phishing emails
DA/TA Common Technical Tactics
• Gain control of your identity store
  • Public: admin rights, interesting projects/groups
  • Secrets: passwords/hashes
• Download terabytes of your data
  • Large initial exfiltration(s) typically
  • Then… target specific data (new/valuable/strategic)
• Hide custom malware on multiple hosts
Where it happens:
• Access: Users and Workstations
• Power: Domain Controllers
• Data: Servers and Applications
Pass The Hash
1. Bad guy targets workstations en masse
2. User running as local admin is compromised; bad guy harvests credentials
3. Bad guy starts “credentials crabwalk”
4. Bad guy finds host with domain privileged credentials, steals them, and elevates privileges
5. Bad guy owns network, can harvest what he wants
Demo: Pass the Hash with Windows Credential Editor (Security Research Tool)
Mark Simos, Solution Architect, Microsoft Consulting Services
Recommendations
• Know What Matters
• Effective Workstation and Server Defenses
• Protect Key Identities/Roles
• Employ The SDL
Protecting the Crown Jewels
• Do not try to protect all assets equally; you can’t
• Identify and protect intellectual property that is valuable to the organization and to potential attackers:
  • Foreign and domestic competitors
  • Would-be competitors
  • Governments, etc.
“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds”
- Attributed to Dean Rusk, US Secretary of State, 1961-1969
Protecting the Crown Jewels
Reference: http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html
Diagram: three overlapping sets: what the defender values, what the defender protects, what the attacker wants
Protecting the Crown Jewels
• Identify the most important assets
• Protect them with the strongest security:
  • Multi-factor authentication (smart cards, etc.)
  • Strict security requirements
  • Hardened systems
  • Asset isolation
  • Concentric rings of security
Protect Your Hosts
Effective defenses that minimize risk:
• Move users out of local admins groups
• Get current / stay current
• Implement exploit mitigation
• Patching, compliance, and configuration management
• End-user education
• Creative destruction
Effective Workstation and Server Defenses
Get Current/Stay Current
• Office 2010: XML file format, Protected View
• Windows 7: Standard User
• Java 6: ends side-by-side versioning
• Internet Explorer 9: SmartScreen Filter, Protected Mode
• Adobe Acrobat Reader X: applied Microsoft SDL, Protected Mode
• Adobe Flash Player 11: SSL support, random number generator
• Adobe SPLC: http://blogs.msdn.com/b/sdl/archive/2009/06/17/microsoft-adobe-protecting-our-customers-together.aspx
Better Patching
• Not just OS patches, but Java, Adobe Reader, Flash, plug-ins, apps, firmware
• Appliances are often running publicly known vulnerable versions of software
• Make sure the devices and appliances that protect your network aren’t gateways into your network
• Printers
Enhanced Mitigation Experience Toolkit (EMET)
• No application re-compile required
• Mitigations apply to opted-in application and its plug-ins
• Recommend: opt in apps that process internet/untrusted content; test for application compatibility
Effective End-User Education
• Do your end-users know that the most likely way they can be exploited is visiting the web site they trust the most? Or reading a PDF file?
• Does your current end-user education teach end-users what their antivirus software looks like?
• Does your current end-user education contain these points? If not, it should
• Phish-me type tests
Asset Isolation
• Firewalls are old news
• Do traffic analysis: who needs to talk to what?
  • Should server A speak to server B?
  • Should workstation A be able to connect to all servers?
• If not, isolate! Use any method you like (e.g., routers, firewalls, IPsec, etc.)
• A great way to notice DA/TAs
Creative Destruction
Gartner term for a method of decommissioning legacy applications and systems:
1. Catalogue application portfolio and application functionality
2. Identify redundancies
3. Create new specs
4. Identify Cloud provider
5. Create application(s) with desired functionality
6. Pipe application data to Cloud
7. Decommission legacy applications and systems
Protect Active Directory and Key Identities
• Practice credential hygiene
• Implement multi-factor authentication
• Reduce broad and deep privileges
Credential Hygiene
• Privileged accounts log onto sufficiently secured hosts
• Separate internet risk from privileged credentials
• Can require detailed design/re-design of privileges, host security, and logon rights GPOs
• Rule of Thumb: protect admin workstations at the same level as the servers/apps administered by the accounts using them
• Domain Admin logs on to internet-connected workstation = security of entire domain entrusted to that workstation
Compartmentalization
• Production Domain Admins
• Workstation Admins
• Server Admins
• High Business Impact (HBI) Server Admins
• Secure Maintenance
• SQL Admins, Exchange Admins, SharePoint Admins, … Server Admins
Multi-factor Authentication
• What you know (password, PIN, etc.)
• What you have (smart card, token, cell phone, etc.)
• Biometric measurement (fingerprint, retina, etc.)
• Ensure remote attackers can’t use identity over Internet
• Physical attacks are more expensive and difficult
• Smart cards are natively supported by Windows
Privilege Reduction
Goals
• Eliminate accounts that have both broad and deep privilege
• Have no permanent:
  • Enterprise Admins
  • Domain Admins
  • Administrators
  • Accounts with equivalent privilege
Why? Because it only takes one privileged account to:
• Leverage easy mechanisms
  • Use the privileged account to create additional accounts: not just privileged, but VIP “mimicking” accounts, and accounts with backdoors into other accounts
  • Place malware and other binaries on DCs and member servers
  • Leverage existing management tools
  • Disable SID quarantining and/or selective authentication
  • Modify GPOs
  • Install backdoors in approved images/packages
• Or slightly harder mechanisms
  • sIDHistory manipulation
  • Migration APIs
  • Debugger attacks
  • Disk editors
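The “no permanent members” goal above is measurable. The following PowerShell check is an added example, not from the deck: it resolves the three built-in groups by well-known RID/SID (so renamed groups are still found), expands nested membership, and lists every standing privileged account. It assumes the ActiveDirectory (RSAT) module and that it runs against the forest root domain, where Enterprise Admins lives.

```powershell
# Added example (not from the deck): report every account with permanent membership
# in Domain Admins, Enterprise Admins and built-in Administrators.
# Assumes the ActiveDirectory module and execution in the forest root domain.
Import-Module ActiveDirectory

function Get-PermanentPrivilegedMembers {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $groupSids = @(
        "$domainSid-512",   # Domain Admins (well-known RID 512)
        "$domainSid-519",   # Enterprise Admins (RID 519, forest root domain only)
        'S-1-5-32-544'      # built-in Administrators
    )
    foreach ($sid in $groupSids) {
        $group = Get-ADGroup -Identity $sid
        # -Recursive expands nested groups, so accounts privileged only via nesting show up too.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
                [pscustomobject]@{
                    Group           = $group.Name
                    Account         = $u.SamAccountName
                    Enabled         = $u.Enabled
                    LastLogonDate   = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                    # RID 500 is the built-in Administrator, which the deck keeps but disabled.
                    BuiltIn         = $u.SID.Value.EndsWith('-500')
                }
            }
    }
}

# Every row is a standing privileged account; the target state is an empty report
# apart from the (disabled) built-in Administrator.
Get-PermanentPrivilegedMembers | Sort-Object Group, Account | Format-Table -AutoSize
```

Stale LastLogonDate or PasswordLastSet values on a row are the usual sign of a forgotten permanent grant that should move to the time-bound model described later in the deck.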
Role-Based Access Controls (RBAC) for IT
Least-privilege model for IT operations
• IT staff given multiple accounts
• Staff with limited responsibilities typically have 2:
  • Regular user account
  • Support account that has been granted roles based on day-to-day work characteristics
• Possible additional accounts (usually more with higher support tiers)
• NOT member of EA/DA/Administrators
• No equivalent privileges
• Multi-factor authentication required
• Accounts denied workstation logon
• Defined “allowed to authenticate” systems
• RDP to secure “jump servers”/“bastion hosts” for management
  • Can leverage virtualization
  • Secure per-person jump servers that are restricted to each unique user and restarted after each use
Diagram: example user Jane Doe with a regular (help desk) account and a separate Secure Maintenance account
Privileged Identity Management
Mechanisms by which accounts are granted temporary rights and privileges required to perform build or break-fix functions:
• Time-bound
• Workflow generated, monitored and reported
• May be given temporary username + password
• May be temporarily placed in privileged groups
• May operate through recorded portals
• Programmatic
Privileged credentials are not permitted to stagnate or to be permanently available:
• Reduced attack surface
• Checks and balances
• Audit trails
Mechanics of RBAC (IT) and PIM
Multiple Approaches
For RBAC (IT):
• Powerful proxy accounts (not preferable; can potentially be secured using a subset of the Administrator account recommendations)
• Defined roles with assigned rights and permissions (better approach)
• Combinations of both
For PIM:
• Powerful proxy accounts (not preferable)
• Temporary membership in privileged groups
• Password vaults
• APIs to replace hard-coded passwords
• Session management tools
• Local and service account management tools
Basic Principles: Roles vs. Temporary Privilege
For Day-to-Day Functions:
• Define roles
• Roles may have broad privilege (e.g., reset passwords across broad swaths of accounts) or deep privilege (e.g., can activate privileged accounts), but not both
In Build & Break-Fix Scenarios:
• Temporarily populate privileged groups in some cases (e.g., fixing a member server might grant support staff temporary local Administrators membership)
• Temporarily use built-in privileged accounts
• Consider broad vs. deep
Caveat: if role privileges are functional equivalents of built-in privileged groups, use time-bound population of groups rather than creating permanent roles with high privilege.
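The time-bound group population that the PIM slides and the caveat above call for can be implemented programmatically. The script below is an added example, not the deck's or any product's code: one function grants membership against a ticket reference and records the grant in a ledger (the audit trail), and a second, meant for a scheduled task, revokes every grant past its expiry. The ledger path is an assumed placeholder and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the deck): minimal time-bound privileged group membership.
# Assumes the ActiveDirectory module; $Ledger is a placeholder path for the grant record.
Import-Module ActiveDirectory
$Ledger = 'C:\PIM\grants.csv'

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,     # e.g. 'Domain Admins' or a server's local Administrators via a domain group
        [Parameter(Mandatory)][string]$Account,   # sAMAccountName of the support account
        [Parameter(Mandatory)][string]$Ticket,    # workflow reference, so every grant is traceable
        [int]$Hours = 2
    )
    $expires = (Get-Date).AddHours($Hours)
    Add-ADGroupMember -Identity $Group -Members $Account
    # Append to the ledger; this is the audit trail the deck asks for.
    [pscustomobject]@{
        Group   = $Group; Account = $Account; Ticket = $Ticket
        Granted = (Get-Date).ToString('o'); Expires = $expires.ToString('o')
    } | Export-Csv -Path $Ledger -Append -NoTypeInformation
    Write-Host "Granted $Account membership in $Group until $expires (ticket $Ticket)"
}

function Revoke-ExpiredMembership {
    # Run from a scheduled task every few minutes so no grant outlives its window.
    if (-not (Test-Path $Ledger)) { return }
    $now = Get-Date
    $remaining = foreach ($g in Import-Csv $Ledger) {
        if ([datetime]$g.Expires -le $now) {
            Remove-ADGroupMember -Identity $g.Group -Members $g.Account -Confirm:$false
            Write-Host "Revoked $($g.Account) from $($g.Group) (ticket $($g.Ticket))"
        } else {
            $g   # still within its window, keep it in the ledger
        }
    }
    if ($remaining) { $remaining | Export-Csv -Path $Ledger -NoTypeInformation }
    else            { Remove-Item $Ledger }   # nothing outstanding
}
```

On domains with the Privileged Access Management optional feature enabled, Add-ADGroupMember -MemberTimeToLive lets the directory expire the membership itself; the ledger approach above is the portable fallback and still gives you the ticket-to-grant record.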
Sample Approach to Securing Built-In Administrator Accounts
In each domain:
• Set Administrator account flags:
  • Account is disabled
  • Smart card is required for interactive logon
  • Account is sensitive and cannot be delegated
• Audit and alert on any changes to account
• Create/modify domain-level GPO: “Deny access to this computer from the network” (does not prevent interactive logon in case of emergency)
On member servers and workstations:
• Create/modify GPO: disable Administrator account
• Audit and alert on changes to account
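The three account flags above map one-to-one onto Set-ADUser parameters, so the domain part of this sample approach can be checked, and enforced, per domain. This PowerShell function is an added example, not from the deck; it locates the built-in Administrator by its well-known RID 500 (so a renamed account is still found) and assumes the ActiveDirectory module plus rights to read, and with -Enforce to modify, that account.

```powershell
# Added example (not from the deck): verify, and optionally enforce, the slide's three
# flags on each domain's built-in Administrator account (RID 500).
Import-Module ActiveDirectory

function Test-BuiltInAdministrator {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [switch]$Enforce
    )
    $dom   = Get-ADDomain -Identity $Domain
    $sid   = "$($dom.DomainSID.Value)-500"      # built-in Administrator, whatever its current name
    $props = 'Enabled', 'SmartcardLogonRequired', 'AccountNotDelegated'
    $admin = Get-ADUser -Identity $sid -Server $dom.PDCEmulator -Properties $props

    # Desired state from the slide: disabled, smart card required, not delegatable.
    $desired = @{ Enabled = $false; SmartcardLogonRequired = $true; AccountNotDelegated = $true }
    $findings = foreach ($p in $props) {
        [pscustomobject]@{
            Domain    = $dom.DNSRoot
            Setting   = $p
            Expected  = $desired[$p]
            Actual    = $admin.$p
            Compliant = ($admin.$p -eq $desired[$p])
        }
    }

    if ($Enforce -and ($findings | Where-Object { -not $_.Compliant })) {
        # Write all three flags at once against the PDC emulator to avoid replication races.
        Set-ADUser -Identity $admin -Server $dom.PDCEmulator `
            -Enabled $false -SmartcardLogonRequired $true -AccountNotDelegated $true
    }
    $findings
}

# Check every domain in the forest; rows with Compliant = False need attention.
(Get-ADForest).Domains | ForEach-Object { Test-BuiltInAdministrator -Domain $_ } |
    Format-Table -AutoSize
```

The “Deny access to this computer from the network” right and the audit-and-alert items are Group Policy and auditing settings rather than account attributes, so they are not covered by this check.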
Takeaways
1. Identify and protect important systems/data first
2. Implement effective host defenses
  • Run standard users without local administrative access
  • Use multi-factor authentication
  • Anywhere Internet access and content is processed: deploy and configure EMET
  • Patch all OSes/applications
  • Start a creative destruction program
3. Protect important credentials and accounts
  • Isolate from risks of Internet and lower trust hosts
  • Implement least-privilege approaches
Cyber Security Capabilities
• Detecting Threats: advanced tools to find new attacks; deep expertise hunting for the DHA
• Innovative Mitigations: make the most of your existing assets; new approaches to counter threats
• Custom Solutions: specialized development team; applying SDL to your development
Comprehensive Approach: Recovery & Mitigations; Sensors & Intelligence; Response & Investigation; Architecture & Advisory Workshops; Advanced Programs
ACE Offerings
Security Program: Security Architect Led & Program Manager Supported
Infrastructure Security and Application Security offerings:
• Active Directory Security Assessment (ADSA)
• Application Penetration Testing
• ISO Security Assessment Service (ISAS)
• Infrastructure Security Design Review
• Public Key Infrastructure Security Assessment (PKISA)
• Enterprise PKI Framework
• Enterprise Host Security Assessment (EHSA)
• Dogfood Security Review
• Azure Application Security Assessment
• Application Security Program Development
• Application Security Training
• Application Security Assessment
• Application Security Architecture Assessment
• Application Privacy Assessment
• Vendor Maturity Assessment (VMA)
• Custom Infrastructure Design
• Custom Assessments
• Mobile Application Security Assessment
• Venture Integration (VI) Security Assessments
• Credential Protection Training and Design
• Custom Application Security Programs
Related Content
• SIA300: Ten Deadly Sins of Administrators about Windows Security
• SIA301: Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces
• SIA324: Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You
• SIA308: Antimalware Smackdown
• SIA309: Windows 8: Malware Resistant by Design
Track Resources
• www.microsoft.com/twc
• www.microsoft.com/security
• www.microsoft.com/privacy
• www.microsoft.com/reliability
Resources
• Connect. Share. Discuss.: http://northamerica.msteched.com
• Learning (Microsoft Certification & Training Resources): www.microsoft.com/learning
• TechNet (Resources for IT Professionals): http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.