
12/6/2018

The Year in Review: From the Totally New Spectre & Meltdown to Pathetically Old Flash; There's Plenty to Learn from 2018

© 2018 Monterey Technology Group Inc.

Sponsored by Quest

Preview of key points
 Spectre and Meltdown
 Flash
 NotPetya
 Equifax Breach
 Data Gleaned from Patches

Spectre and Meltdown

 Where do things stand?
   Patches available for both attack types
   Combination of OS / firmware / microcode
   Newer processors less impacted, both in terms of security and performance
   Some fixes are opt-in
   New variants are being discovered
   Nothing earth shattering at this point
   These speculation vulnerabilities are tough to fix but also tough to exploit for real advantage – so far
 What to do
   First understand what hardware you have
   Know the configuration of your systems with respect to the opt-in controls
   Follow best practice
     Don’t allow unauthorized applications
     Restrict website access
     Fight phishing
     Use least privilege
     Separate system roles
   Understand the risks of cloud and virtualization

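The two "what to do" items that are checkable from a console are the hardware inventory and the opt-in state. The following PowerShell is an added example, not code from the deck or from Quest: it reports the CPU and the Windows speculative-execution mitigation override values on the local machine and offers an opt-in function. The registry path and the FeatureSettingsOverride / FeatureSettingsOverrideMask value names are the ones Microsoft documents in its Spectre/Meltdown KB guidance, and the bit meanings (bit 0 = CVE-2017-5715 / Spectre variant 2, bit 1 = CVE-2017-5754 / Meltdown) follow that guidance; confirm them against the current KB for your OS build before touching production.

```powershell
# Added example, not part of the original deck: inventory the CPU and the
# Windows speculative-execution mitigation overrides on the local machine,
# and optionally opt in (Windows Server leaves the mitigations off until an
# admin sets these values; client SKUs enable them by default).
# Registry path, value names and bit meanings follow Microsoft's KB guidance
# (bit 0 = CVE-2017-5715 / Spectre v2, bit 1 = CVE-2017-5754 / Meltdown).
# Verify against the current KB for your OS build before changing production.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpecMitigationState {
    [CmdletBinding()]
    param()

    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $props = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # No override present: the OS default applies (ProductType 1 = workstation).
        $state = if ($os.ProductType -eq 1) { 'OS default (client SKU: mitigations enabled)' } else { 'OS default (server SKU: mitigations DISABLED, opt-in required)' }
    }
    else {
        # The mask says which bits the override controls; a set override bit
        # disables that mitigation, a clear one enables it.
        $v2 = if ($mask -band 1) { if ($override -band 1) { 'disabled' } else { 'enabled' } } else { 'OS default' }
        $md = if ($mask -band 2) { if ($override -band 2) { 'disabled' } else { 'enabled' } } else { 'OS default' }
        $state = "Spectre v2 (CVE-2017-5715): $v2; Meltdown (CVE-2017-5754): $md"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Processor    = $cpu.Name
        CpuId        = $cpu.ProcessorId   # CPUID signature/feature bits, for matching vendor microcode tables
        OsBuild      = $os.BuildNumber
        Override     = $override
        OverrideMask = $mask
        State        = $state
    }
}

function Enable-SpecMitigation {
    # Opt in to both mitigations: Override=0 with Mask=3 is Microsoft's documented
    # "enable" setting for Windows Server. Takes effect after a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmt, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -Value 3 -PropertyType DWord -Force | Out-Null
    }
}

Get-SpecMitigationState | Format-List
# Enable-SpecMitigation -WhatIf   # preview; drop -WhatIf to apply, then reboot
```

Run it through Invoke-Command against your DC and server estate to build the inventory the slide asks for. The registry view only tells you what Windows was asked to do; whether the firmware and microcode actually support the mitigations is reported by Microsoft's SpeculationControl module (Install-Module SpeculationControl; Get-SpeculationControlSettings), which is the check to pair with this one. Hyper-V hosts have an additional documented opt-in for guests (MinVmVersionForCpuBasedMitigations under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization), which is why the slide's last bullet calls out virtualization separately.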

Flash

 Stats on Flash’s continuing vulnerabilities
   Flash is security-patched every month
 How much of an issue is this, though?
   How many endpoints have Flash enabled on them today?
   If your systems and browsers are patched and up to date, Flash doesn’t run automatically except in IE
 What should you do?
   Use Group Policy admin templates to centrally disable Flash in all major browsers
   Keep patching
   Flash will remain a problem for at least another year

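The "centrally disable Flash" advice comes down to four vendor policy settings. The PowerShell below is an added example, not from the deck or from Quest: it writes the machine-wide policy values that the browser vendors' admin templates (ADMX) set for "Flash off", and audits whether they are in place and whether the Flash ActiveX control is even installed, which answers the slide's "how many endpoints have Flash enabled" question. The registry paths and value names (DisableFlashInIE, FlashPlayerEnabled, DefaultPluginsSetting) and the Firefox policies.json FlashPlugin keys are the ones I know from the respective vendor templates; the Firefox install directory is an assumption. In production, set these through a GPO rather than by script so they are enforced and re-applied.

```powershell
# Added example, not part of the original deck: the registry-backed policy
# values behind the browser vendors' Group Policy admin templates for
# turning Flash off, plus an audit function. Paths/value names are from the
# vendor ADMX files as I know them; verify against the templates you import.
# Firefox install path is an assumption (-FirefoxInstallDir).

$FlashPolicies = @(
    # Internet Explorer: "Turn off Adobe Flash in Internet Explorer and prevent
    # applications from using IE technology to instantiate Flash objects"
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer';      Name = 'DisableFlashInIE';      Value = 1 }
    # Legacy (EdgeHTML) Edge: "Allow Adobe Flash" = Disabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons';   Name = 'FlashPlayerEnabled';    Value = 0 }
    # Chrome: DefaultPluginsSetting 2 = block Flash on all sites
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                    Name = 'DefaultPluginsSetting'; Value = 2 }
)

function Disable-FlashByPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$FirefoxInstallDir = "$env:ProgramFiles\Mozilla Firefox"   # assumption
    )

    foreach ($p in $FlashPolicies) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "set DWORD $($p.Value)")) {
            if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType DWord -Force | Out-Null
        }
    }

    # Firefox (60+) reads enterprise policy from <install dir>\distribution\policies.json.
    # FlashPlugin Default=false blocks Flash everywhere; Locked=true stops users re-enabling it.
    $distDir    = Join-Path $FirefoxInstallDir 'distribution'
    $policyJson = @{ policies = @{ FlashPlugin = @{ Default = $false; Locked = $true } } } | ConvertTo-Json -Depth 4
    if ($PSCmdlet.ShouldProcess((Join-Path $distDir 'policies.json'), 'write FlashPlugin Default=false, Locked=true')) {
        New-Item -Path $distDir -ItemType Directory -Force | Out-Null
        Set-Content -Path (Join-Path $distDir 'policies.json') -Value $policyJson -Encoding UTF8
    }
}

function Test-FlashPolicy {
    # Audit view: is the Flash ActiveX control installed, and is each policy in place?
    $installed = Test-Path "$env:windir\System32\Macromed\Flash"   # ActiveX (IE/Edge) install location
    $results = foreach ($p in $FlashPolicies) {
        $cur = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Policy   = "$($p.Path)\$($p.Name)"
            Expected = $p.Value
            Actual   = $cur
            Enforced = ($cur -eq $p.Value)
        }
    }
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FlashActiveXInstalled = $installed
        Policies              = $results
    }
}

Disable-FlashByPolicy -WhatIf    # preview; drop -WhatIf to apply
Test-FlashPolicy | Format-List
```

Test-FlashPolicy run across the estate (Invoke-Command, or as a logon-script artefact collected centrally) gives you the number the slide says you probably do not know: machines where the control is still present and no policy blocks it. Disabling by policy does not remove the vulnerable binary, so "keep patching" still applies until Flash is uninstalled.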
NotPetya

 Malware discovered last year (2017)
   Used EternalBlue and Mimikatz
   Originally thought to be a resurgence of Petya ransomware
 The ransomware was just a feint
   It was destruct-o-ware targeted at Ukrainian businesses

 What happened at Maersk
   “Odessa, a port city on Ukraine’s Black Sea coast, a finance executive for Maersk’s Ukraine operation had asked IT administrators to install the accounting software M.E.Doc on a single computer. That gave NotPetya the only foothold it needed” – Wired, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
   17 of 76 global terminals
     Gates down, cranes frozen, tens of thousands of trucks turned away, no new business
   Massive recovery effort requiring system re-installs and restore of backups 3-7 days prior to NotPetya
     4,000 servers and 45,000 workstations
   But no backup available for the 150 domain controllers
     “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.” – Wired
   One DC had been offline in Ghana since before NotPetya thanks to a blackout
     Relay-race to get the server to Britain

 Learned
   Back up AD, for crying out loud
   Segment your network
   Stop using Windows 2000
   Patch
 What changed in the security world with NotPetya?
   Software supply chain
   Seconds count
     Major Ukrainian bank – 45 seconds
     Ukrainian transit company – 16 seconds
   Collateral damage by malware that gets out of control can be devastating
     Maersk, Merck, TNT Express, Saint-Gobain, Mondelez, Reckitt Benckiser and back to Russia’s Rosneft

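"Back up AD" is the one lesson from the Maersk story that is purely mechanical, so here is what it looks like as an added example (not code from the deck or from Quest): a System State backup of a domain controller with the built-in Windows Server Backup cmdlets, a staleness check you can run from monitoring, and a copy to a share reached with a non-domain credential. The point of the last step is the Maersk detail that an entire domain's worth of DCs died together: a backup that domain admin credentials can reach is a backup NotPetya-class malware can reach. The target volume, share path and credential are placeholders; the feature must be installed (Install-WindowsFeature Windows-Server-Backup).

```powershell
# Added example, not part of the original deck: System State backup of a DC
# (AD database, SYSVOL, registry, boot files) with the WindowsServerBackup
# module, a freshness check, and an off-domain copy. Volume letter, share
# and credential are placeholders; requires the Windows Server Backup feature.

Import-Module WindowsServerBackup

function New-DcSystemStateBackup {
    param(
        [Parameter(Mandatory)][string]$TargetVolume   # e.g. 'E:' - a dedicated local volume
    )
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy                                   # System State = what a DC restore needs
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup               # AD-aware VSS full backup
    Start-WBBackup -Policy $policy
}

function Test-DcBackupAge {
    # Emit an object monitoring can alert on: a DC whose last good backup is
    # older than the threshold has no usable restore point.
    param([int]$MaxAgeHours = 24)
    $summary = Get-WBSummary
    $last    = $summary.LastSuccessfulBackupTime
    $age     = if ($last) { ((Get-Date) - $last).TotalHours } else { [double]::PositiveInfinity }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LastSuccessfulBackup = $last
        AgeHours             = [int][math]::Min($age, [int]::MaxValue)
        Stale                = ($age -gt $MaxAgeHours)
    }
}

function Copy-BackupOffDomain {
    param(
        [Parameter(Mandatory)][string]$TargetVolume,        # same volume the backup was written to
        [Parameter(Mandatory)][string]$Destination,         # e.g. '\\backupvault.example.internal\dc-backups' (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential     # LOCAL account on the non-domain file server
    )
    $source = Join-Path $TargetVolume 'WindowsImageBackup'  # where Windows Server Backup writes
    # -Persist maps a real drive letter so robocopy (a native exe) can see the
    # share; the credential is deliberately not a domain account.
    New-PSDrive -Name B -PSProvider FileSystem -Root $Destination -Credential $Credential -Persist | Out-Null
    try {
        robocopy $source "B:\$env:COMPUTERNAME" /E /R:2 /W:5 /NP | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    }
    finally {
        Remove-PSDrive -Name B
    }
}

# Typical scheduled-task body on each DC:
New-DcSystemStateBackup -TargetVolume 'E:'
Test-DcBackupAge -MaxAgeHours 24
# Copy-BackupOffDomain -TargetVolume 'E:' -Destination '\\backupvault.example.internal\dc-backups' -Credential (Get-Credential)
```

Two things the code cannot do for you: keep more than one generation (the slide's restore came from backups three to seven days old, so a single nightly copy that is already encrypted is useless), and test the restore. The Maersk team only found out they had no DC backup when they needed one; Test-DcBackupAge reporting "not stale" on every DC is the minimum evidence you should be collecting continuously.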

Equifax breach

 145,000,000 Americans’ PII breached
 What we’ve learned in the aftermath
   Patching
     Dependent on local admins
     Patch notification list out-dated
     Vulnerability scanning didn’t catch it
   Single-layer monitoring
     Network only
     No OS log monitoring
     No DB log monitoring
     Didn’t know when a cert expired, which made traffic go black
   Segmentation

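The expired certificate is the most concrete item in the Equifax list, and it is the kind of failure a single scheduled check prevents. The PowerShell below is an added example, not from the deck or from Quest: one function scans a Windows machine's own certificate store for certificates near expiry, the other connects to a TLS endpoint and reads the certificate it presents, so it can watch the inspection device itself or any other appliance you cannot log in to. Host names and the 30-day threshold are placeholders.

```powershell
# Added example, not part of the original deck: catch expiring certificates
# before inspection or monitoring silently "goes black". Host names and the
# threshold are placeholders.

function Get-ExpiringLocalCertificate {
    # Certificates in the local machine personal store that expire within N days.
    param([int]$WithinDays = 30)
    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -le $cutoff } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } }
}

function Get-RemoteCertificateExpiry {
    # Read the leaf certificate a TLS endpoint presents, without trusting it.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Validation callback returns $true: we want to read an expired or
        # untrusted cert, not refuse it, so we can report on it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { param($s, $c, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $now  = Get-Date
        [pscustomobject]@{
            Endpoint = "${HostName}:$Port"
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - $now).TotalDays
            Expired  = ($cert.NotAfter -lt $now)
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

# Usage: run from a scheduled task; anything returned here should page someone.
$threshold = 30
Get-ExpiringLocalCertificate -WithinDays $threshold

@('inspection-appliance.example.internal', 'www.example.com') |      # placeholders
    ForEach-Object { Get-RemoteCertificateExpiry -HostName $_ } |
    Where-Object { $_.Expired -or $_.DaysLeft -le $threshold }
```

The remote probe is the one that matters for the Equifax failure mode: the device whose certificate lapsed was the one decrypting traffic for the IDS, so checking the endpoints that inspection depends on, from outside them, is what turns "traffic went black" into an alert with a date on it. Feed both outputs into the same monitoring that watches OS and database logs; the slide's real point is that network-only monitoring had no second layer to notice the first one had stopped.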
What we learn from patch releases

[Chart: Exploits Being Exploited at Patch Release – number of vulnerabilities already being exploited at the time of patch release, per month Jan–Dec, 2017 vs 2018; y-axis 0–5]

[Chart: Vulnerability Types by Year, 2017 vs 2018, counts 0–120 for: Cross Site Request Forgery, Tampering, Spoofing, Information Disclosure, Security Feature Bypass, Remote Code Execution, Cross Site Scripting, Denial of Service, Arbitrary Code Execution, Elevation of Privilege]

[Pie charts: vulnerability type mix, 2017 vs 2018. 2017 slices: Elevation of Privilege, Tampering, Spoofing, Arbitrary Code Execution, Information Disclosure, Denial of Service, Cross Site Scripting, Security Feature Bypass, Remote Code Execution. 2018 shows the same categories plus a number of small new slices whose labels are only partly legible in the extraction, among them Arbitrary File Deletion, Arbitrary File Overwrite, Folder Creation, Information Modification, Cross Site Request Forgery, Session Hijacking, Defense in Depth and Java SE]
Bottom line

 Keep up with new developments
   But don’t let every new vulnerability and attack technique rock your world
 Keep the security of your infrastructure solid and clean
 Accept that incidents will happen – how long will it take you to recover?
   That often defines the extent and cost of the disaster – not the disaster itself
 The most critical infrastructure component at organizations is Active Directory
 Quest is uniquely positioned to help you
   • Secure and monitor Active Directory
   • Clean and maintain Active Directory
   • Recover Active Directory

Quest Security and Compliance Solutions

Bryan Patton
Strategic Systems Consultant, Quest

What do you do in a doomsday scenario like NotPetya?

Steps in restoring System State from Backup

(The slide lists the steps in two columns; they are given here in reading order, left column first, then right.)

 Disable Windows Update
 Find and copy backup to DC
 Disable BitLocker
 Reboot to DSRM
 Isolate DCs from the network
 Disable custom password filters
 Restore from backup
 Restart into Normal Mode
 Select preferred DNS server
 Remove Global Catalog
 Raise the RID pool by 100k
 Invalidate any published RIDs
 Force / wait for / troubleshoot replication
 Seize FSMO roles
 Clean up metadata of removed DCs
 Reset krbtgt password (twice)
 Reset computer account passwords (twice)
 Enable custom password filters
 Ensure SYSVOL is available
 Restart DC into Normal Mode
 Reset trust passwords (twice)
 Disable DC isolation
 Clean up metadata of unrecovered DCs
 Change GC occupancy level
 Enable GC
 Wait for GC to become available
 Restore GC occupancy level
 Enable GC for user authentication
 Enable BitLocker
 Enable Windows Update

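Several of the steps above, from "raise the RID pool" through "reset computer account passwords", map directly onto ActiveDirectory-module cmdlets once the first DC is back in normal mode. The block below is an added example, not the deck's or Quest's code, showing those steps as a single idempotent-ish procedure with -WhatIf support; the DSRM restore, SYSVOL, GC toggling, BitLocker and trust-password steps are left to the native tools (ntdsutil, repadmin, netdom). The recovered DC name and the list of DCs that will not come back are placeholders. The rootDSE invalidateRidPool write follows Microsoft's forest recovery guidance as I know it; treat that guide, not this script, as the authoritative order and caveats.

```powershell
# Added example, not part of the original deck: the post-restore steps that
# map onto ActiveDirectory cmdlets, run on the first recovered DC after it is
# back in normal mode. DC names are placeholders. Follow Microsoft's forest
# recovery guide for the authoritative sequence.

Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # 32 random bytes, base64: long enough that the value never needs to be known.
    param([int]$Bytes = 32)
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf) | ConvertTo-SecureString -AsPlainText -Force
}

function Invoke-PostRestoreSteps {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RecoveredDc,     # e.g. 'DC01.corp.example' (placeholder)
        [string[]]$UnrecoveredDcs = @()                  # DCs that will never come back (placeholder)
    )
    $domain = Get-ADDomain -Server $RecoveredDc
    $cfgNc  = (Get-ADRootDSE -Server $RecoveredDc).configurationNamingContext

    # Seize all five FSMO roles onto the recovered DC (-Force = seize rather than transfer).
    if ($PSCmdlet.ShouldProcess($RecoveredDc, 'Seize FSMO roles')) {
        Move-ADDirectoryServerOperationMasterRole -Identity $RecoveredDc -Server $RecoveredDc -Force -Confirm:$false `
            -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
    }

    # Raise the RID pool by 100,000 so RIDs handed out after the backup was taken
    # are never re-issued to new principals. rIDAvailablePool is a 64-bit value
    # whose low 32 bits are the next RID to allocate; adding moves that watermark.
    $ridMgrDn = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
    $ridMgr   = Get-ADObject -Identity $ridMgrDn -Server $RecoveredDc -Properties rIDAvailablePool
    $newPool  = [int64]$ridMgr.rIDAvailablePool + 100000
    if ($PSCmdlet.ShouldProcess($ridMgrDn, "rIDAvailablePool $($ridMgr.rIDAvailablePool) -> $newPool")) {
        Set-ADObject -Identity $ridMgr -Server $RecoveredDc -Replace @{ rIDAvailablePool = $newPool }
    }

    # Invalidate this DC's current RID pool so it requests a fresh one from the
    # RID master: rootDSE operational attribute invalidateRidPool, value = domain SID.
    if ($PSCmdlet.ShouldProcess($RecoveredDc, 'Invalidate local RID pool')) {
        $sid = [byte[]]::new($domain.DomainSID.BinaryLength)
        $domain.DomainSID.GetBinaryForm($sid, 0)
        $rootDse = [ADSI]"LDAP://$RecoveredDc/RootDSE"
        $rootDse.Put('invalidateRidPool', $sid)
        $rootDse.SetInfo()
    }

    # Metadata cleanup for DCs that will not be recovered. On 2008+ deleting the
    # NTDS Settings object performs the cleanup; then remove the server object.
    foreach ($dead in $UnrecoveredDcs) {
        $srv = Get-ADObject -Server $RecoveredDc -SearchBase $cfgNc -LDAPFilter "(&(objectClass=server)(name=$dead))"
        if ($srv -and $PSCmdlet.ShouldProcess($srv.DistinguishedName, 'Metadata cleanup')) {
            Remove-ADObject -Identity "CN=NTDS Settings,$($srv.DistinguishedName)" -Server $RecoveredDc -Recursive -Confirm:$false -ErrorAction SilentlyContinue
            Remove-ADObject -Identity $srv -Server $RecoveredDc -Recursive -Confirm:$false
        }
    }

    # krbtgt twice: the first reset invalidates tickets forged with the stolen
    # hash (NotPetya ran Mimikatz); the KDC still honours the previous key, so
    # the second reset is what actually retires it.
    foreach ($i in 1, 2) {
        if ($PSCmdlet.ShouldProcess('krbtgt', "Reset password ($i of 2)")) {
            Set-ADAccountPassword -Identity krbtgt -Server $RecoveredDc -Reset -NewPassword (New-RandomSecurePassword)
        }
    }

    # The recovered DC's own machine account password, twice, for the same reason.
    foreach ($i in 1, 2) {
        if ($PSCmdlet.ShouldProcess($RecoveredDc, "Reset computer account password ($i of 2)")) {
            Reset-ComputerMachinePassword -Server $RecoveredDc
        }
    }
    # Trust passwords are reset with netdom (netdom trust ... /resetOneSide) on each side; not scripted here.
}

Invoke-PostRestoreSteps -RecoveredDc 'DC01.corp.example' -UnrecoveredDcs 'DC02', 'DC03' -WhatIf
```

Run with -WhatIf first and read the plan; every step here is destructive by design. Two caveats worth stating plainly: the krbtgt and machine-account resets assume the restored DC is still isolated (the slide's "Isolate DCs from the network" step), because every Kerberos ticket in the forest dies with the second krbtgt reset; and the RID-pool raise is only safe before any new accounts are created on the recovered DC, which is why it sits this early in the list.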
Recovery Manager for AD Forest Edition – A Complete Solution

• Granular, online recovery
• Full-forest disaster recovery from a central console
• Create a virtual lab from production AD
• Quick restore during migration projects

Hybrid/Cloud compounds the risk

Your reliance on Azure AD is increasing
More cloud-only objects than you think – Azure B2B/B2C users, MFA attributes, O365 groups
On-prem recovery won’t cover cloud

Quest On-Prem and Hybrid Security Suite

IT Security Search, Recovery Manager & On Demand Recovery (Investigate and recover)
• Investigate AD security incidents
• Continuously test your AD business continuity plan
• Recover from a security incident
• Improve your RTO following a disaster
• Secure access to AD DC data

Enterprise Reporter Suite (Continually assess)
• Who has access to what sensitive data in AD
• Who has elevated privileged permissions in AD and on servers
• What systems are vulnerable to security threats

Active Roles & GPOADmin (Remediate and mitigate)
• Enforce permission blacklisting/whitelisting in AD
• Implement an AD least-privilege access model
• Reduce the attack surface area in AD
• Prevent unauthorized access to sensitive resources
• Remediate unauthorized activities

Change Auditor & InTrust (Detect and alert)
• Detect suspicious privileged AD activities
• Alert on potential AD insider threats
• Notify in real time of unauthorized intrusions against AD
• Detect and alert on brute-force attacks

Live Demo

Summary: Quest is your go-to security and compliance experts

 Respond rapidly before damage spreads
 Right-size your permissions
 Watch the watchers with automated access control
 Sound the alarm faster with real-time monitoring

Learn more
www.quest.com/StopHank to learn more about AD security
www.quest.com/ThreatDetection for info on the new Change Auditor module

Questions?

