
PREVENT BREACH + ASSUME BREACH

Typical Attack Timeline & Observations (diagram)

First Host Compromised -> Domain Admin Compromised: 24-48 hours (typical). Privilege escalation with credential theft.
Domain Admin Compromised -> Attack Discovered: 11-14 months. Research & preparation, then data exfiltration, with the attacker undetected throughout.

Modern attack, 24-48 hours from first host to Domain Admin:

1. Get in with a phishing attack (or other initial access)
2. Steal credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute the attacker mission (steal data, destroy systems, etc.)

http://www.microsoft.com/en-us/download/details.aspx?id=34793
http://www.microsoft.com/SIR
http://www.microsoft.com/PTH










Isolated User Mode (IUM) and LSA isolation (diagram)

Hypervisor
  Isolated User Mode (IUM)            High Level OS (HLOS)
    LSAIso                               LSASS
    NTLM support: IUM secrets            NTLM: "clear" secrets
    Kerberos support: IUM secrets        Kerberos: "clear" secrets
(additional diagram labels: Device, Boot, Persistent, Drivers)

The hypervisor keeps LSAIso, which holds the NTLM and Kerberos secrets inside IUM, separate from LSASS in the normal OS, which retains only the "clear" (non-isolated) secrets. Code running in the HLOS, even as SYSTEM, cannot read the IUM copies, which is what defeats credential theft from LSASS memory.

Note: MS-CHAPv2 and NTLMv1 are blocked
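A practical check for the design above, added here as an example and not taken from the deck: the IUM/LSAIso split shipped in Windows 10 Enterprise and Windows Server 2016 as Credential Guard, and its state is exposed through the `Win32_DeviceGuard` CIM class. The script assumes a Windows 10 / Server 2016 or later host and an elevated prompt; the value encodings (1 = Credential Guard in the `SecurityServices*` arrays, 2 = VBS running) are the documented ones.

```powershell
# Added example (not from the original deck): confirm that LSA secrets are actually
# isolated in LSAIso rather than only held by the plain LSASS process.
# Run in an elevated PowerShell prompt on Windows 10 / Server 2016 or later.

function Get-LsaIsolationStatus {
    # Win32_DeviceGuard reports virtualization-based security (VBS) state.
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    $vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = ($dg.SecurityServicesRunning    -contains 1)

    # LsaIso.exe is the IUM half of LSA; LSASS stays as the HLOS half.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaIsoProcessPresent      = [bool]$lsaIso
        # Secrets are only out of LSASS's reach when VBS is running, Credential Guard
        # is running, and the isolated process is actually present.
        SecretsIsolated           = ($vbsRunning -and $cgRunning -and [bool]$lsaIso)
    }
}

$status = Get-LsaIsolationStatus
$status | Format-List
if (-not $status.SecretsIsolated) {
    Write-Warning 'NTLM and Kerberos secrets are held by LSASS only; a local admin can dump them.'
}
```

"Configured but not running" is the common failure mode: the policy is set, but the host lacks UEFI, Secure Boot, or the hypervisor prerequisites, so LSAIso never starts and the secrets stay in LSASS. Treat only `SecretsIsolated = True` as the mitigation being in effect.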


Tier model (diagram)

Tier 0
Tier 1
Tier 2

1. Privilege escalation (from a lower tier into a higher one), via:
   • Credential theft
   • Application agents
   • Service accounts
2. Lateral traversal (within a tier), via:
   • Credential theft
   • Application agents
   • Service accounts

Do these NOW!
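The tier model is only as good as its enforcement, and the cheapest check is to look for Tier 0 identities leaving reusable credentials on Tier 1 or Tier 2 hosts, which is exactly what steps 2-4 of the attack path above harvest. The following script is an added example, not code from the deck; the account names, host names and sample event records are constructed for illustration, and the logon-type list reflects which Windows logon types cache an NTLM hash or TGT in LSASS on the target.

```powershell
# Added example (not from the original deck): flag logons by Tier 0 accounts onto
# hosts outside Tier 0. Logon types 2 (interactive), 4 (batch), 5 (service),
# 10 (RemoteInteractive/RDP) and 11 (cached interactive) leave reusable secrets in
# LSASS on the target; type 3 (network) does not. Names below are assumptions.

$Tier0Accounts          = @('CONTOSO\da-alice', 'CONTOSO\da-bob')
$Tier0Hosts             = @('DC01', 'DC02', 'PAW-T0-01')
$ReusableCredLogonTypes = @('2', '4', '5', '10', '11')

function Get-LogonRecord {
    # Pull 4624 (successful logon) events from a host's Security log and flatten
    # the EventData fields this check needs. Needs rights to read the remote log.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Host      = $ComputerName
            Account   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType = $data.LogonType
            Source    = $data.IpAddress
        }
    }
}

function Find-TierViolation {
    # Emit only records where a Tier 0 identity left reusable credentials on a
    # host that is not Tier 0.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $tier0Account = $Tier0Accounts -contains $Record.Account
        $tier0Host    = $Tier0Hosts -contains $Record.Host
        $leavesCreds  = $ReusableCredLogonTypes -contains $Record.LogonType
        if ($tier0Account -and -not $tier0Host -and $leavesCreds) { $Record }
    }
}

# Constructed sample records, same shape as Get-LogonRecord output, so the check runs
# without a domain. Replace with: Get-LogonRecord -ComputerName 'WS-HR-17'
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Host = 'WS-HR-17'; Account = 'CONTOSO\da-alice'; LogonType = '10'; Source = '10.1.5.23' }  # DA RDPs to a workstation: violation
    [pscustomobject]@{ Time = Get-Date; Host = 'DC01';     Account = 'CONTOSO\da-alice'; LogonType = '10'; Source = '10.1.0.5'  }  # DA RDPs to a DC: allowed
    [pscustomobject]@{ Time = Get-Date; Host = 'WS-HR-17'; Account = 'CONTOSO\da-bob';   LogonType = '3';  Source = '10.1.0.5'  }  # network logon, nothing cached
    [pscustomobject]@{ Time = Get-Date; Host = 'APP01';    Account = 'CONTOSO\jsmith';   LogonType = '2';  Source = '-'         }  # ordinary user, not Tier 0
)

$violations = @($sample | Find-TierViolation)
$violations | Format-Table -AutoSize    # one row: da-alice, type 10, on WS-HR-17
```

Two caveats when running this against real logs. An RDP session opened with `mstsc /RestrictedAdmin` is still logged as type 10 even though no reusable credential reaches the target, so expect those to appear as hits; later Windows versions add a `RestrictedAdminMode` field to 4624 that can be used to exclude them. And the check covers only what reached the Security log, so forward 4624 events centrally (or use the Advanced Threat Analytics detection the roadmap lists) rather than polling each host.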






www.microsoft.com/pth
http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Integrate People, Process, and Technology (diagram labels)

Scope: Domain and Forest Administration; Servers, Apps, and Cloud Services; User, Workstations, and Devices
Accounts and hosts: Administrative Forest; Production Domain(s); Domain and DC Hardening; Hardened Hosts; Admin Workstations; OS, App, & Service Hardening
Process: IT Service Management; Privileged Account Management (PAM); Admin Roles & Delegation; Admin Forest Maintenance; PAM Maintenance; Lateral Traversal Mitigations (Admin Process, Technology)
Technology: Security Alerting; Protected Users; Authentication Policies and Silos; RDP with Restricted Admin
Mitigation roadmap: Good/Minimum, Better, Best

Tier 0 (Domain and Forest Administration)
Good/Minimum
  • Personnel: only DC maintenance, delegation, and forest maintenance
  • Remove accounts from Tier 0
  • Service accounts
  • Separate admin accounts
  • Separate admin desktops, and the associated IT admin process changes
Better
  • Extensive overhaul of IT process and privilege delegation
  • Just in Time (JIT) privileges: Privileged Access Management
  • Multi-factor authentication (smartcards, one time passwords, etc.)
  • Detection: Advanced Threat Analytics
Best
  • Microsoft Passport and Windows Hello
  • Isolated User Mode (IUM)
  • Administrative Forest (for AD admin roles in current releases)

Remaining tiers (the same ladder appears on two slides in the deck)
Good/Minimum
  • Separate admin accounts
  • Separate admin desktops, and the associated IT admin process changes
  • Enforce use of RDP RestrictedAdmin mode
  • Local Administrator Password Solution (LAPS), or the alternate from PTHv1
Better
  • Extensive overhaul of IT process and privilege delegation
  • Just in Time (JIT) privileges: Privileged Access Management
  • Multi-factor authentication (smartcards, one time passwords, etc.)
  • Detection: Advanced Threat Analytics
Best
  • Microsoft Passport and Windows Hello
  • Isolated User Mode (IUM)
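The Good/Minimum and Better rungs above are mostly Active Directory configuration, so here is what applying them looks like, as an added example rather than code from the deck. Account, host, OU, group and silo names are assumptions. It needs the ActiveDirectory RSAT module; the LAPS section needs the AdmPwd.PS module that ships with the LAPS installer; the silo section needs a Windows Server 2012 R2 domain functional level and "KDC support for claims, compound authentication and Kerberos armoring" enabled on the domain controllers. Run it as a Tier 0 administrator from a Tier 0 admin workstation.

```powershell
# Added example (not from the original deck): apply the Good/Minimum items and the
# authentication-silo part of "Better" for Tier 0. All names are assumptions.

Import-Module ActiveDirectory

$tier0Admins = @('da-alice', 'da-bob')            # separate admin accounts (assumed)
$tier0Hosts  = @('DC01', 'DC02', 'PAW-T0-01')     # DCs and Tier 0 admin workstations (assumed)

# --- Good/Minimum: separate admin accounts go into Protected Users ---
# Members cannot use NTLM, DES/RC4 Kerberos keys or delegation, get no cached logon
# verifier, and hold TGTs for at most 4 hours, so a stolen hash or cached secret is worth little.
Add-ADGroupMember -Identity 'Protected Users' -Members $tier0Admins

# --- Good/Minimum: enforce RDP RestrictedAdmin on the admin workstation ---
# Policy "Restrict delegation of credentials to remote servers": type 1 = require
# Restricted Admin, so mstsc never forwards a reusable password or TGT to the target.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path $cd -Force | Out-Null
Set-ItemProperty -Path $cd -Name RestrictedRemoteAdministration     -Type DWord -Value 1
Set-ItemProperty -Path $cd -Name RestrictedRemoteAdministrationType -Type DWord -Value 1
# Each RDP target must also accept Restricted Admin logons (KB2871997 adds this to
# Windows 7 / 2008 R2). The value is absent, meaning disabled, by default; on each target:
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -Type DWord -Value 0

# --- Good/Minimum: LAPS, so every host has a unique, rotated local Administrator password ---
Import-Module AdmPwd.PS
$wsOU = 'OU=Workstations,DC=contoso,DC=com'                                    # assumed OU
Set-AdmPwdComputerSelfPermission -OrgUnit $wsOU | Out-Null                       # machines write their own password
Set-AdmPwdReadPasswordPermission -OrgUnit $wsOU -AllowedPrincipals 'CONTOSO\Tier2-Helpdesk' | Out-Null

# --- Better: authentication policy silo so Tier 0 credentials only work from Tier 0 hosts ---
# The policy limits where a silo member may authenticate *from* to machines carrying the
# same silo claim (ad://ext/AuthenticationSilo) and shortens the user TGT lifetime.
$sddl   = 'O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0-Silo"))'
$policy = New-ADAuthenticationPolicy -Name 'Tier0-Policy' -Enforce -PassThru `
              -UserTGTLifetimeMins 240 -UserAllowedToAuthenticateFrom $sddl
$silo   = New-ADAuthenticationPolicySilo -Name 'Tier0-Silo' -Enforce -PassThru `
              -UserAuthenticationPolicy $policy -ComputerAuthenticationPolicy $policy `
              -ServiceAuthenticationPolicy $policy

foreach ($u in $tier0Admins) {
    $acct = Get-ADUser -Identity $u
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $acct   # permit membership
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo $silo
}
foreach ($h in $tier0Hosts) {
    $acct = Get-ADComputer -Identity $h
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $acct
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo $silo
}

# Verify: each member should report the silo; a DA logon from a non-silo workstation
# is now refused by the KDC instead of succeeding and caching credentials there.
Get-ADUser -Identity $tier0Admins[0] -Properties 'msDS-AssignedAuthNPolicySilo' |
    Select-Object SamAccountName, 'msDS-AssignedAuthNPolicySilo'
```

Order matters in practice: create the silo and policy first without `-Enforce` (audit mode), review the KDC events for logons that would have been denied, and only then enforce, otherwise a forgotten service or monitoring account in Tier 0 breaks the moment the policy goes live. The registry part is shown with `Set-ItemProperty` for clarity; in production it is delivered by Group Policy to the admin workstation OU rather than set by hand.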
Summary

1. Implement mitigations now!
2. Revamp your culture and support processes
3. Plan to adopt Windows 10 features
http://www.microsoft.com/PTH
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
https://technet.microsoft.com/en-us/library/security/2871997.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=16776
http://aka.ms/cloudarchitecture


Responsibility by service model (diagram)

Layer (top = closest to the tenant)     | SaaS | PaaS | IaaS | On-prem
Data governance & rights management     |      |      |      |
Client endpoints                        |      |      |      |
Account & access management             |      |      |      |
Identity & directory infrastructure     |      |      |      |
Application                             |      |      |      |
Network controls                        |      |      |      |
Operating system                        |      |      |      |
Physical hosts                          |      |      |      |
Physical network                        |      |      |      |
Physical datacenter                     |      |      |      |

Legend: cloud service provider responsibility vs. tenant responsibility (the original diagram colours each cell). On-premises every layer is the tenant's. In every cloud model the physical datacenter, physical network and physical hosts are the provider's, while data governance & rights management, client endpoints and account & access management stay with the tenant; the layers in between shift from tenant to provider as you move from IaaS to PaaS to SaaS.

Microsoft Cloud Architecture Sway - http://aka.ms/cloudarchitecture
Microsoft Cloud Security for Enterprise Architects - Visio, pdf
Single Identity (diagram labels): Infrastructure as a Service; Federation and Synchronization; Private Cloud; On Premises Infrastructure Fabric Identity

Remediate and harden -> New known good