ASSUME BREACH
Typical Attack Timeline & Observations
[Timeline figure: First Host Compromised; Domain Admin Compromised; Attack Discovered. Interval label: 24-48 Hours]
http://www.microsoft.com/en-us/download/details.aspx?id=34793
http://www.microsoft.com/SIR
www.microsoft.com/PTH
[Figure: Credential Guard architecture. Columns: Isolated User Mode (IUM) running LSAIso, and High Level OS (HLOS) running LSASS, both above the Hypervisor. Labels: NTLM support, Kerberos support, "Clear", IUM secrets, Device, Boot, Persistent Drivers]
2. Lateral traversal
Tier 2
• Credential Theft
• Application Agents
• Service Accounts
Do these NOW!
www.microsoft.com/pth
http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409
http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx
Integrate People, Process, and Technology
Administrative Forest
Domain and Forest Administration
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B213
https://technet.microsoft.com/en-us/library/security/2871997.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=16776
http://aka.ms/cloudarchitecture
[Table: Responsibility by deployment model (columns: SaaS, PaaS, IaaS, On-prem). Cell shading in the original distinguished cloud service provider responsibility from tenant responsibility; the shading is not recoverable here.]
• Client endpoints
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter
Federation and Synchronization
Private Cloud
On Premises Infrastructure Fabric Identity
Remediate and harden