Modern cybersecurity threats, and shiny new tools to help deal with them

@ITCAMPRO #ITCAMP17Community Conference for IT Professionals
Modern cybersecurity threats, and shiny
new tools to help deal with them
Microsoft Cloud & Datacenter Management MVP, Certified Ethical Hacker
Executive Manager at Avaelgo (IT Advisory, Managed Services, Training)
Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
Tudor Damian

Many thanks to our sponsors & partners!
GOLD
SILVER
PARTNERS
PLATINUM
POWERED BY

VIDEO – ANATOMY OF AN ATTACK
Source: CISCO

CURRENT STATE OF CYBERSECURITY

The effects of WannaCry and EternalRocks

Your systems’ security is as strong as its weakest link

• A steady increase in companies targeted by Social Engineering
attacks (60% in 2016, and growing)
• Data theft turning into data manipulation
• Attackers targeting consumer & IoT devices (e.g. Mirai botnet)
• Ransomware on the rise (e.g. WannaCry)
• Breaches getting more complicated and harder to detect
• 70% of companies will experience cyber attacks by 2018 (IDC)
• Through 2020, 99% of vulnerabilities exploited will continue to be
the ones known by IT professionals for at least one year (Gartner)
• Cyber risk insurance is more needed than ever
A changing security landscape

Myspace Fling LinkedIn Sony VK.com Dropbox Tumblr Yahoo
Equation
Group
Shadow
Brokers
Punycode BadUSB Superfish Heartbleed Shellshock Karmen POODLE FREAK
GHOST DROWN Dirty COW STAGEFRIGHT QuadRooter XCodeGhost Mirai Carbanak Gemalto
SS7 Locky DMA Locker Surprise Ranscam SWIFT Weebly Sundown CrypMIC
TrickBot Angler RIG Neutrino xDedic BlackEnergy ProjectSauron Adwind Danti
SVCMONDR Lazarus FruityArmor ScarCruft Lurk Ammyy Admin Chinastrats Patchwork TeslaCrypt
2016 – the year of hacks and vulnerabilities

Secure
CheapUsable
Choices in building a system/app - pick any two!

Attack timeline
24–48 hours
More than 200 days
(varies by industry)
First host
compromised
Domain admin
compromised
Attack
discovered
Sources: HP, Ponemon Institute, Verizon

How much time does security get?
An attacker has 24x7x365 to attack you
Attacker Schedule
Time
The defender has 20 (?) man days per year to detect and defend
Who has the edge? 
Scheduled
Pen-Test
Scheduled
Pen-Test

• CISCO, 2014
– There are more than 1 million unfilled security jobs worldwide
• (ISC)² study, 2015
– A shortfall of 1.5 million security professionals is estimated by 2020
Lack of security professionals worldwide
Sources:
http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html

• EU General Data Protection Regulation (GDPR)
– It will come into effect on May 25th 2018
– GDPR clarifies where responsibility for privacy protection lies with any
companies who store, collect, manage and analyze any form of Personally
Identifiable Information (PII)
– Applies to any organization (including those outside the EU) that holds or
processes data from EU residents
– Replaces Data Protection Directive (DPD) 95/46/EC to become the single, all-
encompassing privacy protection regulation in the EU
• Breaches could lead to fines:
– Major breaches - up to €20 million or 4% of global annual turnover
– Less important breaches - up to €10m or 2% of global annual turnover
GDPR is coming!
More: http://www.eugdpr.org/

• Adds some more rights for EU citizens:
– Right to be forgotten (ask data controllers to erase all personal data)
– Right to data portability (move data from a service provider to another)
– Right to object to profiling (not to be subject to a decision based solely on
automated processing)
• Where do companies store PII data?
– Customer Relationship solutions (SalesForce, PeopleSoft, Dynamics)
– ERPs (SAP, Oracle, Axapta)
– Enterprise Content Management systems, File Shares
– Emails, Attachments, Office Documents, PDF files, letters, contracts
– SharePoint, Lotus Notes, Dropbox, Box, OneDrive
– Employee HR data
– etc.
More details on GDPR
More: http://www.eugdpr.org/

• We have to stop focusing on preventing a data breach and start
assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response, and
effective recovery
– Start thinking about the time when a breach will (almost inevitably) occur in
your infrastructure
– Be prepared for that!
Assume Breach - a change in mindset

A healthier security approach
Source: Gartner
PREDICT
• Proactive Exposure
Analysis
• Predict Attacks
• Baseline Systems
PREVENT
• Harden and Isolate
Systems
• Divert Attackers
• Prevent Incidents
DETECT
• Detect Incidents
• Confirm and Prioritize
• Contain Incidents
RESPOND
• Investigate/Forensics
• Design/Model
Change
• Remediate/Make
Change
Continuous
Monitoring
and Analytics

WINDOWS 10 & WINDOWS SERVER 2016

The Windows 10 Defense Stack
Device Health
attestation
Device Guard
Device Control
Security policies
Built-in 2FA
Account lockdown
Credential Guard
Windows Hello ;)
Device protection
BitLocker
Enterprise Data
Protection
Conditional access
SmartScreen
AppLocker
Device Guard
Windows Defender
Network/Firewall
Windows Defender
Advanced Threat
Protection (WDATP)
Microsoft Advanced
Threat Analytics
(ATA)
Device protection Information
protection
Threat resistance
Breach detection
Investigation & Response
Pre breach Post breach
Identity protection
The Windows 10 defense stack

Some of the security improvements in W10 / WS2016
Windows Defender
SmartScreen
Credential Guard
Enterprise
Certificate Pinning
Just Enough
Administration
(JEA)
Just-in-time
Administration (JIT)
Device Guard
Structured
Exception Handling
Overwrite
Protection (SEHOP)
Control Flow Guard
(CFG)
Windows Hello In-box Azure MFA
Hypervisor-
protected code
integrity (HVCI)
Shielded VMs
Host Guardian
Service
Device Health
Attestation (DHA)
Network Controller
Distributed Firewall
Network Security
Groups
Virtual Appliances
Virtual Secure
Mode
Virtual TPM
More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10

JEA & JIT

Challenges in protecting credentials

Windows Server 2016 approach
• Credential Guard
– Prevents Pass the Hash and
Pass the Ticket attacks by protecting
stored credentials through
Virtualization-based Security
• Just Enough
– Administration Limits administrative
privileges to the bare-minimum
required set of actions (limited in
space)
• Just in Time
– Administration Provide privileged
access through a workflow that is
audited and limited in time
• JEA + JIT
– Limitation in time & capability
More: https://github.com/PowerShell/JEA & https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

In box Azure MFA
More: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication

PROTECTING VMS

Hypervisor
Fabric
Guest VM
Protect virtual machines
• Compromised or malicious
fabric administrators can
access guest VMs
• Health of hosts not taken
into account before
running VMs
• Tenant’s VMs are exposed
to storage and network
attacks
• Virtual Machines can’t take
advantage of hardware-
rooted security capabilities
such as TPMs
Fabric
Hypervisor
Guest VM
Healthy host?
Guest VM

Windows Server 2016 approach
• Shielded VMs
– Use BitLocker to encrypt the disk
and state of virtual machines
protecting secrets from
compromised admins & malware
• Host Guardian Service
– Attests to host health releasing the
keys required to boot or migrate a
Shielded VM only to healthy hosts
• Generation 2 VMs
– Supports virtualized equivalents of
hardware security technologies (e.g.,
TPMs) enabling BitLocker encryption
for Shielded VMs
  
 
 
 
 
  
More: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node

Guarded hosts and Shielded VMs attestation
• Admin-trusted attestation
– Intended to support existing host hardware (no TPM
2.0 available)
– Guarded hosts that can run Shielded VMs are
approved by the Host Guardian Service based on
membership in a designated Active Directory
Domain Services (AD DS) security group
• TPM-trusted attestation
– Offers the strongest possible protections
– Requires more configuration steps
– Host hardware and firmware must include TPM 2.0
and UEFI 2.3.1 with secure boot enabled
– Guarded hosts that can run Shielded VMs are
approved based on their TPM identity, measured
boot sequence and code integrity policies
More: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node

VIRTUAL SECURE MODE

Virtual Secure Mode Overview

DEVICE GUARD &
CREDENTIAL GUARD

Device Guard & AppLocker
• AppLocker was introduced back in Windows 7 / WS 2008 R2
– Specifies a list of apps allowed to run on a user’s device
– Whitelist can be specific to a group or individual within AD
– Much more efficient than a blacklist
• Device Guard extends AppLocker
– Relies on digital signatures
– Requires apps to be digitally signed
– This includes internal apps
• Device Guard Requirements
– Intel VT-x or AMD-V extensions
– Second Level Address Translation (SLAT)
– Intel VT-d or AMD-IOV
– TPM (optional, required for Credential Manager)
More: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide

Device Guard
• Hardware Rooted App Control (runs in VSM)
– Enables a Windows desktop to be locked down to only run trusted apps, just like
many mobile OS’s (e.g.: Windows Phone)
– Untrusted apps and executables such as malware are unable to run
– Resistant to tampering by an administrator or malware
– Requires devices specially configured by either the OEM or IT
• Getting Apps into the Circle of Trust
– Supports all apps including Universal and Desktop (Win32)
– Trusted apps can be created by IHV, ISV, and Organizations using a Microsoft
provided signing service
– Apps must be specially signed using the Microsoft signing service. No additional
modification is required
– Signing service made available to OEM’s, IHV, ISV’s, and Enterprises
More: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide

Credential Guard
• Uses virtualization-based security to protect
Kerberos, NTLM, and Credential Manager secrets
More: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works

Credential Guard Details
• Minimum Requirements
– Windows 10 v1511 or Windows Server 2016
– x64 architecture
– UEFI firmware 2.3.1 or higher and Secure Boot enabled
– TPM version 2.0
• Considerations
– 3rd party Security Support Providers (SSP) secrets are not protected
– NTLM v1 is not supported (considered to be unsecure)
– Kerberos unconstrained delegation & DES encryption aren’t supported
– Digest Auth, Credential delegation and MS-CHAPv2 will prompt for (and
potentially expose) credentials
• MS-CHAPv2 should be phased out (i.e. upgrade your Wi-Fi and/or VPN)
More: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works

WINDOWS HELLO

Windows Hello
• Replaces/extends Windows passwords with
– Fingerprint, iris scan & facial recognition
– MFA via companion devices like phones, wearables,
USBs, smartcards (formerly Microsoft Passport)
Hello ITCamp
******
username
More: https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport

GROUP MANAGED SERVICE ACCOUNTS

Group Managed Service Accounts
• The feature builds on Standalone Managed Service accounts
– Introduced in Windows 2008 R2 and Windows 7
– Managed domain accounts
– Automated password management
– Simplified SPN (Service Principal Name) management, including
delegation of management to other Administrator
• Group Managed Service Accounts
– Provides same functionality within the domain but also extends that
functionality over multiple servers
– Leverages the Microsoft Key Distribution Service within the AD domain
– e.g. it can be used when connected to a service hosted on a server farm,
such as a Network Load Balancer – ensures that all instances use the same
principal
More: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

DEVICE HEALTH ATTESTATION (DHA)

Today, device health is assumed
• Clients are usually granted full access to resources
• Any clients which become “unhealthy” can
proliferate malware
1
Important resources
2

Device Health Attestation (DHA)
• On-premise or cloud-based service
– Provides remote health attestation for devices
– Can issue health state “claims”
• Blocks unhealthy devices to protect
resources and prevent proliferation
• Intune MDM can provide conditional
access based on device health state claims
• Hardware Requirements
– UEFI 2.3.1 with Secure Boot
– VT-x, AMD-V & SLAT
– x64 processor
– IOMMU (Intel VT-d or AMD-Vi)
– TPM 1.2 or 2.0
More: https://docs.microsoft.com/en-us/windows-server/security/device-health-attestation

WINDOWS INFORMATION PROTECTION

• Allows companies to transparently keep corporate data secure and
personal data private, while providing data leakage control
• Key features:
– Automatically tag personal and corporate data
– Protect data while it’s at rest on local or removable storage
– Control which apps can access corporate data
– Control which apps can access a virtual private network (VPN) connection
– Prevent users from copying corporate data to public locations
– Help ensure business data is inaccessible when the device is in a locked state
– Ability to wipe corporate data from devices while leaving personal data alone
– Usage of audit reports for tracking issue and remedial actions
Windows Information Protection
More: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip

…AND A FEW OTHERS

• SMB hardening for SYSVOL and NETLOGON shares
– Client connections to the ADDS default SYSVOL and NETLOGON shares now require SMB signing and
mutual authentication (such as Kerberos)
• Protected Processes
– Help prevent one process from tampering with another (specially signed) process
• Universal Windows apps protections
– Apps are carefully screened before being made available
– They run in an AppContainer sandbox with limited privileges
• Heap protections
– Improvements in the use of internal data structures which help protect against corruption of memory
used by the heap
• Control Flow Guard (CFG)
– Helps mitigate exploits that are based on flow between code locations in memory
• Structured Exception Handling Overwrite Protection (SEHOP)
– Complements DEP and ASLR
• Kernel pool protections
– Help prevent exploitation of pool memory used by the kernel
Windows 10 mitigations against memory exploits

• Windows Defender SmartScreen
– Checks the reputation of all downloaded apps
• Code Integrity
– Ensure that only permitted binaries can be executed from the moment the OS is booted
• Enterprise Certificate Pinning
– Protect internal domain names from chaining to fraudulent certificates
• Early Launch Anti Malware (ELAM)
– Blocks driver-based rootkits
• Guarded Fabric
– Shielded VMs, VSM, Hypervisor Code Integrity (HVCI)
• Windows Defender Advanced Threat Protection (WDATP)
• Advanced Threat Analytics (ATA)
Several other improvements

You might also want to take a look at…
…my ITCamp session from last year 
Talking about Guarded Fabric, Microsoft ATA, WDATP & more

Q & A

Modern cybersecurity threats, and shiny new tools to help deal with them

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Modern cybersecurity threats, and shiny new tools to help deal with them

Similaire à Modern cybersecurity threats, and shiny new tools to help deal with them (20)

Plus de Tudor Damian

Plus de Tudor Damian (20)

Dernier

Dernier (16)

Modern cybersecurity threats, and shiny new tools to help deal with them