With cybersecurity threats changing rapidly, we definitely need a new set of tools to be able to prevent and address them more efficiently: malware is becoming more complex and harder to detect, malicious insider attacks are on the rise and zero-day exploits make their way to the public much quicker than before. Join this session to see how Windows Server 2016 and Windows 10 can help organizations deal with this ever-changing security ecosystem by providing them with ways to better secure their environment and data. We’ll touch on topics such as malware & threat resistance, identity & access control, virtualization-based security, configurable code integrity, remote attestation and a few others.
Modern cybersecurity threats, and shiny new tools to help deal with them
1. @ITCAMPRO #ITCAMP17 Community Conference for IT Professionals
Modern cybersecurity threats, and shiny new tools to help deal with them
Tudor Damian
Microsoft Cloud & Datacenter Management MVP, Certified Ethical Hacker
Executive Manager at Avaelgo (IT Advisory, Managed Services, Training)
Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
8. A changing security landscape
• A steady increase in companies targeted by Social Engineering attacks (60% in 2016, and growing)
• Data theft turning into data manipulation
• Attackers targeting consumer & IoT devices (e.g. Mirai botnet)
• Ransomware on the rise (e.g. WannaCry)
• Breaches getting more complicated and harder to detect
• 70% of companies will experience cyber attacks by 2018 (IDC)
• Through 2020, 99% of vulnerabilities exploited will continue to be the ones known by IT professionals for at least one year (Gartner)
• Cyber risk insurance is more needed than ever
9. 2016 – the year of hacks and vulnerabilities
Myspace, Fling, LinkedIn, Sony, VK.com, Dropbox, Tumblr, Yahoo, Equation Group, Shadow Brokers, Punycode, BadUSB, Superfish, Heartbleed, Shellshock, Karmen, POODLE, FREAK, GHOST, DROWN, Dirty COW, STAGEFRIGHT, QuadRooter, XCodeGhost, Mirai, Carbanak, Gemalto, SS7, Locky, DMA Locker, Surprise, Ranscam, SWIFT, Weebly, Sundown, CrypMIC, TrickBot, Angler, RIG, Neutrino, xDedic, BlackEnergy, ProjectSauron, Adwind, Danti, SVCMONDR, Lazarus, FruityArmor, ScarCruft, Lurk, Ammyy Admin, Chinastrats, Patchwork, TeslaCrypt
11. Attack timeline
First host compromised → (24–48 hours) → Domain admin compromised → (more than 200 days, varies by industry) → Attack discovered
Sources: HP, Ponemon Institute, Verizon
12. How much time does security get?
• An attacker has 24x7x365 to attack you (attacker schedule: continuous over time)
• The defender has 20 (?) man days per year to detect and defend (scheduled pen-tests)
• Who has the edge?
13. Lack of security professionals worldwide
• CISCO, 2014
– There are more than 1 million unfilled security jobs worldwide
• (ISC)² study, 2015
– A shortfall of 1.5 million security professionals is estimated by 2020
Sources:
http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html
14. GDPR is coming!
• EU General Data Protection Regulation (GDPR)
– It will come into effect on May 25th 2018
– GDPR clarifies where responsibility for privacy protection lies with any companies who store, collect, manage and analyze any form of Personally Identifiable Information (PII)
– Applies to any organization (including those outside the EU) that holds or processes data from EU residents
– Replaces Data Protection Directive (DPD) 95/46/EC to become the single, all-encompassing privacy protection regulation in the EU
• Breaches could lead to fines:
– Major breaches: up to €20 million or 4% of global annual turnover
– Less important breaches: up to €10m or 2% of global annual turnover
More: http://www.eugdpr.org/
15. More details on GDPR
• Adds some more rights for EU citizens:
– Right to be forgotten (ask data controllers to erase all personal data)
– Right to data portability (move data from one service provider to another)
– Right to object to profiling (not to be subject to a decision based solely on automated processing)
• Where do companies store PII data?
– Customer Relationship solutions (SalesForce, PeopleSoft, Dynamics)
– ERPs (SAP, Oracle, Axapta)
– Enterprise Content Management systems, File Shares
– Emails, Attachments, Office Documents, PDF files, letters, contracts
– SharePoint, Lotus Notes, Dropbox, Box, OneDrive
– Employee HR data
– etc.
More: http://www.eugdpr.org/
16. Assume Breach – a change in mindset
• We have to stop focusing on preventing a data breach and start assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response, and effective recovery
– Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure
– Be prepared for that!
17. A healthier security approach
Source: Gartner
PREDICT
• Proactive Exposure Analysis
• Predict Attacks
• Baseline Systems
PREVENT
• Harden and Isolate Systems
• Divert Attackers
• Prevent Incidents
DETECT
• Detect Incidents
• Confirm and Prioritize
• Contain Incidents
RESPOND
• Investigate/Forensics
• Design/Model Change
• Remediate/Make Change
(Center of the cycle: Continuous Monitoring and Analytics)
19. The Windows 10 Defense Stack
Pre breach
• Device protection: Device Health attestation, Device Guard, Device Control, Security policies
• Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Windows Hello ;)
• Information protection: Device protection, BitLocker, Enterprise Data Protection, Conditional access
• Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall
Post breach
• Breach detection, Investigation & Response: Windows Defender Advanced Threat Protection (WDATP), Microsoft Advanced Threat Analytics (ATA)
20. Some of the security improvements in W10 / WS2016
Windows Defender, SmartScreen, Credential Guard, Enterprise Certificate Pinning, Just Enough Administration (JEA), Just-in-time Administration (JIT), Device Guard, Structured Exception Handling Overwrite Protection (SEHOP), Control Flow Guard (CFG), Windows Hello, In-box Azure MFA, Hypervisor-protected code integrity (HVCI), Shielded VMs, Host Guardian Service, Device Health Attestation (DHA), Network Controller, Distributed Firewall, Network Security Groups, Virtual Appliances, Virtual Secure Mode, Virtual TPM
More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
23. Windows Server 2016 approach
• Credential Guard
– Prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials through Virtualization-based Security
• Just Enough Administration (JEA)
– Limits administrative privileges to the bare-minimum required set of actions (limited in space)
• Just in Time Administration (JIT)
– Provides privileged access through a workflow that is audited and limited in time
• JEA + JIT
– Limitation in time & capability
More: https://github.com/PowerShell/JEA & https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services
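Putting the two ideas together in PowerShell, as an added example that is not part of the deck: a JEA endpoint that is limited in capability (a short list of DNS cmdlets with constrained parameters, run under a transient virtual account, every session transcribed) and a time-limited group membership that is limited in time. The domain CONTOSO, the group DnsOperators, the user jdoe and the paths are assumptions; the TTL on group membership is the Windows Server 2016 Active Directory feature behind MIM PAM and needs the "Privileged Access Management Feature" optional feature enabled in the forest.

```powershell
# Added example (not from the slides or the linked projects). Run elevated on the DNS server.
# Assumed names: domain CONTOSO, group CONTOSO\DnsOperators, user jdoe, paths under C:\JEA.

$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\JeaDnsTasks'
$rcFolder   = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcFolder -Force | Out-Null
# Role capability files are only discovered inside a valid module, so give it a manifest.
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaDnsTasks.psd1')

# 1. Capability limit ("limited in space"): the operator sees exactly these cmdlets,
#    and Restart-Service is pinned to the DNS service only.
$roleCapParams = @{
    Path           = Join-Path $rcFolder 'DnsOperator.psrc'
    VisibleCmdlets = @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        'Clear-DnsServerCache',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )
}
New-PSRoleCapabilityFile @roleCapParams

# 2. Session configuration: maps the AD group to the role, runs the session as a
#    virtual account (no standing admin credentials on the box) and records a transcript.
$transcripts = 'C:\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$sessionParams = @{
    Path                = 'C:\JEA\DnsOperator.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) { throw 'Invalid session configuration' }
Register-PSSessionConfiguration -Name 'JEA-Dns' -Path $sessionParams.Path -Force

# 3. Time limit ("limited in time"): membership in the operator group expires on its own.
#    Requires the AD optional feature, enabled once per forest with
#    Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target contoso.com
Add-ADGroupMember -Identity 'DnsOperators' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Hours 4)

# The operator connects for the next four hours with:
#   Enter-PSSession -ComputerName dns01 -ConfigurationName 'JEA-Dns'
# and can run nothing beyond the four cmdlets above; Get-Command inside the session confirms that.
```

Review the transcript directory and the expiry of the group membership together: the transcript tells you what was done, the TTL tells you that the right to do it has gone away without anyone having to remember to revoke it.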
24. In-box Azure MFA
More: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
26. Protect virtual machines
• Compromised or malicious fabric administrators can access guest VMs
• Health of hosts not taken into account before running VMs
• Tenant’s VMs are exposed to storage and network attacks
• Virtual Machines can’t take advantage of hardware-rooted security capabilities such as TPMs
(Diagram: Fabric, Hypervisor and Guest VM layers, with the question “Healthy host?”)
27. Windows Server 2016 approach
• Shielded VMs
– Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins & malware
• Host Guardian Service
– Attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts
• Generation 2 VMs
– Support virtualized equivalents of hardware security technologies (e.g., TPMs), enabling BitLocker encryption for Shielded VMs
More: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node
28. Guarded hosts and Shielded VMs attestation
• Admin-trusted attestation
– Intended to support existing host hardware (no TPM 2.0 available)
– Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group
• TPM-trusted attestation
– Offers the strongest possible protections
– Requires more configuration steps
– Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with secure boot enabled
– Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies
More: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node
32. Device Guard & AppLocker
• AppLocker was introduced back in Windows 7 / WS 2008 R2
– Specifies a list of apps allowed to run on a user’s device
– Whitelist can be specific to a group or individual within AD
– Much more efficient than a blacklist
• Device Guard extends AppLocker
– Relies on digital signatures
– Requires apps to be digitally signed
– This includes internal apps
• Device Guard Requirements
– Intel VT-x or AMD-V extensions
– Second Level Address Translation (SLAT)
– Intel VT-d or AMD-IOV
– TPM (optional, required for Credential Manager)
More: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
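The AppLocker workflow the slide describes (an allow-list rather than a blacklist, tied to publishers where possible) in PowerShell, as an added example that is not part of the deck: rules are generated from a reference machine, deployed in audit mode first so nothing breaks silently, and a file is dry-run against the policy before enforcement. The directory and file paths are assumptions; the cmdlets are those of the AppLocker module that ships with Windows.

```powershell
# Added example (not from the slides). Run elevated on a reference Windows 10 / Server 2016 machine.
# Assumed paths: C:\Program Files as the trusted baseline, a downloaded tool as the test subject.

Import-Module AppLocker

# 1. Inventory signer and hash data for everything installed under Program Files.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll

# 2. Publisher rules survive updates; hash rules catch unsigned files. -Optimize merges
#    rules that share a publisher so the policy stays readable.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Audit first: violations are logged (event 8003) instead of blocked (event 8004).
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry-run a file that lives outside the baseline; PolicyDecision tells you what would happen.
$verdict = Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Users\Public\Downloads\tool.exe' -User Everyone
$verdict | Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply locally, merged with any existing policy, and make sure the Application Identity
#    service (which AppLocker depends on) starts with the machine.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. Review what the audit phase caught before switching EnforcementMode to 'Enabled'.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Run the audit phase for long enough to cover a normal business cycle (month-end tools, quarterly reporting add-ins) before enforcing; every 8003 event is an application that would have been blocked and needs either a rule or a conversation with its owner.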
33. Device Guard
• Hardware Rooted App Control (runs in VSM)
– Enables a Windows desktop to be locked down to only run trusted apps, just like many mobile OSes (e.g. Windows Phone)
– Untrusted apps and executables such as malware are unable to run
– Resistant to tampering by an administrator or malware
– Requires devices specially configured by either the OEM or IT
• Getting Apps into the Circle of Trust
– Supports all apps, including Universal and Desktop (Win32)
– Trusted apps can be created by IHVs, ISVs, and Organizations using a Microsoft-provided signing service
– Apps must be specially signed using the Microsoft signing service. No additional modification is required
– Signing service made available to OEMs, IHVs, ISVs, and Enterprises
More: https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
34. Credential Guard
• Uses virtualization-based security to protect Kerberos, NTLM, and Credential Manager secrets
More: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works
35. Credential Guard Details
• Minimum Requirements
– Windows 10 v1511 or Windows Server 2016
– x64 architecture
– UEFI firmware 2.3.1 or higher and Secure Boot enabled
– TPM version 2.0
• Considerations
– Third-party Security Support Provider (SSP) secrets are not protected
– NTLM v1 is not supported (considered to be insecure)
– Kerberos unconstrained delegation & DES encryption aren’t supported
– Digest Auth, Credential delegation and MS-CHAPv2 will prompt for (and potentially expose) credentials
• MS-CHAPv2 should be phased out (i.e. upgrade your Wi-Fi and/or VPN)
More: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works
38. Windows Hello
• Replaces/extends Windows passwords with
– Fingerprint, iris scan & facial recognition
– MFA via companion devices like phones, wearables, USBs, smartcards (formerly Microsoft Passport)
(Screenshot: Windows Hello sign-in prompt, “Hello ITCamp”)
More: https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport
40. Group Managed Service Accounts
• The feature builds on Standalone Managed Service Accounts
– Introduced in Windows 2008 R2 and Windows 7
– Managed domain accounts
– Automated password management
– Simplified SPN (Service Principal Name) management, including delegation of management to other administrators
• Group Managed Service Accounts
– Provide the same functionality within the domain but also extend that functionality over multiple servers
– Leverage the Microsoft Key Distribution Service within the AD domain
– e.g. can be used when connecting to a service hosted on a server farm, such as behind a Network Load Balancer – ensures that all instances use the same principal
More: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
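The gMSA setup for the server-farm case the slide mentions, as an added example that is not part of the deck: one KDS root key per forest, one account whose password is derived from that key and rotated automatically, and a group of farm hosts that are the only principals allowed to retrieve it. The domain contoso.com, the group WebFarmHosts, the account name svc-webfarm and the SPNs are assumptions; the cmdlets are from the ActiveDirectory module.

```powershell
# Added example (not from the slides). Run as a domain admin from a machine with RSAT / the ActiveDirectory module.
# Assumed names: domain contoso.com, group WebFarmHosts (computer accounts of the farm), account svc-webfarm.

Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key every gMSA password is derived from.
#    In production the key becomes usable only after ~10 hours of replication;
#    -EffectiveTime ((Get-Date).AddHours(-10)) skips that wait and belongs in a lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. The hosts allowed to retrieve the password. Putting the farm's computer accounts in a group
#    is what lets every node behind the load balancer run as the same principal.
$farmHosts = Get-ADGroup -Identity 'WebFarmHosts'

# 3. The account: password rotated by AD every 30 days, SPNs registered up front, nobody ever sees the secret.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'webfarm.contoso.com' `
    -ServicePrincipalNames 'HTTP/webfarm.contoso.com', 'HTTP/webfarm' `
    -PrincipalsAllowedToRetrieveManagedPassword $farmHosts `
    -ManagedPasswordIntervalInDays 30

# 4. On each farm member (after its Kerberos ticket reflects the new group membership: reboot or klist purge):
Install-ADServiceAccount -Identity 'svc-webfarm'
$canRetrieve = Test-ADServiceAccount -Identity 'svc-webfarm'   # $true when this host may fetch the password
if (-not $canRetrieve) { throw 'This host is not allowed to retrieve the gMSA password; check WebFarmHosts membership' }

# Services and scheduled tasks are then configured to log on as CONTOSO\svc-webfarm$ with the password field left blank.
```

Test-ADServiceAccount returning $false on a node is the usual symptom of the computer account not yet being in the group from Kerberos's point of view; the fix is a fresh ticket, not a password.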
42. Today, device health is assumed
• Clients are usually granted full access to resources
• Any clients which become “unhealthy” can proliferate malware
(Diagram: clients (1) connecting to important resources (2))
43. Device Health Attestation (DHA)
• On-premise or cloud-based service
– Provides remote health attestation for devices
– Can issue health state “claims”
• Blocks unhealthy devices to protect resources and prevent proliferation
• Intune MDM can provide conditional access based on device health state claims
• Hardware Requirements
– UEFI 2.3.1 with Secure Boot
– VT-x, AMD-V & SLAT
– x64 processor
– IOMMU (Intel VT-d or AMD-Vi)
– TPM 1.2 or 2.0
More: https://docs.microsoft.com/en-us/windows-server/security/device-health-attestation
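The Device Guard, Credential Guard and DHA slides all list the same hardware prerequisites (UEFI with Secure Boot, x64, VT-x/AMD-V with SLAT, an IOMMU, a TPM). The check below, an added example that is not part of the deck, reads the Win32_DeviceGuard, Win32_Tpm and Win32_Processor classes that Windows 10 / Server 2016 expose to report whether those prerequisites are met and whether virtualization-based security, Credential Guard and HVCI are actually running on the machine; it also reads LmCompatibilityLevel, because the Credential Guard slide notes that NTLMv1 is not protected. Only the function name is an assumption; the classes, properties and codes are Microsoft's documented ones.

```powershell
# Added example (not from the slides). Run elevated on Windows 10 1607+ / Windows Server 2016.

function Get-VbsReadiness {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which is itself the answer.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # LmCompatibilityLevel defaults to 3 (send NTLMv2 only) when the value is absent;
    # anything below 3 still allows NTLMv1 responses, which Credential Guard leaves unprotected.
    $lm = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    $tpmVersion = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }

    # Win32_DeviceGuard codes: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning 1 = Credential Guard, 2 = HVCI;
    # AvailableSecurityProperties 2 = Secure Boot, 3 = DMA protection (IOMMU present and usable).
    [PSCustomObject]@{
        FirmwareType             = $env:firmware_type
        Is64Bit                  = [Environment]::Is64BitOperatingSystem
        SecureBootEnabled        = [bool]$secureBoot
        # Both processor flags read False on a Hyper-V host, where the hypervisor already owns them.
        VirtualizationInFirmware = $cpu.VirtualizationFirmwareEnabled
        SlatSupported            = $cpu.SecondLevelAddressTranslationExtensions
        TpmPresent               = [bool]$tpm
        TpmSpecVersion           = $tpmVersion
        DmaProtectionAvailable   = ($dg.AvailableSecurityProperties -contains 3)
        VbsRunning               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning   = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning              = ($dg.SecurityServicesRunning -contains 2)
        LmCompatibilityLevel     = $lm
        NtlmV1StillPossible      = ($lm -lt 3)
    }
}

Get-VbsReadiness | Format-List
```

A machine can satisfy every hardware line and still show VbsRunning as False, because the features are opt-in; the gap between AvailableSecurityProperties and SecurityServicesRunning is the part configuration has to close.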
45. Windows Information Protection
• Allows companies to transparently keep corporate data secure and personal data private, while providing data leakage control
• Key features:
– Automatically tag personal and corporate data
– Protect data while it’s at rest on local or removable storage
– Control which apps can access corporate data
– Control which apps can access a virtual private network (VPN) connection
– Prevent users from copying corporate data to public locations
– Help ensure business data is inaccessible when the device is in a locked state
– Ability to wipe corporate data from devices while leaving personal data alone
– Audit reports for tracking issues and remedial actions
More: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip
47. Windows 10 mitigations against memory exploits
• SMB hardening for SYSVOL and NETLOGON shares
– Client connections to the AD DS default SYSVOL and NETLOGON shares now require SMB signing and mutual authentication (such as Kerberos)
• Protected Processes
– Help prevent one process from tampering with another (specially signed) process
• Universal Windows apps protections
– Apps are carefully screened before being made available
– They run in an AppContainer sandbox with limited privileges
• Heap protections
– Improvements in the use of internal data structures which help protect against corruption of memory used by the heap
• Control Flow Guard (CFG)
– Helps mitigate exploits that are based on flow between code locations in memory
• Structured Exception Handling Overwrite Protection (SEHOP)
– Complements DEP and ASLR
• Kernel pool protections
– Help prevent exploitation of pool memory used by the kernel
More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
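CFG, DEP and ASLR only protect a process whose binaries opted into them at build time; the OS reads that decision from the DllCharacteristics field of the PE optional header. The script below, an added example that is not part of the deck, parses that field directly (no Windows API involved, so it also works on files copied from another machine) and reports which mitigations a binary carries. SEHOP is an OS-level policy rather than a PE flag, so it is not something a file can be checked for this way. The function name and the System32 sample path are assumptions; the offsets and bit values are from the PE/COFF specification.

```powershell
# Added example (not from the slides). Works on any Windows with PowerShell 5; no elevation needed.

function Get-PeMitigationFlags {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $b = [System.IO.File]::ReadAllBytes($Path)
        if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ executable: $Path" }

        $peOffset = [BitConverter]::ToInt32($b, 0x3C)                 # e_lfanew: where the PE header starts
        if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x00004550) { throw "PE signature missing: $Path" }  # 'PE\0\0'

        $opt   = $peOffset + 4 + 20                                   # skip signature (4) and COFF file header (20)
        $magic = [BitConverter]::ToUInt16($b, $opt)                   # 0x10B = PE32, 0x20B = PE32+
        $dll   = [BitConverter]::ToUInt16($b, $opt + 70)              # DllCharacteristics sits at +70 in both formats

        $format = if ($magic -eq 0x20B) { 'PE32+' } elseif ($magic -eq 0x10B) { 'PE32' } else { 'unknown' }

        [PSCustomObject]@{
            File             = Split-Path -Path $Path -Leaf
            Format           = $format
            CFG              = [bool]($dll -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
            DEP_NxCompat     = [bool]($dll -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
            ASLR_DynamicBase = [bool]($dll -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
            HighEntropyVA    = [bool]($dll -band 0x0020)   # 64-bit ASLR with the full address range
            ForceIntegrity   = [bool]($dll -band 0x0080)   # signature verified at load time
            AppContainer     = [bool]($dll -band 0x1000)   # must run inside an AppContainer sandbox
        }
    }
}

# Usage: survey some system executables and flag any that do not carry CFG.
Get-ChildItem -Path 'C:\Windows\System32\*.exe' | Select-Object -First 15 |
    Get-PeMitigationFlags |
    Format-Table -AutoSize
```

Run it over a vendor's installation directory before deployment: a third-party service without DEP_NxCompat or ASLR_DynamicBase is the kind of process that undoes the platform mitigations listed on this slide for everything loaded into it.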
48. Several other improvements
• Windows Defender SmartScreen
– Checks the reputation of all downloaded apps
• Code Integrity
– Ensures that only permitted binaries can be executed from the moment the OS is booted
• Enterprise Certificate Pinning
– Protects internal domain names from chaining to fraudulent certificates
• Early Launch Anti Malware (ELAM)
– Blocks driver-based rootkits
• Guarded Fabric
– Shielded VMs, VSM, Hypervisor Code Integrity (HVCI)
• Windows Defender Advanced Threat Protection (WDATP)
• Advanced Threat Analytics (ATA)
More: https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10
49. You might also want to take a look at… my ITCamp session from last year
Talking about Guarded Fabric, Microsoft ATA, WDATP & more