Determined Human Adversaries: Mitigations
Neil Carpenter, Principal Security Escalation Engineer, Global Incident Response & Recovery
Jim Payne, Principal Security Relationship Manager, Microsoft CSS Security
Preference
This information is based on the extensive experience of the CSS Security and Global Incident Response & Recovery teams working with customers who have experienced a directed attack. It is in no way meant to imply or insinuate that there is direct knowledge of what will occur, if anything.
Attackers & Attacks
[Diagram] Attackers: Ideological Movements, Organized Crime, Nation States. Attacks: Cyber Crime, Economic Espionage, Military Espionage.
Cyber Security Attacks
Commonly reported:
- Distributed Denial of Service attack
- Web Defacement
- Determined Human Adversary / Directed Attack
Denial of Service
- Mitigate the impact (usually with dedicated hardware, and usually in conjunction with your Internet provider).
- Use a CDN to scale out.
- Move key properties to a more resilient platform, for example the cloud.
- Customers should have a strategy for handling a DDoS ready before it happens; otherwise it is a lot of downtime and a lot of panic.
Web Defacement
- Develop secure code. SDL, SDL, SDL. If the website is already deployed, it is quite likely that SDL was not used to develop it.
- Make sure that everything is up to date: not just the OS, but every deployed framework and application. Compromises via 3rd-party frameworks, such as ColdFusion, have been common lately.
- Ensure that you are gathering the right data in case something does happen. IIS logs: we see far too many customers who turn off IIS logging or disable key fields to save disk space. Disks are cheap; security compromises are not. If you are using a reverse proxy, pass the real source IP address through to the IIS server (for example in an X-Forwarded-For header) and/or keep easily accessible proxy logs with all the needed information; a log in which every request comes from the proxy's address cannot tell you who the attacker was.
- Have a plan for when something happens. Gather data before deleting or restoring content. Preferably, plan to involve Microsoft CSS Security as soon as possible.
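The IIS logging points above, as an added example that is not part of the original deck: it parses IIS W3C extended log lines, warns when fields an incident responder needs are not being logged, and recovers the real client address behind a reverse proxy. It assumes the proxy inserts an X-Forwarded-For header and that IIS records it as a custom log field of that name (how that is configured depends on the IIS version and the proxy); the proxy address and the log text are constructed for the illustration.

```powershell
# Added example, not from the original deck. Assumptions: the proxy at $ProxyAddress sets
# X-Forwarded-For and IIS logs it under that field name; the sample log below is constructed.

$ProxyAddress   = '10.0.0.5'
$RequiredFields = 'date', 'time', 'c-ip', 'cs-username', 'cs-method', 'cs-uri-stem',
                  'cs-uri-query', 'sc-status', 'sc-substatus', 'cs(User-Agent)', 'cs(Referer)',
                  'X-Forwarded-For'

# Constructed sample; real files live under C:\inetpub\logs\LogFiles\W3SVC<siteId>\ by default.
# sc-substatus and cs(Referer) are deliberately missing from the header to show the check firing.
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) X-Forwarded-For
2013-06-01 10:15:01 10.0.0.5 - GET /index.html - 200 Mozilla/5.0 203.0.113.7
2013-06-01 10:15:02 10.0.0.5 - GET /CFIDE/administrator/ - 401 curl/7.29.0 198.51.100.23
2013-06-01 10:15:03 10.0.0.5 - POST /CFIDE/administrator/ - 200 curl/7.29.0 198.51.100.23
2013-06-01 10:15:04 10.0.0.5 - GET /index.html - 200 Mozilla/5.0 -
'@

function ConvertFrom-IisLog {
    # Turns W3C extended log text into objects keyed by the names in the #Fields line.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

$lines   = $SampleLog -split "`r?`n"
$header  = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
$present = ($header -replace '^#Fields:\s*', '') -split '\s+'
$missing = $RequiredFields | Where-Object { $present -notcontains $_ }
if ($missing) { Write-Warning "Fields needed for incident response are not being logged: $($missing -join ', ')" }

$records = ConvertFrom-IisLog -Lines $lines
foreach ($r in $records) {
    # Behind a reverse proxy c-ip is always the proxy; the real client is the first address in
    # X-Forwarded-For (the proxy may append a chain). A '-' means the proxy did not pass it on.
    $xff = $r.'X-Forwarded-For'
    if ($r.'c-ip' -eq $ProxyAddress -and $xff -and $xff -ne '-') {
        $r | Add-Member -MemberType NoteProperty -Name ClientIP -Value (($xff -split ',')[0].Trim())
    } else {
        $r | Add-Member -MemberType NoteProperty -Name ClientIP -Value $r.'c-ip'
        if ($r.'c-ip' -eq $ProxyAddress) {
            Write-Warning "$($r.date) $($r.time) $($r.'cs-uri-stem'): request came via the proxy with no client address"
        }
    }
}

# With the real address recovered, one attacker's activity can be grouped together, which is
# what you need when deciding what to preserve before restoring content.
$records | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Requests'; e = { ($_.Group | ForEach-Object { "$($_.'cs-method') $($_.'cs-uri-stem') $($_.'sc-status')" }) -join '; ' } }
```

Run it against a real log by replacing $SampleLog with Get-Content of the log file; the field-presence check is the one to put in a build baseline, since a missing cs(User-Agent) or cs-uri-query is only discovered when it is needed.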
Mitigations For Directed Attacks
Overview of a Directed Attack
Attackers exploit a weakness to compromise a host (the initial attack vector), then:
- Install malware for persistence and to automate their tasks
- Elevate their privileges
- Mine for useful credentials
- Exfiltrate or delete data
Initial Attack Vector
Mitigation:
- Patching critical vulnerabilities is key, and it needs to be done for all products. Microsoft infrastructure such as System Center Configuration Manager and WSUS can apply updates to Microsoft products, but it does not cover 3rd-party products unless that 3rd party has published an update catalog (manifest) for it.
- User education: cannot place enough emphasis on it.
Install Malware
Mitigation:
- Monitor your anti-virus/anti-malware solution carefully. Ensure it is running on all machines in the environment and that signatures are kept up to date.
- Use an application whitelisting approach such as AppLocker to help prevent the introduction of unwanted software.
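The AppLocker step above, as an added example that is not part of the original deck: it builds a rule set from the software present on a clean reference build, dry-runs it against sample paths, and deploys it in audit mode before enforcing. It assumes an elevated session on Windows 7 Enterprise / Server 2008 R2 or later with the AppLocker module; the directory list and the test paths are placeholders.

```powershell
# Added example, not from the original deck. Assumptions: elevated PowerShell, AppLocker
# module available, reference directories and test paths are placeholders.

Import-Module AppLocker

# 1. Inventory executables and scripts that are legitimately present on the reference machine.
$referenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Generate rules: publisher rules for signed files, hash rules for the unsigned ones,
#    collapsed (-Optimize) into as few rules as possible. Once enforced, nothing outside
#    these rules runs, which is what stops a payload dropped in %TEMP% or a user profile.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Start in audit mode: would-be blocks are only logged (AppLocker operational log,
#    event ID 8003) until the rule set has been proven against real usage. Enforcing an
#    incomplete rule set is how you lock yourself out of your own servers.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 4. Dry-run the policy against files before deploying it. The paths must exist on the box.
$samples = 'C:\Windows\System32\cmd.exe', "$env:TEMP\dropped.exe"
Test-AppLockerPolicy -PolicyObject $policy -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally; -Merge keeps rules that are already present. To write to a domain GPO
#    instead, use -Ldap with the GPO's LDAP path. AppLocker only evaluates rules while the
#    Application Identity service is running.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Start-Service -Name AppIDSvc

# 6. Watch the audit events for a while, then switch EnforcementMode to 'Enabled'.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message
```

The audit period is the important part: every 8003 event is either a legitimate program that needs a rule or the kind of unwanted software the slide is about, and you want to know which before users start calling.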
Elevate Privileges
Mitigation:
- Users should not run as local admin on workstations.
- Domain admins should never log on to workstations or member servers in the domain. Use a group policy to remove the log on locally right for domain administrators from all machines except domain controllers. Because Domain Admins are members of the local Administrators group on every domain-joined machine, this has to be done with the "Deny log on locally" (and deny RDP, batch and service logon) user rights, which override any allow right; taking them out of "Allow log on locally" alone does not stop them.
- Use a hardened workstation to perform necessary administrative tasks.
Mine for Useful Credentials
Mitigation:
- Use a unique password for the local administrator account on every host in your enterprise. Better yet, disable this account entirely and monitor for attempted use of it.
- Limit service account privilege and monitor usage of these accounts. Never run a service as domain administrator or any other privileged account. Service accounts should have least privilege (deny log on locally and deny access from the network, for example).
- Where possible, use the LocalService and NetworkService accounts instead of LocalSystem.
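The checks behind the two slides above (privilege elevation and credential mining), as one added example that is not part of the original deck: it lists privileged accounts that have logged on to this host in a way that leaves a reusable credential behind, flags any use of the built-in local Administrator, confirms that the deny-logon policy for Domain Admins actually applied, and lists services running under accounts that deserve review. It assumes an elevated session on a domain-joined member server or workstation (not a DC) with the ActiveDirectory RSAT module, logon auditing enabled, and 'Domain Admins' as the privileged group.

```powershell
# Added example, not from the original deck. Assumptions: elevated PowerShell on a non-DC
# domain member, ActiveDirectory module present, Security log auditing logon events,
# 'Domain Admins' as the privileged group of interest.

Import-Module ActiveDirectory

$privGroup = Get-ADGroup -Identity 'Domain Admins'
$privUsers = Get-ADGroupMember -Identity $privGroup -Recursive | Select-Object -ExpandProperty SamAccountName

# 1. Successful logons (4624) in the last 7 days. Logon types 2 (interactive), 10 (RDP),
#    4 (batch) and 5 (service) put a reusable credential on this host; type 3 (network) does not.
$riskyTypes = '2', '4', '5', '10'
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            Sid       = $d['TargetUserSid']
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
        }
    }

# Domain Admins logging on to a non-DC: this list should be empty.
$logons | Where-Object { $privUsers -contains $_.User -and $riskyTypes -contains $_.LogonType } |
    Format-Table Time, Domain, User, LogonType, Source -AutoSize

# 2. The built-in local Administrator keeps RID 500 whatever it has been renamed to. If the
#    account is disabled, any successful logon for it is worth an alert on its own.
$logons | Where-Object { $_.Sid -like '*-500' } | Format-Table Time, User, LogonType, Source -AutoSize

# 3. Confirm the GPO that keeps Domain Admins off this host actually applied: export the
#    effective local policy and look for the group's SID in the deny-logon rights.
secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
$denyRights = Get-Content "$env:TEMP\secpol.inf" |
    Where-Object { $_ -match '^SeDeny(Interactive|RemoteInteractive|Batch|Service)LogonRight' }
if (-not $denyRights) { Write-Warning 'No deny-logon rights are configured on this host' }
foreach ($right in $denyRights) {
    $status = if ($right -match [regex]::Escape($privGroup.SID.Value)) { 'OK' } else { 'MISSING Domain Admins' }
    '{0,-35} {1}' -f ($right -split '=')[0].Trim(), $status
}

# 4. Services. LocalService/NetworkService are the low-privilege built-ins; LocalSystem and
#    domain accounts deserve review, and a service running as a Domain Admin is a finding.
Get-CimInstance Win32_Service | ForEach-Object {
    $acct = if ($_.StartName) { ($_.StartName -split '\\')[-1] } else { '' }
    [pscustomobject]@{
        Service = $_.Name
        RunsAs  = $_.StartName
        Finding = if ($privUsers -contains $acct) { 'DOMAIN ADMIN' }
                  elseif ($_.StartName -eq 'LocalSystem') { 'LocalSystem: prefer LocalService/NetworkService' }
                  elseif ($_.StartName -like '*\*' -and $_.StartName -notlike 'NT *') { 'domain/local account: check least privilege' }
                  else { '' }
    }
} | Where-Object { $_.Finding } | Sort-Object Finding | Format-Table -AutoSize
```

Step 3 is the one people skip: a deny-logon GPO that is linked to the wrong OU or blocked by inheritance looks fine in the console and does nothing on the host, and the exported policy is what the machine is actually enforcing.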
Copy or Delete Data
Mitigation:
- Define business-critical data and apply extra protections to that data in transit and in storage.
- Implement a data classification scheme and introduce a policy so that all high business impact data is stored centrally, and then:
  - Encrypt it at rest using Rights Management Services
  - Segregate access to the data from domain administrators
  - Use IPsec so the traffic cannot be captured in the clear on the network
  - Back it up frequently, test restores, and keep an offsite backup
Defender's Dilemma
- Patching
- Limited Users
- Domain Admins Logon To DCs Only
- Application Control
- Monitor & Respond To Anti-Malware
- Protect Local Admin
- Limit Service Privilege
- Protect Data
Questions?
Defender's Dilemma: the defender must protect against everything; the attacker only has to succeed once.
Neil Carpenter, Principal Security Escalation Engineer, neilcar@Microsoft.com
Jim Payne, Principal Security Relationship Manager, jpayne@Microsoft.com