USING EMET TO DEFEND AGAINST TARGETED ATTACKS
Presented by Robert Hensing – Senior Consultant – Microsoft Corporation, and Michael Mattes – Senior Consultant – Microsoft Corporation


WHO WE ARE
Robert Hensing: 15-year Microsoft employee; Trustworthy Computing (TWC) alum; 5-year tour in MSRC Engineering – Defense team; currently Developer Consultant in the National Security Group (NSG) practice.
Michael Mattes: XX-year Microsoft employee; Infrastructure consultant in NSG, etc.

TRUSTWORTHY COMPUTING – SECURITY CENTERS
Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations). The slide is a diagram of the product life cycle from conception to release, showing which security center covers each phase:
- Microsoft Security Engineering Center (MSEC): Security Assurance, Security Science, SDL
- Microsoft Malware Protection Center (MMPC)
- Microsoft Security Response Center (MSRC): Ecosystem Strategy, MSRC Ops, MSRC Engineering

THE SOFTWARE VULNERABILITY ASYMMETRY PROBLEM
- Defender must fix all vulnerabilities in all software; the attacker wins by finding and exploiting just one vulnerability
- Threats change over time: the state of the art in vulnerability finding and attack techniques changes over time
- Patch deployment takes time: the vendor must offset risks to stability and compatibility, and the customer waits for a servicing cycle
Result: attackers only have to find one vulnerability, and they get to use it for a really long time.

EXPLOIT ECONOMICS
Attacker Return = (Gains per use × Opportunities to use) − (Cost to acquire vulnerability + Cost to weaponize)

EXPLOIT ECONOMICS
We can decrease Attacker Return if we are able to:
- Increase the attacker investment required to find usable vulnerabilities: remove entire classes of vulnerabilities where possible; focus on automation to scale human efforts
- Increase the attacker investment required to write reliable exploits: build mitigations that add brittleness; make exploits impossible to write completely reliably
- Decrease the attacker's opportunity to recover their investment: shrink the window of vulnerability; fewer opportunities via artificial diversity; enable rapid detection and suppression of exploit usage
Desired result: usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable.

INCREASE ATTACKER INVESTMENT REQUIRED TO FIND VULNERABILITIES (Exploit Economics Strategy – Step 1)

EMBEDDING SECURITY INTO SOFTWARE AND CULTURE – Tactics for Vulnerability Reduction
- Remove entire classes of vulnerabilities: security tooling; additional product features
- Remove all currently findable vulnerabilities: complete automation of tooling (SDL tools, Threat Modeling tool); fuzzing toolsets plus ways to streamline and improve triage; tool overlays to increase signal-to-noise and focus attention on the right code
- Verification and enforcement: audit individual tool usage via process tools; process tools required for SDL sign-off (policy enforcement)
- Ongoing process improvements

PREVENT RELIABLE EXPLOITATION OF VULNERABILITIES (Exploit Economics Strategy – Step 2)

EMBEDDING SECURITY INTO SOFTWARE AND CULTURE – Tactics to Frustrate Exploits
- Reduce the surface we have to defend: attack surface reduction; design additional product mitigations
- Make remaining vulnerabilities difficult or impossible to exploit: build mitigations that add exploit brittleness
- Ongoing process improvements

DIGITAL COUNTERMEASURES
Improve system survivability against exploitation of unknown vulnerabilities. Three goals:
- Increase attacker requirements, e.g. must be authenticated, local subnet only
- Deterrent: no economically reliable exploit exists
- Mitigation: break 100% reliable universal exploits
These often must be combined. Even when the mitigation succeeds, the result is still impactful to the user.

MITIGATION APPROACHES
- Utilize knowledge deficits: use secrets such that guessing impairs exploit reliability. /GS protects stack buffers by checking random cookies placed between them and control structures. Function pointer encoding.
- Artificial diversity: ASLR (Address Space Layout Randomization).
- Enforce invariants: Data Execution Prevention (DEP); heap and pool metadata checks; SafeSEH / SEH Overwrite Protection (SEHOP).
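As an added example, not part of the original slides, the C program below models the /GS cookie check from the first bullet and shows why it is classed as a knowledge deficit. The frame layout, the fixed cookie value, the hypothetical return address 0x401000 and the three constructed inputs are assumptions made for the example; a real /GS cookie is random per process, which is exactly what the attacker does not know. The overflow is performed through a byte pointer to a struct that stands in for the stack frame, so the program is well-defined C rather than a real stack smash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Stand-in for the per-process __security_cookie that /GS code checks.
 * The real cookie is chosen randomly at process start; a fixed constant
 * (an assumption for this example) keeps the demonstration repeatable. */
static const uintptr_t security_cookie = (uintptr_t)0x2B992DDF;

/* Model of a /GS-protected frame: the buffer sits at the lowest address and
 * the cookie is placed between it and the control data, so a linear overflow
 * has to pass through the cookie before it reaches the return address. */
struct frame {
    char      buf[BUF_SIZE];
    uintptr_t cookie;
    uintptr_t ret;     /* saved return address (control data) */
};

enum gs_result { GS_OK = 0, GS_COOKIE_CORRUPT = 1 };

/* A function with an unchecked copy into its stack buffer (the bug) followed
 * by the /GS epilogue check.  The copy goes through a byte pointer to the whole
 * struct so it overwrites the cookie and return slot exactly as a real overflow
 * would while remaining well-defined C; 'len' is capped at the frame size.
 * Returns GS_COOKIE_CORRUPT when the epilogue would invoke the failure handler
 * instead of returning; *ret_out receives the (possibly overwritten) address. */
enum gs_result run_vulnerable_function(struct frame *f, const unsigned char *input,
                                       size_t len, uintptr_t *ret_out)
{
    const uintptr_t caller = (uintptr_t)0x00401000;  /* hypothetical return address */
    unsigned char *raw = (unsigned char *)f;

    f->cookie = security_cookie;          /* prologue: plant the cookie */
    f->ret = caller;

    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(raw, input, len);              /* no bounds check: the vulnerability */

    *ret_out = f->ret;                    /* epilogue: __security_check_cookie */
    return f->cookie == security_cookie ? GS_OK : GS_COOKIE_CORRUPT;
}

/* Constructed attacker payload: BUF_SIZE filler bytes, then the value the
 * attacker believes the cookie is, then the return address they want to
 * land on.  Returns the payload length (the full frame size). */
size_t build_payload(unsigned char *out, uintptr_t cookie_guess, uintptr_t new_ret)
{
    memset(out, 'A', BUF_SIZE);
    memcpy(out + offsetof(struct frame, cookie), &cookie_guess, sizeof cookie_guess);
    memcpy(out + offsetof(struct frame, ret), &new_ret, sizeof new_ret);
    return sizeof(struct frame);
}

/* Three scenarios: 0 = benign input that fits the buffer; 1 = blind overflow
 * where the attacker guesses the cookie and gets it wrong; 2 = overflow that
 * uses a cookie obtained from a separate information leak. */
static enum gs_result scenario(int which, uintptr_t *ret_out)
{
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    size_t n;

    switch (which) {
    case 0:  n = 5; memcpy(payload, "hello", n); break;
    case 1:  n = build_payload(payload, (uintptr_t)0x41414141, (uintptr_t)0xDEADBEEF); break;
    default: n = build_payload(payload, security_cookie, (uintptr_t)0xDEADBEEF); break;
    }
    return run_vulnerable_function(&f, payload, n, ret_out);
}

enum gs_result scenario_result(int which) { uintptr_t r; return scenario(which, &r); }
uintptr_t      scenario_ret(int which)    { uintptr_t r; scenario(which, &r); return r; }

int main(void)
{
    static const char *names[] = { "benign input", "blind overflow", "leaked cookie" };
    int i;
    for (i = 0; i < 3; i++)
        printf("%-15s check=%s  ret=%#lx\n", names[i],
               scenario_result(i) == GS_OK ? "passed" : "FAILED",
               (unsigned long)scenario_ret(i));
    return 0;
}
```

The third scenario is the caveat to keep in mind: the cookie check only raises the cost of exploitation while the cookie stays secret, so an information-leak primitive removes the protection entirely. That is why the slides pair the knowledge-deficit mitigations with artificial diversity (ASLR) and invariant enforcement (DEP, SEHOP) rather than relying on any one of them alone.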

MEMORY SAFETY MITIGATIONS ROADMAP
(Timeline figure with three rows, Stack, Heap / Pool and Executable Code. Milestones shown, in the order they appear: /GS 1.0, /GS 1.1, Heap 1.0, DEP, ASLR, DEP IE, /GS, /NXCOMPAT, Heap 2.0, HeapTerm, EH4, SEHOP, /GS 3.0, DEP+ATL, Safe Unlinking 2009, DEP O, SEHOP IE9.)

MS12-037 – INTERNET EXPLORER CVE (SAME ID)
- 0-day vulnerability being used in limited targeted attacks prior to bulletin release
- Vulnerability about as bad as it gets: remote code execution in all versions of IE (at the time), exploitable via a web page
- Fixed by MS12-037: http://technet.microsoft.com/en-us/security/bulletin/ms12-037
- Standard mitigations in the bulletin were: don't open Office documents; kill-bit the ActiveX control in IE

EMET VS. MS12-037 CVE (SAME ID)

CALL TO ACTION
- Follow the Security Research and Defense blog
- Evaluate and deploy EMET v3.5 or newer
- Protect critical applications such as Internet Explorer, Firefox, Office, Adobe Acrobat, etc.
- Monitor for EMET-related events in the event log using System Center or other enterprise monitoring software

DEPLOYMENT AND MANAGEMENT VIA GROUP POLICY