Determined Human Adversaries: Mitigations

Presentation on theme: "Determined Human Adversaries: Mitigations"— Presentation transcript:

1 Determined Human Adversaries: Mitigations
Neil Carpenter, Principal Security Escalation Engineer, Global Incident Response & Recovery
Jim Payne, Principal Security Relationship Manager, Microsoft CSS Security

2 Preference
Information is based on extensive experience by the CSS Security & Global Incident Response & Recovery teams working with customers who experienced a directed attack. In no way is this information to imply or insinuate that there is direct knowledge of what will occur, if anything.

3 Attackers & Attacks
Economic Espionage
Military Espionage
Cyber Crime
Ideological Movements
Organized Crime
Nation States

4 Cyber Security Attacks

5 Commonly Reported
Distributed Denial of Service attack
Web Defacement
Determined Human Adversary / Directed Attack

6 Denial of Service
Mitigate the impact (usually with dedicated hardware, and usually in conjunction with your Internet provider)
Use a CDN to scale out
Move key properties to a more resilient platform (for example, the cloud)
Customers should be ready with a strategy for handling a DDoS before it happens; otherwise, it’s a lot of downtime and a lot of panic.

7 Web Defacement
Develop secure code. SDL, SDL, SDL.
If the website is already deployed, it’s quite likely that SDL was not utilized to develop secure code.
Make sure that everything is up to date – not just the OS, but any deployed frameworks & applications. Compromises via 3rd party frameworks, such as ColdFusion, have been common lately.
Ensure that you are gathering the right data in case something does happen.
IIS logs – We see far too many customers who turn off IIS logging or disable key fields to save disk space. Disks are cheap, security compromises are not. If you’re using a reverse proxy, pass the real source IP address to the IIS server and/or maintain easily accessible proxy logs with all the needed info.
Have a plan if something happens. Gather data before deleting/restoring content. Preferably, plan to involve Microsoft CSS Sec as soon as possible.
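One way to audit the IIS logging point above, as an added example that is not part of the presentation: it checks that logging is on for a site, that the W3C fields an investigation needs are selected, and that a custom field captures X-Forwarded-For when a reverse proxy sits in front. It assumes the WebAdministration module and an elevated prompt; custom log fields require IIS 8.5 or later, and the remediation command at the end is an assumed syntax to verify before use.

```powershell
# Added example, not from the slides: audit one IIS site's W3C logging so the
# fields an investigation needs are present. Assumes the WebAdministration
# module (IIS 7+) and an elevated prompt; the X-Forwarded-For custom field
# needs IIS 8.5 or later.
Import-Module WebAdministration

function Test-IisLogging {
    param([string]$SiteName = 'Default Web Site')

    $logFile  = Get-ItemProperty "IIS:\Sites\$SiteName" -Name logFile
    $findings = @()

    if (-not $logFile.enabled) {
        $findings += "Logging is disabled for '$SiteName'."
    }

    # Fields an incident responder will want to reconstruct a web attack.
    $required = 'Date','Time','ClientIP','Method','UriStem','UriQuery',
                'HttpStatus','HttpSubStatus','UserName','UserAgent','Referer'
    $present  = $logFile.logExtFileFlags -split ',\s*'
    foreach ($field in $required) {
        if ($present -notcontains $field) {
            $findings += "W3C field '$field' is not logged (logExtFileFlags)."
        }
    }

    # Behind a reverse proxy, c-ip is the proxy's address; a custom field that
    # records the X-Forwarded-For request header keeps the real client IP.
    $xff = @($logFile.customFields.Collection | Where-Object {
        $_.sourceType -eq 'RequestHeader' -and $_.sourceName -eq 'X-Forwarded-For'
    })
    if ($xff.Count -eq 0) {
        $findings += "No custom log field captures X-Forwarded-For."
    }

    if ($findings.Count -eq 0) { return "OK: '$SiteName' logging looks complete." }
    return $findings
}

# Remediation for the proxy case (assumed syntax; applies to all sites through
# siteDefaults):
# Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
#     -Filter 'system.applicationHost/sites/siteDefaults/logFile/customFields' `
#     -Name '.' -Value @{ logFieldName = 'X-Forwarded-For';
#                         sourceName   = 'X-Forwarded-For';
#                         sourceType   = 'RequestHeader' }

Test-IisLogging
```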

8 Mitigations For Directed Attacks

9 Overview of a Directed Attack
Attackers exploit a weakness to compromise a host (the initial attack vector), then:
Install malware for persistence and to automate their tasks
Elevate their privileges
Mine for useful credentials
Exfiltrate or delete data

10 Initial Attack Vector
Mitigation:
Patching critical vulnerabilities is key. This needs to be done for all products – Microsoft infrastructure such as System Center Configuration Manager & WSUS can apply updates to Microsoft products, but they do not cover 3rd party products unless that 3rd party has published a manifest.
User Education – Cannot place enough emphasis

11 Install Malware
Mitigation:
Monitor your anti-virus/anti-malware solution carefully. Ensure it is running on all machines in the environment and that signatures are kept up to date.
Use an application whitelisting approach such as AppLocker to help prevent the introduction of unwanted software.
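A check for the AppLocker recommendation above, as an added example that is not part of the presentation: it reads the effective AppLocker policy and reports whether each rule collection is actually enforced rather than audit-only, and whether the Application Identity service that AppLocker depends on is running. It assumes a Windows SKU that ships the AppLocker cmdlets.

```powershell
# Added example, not from the slides: confirm AppLocker is enforcing (not just
# auditing) on this host and that the Application Identity service it relies
# on is running. Assumes a Windows SKU that ships the AppLocker cmdlets.
function Test-AppLockerEnforcement {
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    # The effective policy merges local and domain (GPO) AppLocker settings.
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml

    $collections = foreach ($rc in @($xml.AppLockerPolicy.RuleCollection)) {
        [pscustomobject]@{
            Collection      = $rc.Type              # Exe, Msi, Script, Dll, Appx
            EnforcementMode = $rc.EnforcementMode   # NotConfigured, AuditOnly, Enabled
            RuleCount       = $rc.ChildNodes.Count
        }
    }

    $findings = @()
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += 'AppIDSvc is not running; AppLocker rules are not evaluated.'
    }
    foreach ($type in 'Exe','Msi','Script') {
        $c = $collections | Where-Object Collection -eq $type
        if (-not $c) {
            $findings += "No $type rule collection defined."
        } elseif ($c.EnforcementMode -ne 'Enabled') {
            $findings += "$type collection is '$($c.EnforcementMode)', not enforced."
        } elseif ($c.RuleCount -eq 0) {
            # An enforced collection with no rules denies everything of that type.
            $findings += "$type collection is enforced with zero rules (blocks all)."
        }
    }

    $svcState = if ($svc) { $svc.Status } else { 'NotInstalled' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        AppIDSvc    = $svcState
        Collections = $collections
        Findings    = $findings
    }
}

Test-AppLockerEnforcement | Format-List
```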

12 Elevate Privileges
Mitigation:
Users should not run as local admin on workstations.
Domain admins should never log on to workstations or member servers in the domain. Use a group policy to remove the Logon Locally right for domain administrators from all machines except for domain controllers.
Use hardened workstations to perform necessary administrative tasks.
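A host-side check for the logon-rights rule above, as an added example that is not part of the presentation: it exports the local user-rights assignment with secedit, resolves the Domain Admins SID, and reports whether that group is still allowed interactive logon on a host that is not a domain controller (where the expected state is a deny). It assumes a domain-joined host and an elevated prompt; the export path and function names are my own.

```powershell
# Added example, not from the slides: check whether Domain Admins can log on
# interactively to this host. On anything other than a domain controller the
# expected result is a deny via SeDenyInteractiveLogonRight. Assumes a
# domain-joined host and an elevated prompt (secedit needs it).
function Get-UserRightsAssignment {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values are comma-separated SIDs prefixed with '*', or plain names.
            $rights[$matches[1]] = ($matches[2] -split ',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-DomainAdminLogon {
    $rights = Get-UserRightsAssignment
    $daSid  = (New-Object System.Security.Principal.NTAccount(
                 "$env:USERDOMAIN\Domain Admins")).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
    # Domain Admins is normally nested in BUILTIN\Administrators on members,
    # so an allow for S-1-5-32-544 also lets Domain Admins in.
    $aliases = @($daSid, 'S-1-5-32-544')

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc    = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    $allowed = @($rights['SeInteractiveLogonRight'] | Where-Object { $aliases -contains $_ })
    $denied  = @($rights['SeDenyInteractiveLogonRight']) -contains $daSid

    $finding = if ($isDc)    { 'Expected: domain controllers are where Domain Admins log on.' }
               elseif ($denied) { 'OK: Domain Admins are denied interactive logon here.' }
               else { 'Gap: Domain Admins can log on here; deploy a Deny log on locally GPO.' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDc
        DomainAdminsDenied = $denied
        AllowedVia         = ($allowed -join ', ')
        Finding            = $finding
    }
}

Test-DomainAdminLogon
```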

13 Mine for Useful Credentials
Mitigation:
Use unique passwords for the local administrator account on every host in your enterprise. Better yet, disable this account entirely and monitor for attempted usage of it.
Limit service account privilege and monitor usage of these accounts. Never run a service account as domain administrator or other privileged accounts. Service accounts should have least privilege (no logon locally or logon via network, for example).
Where possible, use LocalService and NetworkService accounts instead of LocalSystem.
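An audit for the local-administrator and service-account points above, as an added example that is not part of the presentation: it locates the built-in Administrator by RID 500 rather than by name, lists services running under domain accounts or as LocalSystem, and searches the Security log for recent logon attempts against the RID-500 account. It assumes PowerShell 5.1 or later and rights to read the Security log; the function name and the 24-hour window are my own.

```powershell
# Added example, not from the slides: audit the built-in Administrator (RID
# 500), report services running as domain accounts or LocalSystem, and find
# recent logon attempts against the RID-500 account in the Security log.
# Assumes PowerShell 5.1+ (Get-LocalUser) and rights to read the Security log.
function Get-CredentialHygieneReport {
    param([int]$Hours = 24)

    # 1. Find the built-in Administrator by RID, since it may be renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

    # 2. Services under a domain account (candidates for over-privilege) and
    #    services as LocalSystem where LocalService/NetworkService might do.
    $services  = Get-CimInstance Win32_Service | Where-Object { $_.StartName }
    $domainSvc = $services | Where-Object {
        ($_.StartName -match '\\' -and
         $_.StartName -notmatch '^(\.|NT AUTHORITY|NT SERVICE|BUILTIN)\\') -or
        $_.StartName -match '@'          # UPN form: svc@domain.example
    }
    $systemSvc = $services | Where-Object { $_.StartName -eq 'LocalSystem' }

    # 3. Logon events: 4624 (success) and 4625 (failure). Match successes by
    #    SID; failures usually carry TargetUserSid S-1-0-0, so match the name.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
    $rid500 = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserSid'] -like '*-500' -or
            $data['TargetUserName'] -eq $builtin.Name) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id
                               User = $data['TargetUserName']; Source = $data['IpAddress']
                               LogonType = $data['LogonType'] }
        }
    }

    [pscustomobject]@{
        BuiltinAdminName      = $builtin.Name
        BuiltinAdminEnabled   = $builtin.Enabled      # should be False
        DomainAccountServices = @($domainSvc | ForEach-Object { "$($_.Name) ($($_.StartName))" })
        LocalSystemServices   = @($systemSvc).Count
        Rid500LogonAttempts   = @($rid500)
    }
}

Get-CredentialHygieneReport | Format-List
```

Failed logons (4625) against a renamed Administrator are matched on the current account name, so the report still works after the rename the slide recommends; a Domain Admins membership check for the listed service accounts is a natural follow-up.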

14 Copy or Delete Data
Mitigation:
Define business critical data and apply extra protections to that data in transit and in storage.
Implement a data classification scheme and introduce a policy so that all high business impact data is stored centrally, and then:
Encrypt it at rest using rights management services
Segregate access to the data from domain administrators
Use IPsec to prevent network capture across the network
Back it up frequently; test restores; keep an offsite backup

15 Defender’s Dilemma
Patching
Limited Users
Domain Admins Logon To DCs Only
Application Control
Monitor & Respond To Anti-Malware
Protect Local Admin
Limit Service Privilege
Protect Data

16 Questions?
Defender’s Dilemma: The defender must protect against everything. The attacker only has to succeed with one.
Neil Carpenter, Principal Security Escalation Engineer
Jim Payne, Principal Security Relationship Manager
