Presentation is loading. Please wait.

Presentation is loading. Please wait.

USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT.

Published byMichael Cressey Modified over 9 years ago

Similar presentations

Presentation on theme: "USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT."— Presentation transcript:

1 USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT – MICROSOFT CORPORATION

2 WHO WE ARE Robert Hensing 15 year Microsoft employee TWC alum 5 year tour in MSRC Engineering – Defense team Currently Developer Consultant in National Security Group practice Michael Mattes XX year Microsoft employee Infrastructure consultant in NSG etc.

3 TRUSTWORTHY COMPUTING - SECURITY CENTERS Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations) Microsoft Security Engineering Center (MSEC) Security Assurance Security Science SDLSDL Microsoft Malware Protection Center (MMPC) Release Product Life Cycle Microsoft Security Response Center (MSRC) (MSRC) Ecosystem Strategy MSRC Ops MSRC Engineering Conception

4 Result: Attackers only have to find one vulnerability, and they get to use it for a really long time. THE SOFTWARE VULNERABILITY ASYMMETRY PROBLEM Defender must fix all vulnerabilities in all software – attacker wins by finding and exploiting just one vulnerability Threats change over time – state-of-the-art in vulnerability finding and attack techniques changes over time Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle

5 EXPLOIT ECONOMICS 5 Gains per use X Opportunities to use Cost to acquire vulnerability + Cost to weaponize Attacker Return - =

6 Desired Result: Usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable EXPLOIT ECONOMICS We can decrease Attacker Return if we are able to… Increase attacker investment required to find usable vulnerabilities Remove entire classes of vulnerabilities where possible Focus on automation to scale human efforts Increase attacker investment required to write reliable exploits Build mitigations that add brittleness Make exploits impossible to write completely reliably Decrease attacker’s opportunity to recover their investment Shrink window of vulnerability Fewer opportunities via artificial diversity Enable rapid detection & suppression of exploit usage

7 INCREASE ATTACKER INVESTMENT REQUIRED TO FIND VULNERABILITIES Exploit Economics Strategy – Step 1 7

8 EMBEDDING SECURITY INTO SOFTWARE AND CULTURE Tactics for Vulnerability Reduction Remove entire classes of vulnerabilities Security Tooling Additional product features Remove all currently findable vulnerabilities Complete automation of tooling SDL tools, Threat Modeling tool Fuzzing toolsets + ways to streamline & improve triage Tool overlays to increase signal-to-noise and focus attention on the right code Verification & enforcement Audit individual tool usage via process tools Process tools required for SDL signoff - policy enforcement Ongoing Process Improvements

9 PREVENT RELIABLE EXPLOITATION OF VULNERABILITIES Exploit Economics Strategy – Step 2

10 EMBEDDING SECURITY INTO SOFTWARE AND CULTURE Tactics to Frustrate Exploits Reduce the surface we have to defend Attack surface reduction Design additional product mitigations Make remaining vulnerabilities difficult or impossible to exploit Build mitigations that add exploit brittleness Ongoing Process Improvements

11 DIGITAL COUNTERMEASURES Improve system survivability against exploitation of unknown vulnerabilities Three goals: Increase attacker requirements – e.g. must be authenticated, local subnet only Deterrent – no economically reliable exploit exists Mitigation – Break 100% reliable universal exploits Often must be combined together Even when successful, the result is still impactful to the user 11

12 MITIGATION APPROACHES Utilize secrets such that guessing impairs exploit reliability /GS: Protect stack buffers by checking random cookies placed between them and control structures Function Pointer Encoding 12 Utilize Knowledge Deficits Artificial Diversity Enforce Invariants ASLR: Address Space Layout Randomization Data Execute Protection (DEP) Heap & pool metadata checks SafeSEH / SEH Overwrite Protection (SEHOP)

13 MEMORY SAFETY MITIGATIONS ROADMAP 13 Stack Heap / Pool Executable Code /GS 1.0 /GS 1.1 Heap 1.0 DEP ASLRDEP IE8 20072006200520042003 /GS 2.0 2008 /NXCOMPAT Heap 2.0HeapTerm EH4SEHOP/GS 3.0 DEP+ATL Safe Unlinking 2009 DEP O14 20102011 SEHOP IE9

14

15

16 MS12-037 – INTERNET EXPLORER CVE-2012-1875 (SAME ID) 0-day vulnerability being used in limited targeted attacks prior to bulletin release. Vulnerability about as bad as it gets! Remote Code Exec vulnerability in all versions of IE (at the time) and exploitable via a web page Fixed by MS12-037 - http://technet.microsoft.com/en- us/security/bulletin/ms12-037http://technet.microsoft.com/en- us/security/bulletin/ms12-037 Standard mitigations in the bulletin were Don’t open Office documents Killbit the AX control in IE

17 EMET VS. MS12-037 - CVE-2012-1875 (SAME ID)

18 CALL TO ACTION Follow the Security Research and Defense blog http://blogs.technet.com/b/srd/ http://blogs.technet.com/b/srd/ Evaluate and Deploy EMET v3.5 or newer Protect critical applications such as Internet Explorer, Firefox, Office, Adobe Acrobat etc Monitor for EMET related events in the event log using System Center or other Enterprise monitoring software

19 DEPLOYMENT AND MANAGEMENT VIA GROUP POLICY

Download ppt "USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT."

Similar presentations

Patch Management Patch Management in a Windows based environment

Patch Management Patch Management in a Windows based environment
Incident Response Managing Security at Microsoft Published: April 2004.

Incident Response Managing Security at Microsoft Published: April 2004.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.

12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.
USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION.

USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION.
Stuart Aston Chief Security Advisor Microsoft UK

Stuart Aston Chief Security Advisor Microsoft UK
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.

Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.
Controls for Information Security

Controls for Information Security
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
Introduction to Network Defense

Introduction to Network Defense
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google