Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

Published byMarjorie Barber Modified over 9 years ago

Similar presentations

Presentation on theme: "ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker."— Presentation transcript:

1

2

3

4 ASSUME BREACH PREVENT BREACH +

5

6

7 Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker Undetected) 11-14 months Attack Discovered Typical Attack Timeline & Observations

8 1.Get in with Phishing Attack (or other) 2.Steal Credentials 3.Compromise more hosts & credentials (searching for Domain Admin) 4.Get Domain Admin credentials 5.Execute Attacker Mission (steal data, destroy systems, etc.) Modern Attack Tools are Easy/etc. 24-48 Hours Privilege Escalation with Credential Theft (Typical)

9

10

11

12

13 High Level OS (HLOS) Hypervisor Isolated User Mode (IUM) LSASS LSAIso

14 High Level OS (HLOS) Hypervisor Isolated User Mode (IUM) LSASS NTLM Kerberos LSAIso NTLM support Kerberos support Boot Persistent Device Drivers “Clear” secrets Note: MS-CHAPv2 and NTLMv1 are blocked IUM secrets

15

16

17 1.Privilege escalation Credential Theft Application Agents Service Accounts 2.Lateral traversal Credential Theft Application Agents Service Accounts Tier 0 Tier 2 Tier 1

18

19 Do these NOW!

20

21

22

23 IT Service Management Administrative Forest Domain and Forest Administration Production Domain(s) Domain and Forest Security Alerting Servers, Apps, and Cloud Services Hardened Hosts and Accounts Privileged Account Management (PAM) Admin Roles & Delegation Admin Forest Maintenance PAM Maintenance Lateral Traversal Mitigations (Admin Process, Technology) Domain and DC Hardening OS, App, & Service Hardening User, Workstations, and Devices Integrate People, Process, and Technology RDP w/Restricted Admin Protected Users Auth Policies and Silos Admin Workstations

24 Good/Minimum Separate Admin Desktops and associated IT Admin process changes Separate Admin Accounts Remove accounts from Tier 0 Service Accounts Personnel - Only DC Maintenance, Delegation, and Forest Maintenance Better Best Detection - Advanced Threat Analytics Multi-factor Authentication (Smartcards, One Time Passwords, etc.) Just in Time (JIT) Privileges - Privileged Access Management Extensive overhaul of IT Process and Privilege Delegation Administrative Forest (for AD admin roles in current releases) Isolated User Mode (IUM) Microsoft Passport and Windows Hello

25 Good/Minimum Separate Admin Accounts Separate Admin Desktops Associated IT Admin process changes Enforce use of RDP RestrictedAdmin Mode Local Administrator Password Solution (LAPS) Or alternate from PTHv1 Better Best Detection - Advanced Threat Analytics Multi-factor Authentication (Smartcards, One Time Passwords, etc.) Just in Time (JIT) Privileges - Privileged Access Management Extensive overhaul of IT Process and Privilege Delegation Isolated User Mode (IUM) Microsoft Passport and Windows Hello

26 Good/Minimum Separate Admin Accounts Separate Admin Desktops Associated IT Admin process changes Enforce use of RDP RestrictedAdmin Mode Local Administrator Password Solution (LAPS) Or alternate from PTHv1 Better Best Detection - Advanced Threat Analytics Multi-factor Authentication (Smartcards, One Time Passwords, etc.) Just in Time (JIT) Privileges - Privileged Access Management Extensive overhaul of IT Process and Privilege Delegation Isolated User Mode (IUM) Microsoft Passport and Windows Hello

27

28

29

30

31

32

33

34

35

36

37 37 Implement Mitigations Now! 1 Revamp your culture and support processes 2 3 Plan to adopt Windows 10 Features

38

39

40

41 Cloud service provider responsibility Tenant responsibility

42 Private Cloud Fabric Identity Infrastructure as a Service On Premises Infrastructure Federation and Synchronization Single Identity

43

Download ppt "ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker."

Similar presentations

Welcome to the GIG Event 1. MICROSOFT ACTIVE DIRECTORY SERVICES Presenter: Avinesh MCP, MCTS 2.

Welcome to the GIG Event 1. MICROSOFT ACTIVE DIRECTORY SERVICES Presenter: Avinesh MCP, MCTS 2.
Identity Manager vNext

Identity Manager vNext
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 

{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
Continually improving products and services to protect against cyber-attacks targeting administration First in Windows Server, and Active Directory......Next.

Continually improving products and services to protect against cyber-attacks targeting administration First in Windows Server, and Active Directory......Next.
Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.

Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.
RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.

RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Microsoft ® Official Course Module 8 Securing Windows 8 Desktops.

Microsoft ® Official Course Module 8 Securing Windows 8 Desktops.
PCIT304. 1. numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&

PCIT numbers/?_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_php=true&_type=blogs&_r=5&
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.

Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.
Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.

Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.
Version 2.0 for Office 365. Day 1 Administering Office 365 Day 2 Administering Office 365 Office 365 Overview & InfrastructureAdministering Lync Online.

Version 2.0 for Office 365. Day 1 Administering Office 365 Day 2 Administering Office 365 Office 365 Overview & InfrastructureAdministering Lync Online.
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam

ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam
Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?

Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?
Free, online, technical courses Take a free online course. Microsoft Virtual Academy.

Free, online, technical courses Take a free online course. Microsoft Virtual Academy.

Similar presentations

Ads by Google