Published by Marjorie Barber, modified over 9 years ago
Slide 4: Prevent Breach + Assume Breach
Slide 7: Typical Attack Timeline & Observations
Research & Preparation
First Host Compromised
24-48 hours: Domain Admin Compromised
Data Exfiltration (Attacker Undetected)
11-14 months: Attack Discovered
Slide 8: Privilege Escalation with Credential Theft (Typical)
1. Get in with a phishing attack (or other initial access)
2. Steal credentials from the first host
3. Compromise more hosts and credentials, searching for Domain Admin
4. Get Domain Admin credentials
5. Execute the attacker mission (steal data, destroy systems, etc.)
Modern attack tools make steps 2-4 easy; the chain from first host to Domain Admin typically takes 24-48 hours.
Slide 13: High Level OS (HLOS) / Hypervisor / Isolated User Mode (IUM)
LSASS runs in the HLOS; LSAIso runs in IUM, which the hypervisor isolates from the HLOS (including its kernel).
Slide 14: The same architecture with protocol support shown
HLOS: LSASS with NTLM and Kerberos, holding the "clear" secrets
IUM: LSAIso with NTLM support and Kerberos support, holding the IUM secrets
Also labelled on the diagram: Boot Persistent Device Drivers
Note: MS-CHAPv2 and NTLMv1 are blocked (they need the clear secret, which LSAIso never releases to the HLOS)
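The split shown on slides 13 and 14 only protects secrets if LSAIso is actually running, not merely configured. The following check is an added example (not from the deck): it reads the Win32_DeviceGuard WMI class, the LsaCfgFlags registry value and the LsaIso process to tell "configured" from "running". The System-log event IDs 13/14 are the ones Microsoft's Credential Guard documentation cites for the Wininit start/failure messages; verify them on your build.

```powershell
# Added example (not from the deck): report whether Credential Guard, i.e. the
# LSAIso trustlet in Isolated User Mode, is configured and actually running.
# Run in an elevated PowerShell on the Windows 10 / Server 2016+ host being checked.
function Get-CredentialGuardStatus {
    # Win32_DeviceGuard reports VBS state and the security services it hosts.
    # SecurityServices* arrays use 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'EnabledNotRunning' }   # policy set, but the secure kernel never started
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Registry knob: 0 or absent = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = ([int[]]$dg.SecurityServicesConfigured) -contains 1
        CredentialGuardRunning    = ([int[]]$dg.SecurityServicesRunning)    -contains 1
        LsaIsoProcessPresent      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        LsaCfgFlags               = $lsaCfg
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

# "Configured but not running" is the common failure mode (no UEFI, Secure Boot or
# virtualization extensions): the policy is set but LSASS still holds the clear secrets.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but LSAIso is not running; secrets are NOT isolated.'
    # Wininit logs the reason at boot (System log; event IDs 13/14 per Microsoft's Credential Guard docs).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13, 14 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
}
```

Treat `CredentialGuardRunning = $true` together with a visible `LsaIso` process as the pass condition; a fleet report that only reads the policy setting will overstate coverage.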
Slide 17: Tier 0 / Tier 1 / Tier 2
1. Privilege escalation (via credential theft, application agents, service accounts)
2. Lateral traversal (via credential theft, application agents, service accounts)
Slide 19: Do these NOW!
Slide 23: Roadmap components (diagram labels)
- IT Service Management
- Administrative Forest
- Domain and Forest Administration
- Production Domain(s)
- Domain and Forest Security Alerting
- Servers, Apps, and Cloud Services
- Hardened Hosts and Accounts
- Privileged Account Management (PAM)
- Admin Roles & Delegation
- Admin Forest Maintenance
- PAM Maintenance
- Lateral Traversal Mitigations (Admin Process, Technology)
- Domain and DC Hardening
- OS, App, & Service Hardening
- User, Workstations, and Devices
- Integrate People, Process, and Technology
- RDP w/Restricted Admin
- Protected Users
- Auth Policies and Silos
- Admin Workstations
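"Protected Users" and "Auth Policies and Silos" are the two Active Directory features on this roadmap that technically enforce the tier boundary from slide 17. The script below is an added example (not from the deck): it builds a Tier 0 silo whose members can only obtain a TGT from devices that are themselves in the silo, and moves the Tier 0 admins into Protected Users. The policy and silo names, and the admin workstation names passed in, are assumptions; the SDDL condition follows the pattern Microsoft documents for silo-based "allowed to authenticate from" rules. It needs the ActiveDirectory module and a Windows Server 2012 R2 domain functional level.

```powershell
# Added example (not from the deck): Tier 0 authentication policy silo + Protected Users.
# Names (Tier0-AuthPolicy, Tier0-Silo, PAW01) are assumptions, not from the slides.
Import-Module ActiveDirectory

function New-Tier0Silo {
    param(
        [string]$PolicyName = 'Tier0-AuthPolicy',
        [string]$SiloName   = 'Tier0-Silo',
        # Admin workstations MUST be in the silo too; otherwise the admins can only log on at a DC.
        [string[]]$AdminWorkstation = @(),
        [switch]$Enforce    # start in audit mode; flip to -Enforce once no legitimate logon is blocked
    )

    # Tier 0 = domain controllers, the admin workstations used to manage them,
    # and the accounts that administer them.
    $tier0Hosts  = @(Get-ADComputer -Filter * -SearchBase (Get-ADDomain).DomainControllersContainer)
    $tier0Hosts += $AdminWorkstation | ForEach-Object { Get-ADComputer -Identity $_ }
    $tier0Admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                   Where-Object objectClass -eq 'user' | Get-ADUser

    # "Allowed to authenticate from": a TGT for a silo member is only issued when the
    # requesting device is itself a member of the same silo (pattern from Microsoft's docs).
    $allowFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

    $policy = New-ADAuthenticationPolicy -Name $PolicyName `
                 -UserTGTLifetimeMins 240 `
                 -UserAllowedToAuthenticateFrom $allowFrom `
                 -Enforce:$Enforce -PassThru
    $silo = New-ADAuthenticationPolicySilo -Name $SiloName `
                 -UserAuthenticationPolicy $policy `
                 -ComputerAuthenticationPolicy $policy `
                 -ServiceAuthenticationPolicy $policy `
                 -Enforce:$Enforce -PassThru

    # Membership is two-sided: the silo must grant access, and the account must claim it.
    foreach ($acct in @($tier0Hosts) + @($tier0Admins)) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $acct
        Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo $silo
    }

    # Protected Users: no NTLM, no DES/RC4 Kerberos keys, no delegation, 4-hour TGT.
    # Keep one break-glass account OUT of this group and pilot with a single admin first.
    Add-ADGroupMember -Identity 'Protected Users' -Members $tier0Admins

    $silo
}

New-Tier0Silo -AdminWorkstation 'PAW01'           # audit mode first
# New-Tier0Silo -AdminWorkstation 'PAW01' -Enforce  # after reviewing audit failures on the DCs
```

Run it unenforced first and review the authentication-policy failure events on the domain controllers before switching to `-Enforce`; a silo that omits the admin workstations or a service account that a DC depends on locks Tier 0 out rather than the attacker.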
Slide 24: Tier 0 mitigations
Good/Minimum:
- Separate admin desktops and associated IT admin process changes
- Separate admin accounts
- Remove accounts from Tier 0 service accounts
- Personnel: only DC maintenance, delegation, and forest maintenance
Better/Best:
- Detection: Advanced Threat Analytics
- Multi-factor authentication (smartcards, one-time passwords, etc.)
- Just in Time (JIT) privileges: Privileged Access Management
- Extensive overhaul of IT process and privilege delegation
- Administrative Forest (for AD admin roles in current releases)
- Isolated User Mode (IUM)
- Microsoft Passport and Windows Hello
Slide 25: Tier 1 and Tier 2 mitigations
Good/Minimum:
- Separate admin accounts
- Separate admin desktops
- Associated IT admin process changes
- Enforce use of RDP RestrictedAdmin mode
- Local Administrator Password Solution (LAPS), or an alternate from the PtH v1 guidance
Better/Best:
- Detection: Advanced Threat Analytics
- Multi-factor authentication (smartcards, one-time passwords, etc.)
- Just in Time (JIT) privileges: Privileged Access Management
- Extensive overhaul of IT process and privilege delegation
- Isolated User Mode (IUM)
- Microsoft Passport and Windows Hello
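The two technology items in the Good/Minimum column, RDP RestrictedAdmin and LAPS, are the ones most often "deployed" without being verified. The block below is an added example (not from the deck) that sets the server- and client-side Restricted Admin registry values Microsoft published with KB2871997 and audits LAPS coverage through the legacy ms-Mcs-AdmPwd* schema attributes. The host names SRV01/SRV02 are assumptions.

```powershell
# Added example (not from the deck): Restricted Admin RDP + LAPS coverage audit.
# Registry values are the KB2871997 ones; attribute names are from the legacy LAPS schema.
Import-Module ActiveDirectory

# Server side: accept Restricted Admin RDP sessions. The admin's credentials never reach
# the server; the session's network identity is the server's machine account, so
# nothing reusable is left in the target's LSASS.
function Enable-RestrictedAdminRdp {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                         -Name DisableRestrictedAdmin -Value 0 -Type DWord
    }
}

# Client side (admin workstations): make mstsc refuse anything but Restricted Admin,
# i.e. policy "Restrict delegation of credentials to remote servers" = Require Restricted Admin.
function Set-RestrictedAdminClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name RestrictedRemoteAdministration     -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name RestrictedRemoteAdministrationType -Value 1 -Type DWord  # 1 = Restricted Admin
}

# LAPS coverage: every domain-joined Windows host should carry a managed local admin
# password with a future expiry. Hosts without the attribute still share the image
# password, which is exactly the lateral-movement path LAPS exists to close.
function Get-LapsCoverage {
    Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
            [pscustomobject]@{
                Name        = $_.Name
                LapsManaged = $null -ne $exp
                Expires     = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null }
            }
        }
}

Enable-RestrictedAdminRdp -ComputerName 'SRV01', 'SRV02'   # assumed host names
Set-RestrictedAdminClientPolicy
Get-LapsCoverage | Where-Object { -not $_.LapsManaged -or $_.Expires -lt (Get-Date) } | Format-Table -AutoSize

# From the admin workstation (credentials are not sent to the server):
#   mstsc.exe /v:SRV01 /restrictedAdmin
```

One caveat worth stating next to this slide: a server that accepts Restricted Admin also accepts an NTLM hash as proof of identity for that session, so an attacker who already holds an admin's hash can RDP to it. Restricted Admin trades that for keeping the admin's credentials off every server they touch; it belongs together with separate admin accounts and separate admin desktops, not instead of them.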
Slide 37:
1. Implement mitigations now!
2. Revamp your culture and support processes
3. Plan to adopt Windows 10 features
Slide 41: Cloud service provider responsibility vs. tenant responsibility
Slide 42: Private Cloud Fabric, Identity, Infrastructure as a Service, On-Premises Infrastructure, Federation and Synchronization, Single Identity