AGENDA
• Alsid presentation
• Active Directory (in)security
• Alsid for AD
• Case studies
• Demo
• Architecture
Break the dynamics of most cyber attacks by preventing lateral movement
Founded by leading incident responders, the brains behind BloodHound
Operations in 15 countries, protecting 100+ customers and 4M+ accounts
© ALSID COPYRIGHT 2019
Active Directory (in)security
Active Directory
• Governs authentication, holds all passwords
• Manages access rights to every vital asset
• Is a 20-year-old design that didn’t evolve much
• Is impossible to maintain in a pristine state
Clean AD implementations are a myth, and hackers
know how to exploit weaknesses
Active Directory holds the keys to your realm
Everything that depends on it: corporate data, users & credentials, ICS & SCADA, e-mail, applications, cloud resources
THE CORE OF YOUR INFRASTRUCTURE
THE ROOT CAUSE OF ALL WIDESPREAD COMPROMISES
Timeline of widespread compromises shown on the slide:
• Aurora (January 2010)
• Target (December 2013)
• Sony (November 2014)
• Carbanak (February 2015)
• SingHealth (October 2018)
• Norsk Hydro (March 2019)
• Baltimore (June 2019)
• United Nations (January 2020)
THE CYBER KILL CHAIN FRAMEWORK
1. Target recognition
2. Phishing campaign on selected targets
3. Initial endpoint compromise
4. Company's infrastructure cartography
5. Local privilege escalation
6. Lateral movement
7. Credentials replay on privileged accounts
8. Privilege escalation on AD
9. Post exploitation (persistence, backdooring)
10. Business resources tampering
11. Exfiltration using side-channel tunnels
A security gap that has received too little attention
from our industry, and far too much from hackers
[Chart, 0 to 10 scale: coverage of the WIDESPREAD COMPROMISE stage by existing approaches]
• PEN-TESTING
• SIEM-BASED CORRELATION
• COMPLIANCE & AUDIT TOOLS
• AGENT-BASED BEHAVIORAL DETECTION
Alsid for AD
THE CHALLENGES YOU CAN SOLVE
INVESTIGATE INCIDENTS & HUNT FOR THREATS
• Search and correlate AD changes at object and attribute levels
• Trigger response playbooks in your SOAR
UNCOVER NEW ATTACK PATHWAYS
• Continuously identify new vulnerabilities and misconfigurations
• Break attack pathways and keep your threat exposure in check
FIND AND FIX YOUR EXISTING WEAKNESSES
• Immediately discover, map, and score existing weaknesses
• Follow our step-by-step remediation tactics and prevent attacks
DETECT ONGOING ATTACKS IN REAL TIME
• Get alerts and actionable remediation plans on AD attacks
• Help your SOC team visualize notifications & alerts in your SIEM
NO AGENTS · AD-NATIVE · NO PRIVILEGES · NEAR-INSTANT VALUE · CLOUD & ON-PREM
Intended users: AD admins, blue teams & auditors, SOC analysts, incident responders, threat hunters
SIMPLE, SEAMLESS INTEGRATION
• Flexible and instant-on application
• No agent, no deployment, no weird rights
• Standard protocols, no-surprise architecture
• Available in our cloud, in your country
A modern SaaS-based solution
[Diagram: Alsid for AD queries a selected domain controller over LDAP, Kerberos, SMB/CIFS, DNS, NetBIOS, Global Catalog and "DSRU RPC" (as printed on the slide)]
Customer cases
Customer case: Sanofi
KEY METRICS
• 25 domains under continuous supervision
• 400,000 AD user accounts protected
CHALLENGES
COMPLEX ENVIRONMENT
Sanofi has 87 manufacturing sites in 38 countries. All of them are integrated in the global AD, with dozens of forests and domains and 400 DCs.
LEGAL REGULATIONS
To ensure its clients' safety, the pharmaceutical sector is heavily regulated. For example, the composition of each drug must be guaranteed along the whole production chain.
SOLUTION
SHEDDING LIGHT ON THE AD RISK LEVEL
Alsid allowed the global CISO office to have an up-to-date view of the security risks on the infrastructure, presented in clear and actionable dashboards.
DESIGNING A GLOBAL SECURITY ROADMAP
Alsid offered a prioritized security roadmap with quick-win actions. Every action's technical cost is evaluated, and executives can follow the security plan execution.
RESULTS
• Worldwide AD infrastructure coverage
• Continuous monitoring of highly critical assets
• Board-level dashboards presented to executives
Customer case: Vinci Energies
KEY METRICS
• 34 companies acquired by Vinci Energies in 2017
• 85,000 AD user accounts protected
CHALLENGES
MAINTAINING SECURITY BOUNDARIES
Vinci Energies previously established robust security boundaries on its HQ infrastructure. Maintaining them throughout all its acquisitions is no easy challenge.
INTEGRATING NEW COMPANIES
Once a new company is bought, business pressures IT to integrate infrastructures quickly, sometimes at the expense of cybersecurity.
SOLUTION
CONSOLIDATED DASHBOARD
All of Vinci Energies' subsidiaries' security levels are presented in a global dashboard so that security gaps are discovered quickly.
INSTANT & CONTINUOUS ASSESSMENT
Before integrating a newly acquired company, the Vinci Energies security team performs an initial assessment and sets security goals. They follow the implementation of a minimal acceptable level before integration.
RESULTS
• Flawless and quick integration of new companies
• Up-to-date security checks
• AD security leveraged in the due-diligence process
Demonstration
ALSID FOR AD IN REAL LIFE
[Demo screenshots of the Alsid for AD console; only the captured labels survive:]
• Navigation: SECURITY ANALYTICS, MANAGEMENT, ALERTS (99+ pending)
• Indicator views: EXECUTIVE SUMMARY, IMPACTED DOMAINS, DOCUMENTS, ATTACKER KNOWN TOOLS, VULNERABILITY DETAILS, DEVIANT ELEMENTS (with "Ignore deviant elements", "Export" and "Action" controls)
• Remediation guidance shown for the demoed indicator: DEACTIVATE OR DELETE THE ILLEGITIMATE DOMAIN CONTROLLERS; INVESTIGATE THE ROOT CAUSES OF THE INCIDENT
• Trail Flow: time filter "0-30 days", "Only deviant events", "Pause the Trail Flow"; tabs ATTRIBUTES, IMPACTED DOMAINS, INDICATORS
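The remediation the demo shows (deactivate or delete the illegitimate domain controllers) presumes you can tell which DC objects are illegitimate. The following PowerShell is an added example, not part of the Alsid deck or product: it cross-checks the four places a legitimate DC must appear in the directory and reports any computer object that is missing from one of them, which is what a DC registered by DCShadow-style tooling usually looks like. It assumes the RSAT ActiveDirectory module on a domain-joined host and only reads the directory.

```powershell
# Added example, not Alsid code: cross-check the places a legitimate domain controller
# must appear. A rogue DC registered by DCShadow-style tooling seldom appears
# consistently in all of them; any row with a False column is a deviant element.
# Assumes the RSAT ActiveDirectory module and default domain-user read rights.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# 1. What the directory service itself reports (DC locator view).
$Reported = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty ComputerObjectDN

# 2. NTDS Settings (nTDSDSA) objects under the Sites container that host this domain's NC.
$NtdsSettings = Get-ADObject -SearchBase "CN=Sites,$ConfigNC" -LDAPFilter '(objectClass=nTDSDSA)' -Properties 'msDS-hasMasterNCs' |
    Where-Object { $_.'msDS-hasMasterNCs' -contains $Domain.DistinguishedName }
$FromSites = foreach ($Ntds in $NtdsSettings) {
    # The parent of "CN=NTDS Settings" is the server object; its serverReference is the computer account.
    $ServerDn = ($Ntds.DistinguishedName -split ',', 2)[1]
    (Get-ADObject -Identity $ServerDn -Properties serverReference).serverReference
}

# 3. Computer accounts carrying SERVER_TRUST_ACCOUNT (userAccountControl bit 0x2000).
$ServerTrust = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' |
    Select-Object -ExpandProperty DistinguishedName

# 4. Computer accounts living in the Domain Controllers OU.
$InDcOu = Get-ADComputer -SearchBase $Domain.DomainControllersContainer -Filter * |
    Select-Object -ExpandProperty DistinguishedName

# Union of everything that claims to be a DC anywhere, then one row per candidate.
$AllDns = @($Reported) + @($FromSites) + @($ServerTrust) + @($InDcOu) | Sort-Object -Unique
$Report = foreach ($Dn in $AllDns) {
    [pscustomobject]@{
        Computer     = $Dn
        Reported     = $Reported    -contains $Dn
        NtdsSettings = $FromSites   -contains $Dn
        ServerTrust  = $ServerTrust -contains $Dn
        InDcOu       = $InDcOu      -contains $Dn
    }
}

# Only the inconsistent rows are interesting; investigate the root cause before deleting anything.
$Report | Where-Object { -not ($_.Reported -and $_.NtdsSettings -and $_.ServerTrust -and $_.InDcOu) } |
    Format-Table -AutoSize
```

A DC that was demoted uncleanly will also show up here (typically with a leftover NTDS Settings object), so the output is a list of things to investigate, not an automatic delete list.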
A SNEAK PEEK INTO OUR INDICATORS OF EXPOSURE
The slide groups the indicators (nine per category) into four families: SECURITY MODEL RELATED IOE, ACCOUNTS RELATED IOE, CONFIGURATION RELATED IOE, READ-ONLY DC RELATED IOE. Indicators listed:
• KDC password last change
• Protected users
• Privileged account with SPN
• Last logon date for admin accounts
• SD Propagator consistency
• Replication policy
• Objects access control
• Unconstrained delegation
• BitLocker key access control
• Don't expire accounts
• Administration attribute
• Privileged groups membership
• Reversible password storage
• Disabled accounts in priv. groups
• Anonymous users behavior
• Kerberos user accounts config
• Fine-grained password policy
• Trusts attributes
• Directory configuration
• Blocking OU
• Managed service accounts
• Obsolete systems
• Trusted certificate authorities
• Schema security descriptor
• DSRM account
• Advanced audit policy
• RODC KDC account
• RODC management account
• Control caching policy on RODC
• RODC filtered attributes
• RODC global revealed group
• Sensitive GPO link
• Lateral move restriction
• Enforced GPO
• Disabled or unlinked GPO
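Several of the account-related indicators above map directly onto attributes you can read with the RSAT ActiveDirectory module. The PowerShell below is an added example, not Alsid code and not how the product implements these checks: it runs a read-only sweep for seven of the listed indicators (KDC password last change, privileged account with SPN, disabled accounts in privileged groups, don't-expire accounts, last logon date for admin accounts, Protected Users membership, unconstrained delegation, reversible password storage) from any domain-joined host with default read rights. The two day thresholds and the list of groups treated as privileged are assumptions to tune to your policy.

```powershell
# Added example, not Alsid code: a read-only sweep of a few of the Indicators of
# Exposure named on the slide, using only the RSAT ActiveDirectory module.
# Works as a plain domain user (default read rights); nothing is modified.
# The two day thresholds and the privileged-group list are assumptions.
Import-Module ActiveDirectory

$KrbtgtMaxAgeDays = 180    # assumed threshold for "KDC password last change"
$AdminStaleDays   = 90     # assumed threshold for "Last logon date for admin accounts"
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Ioe, [string]$Object, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ IoE = $Ioe; Object = $Object; Detail = $Detail })
}

# KDC password last change: an old krbtgt password keeps forged golden tickets valid.
$Krbtgt    = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
$KrbtgtAge = (Get-Date) - $Krbtgt.PasswordLastSet
if ($KrbtgtAge.TotalDays -gt $KrbtgtMaxAgeDays) {
    Add-Finding 'KDC password last change' 'krbtgt' ('Password is {0:N0} days old' -f $KrbtgtAge.TotalDays)
}

# Privileged groups membership: resolve nested members of the classic admin groups once.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$PrivUsers = foreach ($Group in $PrivGroups) {
    # Enterprise/Schema Admins exist only in the forest root domain, so ignore lookup errors.
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$PrivUsers = $PrivUsers | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
    Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, LastLogonDate,
        PasswordNeverExpires, ServicePrincipalName
}

# Protected Users: members get no NTLM, no RC4/DES, no delegation and a short TGT lifetime.
$ProtectedDns = @(Get-ADGroupMember -Identity 'Protected Users' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DistinguishedName)

foreach ($User in $PrivUsers) {
    # Privileged account with SPN: any domain user can request its TGS and crack it offline.
    if ($User.ServicePrincipalName.Count -gt 0) {
        Add-Finding 'Privileged account with SPN' $User.SamAccountName ($User.ServicePrincipalName -join '; ')
    }
    if (-not $User.Enabled) {
        Add-Finding 'Disabled accounts in priv. groups' $User.SamAccountName 'Disabled but still a member'
    }
    if ($User.PasswordNeverExpires) {
        Add-Finding "Don't expire accounts" $User.SamAccountName 'PasswordNeverExpires is set'
    }
    # LastLogonDate is replicated only every ~14 days; coarse, but fine for a staleness check.
    if ($User.Enabled -and ($null -eq $User.LastLogonDate -or
        $User.LastLogonDate -lt (Get-Date).AddDays(-$AdminStaleDays))) {
        Add-Finding 'Last logon date for admin accounts' $User.SamAccountName "No logon in $AdminStaleDays days"
    }
    if ($User.Enabled -and $User.DistinguishedName -notin $ProtectedDns) {
        Add-Finding 'Protected users' $User.SamAccountName 'Privileged but not in Protected Users'
    }
}

# Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000) on anything that is not a DC (0x2000).
Get-ADObject -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))' |
    ForEach-Object { Add-Finding 'Unconstrained delegation' $_.Name 'TRUSTED_FOR_DELEGATION on a non-DC' }

# Reversible password storage: ENCRYPTED_TEXT_PWD_ALLOWED (0x80) stores the password recoverably.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    ForEach-Object { Add-Finding 'Reversible password storage' $_.SamAccountName 'ENCRYPTED_TEXT_PWD_ALLOWED is set' }

$Findings | Sort-Object IoE, Object | Format-Table -AutoSize
```

Run it from a domain-joined workstation with RSAT; no elevated rights are needed because every query reads attributes that authenticated users can see by default. Get-ADGroupMember stops at very large groups and at foreign security principals from trusted domains, so a forest with many trusts needs the membership step replaced by an LDAP_MATCHING_RULE_IN_CHAIN query on memberOf.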
Architecture
SIMPLE, SEAMLESS INTEGRATION (deployment view)
• Flexible and instant-on application
• No agent, no deployment, no weird rights
• Standard protocols, no-surprise architecture
• Available in our cloud, in your country
A modern SaaS-based solution
[Diagram: your dedicated Alsid Cloud instance reaches the monitored domains inside the client's infrastructure through the corporate VPN infrastructure]
QUESTIONS?
Mauro Suardi, Business Development Director, mobile +39 348 8373147
Piero Provenza, Systems Engineer, mobile +39 347 0827973, direct line +39 011 2747607
THANK YOU!
@AlsidOfficial · www.alsid.com · [email protected] · AlsidOfficial