Cyber Security Defenses: What Works Today
Laura Robinson / Mark Simos / Roger Grimes
Principal Security Architect / Senior Consultant / Principal Security Architect
Microsoft Corporation
SIA200

MCS Cybersecurity Team – Who We Are
• Microsoft Windows Developers
• Red Team Members
• IR for major networks
• Microsoft Network Security Delivery Consultants
• Malware Analysts
• Forensic Investigators & Trainers
• Intelligence Officers
• Law Enforcement Officers
• Microsoft Security Support
• Corporate Compliance Managers
• Internet Security Researchers

MSIT’s ISRM ACE Team – Who We Are
(Figure: Protect / Detect / Respond / Recover cycle)

Service Lines
• Application Security
• Infrastructure Security
• Customized Solutions & Training
10+ Years of Tailored Best Practices and Specialized Intellectual Property
Unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions

Service Channels
• Microsoft Internal: MSIT, MSN, Microsoft.com, Product Groups
• Microsoft External: MCS, Premier, Acquisitions, Global and Strategic Partners

Functional Capacity (Specialization Totals)
• Application Security: 30
• Infrastructure Security: 16
• Dedicated PMs: 3
• TOTAL: 49

Global Delivery: Staffed Locations
• US: Redmond (ACE HQ), United States, Canada, Europe, India, China, Australia

Our Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services

Today’s Threat Environment…
Determined Adversaries and Targeted Attacks (DA/TA) …AKA Advanced Persistent Threats (APTs)
Think “organizations stealing data with full-time employees (FTEs),” not casual hackers or “viruses”
If you are targeted, they want (and may already have):
• Profiles of your people and organization
• Who has access to what they want
• Who are the IT admins
• Who clicks on phishing emails

DA/TA Common Technical Tactics
• Gain control of your identity store
  - Public: admin rights, interesting projects/groups
  - Secrets: passwords/hashes
• Download terabytes of your data
  - Large initial exfiltration(s) typically
  - Then… target specific data (new/valuable/strategic)
• Hide custom malware on multiple hosts

Cyber Attack Techniques
Targeting, Phishing, Pass the Hash, Application Exploit
• Access: Users and Workstations
• Power: Domain Controllers
• Data: Servers and Applications

Pass The Hash
1. Bad guy targets workstations en masse
2. User running as local admin compromised; bad guy harvests credentials
3. Bad guy starts “credentials crabwalk”
4. Bad guy finds host with domain privileged credentials, steals, and elevates privileges
5. Bad guy owns network, can harvest what he wants

Demo: Pass the Hash with Windows Credential Editor (Security Research Tool)
Mark Simos, Solution Architect, Microsoft Consulting Services

Recommendations
• Employ the SDL
• Know What Matters
• Effective Workstation and Server Defenses
• Protect Key Identities/Roles

Protecting the Crown Jewels
• Do not try to protect all assets equally; you can’t
• Identify and protect intellectual property that is valuable to the organization and to potential attackers
  - Foreign and domestic competitors
  - Would-be competitors
  - Governments, etc.
“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds”
- Attributed to Dean Rusk, US Secretary of State, 1961-1969

Protecting the Crown Jewels
(Figure: overlap of “what the defender values”, “what the defender protects” and “what the attacker wants”)
Reference: http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html

Protecting the Crown Jewels
Identify the most important assets; protect them with the strongest security:
• Multi-factor authentication (smart cards, etc.)
• Strict security requirements
• Hardened systems
• Asset Isolation
• Concentric rings of security

Effective Workstation and Server Defenses

Protect Your Hosts
Effective defenses that minimize risk:
• Move users out of local admins groups
• Get current / stay current
• Implement exploit mitigation
• Patching, compliance, and configuration management
• End-user education
• Creative destruction

Get Current / Stay Current
• Office 2010: XML file format, Protected View
• Windows 7: Standard User
• Java 6: Ends side-by-side versioning
• Internet Explorer 9: SmartScreen Filter, Protected Mode
• Adobe Acrobat Reader X: Applied Microsoft SDL, Protected Mode
• Adobe Flash Player 11: SSL Support, Random Number Generator
Adobe SPLC: http://blogs.msdn.com/b/sdl/archive/2009/06/17/microsoft-adobe-protecting-our-customers-together.aspx

Better Patching
• Not just OS patches, but Java, Adobe Reader, Flash, plug-ins, apps
• Firmware: appliances are often running publicly known vulnerable versions of software
• Make sure the devices and appliances that protect your network aren’t gateways into your network
• Printers

Enhanced Mitigation Experience Toolkit (EMET)
• No application re-compile required
• Mitigations apply to opted-in application and its plug-ins
• Recommend: opt in apps that process internet/untrusted content; test for application compatibility

Effective End-User Education
• Do your end-users know that the most likely way they can be exploited is visiting the web site they trust the most? Or reading a PDF file?
• Does your current end-user education teach end-users what their antivirus software looks like?
• Does your current end-user education contain these points? If not, it should
• Phish-me type tests

Asset Isolation
• Firewalls are old news
• Do traffic analysis: who needs to talk to what?
  - Should server A speak to server B?
  - Should workstation A be able to connect to all servers?
• If not, isolate! Use any method you like (e.g., routers, firewalls, IPsec, etc.)
• A great way to notice DA/TAs
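The traffic-analysis-then-isolate sequence above, worked through on one Windows server with the Windows Firewall (one of the “any method you like” options). This is an added example, not code from the deck or from Microsoft; the workstation subnet 10.20.0.0/16, the ports, the rule names and the assumption that admin jump servers sit in a different subnet are all illustrative.

```powershell
# Added example, not from the deck: isolate a server from the workstation subnet with
# the Windows Firewall. Run elevated on the server. The subnet, ports and rule names
# below are assumptions for illustration.

# Step 1 - traffic analysis: who is this host actually talking to, and on which local port?
# Use the result to answer "should workstation A be able to connect to this server?"
function Get-PeerSummary {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        Group-Object -Property RemoteAddress, LocalPort |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name      # Name is "<remote address>, <local port>"
}

# Step 2 - isolate: block inbound SMB and RDP from the subnet where user workstations live.
# Admin jump servers are assumed to sit in a different subnet, so they are unaffected.
function Add-WorkstationIsolationRules {
    param(
        [string]$WorkstationSubnet = '10.20.0.0/16',   # assumed workstation address space
        [int[]]$Ports = @(445, 3389)                    # SMB and RDP
    )
    foreach ($port in $Ports) {
        New-NetFirewallRule -DisplayName "Isolation: block inbound TCP $port from workstations" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $WorkstationSubnet -Action Block -Profile Domain -Enabled True
    }
}

# Step 3 - make the isolation rule a tripwire: log every blocked packet so a workstation
# that suddenly probes this server (the "credentials crabwalk") shows up in the firewall log.
function Enable-BlockedPacketLogging {
    Set-NetFirewallProfile -Profile Domain -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
}

Get-PeerSummary | Format-Table -AutoSize
Add-WorkstationIsolationRules
Enable-BlockedPacketLogging
```

Run step 1 for a few days before step 2: anything legitimately connecting from the workstation subnet on those ports (a file server, for instance) needs an exception or a narrower rule. Step 3 is what turns the isolation into the detection opportunity the slide mentions; the firewall log is worth forwarding to whatever collects the server’s other logs.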

Creative Destruction
Gartner term for a method of decommissioning legacy applications and systems
1. Catalogue application portfolio and application functionality
2. Identify redundancies
3. Create new specs
4. Identify Cloud provider
5. Create application(s) with desired functionality
6. Pipe application data to Cloud
7. Decommission legacy applications and systems

Protect Active Directory and Key Identities
• Practice credential hygiene
• Implement multi-factor authentication
• Reduce broad and deep privileges

Credential Hygiene
• Privileged accounts log onto sufficiently secured hosts
• Separate internet risk from privileged credentials
• Can require detailed design/re-design of privileges, host security, and logon rights GPOs
• Rule of Thumb: protect admin workstations at the same level as the servers/apps administered by the accounts using them
Domain Admin logs on to internet-connected workstation = security of entire domain entrusted to that workstation
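A check for exactly the situation the slide warns about: a privileged account logging on interactively (or over RDP) to a host that is not one of the approved admin workstations. This is an added example, not code from the deck or from Microsoft. It reads Security event 4624 on the host it runs on, needs the RSAT ActiveDirectory module, and assumes the group list, the approved-host names ADMIN-WS01/ADMIN-WS02 and the 24-hour window shown; adjust all three.

```powershell
# Added example, not from the deck: flag logons by privileged accounts on hosts that are
# not approved admin workstations, using Security event 4624. Run elevated on the host
# being checked. The approved-host list, group names and window are assumptions.
Import-Module ActiveDirectory

$privilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$approvedAdminHosts = @('ADMIN-WS01', 'ADMIN-WS02')   # assumed hardened admin workstations
# Logon types that leave a reusable credential on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
$riskyLogonTypes    = @(2, 10, 11)

function Get-PrivilegedUsers {
    $users = foreach ($g in $privilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }
    $users | Sort-Object -Unique
}

function Find-PrivilegedLogonsOnThisHost {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # A tier-matched admin workstation is allowed to see these logons; nothing to flag
    if ($env:COMPUTERNAME -in $approvedAdminHosts) { return }

    $privileged = Get-PrivilegedUsers
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4624 carries its fields in EventData; pull them out of the XML by name
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ([int]$data['LogonType'] -in $riskyLogonTypes -and
            $privileged -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']
                Host      = $env:COMPUTERNAME
            }
        }
    }
}

Find-PrivilegedLogonsOnThisHost | Format-Table -AutoSize
```

Each row returned is a host that, by the slide’s arithmetic, has been entrusted with the security of the whole domain. Network logons (type 3) are deliberately excluded because they do not leave a reusable credential on the workstation; the three types listed do.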

Compartmentalization
(Figure: separate admin populations)
• Production Domain Admins
• Workstation Admins
• Server Admins: High Business Impact (HBI) Server Admins, SQL Admins, Exchange Admins, SharePoint Admins, … Server Admins
• Secure Maintenance

Multi-factor Authentication
• What you know (password, PIN, etc.)
• What you have (smart card, token, cell phone, etc.)
• Biometric measurement (fingerprint, retina, etc.)
• Ensure remote attackers can’t use identity over Internet; physical attacks are more expensive and difficult
• Smart cards are natively supported by Windows

Privilege Reduction
Goals
• Eliminate accounts that have both broad and deep privilege
• Have no permanent Enterprise Admins, Domain Admins, Administrators, or accounts with equivalent privilege
Why? Because it only takes one privileged account to:
• Leverage easy mechanisms
  - Use the privileged account to create additional accounts: not just privileged, but VIP “mimicking” accounts, and accounts with backdoors into other accounts
  - Place malware and other binaries on DCs and member servers
  - Leverage existing management tools
  - Disable SID quarantining and/or selective authentication
  - Modify GPOs
  - Install backdoors in approved images/packages
• Or slightly harder mechanisms: sIDHistory manipulation, Migration APIs, Debugger attacks, Disk editors

Role-Based Access Controls (RBAC) for IT
Least-privilege model for IT operations
• IT staff given multiple accounts
• Staff with limited responsibilities typically have 2:
  - Regular user account
  - Support account that has been granted roles based on day-to-day work characteristics
• Possible additional accounts (usually more with higher support tiers)
• NOT member of EA/DA/Administrators
• No equivalent privileges
• Multi-factor authentication required
• Accounts denied workstation logon
• Defined “allowed to authenticate” systems
• RDP to secure “jump servers”/“bastion hosts” for management
  - Can leverage virtualization
  - Secure per-person jump servers that are restricted to each unique user and restarted after each use
(Figure: example user “Jane Doe” with a Help desk role and a Secure Maintenance role)

Privileged Identity Management
Mechanisms by which accounts are granted temporary rights and privileges required to perform build or break-fix functions
• Time-bound
• Workflow generated, monitored and reported
• May be given temporary username + password
• May be temporarily placed in privileged groups
• May operate through recorded portals
• Programmatic
Privileged credentials are not permitted to stagnate or to be permanently available:
• Reduced attack surface
• Checks and balances
• Audit trails
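The Privilege Reduction goal (“have no permanent Enterprise Admins / Domain Admins / Administrators”) and the PIM mechanism (“may be temporarily placed in privileged groups”) meet in the following added example, which is not code from the deck or from Microsoft. The first function reports which members of those groups are permanent; the second grants a break-fix account membership that expires on its own. It needs the ActiveDirectory module, and the time-bound grant assumes the forest has the Privileged Access Management optional feature enabled (Windows Server 2016 forest functional level or later). The support account name jdoe-da is an assumption.

```powershell
# Added example, not from the deck: (1) report which members of the sensitive groups are
# permanent, and (2) grant a break-fix account time-bound membership instead. Needs the
# ActiveDirectory module; the time-bound grant assumes the forest has the Privileged
# Access Management optional feature enabled. Account names are assumptions.
Import-Module ActiveDirectory

$sensitiveGroups = @('Enterprise Admins', 'Domain Admins', 'Administrators')

function Get-PrivilegedMembershipReport {
    foreach ($g in $sensitiveGroups) {
        # -ShowMemberTimeToLive returns time-bound links as "<TTL=seconds>,<member DN>"
        $group = Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive
        foreach ($m in $group.member) {
            if ($m -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Group = $g; Member = $Matches[2]; Permanent = $false; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Group = $g; Member = $m;          Permanent = $true;  SecondsLeft = $null }
            }
        }
    }
}

# Break-fix: membership that expires on its own, so nothing is left behind to stagnate.
function Grant-TimeBoundMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Account,
        [timespan]$Duration = (New-TimeSpan -Hours 1)
    )
    Add-ADGroupMember -Identity $Group -Members $Account -MemberTimeToLive $Duration
}

# Usage: list the permanent members (these are the findings), then grant one hour of
# Domain Admins to the assumed support account 'jdoe-da' for a break-fix task.
Get-PrivilegedMembershipReport | Where-Object Permanent | Format-Table -AutoSize
Grant-TimeBoundMembership -Group 'Domain Admins' -Account 'jdoe-da'
Get-PrivilegedMembershipReport | Where-Object { -not $_.Permanent } | Format-Table -AutoSize
```

Expect the nested group links that Windows creates itself (Domain Admins inside Administrators, for example) to show up as permanent; the user objects in the report are the ones to move to time-bound grants or to the role model described on the next slides. The report is also the audit trail the slide asks for: run it on a schedule and diff the output.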

Mechanics of RBAC (IT) and PIM: Multiple Approaches
For RBAC (IT):
• Powerful proxy accounts: not preferable; can potentially be secured using a subset of the Administrator account recommendations
• Defined roles with assigned rights and permissions: better approach
• Combinations of both
For PIM:
• Powerful proxy accounts: not preferable
• Temporary membership in privileged groups
• Password vaults
• APIs to replace hard-coded passwords
• Session management tools
• Local and service account management tools

Basic Principles: Roles vs. Temporary Privilege
For Day-to-Day Functions:
• Define roles
• Roles may have broad privilege (e.g., reset passwords across broad swaths of accounts) or deep privilege (e.g., can activate privileged accounts), but not both
In Build & Break-Fix Scenarios:
• Temporarily populate privileged groups in some cases (e.g., fixing a member server might grant support staff temporary local Administrators membership)
• Temporarily use built-in privileged accounts
• Consider broad vs. deep
Caveat: if role privileges are functional equivalents of built-in privileged groups, use time-bound population of groups rather than creating permanent roles with high privilege.

Sample Approach to Securing Built-In Administrator Accounts
In each domain:
• Set Administrator account flags
  - Account is disabled
  - Smart card is required for interactive logon
  - Account is sensitive and cannot be delegated
• Audit and alert on any changes to account
• Create/modify domain-level GPO: “Deny access to this computer from the network”
  - Does not prevent interactive logon in case of emergency
On member servers and workstations:
• Create/modify GPO
  - Disable Administrator account
  - Audit and alert on changes to account
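The “in each domain” part of the sample approach, scripted: an added example, not code from the deck or from Microsoft. It locates the built-in Administrator of every domain in the forest by its well-known RID 500 (so a renamed account is still found), sets the three flags the slide lists, reads them back, and enables auditing of user account changes on the DC it runs on. It needs the ActiveDirectory module and administrative rights in each domain. The “Deny access to this computer from the network” user right and the member-server/workstation GPO are left to GPMC, since the AD module has no cmdlet for user rights assignments.

```powershell
# Added example, not from the deck: apply the deck's account flags to the built-in
# Administrator (RID 500) of every domain in the forest, verify them, and turn on
# auditing of account changes. The network-logon deny right and the member-server GPO
# are assumed to be set in GPMC.
Import-Module ActiveDirectory

function Get-BuiltinAdministrator {
    param([Parameter(Mandatory)][string]$Domain)
    # The built-in Administrator is always <domain SID>-500, whatever it has been renamed to
    $sid = '{0}-500' -f (Get-ADDomain -Identity $Domain).DomainSID.Value
    Get-ADUser -Identity $sid -Server $Domain `
        -Properties Enabled, SmartcardLogonRequired, AccountNotDelegated
}

function Protect-BuiltinAdministrator {
    param([Parameter(Mandatory)][string]$Domain)
    $admin = Get-BuiltinAdministrator -Domain $Domain
    # Flags from the deck: account disabled, smart card required for interactive logon,
    # account is sensitive and cannot be delegated
    Set-ADUser -Identity $admin -Server $Domain `
        -Enabled $false -SmartcardLogonRequired $true -AccountNotDelegated $true
    # Read it back so the report shows the effective state, not the intended one
    Get-BuiltinAdministrator -Domain $Domain |
        Select-Object @{ n = 'Domain'; e = { $Domain } }, SamAccountName, SID,
                      Enabled, SmartcardLogonRequired, AccountNotDelegated
}

foreach ($domain in (Get-ADForest).Domains) {
    Protect-BuiltinAdministrator -Domain $domain
}

# Audit and alert: record every change to user accounts on this DC (event 4738 "a user
# account was changed", 4722 enabled, 4725 disabled) so a SIEM rule can alert whenever
# the target account's SID ends in -500. For all DCs, set the same subcategory in the
# Default Domain Controllers Policy instead of per machine.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
```

Because the account is disabled rather than deleted, the slide’s emergency path stays open: re-enabling it is one audited change, which is exactly the event the alert rule should fire on.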

Takeaways
1. Identify and protect important systems/data first
2. Implement effective host defenses
   - Run standard users without local administrative access
   - Use multi-factor authentication
   - Anywhere Internet access and content is processed: deploy and configure EMET
   - Patch all OSes/applications
   - Start a creative destruction program
3. Protect important credentials and accounts
   - Isolate from risks of Internet and lower trust hosts
   - Implement least-privilege approaches

Cyber Security Capabilities
• Detecting Threats: advanced tools to find new attacks; deep expertise hunting for the DHA
• Innovative Mitigations: make the most of your existing assets; new approaches to counter threats
• Custom Solutions: specialized development team; applying SDL to your development
(Figure: Recovery & Mitigations, Sensors & Intelligence, Response & Investigation, Architecture & Advisory Workshops, Advanced Programs)

ACE Offerings: Comprehensive Approach
Security Program: Security Architect Led & Program Manager Supported

Infrastructure Security and Application Security offerings:
• Active Directory Security Assessment (ADSA)
• Application Penetration Testing
• ISO Security Assessment Service (ISAS)
• Infrastructure Security Design Review
• Public Key Infrastructure Security Assessment (PKISA)
• Enterprise PKI Framework
• Enterprise Host Security Assessment (EHSA)
• Dogfood Security Review
• Azure Application Security Assessment
• Application Security Program Development
• Application Security Training
• Application Security Assessment
• Application Security Architecture Assessment
• Application Privacy Assessment
• Vendor Maturity Assessment (VMA)
• Custom Infrastructure Design
• Custom Assessments
• Mobile Application Security Assessment
• Venture Integration (VI) Security Assessments
• Credential Protection Training and Design
• Custom Application Security Programs

Related Content
• SIA300: Ten Deadly Sins of Administrators about Windows Security
• SIA301: Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces
• SIA324: Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You
• SIA308: Antimalware Smackdown
• SIA309: Windows 8: Malware Resistant by Design

Track Resources
• www.microsoft.com/twc
• www.microsoft.com/security
• www.microsoft.com/privacy
• www.microsoft.com/reliability

Resources
• Connect. Share. Discuss.: http://northamerica.msteched.com
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.