How to be prepared for the next generation of malware Martin Zich, CISSP HPE Pointnext 24th Sep, MS Ignite 2018


Page 1

How to be prepared for the next generation of malware

Martin Zich, CISSP

HPE Pointnext

24th Sep, MS Ignite 2018

Page 2

Malware: a threat which is here to stay

Ransomware

Cryptoware/coin miners – cryptojacking

Adware

Banking trojan

Other malware to steal credentials, PII, and much more.


Page 3

What we keep finding at our clients

Page 4

Findings from the "field" - highlights

Many disconnected detection controls.

Alerts missing context.

Inability to detect/react to the unknown and take immediate action.

Missing or wrongly trained machine learning.

Lots of unwatched and unpatched current and legacy systems.

Lots of correct "paperwork" which differs from what is deployed.

Lots of victims of social engineering.

User education and training showing dubious outcomes.

Completely paralyzed environments.

Lack of visibility.

Page 5

Malware


We found completely paralyzed companies

They were looking for doubtful symptoms like:

Cryptojacking: CPU/power consumption rise, overheating, periodic unknown traffic, etc.

Ransomware: usually there was no need to watch for symptoms ... it was too late...

We found many victims of social engineering

Page 6

Defense-in-depth. Security in multiple layers.

Administrative – Technical – Physical

HW – Platforms – Applications

Page 7


1. Secure hardware base.

Page 8

Next-generation malware defense

Secure hardware base

Silicon root of trust with HPE Gen10 – Secure start base

Page 9

Next-generation malware defense

Secure hardware base for Azure Stack

HPE ProLiant Gen10 for Azure Stack – silicon root of trust

Page 10

Next-generation malware defense

2. Locked-down OS platform

Defending against the known "by design"

Secure configuration (hardening) – CIS benchmarks, STIGs, etc.

Page 11

Next-generation malware defense

2. Locked-down OS platform

Examples (Microsoft):

Microsoft Credential Guard

Windows Defender Application Control (WDAC)

Microsoft Device Guard

Microsoft Edge AppGuard

Windows S

Page 12

Next-generation malware defense

3. Blocking the known and blocking the most frequent threat vectors

At best, right away = without any need for a long analysis

Defending against specific threat vectors instead of specific threats

Previously unknown threats included (zero-day)

Page 13

Next-generation malware defense

3. Blocking the known and blocking the most frequent threat vectors

Example (Microsoft): Microsoft Exploit Guard

Attack Surface Reduction – Office rules, Script rules, Email rule

Controlled Folder Access

Network protection

Exploit Protection
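An added example (not from the deck) of how the three Exploit Guard controls listed on this slide can be audited and rolled out audit-first with the Defender cmdlets; it assumes an elevated PowerShell on a Windows 10 1709+ / Server 2019 host with Defender AV active, and the rule GUIDs are Microsoft's published ASR rule IDs for the slide's "Office rules", "Script rules" and "Email rule".

```powershell
# Added example, not from the deck: audit the Exploit Guard controls named on this slide
# and roll them out audit-first. Needs an elevated PowerShell on Windows 10 1709+ / Server 2019
# with Defender AV active. GUIDs are Microsoft's published ASR rule IDs; verify them against
# the current ASR reference before deploying.
$AsrRules = [ordered]@{
    'Office apps creating child processes'          = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Office apps creating executable content'       = '3B576869-A4EC-4529-8536-B80A7769E899'
    'JS/VBScript launching downloaded executables'  = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Potentially obfuscated scripts'                = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Executable content from email/webmail'         = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
}
# Numeric values Get-MpPreference returns for ASR actions and the two feature toggles
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
function Resolve-Action([int]$v) { if ($ActionName.ContainsKey($v)) { $ActionName[$v] } else { "$v" } }

function Get-ExploitGuardState {
    $p = Get-MpPreference
    $configured = @{}
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $configured[$p.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$p.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($name in $AsrRules.Keys) {
        $id = $AsrRules[$name]
        $state = if ($configured.ContainsKey($id)) { Resolve-Action $configured[$id] } else { 'Not configured' }
        [pscustomobject]@{ Control = "ASR: $name"; State = $state }
    }
    [pscustomobject]@{ Control = 'Controlled Folder Access'; State = (Resolve-Action $p.EnableControlledFolderAccess) }
    [pscustomobject]@{ Control = 'Network protection';       State = (Resolve-Action $p.EnableNetworkProtection) }
}

function Enable-ExploitGuardBaseline {
    param([switch]$Enforce)   # without -Enforce everything goes to AuditMode: logged, nothing blocked
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    }
    Set-MpPreference -EnableControlledFolderAccess $mode
    Set-MpPreference -EnableNetworkProtection $mode
}

Get-ExploitGuardState | Format-Table -AutoSize
# Enable-ExploitGuardBaseline            # audit first; review ASR audit events (Event ID 1122 in the
# Enable-ExploitGuardBaseline -Enforce   # Microsoft-Windows-Windows Defender/Operational log), then enforce
```

Running in audit mode for a couple of weeks shows which line-of-business applications the rules would have blocked, which is the "long analysis" the slide says should not be needed for the most frequent vectors but is still cheap insurance before enforcing.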

Page 14

Next-generation malware defense

4. Defending legacy and embedded

Turning on backported features

Secure configuration – hardening

Application whitelisting

Network/physical isolation – e.g. separate VLAN for legacy, air-gapped embedded

Page 15

Next-generation malware defense

4. Defending legacy and embedded

Microsoft environment, for example:

W8 Restricted Admin mode, backported to Windows 7 (extended support until January 14, 2020).

Group policies for SLA on e.g. SAM-R (net user, net group, etc.)

Disabling weak encryption types (RC4 with NTLM, SSLv1, 2, etc.)

Disabling SMBv1
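An added example (not from the deck) that audits the legacy hardening items on this slide read-only, so it can be run on a Windows 7 / 2008 R2 era host before anything is changed; the registry paths and values are the documented Windows settings, and the Kerberos RC4 check is a related item I added alongside the slide's NTLM point.

```powershell
# Added example, not from the deck: read-only audit of the legacy hardening items on this slide.
# Registry paths and values are the documented Windows settings; run from an elevated PowerShell.
# Absent keys report Pass=False because the OS default then applies; treat those as "verify".
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LegacyHardening {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $kerberos = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # SMBv1 on the server side; fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Pass = (-not $smb1); Value = $smb1 }

    # Restricted Admin RDP (backported to Windows 7 in KB2871997): DisableRestrictedAdmin = 0 enables it
    $ra = Get-RegValue $lsa 'DisableRestrictedAdmin'
    [pscustomobject]@{ Check = 'Restricted Admin mode enabled'; Pass = ($ra -eq 0); Value = $ra }

    # Remote SAM-R calls (what net user / net group query remotely): RestrictRemoteSAM holds an SDDL
    $sam = Get-RegValue $lsa 'RestrictRemoteSAM'
    [pscustomobject]@{ Check = 'Remote SAM access restricted'; Pass = [bool]$sam; Value = $sam }

    # NTLM: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
    $lm = Get-RegValue $lsa 'LmCompatibilityLevel'
    [pscustomobject]@{ Check = 'NTLMv2 only (LmCompatibilityLevel 5)'; Pass = ($lm -eq 5); Value = $lm }

    # Kerberos etype bitmask: 0x4 is RC4_HMAC_MD5; AES-only is 0x18 (AES128 0x8 + AES256 0x10)
    $etypes = Get-RegValue $kerberos 'SupportedEncryptionTypes'
    $rc4Off = ($null -ne $etypes) -and (($etypes -band 0x4) -eq 0)
    [pscustomobject]@{ Check = 'RC4 removed from Kerberos etypes'; Pass = $rc4Off; Value = $etypes }

    # Legacy SSL/TLS on the server side: off only when Enabled=0 and DisabledByDefault=1
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
        $key = Join-Path $schannel "$proto\Server"
        $en  = Get-RegValue $key 'Enabled'
        $dbd = Get-RegValue $key 'DisabledByDefault'
        [pscustomobject]@{ Check = "$proto server disabled"; Pass = ($en -eq 0 -and $dbd -eq 1)
                           Value = "Enabled=$en DisabledByDefault=$dbd" }
    }
}

Test-LegacyHardening | Format-Table -AutoSize
```

On legacy hosts, apply the SCHANNEL and Kerberos changes to a pilot group first, since older clients that only speak RC4 or TLS 1.0 stop authenticating or connecting once the server side is tightened.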

Page 16

Next-generation malware defense

5. Detection and stopping the unknown

Detect and block all of the unknown threat vectors (zero-day)

Train the "machine learning" well

Maintaining visibility and taking action over the whole environment

Page 17

Next-generation malware defense

5. Detection and stopping the unknown

Example (Microsoft): MS Intelligent Security Graph + various associated solutions

Page 18


Page 19

Intelligent Security Graph

Microsoft feeds its security solutions with information stored and processed in ISG:

Windows Defender AV – local ML portion + cloud-delivered protection

Windows Defender Advanced Threat Protection

Office 365 Advanced Threat Protection

Azure Advanced Threat Protection

API – getting your own context information, security profiles, taking active actions through the API

Page 20

Intelligent Security Graph – Windows Defender AV

Page 21

Intelligent Security Graph – API

Page 22

Intelligent Security Graph – API