2. What does CQURE do?
Consulting Services:
Extensive IT Security Audits and Penetration Tests of all kinds
Configuration Audit and Architecture Design
Social Engineering Tests
Advanced Troubleshooting and Debugging
Emergency Response Services
R&D & Publications
Trainings & Seminars:
Offline (mainly in New York or via our partners worldwide)
Online (you will hear more about it at the end of this Webinar)
4. To ensure the good quality of your experience:
1. If you have problems viewing the Webinar, try refreshing the page first or try another browser.
2. If problems persist, please let us know in the comment section or at info@cqureacademy.com.
3. If there is a connection or software problem, please look in your email inbox or at fb.com/cqure for instructions.
4. We will be taking questions at the end of the Webinar during the Q and A session, so write them down!
5. What can you expect today?
1. The BIG REVEAL of 12 skills that our CQURE team has identified as crucial to keep your IT safe in 2017.
2. Live demonstrations!
3. Tips on how to learn this stuff on your own.
4. A hacking challenge with a cool prize :)
5. Live Q&A with me and the CQURE Team.
6. You will get files of all the tools we will be using here!
6. What was your score in our Windows Security QUIZ? Share in the comment section!
7. According to the industry's statistics, by 2019 the market will need 6 million security professionals.
But only 4 to 5 million of them will have the needed qualifications.
*Source: Financial Times
9. #1 Skill: Machine Learning for Threat Protection
For example: What if we use a custom reflective PE Loader to create and run custom code?
10. #2A Skill: Incident Response Plan
Action list
In an emergency situation, it allows you to act reasonably and according to the plan
Increases the chances that evidence is gathered properly
Allows responsibilities for recovery to be defined
Discussions provide management with an understanding of security
Jump Bag: preserving evidence
Disk data: Disk2VHD, WinDD, FTK Imager
Memory dumps: DumpIT, Mdd, Mandiant tools, LiME, OSXPMem
Centralization of the event logs
Pre-incident steps: use Sysmon for better knowledge about processes and network
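The "pre-incident" Sysmon bullet above is the part an incident responder feels most when it is missing. The following is an added example, not CQURE's code or one of the tools handed out in the webinar: it reads Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events, flattens them into objects and flags processes launched from user-writable locations. It assumes Sysmon is installed with a configuration that logs both event types; the -ComputerName parameter is a stand-in for log centralization on servers whose events are not yet forwarded to a collector.

```powershell
# Added example, not CQURE's code. Summarises Sysmon process-creation (Event ID 1) and
# network-connection (Event ID 3) events so the "who started what, and what talked to whom"
# picture exists before an incident. Assumes Sysmon is installed and configured to log both.
function Get-SysmonActivity {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # query a remote server directly if its log is not forwarded yet
        [int]$Hours = 24,
        [int]$MaxEvents = 5000
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # Sysmon stores its fields as <EventData><Data Name="...">value</Data>; flatten them
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($evt.Id -eq 1) {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Host   = $ComputerName
                Type   = 'ProcessCreate'
                User   = $data['User']
                Image  = $data['Image']
                Parent = $data['ParentImage']
                Detail = $data['CommandLine']
            }
        } else {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                Host   = $ComputerName
                Type   = 'NetworkConnect'
                User   = $data['User']
                Image  = $data['Image']
                Parent = $null
                Detail = '{0}:{1} -> {2}:{3} ({4})' -f $data['SourceIp'], $data['SourcePort'],
                         $data['DestinationIp'], $data['DestinationPort'], $data['Protocol']
            }
        }
    }
}

# Processes started from locations a normal user can write to deserve a second look
function Find-UserWritablePathExecutions {
    param([Parameter(ValueFromPipeline)] $Activity)
    process {
        if ($Activity.Type -eq 'ProcessCreate' -and
            $Activity.Image -match '\\(AppData|Temp|Downloads|Public)\\') {
            $Activity
        }
    }
}

# Usage: most frequent images in the last hour, then suspicious launch locations
$activity = Get-SysmonActivity -Hours 1
$activity | Group-Object Image | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
$activity | Find-UserWritablePathExecutions | Format-Table Time, User, Image, Parent -AutoSize
```

Run it on a known-clean server first: the resulting baseline of images and parent/child pairs is what makes the same report useful during an incident, when the question is "what is new here".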
12. #3 Skill: Whitelisting
Code execution prevention
It is an absolute necessity, taking into consideration the current security trends
PowerShell is a new hacking tool
Scripting languages are the biggest threat
Ransomware can come in the form of a PowerShell script
Just Enough Administration: PowerShell should be blocked for users and limited for the helpdesk to the necessary commands
It is necessary to know what executes on your servers
Sysmon is perfect for this
AppLocker / DeviceGuard in audit mode
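"AppLocker in audit mode" only pays off if someone reads the audit events before flipping the policy to enforce. The following is an added example, not CQURE's code: it collects the AppLocker events from the EXE/DLL and MSI/Script logs and reduces them to one line per file, showing how often it ran, under which users, and whether the file is signed (and so a candidate for a publisher rule). It assumes an AppLocker policy is already applied in audit mode on the machine it runs on.

```powershell
# Added example, not CQURE's code. Event IDs 8003 (EXE/DLL) and 8006 (MSI/script) mean
# "was allowed to run but would have been blocked if the policy were enforced";
# 8004 and 8007 are real blocks once enforcement is switched on.
function Get-AppLockerAuditReport {
    param([int]$Days = 7)

    $logs  = 'Microsoft-Windows-AppLocker/EXE and DLL',
             'Microsoft-Windows-AppLocker/MSI and Script'
    $since = (Get-Date).AddDays(-$Days)

    $events = foreach ($log in $logs) {
        # Get-WinEvent reports an error instead of returning nothing when no events match
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004, 8006, 8007; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    }

    $rows = foreach ($evt in $events) {
        # AppLocker keeps its fields under <UserData><RuleAndFileData>
        $d = ([xml]$evt.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Outcome   = $(if ($evt.Id -in 8003, 8006) { 'WouldBlock' } else { 'Blocked' })
            User      = $d.TargetUser          # SID of the user who ran the file
            FilePath  = $d.FilePath
            FileHash  = $d.FileHash
            Publisher = $d.Fqbn                # fully qualified binary name; empty for unsigned files
            Rule      = $d.RuleName
        }
    }

    # One line per file: signed files can get a publisher rule, unsigned ones need a
    # hash or path rule, or should simply stay blocked
    $rows | Group-Object FilePath | ForEach-Object {
        [pscustomobject]@{
            FilePath = $_.Name
            Hits     = $_.Count
            Outcome  = ($_.Group.Outcome | Sort-Object -Unique) -join ','
            Users    = ($_.Group.User    | Sort-Object -Unique) -join ','
            Signed   = [bool]($_.Group[0].Publisher)
            Hash     = $_.Group[0].FileHash
        }
    } | Sort-Object Hits -Descending
}

# Usage: what would stop working on this server if the policy were enforced today?
Get-AppLockerAuditReport -Days 14 | Where-Object Outcome -like '*WouldBlock*' | Format-Table -AutoSize
```

Anything that shows up as WouldBlock with a legitimate business purpose gets a rule; anything unsigned in a user-writable path that nobody can explain is exactly what the whitelist is there to stop.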
13. #4 Skill: Privileged Access Management
Access Monitoring / Effective Access
We need to know who has access to what, and where
Access should be role driven
15. #5 Skill: Well done PKI Implementation
Pretty much every time we do an audit we see incorrectly implemented PKI
Certificates are or can be used in most modern services
Be aware of the newest security trends in the certificate services
Smart card logon can be bypassed
A private key that is not exportable is… exportable
CQURE discovery: SID-protected PFX files can be accessed by unauthorized users
17. Pass The Hash Technique
Diagram: Fred's Laptop (Fred's user session: user Fred, password hash A3D7…; malware session: user Administrator, password hash E1977…), Sue's Laptop (Sue's user session: user Sue, password hash C9DF…; malware user session: user Adm…, hash E1977), File Server (user Sue, hash C9DF).
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE'S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
18. #6 Hardware-based Credentials Protection
Virtual Secure Mode (VSM)
VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
VSM protects the VSM kernel and Trustlets even if the Windows Kernel is fully compromised
Requires processor virtualization extensions (e.g. VT-x, VT-d)
Implements Credential Guard: the derived credentials that the VSM-protected LSA Service gives to Windows are non-replayable
VSM runs the Windows Kernel and a series of Trustlets (Processes) within it
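The difference between Credential Guard being configured by policy and actually running is where most deployments stall, and it is what decides whether the Pass the Hash scenario on the previous slide still works against the machine. The following is an added example, not CQURE's code: it reads the documented Win32_DeviceGuard WMI class (Windows 10 / Server 2016) and turns its bit-valued properties into a readable status, together with the Secure Boot and hypervisor prerequisites. The property meanings in the comments are the documented ones; the check needs an elevated prompt for Confirm-SecureBootUEFI.

```powershell
# Added example, not CQURE's code. Reports whether Virtualization Based Security (VSM) and
# Credential Guard are configured and actually running on this machine.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection,
    # 5 = NX protections, 7 = mode-based execution control (MBEC)
    $props = @($dg.AvailableSecurityProperties)
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $cfg   = @($dg.SecurityServicesConfigured)
    $run   = @($dg.SecurityServicesRunning)

    # Confirm-SecureBootUEFI throws on legacy BIOS machines and when not elevated
    $secureBoot = 'Unknown'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbsState
        HypervisorSupport         = $props -contains 1
        SecureBootAvailable       = $props -contains 2
        SecureBootEnabled         = $secureBoot
        DmaProtection             = $props -contains 3
        CredentialGuardConfigured = $cfg -contains 1
        CredentialGuardRunning    = $run -contains 1
        HvciConfigured            = $cfg -contains 2
        HvciRunning               = $run -contains 2
    }
}

# Usage: "configured but not running" usually means a missing prerequisite
# (virtualization extensions disabled in firmware, no Secure Boot, or a pending reboot)
$status = Get-CredentialGuardStatus
$status | Format-List
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: derived credentials are not isolated yet.'
}
```

Collect this object from every domain-joined machine and the gaps in the hardware-based protection become a list rather than a guess.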
19. #7 Skill: PowerShell Level Master
PowerShell implements great automation (and is a hacking tool)
Some solutions are managed by PowerShell only (Nano, IoT)
Experience shows that administrators try to avoid it – especially those with great experience
There are so many custom modules available: PowerForensics, AccessControl etc.
You can create your own customized modules
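Slide 12's Just Enough Administration bullet and this slide's point about mastering PowerShell meet in one concrete artifact: a constrained endpoint. The following is an added example, not CQURE's code or one of the webinar's tools: it builds a JEA endpoint in which a helpdesk group can list services and restart two named ones, and nothing else, with every session transcribed. 'CONTOSO\Helpdesk', 'CONTOSO\jdoe', the service names and C:\JeaTranscripts are placeholder values; it assumes Windows PowerShell 5.0 or later and an elevated prompt on the managed server.

```powershell
# Added example, not CQURE's code. A Just Enough Administration endpoint for the helpdesk:
# a fixed set of commands, no language mode, and a transcript of every session.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'   # JEA looks for .psrc files here
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJea.psd1')
New-Item -ItemType Directory -Path 'C:\JeaTranscripts' -Force | Out-Null   # placeholder path

# Role capability: what a member of the role may see and run. Restart-Service is exposed
# only for the two listed services; any other -Name value is rejected by the endpoint.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'Helpdesk.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service' },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    ) `
    -VisibleFunctions 'Get-HelpdeskHealth' `
    -FunctionDefinitions @{
        Name        = 'Get-HelpdeskHealth'
        ScriptBlock = { Get-Service -Name Spooler, W32Time | Select-Object Name, Status, StartType }
    }

# Session configuration: RestrictedRemoteServer gives NoLanguage mode (no scripting, no
# arbitrary .NET calls), the virtual account runs the allowed commands with local admin
# rights on the caller's behalf, and transcripts give the incident response team a record.
New-PSSessionConfigurationFile -Path (Join-Path $moduleRoot 'Helpdesk.pssc') `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }   # placeholder group

Register-PSSessionConfiguration -Name 'Helpdesk' -Path (Join-Path $moduleRoot 'Helpdesk.pssc') -Force

# Check what a given helpdesk user would actually get before handing the endpoint over
Get-PSSessionCapability -ConfigurationName 'Helpdesk' -Username 'CONTOSO\jdoe' |   # placeholder user
    Select-Object Name, CommandType
```

A helpdesk member then connects with Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk and sees only the commands above; the user's own account never holds administrative rights on the server, which is what removes that account from the Pass the Hash chain shown earlier.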
20. #8 Skill: Learn How to Talk Security to Managers
Sad facts
Photo: the New York Times Magazine
27. Recap: Skills 1 - 6
#1 Skill: Machine Learning for Threat Protection
Implementation of the process execution prevention (AppLocker etc.)
#2A Skill: Incident Response Plan
#2B Skill: Malware Analysis Sandbox
#3 Skill: Whitelisting
#4 Skill: Privileged Access Management
#5 Skill: Working PKI Implementation
#6 Skill: Hardware-based Credentials Protection
28. Recap: Skills 7 - 12
#7 Skill: PowerShell Level Master
#8 Skill: Learn How to Talk Security to Managers
#9 Skill: Event Tracing For Windows
#10 Skill: Log Centralization
#11 Skill: Mastered Windows Server 2016
#12 Skill: Testing Yourself When You Can
29. Summary: Best Practices
Understanding is the key to security
Continuous vulnerability discovery
Context-Aware Analysis
Prioritization
Remediation and Tracking
Configuration reviews
Put on the Hacker’s Shoes
Prevention is the key to success
30. Additional Resources
Websites
Microsoft Virtual Academy
Ars Technica
The Register
The Hacker News
Dark Reading
Krebs on Security
Computer World
Threat Post
Beta News
Tech News World
Tech Crunch
ZDNet
Security Affairs
Computer Weekly
Network World
SC Magazine
Wired
Schneier on Security
Elie Bursztein
Books
‘Windows Internals’
‘Inside Windows Debugging’
‘Advanced Debugging for Windows’
‘Practical Malware Analysis’
‘Malware Analyst's Cookbook’
33. Key facts about the Advanced Windows Security Course For 2017:
1. ONCE A YEAR ONLY (each year it will be adjusted to meet the upcoming trends).
2. 12 Live Online Sessions with Paula and other experts from CQURE Academy (mostly Tuesday and Thursday, 7PM CEST / 1PM EST / 10AM PST).
3. Video recordings of sessions, slides, scripts & tools included.
4. Closed students group on Facebook (where you can exchange ideas and network).
5. Free access to CQURE Lab (where you will practice and do homework).
34. The course finishes with an exam.
If you pass (you get at least 70% of the answers correct) you will get our CQURE Academy CERTIFICATE:
Windows Security Master 2017
37. About the application process:
1. This is for professionals who've passed the intermediate level. We'll skip the fluff and go straight to the advanced stuff.
2. Admission is selective - to attend you need to APPLY.
3. We prioritize your skills and professional achievements, but also your attitude and how you can contribute to the group.
4. We'll be taking on board 200 students only (we did a soft launch at Microsoft Ignite and only 100 seats are still available).
5. If you apply before Monday midnight, you will secure a lower tuition fee of $1,900 (instead of $2850).
39. The Prize For Hackers Who Won Today's Challenge:
A free seat at "Advanced Windows Security Course For 2017" (worth $2,850!)