SlideShare a Scribd company logo

Gartner Security & Risk Management Summit 2018

Paula Januszkiewicz
Paula Januszkiewicz

Slides from Paula Januszkiewicz's session "Crouching Admin, Hidden Hacker: Techniques for Attacking and Securing Your Infrastructure"

Software
1 of 64
Download to read offline
Crouching Admin, Hidden Hacker: Techniques for Attacking and Securing Your Infrastructure @paulacqure @CQUREAcademy
● ● ● ● ● ● ● ●
I know the traffic rules…. I know the traffic rules….
Does it guarantee that I am a good driver?
We have the best security solutions…
…but the security landscape has changed.
Unmanaged & Mobile Clients Sensitive Workloads Cybersecurity Reference Architecture Intranet Extranet Azure Key Vault Azure Security Center • Security Hygiene • Threat Detection System Management + Patching - SCCM + Intune Microsoft Azure On Premises Datacenter(s) NGFW IPS DLP SSL Proxy Nearly all customer breaches Microsoft’s Incident Response team investigates involve credential theft 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR) IaaS/Hoster $ Windows 10 EPP - Windows Defender Office 365 ATP • Email Gateway • Anti-malware EDR - Windows Defender ATPMac OS Multi-Factor Authentication MIM PAMAzure App Gateway Network Security Groups Windows Information Protection AAD PIM Azure Antimalware Disk & Storage Encryption Endpoint DLP Shielded VMs SQL Encryption & Firewall Hello for Business Azure Information Protection (AIP) • Classification • Labelling • Encryption • Rights Management • Document Tracking • Reporting Enterprise Servers VPN VPN Domain Controllers VMs VMs Certification Authority (PKI) Incident Response Vulnerability Management Enterprise Threat Detection Analytics Managed Security Provider OMS ATA SIEM Security Operations Center (SOC) Logs & Analytics Active Threat Detection Hunting Teams Investigation and Recovery WEF SIEM Integration IoT Identity & Access 80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013) UEBA Windows 10 Security • Secure Boot • Device Guard • Credential Guard • Remote Credential Guard • Windows Hello Managed Clients Legacy Windows Office 365 Security Appliances Intune MDM/MAM Conditional Access Cloud App Security Information Protection Windows Server 2016 / 2019 Security Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, … Software as a Service Analytics & Reporting ATA Privileged Access Workstations Internet of Things ASM Lockbox Admin Forest
According to the industry’s statistics, by 2019 the market will need 6 mln security professionals. But only 4 to 5 million of them will have the needed qualifications.
DEFENDING AGAINST MODERN SECURITY THREATS SECURED DEVICES SECURED IDENTITIES INFORMATION PROTECTION THREAT RESISTANCE
What is the most successful path for the attack right now?
:) THE ANATOMY OF AN ATTACK Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs :) Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
User Lured to Malicious Site Device Infected with Malware HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs ceives il
“PASS THE HASH” ATTACKS Today’s security challenge
User: Adm... Hash:E1977 Fred’s Laptop Fred’s User Session User: Fred Password hash: A3D7… Sue’s Laptop Sue’s User Session Malware Session User: Administrator Password hash: E1977… Malware User Session User: Adm… Hash: E1977 User: Sue Hash: C9DF User: Sue Password hash: C9DF… File Server User: Sue Hash:C9DF 1 3 4 1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR 2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER 3. MALWARE INFECTS SUE’S LAPTOP AS FRED 4. MALWARE INFECTS FILE SERVER AS SUE 2
Virtual Secure Mode Virtual Secure Mode (VSM) Kernel Credential Guard Hypervisor Hardware Windows Kernel Apps VirtualTPM Hyper-Visor CodeIntegrity
Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion:OS greatlyhelpsus to protectsecrets
Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
DK = PBKDF2(PRF, Password, Salt, c, dkLen) Microsoft’s implementation: MSDCC2= PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16) Legend
The number of iterations in PBKDF2, it is configurable through the registry: HKEY_LOCAL_MACHINESECURITYCache DWORD (32) NL$IterationCount If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations) If the number is greater than 10240, it is the number of iterations (rounded to 1024)
LSASS.EXE MEMORY LSASRV.DLL G$BCKUPKEY_PREFERRED G$BCKUPKEY_940db612-ee8f-4a31-84b3-8f80c25be855 AD secret? HOW?! CQLsassSecretsDumper GoldenKey.pfx ? ? ? ? ? ? ?
DomainKey contains some GUID and 256-byte len secret – RSA?? Dude, look in the AD...
Legend The master password for KeePass files encrypted & stored as cipherText (80 bytes)
Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
Setting Group Policy Setting Registry Key Required * Digitally sign communications (always) – Enabled RequireSecuritySignature = 1 Not Required ** Digitally sign communications (always) – Disabled RequireSecuritySignature = 0 * The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”. ** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”. Server – Required Server – Not Required Client – Required Signed Signed Client – Not Required Signed* Not Signed** Effective behavior for SMB2/3: * Default for Domain Controller SMB traffic. ** Default for all other SMB traffic.
Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrative account, use gMSA
In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider CNG stores shared private keys in the %ALLUSERSPROFILE%Application DataMicrosoftCryptoKeys Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Are managed by Windows Process Activation Service that knows how to read secrets Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s security on Machine Keys (Local System)
Key learning points: ✓ The best operators won't use a component until they know how it breaks ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
For End User Security is a feeling Success lies in influencing the “feeling” of security
Control efficiency Risk severity/ Attacker Smartness/ Attack Efficiency Technology & Processes Awareness & Competence Automatic security controls – AV, Updates Technology + Human – Firewall configuration, Choosing a secure Wifi Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media The very smart attacker 1 2 3 4 People exaggerate risks that are spectacular or uncommon
Aircrafts have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for it’s machines or the doctors?
InformationSecurityFramework GovernanceManagement Context and Leadership Information Security Charter Culture and Awareness Information Security Organizational Structure Prevention Identity and Access Management Identity Security Data Security Hardware Asset Management Data Security & Privacy Infrastructure Security Network Security Evaluation and Direction Security Risk Management Security Strategy and Communication Security Policies Endpoint Security Malicious Code Application Security Cloud Security Vulnerability Management Cryptography Management Physical Security HR Security HR Security Change and Support Configuration and Change Management Vendor Management Compliance, Audit, and Review Security Compliance Management External Security Audit Internal Security Audit Management Review of Security Detection Security Threat Detection Log and Event Management Measurement Metrics Program Continuous Improvement Response and Recovery Security Incident Management Information Security in BCM Security eDiscovery and Forensics Backup and Recovery
ISO 27000 series CIS – Critical Security Controls COBIT 5 NIST SP800- 53 SECURITY FRAMEWORK Comprehensive standard providing best practices associated with each control Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations Comprised of a concise list of 20 controls and sub- controls for actionable cyber defence A process and principle structured security best practice framework Best-of-Breed Information Security Framework
1. Do we treat cyber security as a business or IT responsibility? 2. Do our security goals align with business priorities? 3. Have we identified and protected our most valuable processes and information? 4. Does our business culture support a secure cyber environment? 5. Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.) 6. Do we focus on security compliance or security capability? 7. Are we certain our third-party partners are securing our most valuable information? 8. Do we regularly evaluate the effectiveness of our security? 9. Are we vigilant and do we monitor our systems and can we prevent breaches? 10. Do we have an organized plan for responding to a security breach? 11. Are we adequately resourced and insured?
Understanding is the key to security Continuous vulnerability discovery Context-Aware Analysis Prioritization Remediation and Tracking Configuration reviews Put on the Hacker’s Shoes Prevention is the key to success
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018

Recommended

Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...Paula Januszkiewicz
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingPaula Januszkiewicz
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczZuzannaKornecka
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesZuzannaKornecka
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 

Recommended

Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...Paula Januszkiewicz
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingPaula Januszkiewicz
 
rsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczrsa_usa_2019_paula_januszkiewicz
rsa_usa_2019_paula_januszkiewiczZuzannaKornecka
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesZuzannaKornecka
 
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitBlack Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption ToolkitPaula Januszkiewicz
 
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017Paula Januszkiewicz
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral MovementsDaniel López Jiménez
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 

More Related Content

What's hot

DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017Paula Januszkiewicz
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral MovementsDaniel López Jiménez
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 

What's hot (20)

DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
DPAPI AND DPAPI-NG: Decryption toolkit. Black Hat 2017
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral Movements
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightning
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 

Similar to Gartner Security & Risk Management Summit 2018

Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiNathan Winters
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalProtecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalVinod Kumar
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
 
CyberArk Interview.pdf
CyberArk Interview.pdfCyberArk Interview.pdf
CyberArk Interview.pdfInfosec Train
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorunNimrod Levy
 

Similar to Gartner Security & Risk Management Summit 2018 (20)

Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pki
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalProtecting Your Key Asset – Data Protection Best Practices V2.0 Final
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
 
CyberArk Interview.pdf
CyberArk Interview.pdfCyberArk Interview.pdf
CyberArk Interview.pdf
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
 

More from Paula Januszkiewicz

rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedPaula Januszkiewicz
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro Paula Januszkiewicz
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017Paula Januszkiewicz
 

More from Paula Januszkiewicz (7)

rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hacked
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
 

Recently uploaded

Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 

Recently uploaded (20)

Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 

Gartner Security & Risk Management Summit 2018

  • 1. Crouching Admin, Hidden Hacker: Techniques for Attacking and Securing Your Infrastructure @paulacqure @CQUREAcademy
  • 2.
  • 4.
  • 5.
  • 6. I know the traffic rules…. I know the traffic rules….
  • 7. Does it guarantee that I am a good driver?
  • 8.
  • 9. We have the best security solutions…
  • 10. …but the security landscape has changed.
  • 11.
  • 12. Unmanaged & Mobile Clients Sensitive Workloads Cybersecurity Reference Architecture Intranet Extranet Azure Key Vault Azure Security Center • Security Hygiene • Threat Detection System Management + Patching - SCCM + Intune Microsoft Azure On Premises Datacenter(s) NGFW IPS DLP SSL Proxy Nearly all customer breaches Microsoft’s Incident Response team investigates involve credential theft 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR) IaaS/Hoster $ Windows 10 EPP - Windows Defender Office 365 ATP • Email Gateway • Anti-malware EDR - Windows Defender ATPMac OS Multi-Factor Authentication MIM PAMAzure App Gateway Network Security Groups Windows Information Protection AAD PIM Azure Antimalware Disk & Storage Encryption Endpoint DLP Shielded VMs SQL Encryption & Firewall Hello for Business Azure Information Protection (AIP) • Classification • Labelling • Encryption • Rights Management • Document Tracking • Reporting Enterprise Servers VPN VPN Domain Controllers VMs VMs Certification Authority (PKI) Incident Response Vulnerability Management Enterprise Threat Detection Analytics Managed Security Provider OMS ATA SIEM Security Operations Center (SOC) Logs & Analytics Active Threat Detection Hunting Teams Investigation and Recovery WEF SIEM Integration IoT Identity & Access 80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013) UEBA Windows 10 Security • Secure Boot • Device Guard • Credential Guard • Remote Credential Guard • Windows Hello Managed Clients Legacy Windows Office 365 Security Appliances Intune MDM/MAM Conditional Access Cloud App Security Information Protection Windows Server 2016 / 2019 Security Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, … Software as a Service Analytics & Reporting ATA Privileged Access Workstations Internet of Things ASM Lockbox Admin Forest
  • 13. According to the industry’s statistics, by 2019 the market will need 6 mln security professionals. But only 4 to 5 million of them will have the needed qualifications.
  • 14.
  • 16.
  • 17. What is the most successful path for the attack right now?
  • 18. :) THE ANATOMY OF AN ATTACK Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
  • 19. HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs :) Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
  • 20. User Lured to Malicious Site Device Infected with Malware HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs ceives il
  • 21.
  • 23. User: Adm... Hash:E1977 Fred’s Laptop Fred’s User Session User: Fred Password hash: A3D7… Sue’s Laptop Sue’s User Session Malware Session User: Administrator Password hash: E1977… Malware User Session User: Adm… Hash: E1977 User: Sue Hash: C9DF User: Sue Password hash: C9DF… File Server User: Sue Hash:C9DF 1 3 4 1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR 2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER 3. MALWARE INFECTS SUE’S LAPTOP AS FRED 4. MALWARE INFECTS FILE SERVER AS SUE 2
  • 24. Virtual Secure Mode Virtual Secure Mode (VSM) Kernel Credential Guard Hypervisor Hardware Windows Kernel Apps VirtualTPM Hyper-Visor CodeIntegrity
  • 25.
  • 26. Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
  • 27. Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion:OS greatlyhelpsus to protectsecrets
  • 28.
  • 29. Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
  • 30. There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
  • 31. DK = PBKDF2(PRF, Password, Salt, c, dkLen) Microsoft’s implementation: MSDCC2= PBKDF2(HMAC-SHA1, DCC1, username, 10240, 16) Legend
  • 32. The number of iterations in PBKDF2, it is configurable through the registry: HKEY_LOCAL_MACHINESECURITYCache DWORD (32) NL$IterationCount If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations) If the number is greater than 10240, it is the number of iterations (rounded to 1024)
  • 33.
  • 35. DomainKey contains some GUID and 256-byte len secret – RSA?? Dude, look in the AD...
  • 36.
  • 37. Legend The master password for KeePass files encrypted & stored as cipherText (80 bytes)
  • 38. Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
  • 39.
  • 40. Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
  • 41. Setting Group Policy Setting Registry Key Required * Digitally sign communications (always) – Enabled RequireSecuritySignature = 1 Not Required ** Digitally sign communications (always) – Disabled RequireSecuritySignature = 0 * The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”. ** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”. Server – Required Server – Not Required Client – Required Signed Signed Client – Not Required Signed* Not Signed** Effective behavior for SMB2/3: * Default for Domain Controller SMB traffic. ** Default for all other SMB traffic.
  • 42. Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
  • 43.
  • 44.
  • 45. Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrative account, use gMSA
  • 46.
  • 47. In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider CNG stores shared private keys in the %ALLUSERSPROFILE%Application DataMicrosoftCryptoKeys Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Are managed by Windows Process Activation Service that knows how to read secrets Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s security on Machine Keys (Local System)
  • 48. Key learning points: ✓ The best operators won't use a component until they know how it breaks ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55. For End User Security is a feeling Success lies in influencing the “feeling” of security
  • 56. Control efficiency Risk severity/ Attacker Smartness/ Attack Efficiency Technology & Processes Awareness & Competence Automatic security controls – AV, Updates Technology + Human – Firewall configuration, Choosing a secure Wifi Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media The very smart attacker 1 2 3 4 People exaggerate risks that are spectacular or uncommon
  • 57. Aircrafts have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for it’s machines or the doctors?
  • 58. InformationSecurityFramework GovernanceManagement Context and Leadership Information Security Charter Culture and Awareness Information Security Organizational Structure Prevention Identity and Access Management Identity Security Data Security Hardware Asset Management Data Security & Privacy Infrastructure Security Network Security Evaluation and Direction Security Risk Management Security Strategy and Communication Security Policies Endpoint Security Malicious Code Application Security Cloud Security Vulnerability Management Cryptography Management Physical Security HR Security HR Security Change and Support Configuration and Change Management Vendor Management Compliance, Audit, and Review Security Compliance Management External Security Audit Internal Security Audit Management Review of Security Detection Security Threat Detection Log and Event Management Measurement Metrics Program Continuous Improvement Response and Recovery Security Incident Management Information Security in BCM Security eDiscovery and Forensics Backup and Recovery
  • 59. ISO 27000 series CIS – Critical Security Controls COBIT 5 NIST SP800- 53 SECURITY FRAMEWORK Comprehensive standard providing best practices associated with each control Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations Comprised of a concise list of 20 controls and sub- controls for actionable cyber defence A process and principle structured security best practice framework Best-of-Breed Information Security Framework
  • 60. 1. Do we treat cyber security as a business or IT responsibility? 2. Do our security goals align with business priorities? 3. Have we identified and protected our most valuable processes and information? 4. Does our business culture support a secure cyber environment? 5. Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.) 6. Do we focus on security compliance or security capability? 7. Are we certain our third-party partners are securing our most valuable information? 8. Do we regularly evaluate the effectiveness of our security? 9. Are we vigilant and do we monitor our systems and can we prevent breaches? 10. Do we have an organized plan for responding to a security breach? 11. Are we adequately resourced and insured?
  • 61. Understanding is the key to security Continuous vulnerability discovery Context-Aware Analysis Prioritization Remediation and Tracking Configuration reviews Put on the Hacker’s Shoes Prevention is the key to success