12. Cybersecurity Reference Architecture (diagram)
Zones shown: Intranet, Extranet, Microsoft Azure, On Premises Datacenter(s), IaaS/Hoster, Software as a Service, Internet of Things (IoT), Unmanaged & Mobile Clients, Managed Clients, Sensitive Workloads, Enterprise Servers, VMs
Identity & Access: Multi-Factor Authentication, Hello for Business, AAD PIM, MIM PAM, Conditional Access, Privileged Access Workstations, Admin Forest, Certification Authority (PKI), Domain Controllers
Client security: Windows 10 (EPP - Windows Defender, EDR - Windows Defender ATP, Windows Information Protection, Endpoint DLP), Mac OS, Legacy Windows, Intune MDM/MAM, System Management + Patching - SCCM + Intune
Windows 10 Security: Secure Boot, Device Guard, Credential Guard, Remote Credential Guard, Windows Hello
Windows Server 2016 / 2019 Security: Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, …
Network / perimeter: NGFW, IPS, DLP, SSL Proxy, VPN, Azure App Gateway, Network Security Groups, Security Appliances
Azure & data protection: Azure Key Vault, Azure Security Center (Security Hygiene, Threat Detection), Azure Antimalware, Disk & Storage Encryption, Shielded VMs, SQL Encryption & Firewall, Azure Information Protection (AIP): Classification, Labelling, Encryption, Rights Management, Document Tracking, Reporting
Office 365 / SaaS: Office 365 ATP (Email Gateway, Anti-malware), Office 365 Security, Cloud App Security, Information Protection, Lockbox, ASM
Security operations: Security Operations Center (SOC): Logs & Analytics, Active Threat Detection, Hunting Teams, Investigation and Recovery; SIEM, SIEM Integration, WEF, OMS, ATA, UEBA, Analytics & Reporting, Enterprise Threat Detection, Incident Response, Vulnerability Management, Managed Security Provider
Call-outs on the diagram:
Nearly all customer breaches Microsoft’s Incident Response team investigates involve credential theft
63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)
80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
13. According to the industry’s statistics, by 2019 the market will need 6 million security professionals. But only 4 to 5 million of them will have the needed qualifications.
17. What is the most successful
path for the attack right now?
18. :)
THE ANATOMY OF AN ATTACK
Healthy Computer
User Receives Email
User Lured to Malicious Site
Device Infected with Malware
HelpDesk Logs into Device
Identity Stolen, Attacker Has Increased Privs
23. Pass-the-hash (diagram)
Fred’s Laptop
  Fred’s User Session: User: Fred, Password hash: A3D7…
  Malware Session: User: Administrator, Password hash: E1977…
Sue’s Laptop
  Sue’s User Session: User: Sue, Password hash: C9DF…
  Malware User Session: User: Adm…, Hash: E1977…
File Server
  User: Sue, Hash: C9DF…
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE’S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
26. Class names for keys from HKLM\SYSTEM\CCS\Control\Lsa
HKLM\SECURITY\Cache
HKLM\SECURITY\Policy\Secrets
27. Based on the following components:
Password, data blob, entropy
Is not prone to password resets!
Protects against outsiders even when they have offline access
Effectively protects user data
Stores the password history
You need to be able to get access to some of your passwords from the past
Conclusion: the OS greatly helps us to protect secrets
29. Faced with the attacks facilitated by pass-the-hash, we can only welcome the "salting" by the username.
A number of pre-computed tables exist for common users such as Administrator, facilitating attacks on these hashes.
30. There is actually not much of a difference from XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of SHA1 iterations, with the same salt as before (the username).
32. The number of iterations in PBKDF2 is configurable through the registry:
HKEY_LOCAL_MACHINE\SECURITY\Cache
DWORD (32) NL$IterationCount
If the number is less than 10240, it is a multiplier by 1024 (20 therefore gives 20480 iterations)
If the number is greater than 10240, it is the number of iterations (rounded to 1024)
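As an added illustration (not part of the original deck), the following Python turns the NL$IterationCount rule above into a function a defender can use to check what a registry value actually means, and shows the two properties the slides discuss: the username acts as the salt, so the same secret yields different values per account, and the iteration count sets the cost of every derivation. The secret input and 16-byte output are constructed placeholders, not a byte-exact reproduction of the Windows cached-logon record; how a value of exactly 10240 is treated and the direction of the rounding are assumptions, since the slide does not say.

```python
import hashlib
import time

# Interpretation rule for the NL$IterationCount DWORD, as given on the slide:
#   value < 10240  -> multiplier: effective iterations = value * 1024
#   value > 10240  -> used directly, rounded to a multiple of 1024
# Assumptions (the slide does not say): exactly 10240 is used as-is, and
# "rounded" means rounded down to the nearest multiple of 1024.
def effective_iterations(reg_value: int) -> int:
    if reg_value < 0 or reg_value > 0xFFFFFFFF:
        raise ValueError("NL$IterationCount is an unsigned 32-bit DWORD")
    if reg_value < 10240:
        return reg_value * 1024
    return reg_value - (reg_value % 1024)


def derive_cached_key(secret: bytes, username: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 with the lower-cased username (UTF-16LE) as salt.

    This mirrors the salting scheme the slides describe; the secret input and
    the 16-byte output length are illustrative, not the exact Windows format.
    """
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", secret, salt, iterations, 16)


def time_derivation(secret: bytes, username: str, iterations: int) -> float:
    """Seconds spent on one derivation; shows why raising the count matters."""
    start = time.perf_counter()
    derive_cached_key(secret, username, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed, not a real credential
    for reg in (10, 20, 10240, 65536, 1000000):
        print(f"NL$IterationCount={reg:>8} -> {effective_iterations(reg):>10} iterations")
    # Same secret, two usernames: the username salt yields different values,
    # so one precomputed table cannot cover every account.
    print("Administrator:", derive_cached_key(secret, "Administrator", 10240).hex())
    print("fred         :", derive_cached_key(secret, "fred", 10240).hex())
    for its in (10240, 20480, 1024 * 1024):
        print(f"{its:>8} iterations: {time_derivation(secret, 'fred', its):.3f} s")
```

Running the script prints the effective count for a few registry values and the wall-clock cost at increasing iteration counts; raising NL$IterationCount multiplies the attacker's cost per guess by the same factor it multiplies the legitimate logon's derivation time.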
38. Key learning points:
✓ gMSA can also be used for the attack
✓ Service accounts’ passwords are in the registry, available online and offline
✓ A privileged user is someone who has administrative access to critical systems
✓ Privileged users sometimes have more access than we think (see: SeBackupPrivilege or SeDebugPrivilege)
✓ Privileged users are able to read the SYSTEM and SECURITY hives from the registry
Warning! Enabling Credential Guard blocks:
x Kerberos DES encryption support
x Kerberos unconstrained delegation
x Extracting the Kerberos TGT
x NTLMv1
40. Key learning points:
✓ Set SPNs for services to avoid NTLM:
setspn -L <your service account for AGPM/SQL/Exch/Custom>
setspn -A <servicename>/<FQDN of hostname>/<FQDN of domain> <domain>\<serviceaccount>
✓ Reconsider using Kerberos authentication all over
https://technet.microsoft.com/en-us/library/jj865668.aspx
✓ Require SPN target name validation
Microsoft network server: Server SPN target name validation level
✓ Reconsider turning on SMB Signing
✓ Reconsider port filtering
✓ Reconsider code execution prevention, but do not forget that this attack leverages administrative accounts
41. SMB signing settings

Setting          Group Policy Setting                                 Registry Key
Required *       Digitally sign communications (always) – Enabled     RequireSecuritySignature = 1
Not Required **  Digitally sign communications (always) – Disabled    RequireSecuritySignature = 0

* The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”.
** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”.

Effective behavior for SMB2/3:
                        Server – Required    Server – Not Required
Client – Required       Signed               Signed
Client – Not Required   Signed*              Not Signed**

* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.
42. Key learning points:
Common file formats containing malware are:
✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc)
✓ .dll (Dynamic Link Libraries)
✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT,
COM, CMD etc)
✓ .docm, .xlsm etc. (Office Macro files)
✓ .other (LNK, PDF, PIF, etc.)
If SafeDllSearchMode is enabled, the search order is as follows:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment
variable
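To make the search order above concrete, here is an added Python model (not code from the deck) that resolves a DLL requested by name alone against a constructed directory layout, once with SafeDllSearchMode enabled (the order listed above) and once with it disabled. The disabled-mode order, where the current directory is searched right after the application directory, is taken from the Windows documentation and is not stated on the slide; the directory layout and the DLL name `helper.dll` are constructed for the example.

```python
from typing import Dict, List, Optional, Set


def dll_search_order(app_dir: str, system_dir: str, system16_dir: str,
                     windows_dir: str, current_dir: str, path_dirs: List[str],
                     safe_dll_search_mode: bool = True) -> List[str]:
    """Directory order in which a DLL given by name only is looked up."""
    if safe_dll_search_mode:
        # Order from the slide: the current directory drops to fifth place.
        return [app_dir, system_dir, system16_dir, windows_dir, current_dir, *path_dirs]
    # SafeDllSearchMode disabled (per Windows docs, not on the slide): the
    # current directory is searched right after the application directory.
    return [app_dir, current_dir, system_dir, system16_dir, windows_dir, *path_dirs]


def resolve_dll(name: str, order: List[str], contents: Dict[str, Set[str]]) -> Optional[str]:
    """Return the first directory in `order` holding `name` (case-insensitive), or None."""
    wanted = name.lower()
    for directory in order:
        if wanted in {f.lower() for f in contents.get(directory, set())}:
            return directory
    return None


# Constructed layout: a copy of a DLL that normally lives in System32 also
# sits in the current working directory (here a user's Downloads folder).
LAYOUT: Dict[str, Set[str]] = {
    r"C:\Program Files\App": {"app.exe"},
    r"C:\Windows\System32": {"helper.dll", "kernel32.dll"},
    r"C:\Users\fred\Downloads": {"helper.dll", "report.docm"},
}


def simulate(safe_dll_search_mode: bool) -> Optional[str]:
    """Which directory supplies helper.dll when app.exe is launched from Downloads?"""
    order = dll_search_order(
        app_dir=r"C:\Program Files\App",
        system_dir=r"C:\Windows\System32",
        system16_dir=r"C:\Windows\System",
        windows_dir=r"C:\Windows",
        current_dir=r"C:\Users\fred\Downloads",
        path_dirs=[r"C:\Tools"],
        safe_dll_search_mode=safe_dll_search_mode,
    )
    return resolve_dll("HELPER.DLL", order, LAYOUT)


if __name__ == "__main__":
    print("SafeDllSearchMode on :", simulate(True))
    print("SafeDllSearchMode off:", simulate(False))
```

With the setting enabled the system directory wins and the stray copy in Downloads is never consulted; with it disabled the copy in the current directory is loaded. Note that the application directory is first in both orders, so a writable application directory remains a risk regardless of this setting.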
45. Services
Store configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets
Must be stored locally, especially when domain credentials are used
Can be accessed when impersonating Local System
Their accounts should be monitored
If you cannot use gMSA or MSA, use a naming convention (svc_ prefix) for service accounts
Conclusion: Think twice before using an Administrative account; use gMSA
47. In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider
CNG stores shared private keys in %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys
Worker Processes (w3wp.exe)
Their identity is defined in Application Pool settings
Are managed by the Windows Process Activation Service, which knows how to read secrets
Passwords for the AppPool identity can be ’decrypted’ even offline
They are stored in encrypted form in applicationHost.config
Conclusion: IIS relies for its security on Machine Keys (Local System)
48. Key learning points:
✓ The best operators won't use a component until they know how it breaks
✓ Almost every solution has some ‘backdoor weakness’
✓ Some antivirus solutions can be stopped by SDDL modification for their services
✓ Configuration can be monitored by Desired State Configuration (DSC)
✓ DSC, if not configured properly, will not be able to spot internal service configuration changes
Example: how do I get to the password management portal?
55. For End User
Security is a feeling
Success lies in influencing the “feeling” of security
56. Control efficiency vs. risk (chart)
Axes: Control efficiency; Risk severity / Attacker smartness / Attack efficiency
Layers: Technology & Processes; Awareness & Competence
1. Automatic security controls – AV, Updates
2. Technology + Human – Firewall configuration, Choosing a secure Wifi
3. Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media
4. The very smart attacker
People exaggerate risks that are spectacular or uncommon
57. Aircraft have become more advanced, but does it mean that pilot training requirements have been reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
58. Information Security Framework
Governance / Management
  Context and Leadership: Information Security Charter; Culture and Awareness; Information Security Organizational Structure
  Evaluation and Direction: Security Risk Management; Security Strategy and Communication; Security Policies
  Compliance, Audit, and Review: Security Compliance Management; External Security Audit; Internal Security Audit; Management Review of Security
Prevention
  Identity and Access Management: Identity Security
  Data Security: Hardware Asset Management; Data Security & Privacy
  Infrastructure Security: Network Security; Endpoint Security; Malicious Code; Application Security; Cloud Security; Vulnerability Management; Cryptography Management; Physical Security; HR Security
  Change and Support: Configuration and Change Management; Vendor Management
Detection: Security Threat Detection; Log and Event Management
Measurement: Metrics Program; Continuous Improvement
Response and Recovery: Security Incident Management; Information Security in BCM; Security eDiscovery and Forensics; Backup and Recovery
59. SECURITY FRAMEWORK: Best-of-Breed Information Security Framework
ISO 27000 series: Comprehensive standard providing best practices associated with each control
NIST SP800-53: Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations
CIS – Critical Security Controls: Comprised of a concise list of 20 controls and sub-controls for actionable cyber defence
COBIT 5: A process and principle structured security best practice framework
60. 1. Do we treat cyber security as a business or IT responsibility?
2. Do our security goals align with business priorities?
3. Have we identified and protected our most valuable processes and information?
4. Does our business culture support a secure cyber environment?
5. Do we have the basics right? (For example, access rights, software patching,
vulnerability management and data leakage prevention.)
6. Do we focus on security compliance or security capability?
7. Are we certain our third-party partners are securing our most valuable
information?
8. Do we regularly evaluate the effectiveness of our security?
9. Are we vigilant and do we monitor our systems and can we prevent breaches?
10. Do we have an organized plan for responding to a security breach?
11. Are we adequately resourced and insured?
61. Understanding is the key to security
Continuous vulnerability discovery
Context-Aware Analysis
Prioritization
Remediation and Tracking
Configuration reviews
Put on the Hacker’s Shoes
Prevention is the key to success