1 / 19

Using EMET to defend against targeted attacks

Using EMET to defend against targeted attacks. Presented by Robert Hensing – Senior consultant – Microsoft Corporation Michael Mattes – senior consultant – Microsoft corporation. Who we are. Robert Hensing 15 year Microsoft employee TWC alum 5 year tour in MSRC Engineering – Defense team

halle
Download Presentation

Using EMET to defend against targeted attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using EMET to defend against targeted attacks Presented by Robert Hensing – Senior consultant – Microsoft Corporation Michael Mattes – senior consultant – Microsoft corporation

  2. Who we are • Robert Hensing • 15 year Microsoft employee • TWC alum • 5 year tour in MSRC Engineering – Defense team • Currently Developer Consultant in National Security Group practice • Michael Mattes • XX year Microsoft employee • Infrastructure consultant in NSG etc.

  3. Trustworthy Computing - Security Centers Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations) Conception Conception Microsoft Security Response Center (MSRC) Microsoft Security Engineering Center (MSEC) Ecosystem Strategy Product Life Cycle Product Life Cycle MSRC Ops SDL MSRC Engineering Security Assurance Security Science Release Release Microsoft Malware Protection Center (MMPC)

  4. The software vulnerability asymmetry problem Defender must fix all vulnerabilities in all software – attacker wins by finding and exploiting just one vulnerability Threats change over time – state-of-the-art in vulnerability finding and attack techniques changes over time Patch deployment takes time – vendor must offset risks to stability & compatibility, customer waits for servicing cycle Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.

  5. Exploit Economics Gains per use X Opportunities to use Cost to acquire vulnerability + Cost to weaponize Attacker Return = -

  6. Exploit Economics We can decrease Attacker Return if we are able to… Increase attacker investment required to find usable vulnerabilities • Remove entire classes of vulnerabilities where possible • Focus on automation to scale human efforts Increase attacker investment required to write reliable exploits • Build mitigations that add brittleness • Make exploits impossible to write completely reliably Decrease attacker’s opportunity to recover their investment • Shrink window of vulnerability • Fewer opportunities via artificial diversity • Enable rapid detection & suppression of exploit usage Desired Result: Usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable

  7. Exploit Economics Strategy – Step 1 Increase attacker investment required to find vulnerabilities

  8. Embedding security into software and culture • Tactics for Vulnerability Reduction • Remove entire classes of vulnerabilities • Security Tooling • Additional product features • Remove all currently findable vulnerabilities • Complete automation of tooling • SDL tools, Threat Modeling tool • Fuzzing toolsets + ways to streamline & improve triage • Tool overlays to increase signal-to-noise and focus attention on the right code • Verification & enforcement • Audit individual tool usage via process tools • Process tools required for SDL signoff - policy enforcement Ongoing Process Improvements

  9. Exploit Economics Strategy – Step 2 PREVENT RELIABLE EXPLOITATION OF vulnerabilities

  10. Embedding security into software and culture • Tactics to Frustrate Exploits • Reduce the surface we have to defend • Attack surface reduction • Design additional product mitigations • Make remaining vulnerabilities difficult or impossible to exploit • Build mitigations that add exploit brittleness Ongoing Process Improvements

  11. Digital Countermeasures • Improve system survivability against exploitation of unknown vulnerabilities • Three goals: • Increase attacker requirements – e.g. must be authenticated, local subnet only • Deterrent – no economically reliable exploit exists • Mitigation – Break 100% reliable universal exploits • Often must be combined together • Even when successful, the result is still impactful to the user

  12. Mitigation Approaches Utilize Knowledge Deficits • Utilize secrets such that guessing impairs exploit reliability • /GS: Protect stack buffers by checking random cookies placed between them and control structures • Function Pointer Encoding Artificial Diversity ASLR: Address Space Layout Randomization Enforce Invariants • Data Execute Protection (DEP) • Heap & pool metadata checks • SafeSEH / SEH Overwrite Protection (SEHOP)

  13. Memory Safety Mitigations Roadmap Stack /GS 1.0 /GS 1.1 /GS 2.0 EH4 SEHOP /GS 3.0 Heap / Pool Heap 1.0 Heap 2.0 HeapTerm Safe Unlinking Executable Code DEP /NXCOMPAT ASLR DEP+ATL DEP IE8 SEHOP IE9 DEP O14 2003 2005 2006 2007 2008 2004 2009 2010 2011

  14. Enhanced Mitigation Experience Toolkit (EMET) • Offers security mitigations for most software • Old applications • Third party software • Line of business applications • Brings newer security mitigations to older platforms • Provides exclusive security mitigations to block current exploit techniques

  15. Evolution of Emet mitigations • Mitigations in v2.0 • Mandatory ASLR • EAT Access Filtering • Heap Spray Allocation Mitigations in v1.0 • Dynamic DEP • SEHOP • NULL Page protection • Mitigations in v3.5 • Anti-ROP mitigations: • Caller Checks • Exec Flow Simulation • Stack Pivot Mitigation • Load Library Checks • Memory Protection Checks • Mitigations in v3.0 • 3 Protection Profiles • ADMX Files for Group Policy Management • EMET Notifier(alerts user when mitigations were enforced)

  16. MS12-037 – Internet explorer CVE-2012-1875 (SAME ID) • 0-day vulnerability being used in limited targeted attacks prior to bulletin release. • Vulnerability about as bad as it gets! • Remote Code Exec vulnerability in all versions of IE (at the time) and exploitable via a web page • Fixed by MS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037 • Standard mitigations in the bulletin were • Don’t open Office documents • Killbit the AX control in IE

  17. EMET vs. MS12-037 - CVE-2012-1875 (SAME ID)

  18. Call to action • Follow the Security Research and Defense bloghttp://blogs.technet.com/b/srd/ • Evaluate and Deploy EMET v3.5 or newer • Protect critical applications such as Internet Explorer, Firefox, Office, Adobe Acrobat etc • Monitor for EMET related events in the event log using System Center or other Enterprise monitoring software

  19. DEPLoyment and management via group policy

More Related