
Determined Human Adversaries: Mitigations

Jim Payne, Principal Security Relationship Manager, Microsoft CSS Security. Neil Carpenter, Principal Security Escalation Engineer, Global Incident Response & Recovery.


Presentation Transcript


  1. Determined Human Adversaries: Mitigations
     • Jim Payne, Principal Security Relationship Manager, Microsoft CSS Security
     • Neil Carpenter, Principal Security Escalation Engineer, Global Incident Response & Recovery

  2. Preface
     • This information is based on extensive experience by the CSS Security and Global Incident Response & Recovery teams working with customers who have experienced a directed attack.
     • It in no way implies or insinuates direct knowledge of what will occur, if anything.

  3. Attackers & Attacks
     • Cyber Crime
     • Ideological Movements
     • Organized Crime
     • Nation States
     • Economic Espionage
     • Military Espionage

  4. Cyber Security Attacks

  5. Commonly Reported
     • Distributed Denial of Service attack
     • Web Defacement
     • Determined Human Adversary / Directed Attack

  6. Denial of Service
     • Mitigate the impact (usually with dedicated hardware, and usually in conjunction with your Internet provider).
     • Use a CDN to scale out.
     • Move key properties to a more resilient platform, for example the cloud.
     • Customers should be ready with a strategy for handling a DDoS before it happens; otherwise, it's a lot of downtime and a lot of panic.

  7. Web Defacement
     • Develop secure code. SDL, SDL, SDL.
       • If the website is already deployed, it's quite likely that SDL was not used to develop it.
     • Make sure that everything is up to date: not just the OS, but any deployed frameworks and applications.
       • Compromises via 3rd party frameworks, such as ColdFusion, have been common lately.
     • Ensure that you are gathering the right data in case something does happen.
       • IIS logs: we see far too many customers who turn off IIS logging or disable key fields to save disk space. Disks are cheap; security compromises are not.
       • If you're using a reverse proxy, pass the real source IP address to the IIS server and/or maintain easily accessible proxy logs with all the needed information.
     • Have a plan if something happens.
       • Gather data before deleting or restoring content.
       • Preferably, plan to involve Microsoft CSS Security as soon as possible.
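The IIS logging point above is easy to verify before an incident. The following audit script is an added example, not part of the deck; it assumes IIS 8.5 or later (custom logging fields), the WebAdministration module, per-site W3C logging rather than centralized logging, and an elevated PowerShell session on the web server. It reports, per site, whether logging is on, which investigator-relevant W3C fields are missing, and whether the reverse proxy's X-Forwarded-For header is being captured.

```powershell
# Added audit example (not from the deck). Assumes IIS 8.5+ with the WebAdministration
# module, per-site W3C logging, and an elevated session. Read-only: it changes nothing.
Import-Module WebAdministration

# W3C logExtFileFlags names that incident responders routinely need.
$requiredFields = 'Date', 'Time', 'ClientIP', 'UserName', 'Method', 'UriStem', 'UriQuery',
                  'HttpStatus', 'HttpSubStatus', 'Win32Status', 'UserAgent', 'Referer',
                  'TimeTaken', 'ServerPort'

function Get-IisLoggingGaps {
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $logFile = $site.logFile
        # logExtFileFlags is a comma-separated string of enabled W3C fields.
        $enabled = $logFile.logExtFileFlags -split ',\s*'
        $missing = $requiredFields | Where-Object { $enabled -notcontains $_ }

        # IIS 8.5+ can log arbitrary request headers as custom fields; a reverse proxy
        # normally passes the real client address in X-Forwarded-For.
        $filter = "system.applicationHost/sites/site[@name='$($site.Name)']/logFile/customFields/add"
        $xff = Get-WebConfiguration -Filter $filter |
               Where-Object { $_.sourceType -eq 'RequestHeader' -and $_.sourceName -eq 'X-Forwarded-For' }

        [pscustomobject]@{
            Site             = $site.Name
            LoggingEnabled   = [bool]$logFile.enabled
            MissingFields    = ($missing -join ', ')
            LogsForwardedFor = [bool]$xff
        }
    }
}

Get-IisLoggingGaps | Format-Table -AutoSize
```

A site with LoggingEnabled false, a non-empty MissingFields column, or LogsForwardedFor false behind a proxy is exactly the gap the slide warns about.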

  8. Mitigations For Directed Attacks

  9. Overview of a Directed Attack
     • Attackers exploit a weakness to compromise a host (the initial attack vector), then:
       • Install malware for persistence and to automate their tasks
       • Elevate their privileges
       • Mine for useful credentials
       • Exfiltrate or delete data

  10. Initial Attack Vector
     • Mitigation:
       • Patching critical vulnerabilities is key. This needs to be done for all products: Microsoft infrastructure such as System Center Configuration Manager and WSUS can apply updates to Microsoft products, but they do not cover 3rd party products unless that 3rd party has published a manifest.
       • User education: cannot place enough emphasis on this.

  11. Install Malware
     • Mitigation:
       • Monitor your anti-virus/anti-malware solution carefully.
         • Ensure it is running on all machines in the environment.
         • Keep signatures up to date.
       • Use an application whitelisting approach such as AppLocker to help prevent the introduction of unwanted software.

  12. Elevate Privileges
     • Mitigation:
       • Users should not run as local admin on workstations.
       • Domain admins should never log on to workstations or member servers in the domain.
       • Use a group policy to remove the Logon Locally right for domain administrators from all machines except domain controllers.
       • Use hardened workstations to perform necessary administrative tasks.

  13. Mine for Useful Credentials
     • Mitigation:
       • Use unique passwords for the local administrator account on every host in your enterprise.
         • Better yet, disable this account entirely and monitor for attempted usage of it.
       • Limit service account privilege and monitor usage of these accounts.
         • Never run a service account as domain administrator or another privileged account.
         • Service accounts should have least privilege (no logon locally or logon via network, for example).
         • Where possible, use the LocalService and NetworkService accounts instead of LocalSystem.
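Slides 12 and 13 describe host-level settings a defender can check directly. The following audit script is an added example, not part of the deck; it assumes Windows PowerShell 5.1 or later, an elevated session on a domain-joined workstation or member server, and the default English group name "Domain Admins". It reports whether the built-in local Administrator is still enabled, whether Domain Admins carry "Deny log on locally" on this host (the effect of the group policy the slide recommends), and which services run as LocalSystem or under a named account that warrants a least-privilege review.

```powershell
# Added audit script (not from the deck). Assumes Windows PowerShell 5.1+, run elevated
# on a domain-joined workstation or member server with default English group names.
# Read-only: it collects findings and changes nothing.

function Get-AdminExposureFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # Slide 13: the built-in local Administrator (RID 500) should be disabled.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings.Add("Built-in local Administrator '$($builtin.Name)' is enabled")
    }

    # Slide 12: Domain Admins should be denied interactive logon everywhere except DCs.
    # DomainRole 4/5 = domain controller; secedit exports the effective local policy.
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -lt 4) {
        try {
            $da    = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")
            $daSid = $da.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $cfg   = Join-Path $env:TEMP 'secpol-audit.inf'
            secedit /export /cfg $cfg /quiet | Out-Null
            $deny = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1
            Remove-Item $cfg -ErrorAction SilentlyContinue
            if (-not $deny -or $deny.Line -notmatch [regex]::Escape($daSid)) {
                $findings.Add("Domain Admins are not assigned 'Deny log on locally' on this host")
            }
        } catch {
            $findings.Add("Could not resolve Domain Admins: $($_.Exception.Message)")
        }
    }

    # Slide 13: prefer LocalService/NetworkService over LocalSystem, and review any
    # service running under a named (domain or local) account for least privilege.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $acct = $svc.StartName
        if (-not $acct) { continue }
        if ($acct -eq 'LocalSystem') {
            $findings.Add("Service '$($svc.Name)' runs as LocalSystem; consider LocalService or NetworkService")
        } elseif ($acct -like '*\*' -and $acct -notlike 'NT AUTHORITY\*' -and $acct -notlike 'NT SERVICE\*') {
            $findings.Add("Service '$($svc.Name)' runs under '$acct'; verify it has least privilege")
        }
    }
    return $findings
}

Get-AdminExposureFindings | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it across a sample of workstations and member servers; an empty result on a member server means the Logon Locally restriction and local admin hardening from these two slides are in effect there.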

  14. Copy or Delete Data
     • Mitigation:
       • Define business-critical data and apply extra protections to that data in transit and in storage.
       • Implement a data classification scheme and introduce a policy so that all high business impact data is stored centrally and:
         • Encrypted at rest using rights management services
         • Segregated so that domain administrators cannot access it
         • Protected with IPsec to prevent network capture across the network
         • Backed up frequently; test restores; keep an offsite backup

  15. Defender's Dilemma
     • Patching
     • Limited Users
     • Domain Admins Log On To DCs Only
     • Application Control
     • Monitor & Respond To Anti-Malware
     • Protect Local Admin
     • Limit Service Privilege
     • Protect Data

  16. Questions?
     • Defender's Dilemma: the defender must protect against everything. The attacker only has to succeed with one.
     • Neil Carpenter, Principal Security Escalation Engineer, neilcar@Microsoft.com
     • Jim Payne, Principal Security Relationship Manager, jpayne@Microsoft.com
