ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain...
Transcript of ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain...
- Slide 4: Assume Breach + Prevent Breach
- Slide 7: Typical Attack Timeline & Observations (timeline figure, labels in order)
  - Research & Preparation
  - First Host Compromised
  - 24-48 hours later: Domain Admin Compromised
  - Data Exfiltration (attacker undetected)
  - 11-14 months later: Attack Discovered
- Slide 8: Privilege Escalation with Credential Theft (Typical), 24-48 hours
  1. Get in with a phishing attack (or other)
  2. Steal credentials
  3. Compromise more hosts & credentials (searching for Domain Admin)
  4. Get Domain Admin credentials
  5. Execute attacker mission (steal data, destroy systems, etc.)
  - Modern attack tools are easy/etc.
- Slide 13: Architecture diagram with labels: High Level OS (HLOS), Hypervisor, Isolated User Mode (IUM), LSASS, LSAIso
- Slide 14: Same architecture diagram with more detail. Labels: High Level OS (HLOS), Hypervisor, Isolated User Mode (IUM), LSASS, NTLM, Kerberos, LSAIso, NTLM support, Kerberos support, Boot Persistent Device Drivers, Clear secrets, IUM secrets. Note: MS-CHAPv2 and NTLMv1 are blocked.
- Slide 17: Tier model diagram (Tier 0, Tier 1, Tier 2) showing two attack paths
  1. Privilege escalation: credential theft, application agents, service accounts
  2. Lateral traversal: credential theft, application agents, service accounts
- Slide 19: Do these NOW!
- Slide 23: Roadmap diagram (labels as recovered)
  - IT Service Management
  - Administrative Forest
  - Domain and Forest Administration
  - Production Domain(s)
  - Domain and Forest Security Alerting
  - Servers, Apps, and Cloud Services
  - Hardened Hosts and Accounts
  - Privileged Account Management (PAM)
  - Admin Roles & Delegation
  - Admin Forest Maintenance
  - PAM Maintenance
  - Lateral Traversal Mitigations (Admin Process, Technology)
  - Domain and DC Hardening
  - OS, App, & Service Hardening
  - User, Workstations, and Devices
  - Integrate People, Process, and Technology
  - RDP w/Restricted Admin
  - Protected Users
  - Auth Policies and Silos
  - Admin Workstations
- Slide 24: Good / Better / Best
  - Good/Minimum:
    - Separate admin desktops and associated IT admin process changes
    - Separate admin accounts
    - Remove accounts from Tier 0 service accounts
    - Personnel: only DC maintenance, delegation, and forest maintenance
  - Better / Best:
    - Detection: Advanced Threat Analytics
    - Multi-factor authentication (smartcards, one-time passwords, etc.)
    - Just in Time (JIT) privileges: Privileged Access Management
    - Extensive overhaul of IT process and privilege delegation
    - Administrative forest (for AD admin roles in current releases)
    - Isolated User Mode (IUM)
    - Microsoft Passport and Windows Hello
- Slide 25: Good / Better / Best
  - Good/Minimum:
    - Separate admin accounts
    - Separate admin desktops
    - Associated IT admin process changes
    - Enforce use of RDP RestrictedAdmin mode
    - Local Administrator Password Solution (LAPS), or an alternate from PTHv1
  - Better / Best:
    - Detection: Advanced Threat Analytics
    - Multi-factor authentication (smartcards, one-time passwords, etc.)
    - Just in Time (JIT) privileges: Privileged Access Management
    - Extensive overhaul of IT process and privilege delegation
    - Isolated User Mode (IUM)
    - Microsoft Passport and Windows Hello
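Several of the Good/Minimum controls named in the slides above (RDP RestrictedAdmin mode, LAPS, Protected Users for Tier 0 accounts, Credential Guard's IUM/LSAIso) can be verified from the defender's side; the read-only PowerShell audit below is an added example, not code from the deck or from Microsoft's tooling. It assumes a domain-joined Windows host, the legacy LAPS (AdmPwd) policy rather than Windows LAPS, and the RSAT ActiveDirectory module for the last check; the function names are hypothetical.

```powershell
# Added example (not from the deck): read-only audit of controls the
# "Good/Minimum" tier names. Run elevated on a domain-joined Windows host.

function Test-RestrictedAdminRdp {
    # RestrictedAdmin mode is on only when DisableRestrictedAdmin exists and is 0.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRestrictedAdmin -eq 0)
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard lists running VBS services; 1 = Credential Guard (LSAIso).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and ($dg.SecurityServicesRunning -contains 1))
}

function Test-LegacyLapsPolicy {
    # Legacy LAPS (AdmPwd) is enabled by policy when AdmPwdEnabled = 1.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
        -Name AdmPwdEnabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.AdmPwdEnabled -eq 1)
}

function Get-Tier0NotInProtectedUsers {
    # Users in Domain Admins (a Tier 0 group) that are not in Protected Users.
    Import-Module ActiveDirectory -ErrorAction Stop
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
        Select-Object -ExpandProperty SamAccountName
}

$report = [ordered]@{
    'RDP RestrictedAdmin mode enabled'      = Test-RestrictedAdminRdp
    'Credential Guard (IUM/LSAIso) running' = Test-CredentialGuardRunning
    'Legacy LAPS policy enabled'            = Test-LegacyLapsPolicy
}
$report.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
'Domain Admins not in Protected Users:'
Get-Tier0NotInProtectedUsers
```

Every check is a read; a False result or a non-empty list of Tier 0 accounts is the gap to raise with the team that owns that control.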
- Slide 37:
  1. Implement mitigations now!
  2. Revamp your culture and support processes
  3. Plan to adopt Windows 10 features
- Slide 41: Shared-responsibility diagram with labels: Cloud service provider responsibility; Tenant responsibility
- Slide 42: Identity diagram with labels: Private Cloud Fabric; Identity; Infrastructure as a Service; On Premises Infrastructure; Federation and Synchronization; Single Identity