oft EMET - Information Systems Security...
A little about ITD…
Our Mission:
Your Safety
Your Mobility
Your Economic Opportunity
For more information: http://itd.idaho.gov
Intro
ITD’s Computing Environment
Approximately:
• 1600 Employees
• 2000 PCs
• Over 100 locations across Idaho
What is EMET?
Enhanced Mitigation Experience Toolkit
EMET anticipates the most common attack techniques attackers might use to exploit
vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and
invalidating those actions and techniques.*
* Quoted from EMET 5.1 Users guide
Why did ITD start looking at EMET?
1. ITD had a very specific, high caffeine program that was being hammered with zero day exploits that weren’t getting patched by the vendor. (Hint: an oracle couldn’t even tell us when patches were going to be released)
2. ‘Cause a few people who some might consider knowledgeable said it was a good idea for stopping exploits.
What is an exploit?
An exploit is a piece of code that uses software vulnerabilities to access
information on a computer or install malware. Exploits target
vulnerabilities in operating systems, web browsers, applications, or software components that are
installed on a computer. -Microsoft Security Intelligence Report, Volume 17
Exploits and Mitigations
What has been done to stop exploits?
• DEP – Since XP SP2
• ASLR – 64 bits of random goodness, since Vista SP1
• And even better together!* Nerdy moms choose...
*Caveat: Unless you have peanut allergies.
Are exploits that big of a problem?
Microsoft Security Intelligence Report, Volume 17 (2014)
Are exploits that big of a problem?
Cisco 2015 Annual Security Report
Do existing tools offer protection?
• Network Protection (IDS/IPS, Web Filter, NGFW)
– Offer some protection but may be limited by encryption
– Someone has to take a hit for the team
• Endpoint Protection
– Patching is most effective, but what about 0 day or patch lag?
– AV, although many AV products traditionally focus on just detecting exploit payloads
– Tools directly targeting exploit mitigation:
• App segregation/virtualization – Bromium, Invincea
• Anti Exploit – Malwarebytes AntiExploit, Microsoft EMET, PaloAlto Traps
• Host Intrusion Prevention Software
*Products listed are just examples - not an endorsement or recommendation on my part
“With a few notable exceptions, endpoint [AV] products are not providing adequate protection from exploits.” – NSS Labs Corporate AV/EPP Comparative Analysis – Exploit Protection 2013
Where does EMET fit?
• EMET:
– uses in-memory application behavior to stop memory based exploits BEFORE a PC is infected
– is geared towards disrupting 0-day exploits in Applications
– makes it easier to manage built in mitigations like DEP, ASLR, and SEHOP
– provides new mitigations for exploits that bypass DEP/ASLR
• EMET is not:
– AntiMalware/AV/HIPS
– signature based
– capable of detecting pre-installed malware
– a program that will prevent a local admin from installing malware attachments in emails (.scr files anyone?)
How does EMET stop exploits?
• System Mitigations – EMET aids in configuration:
– Data Execution Prevention (DEP)
– SEHOP
– ASLR
– Certificate Trust (Pinning)
• Application Specific Mitigations – EMET unique protections:
– DEP
– SEHOP
– Null Page
– HeapSpray
– EAF
– EAF+
– Mandatory ASLR
– BottomUp ASLR
– LoadLib (ROP)
– MemProt (ROP)
– Caller (ROP – 32 bit)
– SimExecFlow (ROP – 32 bit)
– StackPivot (ROP)
– ASR
• All Application Mitigation Settings:
– Stop on Exploit / Audit Only
– Deep Hooks (ROP)
– Anti Detours (ROP)
– Banned Functions (ROP)
How is EMET deployed?
• Deployed like any other enterprise software
– Test first (check out my demo later for some tips!)
– Rollout is well covered - Step by Step for Microsoft SCCM and GPO deployments
– Configuration can be managed through GPO add-ons or .xml file pushes and scripts
– Strongly recommend configuring reporting services BEFORE deployment
– Plan on updating at least once a year
Managing EMET
What has it done at ITD?
• EMET impacts approx. 10-20% of ITD PCs in a given month. Most mitigations are not seen by end users.
• On again off again love hate with the metrics:
– Indicators of malicious activity
– Indicators of user interference (false positives)
– What do the numbers mean?
[Chart: Total EMET Hits (axis 0–45,000) and Unique Machines Reporting EMET Events (axis 0–1000), by month]
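The two numbers in the chart come straight out of the EMET entries in the Windows event log. As an added example (not from the talk or from Microsoft), this PowerShell script rebuilds "Total EMET Hits" and "Unique Machines Reporting EMET Events" per month, and then lists the mitigation/process pairs that fire most often, which is the first thing to look at when separating false positives and configuration drift from real activity. It assumes EMET logs under the provider name 'EMET' in the Application log (ForwardedEvents on a WEF collector) and that the message text reads "EMET detected <Mitigation> mitigation ... <process>.exe"; confirm both against a machine that has actually fired an event before trusting the output.

```powershell
# Added example (not from the talk): monthly "Total EMET Hits" and
# "Unique Machines Reporting EMET Events" from the Windows event log.
# Assumptions to verify on your own build: EMET writes to the Application log
# under provider name 'EMET'; on a Windows Event Forwarding collector the
# same events land in ForwardedEvents, so pass -LogName ForwardedEvents there.
param(
    [string]$LogName  = 'Application',
    [string]$Provider = 'EMET',
    [int]$Months      = 6
)

$since  = (Get-Date).AddMonths(-$Months)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $Provider
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No '$Provider' events in '$LogName' since $since"
    return
}

# One row per month: hit count and number of distinct reporting hosts.
# MachineName is the originating host even after forwarding.
$byMonth = $events |
    Group-Object -Property { $_.TimeCreated.ToString('yyyy-MM') } |
    ForEach-Object {
        [pscustomobject]@{
            Month          = $_.Name
            TotalEmetHits  = $_.Count
            UniqueMachines = @($_.Group.MachineName | Sort-Object -Unique).Count
        }
    } | Sort-Object Month

$byMonth | Format-Table -AutoSize

# Triage aid for false positives / configuration drift: which mitigation fired
# in which process most often. The message wording is an assumption about
# EMET 5.x ('EMET detected <Mitigation> mitigation ... <process>.exe');
# adjust the patterns after reading a few real messages.
$events | ForEach-Object {
    if ($_.Message -match 'EMET detected (?<mit>\S+) mitigation') {
        $mit  = $Matches.mit
        $proc = if ($_.Message -match '(?<p>[\w.-]+\.exe)') { $Matches.p } else { 'unknown' }
        '{0} in {1}' -f $mit, $proc
    }
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

A pair such as "SimExecFlow in iexplore.exe" climbing month over month on many machines is the pattern behind the "IE starting April 22" observation later in the talk; a single machine producing most of the hits usually points at user interference rather than an attack.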
Any negative experiences?
• Can crash legitimate applications (DEP, ASR) – Testing! Testing! Testing!
• Technician acceptance
• Configuration drift
• Something happened with IE starting April 22 that SimExec doesn’t like
Any negative experiences?
• No central administration console! (rumored to change soon)
– Configuration tweaks are a challenge
– Challenges with metrics…
– …but a federal TLA has made getting them much easier!
• https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
• I can’t say enough about the value of this document – write the URL down!!!!
What excites me about EMET?
• Interesting opportunities for ASR customizations (Ever tried to disable Java in IE? Die old Java, DIE!)
• Cert pinning for internal servers annoys the pen testers (SSL/TLS MiTM no more workey)
• EMET can protect server processes (IIS, SMB, RDP) from memory based exploits too
• Keeping the watcher web filter/IDS honest
Looking Forward
Should I install EMET?
• Out of the box, EMET seems like a no brainer for:
– Home Computers
– Smaller organizations with minimal signature based protection tools and/or budget
– Computers with old OS and/or software vulnerable to memory exploits
• With lots of testing, EMET may be good for:
– Medium or large organizations with limited budget and enough time and staff to provide care, feeding, and reporting on EMET activity
Final Words
• Focus on things like NIST 800-53 or SANS top 20 controls – EMET isn’t a cure all.
• That new 0 day just announced – you just might already be protected
• If you have a specific piece of old software that you think/know is vulnerable – EMET can help. Mitigations aren’t limited to defaults.
• Realize that EMET takes time and management overhead. If you don’t have lots of time, a more enterprise focused anti-exploit solution might be a better option for you.
Questions? Resources and Credits
- Brian Krebs EMET Overview: http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
- Cisco 2015 Annual Security Report
- Microsoft EMET Mitigations and Guidelines: http://support.microsoft.com/kb/2909257
- Microsoft EMET Users Guide (Program Files Directory)
- Microsoft Security Intelligence Report, Volume 17, 2014
- NSA on Windows Event Log Analysis and Reporting: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
- NSS Labs Corporate AV/EPP Comparative Analysis – Exploit Protection, 2013
- Verizon Data Breach Investigation Report, 2014
And thanks to en.wikipedia.org and Microsoft Technet for data on several of the specific mitigations!
Have questions for me? brandenm at gmail dot com
There are 10 types of people in this world… Those who understand binary and those who do not.
Chuck Norris can get meaningful data from /dev/null