Microsoft EMET: an UPDATED view from the trenches
Branden Carter
May 14, 2015


A little about ITD…

Our Mission:

Your Safety

Your Mobility

Your Economic Opportunity

For more information: http://itd.idaho.gov

Section: Intro

ITD’s Computing Environment

Approximately:

• 1600 Employees

• 2000 PCs

• Over 100 locations across Idaho


What is EMET?

Enhanced Mitigation Experience Toolkit

EMET anticipates the most common attack techniques attackers might use to exploit vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques.*

* Quoted from the EMET 5.1 User's Guide


Why did ITD start looking at EMET?

1. ITD had a very specific, high caffeine program that was being hammered with zero day exploits that weren’t getting patched by the vendor. (Hint: an oracle couldn’t even tell us when patches were going to be released)

2. ‘Cause a few people who some might consider knowledgeable said it was a good idea for stopping exploits.


What is an exploit?

An exploit is a piece of code that uses software vulnerabilities to access information on a computer or install malware. Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on a computer. -Microsoft Security Intelligence Report, Volume 17

Section: Exploits and Mitigations

What has been done to stop exploits?

• DEP – Since XP SP2

• ASLR – 64 bits of random goodness – Since Vista SP1

Nerdy moms choose… And Even Better Together! *Caveat: Unless you have peanut allergies.


Are exploits that big of a problem?

Microsoft Security Intelligence Report, Volume 17 (2014)


Are exploits that big of a problem?

Cisco 2015 Annual Security Report


Are exploits that big of a problem?

2014 Verizon DBIR


Do existing tools offer protection?

• Network Protection (IDS/IPS, Web Filter, NGFW)
– Offer some protection but may be limited by encryption
– Someone has to take a hit for the team

• Endpoint Protection
– Patching is most effective, but what about 0 day or patch lag?
– AV, although many AV products traditionally focus on just detecting exploit payloads
– Tools directly targeting exploit mitigation:
  • App segregation/virtualization – Bromium, Invincea
  • Anti Exploit – Malwarebytes AntiExploit, Microsoft EMET, PaloAlto Traps
  • Host Intrusion Prevention Software

*Products listed are just examples - not an endorsement or recommendation on my part


“With a few notable exceptions, endpoint [AV] products are not providing adequate protection from exploits.” – NSS Labs Corporate AV/EPP Comparative Analysis – Exploit Protection 2013


Where does EMET fit?

• EMET:
– uses in-memory application behavior to stop memory based exploits BEFORE a PC is infected
– is geared towards disrupting 0-day exploits in Applications
– makes it easier to manage built in mitigations like DEP, ASLR, and SEHOP
– provides new mitigations for exploits that bypass DEP/ASLR

• EMET is not:
– AntiMalware/AV/HIPS
– signature based
– capable of detecting pre-installed malware
– a program that will prevent a local admin from installing malware attachments in emails (.scr files anyone?)


How does EMET stop exploits?

System Mitigations – EMET aids in configuration:
• Data Execution Prevention
• SEHOP
• ASLR
• Certificate Trust (Pinning)

Application Specific Mitigations – EMET unique protections:
• DEP
• SEHOP
• Null Page
• HeapSpray
• EAF
• EAF+
• Mandatory ASLR
• BottomUp ASLR
• LoadLib (ROP)
• MemProt (ROP)
• Caller (ROP – 32 bit)
• SimExecFlow (ROP – 32 bit)
• StackPivot (ROP)
• ASR

All Application Mitigation Settings:
• Stop on Exploit/Audit Only
• Deep Hooks (ROP)
• Anti Detours (ROP)
• Banned Functions (ROP)


How is EMET deployed?

• Deployed like any other enterprise software

– Test first (check out my demo later for some tips!)

– Rollout is well covered - Step by Step for Microsoft SCCM and GPO deployments

– Configuration can be managed through GPO add-ons or .xml file pushes and scripts

– Strongly recommend configuring reporting services BEFORE deployment

– Plan on updating at least once a year

Section: Managing EMET

What has it done at ITD?

• EMET impacts approx. 10-20% of ITD PCs in a given month. Most mitigations are not seen by end users.

• On again off again love hate with the metrics:
– Indicators of malicious activity
– Indicators of user interference (false positives)
– What do the numbers mean?

[Chart: Total EMET Hits per month (y-axis 0 to 45,000)]

[Chart: Unique Machines Reporting EMET Events per month (y-axis 0 to 1000)]
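As an added example (not ITD's tooling or anything from the deck), here is a small Python script that turns an exported list of EMET mitigation events into the two numbers the charts above plot (total hits and unique machines per month) and flags process/mitigation pairs tripping on many machines, which is the footprint of an application-compatibility false positive rather than malicious activity. The CSV column layout, the sample rows and the machine-count threshold are constructed assumptions.

```python
"""Aggregate exported EMET mitigation events into monthly hit/machine counts
and flag likely compatibility false positives. Added example, not ITD's tooling."""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample export (assumption): EMET Application-log events reduced
# to these columns. A real export needs its own column mapping.
SAMPLE_EXPORT = """timestamp,computer,process,mitigation
2015-04-22T08:01:10,PC-001,iexplore.exe,SimExecFlow
2015-04-22T08:03:44,PC-002,iexplore.exe,SimExecFlow
2015-04-23T09:15:02,PC-003,iexplore.exe,SimExecFlow
2015-04-23T11:40:19,PC-001,iexplore.exe,SimExecFlow
2015-04-27T14:02:55,PC-004,iexplore.exe,SimExecFlow
2015-04-28T16:30:00,PC-009,java.exe,ASR
2015-05-04T10:12:31,PC-017,AcroRd32.exe,StackPivot
2015-05-04T10:12:32,PC-017,AcroRd32.exe,EAF
2015-05-06T13:55:08,PC-021,winword.exe,HeapSpray
"""

def parse_events(text):
    """Parse the CSV export into a list of dicts, one per EMET event."""
    return list(csv.DictReader(io.StringIO(text)))

def monthly_metrics(events):
    """Return {YYYY-MM: (total_hits, unique_machines)}."""
    hits = Counter()
    machines = defaultdict(set)
    for e in events:
        month = e["timestamp"][:7]
        hits[month] += 1
        machines[month].add(e["computer"])
    return {m: (hits[m], len(machines[m])) for m in hits}

def suspected_false_positives(events, min_machines=3):
    """Process/mitigation pairs seen on at least min_machines machines.
    The threshold is a heuristic (assumption): one legitimate app tripping
    the same mitigation fleet-wide usually means incompatibility, not attack."""
    by_pair = defaultdict(set)
    for e in events:
        by_pair[(e["process"], e["mitigation"])].add(e["computer"])
    return sorted((p, m, len(s)) for (p, m), s in by_pair.items()
                  if len(s) >= min_machines)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for month, (total, uniq) in sorted(monthly_metrics(evs).items()):
        print(f"{month}: {total} hits, {uniq} unique machines")
    for proc, mit, n in suspected_false_positives(evs):
        print(f"review: {proc}/{mit} tripped on {n} machines")
```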


Any negative experiences?

• Can crash legitimate applications (DEP, ASR) – Testing! Testing! Testing!

• Technician acceptance

• Configuration drift

• Something happened with IE starting April 22 that SimExec doesn’t like


Any negative experiences?

• No central administration console! (rumored to change soon)
– Configuration tweaks are a challenge
– Challenges with metrics…
– …but a federal TLA has made getting them much easier!
  • https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
  • I can’t say enough about the value of this document – write the URL down!!!!


What excites me about EMET?

• Interesting opportunities for ASR customizations (Ever tried to disable Java in IE? Die old Java, DIE!)

• Cert pinning for internal servers annoys the pen testers (SSL/TLS MiTM no more workey)

• EMET can protect server processes (IIS, SMB, RDP) from memory based exploits too

• Keeping the watcher web filter/IDS honest

Section: Looking Forward

Should I install EMET?

• Out of the box, EMET seems like a no brainer for:
– Home Computers
– Smaller organizations with minimal signature based protection tools and/or budget
– Computers with old OS and/or software vulnerable to memory exploits

• With lots of testing, EMET may be good for:
– Medium or large organizations with limited budget and enough time and staff to provide care, feeding, and reporting on EMET activity


Final Words

• Focus on things like NIST 800-53 or SANS top 20 controls – EMET isn’t a cure all.

• That new 0 day just announced – you just might already be protected

• If you have a specific piece of old software that you think/know is vulnerable – EMET can help. Mitigations aren’t limited to defaults.

• Realize that EMET takes time and management overhead. If you don’t have lots of time, a more enterprise focused anti-exploit solution might be a better option for you.


Questions? Resources and Credits

-Brian Krebs EMET Overview- http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
-Cisco 2015 Annual Security Report-
-Microsoft EMET Mitigations and Guidelines- http://support.microsoft.com/kb/2909257
-Microsoft EMET Users Guide (Program Files Directory)-
-Microsoft Security Intelligence Report, Volume 17, 2014-
-NSA on Windows Event Log Analysis and Reporting- https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
-NSS Labs Corporate AV/EPP Comparative Analysis – Exploit Protection, 2013-
-Verizon Data Breach Investigation Report, 2014-

And thanks to en.wikipedia.org and Microsoft Technet for data on several of the specific mitigations!

Have questions for me? brandenm at gmail dot com

There are 10 types of people in this world… Those who understand binary and those who do not.

Chuck Norris can get meaningful data from /dev/null