Premediation: The Art of Proactive Remediation
Matthew McWhirt, Senior Manager; Manfred Erjak, Principal Consultant
October 1-4, 2018, Washington, D.C.

Agenda
  - Overview
  - Case Study
  - Remediation Overview
  - Premediation
  - Q&A

Introductions
  Matthew McWhirt, Senior Manager, Mandiant Security Transformation Services (STS)
    matthew.mcwhirt@mandiant.com, linkedin.com/in/matthew-mcwhirt-9031214/
  Manfred Erjak, Principal Consultant, Mandiant Security Transformation Services (STS)
    manfred.erjak@mandiant.com, linkedin.com/in/itsecuritysolutions
While breaches are inevitable...
...impactful breaches are preventable.
Case Study: What Happens During a Breach
  - Phishing
  - Credential compromise
  - Backdoor implanted on VDI (persistence)
  - Internal reconnaissance
  - Credential dumping
  - Webshell placed on a DMZ server
  - Lateral movement to specific systems
  (Attack lifecycle: Initial Recon > Initial Compromise > Establish Foothold > Escalate Privileges > Internal Recon > Move Laterally > Maintain Presence > Complete Mission)

Case Study: Quick Eradication
  - Blocked network-based indicators (NBIs)
  - Removed backdoors
  - Removed webshells
  - Rebuilt VDI servers
  - Implemented MFA for external VDI and OWA access
  - Targeted password reset
  - Local Administrator Password Solution (LAPS)
2 Months later
Case Study: Re-Compromised
  - Access to OWA (bypassing MFA)
  - Incomplete password reset
  - Another wave of phishing
  - VDI OTP sent via email, accessed by the attacker using OWA
  - Login to VDI (username / password / OTP)
  - Credential dumping
  - Lateral movement to specific systems

Case Study: Full Remediation
  - Enterprise password reset
  - Enhanced visibility and detection: endpoint, network
  - Network architecture review and hardening: internal, external

Case Study: Full Remediation (continued)
  - Privileged account management and usage
  - Tiered architecture for privileged account usage
  - Reduction in scope of privileged accounts
  - MFA implementation review and redesign
  - Full LAPS implementation
/pre·me·di·a·tion/

Remediation Stage: Posturing
  - Visibility and detection enhancements
  - Asset management
  - Critical data and asset mapping
  - Hardening
  - Preparation and planning: planning for execution of the next stages
  (Remediation cycle: Posturing > Containment > Eradication > Strategic Enhancements)

Remediation Stage: Containment
  - Tactical, short-term mitigation actions
  - Critical system and data isolation

Remediation Stage: Eradication
  - Removing the attacker from the environment
  - Hardening the environment
  - Preventing the attacker from regaining access

Remediation Stage: Strategic Enhancements
  - Longer-term security enhancements
  - Additional technical and process improvements
  - Adaptive risk management
Premediation: General Posturing
  - Visibility and detection: identify gaps (endpoint, network)
  - Crown jewels: asset management, critical asset and data mapping
  - Ingress / egress points
  - Scanning and enumeration

Premediation: General Posturing (continued)
  - Vulnerability management / patching
  - Logging: domain controllers / servers, end-user devices, PowerShell, DNS, VPN, network proxy servers, load balancers
Premediation: Network Segmentation
  Segmenting the network based on the label or classification level of the information:
  - Systems containing PCI, PII, or HIPAA data
  - Servers of different security classifications
  - Servers and workstations
  - Workstations within different regions, offices, or business units
  Classical segmentation: VLANs, L3 ACLs, firewalls
  SDN micro-segmentation: VMware NSX, Cisco ACI

Premediation: Network Segmentation (continued)
  - Protect critical intellectual property from unauthorized applications or users
  - Reduce the exposure of vulnerable systems
  - Prevent lateral movement throughout the network by attackers and by automated malware (WannaCry)
Premediation: Endpoint Review and Hardening
  - Scope of OS
  - Endpoint technologies: deployment of endpoint protection / detection tools
  - System-to-system communication restrictions: firewalls, Layer 3 ACLs, RDP restrictions
  - MS Office hardening controls: macros and OLE, DDE / auto-download of content

Premediation: Endpoint Review and Hardening (continued)
  - Egress restrictions: workstations / laptops; servers / DCs / critical assets
  - Local administrative permissions: KB2871997, S-1-5-114 (NT AUTHORITY\Local account and member of Administrators group)
  - Local administrator passwords
  - Remote access
  - Application whitelisting
Premediation: Active Directory Review and Hardening
  - Forest architecture and trusts: types of trusts, scope of services in each domain, trust protections
  - RODCs vs writable DCs: RODC Password Replication Group
  - Operational processes and monitoring: GPOs, administration models, remote administration, logging / monitoring / alerting

Premediation: Active Directory Review and Hardening (continued)
  - Account and credential management: password policies, privileged accounts, service accounts (SPNs), delegated accounts
  - Kerberos authentication policies
  - WDigest (KB2871997) / TokenLeakDetectDelaySecs
  - LSA Protected Process / Credential Guard
  - MFA / PAM
  - KRBTGT resets*
Premediation: Privileged Account Management
  Tiered architecture model (reference: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)
  - Tier 0: Forest / Domain Admins, admin workstation, domain controllers
  - Tier 1: Server admins, admin workstation, servers
  - Tier 2: Workstation admins, admin workstation, workstations
  Logon between tiers:
  - Same-tier logon: permitted
  - Higher-tier logon: blocked
  - Lower-tier logon: only as required by role
  Supporting controls: jump boxes / PAWs, MFA, GPOs to restrict privileged account usage, Protected Users group, Restricted Admin RDP, cached credentials, DSRM (writable DCs vs RODCs), separate VPN profiles for admins
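The S-1-5-114 deny-logon control (KB2871997) and the tier logon restrictions above are both implemented as "Deny ..." user-rights assignments pushed by GPO. The following script, added here as an example and not part of the presentation, exports the effective local user-rights policy with secedit and reports which deny rights are missing; the tier group SIDs passed in are placeholders, and it assumes an elevated session on a domain-joined host.

```powershell
# Audit the "Deny ..." user rights that implement tier logon restrictions and the
# KB2871997 S-1-5-114 control. Added example; group SIDs below are placeholders.
function Get-DenyLogonRights {
    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
                # Values are comma-separated SIDs prefixed with '*' (or plain names).
                $rights[$Matches[1]] = ($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        return $rights
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Test-TierLogonRestrictions {
    param(
        # SIDs of the admin groups that must NOT be able to log on to THIS host,
        # e.g. on a Tier 2 workstation: the Tier 0 and Tier 1 admin groups.
        [string[]]$DenyGroupSids
    )
    $rights   = Get-DenyLogonRights
    $findings = @()
    # KB2871997: local accounts in Administrators (S-1-5-114) should be denied
    # network and remote interactive logon so a dumped local hash cannot be reused.
    foreach ($r in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        if (-not ($rights[$r] -contains 'S-1-5-114')) {
            $findings += "$r does not include S-1-5-114 (local admin accounts)"
        }
    }
    # Tiering: higher-tier groups are denied every logon type on lower-tier hosts,
    # so their credentials never land in memory on a less trusted system.
    $all = 'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight',
           'SeDenyRemoteInteractiveLogonRight', 'SeDenyBatchLogonRight',
           'SeDenyServiceLogonRight'
    foreach ($sid in $DenyGroupSids) {
        foreach ($r in $all) {
            if (-not ($rights[$r] -contains $sid)) { $findings += "$r is missing $sid" }
        }
    }
    return $findings   # empty array = host matches the expected restrictions
}

# Usage on a Tier 2 workstation (placeholder SIDs for the Tier 0 / Tier 1 admin groups):
Test-TierLogonRestrictions -DenyGroupSids 'S-1-5-21-PLACEHOLDER-T0', 'S-1-5-21-PLACEHOLDER-T1'
```

Run it per host class (DC, server, workstation) with the SIDs that should be denied there; a non-empty result is a tiering gap to fix in the GPO, not on the host.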
Credential Artifacts on Endpoints
  When are credentials stored in memory on destination endpoints?
  - Interactive logon
  - Remote Desktop (RDP) logon
  - PsExec with explicit credentials
  - Batch logon (scheduled tasks)
  - Running services
  - RunAs (new credentials)
  - PowerShell CredSSP
  Can be controlled via GPO settings
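The WDigest / TokenLeakDetectDelaySecs, LSA Protected Process, Credential Guard, Restricted Admin and cached-credential controls from the two preceding slides each leave a registry footprint. This audit script is an added example, not the presentation's own material; expected values follow Microsoft's guidance for those controls, and it assumes an elevated session on the host being checked.

```powershell
# Report the registry state of the credential-protection controls discussed above.
# Added example; run elevated. A flag alone does not prove Credential Guard is running:
# confirm with Win32_DeviceGuard (SecurityServicesRunning contains 1).
function Get-CredentialHardeningState {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wlog = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Read one value, returning $null when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $p) { return $p.$Name } else { return $null }
    }

    # Each check: control name, observed value, and a scriptblock deciding pass/fail.
    $checks = @(
        @{ Name = 'WDigest UseLogonCredential (0 = no plaintext creds in LSASS)'
           Value = Read-Value $wdig 'UseLogonCredential'
           Pass  = { param($v) $v -eq 0 } },   # absent = enabled on pre-8.1 / pre-2012 R2
        @{ Name = 'TokenLeakDetectDelaySecs (KB2871997, 30 recommended)'
           Value = Read-Value $lsa 'TokenLeakDetectDelaySecs'
           Pass  = { param($v) $null -ne $v -and $v -le 30 } },
        @{ Name = 'RunAsPPL (LSA Protected Process, 1 = on)'
           Value = Read-Value $lsa 'RunAsPPL'
           Pass  = { param($v) $v -eq 1 } },
        @{ Name = 'LsaCfgFlags (Credential Guard, 1 or 2 = on)'
           Value = Read-Value $lsa 'LsaCfgFlags'
           Pass  = { param($v) $v -in 1, 2 } },
        @{ Name = 'DisableRestrictedAdmin (0 = Restricted Admin RDP allowed)'
           Value = Read-Value $lsa 'DisableRestrictedAdmin'
           Pass  = { param($v) $v -eq 0 } },
        @{ Name = 'CachedLogonsCount (keep low on servers / DCs)'
           Value = Read-Value $wlog 'CachedLogonsCount'
           Pass  = { param($v) $null -ne $v -and [int]$v -le 2 } }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Control = $c.Name
            Value   = if ($null -eq $c.Value) { '<not set>' } else { $c.Value }
            Status  = if (& $c.Pass $c.Value) { 'OK' } else { 'REVIEW' }
        }
    }
}

Get-CredentialHardeningState | Format-Table -AutoSize
```

Any REVIEW row is a setting to push (or verify) through the GPO that the slide refers to, rather than to change by hand on the endpoint.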
Premediation: Azure / O365 Review and Hardening
  - On-prem / Azure synchronization
  - ADFS security configuration
  - Privileged management for Azure
  - MFA requirements: users and administrators
  - AZUREADSSOACC decryption key change (Seamless SSO)
  - Conditional Access (users and admins)
  - Logging and monitoring: O365 mailbox logging

Premediation: Containment and Eradication Posturing
  Playbooks and tested processes to support common containment and eradication actions:
  - Containing and isolating key systems
  - Blocking of network indicators: IP addresses, domains, email
  - Searching and blocking for host-based indicators: EDR, AV
  - Rebuilding / reconstituting systems
  - SLAs for third-party assistance
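A playbook step such as "block network indicators" is only useful in an incident if it has been scripted, validated and made reversible beforehand. The function below is an added example (not from the presentation) of one such step using the Windows Firewall NetSecurity cmdlets: indicators are validated, rules are tagged with an incident id so they can be found and rolled back, and the sample addresses are constructed documentation ranges, not real IOCs.

```powershell
# Reversible "block network indicator" playbook step via Windows Firewall.
# Added example; indicator values below are constructed placeholders.
function Block-NetworkIndicator {
    param(
        [Parameter(Mandatory)][string]$IncidentId,
        [Parameter(Mandatory)][string[]]$IpAddress,   # IPv4/IPv6 addresses or CIDR ranges
        [switch]$WhatIf                               # dry run for playbook testing
    )
    $created = @()
    foreach ($ip in $IpAddress) {
        # Validate before touching the firewall: a typo here can isolate the wrong range.
        $addr = $ip -replace '/\d+$', ''
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$null)) {
            Write-Warning "Skipping invalid indicator: $ip"; continue
        }
        # Deterministic rule name so re-running the playbook is idempotent.
        $name = "IR-$IncidentId-$($ip -replace '[^0-9a-fA-F.:]', '_')"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($WhatIf) { Write-Host "Would block $ip as $name"; continue }
        # Block both directions: C2 callbacks out, and follow-on connections in.
        foreach ($dir in 'Outbound', 'Inbound') {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
                -RemoteAddress $ip -Profile Any -Group "IR-$IncidentId" -Enabled True | Out-Null
        }
        $created += $name
    }
    return $created
}

function Unblock-NetworkIndicators {
    # Rollback: remove every rule created for the incident once the indicator is retired.
    param([Parameter(Mandatory)][string]$IncidentId)
    Get-NetFirewallRule -Group "IR-$IncidentId" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# Constructed sample indicators (RFC 5737 documentation ranges) plus one bad value:
Block-NetworkIndicator -IncidentId 'INC-0001' `
    -IpAddress '192.0.2.10', '198.51.100.0/24', 'not-an-ip' -WhatIf
```

For fleet-wide use the same step is pushed through GPO or the EDR platform; the local version is what gets exercised in tabletop and tested against the SLA.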
Premediation in Action: Case Study
  Premediation areas applied: General Posturing; Network Segmentation; Active Directory Hardening; Privileged Account Management; Endpoint Hardening
  Controls implemented:
  - Environment hardening, network segmentation, proactive scanning and enumeration, process review
  - Hardened trust relationships, GPOs, LAPS, credential management, Kerberos, WDigest
  - Tiered architecture, Restricted Admin RDP, protected groups
  - Local admin, logon restrictions
  Attack steps disrupted:
  - Reconnaissance, lateral movement, webshell placement
  - OWA bypass, MFA / OTP issuance, lateral movement
  - Endpoint exploitation, malware spreading, credential dumping, lateral movement
  - Endpoint exploitation, credential dumping, lateral movement
  - Phishing exploitation, credential dumping, lateral movement, implanted backdoors
  Lifecycle phases covered: Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence

Premediation: Continuous Process
  Continuous premediation cycle:
  - Premediation is a continuous process
  - Integrate this methodology as part of your risk management framework
  - Test and verify the effectiveness of the processes and controls
  - Continue to adapt and enhance
Q&A