Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager; Manfred Erjak, Principal Consultant. October 14, 2018, Washington, D.C.

Overview
- Case Study
- Remediation Overview
- Premediation
- Q&A

Introductions
- Matthew McWhirt, Senior Manager, Mandiant Security Transformation Services (STS); matthew.mcwhirt@mandiant.com; linkedin.com/in/matthew-mcwhirt-9031214/
- Manfred Erjak, Principal Consultant, Mandiant Security Transformation Services (STS); manfred.erjak@mandiant.com; linkedin.com/in/itsecuritysolutions

While Breaches are Inevitable...

...Impactful Breaches are Preventable

Case Study: What Happens During a Breach
- Phishing
- Credential Compromise
- Backdoor Implanted on VDI (Persistence)
- Internal Reconnaissance
- Credential Dumping
- Webshell Placed on a DMZ Server
- Lateral Movement to specific systems
(Attack lifecycle diagram: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission)

Case Study: Quick Eradication
- Blocked NBIs
- Removed Backdoors
- Removed Webshells
- Rebuilt VDI servers
- Implemented MFA for external VDI and OWA Access
- Targeted Password Reset
- Local Administrator Password Solution (LAPS)

2 Months Later

Case Study: Re-Compromised
- Access to OWA (bypassing MFA)
  - Incomplete password reset
  - Another wave of phishing
- VDI OTP sent via Email
  - Accessed by an attacker using OWA
- Login to VDI (username/password/OTP)
- Credential Dumping
- Lateral Movement to specific systems

Case Study: Full Remediation
- Enterprise Password Reset
- Enhanced visibility and detection
  - Endpoint
  - Network
- Network architecture review and hardening
  - Internal
  - External

Case Study: Full Remediation (continued)
- Privileged Account Management and Usage
  - Tiered Architecture for Privileged Account Usage
  - Reduction in scope of Privileged Accounts
- MFA Implementation Review and Redesign
- Full LAPS Implementation

/pre·me·di·a·tion/

Remediation Stage: Posturing
- Visibility and Detection enhancements
- Asset Management
- Critical Data and Asset Mapping
- Hardening
- Preparation and Planning
  - Planning for execution of next stages
(Stage diagram: Posturing, Containment, Eradication, Strategic Enhancements)

Remediation Stage: Containment
- Tactical
- Short-term mitigation actions
- Critical system and data isolation

Remediation Stage: Eradication
- Removing the attacker from the environment
- Hardening the environment
- Preventing the attacker from regaining access

Remediation Stage: Strategic Enhancements
- Longer-term security enhancements
- Additional technical and process improvements
- Adaptive Risk Management

Premediation: General Posturing
- Visibility and Detection
  - Identify Gaps
    - Endpoint
    - Network
- Crown Jewels
  - Asset Management
  - Critical Asset and Data Mapping
- Ingress / Egress Points
- Scanning and Enumeration

Premediation: General Posturing (continued)
- Vulnerability Management / Patching
- Logging
  - Domain Controllers / Servers
  - End-user devices
  - PowerShell
  - DNS
  - VPN
  - Network
  - Proxy Servers
  - Load Balancers

Premediation: Network Segmentation
- Segmenting the network based on the label or classification level of the information
  - Systems containing PCI, PII, or HIPAA data
  - Servers of different security classifications
  - Servers and Workstations
  - Workstations within different regions, offices, or business units
- Classical Segmentation
  - VLANs, L3 ACLs, Firewalls
- SDN Micro-Segmentation
  - VMware NSX, Cisco ACI

Premediation: Network Segmentation (continued)
- Protect critical intellectual property from unauthorized applications or users
- Reduce the exposure of vulnerable systems
- Prevent lateral movement throughout the network
  - Attackers
  - Automated Malware (WannaCry)

Premediation: Endpoint Review and Hardening
- Scope of OS
- Endpoint Technologies
  - Deployment of Endpoint Protection/Detection Tools
- System-to-System Communication Restrictions
  - Firewalls
  - Layer 3 ACLs
  - RDP Restrictions
- MS Office Hardening Controls
  - Macros and OLE
  - DDE / Auto-download of content

Premediation: Endpoint Review and Hardening (continued)
- Egress Restrictions
  - Workstation / Laptops
  - Servers / DCs / Critical Assets
- Local Administrative Permissions
  - KB2871997: S-1-5-114 (NT AUTHORITY\Local account and member of Administrators group)
  - Local Administrator Passwords
- Remote Access
- Application Whitelisting

Premediation: Active Directory Review and Hardening
- Forest Architecture and Trusts
  - Types of Trusts
  - Scope of services in each domain
  - Trust Protections
- RODCs vs Writable DCs
  - RODC Password Replication Group
- Operational Processes and Monitoring
  - GPOs
  - Administration Models
  - Remote Administration
  - Logging / Monitoring / Alerting

Premediation: Active Directory Review and Hardening (continued)
- Account and Credential Management
  - Password Policies
  - Privileged Accounts
  - Service Accounts
  - SPNs
  - Delegated Accounts
- Kerberos Authentication Policies
- WDigest (KB2871997) / TokenLeakDetectDelaySecs
- LSA Protected Process / Credential Guard
- MFA / PAM
- KRBTGT Resets*
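A host-level audit of the settings named on the two hardening slides above (the S-1-5-114 logon denials introduced with KB2871997, WDigest credential caching, TokenLeakDetectDelaySecs and the LSA protected process), as an added example that is not part of the Mandiant deck. The registry paths and user-right names are the documented Windows ones; the expected values are this example's assumed hardened baseline.

```powershell
# Added example (not from the Mandiant deck). Audits one Windows host for the
# credential-protection settings the hardening slides list. Run elevated.
# Paths and user-right names are the documented Windows ones; 'Expected' is
# this example's assumed hardened baseline.
$checks = @(
    @{ Name     = 'WDigest cleartext caching disabled (KB2871997)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value    = 'UseLogonCredential'; Expected = 0 },
    @{ Name     = 'LSA runs as a protected process (RunAsPPL)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'RunAsPPL'; Expected = 1 },
    @{ Name     = 'Leaked logon sessions purged after 30s (TokenLeakDetectDelaySecs)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'TokenLeakDetectDelaySecs'; Expected = 30 }
)

function Test-RegistryBaseline {
    foreach ($c in $checks) {
        # An absent value falls back to the OS default, which differs by Windows
        # version, so the check only passes when the value is set explicitly.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected = $c.Expected
            Pass     = ($actual -eq $c.Expected)
        }
    }
}

# KB2871997 added the well-known SID S-1-5-114 (local accounts in Administrators).
# Denying it network and RDP logon blocks lateral movement with a shared local admin credential.
function Test-LocalAccountLogonDeny {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $policy = Get-Content $cfg   # secedit writes UTF-16; Get-Content honours the BOM
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $policy | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        [pscustomobject]@{
            Check    = "$right includes S-1-5-114"
            Actual   = if ($line) { ($line -split '=', 2)[1].Trim() } else { '<not defined>' }
            Expected = '*S-1-5-114'
            Pass     = [bool]($line -and $line -match 'S-1-5-114')
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

@(Test-RegistryBaseline; Test-LocalAccountLogonDeny) | Format-Table Check, Actual, Expected, Pass -AutoSize
```

Rows with Pass = False are the settings a GPO baseline should enforce before the tiered administration model on the next slide can hold.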

Premediation: Privileged Account Management
- Tiered Architecture Model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)
  - Tier 0: Forest/Domain Admins, Admin Workstation, Domain Controllers
  - Tier 1: Server Admins, Admin Workstation, Servers
  - Tier 2: Workstation Admin, Admin Workstation, Workstations
  - Same Tier Logon: permitted
  - Higher Tier Logon: only as required by role
  - Lower Tier Logon: blocked
- Supporting controls
  - Jump Boxes / PAWs
  - MFA
  - GPOs to restrict Privileged Account Usage
  - Protected Users Group
  - Restricted Admin RDP
  - Cached Credentials
  - DSRM (Writable vs RODCs)
  - Separate VPN Profiles for Admins

Credential Artifacts on Endpoints
- When are credentials stored in memory on destination endpoints?
  - Interactive Logon
  - Remote Desktop (RDP) Logon
  - PsExec with explicit credentials
  - Batch logon (scheduled tasks)
  - Running Services
  - RunAs (New Credentials)
  - PowerShell CredSSP
- Can be controlled via GPO settings
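To see which of the logon kinds listed above have actually occurred on a host, here is an added example that is not part of the Mandiant deck: a summary of Security event 4624 by logon type and account, marking the types the slide says leave reusable credentials in LSASS memory. The logon-type numbers are Microsoft's documented values; the LeavesCreds flag is this example's reading of the slide.

```powershell
# Added example (not from the Mandiant deck). Summarises Security event 4624
# (successful logon) on this host by logon type and account, flagging the
# types the slide lists as leaving reusable credentials in LSASS memory.
# Run elevated. Logon-type numbers are Microsoft's; LeavesCreds follows the slide.
$logonTypes = @{
    2  = @{ Name = 'Interactive';             LeavesCreds = $true  }
    3  = @{ Name = 'Network (e.g. SMB, WMI)'; LeavesCreds = $false }  # nothing reusable left behind
    4  = @{ Name = 'Batch (scheduled task)';  LeavesCreds = $true  }
    5  = @{ Name = 'Service';                 LeavesCreds = $true  }
    9  = @{ Name = 'NewCredentials (RunAs)';  LeavesCreds = $true  }
    10 = @{ Name = 'RemoteInteractive (RDP)'; LeavesCreds = $true  }  # not with Restricted Admin RDP
}

function Get-LogonTypeSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML rather than relying
        # on positional Properties, whose order differs between Windows versions.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        $type = [int]$field['LogonType']
        $info = $logonTypes[$type]
        [pscustomobject]@{
            LogonType   = $type
            TypeName    = if ($info) { $info.Name } else { 'Other' }
            LeavesCreds = if ($info) { $info.LeavesCreds } else { $null }
            Account     = '{0}\{1}' -f $field['TargetDomainName'], $field['TargetUserName']
        }
    } |
    Where-Object { $_.Account -notlike '*$' } |   # skip computer accounts
    Group-Object LogonType, Account | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            LogonType   = $first.LogonType
            TypeName    = $first.TypeName
            LeavesCreds = $first.LeavesCreds
            Account     = $first.Account
            Count       = $_.Count
        }
    } | Sort-Object LeavesCreds, Count -Descending
}

# Rows with LeavesCreds = True show where an account's credentials were exposed
# on this host; compare them against the tier model's permitted logon paths.
Get-LogonTypeSummary -Hours 24 | Format-Table -AutoSize
```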

Premediation: Azure / O365 Review and Hardening
- On-Prem / Azure Synchronization
- ADFS Security Configuration
- Privileged Management for Azure
- MFA Requirements
  - Users and Administrators
- AZUREADSSOACC Decryption Key Change
  - Seamless SSO
- Conditional Access (Users and Admins)
- Logging and Monitoring
  - O365 mailbox logging

Premediation: Containment and Eradication Posturing
- Playbooks and Tested Process to Support Common Containment and Eradication Actions
  - Containing and Isolating key systems
  - Blocking of network indicators
    - IP addresses
    - Domains
    - Email
  - Searching and blocking for host-based indicators
    - EDR
    - AV
  - Rebuilding / Reconstituting Systems
- SLAs for Third Party Assistance

Premediation in Action: Case Study
- Premediation areas (diagram columns): General Posturing; Network Segmentation; Active Directory Hardening; Privileged Account Management; Endpoint Hardening
- Controls applied: Environment Hardening, Network Segmentation, Proactive Scanning and Enumeration, Process Review; Hardened Trust Relationships, GPOs, LAPS, Credential Management, Kerberos, WDigest; Tiered Architecture, Restricted Admin RDP, Protected Groups; Local Admin, Logon Restrictions
- Case-study attack steps mapped against those areas: Phishing, Exploitation, Credential Dumping, Lateral Movement, Implanted Backdoors, Reconnaissance, Webshell Placement, OWA Bypass (MFA / OTP Issuance), Endpoint Exploitation, Malware Spreading
(Attack lifecycle labels from the diagram: Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence)

Premediation: Continuous Process
- Continuous Premediation Cycle
- Premediation is a continuous process
- Integrate this methodology as part of your risk management framework
- Test and verify the effectiveness of the processes and controls
- Continue to adapt and enhance

Q&A