Ultimate Hacking and Forensics Experience with CQURE for IT Pros
Mike Jankowski-Lorek
CQURE: Cloud Solutions & Security Expert
CQURE Academy: Trainer
[email protected]
www.cqureacademy.com
@paulacqure @CQUREAcademy

What does CQURE Team do?

Consulting services
• High quality penetration tests with useful reports: applications, websites, external services (edge), internal services + configuration reviews
• Incident response emergency services – immediate reaction!
• Security architecture and design advisory
• Forensics investigation
• Security awareness for management and employees

Trainings
• Security Awareness trainings for executives
• CQURE Academy: over 40 advanced security trainings for IT Teams
• Certificates and exams
• Delivered all around the world only by a CQURE Team: training authors
[email protected]

Cybersecurity Reference Architecture (diagram; only the component labels survived extraction, grouping is approximate)
• Software as a Service: Office 365, Cloud App Security, Intune MDM/MAM, Office 365 ATP (Email Gateway, Anti-malware), Azure Information Protection (AIP: Classification, Labelling, Encryption, Rights Management, Document Tracking, Reporting), Lockbox
• Security Operations Center (SOC): ASM, Vulnerability Management, Incident Response, Investigation and Recovery, Logs & Analytics, Active Threat Detection (UEBA, ATA, Managed Hunting, Security Analytics), OMS, SIEM, Threat Detection, Analytics & Reporting
• Identity & Access: Azure AD, Conditional Access, AAD PIM, Multi-Factor Authentication, Hello for Business, Identity Protection, MIM PAM, Certification Authority (PKI)
• Microsoft Azure / IaaS (Hoster): Azure Security Center (Security Hygiene, Threat Detection), Azure Key Vault, Azure App Gateway, Azure Antimalware, Network Security Groups, SQL Encryption & Firewall, Disk & Storage Encryption, Shielded VMs
• On Premises Datacenter(s): SIEM, DLP, Security Integration, NGFW, SSL Proxy, IPS, Appliances, VPN, Extranet, Enterprise Servers, Windows Server 2016 Security (Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, …), ATA, Domain Controllers, Admin Forest, Privileged Access Workstations, Endpoint DLP, Sensitive Workloads, WEF
• Clients: Unmanaged & Mobile Clients, Windows 10 Managed Clients (Secure Boot, Device Guard, Credential Guard, Remote Credential Guard, Windows Hello), Legacy Windows, Mac, Internet of Things, EDR – Windows Defender ATP, EPP – Windows Defender, System Management + Patching – SCCM + Intune
Call-outs on the diagram:
• 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
• Nearly all customer breaches Microsoft's Incident Response team investigates involve credential theft
• 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)

Security Scopes
• Secured Devices
• Secured Identities
• Defending Against Modern Security Threats
• Threat Resistance
• Information Protection

The 11 key cyber security questions
1. Do we treat cyber security as a business or IT responsibility?
2. Do our security goals align with business priorities?
3. Have we identified and protected our most valuable processes and information?
4. Does our business culture support a secure cyber environment?
5. Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.)
6. Do we focus on security compliance or security capability?
7. Are we certain our third-party partners are securing our most valuable information?
8. Do we regularly evaluate the effectiveness of our security?
9. Are we vigilant and do we monitor our systems and can we prevent breaches?
10. Do we have an organized plan for responding to a security breach?
11. Are we adequately resourced and insured?

Identity Pillar
Identity: embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities.
Sub-areas: Securing Privileged Access, Securing Identity.

Major Identity Challenges
• Identity system security is critical to all security assurances
• Attackers are actively targeting privileged access and identity systems
• Identity attacks like credential theft are difficult to detect and investigate
• Identity systems are complex and challenging to protect
• Individual accounts have large attack surface across devices and systems

Secure Modern Enterprise
• Identity: embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
• Apps and Data: aligns security investments with business priorities including identifying and securing communications, data, and applications
• Infrastructure: operates on modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
• Devices: accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection
• Secure Platform (secure by design)

Windows Authentication Issues & Solutions
• On premise
• Cloud only
• Hybrid

Windows Authentication Issues & Solutions: On premise
• Windows Hello – secure?
• Pass the hash
• SMB Relay
• Kerberos
• 2-stage authentication

The Modern Enterprise (diagram)
Azure Active Directory, Rights Management Services, Key Management Services, PaaS, IaaS, 3rd Party IaaS, Office 365, Microsoft Azure, Admin Environment, 3rd Party SaaS, High Value Assets, On-Premises Datacenters, Customer and Partner Access, Branch Office, Intranet and Remote PCs, Mobile Devices

Identity is the new security "perimeter"
Active Directory and Administrators control all the assets.

Identity is the new security "perimeter" under attack
Active Directory and Administrators control all the assets. One small mistake can lead to attacker control.
Attackers can:
• Steal any data
• Encrypt any data
• Modify documents
• Impersonate users
• Disrupt business operations

Phase 1 Critical Mitigations: Typical Attack Chain
Compromises privileged access in 24-48 hours.
1. Beachhead (Phishing Attack, etc.)
2. Lateral Movement
   a. Steal Credentials
   b. Compromise more hosts & credentials
3. Privilege Escalation
   a. Get Domain Admin credentials
4. Execute Attacker Mission
   a. Steal data, destroy systems, etc.
   b. Persist Presence
Tiers shown alongside the chain: Tier 0 – Domain & Enterprise Admins; Tier 1 – Server Admins; Tier 2 – Workstation & Device Admins.

Phase 1 Critical Mitigations: Credential Theft Demonstration
Lab components: Domain.Local, DC, Attack Operator, DomainAdmin, Client.
http://aka.ms/credtheftdemo

Making and Measuring Progress against Risk
Attack → Defense:
• Credential Theft & Abuse → Prevent Escalation; Prevent Lateral Traversal; Increase Privilege Usage Visibility
• DC Host Attacks → Harden Domain Controller (DC) Configuration; Reduce Agent Attack Surface
• AD Attacks → Assign Least Privilege
• Attacker Stealth → Detect Attacks
Securing Privileged Access: Three Stage Roadmap (Top Priority Mitigations)
• 2-4 weeks: First response to the most frequently used attack techniques
• 1-3 months: Build visibility and control of admin activity
• 6+ months: Move to proactive security posture
http://aka.ms/privsec

Protecting Active Directory and Admin privileges – 2-4 weeks
First response to the most frequently used attack techniques
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1 – Active Directory admins
   http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations
   http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers
   http://Aka.ms/LAPS

Protecting Active Directory and Admin privileges – 1-3 months
Build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs), Phases 2 and 3 – All Admins and additional hardening
   http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins)
   http://aka.ms/PAM
   http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance
   http://aka.ms/JEA
5. Lower attack surface of Domain and DCs (Credential Guard, RDP Restricted Admin, etc.)
   http://aka.ms/HardenAD
6. Attack Detection
   http://aka.ms/ata

Protecting Active Directory and Admin privileges – 6+ months
Move to proactive security posture
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins
   http://aka.ms/Passport
3. Admin Forest for Active Directory administrators
   http://aka.ms/ESAE
4. Code Integrity Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric)
   http://aka.ms/shieldedvms

Windows Hello: Attack vectors
• Credentials not sent to cloud, only stored locally
• Every machine must be registered
• Active Directory password is not shared
What is the most successful path for the attack right now?

THE ANATOMY OF AN ATTACK
Healthy Computer → User Receives Email → User Lured to Malicious Site → Device Infected with Malware → HelpDesk Logs into Device → Identity Stolen, Attacker Has Increased Privs