
Defending Microsoft environments at scale Vineet Bhatia - PowerPoint PPT Presentation



  1. Defending Microsoft environments at scale Vineet Bhatia (@ThreatHunting) 15 Mar 2018

  2. Agenda
  • Introduction and Background
  • Microsoft security stack in Windows 10
  • Defense model based on MITRE ATT&CK and the Microsoft stack
  • Event data collection at scale and the role of telemetry
  • Security stack in the cloud (Azure, Office365)
  • Q&A

  3. Introduction
  • Vineet Bhatia
  • Focus on Threat Detection, Prevention and Response
  • Pharma, Retail, Banking and Aviation industries

  4. Problem statement
  1. Declutter the number of agents on endpoints.
  2. Remove dependencies on point solutions.
  3. Implement security outside traditional network boundaries.

  5. Microsoft security stack in Windows 10
  Windows Defender SmartScreen
  • App and website reputation checks.
  • Checks run when an app is first run.
  • Only performed on downloaded apps.
  • E.g.: detects crypto-currency miners: http://bit.ly/2tPVeNM
  Credential Guard
  • Virtualization of the security process.
  • Protects secrets such as NTLM hashes and Kerberos TGTs.
  • Windows 10 and Server 2016 covered.
  Enterprise Cert. Pinning
  • Protect internal domains from chaining.
  • Pin X509 Cert and Public Key to the root.
  Memory Protections
  • Control Flow Guard: http://bit.ly/2DnSarz
  • Code Integrity Guard
  • Arbitrary Code Guard: http://bit.ly/2Gryeam
  • Windows Defender Exploit Guard: http://bit.ly/2p7EDjS
  • Previously limited to DEP/SEHOP/ASLR.
  Others
  • UEFI Secure Boot – Firmware tampering.
  • Early Launch Anti-Malware (ELAM) – Starts antimalware prior to the start of non-MSFT drivers.
  • Device Health Attestation (DHA) – Posture assessment prior to connectivity.
  • Application Guard: http://bit.ly/2Ir1HBW
  Device Guard
  • Windows Defender Application Control.
  • Previously Code Integrity Policies.
  • Application whitelisting with kernel protection.
  • Windows 10 and Server 2016 covered.
  Windows Defender
  • Antivirus and Antimalware protection.
  • Base Product + Enhanced WDATP.
  • First came out in Windows 8.
  • Exploit Guard launched Dec 2017 (see memory protections).
  Untrusted Font Blocking
  • Font Parsing Attacks (Elevation of Priv.): http://bit.ly/2FK5A32
  • Fixed in Windows 10 Build 1703 (AppContainer).
  • Merged with Kernel Pool Protections.

  6. MITRE ATT&CK Framework
  • Privilege Escalation – Enter system as unpriv user and exploit vulnerabilities to become SYSTEM or Admin.
  • Credential Access – Obtaining access or control of system, domain or service creds.
  • Lateral Movement – Enable access to other systems on network with/without execution of tools.
  • Collection – Gather sensitive files from target network prior to exfil.
  • Command and Control – Adversary communication on/to target network.
  • Execution – Execute adversary controlled code on local or remote system.
  • Exfiltration – Remove files and information from target network.
  • Persistence – Maintaining access through a system interruption such as restart, loss of credentials, etc.
  • Defense Evasion – Avoiding detection by setting attributes across all other phases.
  • Discovery – Gain knowledge of internal system or network.

  7. Framework
  [Diagram: "Single Platform Approach" mapping Microsoft controls (Windows Firewall, Device Guard, Credential Guard, WEF, WDATP, ATA / Azure ATP, Exploit Guard, Defender, Application Guard, SmartScreen) against ATT&CK tactics (Discovery, Collection, C2 / Exfil, Lateral Movement, Defense Evasion, Credential Access, Privilege Escalation, Persistence, Execution); axis label: Higher efficiency controls.]

  8. Data collection and analysis at scale
  • 25,000 PCs
  • 6,000 Servers
  • 50% remote users across 300 cities
  • Multiple cloud environments
  • 10 Terabytes of log data every day
  “If everything seems under control, you’re not going fast enough.” – Mario Andretti

  9. What doesn’t work at scale?
  “Trying is the first step towards failure.” – Homer Simpson (1987)
  • Multiple agents on the same host may result in duplicate or conflicting telemetry.
  • Collecting logs in the cloud as you would inside your datacenter.
  • Waiting for machines to “phone in” to the corporate network after being on the road.

  10. A working defense model
  Detection
  • Windows Event Forwarding OR Sysmon OR Windows Defender ATP*
  • Advanced Threat Analytics OR Azure ATP
  • Azure Identity P1/P2
  • SIEM of choice
  Prevention
  • Windows Firewall
  • Windows Defender ATP / Exploit Guard / Application Guard
  • Credential Guard
  • Device Guard
  * Windows 10 and Server 2016 only
  What will you find?
  • Host based activity
  • Network activity to/from hosts
  • Anomalous use of credentials / privileges
  • Visibility into what happens on the cloud (maybe)
  What will you stop?
  • Anomalous traffic in/out of the host
  • Exploits from running at any privilege level
  • All untrusted code on your PCs
  • Ability to run Mimikatz on your domain

  11. Living off the land – For Defense
  https://twitter.com/mattifestation/status/972654625554771969

  12. How does this come together?
  • Single inventory of assets using SCCM, baselining using DHA.
  • Ability to collect basic forensic data rapidly using Sysmon.
  • Uniform logging standard across the enterprise using GPMC.
  • Ability to identify identity and privilege misuse using MS-ATA.
  • Collect telemetry from all endpoints using Windows Defender.

  13. Basic environment hygiene
  https://twitter.com/ncsc/status/973122188344791040

  14. Windows 10 Telemetry Data
  • Diagnostic data sent by the Windows system is configured via GPO.
  • Privacy considerations should be studied before configuration.
  • See more on telemetry privacy at: http://bit.ly/2DnmzpS
  WD ATP on Windows 10 (1709) and later:
  • Perform investigations, optimize firewall and BitLocker configurations and investigate identities.
  • Perform automated remediation (WDATP AIRS).
  • Write custom threat hunting rules and query endpoints for matches (WDATP Advanced Hunting).

  15. Use Case: Monitoring
  • Option 1: Windows Event Forwarding
  • Option 2: Sysmon XML
  • Option 3: Windows Defender ATP
  Example: Investigating Privilege Escalation on your network
  https://attack.mitre.org/wiki/Privilege_Escalation
  Mapping MITRE ATT&CK to Windows hunting techniques:
  • Roberto Rodriguez Threat Hunting Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/attack_matrix/windows

  16. Example: Investigating Privilege Escalation – Option 1: Using Windows Event Forwarding
  Privilege Escalation scenario: Accessibility Features (Registry Modification)
  Windows Event Log Event IDs:
  • 4656 - A handle to a Registry key or Registry Value was requested.
  • 4657 - A registry value was modified.
  • 4660 - A registry key or value was deleted or removed.
  • 4663 - An attempt was made to access a Registry key or Registry Value.
  Sysmon: Event ID 12, 13 and 14 - Registry
  See also:
  • Enable registry auditing: auditpol /set /subcategory:"Registry" /success:enable
  • Accessibility executables: SETHC.exe, UTILMAN.exe, OSK.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe
  Look for changes to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable}

  17. Example: Investigating Privilege Escalation – Option 1: Using Windows Event Forwarding
  Privilege Escalation scenario: AppCert DLLs (Registry Modification)
  Windows Event Log Event IDs:
  • 4657 - A registry value was modified.
  Sysmon: Event ID 12, 13 and 14 - Registry
  See also:
  • https://github.com/threathunting/sysmon-config/blob/master/sysmonconfig-export.xml#L400
  • Process-creation APIs that load these DLLs: CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, WinExec
  Look for changes or any new DLL locations being added to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls

  18. Example: Investigating Privilege Escalation – Option 1: Using Windows Event Forwarding
  Privilege Escalation scenario: AppInit DLLs (Registry Modification)
  Windows Event Log Event IDs:
  • 4657 - A registry value was modified.
  Sysmon:
  • Event ID 7 - DLL (image) load by process
  • User32.dll loading an unknown third-party DLL or an unusual DLL should trigger
  See also:
  • The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.
  • https://github.com/threathunting/sysmon-config/blob/master/sysmonconfig-export.xml#L260
  Look for changes or any new DLL locations being added to:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  Also consider running this on all systems and pulling data back for analysis:
  autorunsc -a d -h -m -s -u *
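Slides 16 to 18 describe the same hunt over three registry locations; the following is an added example (not from the deck) that carries it through as one detection routine over Sysmon registry events (IDs 12/13/14) as they would arrive through WEF in a SIEM. The records are constructed; the field names Computer, EventID, Image, TargetObject and Details follow Sysmon's EventData layout, and the sethc.exe, AppCertDlls and AppInit_DLLs paths are the ones the slides name.

```python
import re
# Accessibility executables named on slide 16 (their IFEO keys are the watch points)
# and the registry locations from slides 16-18. Sysmon records the key path in
# TargetObject and, for Event ID 13, the new value data in Details.
ACCESSIBILITY_EXES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                      "narrator.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_RE = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)(?:\\Debugger)?$", re.I)
APPCERT_RE = re.compile(r"\\Control\\Session Manager\\AppCertDlls(?:\\|$)", re.I)
APPINIT_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
                        r"(?:AppInit_DLLs|LoadAppInit_DLLs)$", re.I)

def classify(event):
    """Map one Sysmon registry event (ID 12/13/14) to a slide scenario, or None."""
    if event.get("EventID") not in (12, 13, 14):
        return None
    target = event.get("TargetObject", "")
    m = IFEO_RE.search(target)
    if m:  # IFEO\<exe> key created/renamed, or its Debugger value set
        exe = m.group("exe").lower()
        return "Accessibility Features" if exe in ACCESSIBILITY_EXES else None
    if APPCERT_RE.search(target):
        return "AppCert DLLs"
    if APPINIT_RE.search(target):
        return "AppInit DLLs"
    return None

def hunt(events):
    """Return (computer, scenario, writing image, value data) per matching event."""
    return [(e["Computer"], s, e.get("Image", "?"), e.get("Details", ""))
            for e in events for s in [classify(e)] if s]

# Constructed sample records shaped like Sysmon EventData forwarded through WEF.
SAMPLE_EVENTS = [
    {"Computer": "PC01", "EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "SRV02", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager"
                     r"\AppCertDlls\helper", "Details": r"C:\ProgramData\helper.dll"},
    {"Computer": "PC03", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\Software\Wow6432Node\Microsoft\Windows NT"
                     r"\CurrentVersion\Windows\AppInit_DLLs", "Details": r"C:\Temp\x.dll"},
    {"Computer": "PC04", "EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

A Sysmon config that only includes these TargetObject paths (as in the linked sysmon-config lines) keeps the event volume low enough that this filter runs over every forwarded event rather than a sample.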
