Eric Chan System - - PowerPoint PPT Presentation



SLIDE 1

Guard by day, guard by night, yet the thief within is hardest to guard against (日防夜防，家賊難防)

How to prevent insider attacks and data theft

Welcome

Eric Chan (陳健亮), System Consultant, Hong Kong, Macau and Taiwan

SLIDE 2

Hybrid Active Directory Environment

  • Office 365 requires an Azure AD instance
  • Azure AD provides the Directory Service for Office 365 applications
  • Azure AD integrates with on-premises AD, creating a Hybrid Directory environment

SLIDE 3

What does AD have to do with Office 365 Security?

  • 95 Million: AD authentications are under attack daily
  • 90%: of companies use on-premises AD
  • 70%: YoY growth for Office 365 adoption
  • 1 Million: subscribers a month moving to Office 365
  • 700 Million: Azure AD accounts
  • 10 Billion: on-prem AD authentications per day
  • 1.3 Billion: MS cloud login attempts per day
  • 75%: of enterprises with more than 500 employees sync on-prem AD to Azure AD
  • 10 Million: daily MS cloud logins are cyber-attacks

SLIDE 4

Active Directory Security is Critical

  1. On-premises AD remains the core of security even in a cloud/hybrid environment
  2. On-prem is the authoritative source and will replicate to Azure AD & Office 365
  3. With security, you are only as secure as your weakest link

SLIDE 5

We have invested a lot in preventing attacks from outside, but usually the most harmful one is from INSIDE……

SLIDE 6

Who is Hank the Hacker?

SLIDE 7

Who is Hank?

  • Organized criminal groups
  • State-affiliated actors
  • Disgruntled employees
  • Rogue administrators
  • Contractors
  • Etc.

SLIDE 8

How Hank Gets In?

  • Malware
  • Ransomware
  • Pass-the-hash
  • Weak passwords
  • Social engineering
  • Authorization creep
  • Spear phishing
  • Etc.

SLIDE 9

What will Hank do?

  • Try to log on to your critical systems
  • Snoop your data:
    – File servers
    – Databases
    – PCs
  • Impersonate VIP users
  • Change your important AD settings:
    – Elevate privileges
    – Deploy malware via GPO
    – Execute PowerShell attacks (e.g. Mimikatz)

SLIDE 10

How Quest Stops Hank?

SLIDE 11

Detect and Alert

SLIDE 12

Challenges – On Premises

  • No comprehensive view of all changes from all native log sources
  • Very difficult to consolidate native audit logs and avoid loss of historical data
  • No protection exists to prevent unwanted changes to the most sensitive objects, even from privileged users
  • No proactive alerting on suspicious events

SLIDE 13

Challenges – On Azure

  • Alerting is not real time
  • Audit data only retained for 7 days or 30 days depending on platform
  • Difficult to interpret events
    – Audit data is very raw (contains SIDs, GUIDs and other IDs), lacks friendly display names, and the format is constantly changing

SLIDE 14

Change Auditor

  • Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes.
    – Who made the change?
    – Where was the change made from?
    – What object was changed?
    – When was the change made?
    – Why was the change made (comment)?
    – Workstation where the change originated from
  • Real-time smart alerts to any device
SLIDE 15

Change Auditor – Supported Platforms

  • Active Directory / LDS
  • Azure Active Directory
  • Active Directory Queries
  • Logon, Logoff, User Sessions
  • Exchange
  • O365 Exchange Online
  • SQL Server
  • SharePoint
  • O365 SharePoint Online
  • Skype for Business
  • Windows File Servers
  • EMC Celerra, Isilon
  • NetApp
  • Dell Fluid File System
  • OneDrive
  • Quest Active Roles
  • Quest Authentication Services
  • Quest Defender
  • Object protection

SLIDE 16

Hybrid Directory Management

  • With Change Auditor, you can:
    – Consolidate event data from on-premises and cloud targets
    – Correlate identities across on-premises and cloud
    – Search and report in simple ways
    – Proactively protect important objects and settings
SLIDE 17

Easy to read, normalized 5W events

SLIDE 18

Change Auditor for Active Directory: GPO Settings

SLIDE 19

Protect Important Objects and Settings

  • Protect your important AD, Exchange and Windows File Server objects and settings
  • Prevent operational mistakes
  • Last protection shield even when admin credentials have been stolen

SLIDE 20

How can you identify THREATS in millions of events?
SLIDE 21

User Threat Detection for your Windows environment

SLIDE 22

Behavior Analysis

  • Unsupervised machine learning models individual user behavior on multiple vectors:
    – Time-based modeling (e.g. logon at an abnormal time for that user)
    – Categorical modeling (e.g. accessed a machine they don't typically access)
    – Continuous modeling (e.g. accessed an abnormal number of files)
  • Multivariate risk scoring ensures that only a suspicious combination of activities raises an alert
  • Comparison with global activity reduces false positives on new events

quest.com | confidential 22

SLIDE 23

A pattern of suspicious activity leads to higher user risk scores

SLIDE 24

User Threat Detection Alerts

Analysis over 60 days, 80,600 users:

  • 387 Million raw events
  • 1,153* threat indicators (from 109,600 raw events)
  • 304 SMART alerts
  • 180 risky users

*Tens of thousands of additional indicators were discarded as they were not scored high or correlated with related suspicious behavior

That's 5 alerts a day!

SLIDE 25

Change Auditor Threat Detection

  • Identifies real-time risk level of user activity
  • Drastically consolidates potential incidents
  • Automates alert prioritization
  • Reduces false positives
  • Highlights actionable alerts in context for accelerated investigation

SLIDE 26

Why Change Auditor Threat Detection?

  • Optimized for Change Auditor modules out-of-the-box
    – Plug-and-play AD and Windows security solution for AD admins
  • Does not rely on native Windows logs
    – No gaps in critical AD changes and file activity
  • Reduces the sea of noise from false positive alerts
    – By using dynamically adapting unsupervised machine learning
  • No configuration required
    – Administrator input, alert definition and model tuning are unnecessary
  • Minimal infrastructure for existing Change Auditor customers
    – Existing customers only require a single, additional server

SLIDE 27

Use Cases

SLIDE 28

Use Cases

  • Brute force attack
  • Data exfiltration
  • Snooping user
  • Abnormal AD activity
  • Malware
  • Scripted account use
  • Privilege elevation
  • Lateral movement
  • Abnormal system access

SLIDE 29

Abnormal AD activity

Use Case

  • Attempting to exploit compromised credentials
  • Compromised account is being used to corrupt or destroy critical directory data
  • Interactive privileged account being used to run scripts

Indicators

  • Spike in the volume of changes to AD
  • User performing actions that are not part of their standard routine
  • Users making membership changes to privileged AD groups
  • Abnormal number of failed AD changes

Abnormal activity in Active Directory puts your entire forest at risk. Example: a first-level helpdesk representative who is normally only responsible for unlocking disabled user accounts and resetting their passwords, but who has suddenly begun creating new user accounts in AD.

CATD License

SLIDE 30

Abnormal AD Activity

  • Abnormal AD activity

SLIDE 31

Snooping User

Use Case

  • A user accessing resources and files that aren't appropriate for their role, even though permissions aren't necessarily locked down
  • Could be a user that is not actively malicious but inappropriately curious

Indicators

  • A high number of file access attempts in a short period of time
  • A high number of failed file access events
  • Attempts to access file servers and folders the user has never, or rarely, accessed in the past

An internal user who is inappropriately curious might attempt to browse servers and folders that they shouldn't be accessing, such as salary information or reorg plans. Change Auditor Threat Detection alerts you to users attempting to access data they shouldn't access.

CATD License

SLIDE 32

Snooping User

SLIDE 33

Data exfiltration or destruction

Use Case

  • Unauthorized copying or transfer of data from a computer using any of multiple techniques
  • User is attempting the malicious destruction of data

Indicators

  • An excessive number of file access or file move events
  • An excessive number of file delete events

Could be perpetrated by cybercriminals or rogue employees. Change Auditor Threat Detection identifies users who might be attempting to steal or destroy your data.

CATD License

SLIDE 34

Data exfiltration or destruction

  • Data exfiltration

SLIDE 35

Brute-force attack

Use Case

  • Attackers repeatedly try to guess a user's password
  • Worms or other malware designed to identify user accounts and attempt to crack their passwords using password dictionaries

Indicators

  • Abnormal failed authentication attempts

By correlating failed logons with other user actions, Change Auditor Threat Detection can alert you to true brute-force attacks without drowning you in false positives. Traditionally, 44% of alerts go unexplored.

Too many alerts

CATD License

SLIDE 36

Brute-force attack

  • Brute force authentication
SLIDE 37

Malware example from Quest

SLIDE 38

Malware example from Quest

SLIDE 39

Malware example from Quest

SLIDE 40

Malware example from Quest

SLIDE 41

Malware example from Quest

SLIDE 42

Abnormal system access

Use case

  • If a user account accesses your network from an atypical geographical location or an abnormal workstation, it could be a sign that an external attacker has been able to compromise the account
  • However, most of the time, it is not an attack at all, so raising an alarm on all abnormal access events would quickly drown you in a sea of dead-end alerts

Indicators

  • Authenticated users accessing servers they rarely or never accessed before
  • Users accessing an excessive number of servers within the environment
SLIDE 43

User logon to abnormal host

SLIDE 44

Use Cases

Privilege elevation
  • Attempted/successful changes to privileged groups

Abnormal AD activity
  • A high number of failed AD changes

Lateral movement
  • Suspicious creation of user accounts
  • Attempted addition of users to privileged groups

Scripted use of privileged acct
  • Excessive number of changes/attempted changes to groups
  • High number of file accesses, moves or deletes

Logon Activity

Active Directory brute-force attempt
  • Multiple failed logons followed by a successful one

Suspicious access
  • User logon during non-standard hours

Abnormal system access
  • User logon from an atypical workstation
  • Authenticated user accessing a server they've never accessed

Lateral movement
  • Multiple logon attempts to different servers

Potential malware
  • Logon attempts to different user accounts from same server

File Activity

Snooping user
  • User accessing files that are not part of their regular responsibilities

Data exfiltration
  • Large number of files being accessed in a short period of time

Data destruction
  • Sudden, significant spike in deleted files

Potential malware
  • High number of files being renamed

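The following is an added example, not Quest's Change Auditor Threat Detection code: a toy per-user baseline that scores a day's activity on the three vectors named on the Behavior Analysis slide (time-based, categorical, continuous), discounts a host that is new to one user but common across all users, adds the "multiple failed logons followed by a successful one" indicator from the use-case list above, and only alerts on a combination of signals. All users, hosts, baselines and thresholds are constructed for illustration.

```python
"""Per-user behaviour baseline with multivariate risk scoring (added example)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed 30-day baselines: logon hours, hosts used and files touched per day.
BASELINE = {
    "alice": {"hours": [9, 9, 10, 9, 8] * 6, "hosts": ["WS-ALICE"] * 30, "files": [20, 25, 22, 18, 24] * 6},
    "bob": {"hours": [8, 9, 9, 10, 9] * 6, "hosts": ["WS-BOB"] * 30, "files": [10, 12, 11, 9, 13] * 6},
    "helpdesk1": {"hours": [8, 9, 9, 8, 10] * 6, "hosts": ["WS-HD1", "WS-HD2"] * 15, "files": [5, 6, 4, 5, 6] * 6},
}
# Hosts seen across all users: new to one user but common globally is weaker evidence.
GLOBAL_HOSTS = Counter(h for b in BASELINE.values() for h in b["hosts"])

# Constructed events for the day under analysis; "logons" is the ordered list of outcomes.
TODAY = [
    {"user": "alice", "hour": 9, "host": "WS-ALICE", "files": 23, "logons": ["ok"]},
    {"user": "alice", "hour": 9, "host": "WS-BOB", "files": 23, "logons": ["ok"]},
    {"user": "helpdesk1", "hour": 3, "host": "FILESRV-HR", "files": 410,
     "logons": ["fail"] * 12 + ["ok"]},
]

def time_score(hours, hour):
    """Time-based vector: 1.0 if the user never logged on at this hour before."""
    return 0.0 if hour in set(hours) else 1.0

def host_score(user_hosts, host):
    """Categorical vector: 1.0 for a host nobody has used, 0.5 if only new to this user."""
    if host in set(user_hosts):
        return 0.0
    return 0.5 if GLOBAL_HOSTS[host] else 1.0

def volume_score(files, count):
    """Continuous vector: positive z-score of today's file count, scaled and capped at 1.0."""
    sd = pstdev(files) or 1.0
    z = (count - mean(files)) / sd
    return min(max(z, 0.0) / 4.0, 1.0)

def brute_force(logons, threshold=10):
    """Use-case indicator: at least `threshold` consecutive failed logons, then a success."""
    fails = 0
    for outcome in logons:
        if outcome == "fail":
            fails += 1
            continue
        if fails >= threshold:
            return True
        fails = 0
    return False

def risk_score(event, alert_at=2.0):
    """Multivariate score: one odd signal alone (max 1.0) never reaches the alert line."""
    b = BASELINE[event["user"]]
    vectors = {
        "time": time_score(b["hours"], event["hour"]),
        "host": host_score(b["hosts"], event["host"]),
        "volume": volume_score(b["files"], event["files"]),
        "brute_force": 1.0 if brute_force(event["logons"]) else 0.0,
    }
    score = round(sum(vectors.values()), 3)
    return {"user": event["user"], "score": score, "alert": score >= alert_at, **vectors}

def analyze(events=TODAY):
    """Score every event; returns a list so one user may have several events."""
    return [risk_score(e) for e in events]
```

Running `analyze()` flags only the helpdesk account (off-hours logon, unseen host, file spike and a brute-force pattern), while alice's logon to a host other users already use scores below the alert line.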

SLIDE 45

Do you audit PowerShell usage on servers and endpoints?

SLIDE 46

How to protect against security threats?

Keeping track of user and privileged account activity, especially on workstations, is at the heart of keeping your environment secure.

SLIDE 47

InTrust refresher

An elegant and efficient event log framework for all log data

  • Easy deployment
  • Massive scalability
  • Best compression in the business
  • High-speed searches
  • Nationalization & normalization

SLIDE 48

Does anyone know what this is?

Invoke-Mimikatz

There was a report that just came out that highlighted five publicly available tools frequently observed in cyber attacks this year. Mimikatz was one of the 5. It's essentially a PowerShell tool that can be used to steal credentials. In 2017, this tool was used in combination with the NotPetya malware to cause one of the most devastating cyberattacks in history. When the "Invoke-Mimikatz" script is used, its activity is difficult to isolate and identify, and that's what makes it so dangerous. That's just one example….

SLIDE 49

Automated responses to PowerShell attacks

We want to set up alerts and emergency response actions for whenever someone uses fishy PowerShell commands. But the lack of real-time alerting and visibility puts us in a reactive state.

InTrust Value

  • Watch for suspicious PowerShell activity
  • Trigger alerts & automate response actions:
    – Disabling the offending user
    – Reversing the change
    – Enabling emergency auditing
SLIDE 50

Protect your AD

SLIDE 51

Do you backup your AD?

SLIDE 52

Imagine……

  • You delete a VIP account accidentally
  • Hank changes your GPO settings
  • Your contractor mistakenly screws up your vCenter and the whole AD forest is gone
  • An application changes some attributes in your AD or Azure AD

What…

SLIDE 53

Active Directory incidents and disasters: more common than you might think

Active Directory is a mature product and pretty stable, right?

SLIDE 54

SLIDE 55

Recovery challenges organizations face today

  • Native tools do not offer granular recovery
  • Objects get modified or deleted, attributes get overwritten by faulty scripts – need to recover quickly
  • Compliance regulations require proof of disaster recovery and backup plans
  • Testing disaster recovery plans is resource-intensive
  • Native recovery tools are manual and time-intensive (in the case of AD, they often require that AD be taken offline)
  • Not knowing which objects or attributes have been changed or deleted
  • Can't delegate restore functions to non-administrators to lighten the load on my more experienced admins
  • Need to document details of how the disaster recovery plan/process will work, including timeframes

SLIDE 56

Cost when AD goes down……

What's the financial hit if Active Directory went down – any idea?

  • Many apps authenticate with AD to provide single sign-on (SSO)
  • When AD goes down, most of the business will be disrupted
  • The downtime is EXPENSIVE!

SLIDE 57

Recovery Manager for Active Directory

SLIDE 58

Recovery Manager for Active Directory + On Demand Recovery for Azure AD

SLIDE 59

Recovery Manager for Active Directory Forest Edition + On Demand Recovery for Azure AD

SLIDE 60

Comparing Quest with AD Recycle Bin

Capabilities compared (Recovery Manager for Active Directory vs. Recycle Bin):

  • Bulk restore of multiple attributes
  • Restore modified user attributes
  • Restore Group Policies
  • Comparison reporting
  • Compare and restore group membership
  • Restore delegation (non-Admin role)

SLIDE 61

Limited Access

SLIDE 62

Management concerns with Active Directory

  • Overcoming inadequacies of native tools
  • Cannot separate duties or territories
  • Improving the efficiency of time-consuming and error-prone user and group creation and modification
  • Reducing operational costs
  • Improving reporting capabilities

SLIDE 63

Without Active Roles

  • Security suffers because admins have excessive permissions
  • User account and group creation is time consuming and error prone
  • Using native tools is slow and error prone
  • Synchronizing on-premise AD accounts to off-premise AD and/or cloud-based services

[Diagram: access roles (AD Architect, Sr. Admin, Exchange Admin, OU Admin/Help Desk, Application/Data Owners) against the resources they manage (applications, databases, directories, distribution lists, network resources, groups, file shares)]

SLIDE 64

Solution: "least privilege" delegation

  • Users will be delegated to certain roles
  • You can limit the user to view specific OUs only
  • You can also delegate functionality to the user granularly, e.g. only allow creating/editing user objects but not deleting them

SLIDE 65

Domain Admin View | Regional Admin View

Reduce most of the Domain Admins

SLIDE 66

Besides Windows?

SLIDE 67

The Problems with Unix/Linux Security

  • Box-by-box identity management
  • Lack of consistent password policies
  • NIS is not secure
  • Duplicate LDAP infrastructure
  • No delegation or control of "root" and critical application accounts
  • Native access and privilege reporting is manual and error prone
  • No controls or visibility when powerful privileged commands are run

SLIDE 68

Privileged Access Suite for Unix

  • Consolidates identities
  • Extends the security of Active Directory to Unix-based systems and applications
  • Audit trail for individual accountability
  • Enables least-privileged access for "root" or application accounts
  • Centralized and single-source access control reporting
SLIDE 69

SLIDE 70

Privileged Access Suite for Unix Components

  • Management Console for Unix
  • AD Bridge
  • Unix Delegation
  • Replace Sudo
  • Enhance Sudo

SLIDE 71

AD Bridge

Authentication Services

  • Authenticate Unix users with AD Kerberos
  • Consolidate identities & directories into one AD
  • Grant access to Unix systems by AD group membership
  • Enhance password security
    – Extend AD password policies
    – Eliminate redundant, inconsistent, and non-secure passwords
    – Extend AD-based self-service password reset capabilities
    – Unix access is locked with the AD account

Manage Unix users and access from AD

SLIDE 72

Enhance Sudo

  • Centralized sudo delegation
  • Assign sudo permissions with AD accounts
  • Keystroke recording and playback
SLIDE 73

Playback Keystroke

SLIDE 74

We stop Hank by:

  • Real-time Detect and Alert
  • Analyze Suspicious Behaviors
  • Protect AD regularly
  • Limit Access to AD
  • Extend AD security to Unix/Linux
SLIDE 75

Why Quest?

SLIDE 76

Go-to experience you can rely on

  • DOUBLE: # of mailboxes migrated to Exchange over the competition
  • 95M: AD accounts migrated (or more than 10X the number of people living in NYC!)
  • 166M: user accounts audited (if 1 user = 1 mile, then that's 347 trips to the moon…and back!)
  • 5X: more Exchange mailboxes managed than folks visiting the Eiffel Tower annually!
  • 99PB: of SharePoint data supported (Wait, did you say Petabytes?!!)
  • 184M: Active Directory accounts managed (or more than 7x the number of mates living in Australia!)

SLIDE 77

Go-to, award-winning products

Change Auditor

  • People's Choice STEVIE Award – Best Software Winner
  • New Product of the Year STEVIE – Silver
  • Info Security Compliance Award – Bronze
  • SIIA CODiE Award for Best GRC Solution

Enterprise Reporter Suite

  • People's Choice STEVIE Award – Best Governance/Risk/Compliance Solution
  • New Product of the Year STEVIE – Bronze

IT Security Search

  • New Product of the Year STEVIE – Silver

On Demand Migration for Email

  • New Product of the Year STEVIE for Migration as a Service – Gold

Metalogix Migration solutions

  • Named Charter Member of the Microsoft Content Services Partner Program
  • Microsoft Preferred Partner for Content Services

Quest On Demand

  • People's Choice STEVIE Award – Best Cloud Applications/Services
  • New Product of the Year STEVIE for Cloud Application/Service – Bronze

Quest On Demand Recovery

  • New Product of the Year STEVIE for Cloud Storage & Backup Solution – Silver

ZeroIMPACT Migration solutions

  • Microsoft Partner of the Year Finalist – Messaging

SLIDE 78

Go-to products – the full list!

SLIDE 79

Thank you!