Determined Human Adversaries: Mitigations

Neil Carpenter
Principal Security Escalation Engineer
Global Incident Response & Recovery
Jim Payne
Principal Security Relationship Manager
Microsoft CSS Security

Information is based on extensive experience
by the CSS Security & Global Incident Response
& Recovery teams working with customers who
experienced a directed attack

In no way is this information to imply or
insinuate that there is direct knowledge of
what will occur, if anything.
Nation States
Organized Crime
Ideological Movements
Cyber Crime
Economic Espionage
Military Espionage

Distributed Denial of Service attack

Web Defacement

Determined Human Adversary / Directed Attack

Mitigate the impact (usually with hardware, for example, and usually in conjunction with your Internet provider)

Use a CDN to scale out

Move key properties to a more resilient platform, for example the cloud scenario

Customers should be ready with a strategy for handling a DDoS before it happens; otherwise, it's a lot of downtime and a lot of panic.

Develop secure code. SDL, SDL, SDL.
 If the website is already deployed, it's quite likely that SDL was not used to develop secure code.

Make sure that everything is up to date – not just the OS, but any deployed frameworks and applications.
 Compromises via 3rd-party frameworks, such as ColdFusion, have been common lately.

Ensure that you are gathering the right data in case something does happen.
 IIS logs – We see far too many customers who turn off IIS logging or disable key fields to save disk space. Disks are cheap, security compromises are not.
 If you're using a reverse proxy, pass the real source IP address to the IIS server and/or maintain easily accessible proxy logs with all the needed info.

Have a plan if something happens
 Gather data before deleting/restoring content.
 Preferably, plan to involve Microsoft CSS Security as soon as possible.
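The logging item above is the one most often found broken during a response, so here is an added audit script (not part of the deck) that reports, per IIS site, whether logging is on, which of the commonly trimmed W3C fields are missing, and whether a custom field captures the proxy's forwarded client address. It assumes the WebAdministration module (custom fields need IIS 8.5 or later) and that your reverse proxy sends the client address in an X-Forwarded-For header; both are assumptions, not something the slides state.

```powershell
# Added example, not from the deck: audit IIS W3C logging for incident-response readiness.
# Assumes WebAdministration (IIS 7.5+, custom fields IIS 8.5+) and an X-Forwarded-For proxy.
Import-Module WebAdministration

# logExtFileFlags values responders routinely rely on; "save disk space" trimming
# usually removes several of these (UserAgent, Referer, UriQuery, TimeTaken first).
$requiredFields = 'Date','Time','ClientIP','UserName','Method','UriStem','UriQuery',
                  'HttpStatus','HttpSubStatus','UserAgent','Referer','TimeTaken'
$proxyHeader = 'X-Forwarded-For'   # assumption: the header your reverse proxy sets

foreach ($site in Get-ChildItem IIS:\Sites) {
    $log = $site.logFile
    $findings = @()

    if (-not $log.enabled) { $findings += 'logging disabled' }
    if ($log.logFormat -ne 'W3C') { $findings += "format is $($log.logFormat); custom fields require W3C" }

    # logExtFileFlags comes back as a comma-separated list such as "Date, Time, ClientIP, ..."
    $present = ([string]$log.logExtFileFlags) -split ',\s*'
    $missing = $requiredFields | Where-Object { $_ -notin $present }
    if ($missing) { $findings += "missing fields: $($missing -join ', ')" }

    # Custom fields are the only way to record the proxy's forwarded address; without one,
    # every request in the log carries the proxy's IP instead of the real client's.
    $custom = @($log.customFields.Collection | ForEach-Object { $_.sourceName })
    if ($custom -notcontains $proxyHeader) {
        $filter = "system.applicationHost/sites/site[@name='$($site.Name)']/logFile/customFields"
        $findings += "no custom field for $proxyHeader; add with: Add-WebConfigurationProperty " +
                     "-Filter `"$filter`" -Name . -Value @{logFieldName='$proxyHeader';" +
                     "sourceName='$proxyHeader';sourceType='RequestHeader'}"
    }

    # One report row per site; run across the web tier and diff the output after changes.
    [pscustomobject]@{
        Site     = $site.Name
        LogDir   = $log.directory
        Findings = if ($findings) { $findings -join ' | ' } else { 'OK' }
    }
}
```

The script only reports; the Add-WebConfigurationProperty command it prints is the remediation to apply once you have confirmed the header name your proxy actually uses.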

Attackers exploit a weakness to compromise a host (the initial attack vector), then:
 Install malware for persistence and automate their tasks
 Elevate their privileges
 Mine for useful credentials
 Exfiltrate or delete data

Mitigation:
 Patching critical vulnerabilities is key. This needs to be done for all products: Microsoft infrastructure such as System Center Configuration Manager and WSUS can apply updates to Microsoft products, but they do not cover 3rd-party products unless that 3rd party has published a manifest.
 User Education – cannot place enough emphasis on this.

Mitigation:
 Monitor your anti-virus/anti-malware solution carefully.
▪ Ensure it is running on all machines in the environment
▪ Ensure signatures are kept up to date
 Use an application whitelisting approach such as AppLocker to help prevent the introduction of unwanted software.

Mitigation:
 Users should not run as local admin on workstations.
 Domain admins should never log on to workstations or member servers in the domain.
▪ Use a group policy to remove the Logon Locally right for domain administrators from all machines except for domain controllers.
▪ Use hardened workstations to perform necessary administrative tasks.

Mitigation:
 Use unique passwords for the local administrator account on every host in your enterprise.
▪ Better yet, disable this account entirely and monitor for attempted usage of it.
 Limit service account privilege and monitor usage of these accounts.
▪ Never run a service account as domain administrator or other privileged accounts.
▪ Service accounts should have least privilege (no logon locally or logon via network, for example).
▪ Where possible, use LocalService and NetworkService accounts instead of LocalSystem.
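The two preceding slides both end in a monitoring requirement: domain admins must not log on to workstations or member servers, and the built-in local Administrator, once disabled, should be watched for attempted use. This added script (not from the deck) checks a member server's Security log for both patterns over the last day. It assumes the ActiveDirectory module is installed, the host is not a domain controller, and PowerShell 5.1 or later for Get-LocalUser; all three are assumptions.

```powershell
# Added example, not from the deck: find logons that the slides say should never occur
# on a member server or workstation. Assumes ActiveDirectory module, non-DC host, PS 5.1+.
$hours = 24

$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName
# The built-in Administrator is identified by RID 500, not by name (it may be renamed).
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# 4624 = successful logon, 4625 = failed logon. LogonType 2 (interactive), 10 (RDP) and
# 11 (cached interactive) are the "sat down at this box" logon types the slides forbid.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the event XML.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user   = $data['TargetUserName']
    $domain = $data['TargetDomainName']
    $type   = [int]$data['LogonType']
    $reason = $null

    if ($user -in $domainAdmins -and $domain -ne $env:COMPUTERNAME -and $type -in 2, 10, 11) {
        $reason = 'Domain Admin interactive logon on a non-DC'
    } elseif ($builtinAdmin -and $user -eq $builtinAdmin.Name -and $domain -eq $env:COMPUTERNAME) {
        # Any attempt against a disabled account shows up as 4625; a 4624 means it is not disabled.
        $reason = if ($e.Id -eq 4625) { 'attempt to use built-in Administrator' }
                  else { 'built-in Administrator logged on (account not disabled?)' }
    }

    if ($reason) {
        [pscustomobject]@{
            Time = $e.TimeCreated; EventId = $e.Id; User = "$domain\$user"
            LogonType = $type; Source = $data['IpAddress']; Reason = $reason
        }
    }
}
```

Run it from a scheduled task or your log-collection platform across the member server estate; an empty result is the expected state.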

Mitigation:
 Define business critical data and apply extra protections to that data in transit and in storage.
▪ Implement a data classification scheme and introduce a policy so that all high business impact data is stored centrally and:
▪ Encrypt it at rest using rights management services
▪ Segregate access to the data from domain administrators
▪ Use IPsec to prevent network capture across the network
▪ Back it up frequently; test restores; keep an offsite backup

 Patching
 Limited Users
 Domain Admins Logon To DCs Only
 Application Control
 Monitor & Respond To Anti-Malware
 Protect Local Admin
 Limit Service Privilege
 Protect Data

Defender’s Dilemma
The defender must protect against everything.
The attacker only has to succeed with one.

Neil Carpenter
 Principal Security Escalation Engineer
 [email protected]

Jim Payne
 Principal Security Relationship Manager
 [email protected]