TWC | Detecting the Undetectable

Service Channels / Service Lines: Application Security; Infrastructure Security; Customized Solutions & Training
10+ Years of Tailored Best Practices and Specialized Intellectual Property
Unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions
Functional Capacity by Specialization (Totals): Application Security 30; Infrastructure Security 16; Dedicated PMs 3; Total 49
Global Delivery: US - Redmond (ACE HQ), United States, Canada, India, Australia
Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services
Cybersecurity - Who We Are
• Microsoft Windows Developers
• DoD Red Teams
• IR for major DoD, commercial networks
• Microsoft Network Security
• Security Clearances
• Malware Analysts
• Forensic Investigators & Trainers
• Intelligence Officers
• Law Enforcement Officers
• Microsoft Security Support
• Corporate Compliance Managers
• Internet Security Researchers
• Why Are Some Attackers So Hard To Detect?
• A Risk-Based Structured Approach
• Detecting the Undetectable
Framework for Improving Critical Infrastructure Cybersecurity (core functions): Identify, Protect, Detect, Respond, Recover
http://www.nist.gov/cyberframework/
• It is very difficult, if not impossible, to stop all hackers and malware (i.e. “assume breach”)
• If you can’t stop them, then the next best thing is early detection
• …Unfortunately, we aren’t doing a good job at that…
Verizon Data Breach Report 2014: “85% of breaches were spotted by an EXTERNAL party, and
“In 82 percent of cases...the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information available to them at the time of the incident.”
2008 Verizon Data Breach Investigations Report
• Initial compromise often begins at a badly monitored or unmonitored client workstation or computer
• Then, hackers use legitimate user credentials to do the rest of the damage
  • Access data the compromised user would normally access
  • Use the same portals end-users would use (e.g. OWA, etc.)
Hackers:
• Use the same remote access methods (e.g. RDP, etc.) as legitimate admins
• Use legitimate tools (e.g. Sysinternals utilities, built-in tools, etc.)
• (AV doesn’t alert)
• Don’t leave easy-to-notice markers
Traditional event monitoring has a hard time detecting:
• Data copying
• Buffer overflows
• Password hash dumps
• Zero days
• Normal behavior occurring anomalously (e.g. time, source, frequency, etc.)
The Anatomy Of The Attack
Tiers: Power: Domain Controllers; Data: Servers and Applications; Access: Users and Workstations
1. Bad guy targets workstations en masse
2. User running as local admin compromised, bad guy harvests credentials.
3. Bad guy starts “credentials crabwalk”
4. Bad guy finds host with domain privileged credentials, steals, and elevates privileges
5. Bad guy owns network, can harvest what he wants.
• http://www.microsoft.com/security/sir/default.aspx
• http://www.microsoft.com/enus/download/details.aspx?id=36036
  • V1
  • V2
• http://www.nist.gov/cyberframework/
• http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report-2013_en_xg.pdf
Implement a Structured, Risk-Based, Aligned Defense Plan
Baseline
Use Built-In Windows Tools
Use Free Downloadable Tools
Network Traffic Analysis
A Better Strategy for Logging and Alerting
Get Creative
A Structured Approach…
Most organizations do not right-align their defenses to the threats they are actually incurring:
• They can’t name the #1 way they are exploited
• They focus on too many “fires” and too many long-term projects
• They don’t do the simple things that would give them great bang for the buck
• They don’t really know or understand their computers and their network
• How can anyone readily detect the right things given these conditions?
New Strategy
• Identify what absolutely indicates badness
• Turn on monitoring on high value assets first
• Forward only events that absolutely indicate badness to a central collection point
• Alert
• Always investigate alerts
New Strategy – 3 Classes of Monitoring
• Single events which, by themselves, indicate badness
• Aggregate events on a single subject which indicate badness
• Aggregate events across the enterprise or a business unit which indicate badness
Object Access Auditing
• Windows 8 and Windows 7 provide much more granular auditing of object access and changes.
• For example, EventID 4657 (Registry Value Changed)
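As an added example (not from the talk), this PowerShell reads recent 4657 events from the Security log, pulls the fields out of the event XML, and flags changes under autostart keys as the kind of single event that indicates badness on its own. It assumes registry auditing is enabled and SACLs exist on the keys of interest; the watch list pattern is an assumption.

```powershell
# Added example, not part of the original deck.
# Assumes "Audit Registry" (Object Access) is enabled and the keys carry SACLs.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # The useful fields live in EventData; read them from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Key       = $data.ObjectName
        ValueName = $data.ObjectValueName
        OldValue  = $data.OldValue
        NewValue  = $data.NewValue
        Process   = $data.ProcessName
    }
}

# Assumed watch list: a value written under these keys is worth an alert every time.
$watch = 'CurrentVersion\\Run|CurrentVersion\\RunOnce|Image File Execution Options'
$changes | Where-Object { $_.Key -match $watch } | Format-Table -AutoSize
```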
Special Logon Groups
Event 4964 – Special groups have been assigned to a new logon
• Event created when a user belonging to a “special group” logs on
• Indicate what groups are “special” by listing them in a custom registry key as a string value, using the group SID:
HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
• Separate groups by semi-colon (;)
Special Logon Groups
Event 4908 – Special Groups Logon Table Modified
• Indicates when the list of special groups has been modified
• You indicate what groups are “special” by listing them in a special string value, using their SID:
HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups
• Separate group SIDs in the registry key by semi-colons. No limit to the number of groups
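As an added example (not from the talk), this PowerShell writes the SpecialGroups value described above, resolving group names to SIDs so none are hard-coded, and then summarizes 4964 events per account and host, which is the “aggregate events on a single subject” class from the new strategy. The group names are assumptions; run it elevated on a domain-joined host.

```powershell
# Added example, not part of the original deck. Requires an elevated session.
$specialGroups = 'Domain Admins', 'Enterprise Admins'   # assumption: groups worth watching

# Resolve names to SIDs; the registry value must hold SIDs, not names.
$sids = foreach ($g in $specialGroups) {
    ([System.Security.Principal.NTAccount]$g).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$auditKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
# REG_SZ, SIDs separated by semicolons. Writing it raises event 4908, which
# should itself be forwarded: only an admin (or an attacker) edits this list.
Set-ItemProperty -Path $auditKey -Name 'SpecialGroups' -Value ($sids -join ';') -Type String

# Report: special-group logons in the last day, grouped by account.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964; StartTime = $since } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
      $xml = [xml]$_.ToXml(); $d = @{}
      foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
      [pscustomobject]@{
          Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
          Time    = $_.TimeCreated
          Host    = $_.MachineName
      }
  } |
  Group-Object Account |
  Select-Object Name, Count,
      @{ n = 'Hosts'; e = { ($_.Group.Host | Sort-Object -Unique) -join ',' } } |
  Sort-Object Count -Descending
```

A privileged account appearing on many hosts, or at an unusual hour, is the “normal behavior occurring anomalously” case the deck calls out; the per-account count is the signal to threshold on.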
• Application Control/Auditing Program
• Great for stopping unknown executables and scripts from executing
• Collect baselines
• Try enabling in audit-only mode
• Report/investigate future exceptions
Caveats
• Only on Windows 7/Windows 2008 R2 and later
• Doesn’t catch everything
• Use along with Process Tracking
…vents it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understan…
http://technet.microsoft.com/en-us/sysinternals/dn798348.aspx
Usage:
Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]
Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]
Sysmon.exe -u
Options: -c, -h, -i, -m, -n, -u
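As an added example (not from the talk or the Sysmon documentation), this PowerShell installs Sysmon with the hashing and network-connection options from the usage above and then aggregates its process-create (event 1) and network-connection (event 3) records per image, so a rarely seen binary that talks to the network stands out. The Sysmon.exe path is an assumption; `-accepteula` is a standard Sysinternals switch.

```powershell
# Added example, not part of the original deck. Requires an elevated session.
& 'C:\Tools\Sysmon.exe' -accepteula -i -h sha256 -n   # path is an assumption

$log = 'Microsoft-Windows-Sysmon/Operational'
$records = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1, 3 } `
                        -MaxEvents 2000 -ErrorAction SilentlyContinue |
  ForEach-Object {
      $xml = [xml]$_.ToXml(); $d = @{}
      foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
      if ($_.Id -eq 1) {
          # Event 1: process create. Hash and parent are what you pivot on later.
          [pscustomobject]@{ Time = $_.TimeCreated; Type = 'Process'; User = $d.User
                             Image = $d.Image; Detail = $d.CommandLine
                             Hash = $d.Hashes; Parent = $d.ParentImage }
      } else {
          # Event 3: network connection initiated by that image.
          [pscustomobject]@{ Time = $_.TimeCreated; Type = 'Network'; User = $d.User
                             Image = $d.Image
                             Detail = "$($d.DestinationIp):$($d.DestinationPort)"
                             Hash = ''; Parent = '' }
      }
  }

# Rarest images first: one binary with a single process-create and a network
# connection is a better lead than the thousands of svchost entries.
$records | Group-Object Image | Sort-Object Count |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize
```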
• Long-time Microsoft/Sysinternals utility
• Can now check all running executables against 50+ AV engines in a few seconds
• Checks against VirusTotal.com
• Caution: won’t detect everything
Honeytokens, Red Herrings, and Canary Values
• Digital data which is created and monitored solely as an indicator of digital theft
• They can be real data with a “marker” contained within, or fake data that simply doesn’t exist in the real world, or at least within a given enterprise
• If you detect its use or attempted use, send an alert
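As an added example (not from the talk), this PowerShell plants a fake file as a honeytoken, puts an audit ACE on it so any read is logged as object-access event 4663, and then turns those reads into alert rows. It relies on the same object access auditing covered earlier; the file path and contents are constructed, and “Audit File System” must be enabled for Success.

```powershell
# Added example, not part of the original deck. Requires an elevated session.
$token = 'C:\Finance\Payroll_2014_all_staff.xlsx'   # constructed; choose something that looks valuable
New-Item -ItemType Directory -Path (Split-Path $token) -Force | Out-Null
Set-Content -Path $token -Value 'Constructed honeytoken: this file is monitored and its contents are fake.'

# Nobody has a legitimate reason to read this file, so audit every successful
# ReadData by Everyone. The SACL, not the DACL, is what produces 4663.
$acl  = Get-Acl -Path $token -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $token -AclObject $acl

# Any 4663 that names the token is an alert by definition.
$alerts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$token*" } |
    ForEach-Object {
        $xml = [xml]$_.ToXml(); $d = @{}
        foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Access  = $d.AccessMask
        }
    }
$alerts | Format-Table -AutoSize
```

Exclude your own backup and AV scanners by their ProcessName rather than by loosening the SACL, so the token keeps firing on everything else.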
• Discover the traits that make some malicious hackers difficult to detect
• Create a structured, risk-based approach
• Learn ways to detect malicious hackers
• Understand which Microsoft technologies can best help you