Typical Attack Timeline & Observations (timeline diagram, labels as recovered):
Research & Preparation
First Host Compromised (24-48 hours after initial access)
Domain Admin Compromised
Data Exfiltration (attacker undetected)
Attack Discovered (11-14 months later)
Slide 8
Privilege Escalation with Credential Theft (Typical): 24-48 Hours
1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)
Modern Attack Tools are Easy/etc.
Slide 13
Architecture diagram (labels as recovered): Hypervisor; High Level OS (HLOS) running LSASS; Isolated User Mode (IUM) running LSAIso.
Slide 14
Architecture diagram (labels as recovered): Hypervisor; High Level OS (HLOS) with LSASS (NTLM, Kerberos), Boot Persistent Device Drivers, clear secrets; Isolated User Mode (IUM) with LSAIso (NTLM support, Kerberos support), IUM secrets. Note: MS-CHAPv2 and NTLMv1 are blocked.

Privileged access architecture diagram (component labels as recovered): IT Service Management; Administrative Forest; Domain and Forest Administration; Production Domain(s); Domain and Forest Security Alerting; Servers, Apps, and Cloud Services; Hardened Hosts and Accounts; Privileged Account Management (PAM); Admin Roles & Delegation; Admin Forest Maintenance; PAM Maintenance; Lateral Traversal Mitigations (Admin Process, Technology); Domain and DC Hardening; OS, App, & Service Hardening; User, Workstations, and Devices; Integrate People, Process, and Technology; RDP w/Restricted Admin; Protected Users; Auth Policies and Silos; Admin Workstations.
Slide 24
Good/Minimum:
Separate Admin Desktops and associated IT Admin process changes
Separate Admin Accounts
Remove accounts from Tier 0 Service Accounts
Personnel - Only DC Maintenance, Delegation, and Forest Maintenance
Better and Best:
Detection - Advanced Threat Analytics
Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
Just in Time (JIT) Privileges - Privileged Access Management
Extensive overhaul of IT Process and Privilege Delegation
Administrative Forest (for AD admin roles in current releases)
Isolated User Mode (IUM)
Microsoft Passport and Windows Hello
Slide 25
Good/Minimum:
Separate Admin Accounts
Separate Admin Desktops
Associated IT Admin process changes
Enforce use of RDP RestrictedAdmin Mode
Local Administrator Password Solution (LAPS) or alternate from PTHv1
Better and Best:
Detection - Advanced Threat Analytics
Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
Just in Time (JIT) Privileges - Privileged Access Management
Extensive overhaul of IT Process and Privilege Delegation
Isolated User Mode (IUM)
Microsoft Passport and Windows Hello
Slide 37
Implement Mitigations Now!
1. Revamp your culture and support processes
2.
3. Plan to adopt Windows 10 Features
Slide 41
Shared responsibility diagram (labels as recovered): Cloud service provider responsibility; Tenant responsibility.
Slide 42
Identity diagram (labels as recovered): Private Cloud Fabric Identity; Infrastructure as a Service; On Premises Infrastructure; Federation and Synchronization; Single Identity.