Slide 1

Slide 2

Slide 3

Slide 4

ASSUME BREACH PREVENT BREACH +

Slide 5

Slide 6

Slide 7

Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker Undetected) 11-14 months Attack Discovered Typical Attack Timeline & Observations

Slide 8

1.Get in with Phishing Attack (or other) 2.Steal Credentials 3.Compromise more hosts & credentials (searching for Domain Admin) 4.Get Domain Admin credentials 5.Execute Attacker Mission (steal data, destroy systems, etc.) Modern Attack Tools are Easy/etc. 24-48 Hours Privilege Escalation with Credential Theft (Typical)

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

High Level OS (HLOS) Hypervisor Isolated User Mode (IUM) LSASS LSAIso

Slide 14

High Level OS (HLOS) Hypervisor Isolated User Mode (IUM) LSASS NTLM Kerberos LSAIso NTLM support Kerberos support Boot Persistent Device Drivers Clear secrets Note: MS-CHAPv2 and NTLMv1 are blocked IUM secrets

Slide 15

Slide 16

Slide 17

1.Privilege escalation Credential Theft Application Agents Service Accounts 2.Lateral traversal Credential Theft Application Agents Service Accounts Tier 0 Tier 2 Tier 1

Slide 18

Slide 19

Do these NOW!

Slide 20

Slide 21

Slide 22

Slide 23

IT Service Management Administrative Forest Domain and Forest Administration Production Domain(s) Domain and Forest Security Alerting Servers, Apps, and Cloud Services Hardened Hosts and Accounts Privileged Account Management (PAM) Admin Roles & Delegation Admin Forest Maintenance PAM Maintenance Lateral Traversal Mitigations (Admin Process, Technology) Domain and DC Hardening OS, App, & Service Hardening User, Workstations, and Devices Integrate People, Process, and Technology RDP w/Restricted Admin Protected Users Auth Policies and Silos Admin Workstations

Slide 24

Good/Minimum Separate Admin Desktops and associated IT Admin process changes Separate Admin Accounts Remove accounts from Tier 0 Service Accounts Personnel - Only DC Maintenance, Delegation, and Forest Maintenance Better Best Detection - Advanced Threat Analytics Multi-factor Authentication (Smartcards, One Time Passwords, etc.) Just in Time (JIT) Privileges - Privileged Access Management Extensive overhaul of IT Process and Privilege Delegation Administrative Forest (for AD admin roles in current releases) Isolated User Mode (IUM) Microsoft Passport and Windows Hello

Slide 25

Good/Minimum Separate Admin Accounts Separate Admin Desktops Associated IT Admin process changes Enforce use of RDP RestrictedAdmin Mode Local Administrator Password Solution (LAPS) Or alternate from PTHv1 Better Best Detection - Advanced Threat Analytics Multi-factor Authentication (Smartcards, One Time Passwords, etc.) Just in Time (JIT) Privileges - Privileged Access Management Extensive overhaul of IT Process and Privilege Delegation Isolated User Mode (IUM) Microsoft Passport and Windows Hello

Slide 26

Good/Minimum Separate Admin Accounts Separate Admin Desktops Associated IT Admin process changes Enforce use of RDP RestrictedAdmin Mode Local Administrator Password Solution (LAPS) Or alternate from PTHv1 Better Best Detection - Advanced Threat Analytics Multi-factor Authentication (Smartcards, One Time Passwords, etc.) Just in Time (JIT) Privileges - Privileged Access Management Extensive overhaul of IT Process and Privilege Delegation Isolated User Mode (IUM) Microsoft Passport and Windows Hello

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

37 Implement Mitigations Now! 1 Revamp your culture and support processes 2 3 Plan to adopt Windows 10 Features

Slide 38

Slide 39

Slide 40

Slide 41

Cloud service provider responsibility Tenant responsibility

Slide 42

Private Cloud Fabric Identity Infrastructure as a Service On Premises Infrastructure Federation and Synchronization Single Identity

Slide 43