Fighting Malware & Reducing Risk
Andrea Piazza
National Security Officer – Microsoft Italy
Threat trends
Advanced Persistent Threat (APT)

Commodity Malware
• Very prevalent
• Made for the public
• Cheap
• Designed for short-term gain
Examples: Conficker, Cryptolocker

Targeted Attacks
• Unique, low volume
• Tailored & custom made
• Expensive
• Designed for long-term gain
Examples: Stuxnet, APT28
Ransomware
Evolution and Enterprise Mitigations
Ransomware by country or region
Modern Multi-Stage Ransomware Attacks
Stages: Plan, Enter, Traverse, Encrypt, supported by Command and Control throughout
Impact grows from Individual Device/User Impact to Enterprise Impact
A Pragmatic Three Part Strategy
1. Block attacks at the front line
• Raise attacker costs to compromise entry points
• Internet-facing servers
• Workstations and users
2. Defenses to contain attackers
• Assume front line defenses will fail
• Raise attacker cost to traverse the environment and encrypt data
• Rapid response to detect threats and disrupt attack(s)
3. Data backup in case of emergency
• Assume all defenses will fail
• Restore data from backups that are inaccessible to attackers
Immediate Front Line Defenses
Internet Server Defenses
1. Apply Security Updates (upgrade OS and apps as needed)
2. Operational Hygiene (restrict exposure of privileged access from endpoints)
3. Configuration Hygiene (change default passwords, apply security configurations)
Workstation and User Defenses
4. Application Reputation
5. Mail Content Protections
6. Apply Security Updates (Basic)
7. Exploit Mitigations
8. User Education
Defenses to contain attackers
1. Remove Excessive Access to Shared Files
• Remove file share & SharePoint permissions that let large groups (Everyone, Authenticated Users, Domain Users, etc.) overwrite data
2. Securing Privileged Access (SPA) Roadmap
• Immediately implement Stage 1 (separate admin accounts and workstations, random local admin passwords)
• Begin planning Stages 2 and 3
3. Security Operations: Fast Detect and Cleanup
• Leverage cloud-enabled anti-malware capabilities for real-time analysis/response (e.g. Windows Defender with Microsoft Active Protection Service (MAPS) enabled and Defender ATP)
• Ensure availability of experienced analysts & responders
(Slide diagram: a file share ACL granting Everyone Full Control/Modify; Active Directory and Azure Active Directory; SPA roadmap at http://aka.ms/sparoadmap)
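As an added example (not from the original deck) of the first containment control, the following PowerShell script lists shares on the local server where the broad groups named above hold share-level or NTFS write access. The principal list is an assumption to adapt to your domain.

```powershell
# Added example (not from the original deck): audit the local server's SMB shares
# for broad groups that can overwrite data, the condition the slide says to remove.
# Assumes Windows Server 2012+ with the SmbShare module; run as an administrator.

# Broad principals whose write access should be removed. Assumed list; extend as needed.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers"
)

# NTFS rights that let a caller overwrite or delete files.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Modify, Write, Delete, FullControl'

function Get-BroadWriteAccess {
    param([string[]]$Principals = $BroadPrincipals)

    # Skip hidden administrative shares (C$, ADMIN$, IPC$) and shares without a path.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

    foreach ($share in $shares) {
        # Share-level permissions: Change or Full allow modification.
        foreach ($sa in Get-SmbShareAccess -Name $share.Name) {
            if ($sa.AccessControlType -eq 'Allow' -and
                $sa.AccessRight -in 'Change', 'Full' -and
                $sa.AccountName -in $Principals) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $sa.AccountName; Rights = $sa.AccessRight
                }
            }
        }
        # NTFS permissions on the share root (inherited entries included).
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $WriteRights) -ne 0) -and
                $ace.IdentityReference.Value -in $Principals) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-BroadWriteAccess | Format-Table -AutoSize
```

Entries flagged at the Share layer can be removed after review with Revoke-SmbShareAccess; NTFS entries need an ACL edit on the folder itself.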
Detect Respond Recover
Key Resources
Ransomware: Understanding the Risk: http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/
How to Deal with Ransomware: https://blogs.technet.microsoft.com/office365security/how-to-deal-with-ransomware/
RECON
• Fingerprint
• Observation
• OSINT
WEAPONIZE
• Lure
• Zero-day / EK (exploit kit)
• Social engineering
DELIVERY
• Waterhole
• Spear-phish
• MITM
EXPLOIT
• Installation
• Dropper
• Downloader
INSTALL
• Installation
• EOP / gain privilege
• Persistence
C&C
• Exploration
• Info gathering
• Lateral movement
ACTIONS
• Exfiltration
• Destruction
• Compromise
APT: Delivery methods (Strontium)
Delivery method: lures
• Spear-phishing attachments: Office CVEs
• Spear-phishing drive-by URLs: IE/Flash/Java CVEs
• Social-engineered code execution: Firefox XPI
• Social-engineered drive-by login: OWA, Yahoo, Gmail
Targeted Attacks: Typical Timeline & Observations
1. Research & Preparation
2. First host compromised
3. Domain Admin compromised (24-48 hours after the first host)
4. Data exfiltration, attacker undetected (11-14 months)
5. Attack discovered
Attack Sophistication
• Attack operators exploit any weakness
• Target information on any device or service
Attacks not detected
• Current detection tools miss most attacks
• You may be under attack (or compromised)
Target AD & Identities
• Active Directory controls access to business assets
• Attackers commonly target AD and IT admins
Response and Recovery
• Response requires advanced expertise and tools
• Expensive and challenging to successfully recover
Privilege Escalation with Credential Theft (Typical)
1. Get in with phishing attack (or other)
2. Steal credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute attacker mission (steal data, destroy systems, etc.)
Typical time from first host to Domain Admin: 24-48 hours
Attack Scenario: Initial Compromise
An attacker obtains local administrative rights to a computer by enticing a victim into executing a malicious application, exploiting a known or unpatched vulnerability, or through some other means.
Countermeasures:
• Patching (Microsoft & 3rd party)
• Least privilege
• User education
• Email protection
• Threat detection
• App whitelisting

Attack Scenario: Lateral Movement
Attacker exploits shared secrets (e.g. password hashes) on a computer to access similar hosts at the same trust level.
Countermeasures:
• Randomize local admin password
• Host firewall across clients
• Deny logon via network
• Credential Guard

Attack Scenario: Privilege Escalation
Attacker is able to capture privileged account credentials used to administer higher-level resources (servers illustrated).
Countermeasures:
• Do not expose privileged credentials
• Credential partitioning
• Services and application hardening

Attack Scenario: Complete Compromise
If a domain administrator account is captured along the way, the infrastructure (including the Domain Controller) is completely compromised.
Countermeasures:
• Detection through monitoring and alerting is key.
Strategies for attack detection and prevention
Key Guidance Resources
Credential Theft Portal: www.microsoft.com/PTH
Credential Theft Whitepapers and Resources
Determined Adversaries and Targeted Attacks: http://www.microsoft.com/en-us/download/details.aspx?id=34793
Security Intelligence Report (SIR): http://www.microsoft.com/SIR
Key Preventive Controls
1. Admin Workstations & Logon Restrictions
• Domain Admins
• Server, Application, and Cloud Infrastructure Admins
• Workstation Admins
2. Random Local Account Passwords
• Workstations
• Servers
• Specialized Devices (Cash Registers, ATMs, etc.)
3. RDP /RestrictedAdmin Mode
• Server and Application Admins
• Workstation and Specialized Device Admins
Do these NOW!
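An added example, not from the original deck, of the detection side of control 1: a PowerShell function that reads Security event 4624 and flags Tier 0 accounts logging on to hosts outside an approved admin workstation/DC list. The account names, host names and sample events are constructed.

```powershell
# Added example (not from the original deck): flag logons by Tier 0 accounts on hosts
# that are not approved admin workstations or Domain Controllers, from Security event
# 4624 XML. Account, host and PAW names are constructed for the example.

$Tier0Accounts = @('CONTOSO\da-alice', 'CONTOSO\da-bob')   # assumed Domain Admin accounts
$ApprovedHosts = @('PAW-01', 'PAW-02', 'DC01', 'DC02')      # assumed PAWs and DCs

function Test-Tier0LogonViolation {
    param([Parameter(Mandatory)][string]$EventXml)   # output of $event.ToXml()

    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    if ($account -notin $Tier0Accounts) { return }

    # Strip the DNS suffix so the host compares against the short allow list.
    $computer = ($x.Event.System.Computer -split '\.')[0]
    if ($computer -in $ApprovedHosts) { return }

    # Logon types that leave reusable credentials on the host (2 interactive,
    # 10 RemoteInteractive/RDP, 4 batch, 5 service) are worse than network (3).
    $logonType = [int]$data['LogonType']
    [pscustomobject]@{
        Time      = $x.Event.System.TimeCreated.SystemTime
        Account   = $account
        Host      = $computer
        LogonType = $logonType
        Source    = $data['IpAddress']
        Severity  = if ($logonType -in 2, 4, 5, 10) { 'High' } else { 'Medium' }
    }
}

# Builds constructed sample events in the shape of Security 4624 XML.
function New-Sample4624 {
    param($Computer, $User, $LogonType, $Ip, $Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System>
  <EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">$LogonType</Data><Data Name="IpAddress">$Ip</Data></EventData>
</Event>
"@
}
$samples = @(
    New-Sample4624 'WS-SALES-17.contoso.com' 'da-alice' 10 '10.1.2.3' '2016-05-10T08:12:44Z'  # RDP to a user workstation: High
    New-Sample4624 'PAW-01.contoso.com'      'da-alice' 2  '-'        '2016-05-10T08:15:02Z'  # on an approved PAW: ignored
    New-Sample4624 'FS01.contoso.com'        'da-bob'   3  '10.1.2.9' '2016-05-10T08:20:31Z'  # network logon to a file server: Medium
)
$samples | ForEach-Object { Test-Tier0LogonViolation -EventXml $_ } | Format-Table -AutoSize

# Live use on a collector that receives forwarded Security logs (assumed):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object { Test-Tier0LogonViolation -EventXml $_.ToXml() }
```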
Tier 0 Administration Security
Domain/Enterprise Admins and Equivalent
Good/Minimum
• Separate Admin Desktops, and associated IT Admin process changes
• Separate Admin Accounts
• Remove accounts from Tier 0: Service Accounts; Personnel - only DC Maintenance, Delegation, and Forest Maintenance
Better
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive redesign of IT Process and Privilege Delegation
Best
• Administrative Forest (for AD admin roles in current releases)
• Credential Guard
• Microsoft Passport and Windows Hello

Tier 1 Administration Security
Human admins of Servers, Cloud Services, Virtualization, Management Tools, etc. (that aren’t Tier 0)
Good/Minimum
• Separate Admin Accounts
• Separate Admin Desktops, and associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or an alternative from PTHv1
Better
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Best
• Credential Guard
• Microsoft Passport and Windows Hello

Tier 2 Administration Security
Human admins of User Workstations, User Devices, Printers, etc. (typically helpdesk and PC support)
Good/Minimum
• Separate Admin Accounts
• Separate Admin Desktops, and associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or an alternative from PTHv1
Better
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
Best
• Credential Guard
• Microsoft Passport and Windows Hello
Securing Privileged Access (SPA) Roadmap
Top Defenses for Targeted Attacks
• Comprehensive Strategy
• Prioritized 3 Phase Plan
• Detailed technical instructions
http://aka.ms/SPAroadmap
Based on real world experience deploying Microsoft cybersecurity services solutions
Protecting Active Directory and Admin privileges

Phase 1 (2-4 weeks): First response to the most frequently used attack techniques
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins: http://Aka.ms/CyberPAW
3. Unique local admin passwords for workstations: http://Aka.ms/LAPS
4. Unique local admin passwords for servers: http://Aka.ms/LAPS

Phase 2 (1-3 months): Build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs) Phases 2 and 3 - all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.): http://aka.ms/CyberPAW
2. Just Enough Admin (JEA) for DC maintenance: http://aka.ms/JEA
3. Lower attack surface of Domain and DCs: http://aka.ms/HardenAD
4. Domain Controller security updates: target full deployment within 7 days
5. Attack detection: http://aka.ms/ata
6. Time-bound privileges (no permanent admins): http://aka.ms/PAM, http://aka.ms/AzurePIM
7. Multi-factor for elevation

Phase 3 (6+ months): Move to a proactive security posture
1. Modernize roles and delegation model
2. Smartcard or Passport authentication for all admins: http://aka.ms/Passport
3. Admin Forest for Active Directory administrators: http://aka.ms/ESAE
4. Apply baseline security policies to DCs
5. Code Integrity Policy for DCs (Server 2016)
6. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric): http://aka.ms/shieldedvms
https://www.microsoft.com/security
The operating system as the first line of defense
Key Threats
• Melissa (1999), Love Letter (2000)
• Mainly leveraging social engineering
Key Threats
• Code Red and Nimda (2001), Blaster (2003), Slammer (2003)
• 9/11
• Mainly exploiting buffer overflows
• Script kiddies
• Time from patch to exploit: several days to weeks
Key Threats
• Zotob (2005)
• Attacks "moving up the stack" (Summer of Office 0-day)
• Rootkits
• Exploitation of buffer overflows
• Script kiddies
• Rise of phishing
• Users running as admin
Key Threats
• Organized crime
• Botnets
• Identity theft
• Conficker (2008)
• Time from patch to exploit: days
Key Threats
• Organized crime, potential state actors
• Sophisticated targeted attacks
• Operation Aurora (2009), Stuxnet (2010)
• Hacktivism (Anonymous)
• Password and digital identity theft and misuse
• Signature-based AV unable to keep up
• Digital signature tampering
• Browser plug-in exploits
• Data loss on BYOD devices
Key Threats
• Nation states actively attacking private institutions
• CryptoLocker (2013) and APTs at scale
• Adding disruption and terror to the playbook
• Rampant password theft and abuse
• Pass the Hash becomes part of the default playbook
• AV unable to keep up

From hardening the operating system to defending against emerging threats across the on-premises datacenter and the cloud.
Windows Server 2003: Secure by design, secure by default
Key features: Credential Manager, operation-based auditing, data encryption, services turned off by default
Windows Server 2008: Harden the platform
Key features: Windows Firewall, User Account Control (UAC), Server Core installation option
Windows Server 2012: Protect information, protect the environment
Key features: credential protections, BitLocker enhancements, Virtual Smart Card, AppLocker enhanced, file classification and encryption, Dynamic Access Control (DAC)
Windows Server 2016: Assume breach, secure the guest
Key features: Just in Time and Just Enough Administration, Shielded Virtual Machines with Host Guardian Server, Virtualization Based Code Integrity, Credential Guard
Windows XP (2001)
• Logon (Ctrl+Alt+Del)
• Access Control
• User Profiles
• Security Policy
• Encrypting File System (file based)
• Smartcard and PKI support
• Windows Update
Windows XP SP2 (2004)
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• Security Development Lifecycle (SDL)
• Auto Update on by default
• Firewall on by default
• Windows Security Center
• WPA support
Windows Vista (2007)
• BitLocker
• Improved ASLR and DEP
• Full SDL
• User Account Control
• Internet Explorer SmartScreen Filter
• Digital Rights Management
• Firewall improvements
• Signed device driver requirements
• TPM support
• Windows Integrity Levels
• Secure “by default” configuration (Windows features and IE)
Windows 7 (2009)
• Improved ASLR and DEP
• Full SDL
• Improved IPsec stack
• Managed Service Accounts
• Improved User Account Control
• Enhanced Auditing
• Internet Explorer SmartScreen Filter
• AppLocker
• BitLocker To Go
• Windows Biometric Service
• Windows Action Center
• Windows Defender
Windows 8 (2012)
• Firmware-based TPM
• UEFI (Secure Boot)
• Trusted Boot (with ELAM)
• Measured Boot
• Significant improvements to ASLR and DEP
• AppContainer
• Internet Explorer 10 (plugin-less and Enhanced Protected Modes)
• Application Reputation moved into core OS
• Device Encryption (all SKUs)
• BitLocker improvements and MBAM
• Virtual Smartcards
• Dynamic Access Control
• Built-in AV (Windows Defender)
• Improved biometrics
• TPM Key Protection and Attestation
• Certificate Reputation
• Provable PC Health
• Remote Business Data Removal
Windows 10 (2015)
• Virtual Secure Mode
• Virtual TPM
• Control Flow Guard
• Microsoft Passport
• Windows Hello
• Biometric Framework improvements (iris, facial)
• Broad OEM support for biometric-enabled devices
• Enterprise Data Protection
• Device Encryption supported on a broader range of devices
• DMA attack mitigations
• Device Guard
• URL Reputation improvements
• App Reputation improvements
• Windows Defender improvements
• Provable PC Health improvements
AppLocker
An application control solution that prevents unwanted and/or unknown applications from running
• Configurable in block or audit mode
• Whitelist or blacklist approach
• AppLocker provides security protection as well as operational and compliance benefits
• AppLocker can enforce application standardization
• AppLocker can be one component of an organization's overall security strategy

BitLocker
Windows BitLocker is a feature of the Windows client and server operating systems that encrypts all data stored on the Windows operating system volume and on configured data volumes. Using the TPM (Trusted Platform Module), it also guarantees the integrity of the boot components.
• Supports a startup PIN
• Allows centralized management of configurations and recovery of unlock keys (through the MBAM tool, part of the Microsoft Desktop Optimization Pack)
Key New Technologies
• Device Guard
• Credential Guard: move LSASS secrets into a Virtual Secure Mode (VSM) OS instance
• Microsoft Passport: new authentication protocol based on hardware-bound keys
• Windows Hello: easy-to-use biometrics to unlock credential access
• Privileged Access Management: Just in Time (JIT) privileges
• Advanced Threat Analytics: detect attacks through anomalous authentication patterns
• Local Administrator Password Solution
BIOS vs. UEFI
UEFI (Unified Extensible Firmware Interface) is a standard firmware interface for PCs designed to replace the BIOS (Basic Input/Output System).
- Created by more than 140 technology companies as part of the UEFI consortium, of which Microsoft is a member, to improve software interoperability and address the limitations of the BIOS.
Advantages of UEFI firmware include:
- Improved security thanks to protection of the pre-boot process against bootkit attacks.
- Faster boot and resume-from-hibernation times.
- Support for drives larger than 2.2 terabytes (TB).
- Support for 64-bit firmware device drivers that the system can use to address more than 17.2 billion gigabytes (GB) of memory during startup.
Secure Boot (UEFI)
UEFI-based security levels: UEFI verifies the boot loader
Can be configured to load only verified files
Security innovations in Windows 10
• Windows Hello (simplified device sign-in through biometrics)
• Microsoft Passport (two-factor authentication)
• Credential Guard* (protection against Pass the Hash attacks)
• Device Guard** (device lockdown, execution of certified apps only)
• Enterprise Data Protection (separation of personal and corporate data)
* Requires Enterprise Edition x64, UEFI 2.3.1 or higher, virtualization extensions, VT-d or AMD-Vi IOMMU, TPM (2.0 recommended), secure firmware update process
** Requires Enterprise Edition, UEFI 2.3.1 or higher, Trusted Boot, Virtualization-based Security
Microsoft Passport – Phone sign-in
(Slide diagram of the Microsoft Passport flow.) Identity providers (IDP): Active Directory, Azure AD, Google, Facebook, Microsoft Account.
1. The user proves identity to the IDP from Windows 10
2. "Trust my unique key"
3. "Here is your authorization token"
4. Intranet and Internet resources accept the token: "I trust tokens from IDP" / "So do I"
Credential Guard
(Slide diagram.) Hardware and hypervisor at the base; above them, two isolated environments: the Windows kernel with apps and Windows Platform Services, and the Virtual Secure Mode (VSM) kernel hosting the Local Security Authority Service, a virtual TPM and Hypervisor Code Integrity.
Device Guard: VBS - HVCI, UEFI Secure Boot / Platform Secure Boot, KMCI, AppLocker
Device Guard Workflow
Definitions: UEFI = Unified Extensible Firmware Interface; ELAM = Early Launch Anti-Malware; VBS = Virtualization based Security; HVCI = Hypervisor based Code Integrity; KMCI = Kernel-mode Code Integrity; UMCI = User-mode Code Integrity
Boot chain: ROM/Fuses, Bootloaders, Native UEFI, Windows OS Loader, Windows Kernel and Drivers (ELAM), 3rd Party Drivers, User Mode Code (Apps) (UMCI)
Credential/Device Guard Requirements
Requirements (the original table marks which apply to Credential Guard and which to Device Guard):
• Windows 10 Enterprise Edition
• UEFI firmware version 2.3.1 or higher and Secure Boot
• Virtualization extensions
• Firmware lock
• x64 architecture
• A VT-d or AMD-Vi IOMMU
• Secure firmware update process
• The firmware is updated for Secure MOR
• TPM 1.2 or 2.0
• Physical PC
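An added example (not part of the original deck) that reports which of the requirements above the local machine meets, through the Win32_DeviceGuard class. The property value mappings are the documented ones; the firmware-lock and secure-update rows stay a manual check.

```powershell
# Added example (not from the original deck): check which Credential Guard / Device Guard
# prerequisites from the table above the local machine meets, using the Win32_DeviceGuard
# class that Windows 10 / Server 2016 expose. Run elevated; firmware lock and the secure
# firmware update process cannot be queried and stay a manual (OEM documentation) check.

# Documented values of Win32_DeviceGuard.AvailableSecurityProperties.
$SecurityProperty = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
}
# Documented values of SecurityServicesRunning.
$SecurityService = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)' }

function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    $running   = @($dg.SecurityServicesRunning   | ForEach-Object { [int]$_ })

    # Secure Boot state from the firmware variable; the cmdlet throws on legacy BIOS.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        EnterpriseEdition = $os.Caption -match 'Enterprise'
        X64               = [Environment]::Is64BitOperatingSystem
        UefiSecureBoot    = [bool]$secureBoot
        VirtualizationExt = 1 -in $available
        Iommu             = 3 -in $available
        SecureMor         = 4 -in $available
        TpmPresent        = $null -ne $tpm
        TpmSpecVersion    = if ($tpm) { $tpm.SpecVersion } else { 'none' }
        VbsStatus         = @('Disabled', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        RunningServices   = ($running | ForEach-Object {
                                if ($SecurityService[$_]) { $SecurityService[$_] } else { "service $_" }
                            }) -join ', '
        MissingProperties = ($SecurityProperty.Keys | Sort-Object | Where-Object { $_ -notin $available } |
                             ForEach-Object { $SecurityProperty[$_] }) -join ', '
    }
}

Get-VbsReadiness | Format-List
```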
Enterprise Data Protection
Protects data both on the device and outside it; data leakage blocking policies can be configured
• Integrated into Windows
• Separates personal data from corporate data
• Prevents unauthorized applications from accessing sensitive data
• Supports remote wipe of corporate data
Conclusions
• Threat trends show a continuous increase in the sophistication and frequency of attacks
• Microsoft recommends that all organizations adopt the Securing Privileged Access roadmap
• The operating system, with its security features, is an effective barrier against modern attacks as part of a multi-layered security strategy