Page 1: 12 Crucial Windows Security Skills for 2017

12 Crucial Windows Security Skills for 2017

Paula Januszkiewicz
CQURE: CEO, Penetration Tester; Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT

Greg Tworek
CQURE: CTO, Security Expert
CQURE Academy: Trainer
MVP: Enterprise Security, MCT

Page 2: 12 Crucial Windows Security Skills for 2017

What does CQURE do?

Consulting Services:
- Extensive IT Security Audits and Penetration Tests of all kinds
- Configuration Audit and Architecture Design
- Social Engineering Tests
- Advanced Troubleshooting and Debugging
- Emergency Response Services

R&D & Publications

Trainings & Seminars:
- Offline (mainly in New York or via our partners worldwide)
- Online (you will hear more about it at the end of this Webinar)

Page 3: 12 Crucial Windows Security Skills for 2017

MichaelKama

Dorothy

Olga

Michal

Paula Greg

Kamil

Ken

Chris

Page 4: 12 Crucial Windows Security Skills for 2017

To ensure the good quality of your experience:

1. If you have problems with viewing the Webinar, try refreshing the page first or try another browser.
2. If problems persist, please let us know in the comment section or on [email protected].
3. If there is a connection or software problem, please look into your email box or fb.com/cqure for instructions.
4. We will be taking questions at the end of the Webinar during the Q and A session, so write them down!

Page 5: 12 Crucial Windows Security Skills for 2017

What can you expect today?

1. The BIG REVEAL of 12 skills that our CQURE team has identified as crucial to keep your IT safe in 2017.
2. Live demonstrations!
3. Tips on how to learn this stuff on your own.
4. A hacking challenge with a cool prize :)
5. Live Q&A with me and the CQURE Team.
6. You will get files of all the tools we will be using here!

Page 6: 12 Crucial Windows Security Skills for 2017

What was your score in our Windows Security QUIZ? Share it in the comment section!

Page 7: 12 Crucial Windows Security Skills for 2017

According to the industry's statistics, by 2019 the market will need 6 million security professionals. But only 4 to 5 million of them will have the needed qualifications.

*Source: Financial Times

Page 8: 12 Crucial Windows Security Skills for 2017

12 Crucial Windows Security Skills for 2017


Page 9: 12 Crucial Windows Security Skills for 2017

#1 Skill: Machine Learning for Threat Protection

- An antivirus solution is not enough
- Signature and behavioral recognition is not enough either
- In most cases it is possible to run unknown code... and if not, then it is possible to run PowerShell

Modern solutions:
- Are capable of machine learning, but it takes time
- Are quite easy to implement, but require a lot of understanding of what they actually do

For example: what if we use a custom reflective PE loader to create and run custom code?

Page 10: 12 Crucial Windows Security Skills for 2017

#2A Skill: Incident Response Plan

Action list. In case of an emergency situation it:
- Allows you to act reasonably and according to the plan
- Increases the chances that evidence is gathered properly
- Allows you to define responsibilities for recovery
- Discussions provide management with an understanding of security

Jump Bag: preserving evidence
- Disk data: Disk2VHD, WinDD, FTK Imager
- Memory dumps: DumpIT, Mdd, Mandiant tools, LiME, OSXPMem
- Centralization of the event logs
- Pre-incident steps: use Sysmon for better knowledge about processes and network

Page 11: 12 Crucial Windows Security Skills for 2017

#2B Skill: Malware Analysis Sandbox

- Allows you to be familiar with the current trends
- Makes the security team more aware of how malicious software works
- Very useful in situations where malware is unrecognized by the antivirus software in use
- Usually it is a dedicated computer, packed with the analysis tools and disconnected from the network
- Allows you to implement appropriate security measures

Page 12: 12 Crucial Windows Security Skills for 2017

#3 Skill: Whitelisting

Code execution prevention:
- It is an absolute necessity taking into consideration the current security trends
- PowerShell is a new hacking tool
- Scripting languages are the biggest threat; ransomware can come in the form of a PowerShell script
- Just Enough Administration: PowerShell should be blocked for users and limited for the helpdesk to the necessary commands
- It is necessary to know what executes on your servers: Sysmon is perfect for this, as is AppLocker / Device Guard in audit mode
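The last bullet is easy to agree with and hard to act on without tooling. The script below is an added example, not part of the CQURE deck or its tool pack: it summarizes what AppLocker in audit mode would have blocked (AppLocker event IDs 8003/8004 for EXE and DLL, 8006/8007 for MSI and script, as Microsoft documents them) and which script hosts Sysmon saw being launched (Sysmon event ID 1). The log names and event IDs are Microsoft's; the function names and the regular expression of "interesting" script hosts are my own choices. It assumes AppLocker audit-mode rules are deployed, Sysmon is installed, and the shell is elevated.

```powershell
# Added example: turn "what executes on your servers" into a list rather than a guess.
# Requires AppLocker rules in audit mode, Sysmon installed, and an elevated shell.

function Get-AppLockerAuditSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # EXE and DLL log:   8003 = would have been blocked (audit), 8004 = blocked (enforced).
    # MSI and Script log: 8006 = would have been blocked (audit), 8007 = blocked (enforced).
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007; StartTime = $Since }
    )

    $filters |
        ForEach-Object { Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue } |
        ForEach-Object {
            # Structured fields live under UserData/RuleAndFileData in the event XML.
            $data    = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            $verdict = if ($_.Id -in 8003, 8006) { 'WouldBlock' } else { 'Blocked' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Verdict = $verdict
                User    = $data.TargetUser
                File    = $data.FilePath
                Hash    = $data.FileHash
            }
        } |
        Group-Object File |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'Verdicts'; Expression = { ($_.Group.Verdict | Sort-Object -Unique) -join ',' } },
            @{ Name = 'Users';    Expression = { ($_.Group.User    | Sort-Object -Unique) -join ',' } }
}

function Get-SysmonScriptHostSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Sysmon event 1 = process creation. Script hosts are where PowerShell-based
    # ransomware and "living off the land" activity show up first (my own choice of hosts).
    $scriptHosts = '\\(powershell|powershell_ise|wscript|cscript|mshta|cmd)\.exe$'

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data> elements; flatten it to a hashtable.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Image       = $fields['Image']
                Parent      = $fields['ParentImage']
                User        = $fields['User']
                CommandLine = $fields['CommandLine']
            }
        } |
        Where-Object { $_.Image -match $scriptHosts } |
        Group-Object Image, Parent, User |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-AppLockerAuditSummary   | Format-Table -AutoSize -Wrap
Get-SysmonScriptHostSummary | Format-Table -AutoSize -Wrap
```

Run it for a week on a server before switching AppLocker from audit to enforce: every "WouldBlock" row is either a rule you still need or a binary that should not be there, and the Sysmon table tells you which parent processes legitimately spawn script hosts on that box.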

Page 13: 12 Crucial Windows Security Skills for 2017

#4 Skill: Privileged Access Management

Administrative / power user access:
- A privileged user is someone who has administrative access to critical systems
- Privileged users sometimes have more access than we think (see: SeBackupRead privilege)
- Privileged users have the possibility to read the SYSTEM and SECURITY hives from the registry
- Domain Admins should log on only to the Domain Controllers

Access Monitoring / Effective Access:
- We need to know who has access, and to what
- Access should be role driven

Page 14: 12 Crucial Windows Security Skills for 2017

First CQURE Academy Challenge!

Please prepare the content of a file containing an SDDL string for a test.txt file. The provided string must include:

1. Allow full control for the Guest account
2. Deny full control for the Guest account
3. Allow full control for the System account
4. Allow full control for the Administrators group
5. Allow full control for the Users group

*Order matters. Permissions from parent folders cannot be inherited. The file you create will be used as a parameter after "icacls.exe . /restore".

WINNER gets a prize worth 2850 USD!
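The challenge is really a test of whether you can read and write SDDL by hand. The script below is an added example of how to build, validate and package such a string; it is not the deck's answer key and makes no claim about the winning entry. It uses the documented SDDL aliases (LG = local Guest account, SY = SYSTEM, BA = Builtin\Administrators, BU = Builtin\Users, FA = full access, D:P = protected DACL) and the two-line name/SDDL layout that icacls /save produces and icacls /restore reads. The output file name test.acl is my own choice.

```powershell
# Added example: construct an SDDL string for test.txt in the order the challenge asks for,
# verify that Windows parses it, and write it in icacls /restore format.

# D:P  = DACL is protected, i.e. nothing is inherited from the parent folder.
# ACEs are evaluated in the order written. Putting an Allow before a Deny for the
# same trustee is non-canonical (Windows normally sorts Deny first), but icacls
# accepts it and the Allow is then reached first during an access check.
$aces = @(
    '(A;;FA;;;LG)',   # 1. Allow full control for Guest
    '(D;;FA;;;LG)',   # 2. Deny full control for Guest
    '(A;;FA;;;SY)',   # 3. Allow full control for SYSTEM
    '(A;;FA;;;BA)',   # 4. Allow full control for Administrators
    '(A;;FA;;;BU)'    # 5. Allow full control for Users
)
$sddl = 'D:P' + ($aces -join '')
$sddl

# Validation 1: ConvertFrom-SddlString (PowerShell 5.1+) resolves the aliases against
# the local machine and throws on a malformed string.
$parsed = ConvertFrom-SddlString -Sddl $sddl
$parsed.DiscretionaryAcl          # readable ACE list, in the order stored

# Validation 2: round-trip through the .NET security descriptor and print the ACE order
# and the resolved SIDs (LG becomes the machine's S-1-5-21-...-501 Guest SID).
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$sd.DiscretionaryAcl | ForEach-Object { '{0,-14} {1}' -f $_.AceType, $_.SecurityIdentifier }
if ($sd.ControlFlags -notmatch 'DiscretionaryAclProtected') { throw 'DACL is not protected (missing P flag)' }

# icacls /restore expects, per object: a line with the name relative to the directory
# passed to /restore, then a line with the SDDL. The file must be UTF-16 (Unicode).
$lines = @('test.txt', $sddl)
Set-Content -Path .\test.acl -Value $lines -Encoding Unicode

# To apply, from the folder that contains test.txt:   icacls . /restore test.acl
# To confirm what landed on the file:                 (Get-Acl .\test.txt).Sddl
```

The two validations catch the two usual mistakes: a typo in an alias or ACE string (the parser throws), and forgetting the P flag (inheritance from the parent folder then silently re-enters the picture after the restore).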

Page 15: 12 Crucial Windows Security Skills for 2017

#5 Skill: Well done PKI Implementation

- Pretty much every time we do an audit we see an incorrectly implemented PKI
- Certificates are, or can be, used in most of the modern services
- Be aware of the newest security trends in the certificate services
- Smart card logon can be bypassed
- A private key that is not exportable is... exportable
- CQURE discovery: SID-protected PFX files can be accessed by unauthorized users

Page 16: 12 Crucial Windows Security Skills for 2017

What is the most popular attack right now?

Page 17: 12 Crucial Windows Security Skills for 2017

Pass The Hash Technique

(Diagram: Fred's laptop with Fred's user session [User: Fred, password hash: A3D7...] and a malware session [User: Administrator, password hash: E1977...]; Sue's laptop with Sue's user session [User: Sue, password hash: C9DF...] and a malware user session [User: Adm..., hash: E1977]; a File Server receiving [User: Sue, hash: C9DF].)

1. Fred runs malware; he is a local administrator
2. There is a Pass the Hash session established with another computer
3. Malware infects Sue's laptop as Fred
4. Malware infects the file server as Sue

Page 18: 12 Crucial Windows Security Skills for 2017

#6 Skill: Hardware-based Credentials Protection

Virtual Secure Mode (VSM):
- VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
- VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised
- Requires processor virtualization extensions (e.g. VT-x, VT-d)
- Implements Credential Guard, where the derived credentials that the VSM-protected LSA service gives to Windows are non-replayable
- VSM runs the Windows kernel and a series of Trustlets (processes) within it
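Knowing that Credential Guard exists is one thing; knowing whether it is actually running on a given box is what an audit needs. The following is an added example (not from the deck) that reads the Win32_DeviceGuard WMI class Microsoft documents for Windows 10 and Server 2016 and reports configured versus running state, with the LsaIso.exe process as an independent second indicator (the isolated LSA trustlet exists only when Credential Guard runs). The numeric codes in the comments are from Microsoft's documentation of that class; the function name is my own.

```powershell
# Added example: is VBS running, and is Credential Guard configured AND running?
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # RequiredSecurityProperties vs AvailableSecurityProperties (documented codes):
    # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection, 4 = Secure Memory Overwrite,
    # 5 = NX protections, 6 = SMM mitigations, 7 = MBEC/GMET.
    # Anything required by policy but not available is the hardware gap to fix.
    $missing = @(@($dg.RequiredSecurityProperties) | Where-Object { $_ -notin @($dg.AvailableSecurityProperties) })

    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardConfigured = [bool](@($dg.SecurityServicesConfigured) -contains 1)
        CredentialGuardRunning    = [bool](@($dg.SecurityServicesRunning)    -contains 1)
        HvciRunning               = [bool](@($dg.SecurityServicesRunning)    -contains 2)
        LsaIsoProcessPresent      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        MissingHardwareProperties = $missing
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# "Configured" without "Running" usually means a missing prerequisite (the VT-x / VT-d style
# extensions the deck mentions, SLAT, IOMMU, UEFI with Secure Boot) or a pending reboot.
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning ("Credential Guard is configured but not running; missing properties: " +
                   ($state.MissingHardwareProperties -join ', '))
}
```

Run this across the domain admin workstations and jump hosts first: those are the machines whose LSA secrets the pass-the-hash chain on the previous slide depends on.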

Page 19: 12 Crucial Windows Security Skills for 2017

#7 Skill: PowerShell Level Master

- PowerShell implements great automation (and is a hacking tool)
- Some solutions are managed by PowerShell only (Nano, IoT)
- Experience shows that administrators try to avoid it, especially those with great experience
- There are so many custom modules available: PowerForensics, AccessControl etc.
- You can create your own customized modules

Page 20: 12 Crucial Windows Security Skills for 2017

#8 Skill: Learn How to Talk Security to Managers

Sad facts: most of the companies we deal with did not have security policies in place that included security awareness education programs.

Management understands risk. IT also understands it. The two can be nicely combined when we use the appropriate language.

Photo: the New York Times Magazine

Page 21: 12 Crucial Windows Security Skills for 2017

#9 Skill: Event Tracing For Windows

- Windows 7, 8 and 10 are designed to be used securely
- Anything can be traced (if we know how to do it)
- Achieved Evaluation Assurance Level (EAL) 4+ certification that meets Federal Information Processing Standard (FIPS) 140-2
- Has C2 certification (Trusted Computer System Evaluation Criteria)
- Passed the Common Criteria Certification process
- Knowledge about ETW is the holy grail in troubleshooting and security
- Requires knowledge about Windows internals
- Tracing obviously has to be set up before the event

Page 22: 12 Crucial Windows Security Skills for 2017

Second CQURE Academy Challenge

I have the file at http://challenge.cqureacademy.com/test.txt. I would like to have the content (and only the content) of test.txt in a file in the current directory.

Task: Please provide a Base64 string downloading the file mentioned above. The Base64 string is meant to be provided as the value of the -EncodedCommand parameter in PowerShell and should be as short as possible.

*Shortest string wins. If we have more than one working string with the same length, the first wins. We test strings on Windows 10 version 1607.

WINNER gets a prize worth 2850 USD!

Page 23: 12 Crucial Windows Security Skills for 2017

#10 Skill: Log Centralization

- It's quite obvious that losing logs after an attack is not what we dream of
- Logs for critical systems should be stored outside the server

Log centralization:
- Can help us correlate different logs and events
- Helps to maintain the legal proof after an attack

Available solutions:
- Operating system built-in: subscriptions, scripts
- Other products: SCOM, Splunk, SolarWinds, WhatsUpGold, TripWire and others

Page 24: 12 Crucial Windows Security Skills for 2017

#11 Skill: Mastered Windows Server 2016

- It is NEW. We have to know it extremely well...
- Solves a lot of security related issues
- New and useful features like: DNS Policies, Just Enough Administration, Device Guard, Credential Guard, Hyper-V Containers and System Containers, Nano, Shielded Virtual Machines, Virtualization Based Security

Should I migrate?
- You should be familiar with migration paths and scenarios
- Some features require preparation
- You should be familiar with hardware requirements

Page 25: 12 Crucial Windows Security Skills for 2017

#12 Skill: Testing Yourself When You Can

- For detailed access control
- For internal network protection
- For reaction time purposes
- For better monitoring
- For a 3rd party opinion
- To discover dependencies between systems

Page 26: 12 Crucial Windows Security Skills for 2017

12 Crucial Windows Security Skills for 2017


Page 27: 12 Crucial Windows Security Skills for 2017

#1 Skill: Machine Learning for Threat Protection
(Implementation of the process execution prevention: AppLocker etc.)

#2A Skill: Incident Response Plan
#2B Skill: Malware Analysis Sandbox

#3 Skill: Whitelisting

#4 Skill: Privileged Access Management

#5 Skill: Working PKI Implementation

#6 Skill: Hardware-based Credentials Protection

Skills 1 - 6

Page 28: 12 Crucial Windows Security Skills for 2017

#7 Skill: PowerShell Level Master

#8 Skill: Learn How to Talk Security to Managers

#9 Skill: Event Tracing For Windows

#10 Skill: Log Centralization

#11 Skill: Mastered Windows Server 2016

#12 Skill: Testing Yourself When You Can

Skills 7 - 12

Page 29: 12 Crucial Windows Security Skills for 2017

Summary: Best Practices

Understanding is the key to security:
- Continuous vulnerability discovery
- Context-aware analysis
- Prioritization
- Remediation and tracking
- Configuration reviews

Put on the Hacker's Shoes: prevention is the key to success. How can we know what to prevent if we do not know what the threat is?

Page 30: 12 Crucial Windows Security Skills for 2017

Additional Resources

Websites: Microsoft Virtual Academy, Ars Technica, The Register, The Hacker News, Dark Reading, Krebs on Security, Computer World, Threat Post, Beta News, Tech News World, Tech Crunch, ZDNet, Security Affairs, Computer Weekly, Network World, SC Magazine, Wired, Schneier on Security, Elie Bursztein

Books: 'Windows Internals', 'Inside Windows Debugging', 'Advanced Debugging for Windows', 'Practical Malware Analysis', 'Malware Analyst's Cookbook'

Page 31: 12 Crucial Windows Security Skills for 2017
Page 33: 12 Crucial Windows Security Skills for 2017

Key facts about the Advanced Windows Security Course For 2017:

1. ONCE A YEAR ONLY (each year it will be adjusted to meet the upcoming trends).

2. 12 Live Online Sessions with Paula and other experts from CQURE Academy (mostly Tuesday and Thursday, 7PM CEST / 1PM EST / 10AM PST).

3. Video recordings of sessions, slides, scripts & tools included.

4. Closed students group on Facebook (where you can exchange ideas and network).

5. Free access to CQURE Lab (where you will practice and do homework).

Page 34: 12 Crucial Windows Security Skills for 2017

The course finishes with an exam. If you pass (you get at least 70% of the answers correct) you will get our CQURE Academy CERTIFICATE:

Windows Security Master 2017

Page 36: 12 Crucial Windows Security Skills for 2017

Tuition: $2,850 $1,900 ~ if you apply before the end of Monday, October 31 ~

Page 37: 12 Crucial Windows Security Skills for 2017

About the application process:

1. This is for professionals who've passed the intermediate level. We'll skip the fluff and go straight to the advanced stuff.
2. Admission is selective - to attend you need to APPLY.
3. We prioritize your skills and professional achievements, but also your attitude and how you can contribute to the group.
4. We'll be taking on board 200 students only (we did a soft launch at Microsoft Ignite and only 100 are still available).
5. If you apply before Monday midnight, you will secure a lower tuition fee of $1,900 (instead of $2,850).

Page 39: 12 Crucial Windows Security Skills for 2017

The Prize For Hackers Who Won Today’s Challenge:

A free seat at “Advanced Windows Security Course For 2017” (worth $2,850!)

Page 40: 12 Crucial Windows Security Skills for 2017

Q and A Time!

Page 41: 12 Crucial Windows Security Skills for 2017

Thank You!

If you have questions, email us at [email protected]

You can also chat us up on the page https://cqureacademy.com/advanced2017