Webinar Fondazione CRUI - Microsoft: Cyber Security in Universities

Fighting Malware & Reducing Risk Andrea Piazza National Security Officer – Microsoft Italy

Upload: juergen-ambrosi

Post on 08-Feb-2017


TRANSCRIPT

Page 1

Fighting Malware & Reducing Risk
Andrea Piazza
National Security Officer – Microsoft Italy

Page 2

Threat trends

Page 3

Commodity Malware
• Very prevalent
• Made for the public
• Cheap
• Designed for short-term gain
Examples: Conficker, Cryptolocker

Targeted Attacks (Advanced Persistent Threat, APT)
• Unique, low volume
• Tailored & custom made
• Expensive
• Designed for long-term gain
Examples: Stuxnet, APT28

Page 4

Ransomware: Evolution and Enterprise Mitigations

Page 5

Ransomware by country or region

Page 6

Modern Multi-Stage Ransomware Attacks

Stages: Plan → Enter → Traverse → Encrypt, with a Command and Control channel used throughout.
Impact grows from individual device/user impact to enterprise impact as the attack traverses the environment.

Page 7

A Pragmatic Three Part Strategy

1. Block attacks at the front line
• Raise attacker costs to compromise entry points
• Internet facing servers
• Workstations and Users

2. Defenses to contain attackers
• Assume front line defenses will fail
• Raise attacker cost to traverse environment and encrypt data
• Rapid response to detect threats and disrupt attack(s)

3. Data backup in case of emergency
• Assume all defenses will fail
• Restore data from backups that are inaccessible to attackers

Page 8

Immediate Front Line Defenses

Internet Server Defenses
1. Apply Security Updates (Upgrade OS and App as needed)
2. Operational Hygiene (restrict exposure of privileged access from endpoints)
3. Configuration Hygiene (Change default passwords, apply security configurations)

Workstation and User Defenses
4. Application Reputation
5. Mail Content Protections
6. Apply Security Updates (Basic)
7. Exploit Mitigations
8. User Education

Page 9

Defenses to contain attackers

1. Remove Excessive Access to Shared Files
• Remove file share & SharePoint permissions for large groups (Everyone, Authenticated Users, Domain Users, etc.) to overwrite data

2. Securing Privileged Access (SPA) Roadmap (http://aka.ms/sparoadmap)
• Immediately implement Stage 1 (separate admin accounts and workstations, random local admin passwords)
• Begin planning Stages 2 and 3

3. Security Operations: Fast Detect and Cleanup
• Leverage cloud enabled anti-malware capabilities for real-time analysis/response (e.g. Windows Defender with Microsoft Active Protection Service (MAPS) enabled and Defender ATP)
• Ensure availability of experienced analysts & responders

[Slide graphics: an example ACL granting Everyone Full Control / Modify; Active Directory and Azure Active Directory; Detect, Respond, Recover]
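To turn item 1 into something you can run, here is an added PowerShell audit (not from the webinar) that lists ACEs on share folders giving the broad groups named above the ability to change data, plus a removal helper that only acts with your confirmation. The share paths are placeholders.

```powershell
# Added example (not from the webinar): find share folders where broad groups can
# overwrite data, per the "Remove Excessive Access to Shared Files" step.
# $ShareRoots are placeholder paths; adjust for your environment.
$ShareRoots  = @('\\fileserver01\Projects', '\\fileserver01\Public')
# Broad principals the slide names (matched on the name part after DOMAIN\)
$BroadGroups = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

# Any ACE carrying one of these bits lets the holder overwrite or delete data;
# Modify and FullControl both include them.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Find-ExcessiveShareAccess {
    param([string[]]$Paths, [string[]]$Groups, [int]$Depth = 1)
    foreach ($root in $Paths) {
        # Audit the share root and its first folder level (raise -Depth to go deeper)
        $targets = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($item in $targets) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $name = ($ace.IdentityReference.Value -split '\\')[-1]
                if ($Groups -notcontains $name) { continue }
                # Generic rights (e.g. GENERIC_ALL) show up as negative ints; report those too
                $rights = [int]$ace.FileSystemRights
                if ($rights -ge 0 -and ($rights -band [int]$WriteLikeRights) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Report first; remove only after the data owners confirm. -WhatIf previews changes.
function Remove-ExcessiveShareAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Finding)
    process {
        if ($Finding.Inherited) { return }   # inherited ACEs must be fixed at their source folder
        $acl   = Get-Acl -LiteralPath $Finding.Path
        $rules = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Finding.Principal -and -not $_.IsInherited
        })
        foreach ($r in $rules) { [void]$acl.RemoveAccessRule($r) }
        if ($PSCmdlet.ShouldProcess($Finding.Path, "remove $($Finding.Principal) write access")) {
            Set-Acl -LiteralPath $Finding.Path -AclObject $acl
        }
    }
}

Find-ExcessiveShareAccess -Paths $ShareRoots -Groups $BroadGroups | Format-Table -AutoSize
# Find-ExcessiveShareAccess -Paths $ShareRoots -Groups $BroadGroups | Remove-ExcessiveShareAccess -WhatIf
```

Removing a broad write ACE from a share root does not grant anyone else access, so pair it with an explicit group for the people who actually need to edit the data.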

Page 10

Key Resources
• Ransomware: Understanding the Risk http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/
• How to Deal with Ransomware https://blogs.technet.microsoft.com/office365security/how-to-deal-with-ransomware/

Page 11

RECON: Fingerprint; Observation; OSINT
WEAPONIZE: Lure; zero-day / EK; Social engineering
DELIVERY: Waterhole; Spear-phish; MITM
EXPLOIT: Installation; Dropper; Downloader
INSTALL: Installation; EOP/Gain privilege; Persistence
C&C: Exploration; Info gathering; Lateral Movements
ACTIONS: Exfiltration; Destruction; Compromise

APT: Delivery methods (Strontium)
• Spear-phishing attachments (lures) → Office CVEs
• Spear-phishing drive-by URLs → IE/Flash/Java CVEs
• Social-engineered code-exec → Firefox XPI
• Social-engineer drive-by login → OWA, Yahoo, Gmail

Page 12

Targeted Attacks Typical Timeline & Observations

Timeline: Research & Preparation → First Host Compromised → (24-48 Hours) → Domain Admin Compromised → Data Exfiltration (Attacker Undetected, 11-14 months) → Attack Discovered

Attack Sophistication
• Attack operators exploit any weakness
• Target information on any device or service

Attacks not detected
• Current detection tools miss most attacks
• You may be under attack (or compromised)

Target AD & Identities
• Active Directory controls access to business assets
• Attackers commonly target AD and IT Admins

Response and Recovery
• Response requires advanced expertise and tools
• Expensive and challenging to successfully recover

Page 13

Privilege Escalation with Credential Theft (Typical)

1. Get in with Phishing Attack (or other)
2. Steal Credentials
3. Compromise more hosts & credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute Attacker Mission (steal data, destroy systems, etc.)

Typical elapsed time: 24-48 Hours

Page 14

Attack Scenario: Initial Compromise

An attacker obtains local administrative rights to a computer by enticing a victim into executing a malicious application, exploiting a known or unpatched vulnerability, or through some other means.

Countermeasures:
• Patching (MS & 3rd party)
• Least Privilege
• User Education
• Email protection
• Threat Detection
• App Whitelisting

[Slide diagram: attack path toward the Domain Controller]

Page 15

Attack Scenario: Lateral Movement

Attacker exploits shared secrets (e.g. password hashes, etc.) on a computer to access similar hosts at the same trust level.

Countermeasures:
• Randomize Local Admin password
• Host firewall across clients
• Deny logon via network
• Credential Guard

[Slide diagram: attack path toward the Domain Controller]

Page 16

Attack Scenario: Privilege Escalation

Attacker is able to capture privileged account credentials used to administer higher level resources (servers illustrated).

Countermeasures:
• Do not expose privileged credentials
• Credential partitioning
• Services and Application Hardening

[Slide diagram: attack path toward the Domain Controller]

Page 17

Attack Scenario: Complete Compromise

If a domain administrator account is captured along the way, the infrastructure is completely compromised.

Countermeasures:
• Detection through monitoring and alerting is key.

[Slide diagram: Domain Controller compromised]

Page 18

Strategies for attack detection and prevention

Page 19

Key Guidance Resources
• Credential Theft Portal www.microsoft.com/PTH
• Credential Theft Whitepapers and Resources
• Determined Adversaries and Targeted Attacks http://www.microsoft.com/en-us/download/details.aspx?id=34793
• Security Intelligence Report (SIR) http://www.microsoft.com/SIR

Page 20

Key Preventive Controls

1. Admin Workstations & Logon Restrictions
• Domain Admins
• Server, Application, and Cloud Infrastructure Admins
• Workstation Admins

2. Random Local Account Passwords
• Workstations
• Servers
• Specialized Devices (Cash Registers, ATMs, etc.)

3. RDP /RestrictedAdmin Mode
• Server and Application Admins
• Workstation and Specialized Device Admins

Do these NOW!
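As an added example (not from the webinar), the PowerShell below checks one host against the three controls listed here, plus the "Deny logon via network" countermeasure from the lateral-movement slide: LAPS policy present, RDP RestrictedAdmin accepted, and local accounts denied network logon. It reads documented registry values and the exported user-rights assignment; run it elevated.

```powershell
# Added example (not from the webinar): audit a Windows host for the "Do these NOW!"
# controls. Registry keys and SIDs below are documented Windows/LAPS settings.

function Test-LapsPolicy {
    # Legacy LAPS stores its Group Policy settings here; AdmPwdEnabled = 1 means the
    # local Administrator password is randomized and managed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $v = Get-ItemProperty -Path $key -Name AdmPwdEnabled -ErrorAction SilentlyContinue
    [bool]($v -and $v.AdmPwdEnabled -eq 1)
}

function Test-RestrictedAdminMode {
    # DisableRestrictedAdmin = 0 lets the host accept mstsc /RestrictedAdmin sessions,
    # so the admin's credentials never reach the remote host (assumed: absent = refused).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = Get-ItemProperty -Path $key -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    [bool]($v -and $v.DisableRestrictedAdmin -eq 0)
}

function Get-DenyNetworkLogon {
    # Export the effective user-rights assignment and read SeDenyNetworkLogonRight.
    $inf = Join-Path $env:TEMP 'rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.*)$'
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries are SIDs prefixed with '*' or plain account names, comma separated
    ($line.Matches[0].Groups[1].Value -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-LocalAccountsDeniedNetworkLogon {
    # S-1-5-113 = "Local account", S-1-5-114 = "Local account and member of Administrators":
    # denying these stops a stolen local admin hash from being reused on other hosts.
    $deny = Get-DenyNetworkLogon
    [bool]($deny -contains 'S-1-5-113' -or $deny -contains 'S-1-5-114')
}

$report = [ordered]@{
    Host                              = $env:COMPUTERNAME
    'LAPS managing local admin pwd'   = Test-LapsPolicy
    'RDP RestrictedAdmin accepted'    = Test-RestrictedAdminMode
    'Local accounts denied net logon' = Test-LocalAccountsDeniedNetworkLogon
}
[pscustomobject]$report | Format-List
```

A "False" on the last row is the common gap on workstations; it is the "Deny logon via network" setting in the user-rights assignment Group Policy.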

Page 21

Tier 0 Administration Security
Domain/Enterprise Admins and Equivalent

Good/Minimum
• Separate Admin Desktops, and associated IT Admin process changes
• Separate Admin Accounts
• Remove accounts from Tier 0: Service Accounts; Personnel - Only DC Maintenance, Delegation, and Forest Maintenance

Better / Best (listed together on the slide)
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive redesign of IT Process and Privilege Delegation
• Administrative Forest (for AD admin roles in current releases)
• Credential Guard
• Microsoft Passport and Windows Hello

Page 22

Tier 1 Administration Security
Human admins of Servers, Cloud Services, Virtualization, Management Tools, etc. (that aren't Tier 0)

Good/Minimum
• Separate Admin Accounts
• Separate Admin Desktops
• Associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or alternate from PTHv1

Better / Best (listed together on the slide)
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
• Credential Guard
• Microsoft Passport and Windows Hello

Page 23

Tier 2 Administration Security
Human admins of User Workstations, User Devices, Printers, etc. (Typically helpdesk and PC support)

Good/Minimum
• Separate Admin Accounts
• Separate Admin Desktops
• Associated IT Admin process changes
• Enforce use of RDP RestrictedAdmin Mode
• Local Administrator Password Solution (LAPS), or alternate from PTHv1

Better / Best (listed together on the slide)
• Detection - Advanced Threat Analytics
• Multi-factor Authentication (Smartcards, One Time Passwords, etc.)
• Just in Time (JIT) Privileges - Privileged Access Management
• Extensive overhaul of IT Process and Privilege Delegation
• Credential Guard
• Microsoft Passport and Windows Hello

Page 24

Securing Privileged Access (SPA) Roadmap
Top Defenses for Targeted Attacks
• Comprehensive Strategy
• Prioritized 3 Phase Plan
• Detailed technical instructions

http://aka.ms/SPAroadmap

Based on real world experience deploying Microsoft cybersecurity services solutions

Page 25

Protecting Active Directory and Admin privileges: 2-4 weeks
First response to the most frequently used attack techniques

1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS

Page 26

Protecting Active Directory and Admin privileges: 1-3 months
Build visibility and control of administrator activity, increase protection against typical follow-up attacks

1. Privileged Access Workstations (PAWs) Phases 2 and 3 – All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/JEA
3. Lower attack surface of Domain and DCs http://aka.ms/HardenAD
4. Domain Controller Security Updates: target full deployment within 7 days
5. Attack Detection http://aka.ms/ata
6. Time-bound privileges (no permanent admins) http://aka.ms/PAM, http://aka.ms/AzurePIM
7. Multi-factor for elevation

Page 27

Protecting Active Directory and Admin privileges: 6+ months
Move to proactive security posture

1. Modernize Roles and Delegation Model https://www.microsoft.com/security
2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport
3. Admin Forest for Active Directory administrators http://aka.ms/ESAE
4. Apply Baseline Security Policies to DCs
5. Code Integrity Policy for DCs (Server 2016)
6. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms

Page 28

The operating system as the first line of defense

Page 29

From hardening the operating system to defending against emerging threats across the on-premises datacenter and the cloud.

Timeline years shown on the slide: 2004, 2007, 2009, 2012, 2013, 2016

Key Threats by era
• Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks
• Zotob (2005); attacks «moving up the stack» (Summer of Office 0-day); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing; user running as Admin
• Organized crime; botnets; identity theft; Conficker (2008); time from patch to exploit: days
• Organized crime, potential state actors; sophisticated targeted attacks; Operation Aurora (2009); Stuxnet (2010); hacktivism (Anonymous)
• Organized crime, potential state actors; sophisticated targeted attacks; Aurora (2009) and Stuxnet (2010); password and digital identity theft and misuse; signature-based AV unable to keep up; digital signature tampering; browser plug-in exploits; data loss on BYOD devices
• Nation states actively attacking private institutions; CryptoLocker (2013) and APTs at scale; adding disruption and terror to the playbook; rampant password theft and abuse; Pass the Hash becomes part of the default playbook; AV unable to keep up

Windows Server 2003: Secure by design, secure by default
Key features: Credential manager; Operation-based auditing; Data encryption; Services turned off by default

Windows Server 2008: Harden the platform
Key features: Windows Firewall; User Account Control (UAC); Server Core installation option

Windows Server 2012: Protect information, protect the environment
Key features: Credentials protections; BitLocker enhancements; Virtual Smart Card; AppLocker enhanced; File classification and encryption; Dynamic Access Control (DAC)

Windows Server 2016: Assume breach, secure the guest
Key features: Just in Time and Just Enough Administration; Shielded Virtual Machines with Host Guardian Server; Virtualization Based Code Integrity; Credential Guard

Page 30

Timeline years shown on the slide: 2001, 2004, 2007, 2009, 2012, 2015

Key Threats by era
• Melissa (1999), Love Letter (2000); mainly leveraging social engineering
• Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks
• Zotob (2005); attacks «moving up the stack» (Summer of Office 0-day); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing; user running as Admin
• Organized crime; botnets; identity theft; Conficker (2008); time from patch to exploit: days
• Organized crime, potential state actors; sophisticated targeted attacks; Aurora (2009) and Stuxnet (2010); password and digital identity theft and misuse; signature-based AV unable to keep up; digital signature tampering; browser plug-in exploits; data loss on BYOD devices
• Nation states actively attacking private institutions; CryptoLocker (2013) and APTs at scale; adding disruption and terror to the playbook; rampant password theft and abuse; Pass the Hash becomes part of the default playbook; AV unable to keep up

Windows XP
• Logon (Ctrl+Alt+Del); Access Control; User Profiles; Security Policy; Encrypting File System (File Based); Smartcard and PKI Support; Windows Update

Windows XP SP2
• Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Security Development Lifecycle (SDL); Auto Update on by Default; Firewall on by Default; Windows Security Center; WPA Support

Windows Vista
• Bitlocker; Improved ASLR and DEP; Full SDL; User Account Control; Internet Explorer Smart Screen Filter; Digital Right Management; Firewall improvements; Signed Device Driver Requirements; TPM Support; Windows Integrity Levels; Secure "by default" configuration (Windows features and IE)

Windows 7
• Improved ASLR and DEP; Full SDL; Improved IPSec stack; Managed Service Accounts; Improved User Account Control; Enhanced Auditing; Internet Explorer Smart Screen Filter; AppLocker; BitLocker to Go; Windows Biometric Service; Windows Action Center; Windows Defender

Windows 8
• Firmware Based TPM; UEFI (Secure Boot); Trusted Boot (w/ELAM); Measured Boot; Significant Improvements to ASLR and DEP; AppContainer; Internet Explorer 10 (Plugin-less and Enhanced Protected Modes); Application Reputation moved into Core OS; Device Encryption (All SKU); BitLocker improvements and MBAM; Virtual Smartcards; Dynamic Access Control; Built-in AV (Windows Defender); Improved Biometrics; TPM Key Protection and Attestation; Certificate Reputation; Provable PC Health; Remote Business Data Removal

Windows 10
• Virtual Secure Mode; Virtual TPM; Control Flow Guard; Microsoft Passport; Windows Hello; Biometric Framework Improvements (Iris, Facial); Broad OEM support for Biometric enabled devices; Enterprise Data Protection; Device Encryption supported on broader range of devices; DMA Attack Mitigations; Device Guard; URL Reputation Improvements; App Reputation Improvements; Windows Defender Improvements; Provable PC Health Improvements

Page 31

AppLocker
• An application control solution that prevents unwanted and/or unknown applications from running
• Configurable in block or audit mode
• Whitelist or blacklist approach
• AppLocker provides security protection as well as operational and compliance benefits
• AppLocker can enforce application standardization
• AppLocker can be one component of an organization's overall security strategy

Page 32

BitLocker
Windows BitLocker is a feature available in the Windows Client and Server operating systems that encrypts all data stored on the Windows operating system volume and on configured data volumes. Through the TPM (Trusted Platform Module), it also guarantees the integrity of the boot components.
• Supports a startup PIN
• Allows centralized management of configurations and recovery of unlock keys (through the MBAM tool, part of the Microsoft Desktop Optimization Pack suite)

Page 33

Key New Technologies
• Device Guard
• Credential Guard: Move LSASS secrets into Virtual Secure Mode (VSM) OS Instance
• Microsoft Passport: New Authentication Protocol based on Hardware Bound Keys
• Windows Hello: Easy to Use Biometrics to unlock credential access
• Privileged Access Management: Just in Time (JIT) privileges
• Advanced Threat Analytics: Detect attacks through anomalous authentication patterns
• Local Administrator Password Solution

Page 34

BIOS vs UEFI

UEFI (Unified Extensible Firmware Interface) is a standard firmware interface for PCs designed to replace the BIOS (Basic Input/Output System).
- Created by more than 140 technology companies within the UEFI consortium, of which Microsoft is a member, to improve software interoperability and resolve the limitations of the BIOS.

Advantages of UEFI firmware include:
- Improved security, thanks to protection of the pre-boot process against bootkit attacks.
- Faster boot times and faster resume from hibernation.
- Support for drives larger than 2.2 terabytes (TB).
- Support for 64-bit firmware device drivers, which the system can use to address more than 17.2 billion gigabytes (GB) of memory during startup.

Page 35

Secure Boot (UEFI)
• UEFI-based security levels
• UEFI verifies the boot loader
• Can be configured to load only verified files

Page 36

Security innovations in Windows 10
• Windows Hello (easier device sign-in through biometrics)
• Microsoft Passport (two-factor authentication sign-in)
• Credential Guard* (protection against Pass the Hash attacks)
• Device Guard** (device lock down, only certified apps run)
• Enterprise Data Protection (separation between personal and corporate data)

* Requires Enterprise Edition x64, UEFI 2.3.1 or higher, Virtualization Extensions, VT-d or AMD-Vi IOMMU, TPM (2.0 Recommended), Secure firmware update process
** Requires Enterprise Edition, UEFI 2.3.1 or higher, Trusted Boot, Virtualization-based Security

Page 37

Microsoft Passport – Phone sign-in

Page 38

Microsoft Passport

[Slide diagram of the sign-in flow]
IDP (identity provider): Active Directory, Azure AD, Google, Facebook, Microsoft Account
1. User proves identity to the IDP
2. User on Windows 10: "Trust my unique key"
3. IDP: "Here is your authorization token"
4. Intranet Resource: "I trust tokens from IDP"; Internet Resource: "So do I"

Page 39

Credential Guard

[Slide diagram: layered architecture]
Hardware → Hypervisor (with Hypervisor Code Integrity) → two isolated environments:
• Windows Kernel, Apps, Windows Platform Services
• Virtual Secure Mode (VSM) Kernel, hosting the Local Security Auth Service and a Virtual TPM

Page 40

Device Guard Workflow

[Slide diagram: boot and execution chain, with the control shown beside each stage]
ROM/Fuses → Bootloaders → Native UEFI (UEFI Secure Boot, Platform Secure Boot) → Windows OS Loader → Windows Kernel and Drivers, ELAM (KMCI, VBS - HVCI) → 3rd Party Drivers → User Mode Code (Apps) (UMCI, AppLocker)

Definitions:
UEFI = Unified Extensible Firmware Interface
ELAM = Early Launch Anti-Malware
VBS = Virtualization based Security
HVCI = Hypervisor based Code Integrity
KMCI = Kernel-mode Code Integrity
UMCI = User-mode Code Integrity
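The KMCI/UMCI stages above are driven by a code integrity policy. As an added example (not from the webinar), the PowerShell below builds such a policy from a reference machine with the ConfigCI module, stages it in audit mode first (as the AppLocker slide also recommends), and shows how to read the audit events before enforcing; the C:\CIPolicy paths are placeholders.

```powershell
# Added example (not from the webinar): stage a Device Guard code integrity policy
# in audit mode on a reference build (e.g. a DC, per roadmap item "Code Integrity
# Policy for DCs"), then move to enforcement after review. Paths are placeholders.
$PolicyXml = 'C:\CIPolicy\DCPolicy.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference system. Publisher rules keep the policy small; unsigned
#    files fall back to hash rules. -UserPEs covers user-mode code (UMCI), not
#    only kernel drivers (KMCI).
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -ScanPath 'C:\' -UserPEs

# 2. Rule option 3 = "Enabled:Audit Mode": violations are logged, nothing is blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert to the binary form the kernel loads and stage it; takes effect at reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# 4. During the audit period, list what would have been blocked (event ID 3076 in
#    the CodeIntegrity operational log) so legitimate binaries can be added.
function Get-CIAuditFindings {
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-CIAuditFindings | Format-Table -AutoSize -Wrap

# 5. Once the audit log is clean: fold audited-but-legitimate files into the policy
#    (New-CIPolicy -Audit builds rules from those events), remove option 3, rebuild.
#    New-CIPolicy -Audit -Level Hash -FilePath 'C:\CIPolicy\AuditAdditions.xml'
#    Merge-CIPolicy -PolicyPaths $PolicyXml, 'C:\CIPolicy\AuditAdditions.xml' -OutputFilePath $PolicyXml
#    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Keep the policy unsigned while iterating; a signed policy cannot be removed without an update signed by the same key, which is the point once you enforce it on a DC.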

Page 41

Credential/Device Guard Requirements

[Slide table: each requirement below is marked under Credential Guard and/or Device Guard; the per-column marks were not preserved in this extraction]
• Windows 10 Enterprise Edition
• UEFI firmware version 2.3.1 or higher and Secure Boot
• Virtualization extensions
• Firmware lock
• x64 architecture
• A VT-d or AMD-Vi IOMMU
• Secure firmware update process
• The firmware is updated for Secure MOR
• TPM 1.2 or 2.0
• Physical PC
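To check a machine against this list without opening the firmware setup, here is an added PowerShell readiness report (not from the webinar) built on the Win32_DeviceGuard WMI class that Windows 10 exposes; the property codes follow Microsoft's documentation, and the "physical PC" row is a model-name heuristic, labelled as such.

```powershell
# Added example (not from the webinar): report Credential Guard / Device Guard
# prerequisites and current state for this PC. Run elevated (Win32_Tpm needs it).
function Get-VbsReadiness {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue

    # AvailableSecurityProperties codes: 1 = hypervisor support (virtualization
    # extensions), 2 = Secure Boot, 3 = DMA protection (IOMMU), 4 = Secure Memory
    # Overwrite (Secure MOR). These map onto the requirement rows of the slide.
    $avail   = @($dg.AvailableSecurityProperties)
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
    $running = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        'Windows 10 Enterprise'          = [bool]($os.Caption -match 'Enterprise')
        'x64 architecture'               = $os.OSArchitecture -eq '64-bit'
        'Secure Boot on (UEFI)'          = $avail -contains 2
        'Virtualization extensions'      = $avail -contains 1
        'VT-d / AMD-Vi IOMMU'            = $avail -contains 3
        'Firmware supports Secure MOR'   = $avail -contains 4
        'TPM spec version'               = if ($tpm) { $tpm.SpecVersion } else { 'none detected' }
        'Physical PC (heuristic)'        = $cs.Model -notmatch 'Virtual|VMware|KVM|VirtualBox'
        'VBS status (0 off/1 on/2 run)'  = $dg.VirtualizationBasedSecurityStatus
        'Credential Guard policy flags'  = if ($lsa) { $lsa.LsaCfgFlags } else { 'not configured' }  # 1 = on with UEFI lock, 2 = on without lock
        'Credential Guard running'       = $running -contains 1
        'HVCI running'                   = $running -contains 2
    }
}

Get-VbsReadiness | Format-List
```

A machine can satisfy every prerequisite row and still show "Credential Guard running: False"; the feature must also be enabled through policy (LsaCfgFlags) and the device rebooted.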

Page 42

Enterprise Data Protection
Protects data both on the device and outside it. Policies can be configured to block data leakage.
• Integrated into Windows
• Separates personal data from corporate data
• Prevents unauthorized applications from accessing sensitive data
• Remote wipe of corporate data

Page 43

Conclusions
• The threat trend shows a continuous increase in the sophistication and frequency of attacks
• Microsoft recommends that all organizations adopt the Securing Privileged Access roadmap
• The operating system, with its security features, is an effective barrier against modern attacks, as part of a multi-layered security strategy