naked and vulnerable - concurrency...naked and vulnerable a cybersecurity starter kit...
TRANSCRIPT
![Page 1: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/1.jpg)
Naked and Vulnerable
A Cybersecurity Starter Kit
![Page 2: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/2.jpg)
@MrShannonFritz
Who is this Guy?
• I’m Shannon Fritz
• I’m a Microsoft Enterprise Security MVP
• I’m on twitter @MrShannonFritz
• I’m a Solutions Architect at Concurrency
• We transform businesses
![Page 3: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/3.jpg)
Modern Applications
Modern IT Management
Identity, Management
Identity, Application, InformationCommunications
Customer Engagement
Identity, Application, InformationCommunications
Cloud Data CenterNetwork, Identity
Analytics & Data
Identity, Application, InformationCommunication
Digital
Transformation
RealizedM
ob
ilit
y Secu
rityM
ob
ilitySecu
rity
![Page 4: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/4.jpg)
@MrShannonFritz
A Cybersecurity Starter Kit
• Why you’re hereoYou know you are at risk, but it’s ambiguous
oYou want improve security
oYou uncertain where best to start
• What you’ll getoSome examples to make a case for improving security
oFour specific areas to start making improvements now
![Page 5: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/5.jpg)
@MrShannonFritz
Larg
est
Data
Bre
ach
es Source:
Informationisbeautiful.net
Hack
s re
sultin
g i
n lo
ss o
f m
ore
than 3
0,0
00 r
eco
rds
![Page 6: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/6.jpg)
@MrShannonFritz
![Page 7: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/7.jpg)
@MrShannonFritz
Starting Out
• First, ADMIT that theorganization CAN do better
•Second, KNOW thatyou can ALWAYS do better
•Then, make a PLAN
![Page 8: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/8.jpg)
@MrShannonFritz
Get Specific
• Identify specific things to addressoWhat risk are you concerned with?
oWhy is it bad?
•Select the low hanging fruit
•Make it measurable
![Page 9: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/9.jpg)
@MrShannonFritz
Get Specific - Threats
•Possible Risk ConsiderationsoDDoS / BotNet
oSocial Engineering
oRansomware
oCredential Theft
TIP: Do NOT start with ‘insider’ threats
![Page 10: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/10.jpg)
@MrShannonFritz
Get Specific - Assessments
•Possible Starting PointsoNetwork Segmentation
oBad Configurations
oAPIs and Protocols
oSoftware Versions / Patching
oExcessive Privileges
oCredential Management
![Page 11: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/11.jpg)
@MrShannonFritz
Get Specific - Assessment
ID System Owner Bu
sin
ess
Pro
cess
Hard
ware
Pro
du
ct
So
ftw
are
Pro
du
ct
Co
nfig
ura
tio
n
Threat Vulnerability Controls Imp
act
(Lo
w-M
ed
-Hig
h)
Co
mp
lexi
ty
(Lo
w-M
ed
-Hig
h)
Ris
k
(Lo
w-M
ed
-Hg
ih)
Pri
ori
ty
00001Workstations and
ServersDenise Smith X Privilege Escalation Local Administrators LAPS High Low High 1
00002 Active Directory Qiong Wu X Unauthorized Use Privileged Accounts MIM PAM Med Med Low 4
00003Workstations and
ServersNaoki Sato X Code Execution Patching SCCM X Med Med 3
00004 Business Culture Daniel Roth X Social Engineering Phishing KnowBe4 High Low High 2
00005 WiFi Andrea Dunker X Unauthorized Use Pre-shared Key 802.1X Low High Med 5
00006Workstations and
ServersEric Gruber X Business Data Loss Malicious Software Device Guard High High Med 6
Discover Assess
![Page 12: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/12.jpg)
@MrShannonFritz
Prove It
• If you need to, Prove the risk!
•Exploit the vulnerability
•Record your process
TIP: DO NO HARM
Do not use your own access or Personal Relationships
CYA – Get permission, or Hire a Penetration Tester
![Page 13: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/13.jpg)
@MrShannonFritz
Why Prove It?
•Risks of ProofoSomeone can get angry (or Die?)
oYou can get in trouble (Fired / Legal)
•Benefits of ProofoGets peoples attention
oGets business buy-in
oMakes Security Real / Real Cool
![Page 14: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/14.jpg)
@MrShannonFritz
Analyze it
•What did you get?
•How did you get it?
•What went wrong so you could get it?
•Who is responsible for what went wrong?
![Page 15: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/15.jpg)
@MrShannonFritz
Remediate it
• Team up with the responsiblepeople and collaborate
•Define ‘Remediation Objectives’
• Create official projects with funding,assigned resources and deadlines.
• Test Again!
![Page 16: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/16.jpg)
@MrShannonFritz
Repeat it
•Define the concern
•Prove it is a Risk
•Analyze the Proof
•Remediate and Test it
![Page 17: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/17.jpg)
Four Attacks to Mitigate FirstSource: Praetorian
![Page 18: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/18.jpg)
@MrShannonFritz
The Study
•100 red team penetration tests
•75 different companies
•12 month study (to June 2016)
•450 real-world exploits
•Most attack vectors are OLD exploits, not 0-days
•Top attacks are largely based on Credential Theft
![Page 19: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/19.jpg)
@MrShannonFritz
Attack Stages
•Get creds ofan individual
•Get on thenetwork
•Elevate Access
•Seize the Target
![Page 20: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/20.jpg)
@MrShannonFritz
Attack 1: Weak Domain User Passwords
• Key ProblemsoAD cannot prevent “bad” passwords, only set length and char set
oMany users have Admin rights to their machine
• RecommendationsoUse a passphrase not password; ie: Increase length to 15
oAllow users to keep passwords for a longer time; ie: 180 days)
o Implement an password enforcement solution; ie: blacklist “Password1”
o Implement MFA for Admin and Remote access
Used in 66% of tests to successfully compromise the target
![Page 21: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/21.jpg)
@MrShannonFritz
Attack 1: Weak Domain User Passwords
• Use a passphrase, Keep passwords longeroSet with AD Group Policy
• Password enforcementoAzure AD Premium with Password Reset
• Implement MFA for AdminoMicrosoft Identity Manager Privileged Access Management (MIM PAM)
oAzure AD Privileged Identity Management (AAD PIM)
• Implement MFA for RemoteoRDS Gateway and Azure MFA
oAD FS and/or Azure Application Proxy
![Page 22: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/22.jpg)
@MrShannonFritz
Password Guidance• Use a Passphrase
o A statement with punctuation is easy to remember, longer & harder to crack
• Randomly Generate a Passwordo http://aka.ms/password
• Use Windows Hello (login with PIN, Fingers, Face)o http://tinyurl.com/winhello
• Do you save passwords in your browser?o http://lastpass.com and https://1password.com are far better solutions!
• Do you re-use passwords?o http://haveibeenpwned.comtells if your account was leaked
• Do you want more guidance?o http://aka.ms/passwordguidance
![Page 23: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/23.jpg)
@MrShannonFritz
Attack 2: Name Resolution Poisoning
• Key Problemso Exploits behavior of Windows when connecting to a network
oClient machine is coaxed into transmitting credentials to attackers
oAttacker can replay captured credentials or attempt to crack them
• RecommendationsoDisable LLMNR and NetBIOS (after testing!)
oDisable Proxy autodetection (WPAD)
oMonitor the network for illegitimate Broadcast traffic
oBlock outbound tcp/53 (dns) and tcp/445 (smb) to the Internet
Used in 64% of tests to successfully compromise the target
![Page 24: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/24.jpg)
@MrShannonFritz
Attack 2: Name Resolution Poisoning
• Disable LLMNR and NetBIOSo LLMNR – Use AD Group Policy to disable
oNetBIOS – On DHCP server enable option “001” set to “0x2”
oNetBIOS – On client set a reg key for network adapters (scripting)
• Disable Proxy autodetection (WPAD)oAD GPO for Internet Explorer
![Page 25: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/25.jpg)
@MrShannonFritz
Attack 3: Local Admin / Pass the Hash
• Key ProblemsoMany organizations use the same Local Admin password on all systems
oThe NTLM hash can be can be used without knowing the password
oThe NTLM hash can be used on other systems with the same password
• RecommendationsoRevise business process around the use of local admin accounts
oDeploy Microsoft LAPS
oRead the Microsoft PtH v2 Whitepaper
oDeploy Microsoft Advanced Threat Analytics (ATA)
Used in 64% of tests to successfully compromise the target
![Page 26: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/26.jpg)
@MrShannonFritz
Attack 3: Local Admin / Pass the Hash
• Revise business process around the use of local admin accountsoUpdate the “gold image” build process
oRestrict/eliminate used of local accounts, monitor and alert
• Deploy Microsoft LAPSohttps://aka.ms/laps - Use GPO to install/configure on Clients & Servers
• Read the Microsoft PtH v2 Whitepaperohttps://microsoft.com/pth
• Deploy Microsoft Advanced Threat Analytics (ATA)ohttps://microsoft.com/ata
![Page 27: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/27.jpg)
@MrShannonFritz
Attack 4: Cleartext Passwords in Memory
• Key ProblemsoDomain Credentials are stored in cleartext in the LSASS process
o Local Admin or SYSTEM users can read this memory space
o Exposes not only the Hash, but the actual password itself
• RecommendationsoMove Windows Server 2012 R2+ and Windows 10
o Install and enable Microsoft Security Advisory 2871997 on older OS’s
oRemove local admin rights
oUpdate the “gold image”
Used in 59% of tests to successfully compromise the target
![Page 28: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/28.jpg)
@MrShannonFritz
Attack 4: Cleartext Passwords in Memory
• Move Windows Server 2012 R2+ and Windows 10oThese OS’s do not store the cleartext passwords in memory
oWindows 10 can further be protected with Credential Guard
• Install and enable Microsoft Security Advisory 2871997oUpdates available for Windows 7 and 2008 R2
ohttps://support.microsoft.com/en-us/kb/2871997
oHKLM\SYSTEM\CurrentControlSet\Control SecurityProviders\WdigestUseLogonCredential: 0 (REG_DWORD)
oUsers with SYSTEM can alter this, monitor for changes (use OMS)
![Page 29: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/29.jpg)
@MrShannonFritz
The Fifth Attack!
• Insufficient Network Access Controls
•Used in 52% of tests to successfully compromise
•Read the whitepaper! https://www.praetorian.com/
![Page 30: Naked and Vulnerable - Concurrency...Naked and Vulnerable A Cybersecurity Starter Kit @MrShannonFritz Who is this Guy? •I’m Shannon Fritz •I’m a Microsoft Enterprise Security](https://reader036.vdocuments.site/reader036/viewer/2022070221/61374c810ad5d206764887ed/html5/thumbnails/30.jpg)
Takeaways
• Document and Share your security concerns (internally)• Work from the list, and have others contribute
• Prioritize Remediation based on Likelihood and Impact• Start with a narrow scope and short time frame
• Your Current Passwords are Weak and Puny• Use Stronger Password Policies, SSPR & MFA
• Reusing a Password is Dangerous• Use a Generator and a Manager
• Pace yourself! – It’s easy to get overwhelmed. Get some help.