Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks

Post on 12-Apr-2017


Presenter: Russell Smith (@smithrussell)

packtpub.com

Why Remove Admin Privileges?

Are there IT staff in your organization that are permanently assigned Domain Admin privileges?

• Prevent unwanted system-wide changes (system integrity/stability)
• AV, application control, and Group Policy can easily be evaded
• Domain admins have full access to domain controllers
• Regulatory compliance

But There Are Still Risks…

• Unpatched privilege escalation vulnerabilities
• Zero-day vulnerabilities
• Remaining/temporary admin users

Image Credit: Microsoft

What is Microsoft Advanced Threat Analytics?

Cyber-Attack Kill Chain

• Reconnaissance
• Lateral movement cycle
• Domain dominance (persistence)

ATA Architecture

Image Credit: Microsoft

• Monitors domain controllers (DCs) and DNS servers
• Port mirroring
• Lightweight gateway for DCs available
• ATA Center and Gateway

Reconnaissance

• SMB enumeration
• NET USER and GROUP queries
• DNS zone transfer

Lateral Movement

• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Overpass-the-Hash

Other Attack Methods

• Malicious replications
• Reconnaissance
• Brute force
• Remote execution

Behavioural Analysis and Machine Learning

• Anomalous logins
• Unknown threats
• Password sharing
• Lateral movement

Security Risks and Issues

• Broken trusts
• Weak protocols
• Known protocol vulnerabilities

Privilege Escalation

Image Credit: Microsoft

Reconnaissance

Image Credit: Microsoft

• Gather information
• Local escalation
• Harvest in-memory credentials
• Users’ location

Local Privilege Escalation

Image Credit: Microsoft

• Determine permissions
• Overpass-the-Hash

Domain Escalation

Image Credit: Microsoft

• Move hacker tools
• Get Kerberos ticket
• Pass-the-Ticket

Domain Dominance

Image Credit: Microsoft

• Create a backdoor on DC

Best Practices

• Least Privilege Security
• Protected Users
• Just-In-Time Administration
• Defense-in-Depth
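The first two best practices above start with knowing who holds standing Domain Admin rights and whether those accounts are in the Protected Users group. The following PowerShell audit is an added example, not part of the webinar or of any product it mentions; it assumes the ActiveDirectory module (RSAT) is installed, read access to the domain, and the default built-in group names.

```powershell
# Added example (not from the webinar): list permanent members of Domain Admins
# and flag those that are not in Protected Users.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Resolve every user account that currently holds Domain Admin rights,
# including members reached through nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Lookup of accounts already in Protected Users (no NTLM, no DES/RC4, no delegation).
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $protected[$_.SamAccountName] = $true }

$report = foreach ($member in $domainAdmins) {
    $user = Get-ADUser -Identity $member.SamAccountName -Properties LastLogonDate, PasswordLastSet
    [PSCustomObject]@{
        SamAccountName   = $user.SamAccountName
        Enabled          = $user.Enabled
        LastLogonDate    = $user.LastLogonDate
        PasswordLastSet  = $user.PasswordLastSet
        InProtectedUsers = [bool]$protected[$user.SamAccountName]
    }
}

# Standing admins outside Protected Users, oldest logon first, are the ones to review:
# move them to just-in-time elevation or, at minimum, into Protected Users.
$report | Sort-Object InProtectedUsers, LastLogonDate | Format-Table -AutoSize

# Keep a copy for the change ticket (path is a placeholder).
$report | Where-Object { -not $_.InProtectedUsers } |
    Export-Csv -Path .\standing-domain-admins.csv -NoTypeInformation
```

Protected Users changes authentication behaviour (NTLM is refused, Kerberos TGTs are shortened to four hours, delegation is blocked), so test each account in a pilot before adding it; the report is meant to drive that review, not to perform the change.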

PowerBroker for Windows

Least Privilege and Application Control for Windows Servers and Desktops

Summary: Why PowerBroker for Windows?

Deep capability
• Asset discovery, application control, risk compliance, Windows event log monitoring included
• Optional: Session monitoring, file integrity monitoring

Mature, patented leader
• U.S. Patent (No. 8,850,549) for the methods and systems employed for controlling access to resources and privileges per process

Centralized reporting, analytics and management
• Tightly integrated with vulnerability management
• Deep reporting and analytics insights for compliance and operations

Part of a broad solution family
• Privilege and session management on Unix, Linux and Windows
• Privileged password and session management
• Integrate Linux, Unix, and Mac OS X with Microsoft AD
• Real-time auditing of AD, File System, Exchange & SQL

Validated by customers and analysts alike

Your solution should:

• Elevate privileges to applications, not users, on an as-needed basis without exposing passwords
• Enforce least-privilege access based on an application’s known vulnerabilities
• Track and control applications with known vulnerabilities or malware to further protect endpoints
• Monitor event logs and file integrity for unauthorized changes to key files and directories
• Capture keystrokes and screens when rules are triggered, with searchable playback

Product Demonstration

Poll

Thank you for attending today’s webinar!