Using Advanced Threat Analytics

To Prevent Privilege Escalation

Attacks

Presenter:

RUSSELL SMITH

@smithrussell

Russell Smith

Russell Smith

packtpub.com

Are there IT staff in your organization that

are permanently assigned Domain Admin

privileges

• Prevent unwanted system-wide changes (system integrity/stability)

• AV, application control, and Group Policy can easily be evaded

• Domain admins have full access to domain controllers

• Regulatory compliance

Why Remove Admin Privileges?

Unpatched privilege escalation

vulnerabilities

Zero-day vulnerabilities

Remaining/temporary admin

users

But There Are Still Risks…

Image Credit: Microsoft

What is Microsoft Advanced Threat

Analytics?

Reconnaissance

Lateralmovement

cycle

Domain dominance (persistence)

Cyber-Attack Kill Chain

ATA Architecture

Image Credit: Microsoft

• Monitors domain controllers and DNS servers (DCs)

• Port mirroring

• Lightweight gateway for DCs available

• ATA Center and Gateway

ATA Architecture

SMB enumeration

NET USER and GROUP

queries

DNS zone transfer

Reconnaissance

• Pass-the-Ticket (PtT)

• Pass-the-Hash (PtH)

• Overpass-the-Hash

Lateral Movement

Malicious replications

Reconnaissance

Brute ForceRemote

execution

Other Attack Methods

Anomalous logins

Unknown threats

Password sharing

Lateral movement

Behavioural Analysis And

Machine Learning

Broken trustsWeak

protocols

Known protocol

vulnerabilities

Security Risks and Issues

Privilege Escalation

Image Credit: Microsoft

Reconnaissance

Image Credit: Microsoft

Gather information

Reconnaissance

Image Credit: Microsoft

Reconnaissance

Image Credit: Microsoft

Gather information

Local escalation

Harvest in-memory

credentials

Users’ location

Reconnaissance

Image Credit: Microsoft

Local Privilege Escalation

Image Credit: Microsoft

Determine permissions

Overpass-the-Hash

Local Privilege Escalation

Image Credit: Microsoft

Domain Escalation

Image Credit: Microsoft

Move hacker tools

Get Kerberos

ticket

Pass-the-Ticket

Domain Escalation

Image Credit: Microsoft

Domain Escalation

Image Credit: Microsoft

Domain Dominance

Image Credit: Microsoft

Create a backdoor on

DC

Domain Dominance

Image Credit: Microsoft

• Least Privilege Security

• Protected Users

• Just-In-Time Administration

• Defense-in-Depth

Best Practices

PowerBroker for

Windows

Least Privilege and Application Control

for Windows Servers and Desktops

Summary: Why PowerBroker for Windows?

• Asset discovery, application control, risk compliance, Windows event log monitoring included

• Optional: Session monitoring, file integrity monitoringDeep capability

• U.S. Patent (No. 8,850,549) for the methods and systems employed for controlling access to resources and privileges per process

Mature, patented leader

• Tightly integrated with vulnerability management

• Deep reporting and analytics insights for compliance and operations

Centralized reporting, analytics and management

• Privilege and session management on Unix, Linux and Windows

• Privileged password and session management

• Integrate Linux, Unix, and Mac OS X with Microsoft AD

• Real-time auditing of AD, File System, Exchange & SQL

Part of a broad solution family

Va

lida

ted

by c

usto

me

rs a

nd

an

aly

sts

alik

e

Your solution should:

• Elevate privileges to applications, not users, on an as-needed basis without

exposing passwords

• Enforce least-privilege access based on an application’s known vulnerabilities

• Track and control applications with known vulnerabilities or malware to further

protect endpoints

• Monitor event logs and file integrity for unauthorized changes to key files and

directories

• Capture keystrokes and screens when rules are triggered with searchable

playback

Product Demonstration

Poll

Thank you for attending

today’s webinar!