Virtualization Based Security
(“VBS”)
Strengths and Weaknesses
Quick Bio
• Anthony DiDonato, CEO/Principal Architect for Critical Design Associates Inc.
• 20+ years of experience in information technology
• Twitter: @Anthony_D_CDA
• Website: https://criticaldesign.net
• LinkedIn: https://www.linkedin.com/in/anthony-didonato-40b411142/
20+ Years of “Breaking Stuff”… and learning
Agenda
• Demonstrate malware attacks and protection
• Discuss Detection vs. Isolation and Containment
• Discuss Virtualization Based Security (The Why, How, and What)
• Review and demonstrate currently available solutions
• Discuss the Pros and Cons of VBS
Kick Off Demo: Sacrificial VM!
• Olympic Destroyer without VBS
  • “Effectively a targeted attack using a wiper”
  • Available on the internet for reverse engineering purposes
  • A “hopefully” suitable sacrifice for the demo gods!
• Olympic Destroyer with VBS
• WannaCry/Ransomware with VBS
  • Still works today!
A word about AV, NGAV and Whitelisting…
• Relies upon detection… which typically fails over time!
• Typically requires incident response
• Typically requires a patient zero
• Prone to mis-configuration and exceptions
• Administrative overhead
• SIEM/IR overhead
• Many false positives
• Numerous documented and proven evasion tactics
Isolation and Containment
• Uses trust and detection but does not rely upon it
• Leverages hypervisor technology to create isolated and protected memory and processes/threads
• Creates a higher level of trusted computing by:
  • Protecting MBR, DMA, and Kernel
  • Protecting Secrets and the host
  • Treating all externally created, signed content as “Untrusted”
What is Virtualization Based Security (“VBS”)?
• Hardware enforced isolation and containment
• Using a hypervisor to create a secure and isolated region of memory from the host operating system.
• References:
  • https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/step-change-in-security-with-modern-devices-and-architecture/
• Major players:
  • Microsoft
  • Bromium
  • *Honorable mention: QubesOS
[Diagram, source: https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/step-change-in-security-with-modern-devices-and-architecture/ ; without VBS, a loaded driver is effectively injected into the kernel: “Driver Loaded = Injected”]
[Diagram, same source; VSM (Virtual Secure Mode) splits the kernel into VTL0, running NTOSKRNL.EXE, and VTL1, running SECUREKERNEL.EXE; label: “Driver Loaded or Injected”]
[Diagram, source: https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/ ; Virtualization Based Security and Windows 10 Application Guard, VTL0 / VTL1]
Demo: Procdump LSASS.EXE, LSAISO.EXE
• Procdump lsass.exe
• Procdump lsaiso.exe
[Diagram: attack flow on a host without VBS. Layers: Hardware, BIOS/UEFI, NTOSKRNL.EXE (kernel mode), NTDLL.DLL API calls, Windows Explorer and Apps (user mode). Steps shown: Is Admin? / Get System / Load Library/Driver / Dump Memory / Get Secrets/Creds / Send to Attacker / Establish Persistence / Move Laterally]
[Diagram: with VBS, the hypervisor separates the normal USER MODE / KERNEL MODE from an Isolated USER MODE / Secure KERNEL MODE]
[Diagram: VBS-enabled host OS on the hypervisor alongside VM1 and VM2. Process 0 and Process 1 each have a page table mapping GPA 666 to 0x666888; SLAT (Intel VT-d/EPT) performs the second-level translation to SPA 666 / 0x666888]
Demo: Credential Guard and Mimikatz
• Demonstrate obtaining cleartext passwords with WDCG enabled.
• Mimikatz Custom SSP (Security Support Provider, circa 2014)
  • Added to memory (fileless)
  • Run as Admin
  • privilege::debug
  • misc::memssp
  • Close
[Diagram, © Bromium 2016: Windows 10 Kernel, VBS (Hyper-V), Applications, Windows Defender Application Guard for Edge]
What does Microsoft VBS “buy” you?
Requirements
• Windows 10 1607 or Later
• Windows Edge
• Enterprise or Education
• UEFI
• TPM
Protection
• Credential Protection
• Driver Signing Protection
• Protected Boot/Secrets
• Protected Processes (limited)
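As an added example (not from the slides, Microsoft or Bromium), the PowerShell check below reports whether the requirements and protections listed above are actually in force on a host: it reads the Win32_DeviceGuard WMI class, looks for the LsaIso.exe process that the Procdump demo targets, and reads the Lsa registry values; the LSA protection (RunAsPPL) check is an extra control the slides do not mention.

```powershell
# Added example, not from the slides: report whether VBS, Credential Guard (WDCG),
# HVCI (driver signing enforcement), UEFI Secure Boot and the TPM are configured
# and running. Run in an elevated PowerShell on Windows 10 (1607 or later).
# Win32_DeviceGuard and its value encodings are documented by Microsoft;
# LsaCfgFlags / RunAsPPL are the Lsa registry values for Credential Guard / LSA protection.

function Get-VbsStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    if (-not $dg) { throw 'Win32_DeviceGuard not available: this build does not expose VBS state.' }

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # SecurityServicesRunning / SecurityServicesConfigured entries
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (kernel code integrity)' }
    # RequiredSecurityProperties / AvailableSecurityProperties entries (0 = none required)
    $props = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                4 = 'Secure Memory Overwrite'; 5 = 'UEFI code read-only'
                6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
    $decode = { param($values, $table)
        ($values | Where-Object { $_ -ne 0 } | ForEach-Object { $table[[int]$_] }) -join ', ' }

    # LsaIso.exe is the isolated LSA process living in VTL1; no process means no isolation.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue
    $lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Confirm-SecureBootUEFI throws on legacy BIOS, which also rules out UEFI.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    try { $tpm = Get-Tpm } catch { $tpm = $null }

    [PSCustomObject]@{
        VbsStatus           = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning     = & $decode $dg.SecurityServicesRunning    $services
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured $services
        RequiredProperties  = & $decode $dg.RequiredSecurityProperties  $props
        AvailableProperties = & $decode $dg.AvailableSecurityProperties $props
        LsaIsoRunning       = [bool]$lsaIso
        LsaCfgFlags         = $lsa.LsaCfgFlags     # 1 = CG with UEFI lock, 2 = CG without lock
        LsaProtection       = [bool]$lsa.RunAsPPL  # lsass as PPL; separate from VBS
        SecureBoot          = [bool]$secureBoot
        TpmReady            = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    }
}

$status = Get-VbsStatus
$status | Format-List

# Gaps worth flagging against the requirement list on the slide.
if ($status.VbsStatus -ne 'Running') {
    Write-Warning 'VBS is not running, so Credential Guard and HVCI are not enforced.'
}
if (-not $status.LsaIsoRunning) {
    Write-Warning 'LsaIso.exe is not running: secrets are not isolated in VTL1.'
}
if (-not $status.LsaProtection) {
    # Without RunAsPPL, an unprotected admin process can still tamper with lsass
    # (for example by registering an SSP), which Credential Guard alone does not stop.
    Write-Warning 'LSA protection (RunAsPPL) is off.'
}
```

On Windows 10 Home or a host without a hypervisor the Win32_DeviceGuard query fails or reports 'Not enabled'; that result is itself the finding.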
What does it lack? Windows 10 with WDAG, WDCG
• Lacking
  • Support for Windows 7, 8.x
  • Support for Adobe, Office, other content
  • Leverages Trusted/Untrusted model (human errors)
  • Support for Chrome, Firefox, Internet Explorer
  • Total protection of credentials
  • Protection from fileless malware attacks (WMI, PowerShell, macros, etc.)
[Diagram, © Bromium 2015: Windows host on the Microvisor; a new micro-VM per ‘user task’; Boot (Windows 7, 8 upgrade)]
[Diagram, © Bromium 2015, two columns. Protected: OS, Network, Intranet, SaaS Sites, Applications, Files, Credentials. Isolated: Websites, Attachments, USB / shares, Untrusted networks, Vulnerable Applications]
[Diagram, © Bromium 2016: Windows 10 Kernel, VBS (Hyper-V), Applications, Windows Defender Application Guard for Edge, Boot (Windows 7, 8 upgrade). Protection, monitoring and self-remediation loop: (1) complete record of execution state (diffs, pcaps, files); (2) fed to SOC for real-time analytics & hunting; (3) self-remediation]
Virtualization Based Security with Windows 10 VBS and Bromium
Windows 10 VBS:
• Protection against Pass-the-hash attacks
• Kernel code integrity checks
• WDAG isolates Edge
Bromium (Windows 7, 8):
• Protection & self-remediation for
  • Network-based attacks
  • File or data loss
  • Key-loggers & screen scrapers
  • Ransomware
  • Persistent APTs
  • Pass-the-hash attacks
  • All malicious execution
• Tamper-proof real-time monitoring (EDR) of isolated tasks and the Windows desktop
Demo: Bromium vs. Malware
• Automatic Containment
• Automatic Isolation
• Multiple Browser and Application Support
• Automatic Incident Response
• Automatic Remediation
What’s missing (currently)?
• Knowledge and awareness
• Trusted resident content (already infected)
• Existing persistence (APT)
• Mis-Configuration/Exceptions
• Ever evolving evasion techniques and exploits
Questions?

BSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
