This document discusses virtualization-based security (VBS) and its strengths and weaknesses. It begins with an introduction of the presenter and their experience. The presentation then covers malware attacks with and without VBS protection. It discusses how VBS uses hardware isolation through virtualization to contain threats in isolated environments. Examples of VBS solutions from Microsoft and Bromium are provided and demonstrated. The pros and cons of VBS are reviewed, noting that while it provides strong isolation of threats, knowledge gaps and existing infections can still allow some threats to persist.
2. Quick Bio
• Anthony DiDonato, CEO/Principal Architect for Critical Design Associates Inc.
• 20+ years of experience in information technology
• Twitter: @Anthony_D_CDA
• Website: https://criticaldesign.net
• LinkedIn: https://www.linkedin.com/in/anthony-didonato-40b411142/
4. Agenda
• Demonstrate malware attacks and protection
• Discuss Detection vs. Isolation and Containment
• Discuss Virtualization Based Security (The Why, How, and What)
• Review and demonstrate currently available solutions
• Discuss the Pros and Cons of VBS
5. Kick Off Demo: Sacrificial VM!
• Olympic Destroyer without VBS
  • “Effectively a targeted attack using a wiper”
  • Available on the internet for reverse engineering purposes
  • A “hopefully” suitable sacrifice for the demo gods!
• Olympic Destroyer with VBS
• WannaCry/Ransomware with VBS
  • Still works today!
6. A word about AV, NGAV and Whitelisting…
• Relies upon detection… which typically fails over time!
• Typically requires incident response
• Typically requires a patient zero
• Prone to misconfiguration and exceptions
• Administrative overhead
• SIEM/IR overhead
• Many false positives
• Numerous documented and proven evasion tactics
7. Isolation and Containment
• Uses trust and detection but does not rely upon it
• Leverages hypervisor technology to create isolated and protected memory and processes/threads
• Creates a higher level of trusted computing by:
  • Protecting MBR, DMA, and Kernel
  • Protecting Secrets and the host
  • Treating all externally created, signed content as “Untrusted”
9. What is Virtualization Based Security (“VBS”)?
• Hardware enforced isolation and containment
• Using a hypervisor to create a secure and isolated region of memory from the host operating system.
• References:
  • https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/step-change-in-security-with-modern-devices-and-architecture/
• Major players:
  • Microsoft
  • Bromium
  • *Honorable mention: Qubes OS
19. What does Microsoft VBS “buy” you?
Requirements
• Windows 10 1607 or Later
• Windows Edge
• Enterprise or Education
• UEFI
• TPM
Protection
• Credential Protection
• Driver Signing Protection
• Protected Boot/Secrets
• Protected Processes (limited)
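The requirements and protections listed above can be verified on a given machine rather than assumed. The following is an added example (not from the presentation or from Microsoft) that reads the documented Win32_DeviceGuard WMI class shipped with Windows 10 1607 and later and reports which VBS services are configured versus actually running; the code-to-name tables are taken from Microsoft's Device Guard/Credential Guard documentation, and an elevated PowerShell prompt is assumed for Get-Tpm.

```powershell
# Added example (not from the presentation): report what Microsoft VBS is
# actually providing on this host via the Win32_DeviceGuard WMI class.
# Assumes Windows 10 1607+ and an elevated prompt (Get-Tpm needs it).

# Code tables as documented by Microsoft for Win32_DeviceGuard.
$services = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced code integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
}
$properties = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode-based execution control (MBEC)'
}
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# Translate an array of WMI codes into names, dropping codes not in the table.
function ConvertTo-Names($codes, $table) {
    @($codes | ForEach-Object { $table[[int]$_] } | Where-Object { $_ })
}

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [PSCustomObject]@{
        VbsStatus  = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        # Platform prerequisites the firmware/CPU can satisfy (UEFI, Secure Boot, DMA).
        Available  = ConvertTo-Names $dg.AvailableSecurityProperties $properties
        # What policy asked for ...
        Configured = ConvertTo-Names $dg.SecurityServicesConfigured $services
        # ... versus what is really enforcing right now.
        Running    = ConvertTo-Names $dg.SecurityServicesRunning $services
        # Credential Guard without a TPM keeps secrets isolated but not hardware-bound.
        TpmPresent = [bool](Get-Tpm).TpmPresent
    }
}

$r = Get-VbsReport
$r | Format-List

# The silent failure mode: services configured by policy but not running.
$missing = $r.Configured | Where-Object { $r.Running -notcontains $_ }
if ($r.VbsStatus -ne 'Running' -or $missing) {
    Write-Warning "VBS not fully enforcing. Status: $($r.VbsStatus); configured but not running: $($missing -join ', ')"
}
```

Run it in a fleet inventory job and alert on the warning line; a machine whose Configured list is longer than its Running list has the policy but not the protection.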
20. What does it lack? Windows 10 with WDAG, WDCG
• Lacking
  • Support for Windows 7, 8.x
  • Support for Adobe, Office, Other Content
  • Leverages Trusted/Untrusted model (Human Errors)
  • Support for Chrome, Firefox, Internet Explorer
  • Total protection of credentials
  • Protection from fileless malware attacks (WMI, PowerShell, Macros, etc...)
25. Virtualization Based Security with Windows 10 VBS and Bromium
Windows 10 VBS
• Protection against Pass-the-hash attacks
• Kernel code integrity checks
• WDAG isolates Edge
Bromium
• Protection & self-remediation for:
  • Network-based attacks
  • File or data loss
  • Key-loggers & screen scrapers
  • Ransomware
  • Persistent APTs
  • Pass-the-hash attacks
  • All malicious execution
• Tamper-proof real-time monitoring (EDR) of isolated tasks and the Windows desktop
• Windows 7, 8
26. Demo: Bromium vs. Malware
• Automatic Containment
• Automatic Isolation
• Multiple Browser and Application Support
• Automatic Incident Response
• Automatic Remediation