
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università


The series of seminars organized by Fondazione CRUI and Microsoft continues, this time touching on the delicate subject of cyber security. The webinar is divided into three main topics: 1) Threat trends: prevalent attacks, ransomware and advanced attacks; 2) Strategies for detecting and protecting against attacks: with reference to ransomware and credential-theft attacks, the recommended defensive strategies are illustrated, mentioning the tools that have proved most useful in these contexts and how security architectures need to be rethought to defend against credential theft; 3) The operating system as the first line of defense: with reference mainly to Windows 10 and Windows 8, the security features already present in the operating system that can be used to implement an effective defense and detection strategy are illustrated.

Published in: Education

  1. Threat trends
  2. Advanced Persistent Threat (APT)
     • Commodity malware: very prevalent; made for the public; cheap; designed for short-term gain. Examples: Conficker, CryptoLocker.
     • Targeted attacks: unique, low volume; tailored and custom made; expensive; designed for long-term gain. Examples: Stuxnet, APT28.
  4. Ransomware by country or region (chart)
  5. Modern multi-stage ransomware attacks (diagram): Plan, Enter, Traverse, Encrypt, with command and control used throughout; the impact moves from the individual device/user to the whole enterprise.
  6. Microsoft Active Protection Service (MAPS) and Windows Defender ATP; ACL excerpt from a share (Everyone: Full Control, Modify); Detect, Respond, Recover. http://aka.ms/sparoadmap
  7. http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/ and https://blogs.technet.microsoft.com/office365security/how-to-deal-with-ransomware/
  8. Attack kill chain, with Strontium (Microsoft's name for APT28) as the worked example:
     • Recon: fingerprint, observation, OSINT
     • Weaponize: lure, zero-day / exploit kit, social engineering
     • Delivery: watering hole, spear-phish, MITM
     • Exploit: installation, dropper, downloader
     • Install: installation, EoP / gain privilege, persistence
     • C&C: exploration, information gathering, lateral movement
     • Actions: exfiltration, destruction, compromise
     Strontium tradecraft at each stage: spear-phishing attachment lures exploiting Office CVEs; spear-phishing drive-by URLs exploiting IE/Flash/Java CVEs; social-engineered code execution via a Firefox XPI; social-engineered drive-by logins against OWA, Yahoo and Gmail.
  9. Targeted attacks, typical timeline and observations: research and preparation; first host compromised; domain admin compromised within 24-48 hours; data exfiltration with the attacker undetected; attack discovered after 11-14 months.
  10. Privilege escalation with credential theft (typical), 24-48 hours end to end:
     1. Get in with a phishing attack (or other means)
     2. Steal credentials
     3. Compromise more hosts and credentials, searching for a Domain Admin
     4. Get Domain Admin credentials
     5. Execute the attacker's mission (steal data, destroy systems, etc.)
  11. Initial compromise: an attacker obtains local administrative rights on a computer by enticing a victim into executing a malicious application, exploiting a known or unpatched vulnerability, or through some other means. Countermeasures: patching (Microsoft and third party); least privilege; user education; email protection; threat detection; application whitelisting.
  12. Lateral movement: the attacker exploits shared secrets (e.g. password hashes) on a computer to access similar hosts at the same trust level. Countermeasures: randomize the local admin password; host firewall across clients; deny logon via the network; Credential Guard.
  13. Privilege escalation: the attacker captures privileged account credentials used to administer higher-level resources (servers, in the diagram). Countermeasures: do not expose privileged credentials; credential partitioning; service and application hardening.
  14. Complete compromise: if a domain administrator account is captured along the way, the infrastructure is completely compromised. Countermeasure: detection through monitoring and alerting is key.
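The countermeasure on slide 14, detection through monitoring, can be started from the Security log alone. The PowerShell below is an added example and is not part of the webinar deck or Microsoft tooling: it takes network-logon records (event ID 4624, logon type 3) and flags a source/account pair that reaches several distinct hosts inside a short window, which is what the lateral-movement step on slide 12 looks like in telemetry. The event records, host names, thresholds and the `Find-LateralMovement` function with its parameters are all constructed for illustration.

```powershell
# Added example, not from the webinar deck. The records below are constructed;
# in production build them from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
# taking TargetUserName, LogonType, WorkstationName and AuthenticationPackageName
# from each event's XML, with Target = the host that logged the event.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2016-05-10T08:01:00'; User = 'j.rossi';       Source = 'WS-LIB-01'; Target = 'FS-01';     LogonType = 3;  AuthPackage = 'Kerberos' }
    [pscustomobject]@{ Time = [datetime]'2016-05-10T08:03:00'; User = 'j.rossi';       Source = 'WS-LIB-01'; Target = 'PRINT-01';  LogonType = 3;  AuthPackage = 'Kerberos' }
    [pscustomobject]@{ Time = [datetime]'2016-05-10T09:10:00'; User = 'helpdesk-adm';  Source = 'PAW-02';    Target = 'WS-LIB-01'; LogonType = 10; AuthPackage = 'Negotiate' }
    # Same local admin hash replayed from one workstation to its peers at night
    [pscustomobject]@{ Time = [datetime]'2016-05-10T23:02:00'; User = 'Administrator'; Source = 'WS-LIB-01'; Target = 'WS-LIB-02'; LogonType = 3;  AuthPackage = 'NTLM' }
    [pscustomobject]@{ Time = [datetime]'2016-05-10T23:04:00'; User = 'Administrator'; Source = 'WS-LIB-01'; Target = 'WS-LIB-03'; LogonType = 3;  AuthPackage = 'NTLM' }
    [pscustomobject]@{ Time = [datetime]'2016-05-10T23:05:00'; User = 'Administrator'; Source = 'WS-LIB-01'; Target = 'WS-LIB-04'; LogonType = 3;  AuthPackage = 'NTLM' }
    [pscustomobject]@{ Time = [datetime]'2016-05-10T23:09:00'; User = 'Administrator'; Source = 'WS-LIB-01'; Target = 'WS-LIB-07'; LogonType = 3;  AuthPackage = 'NTLM' }
)

function Find-LateralMovement {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # one object per 4624 event
        [int] $HostThreshold = 3,                    # distinct targets before alerting
        [int] $WindowMinutes = 30                    # sliding window length
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 } |          # network logons only (SMB, WMI, PsExec-style)
        Group-Object -Property { '{0}|{1}' -f $_.Source, $_.User } |
        ForEach-Object {
            $sorted  = @($_.Group | Sort-Object Time)
            $alerted = $false
            for ($i = 0; $i -lt $sorted.Count -and -not $alerted; $i++) {
                $start   = $sorted[$i].Time
                $end     = $start.AddMinutes($WindowMinutes)
                $window  = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
                $targets = @($window | ForEach-Object { $_.Target } | Sort-Object -Unique)
                if ($targets.Count -ge $HostThreshold) {
                    $alerted = $true                   # one alert per source/account pair
                    $ntlm = @($window | Where-Object { $_.AuthPackage -eq 'NTLM' }).Count
                    [pscustomobject]@{
                        Source        = $sorted[0].Source
                        User          = $sorted[0].User
                        WindowStart   = $start
                        DistinctHosts = $targets.Count
                        Targets       = $targets -join ', '
                        NtlmShare     = '{0:P0}' -f ($ntlm / $window.Count)   # hash replay shows up as NTLM
                    }
                }
            }
        }
}

Find-LateralMovement -Events $SampleEvents | Format-Table -AutoSize
```

On the sample data only the `WS-LIB-01|Administrator` pair is reported (four targets in seven minutes, all NTLM); `j.rossi` touches two hosts and stays under the threshold, and the type-10 RDP logon is ignored. The same local-account name appearing from one source against many targets is precisely what LAPS (slide 12, randomized local admin passwords) removes as an attack path.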
  15. Strategies for attack detection and prevention
  16. Key guidance resources: Credential Theft Portal, www.microsoft.com/PTH (credential-theft whitepapers and resources); Determined Adversaries and Targeted Attacks, http://www.microsoft.com/en-us/download/details.aspx?id=34793; Security Intelligence Report (SIR), http://www.microsoft.com/SIR
  17. Key preventive controls ("do these NOW!"):
     1. Admin workstations and logon restrictions: Domain Admins; server, application and cloud infrastructure admins; workstation admins.
     2. Random local account passwords: workstations; servers; specialized devices (cash registers, ATMs, etc.).
     3. RDP /RestrictedAdmin mode: server and application admins; workstation and specialized-device admins.
  18. Tier 0 administration security (Domain/Enterprise Admins and equivalent)
     • Good/Minimum: separate admin desktops and the associated IT admin process changes; separate admin accounts; remove accounts from Tier 0 (service accounts; personnel limited to DC maintenance, delegation and forest maintenance).
     • Better/Best: detection with Advanced Threat Analytics; multi-factor authentication (smartcards, one-time passwords, etc.); just-in-time (JIT) privileges through Privileged Access Management; extensive redesign of IT process and privilege delegation; administrative forest (for AD admin roles in current releases); Credential Guard; Microsoft Passport and Windows Hello.
  19-20. Administration security for the lower tiers (slides 19 and 20 list the same controls)
     • Good/Minimum: separate admin accounts; separate admin desktops and the associated IT admin process changes; enforce use of RDP RestrictedAdmin mode; Local Administrator Password Solution (LAPS), or an alternative from the first Pass-the-Hash whitepaper (PtH v1).
     • Better/Best: detection with Advanced Threat Analytics; multi-factor authentication (smartcards, one-time passwords, etc.); just-in-time (JIT) privileges through Privileged Access Management; extensive overhaul of IT process and privilege delegation; Credential Guard; Microsoft Passport and Windows Hello.
  21. Securing Privileged Access (SPA) roadmap, http://aka.ms/SPAroadmap, based on real-world experience deploying Microsoft cybersecurity services solutions.
  22. Phase 1 (2-4 weeks): first response to the most frequently used attack techniques
     1. Separate admin account for admin tasks
     2. Privileged Access Workstations (PAWs), phase 1: Active Directory admins (http://Aka.ms/CyberPAW)
     3. Unique local admin passwords for workstations (http://Aka.ms/LAPS)
     4. Unique local admin passwords for servers (http://Aka.ms/LAPS)
  23. Phase 2 (1-3 months): build visibility and control of administrator activity, increase protection against typical follow-up attacks
     1. PAWs phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) (http://aka.ms/CyberPAW)
     2. Just Enough Admin (JEA) for DC maintenance (http://aka.ms/JEA)
     3. Lower the attack surface of the domain and DCs (http://aka.ms/HardenAD)
     4. Domain controller security updates: target full deployment within 7 days
     5. Attack detection (http://aka.ms/ata)
     6. Time-bound privileges, no permanent admins (http://aka.ms/PAM, http://aka.ms/AzurePIM)
     7. Multi-factor authentication for elevation
  24. Phase 3 (6+ months): move to a proactive security posture
     1. Modernize the roles and delegation model (https://www.microsoft.com/security)
     2. Smartcard or Passport authentication for all admins (http://aka.ms/Passport)
     3. Admin forest for Active Directory administrators (http://aka.ms/ESAE)
     4. Apply baseline security policies to DCs
     5. Code integrity policy for DCs (Server 2016)
     6. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric) (http://aka.ms/shieldedvms)
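The "do these now" controls of slide 17 and the phase-1 and phase-2 items above are host settings that can be verified by script. The PowerShell below is an added example, not from the deck or from Microsoft: on a Windows 10 or Windows Server 2012 R2 (or later) host, run elevated, `Test-PreventiveControls` reports whether the LAPS client policy is applied, whether the host accepts RDP RestrictedAdmin connections, whether the host firewall is on for every profile, and whether the "Deny access to this computer from the network" right is populated. The function name and the output field names are the example's own; the registry values and the `secedit` export it reads are the documented locations for those settings.

```powershell
# Added example, not from the webinar deck. Run elevated; Get-NetFirewallProfile
# needs Windows 8 / Server 2012 or later.
function Test-PreventiveControls {
    [CmdletBinding()]
    param()

    # Unique local admin passwords: the LAPS client-side extension GPO writes AdmPwdEnabled = 1
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $lapsEnabled = ($null -ne $laps) -and ($laps.AdmPwdEnabled -eq 1)

    # RDP RestrictedAdmin accepted by this host: DisableRestrictedAdmin = 0.
    # When the value is absent the host still demands reusable credentials over RDP.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $restrictedAdmin = ($null -ne $lsa.DisableRestrictedAdmin) -and ($lsa.DisableRestrictedAdmin -eq 0)

    # Host firewall on for the Domain, Private and Public profiles
    $profilesOff = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    $firewallAllProfiles = ($profilesOff.Count -eq 0)

    # "Deny access to this computer from the network" (SeDenyNetworkLogonRight) populated,
    # typically with local Administrators, so a stolen local admin hash cannot be replayed
    # to this host over SMB/WMI. secedit exports user rights as a UTF-16 .inf file.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $denyLine = Get-Content $inf | Where-Object { $_ -like 'SeDenyNetworkLogonRight*' } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $denyNetworkLogonSet = ($null -ne $denyLine) -and ($denyLine -match '=\s*\S')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        LapsPolicyApplied   = $lapsEnabled
        RestrictedAdminOn   = $restrictedAdmin
        FirewallAllProfiles = $firewallAllProfiles
        DenyNetworkLogonSet = $denyNetworkLogonSet
    }
}

Test-PreventiveControls
```

The result is one object per host, so it can be collected across a fleet with `Invoke-Command` and filtered for any `$false`. One caveat worth keeping in mind: RestrictedAdmin keeps the administrator's reusable credentials off the target, but it also means the target will accept an NTLM hash to open an RDP session, which is why slides 17 and 22 pair it with randomized local passwords (LAPS) and the deny-network-logon right rather than deploying it alone.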
  25. The operating system as the first line of defense
  26-27. Key threats and security features by Windows release (slide 26 is a partial build of slide 27)
     • 2001, Windows XP. Key threats: Melissa (1999), Love Letter (2000); mainly leveraging social engineering. Features: logon (Ctrl+Alt+Del); access control; user profiles; security policy; Encrypting File System (file based); smartcard and PKI support; Windows Update.
     • 2004, Windows XP SP2. Key threats: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks. Features: Data Execution Prevention (DEP); Address Space Layout Randomization (ASLR) as listed on the slide, although ASLR actually shipped with Windows Vista; Security Development Lifecycle (SDL); auto update on by default; firewall on by default; Windows Security Center; WPA support.
     • 2007, Windows Vista. Key threats: Zotob (2005); attacks "moving up the stack" (the summer of Office 0-days); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing; users running as admin. Features: BitLocker; improved ASLR and DEP; full SDL; User Account Control; Internet Explorer SmartScreen filter; digital rights management; firewall improvements; signed device driver requirements; TPM support; Windows integrity levels; secure-by-default configuration (Windows features and IE).
     • 2009, Windows 7. Key threats: organized crime; botnets; identity theft; Conficker (2008); time from patch to exploit: days. Features: improved ASLR and DEP; full SDL; improved IPsec stack; managed service accounts; improved User Account Control; enhanced auditing; Internet Explorer SmartScreen filter; AppLocker; BitLocker To Go; Windows Biometric Service; Windows Action Center; Windows Defender.
     • 2012, Windows 8. Key threats: organized crime and potential state actors; sophisticated targeted attacks; Aurora (2009) and Stuxnet (2010); password and digital identity theft and misuse; signature-based AV unable to keep up; digital signature tampering; browser plug-in exploits; data loss on BYOD devices. Features: firmware-based TPM; UEFI Secure Boot; Trusted Boot (with ELAM); Measured Boot; significant improvements to ASLR and DEP; AppContainer; Internet Explorer 10 (plug-in-less and Enhanced Protected Mode); application reputation moved into the core OS; device encryption (all SKUs); BitLocker improvements and MBAM; virtual smartcards; Dynamic Access Control; built-in AV (Windows Defender); improved biometrics; TPM key protection and attestation; certificate reputation; Provable PC Health; remote business data removal.
     • 2015, Windows 10. Key threats: nation states actively attacking private institutions; CryptoLocker (2013) and APTs at scale; disruption and terror added to the playbook; rampant password theft and abuse; pass-the-hash becomes part of the default playbook; AV unable to keep up. Features: Virtual Secure Mode; virtual TPM; Device Guard; Microsoft Passport; Windows Hello; Control Flow Guard; biometric framework improvements (iris, facial); broad OEM support for biometric-enabled devices; Enterprise Data Protection; device encryption supported on a broader range of devices; DMA attack mitigations; URL reputation improvements; app reputation improvements; Windows Defender improvements; Provable PC Health improvements.
  29. Identity flow (diagram). Identity providers: Active Directory, Azure AD, Google, Facebook, Microsoft Account. 1) The user proves identity to the IdP; 2) Windows 10 asks the IdP to "trust my unique key"; 3) the IdP answers "here is your authorization token"; 4) the intranet resource says "I trust tokens from the IdP" and the Internet resource "so do I".
  30. Virtual Secure Mode (VSM) (diagram): the hypervisor sits underneath; Windows and its apps run in the normal partition, while the Local Security Authority service, the virtual TPM and hypervisor code integrity run inside VSM.
  31. Device Guard (diagram): Platform Secure Boot, UEFI Secure Boot, virtualization-based security with hypervisor-enforced code integrity (VBS-HVCI) providing kernel-mode code integrity (KMCI), and user-mode code integrity (UMCI) alongside AppLocker.
  32. Credential Guard / Device Guard requirements (table with a column for each feature; the per-column X marks did not survive extraction):
     • Windows 10 Enterprise edition
     • UEFI firmware version 2.3.1 or higher and Secure Boot
     • Virtualization extensions
     • Firmware lock
     • x64 architecture
     • A VT-d or AMD-Vi IOMMU
     • Secure firmware update process
     • Firmware updated for Secure MOR (memory overwrite request)
     • TPM 1.2 or 2.0
     • Physical PC
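The requirements table can be checked programmatically before a Credential Guard rollout, and the rollout itself is a few registry values plus a reboot. The PowerShell below is an added example, not from the webinar deck or from Microsoft: `Test-VbsPrerequisites` reports the rows of the table for the local machine using built-in cmdlets and the `Win32_DeviceGuard` WMI class, and `Enable-CredentialGuardRegistry` writes the documented `DeviceGuard` and `Lsa` registry values, the same ones the Device Guard group policy sets. The two function names and the output field names are the example's own; run it elevated on Windows 10 Enterprise.

```powershell
# Added example, not from the webinar deck. Run elevated on Windows 10 Enterprise.
function Test-VbsPrerequisites {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_DeviceGuard exists on Windows 10 / Server 2016; absent on older releases
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on legacy BIOS boot
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EnterpriseEdition  = ($os.Caption -match 'Enterprise')
        X64                = ($os.OSArchitecture -like '64*')
        UefiSecureBoot     = $secureBoot
        # Reported false once Hyper-V/VBS already owns the CPU; check the BIOS in that case
        VirtualizationExt  = [bool]$cpu.VirtualizationFirmwareEnabled
        Slat               = [bool]$cpu.SecondLevelAddressTranslationExtensions
        # AvailableSecurityProperties: 1 base VBS, 2 Secure Boot, 3 DMA protection (IOMMU), 4 Secure MOR
        IommuDmaProtection = ($null -ne $dg) -and ($dg.AvailableSecurityProperties -contains 3)
        SecureMor          = ($null -ne $dg) -and ($dg.AvailableSecurityProperties -contains 4)
        TpmPresent         = ($null -ne $tpm) -and [bool]$tpm.TpmPresent
        # HypervisorPresent is also true on bare metal with the Hyper-V role; a hint, not proof
        PhysicalPc         = -not [bool]$cs.HypervisorPresent
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardOn  = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
        HvciOn             = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    }
}

function Enable-CredentialGuardRegistry {
    param(
        [switch] $UefiLock,   # lock the setting in UEFI; cannot be undone by a remote registry change
        [switch] $WithHvci    # also enable hypervisor-enforced kernel code integrity (1607+ key)
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection (the IOMMU row)
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Type DWord -Value 3
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = Credential Guard without lock
    $lsaFlags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $lsaFlags
    if ($WithHvci) {
        $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
        New-Item -Path $hvciKey -Force | Out-Null
        Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
    }
    Write-Output 'Reboot required; confirm afterwards with Test-VbsPrerequisites (CredentialGuardOn).'
}

Test-VbsPrerequisites | Format-List
```

Run the check first and only call `Enable-CredentialGuardRegistry` when every prerequisite row is true, since turning on VBS on a machine without the IOMMU or Secure MOR rows leaves the isolated LSA exposed to exactly the DMA and memory-reuse attacks the table is there to rule out. Keep `-UefiLock` for the final rollout: once locked, the setting survives a remote registry change and can only be removed at the console.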
  33. Enterprise Data Protection
  34. Conclusions
     • Threat trends show a continuous increase in both the sophistication and the frequency of attacks.
     • Microsoft recommends that all organizations adopt the Securing Privileged Access roadmap.
     • The operating system, with its built-in security features, is an effective barrier against modern attacks as part of a multi-layered security strategy.
