Hackcon 2017

Presentation from Hackcon #12, 2017. Windows Security, Device Guard, Credential Guard
1. Protecting your critical systems from new and unknown malware, 0-days, and APT

2. The ONE solution
   WE DRIVE BUSINESS EVOLUTION FORWARD
   https://en.wikipedia.org/wiki/Snake_oil

3. Modern Users

4. Last Week's Customer Incident

5. Luck vs Solution
   Luck:
   - Honesty
   - No judgment
   - Response time
   Bad Luck:
   - (Just about) only local admin user
   - User permission
   Mitigation:
   - Monitoring (ATA)
   - User training
   - Procedures, monitoring and alerts (ATP/ATA)

6. Affected Client
   Bad Luck:
   - USB backup disk
   - Local admin (exception)
   Mitigation:
   - Azure Backup
   - LAPS (Local Administrator Password Solution): https://www.microsoft.com/en-us/download/details.aspx?id=46899
   - Device Guard

7. WHY!!!

8. Man vs Machine

9. Old School Security
   - User education
   - Traditional best practices
   - Avoid exceptions
   - Etc.
   Think!!!

10. Windows Security History
    August 2004 (Windows XP SP2) and November 2006 (Windows Vista)
    https://en.wikipedia.org/wiki/Timeline_of_Microsoft_Windows

11. Windows Vista
    UAC:
    - Stopped more than 50% of 2000 backdoors, keyloggers, rootkits, mass mailers, trojan horses, spyware, adware, and various others directly
    - Less than 5% survived UAC during reboot
    http://us.norton.com/support/premium_services/malware_removal_guide.pdf

12. The Windows 10 Defense Stack: PROTECT, DETECT & RESPOND
    PRE-BREACH
    - Device protection: Device Health Attestation, Device Guard, Device Control, Security policies (device integrity, device control)
    - Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall (Windows Firewall), Microsoft Edge
    - Information protection: Device protection / drive encryption (BitLocker and BitLocker to Go), Enterprise Data Protection (Windows Information Protection), Conditional access
    - Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport, Windows Hello ;)
    POST-BREACH
    - Breach detection, investigation & response: Windows Defender ATP

13. Windows 10 Security on Legacy or Modern Devices (upgraded from Windows 7 or 32-bit Windows 8)
    PRE-BREACH: Device protection, Identity protection, Information protection, Threat resistance
    POST-BREACH: Breach detection, investigation & response

14. Dynamic Lock / Goodbye

15. Hello (Word) For Business
    10 Print «Hello World!»
    20 Goto 10
    Run

16. Hello For Business
    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification

17. Secure Boot / BitLocker / BIOS -> UEFI
    https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview

18. Show & Tell

19. (no text on slide)

20. The Guards

21. VIRTUALIZATION BASED SECURITY
    Layers, bottom to top:
    - Device Hardware
    - Hypervisor (Hyper-V)
    - Windows Operating System: Kernel, Windows Platform Services, Apps
    - System Container: Kernel, Trustlet #1, Trustlet #2, Trustlet #3

22. Device Guard in VBS environment: decisive mitigation
    Same layering as slide 21, with DEVICE GUARD running inside the System Container as an isolated trustlet (in place of Trustlet #1) next to Trustlet #2 and Trustlet #3, above the Hyper-V hypervisor and the device hardware.

23. Credential Guard
    Not currently supported on Windows Server 2016

24. (no text on slide)

25. (no text on slide)

26. Device Guard
    KMCI – Kernel Mode Code Integrity
    UMCI – User Mode Code Integrity
    Whitelist:
    - Applications / Apps
    - Utilities
    - Drivers
    Audit / Enforce
    Lock Policy
    https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide

27. Drivers
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/dashboard/windows-certified-products-listv

28. Certificates and Views
    2 314 831 bytes
    888 068 bytes

29. Exceptions (Known Threats)
    - Narrator
    - Wifi
    - Blacklist whitelisted
    - Exploit Monday
    - https://github.com/mattifestation/DeviceGuardBypassMitigationRules

30. Device Guard Getting Started
    - Golden image
    - Audit mode
    - Failed
    - Drivers
    - Policy files
    - Trial and error
    - Maintain
    NB! Sign the policy
    https://technet.microsoft.com/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard

31. Group Policy

32. Config Manager
    https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/

33. Running the Device Guard readiness tool
    CMD:
      Powershell Get-ExecutionPolicy
      Powershell Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 -Ready
      Powershell Get-ExecutionPolicy
    PowerShell:
      Get-ExecutionPolicy
      Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 -Ready
      Get-ExecutionPolicy
    Script options shown: -Capable, -Enable -CG, -Enable -HVCI
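The readiness script on this slide reports whether the machine can run virtualization based security and whether Credential Guard and HVCI are configured and actually running; slide 23 flags Credential Guard as the feature with platform caveats. The same state is exposed by the Win32_DeviceGuard WMI class, and the switch the deck manages through Group Policy (slides 31 and 34) is a handful of registry values. The block below is an added example written for this page, not code from the Hackcon deck or from DG_Readiness_Tool; the function names are the example's own, and the registry values and meanings are those of the "Turn On Virtualization Based Security" policy on Windows 10 1607 and later.

```powershell
# Added example (not from the Hackcon 2017 deck or DG_Readiness_Tool): read the VBS /
# Credential Guard / HVCI state from the Win32_DeviceGuard WMI class and decode the numeric
# fields, then set the registry values the "Turn On Virtualization Based Security" policy
# writes. Run in an elevated PowerShell on Windows 10 1607 or later.

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # SecurityServicesConfigured / SecurityServicesRunning entries: 1 = Credential Guard, 2 = HVCI
    $svcName  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    # AvailableSecurityProperties / RequiredSecurityProperties entries
    $propName = @{ 1 = 'BaseVirtualizationSupport'; 2 = 'SecureBoot'; 3 = 'DMAProtection';
                   4 = 'SecureMemoryOverwrite'; 5 = 'UEFICodeReadOnly'; 6 = 'SMMSecurityMitigations' }
    $vbsState = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties         = @($dg.AvailableSecurityProperties | ForEach-Object { $propName[[int]$_] })
        RequiredProperties          = @($dg.RequiredSecurityProperties  | ForEach-Object { $propName[[int]$_] })
        ServicesConfigured          = @($dg.SecurityServicesConfigured  | ForEach-Object { $svcName[[int]$_] })
        ServicesRunning             = @($dg.SecurityServicesRunning     | ForEach-Object { $svcName[[int]$_] })
        KernelModeCodeIntegrity     = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity       = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Test-CredentialGuardRunning {
    # "Configured but not running" is the usual failure: the registry says on, but Secure Boot
    # or the CPU virtualization extensions are missing, or the box has not been rebooted yet.
    $state = Get-VbsState
    if ($state.ServicesRunning -contains 'CredentialGuard') { return $true }
    if ($state.ServicesConfigured -contains 'CredentialGuard') {
        Write-Warning ('Credential Guard configured but not running. VBS: {0}. Platform offers: {1}' -f
            $state.VirtualizationBasedSecurity, ($state.AvailableProperties -join ', '))
    }
    return $false
}

function Enable-CredentialGuardRegistry {
    # Same values the GPO "Turn On Virtualization Based Security" writes with Credential Guard selected.
    # -UefiLock persists the choice in a UEFI variable so it cannot be undone by flipping the
    # registry back (turning it off later needs the documented bcdedit opt-out at boot).
    param([switch]$UefiLock, [switch]$RequireDmaProtection)

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null

    # EnableVirtualizationBasedSecurity: 1 = on
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value $platform -Type DWord
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock, 0 = disabled
    $lsaCfg = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $lsaCfg -Type DWord

    Write-Host 'Credential Guard configured. Reboot, then run Test-CredentialGuardRunning.'
}

# Usage:
#   Get-VbsState | Format-List
#   Enable-CredentialGuardRegistry -UefiLock
#   Test-CredentialGuardRunning
```

Get-VbsState is also the quickest way to verify a Device Guard rollout from slides 30 to 35: UserModeCodeIntegrity flips from Audit to Enforced only after the enforced policy binary is in place and the machine has rebooted.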
34. Management
    - Group Policy
    - Intune (coming)
    - System Center

35. Building and tuning a code integrity policy
      New-CIPolicy -FilePath c:\MyRules\MyRule.xml -Level PcaCertificate -ScanPath
      Set-RuleOption -FilePath c:\MyRules\MyRule.xml -Option X
    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules#code-integrity-policy-rules
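Slides 30 and 35 describe the loop (golden image, audit mode, see what failed, fix, enforce, and then sign the policy), and slide 29 is the reminder that a whitelist needs deny rules for the signed Microsoft binaries that execute arbitrary code. The block below is an added example written for this page, not code from the Hackcon deck or from the DeviceGuardBypassMitigationRules project, that carries the two cmdlets on this slide through that whole loop with the built-in ConfigCI module. C:\MyRules, the scan root, the deny-rule policy path and the signing certificate subject are assumptions for the example; the option numbers are the ones on the rule-rules page linked above.

```powershell
# Added example (not from the Hackcon 2017 deck): the Device Guard "getting started" loop
# (golden image -> audit mode -> collect what failed -> merge -> enforce -> sign) with the
# built-in ConfigCI cmdlets. C:\MyRules, the scan root, the deny-rule policy path and the
# signing certificate subject are assumptions for this example.

$PolicyDir  = 'C:\MyRules'
$PolicyXml  = Join-Path $PolicyDir 'MyRule.xml'
$AuditXml   = Join-Path $PolicyDir 'AuditAdditions.xml'
$MergedXml  = Join-Path $PolicyDir 'Merged.xml'
$EnforceXml = Join-Path $PolicyDir 'Enforced.xml'
$PolicyBin  = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # where the kernel loads the policy from

# Rule option numbers (the "-Option X" on the slide), from the linked policy-rules page
$Opt = @{ UMCI = 0; AuditMode = 3; UnsignedPolicy = 6; AdvancedBootMenu = 9; BootAuditOnFailure = 10 }

function New-AuditModePolicy {
    param([string]$GoldenImageRoot = 'C:\')   # assumption: run on the golden image itself; a full scan takes a long time
    New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
    # PcaCertificate trusts the issuing CA of each signed file rather than every file hash;
    # -Fallback Hash keeps unsigned files in the policy instead of silently dropping them;
    # -UserPEs scans user-mode binaries too, otherwise UMCI has nothing to allow.
    New-CIPolicy -FilePath $PolicyXml -Level PcaCertificate -Fallback Hash -ScanPath $GoldenImageRoot -UserPEs
    Set-RuleOption -FilePath $PolicyXml -Option $Opt.UMCI
    Set-RuleOption -FilePath $PolicyXml -Option $Opt.AuditMode           # log violations, do not block
    Set-RuleOption -FilePath $PolicyXml -Option $Opt.AdvancedBootMenu    # keep the F8 menu usable while testing
    Set-RuleOption -FilePath $PolicyXml -Option $Opt.BootAuditOnFailure  # a blocked boot driver falls back to audit instead of a no-boot
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin   # reboot to load it
}

function Get-AuditModeBlocks {
    # "Failed" on slide 30: what enforcement would have blocked, from the CodeIntegrity operational log
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Merge-AuditFindings {
    # -Audit builds a policy from the audit log itself; Hash level so only exactly those files are added
    New-CIPolicy -Audit -Level Hash -FilePath $AuditXml -UserPEs
    Merge-CIPolicy -OutputFilePath $MergedXml -PolicyPaths $PolicyXml, $AuditXml
}

function Enable-Enforcement {
    # DenyRulesXml: a deny-rule policy for known whitelist bypasses (slide 29's "blacklist whitelisted",
    # e.g. a policy built from the DeviceGuardBypassMitigationRules repo); the path is an assumption.
    param([string]$DenyRulesXml)
    $inputs = @($MergedXml)
    if ($DenyRulesXml) { $inputs += $DenyRulesXml }
    Merge-CIPolicy -OutputFilePath $EnforceXml -PolicyPaths $inputs
    Set-RuleOption -FilePath $EnforceXml -Option $Opt.AuditMode -Delete   # leave audit mode: blocks are now real
    ConvertFrom-CIPolicy -XmlFilePath $EnforceXml -BinaryFilePath $PolicyBin
}

function Protect-PolicyWithSignature {
    # "NB! Sign the policy": once a signed policy is loaded, only a policy signed by a listed update
    # signer replaces it, so a local admin (slide 6's exception) cannot swap in a permissive one.
    # Assumptions: the signer .cer exported next to the policy, the matching private key in the
    # current user's certificate store under $SignerSubject, and signtool.exe from the Windows SDK on PATH.
    param([string]$SignerCer = (Join-Path $PolicyDir 'DGSigner.cer'), [string]$SignerSubject = 'DG Policy Signer')
    Add-SignerRule -FilePath $EnforceXml -CertificatePath $SignerCer -Kernel -User -Update
    Set-RuleOption -FilePath $EnforceXml -Option $Opt.UnsignedPolicy -Delete   # unsigned policies are no longer accepted
    $unsigned = Join-Path $PolicyDir 'SIPolicy.p7b'
    ConvertFrom-CIPolicy -XmlFilePath $EnforceXml -BinaryFilePath $unsigned
    # PKCS#7 detached signature with the Windows System Component Verification EKU; output is <name>.p7 in -p7's folder
    & signtool.exe sign -v -n $SignerSubject -p7 $PolicyDir -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $unsigned
    Copy-Item -Path "$unsigned.p7" -Destination $PolicyBin -Force
}

# Usage, one step per reboot cycle:
#   New-AuditModePolicy            # deploy in audit mode, reboot, run the workload
#   Get-AuditModeBlocks            # review what would have been blocked
#   Merge-AuditFindings            # allow the legitimate findings
#   Enable-Enforcement -DenyRulesXml 'C:\MyRules\BypassDenyRules.xml'   # path is an assumption
#   Protect-PolicyWithSignature    # then reboot and confirm with the Win32_DeviceGuard class
```

Two practical caveats from this flow: merge the bypass deny rules before you leave audit mode, because a deny rule for a binary the image legitimately uses (the slide's Narrator and Wi-Fi cases) shows up as a 3076 event you can still act on, and keep a copy of the signing key off the machine, since losing it leaves you with a policy you can no longer update without the bcdedit recovery path.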
36. Device Guard Links
    Basic:
    - https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats
    - https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide
    - https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard
    - http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
    Advanced:
    - https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/
    - https://technet.microsoft.com/en-us/library/mt634481.aspx
    - https://www.youtube.com/watch?v=n_fq1WnoQbI
    - https://github.com/mattifestation/DeviceGuardBypassMitigationRules

37. Conclusion

38. Machine vs Man

39. Olav Tvedt
    Senior Principal Architect, Lumagate A/S
    Blog: olavtvedt.blogspot.com
    Twitter: OlavTwitt
    E-mail: Olav.Tvedt@Lumagate.com
    Cloud and Datacenter Management / Windows and Devices for IT
    31 May: www.mvpdagen.no
