RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List

If there is a weakness in your IT security system, wouldn’t it be better to find it before someone else does? As long as we are aware of the value of the resources to be protected, why don’t we put ourselves into the hacker’s role and perform as they do? You will become familiar with the mandatory tasks that hackers perform to check for misconfigurations and vulnerabilities.


  1. SESSION ID: TECH-W10 #RSAC
     Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List
     Paula Januszkiewicz, CEO, Security Expert, Penetration Tester & Trainer, MVP, CQURE (@paulacqure | paula@cqure.us)
  2. (title slide, no text)
  3. (title slide, no text)
  4. Agenda
  5. Session Goal
     • Be familiar with the possibilities of the operating system, from user mode and kernel mode
     • We are NOT talking about forensics! … just doing a little hacking + conclusions
     • My goal: see one of the ways a hacker can act
  6. Agenda
  7. Know your victim
  8. Know the services
  9. Attack Users
     • Users: users rarely have software up to date; awareness issues ... but for a hacker it may not be enough
     • Administrators
       ◦ Local account: password reuse for workstations / different passwords for workstations
       ◦ Domain account: domain user being local administrator / domain administrator
  10. The meaning of scripts
  11. Make your backdoor persistent
     • Services, DLLs, Startup (Start Menu), Task Scheduler, LSA Providers, Run / RunOnce, GPO, Notification Package, Winlogon, Image Hijacking, Drivers, etc.
  12. Stay Persistent
  13. Stay undetected
     • If you are not ready to attack: stay stealthy and do not change the system behavior
     • Hide your traces: processes, files, infrastructure performance, network traffic, server / client platform performance
  14. Stay undetected
  15. Leverage your position
  16. Victim Recon
  17. Use victims to attack more targets
     • Create the remotely controlled network, automate the next scans, create your own botnet
     • What can be the hacker’s goal in your infrastructure?
  18. Agenda
  19. Apply
     • Offline access protection: implementation of solutions like BitLocker
     • Implementation of process execution prevention (AppLocker etc.)
     • Log centralization and log reviews: searching for anomalies and certain log error codes
     • Regular audits of the code running on the servers (e.g. Autoruns)
     • Maintenance: backup implementation and regular updating
     • Review of the services running under accounts that are not built in; change them to gMSAs where possible and set up SPNs
     • Get rid of NetBIOS
     • Try to avoid NTLMv2, especially if you do not have AppLocker or SMB signing in place
     • Client protection: implementation of anti-exploit solutions
  20. Apply What You Have Learned Today
     • Next week you should: implement Local Admin Password Management or another password management solution; build the plan for periodic configuration reviews and penetration tests (security checks)
     • In the first three months following this presentation you should: implement a Security Awareness Program for employees and technical training for administrators; review the configuration of the client-side firewall and which programs are allowed to communicate through the network; limit the number of services running on the servers (SCW and manual activities)
     • Within six months you should: implement scoping (role management) for permissions and employee roles (SQL Admins, Server Admins etc.); review network segmentation (+ IPsec isolation, DNSSEC etc.)
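Slide 11 lists the autostart locations an intruder would use to stay persistent, and slide 19 recommends regular audits of the code that runs on servers (Autoruns is the tool named). The script below is an added defender-side example, not code from the session or from CQURE: it walks those same locations on the local machine (Run/RunOnce, the Startup folders, Winlogon Shell/Userinit, the LSA package lists, Image File Execution Options "Debugger" values, auto-start services and drivers, scheduled tasks) and flags every entry whose executable sits outside the Windows directory or lacks a valid Authenticode signature. The key paths are the standard Windows ones; the "suspicious" heuristic and the CSV file name are this example's own choices, meant to be diffed against a known-good baseline between reviews.

```powershell
# Added example (not from the RSA session): read-only audit of the autostart locations
# used for persistence. Run in an elevated PowerShell 5.1+ session on the host under review.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Value)
    # Pull the executable out of a command line such as "C:\a b\x.exe" /arg or C:\a b\x.exe /arg
    $exe = $null
    if ($Value -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Value -match '^\s*(.+?\.(exe|dll|sys|cmd|bat|ps1|vbs|js))(\s|$)') { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables("$exe")
    # Driver paths often use \SystemRoot\... or \??\C:\...; normalise them to a filesystem path
    $exe = ($exe -replace '^\\SystemRoot', $env:windir) -replace '^\\\?\?\\', ''
    # Bare names (explorer.exe, msv1_0.dll, system32\drivers\x.sys) resolve relative to Windows
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        foreach ($dir in @($env:windir, "$env:windir\System32")) {
            $cand = Join-Path $dir $exe
            if (Test-Path -LiteralPath $cand) { $exe = $cand; break }
        }
    }
    $sig = 'n/a'
    if ($exe -and (Test-Path -LiteralPath $exe)) { $sig = (Get-AuthenticodeSignature -LiteralPath $exe).Status }
    elseif ($exe) { $sig = 'FileMissing' }
    $inWindows = $exe -and $exe.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
    $findings.Add([pscustomobject]@{
        Location = $Location; Name = $Name; Command = $Value; Executable = $exe; Signature = $sig
        # Heuristic (this example's choice): anything outside %windir% or not validly signed gets reviewed
        Suspicious = (-not $inWindows) -or ("$sig" -ne 'Valid')
    })
}

# Run / RunOnce keys, per machine and per current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
        Add-Finding -Location $key -Name $p.Name -Value ([string]$p.Value)
    }
}

# Startup folders: anything dropped here runs at logon
foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding -Location 'StartupFolder' -Name $_.Name -Value $_.FullName }
}

# Winlogon Shell / Userinit: expected values are explorer.exe and userinit.exe; extra entries are appended with commas
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($n in 'Shell', 'Userinit') {
    foreach ($part in ([string]$wl.$n).Split(',') | Where-Object { $_.Trim() }) {
        Add-Finding -Location 'Winlogon' -Name $n -Value $part.Trim()
    }
}

# LSA authentication / notification / security packages: DLLs loaded into lsass.exe at boot
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($n in 'Authentication Packages', 'Notification Packages', 'Security Packages') {
    foreach ($dll in @($lsa.$n)) {
        if (-not $dll -or $dll -eq '""') { continue }
        Add-Finding -Location 'LSA' -Name $n -Value $(if ($dll -like '*.dll') { $dll } else { "$dll.dll" })
    }
}

# Image File Execution Options "Debugger" values (the "Image Hijacking" of slide 11):
# Windows launches the Debugger program in place of the named image
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { Add-Finding -Location 'IFEO' -Name $_.PSChildName -Value $dbg }
}

# Auto-start services and boot/system/auto drivers
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
    ForEach-Object { Add-Finding -Location 'Service' -Name $_.Name -Value $_.PathName }
Get-CimInstance Win32_SystemDriver | Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' -and $_.PathName } |
    ForEach-Object { Add-Finding -Location 'Driver' -Name $_.Name -Value $_.PathName }

# Task Scheduler: actions of every enabled task outside the \Microsoft\ tree
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                Add-Finding -Location "Task $($task.TaskPath)" -Name $task.TaskName -Value "$($a.Execute) $($a.Arguments)".Trim()
            }
        }
    }

# Show what needs eyes on it, and keep the full inventory for diffing against the previous run
$findings | Where-Object Suspicious | Sort-Object Location, Name | Format-Table Location, Name, Signature, Executable -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\autostart-audit-$(Get-Date -Format yyyyMMdd).csv"
```

The heuristic is deliberately noisy: legitimate third-party software under Program Files is flagged too, so the value comes from comparing the CSV with the last reviewed baseline and looking only at what changed, which is the "regular audit" routine the slide describes rather than a one-off scan.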
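Slide 19 also asks for a review of services running under accounts that are not built in, converting them to gMSAs where possible and making sure SPNs are set up. The function below is an added example, not from the session or from CQURE: it inventories the local services, skips the built-in and virtual accounts, separates gMSA/computer accounts (SAM account names ending in "$") from ordinary user accounts, and can optionally look up each account's registered SPNs in Active Directory. The `-QuerySpn` switch, the `Kind` and `Action` labels and the assumption that the RSAT ActiveDirectory module is installed are this example's own.

```powershell
# Added example (not from the RSA session): which services run under non-built-in accounts,
# and whether those accounts have SPNs. Read-only; AD lookup only with -QuerySpn.

function Get-ServiceAccountReview {
    param([switch]$QuerySpn)   # assumes the RSAT ActiveDirectory module and domain connectivity

    $builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
                 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
                 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

    Get-CimInstance Win32_Service | Where-Object { $_.StartName } | ForEach-Object {
        $svc  = $_
        $name = $svc.StartName.Trim()
        $kind = if ($builtIn -contains $name)        { 'BuiltIn' }
                elseif ($name -like 'NT SERVICE\*')   { 'VirtualAccount' }   # per-service virtual account
                elseif ($name -like '*$')             { 'gMSA/Computer' }    # gMSA SAM names end in $
                else                                   { 'UserAccount' }      # the gMSA conversion candidates
        if ($kind -in 'BuiltIn', 'VirtualAccount') { return }   # skip this service, continue with the next

        $spns = 'not queried'
        if ($QuerySpn -and $name -match '^(?:[^\\]+\\)?(.+)$') {
            $sam = $Matches[1]                                    # strip a DOMAIN\ prefix if present
            try {
                $obj = if ($kind -eq 'UserAccount') {
                    Get-ADUser -Identity $sam -Properties ServicePrincipalName -ErrorAction Stop
                } else {
                    Get-ADServiceAccount -Identity $sam -Properties ServicePrincipalName -ErrorAction Stop
                }
                $spns = if ($obj.ServicePrincipalName) { $obj.ServicePrincipalName -join '; ' } else { 'NONE' }
            } catch { $spns = "lookup failed: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            Account   = $name
            Kind      = $kind
            SPNs      = $spns
            Action    = if ($kind -eq 'UserAccount') { 'Convert to gMSA where possible' } else { 'Verify SPNs registered' }
        }
    }
}

# Usage: user accounts first, since those are the ones slide 19 wants moved to gMSAs
Get-ServiceAccountReview -QuerySpn | Sort-Object Kind -Descending | Format-Table -AutoSize
```

A service shown as `UserAccount` with `SPNs = NONE` is the weakest case on the slide's list: a password-managed account that cannot use Kerberos for that service, so it is both the first gMSA conversion candidate and the one to check for NTLM fallback once SMB signing and AppLocker are being rolled out.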
