4. An adversary's goal is much easier to achieve with elevated privileges
Securing privileged access can:
5. [Diagram: administrative tier model and the four pillars of the securing privileged access roadmap]
Tier 0: Domain & Enterprise Admins
Tier 1: Server Admins
Tier 2: Workstation & Device Admins
1. Restrict Privilege Escalation
   a. Privileged Access Workstations
   b. Assess AD Security
2. Restrict Lateral Movement
   a. Random Local Password
3. Attack Detection
   a. Attack Detection (Advanced Threat Analytics (ATA), the on-premises predecessor of Microsoft Defender for Identity)
   b. Hunt for Adversaries
4. Organizational Preparation (education; strategy & integration)
   a. Strategic Roadmap
   b. Technical Education
6. Site & Service / Trust / Naming Convention
• It is recommended to create AD Sites following the network nomenclature, or to align the network nomenclature with the AD Sites.
• There is no business requirement.
• Enforce uniformity in GPO nomenclature.
7. Legacy Protocol Recommendations
Legacy protocol: recommendation
TLS 1.0 & 1.1: Microsoft recommends that customers remove TLS 1.0/1.1 dependencies in their environments and disable TLS 1.0 and 1.1 at the operating system level where possible.
Server Message Block v1 (SMBv1): Microsoft recommends that customers remove SMBv1 dependencies in their environments and disable SMBv1 at the operating system level where possible. (Microsoft Premier Assessment report)
LanMan (LM) / NTLMv1: Replace NTLM with modern authentication (Kerberos) where possible; at minimum enforce NTLMv2 and refuse LM/NTLMv1 responses via GPO (Network security: LAN Manager authentication level).
Digest Authentication: Replace legacy web authentication schemes such as Basic and Digest with modern protocols (Kerberos via Negotiate, or token-based authentication).
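As an added example (not from the original deck), the following PowerShell script audits a single host against the recommendations above and, only when run with -Enforce, applies them. It assumes Windows 10/11 or Windows Server 2016 or later and an elevated session; the registry paths, cmdlets and event IDs are the standard Windows ones. Audit mode is read-only apart from switching on SMB1 and NTLM auditing, which is what tells you which clients and applications still depend on a protocol before you turn it off.

```powershell
# Added example, not from the original deck: audit legacy protocol settings on one Windows host
# and, with -Enforce, apply the recommendations. Run elevated.
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Enforce)

$findings = New-Object System.Collections.Generic.List[string]

# 1. TLS 1.0 / 1.1. Schannel treats a protocol as off only when Enabled=0 AND DisabledByDefault=1
#    on both the Client and Server subkeys. Check old .NET (< 4.7), Java and SQL clients first.
$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
foreach ($proto in "TLS 1.0", "TLS 1.1") {
    foreach ($side in "Client", "Server") {
        $key = "$schannel\$proto\$side"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not ($v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1)) {
            $findings.Add("$proto ($side) is not disabled")
            if ($Enforce) {
                New-Item -Path $key -Force | Out-Null
                Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
                Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
            }
        }
    }
}

# 2. SMBv1. Turn on auditing first: every SMB1 client then produces event 3000 in
#    Microsoft-Windows-SMBServer/Audit, which lists who still needs the protocol.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add("SMBv1 server protocol is enabled")
    if (-not $smb.AuditSmb1Access) { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }
    $filter = @{ LogName = "Microsoft-Windows-SMBServer/Audit"; Id = 3000 }
    $smb1Clients = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique
    if ($smb1Clients) { $findings.Add("SMB1 clients seen recently: $($smb1Clients -join ', ')") }
    if ($Enforce) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Also remove the component so nothing can quietly re-enable it.
        if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null                      # Server SKUs
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null  # client SKUs
        }
    }
}

# 3. LM / NTLMv1. LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
#    (the GPO 'Network security: LAN Manager authentication level'). NoLMHash=1 stops LM hashes
#    being stored. NTLM auditing writes events 8001-8004 to Microsoft-Windows-NTLM/Operational,
#    which shows what still authenticates with NTLM before you move it to Kerberos.
$lsa  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$lsaV = Get-ItemProperty -Path $lsa
if ($lsaV.LmCompatibilityLevel -lt 5) {
    $findings.Add("LmCompatibilityLevel is '$($lsaV.LmCompatibilityLevel)'; LM/NTLMv1 responses still accepted")
    if ($Enforce) { Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
}
if ($lsaV.NoLMHash -ne 1) {
    $findings.Add("NoLMHash is not 1; LM hashes may be stored at next password change")
    if ($Enforce) { Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord }
}
$msv = "$lsa\MSV1_0"
if ((Get-ItemProperty -Path $msv -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic -ne 2) {
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord   # audit all accounts
}
$ntlmFilter = @{ LogName = "Microsoft-Windows-NTLM/Operational"; Id = 8001, 8002, 8003, 8004 }
$ntlmEvents = @(Get-WinEvent -FilterHashtable $ntlmFilter -MaxEvents 500 -ErrorAction SilentlyContinue)
if ($ntlmEvents.Count -gt 0) { $findings.Add("$($ntlmEvents.Count) recent NTLM audit events; review before enforcing") }

# 4. Digest. Besides replacing Basic/Digest on web applications, pin the WDigest SSP so LSASS does
#    not keep cleartext passwords for Digest (UseLogonCredential=0, the default since 8.1/2012 R2).
$wd = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
if ((Get-ItemProperty -Path $wd -ErrorAction SilentlyContinue).UseLogonCredential -ne 0) {
    $findings.Add("WDigest UseLogonCredential is not explicitly 0")
    if ($Enforce) { Set-ItemProperty -Path $wd -Name UseLogonCredential -Value 0 -Type DWord }
}

if ($findings.Count -eq 0) { "No legacy-protocol findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
if ($Enforce) { Write-Warning "Schannel and LSA changes take effect after a reboot." }
```

Run it without -Enforce on a representative sample of hosts first and let the SMB1 and NTLM audit logs accumulate for a week or two; the clients and applications that show up there are the dependencies the slide says to remove before disabling anything.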
8. Microsoft Defender for Identity
Defender for Identity enables SecOps analysts and security professionals who need to detect advanced attacks in hybrid environments to:
• Monitor users, entity behavior, and activities with learning-based analytics.
• Protect user identities and credentials stored in Active Directory.
• Identify and investigate suspicious user activities and advanced attacks throughout the kill chain.
• Provide clear incident information on a simple timeline for fast triage.
9. Deploy BitLocker
It is vital to encrypt the workstations that carry admin credentials and critical data. Microsoft therefore recommends BitLocker encryption, a data protection feature that integrates with the operating system. BitLocker provides the strongest protection when used with a Trusted Platform Module (TPM version 1.2 or later).
Benefits:
• It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
• It encrypts a data drive or the entire system drive.
• Provides a high level of security by binding the volume key to the TPM.
• BitLocker can be configured to automatically back up recovery keys to Active Directory.
• There are no additional licensing costs, as it is a native Windows feature.
• Negligible impact on read performance and no impact on write performance.
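As an added example (not from the original deck), this PowerShell script enables BitLocker on the operating system drive of a privileged access workstation with TPM + PIN, creates a recovery password and escrows it in Active Directory. It assumes Windows 10/11 with the BitLocker module, an elevated session on a domain-joined machine, and that C: is the system drive; the cmdlets and the FVE policy registry values are the standard Windows ones. One caveat the slide does not state: a TPM-only protector unlocks the disk for anyone who powers the machine on, so for workstations holding Tier 0 credentials require pre-boot authentication (TPM + PIN).

```powershell
# Added example, not from the original deck: BitLocker on a PAW with TPM + PIN and AD key escrow.
#Requires -RunAsAdministrator
$OsDrive = "C:"   # assumption: the system drive

# 1. TPM must be present and ready. The deck allows TPM 1.2; prefer 2.0 on new hardware.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; fix it in firmware / Initialize-Tpm before continuing."
}
$spec = (Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm).SpecVersion
Write-Host "TPM spec version: $spec"

# 2. Policy preconditions (registry side of the BitLocker GPOs). Without AD backup enforced a lost
#    PIN means a lost workstation; without TPM + PIN allowed, Enable-BitLocker below is rejected.
$fve = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
if ($fve.OSActiveDirectoryBackup -ne 1 -or $fve.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning "'Choose how BitLocker-protected OS drives can be recovered' does not require AD DS backup; fix the GPO first."
}
if ($fve.UseAdvancedStartup -ne 1 -or $fve.UseTPMPIN -eq 0) {
    Write-Warning "'Require additional authentication at startup' does not allow TPM + PIN."
}

# 3. Add a recovery password protector and escrow it to AD before encryption starts.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# 4. Encrypt with TPM + PIN (pre-boot authentication) using XTS-AES 256.
if ($vol.ProtectionStatus -ne "On") {
    $pin = Read-Host -AsSecureString -Prompt "Startup PIN for this workstation"
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest
}

# 5. Verify: VolumeStatus should reach FullyEncrypted with ProtectionStatus On, and the recovery
#    password should appear as an msFVE-RecoveryInformation object under the computer account in AD.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = "Protectors"; e = { $_.KeyProtector.KeyProtectorType -join "," } }
```

Escrow the recovery password before calling Enable-BitLocker, not after: if the PIN is mistyped or the hardware test fails on the first reboot, the escrowed key is the only way back in.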
Slide objective: Supporting arguments for why securing privileged access is important
Notes:
Microsoft's incident response team has seen that in the majority of compromises the adversary has managed to acquire significant privileged access, such as Domain Administrator access, which allowed them to steal, modify and damage data more efficiently; move laterally within the network to gain access to additional resources; and remain undiscovered on the network for longer.
Besides being a critical security control in its own right, the implementation, or absence, of a secure administration environment makes a significant difference to the effectiveness of the investigation and remediation activities that incident responders carry out in response to a cyber incident. This is particularly the case when the incident responders know that the adversary already has privileged access, or suspect that it is highly likely given the perceived poor security posture of the network.
When confronted with a significant network compromise, one of the key remediation activities the incident response team will commonly recommend to the agency is to establish a secure administration environment. Resources which would otherwise be focused on remediation may therefore be spent on building that environment. This can delay full remediation of the network and increase the consequences of the compromise, because the adversary has more time to propagate within the network and steal sensitive information.
Key Slide Outcome – New types of defenses are required to protect against these attacks as they are designed to evade traditional defenses.
This is the attack chain of events that led to the compromise we just saw. It is a well-established pattern used by many targeted attackers and has recently also been adopted by the emergent enterprise ransomware threat.
Microsoft recommends adopting a damage containment strategy that focuses first on mitigating the most common and impactful attack techniques. It is critical to have a complete strategy that incorporates effective protections, detection mechanisms, and response to active threats.
Restricting privilege escalation is critical to containing these attacks and limiting their scope and damage. You must protect both the identity systems in control of privileged access (including Active Directory) and the systems where the identity administrators log on.
[Red workstation] Establish privileged access workstations to protect the accounts, credentials, and personnel from direct and indirect attacks
[Teal Circle] Assess your active directory for configurations and practices that can create risk of compromise
Next, restricting lateral movement limits the ability of adversaries to steal and re-use a common local administrator password to access every resource configured with the same password.
Detection – You need to detect attackers using these techniques as well as attackers that may have already gotten in
Attack detection capabilities to identify known identity attack techniques as well as user entity behavioral analytics (UEBA) to learn your environment’s normal patterns and alert on anomalous account usage.
A hunt for adversaries to identify persistent adversaries that have already compromised your assets. This requires similar tools and skillsets as a trained blue team or professional incident response team.
Organizational preparation should include deep technical education on these issues for your technical personnel as well as a strategic roadmap integrating these defenses with your existing capabilities and requirements, putting you on a clear path to becoming a secure modern enterprise.
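The lateral movement and detection steps above (re-use of a shared local administrator password, and behavioral detection of anomalous account usage), as an added example that is not part of the original deck: a PowerShell hunt over Windows Security 4624 (successful logon) records. The first rule flags a local SAM account used over the network (logon type 3) against several hosts from one source in a short window, which is the pattern the "Random Local Password" control exists to stop; the second is a minimal UEBA-style baseline that reports a domain account appearing on a host it never logged on to during the baseline period. The domain name CORP, the thresholds and the event records are assumptions constructed for the example; on a real collector build $events from Get-WinEvent over forwarded Security logs and map the event properties to the same field names.

```powershell
# Added example, not from the original deck: two hunts over constructed 4624 logon records.
$AdDomain = "CORP"   # assumption: the AD NetBIOS domain name

# Constructed sample data (not real telemetry). For a local SAM account the Domain field carries the
# host's own name; for domain accounts it carries the AD domain. Machine accounts end in '$'.
$events = @(
    [pscustomobject]@{ Time="2024-05-01T08:00:00"; Account="jsmith";        Domain="CORP";  LogonType=2; Computer="WS01";  SourceIp="127.0.0.1" }
    [pscustomobject]@{ Time="2024-05-02T08:05:00"; Account="jsmith";        Domain="CORP";  LogonType=2; Computer="WS01";  SourceIp="127.0.0.1" }
    [pscustomobject]@{ Time="2024-05-03T08:02:00"; Account="jsmith";        Domain="CORP";  LogonType=3; Computer="FS01";  SourceIp="10.0.0.50" }
    [pscustomobject]@{ Time="2024-05-06T08:01:00"; Account="jsmith";        Domain="CORP";  LogonType=2; Computer="WS01";  SourceIp="127.0.0.1" }
    [pscustomobject]@{ Time="2024-05-06T13:10:00"; Account="jsmith";        Domain="CORP";  LogonType=3; Computer="DC01";  SourceIp="10.0.0.77" }  # new host for jsmith
    [pscustomobject]@{ Time="2024-05-06T13:12:00"; Account="Administrator"; Domain="WS02";  LogonType=3; Computer="WS02";  SourceIp="10.0.0.77" }
    [pscustomobject]@{ Time="2024-05-06T13:15:00"; Account="Administrator"; Domain="WS03";  LogonType=3; Computer="WS03";  SourceIp="10.0.0.77" }
    [pscustomobject]@{ Time="2024-05-06T13:21:00"; Account="Administrator"; Domain="SRV01"; LogonType=3; Computer="SRV01"; SourceIp="10.0.0.77" }
    [pscustomobject]@{ Time="2024-05-06T13:40:00"; Account="Administrator"; Domain="SRV02"; LogonType=3; Computer="SRV02"; SourceIp="10.0.0.77" }
    [pscustomobject]@{ Time="2024-05-06T09:00:00"; Account="Administrator"; Domain="SRV09"; LogonType=3; Computer="SRV09"; SourceIp="10.0.0.12" }  # one host only: benign
    [pscustomobject]@{ Time="2024-05-06T13:30:00"; Account='WS02$';         Domain="CORP";  LogonType=3; Computer="DC01";  SourceIp="10.0.0.2"  }  # machine account: ignored
)

function Test-LocalAccount {
    param($Event, $AdDomain)
    # Skip the AD domain, well-known pseudo-domains and machine accounts; what is left is a local SAM account.
    $pseudo = @($AdDomain, "NT AUTHORITY", "NT SERVICE", "Window Manager", "Font Driver Host")
    return ($Event.Domain -notin $pseudo) -and ($Event.Account -notlike '*$')
}

function Find-SharedLocalAdminUse {
    param($Events, $AdDomain, [int]$HostThreshold = 3, [int]$WindowMinutes = 60)
    # Same local account name, same source address, network logons to >= $HostThreshold distinct
    # hosts inside $WindowMinutes: one password being replayed across the estate.
    $Events |
        Where-Object { $_.LogonType -eq 3 -and (Test-LocalAccount -Event $_ -AdDomain $AdDomain) } |
        Group-Object Account, SourceIp |
        ForEach-Object {
            $hosts = @($_.Group.Computer | Sort-Object -Unique)
            $times = @($_.Group.Time | ForEach-Object { [datetime]$_ } | Sort-Object)
            $span  = ($times[-1] - $times[0]).TotalMinutes
            if ($hosts.Count -ge $HostThreshold -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Rule = "SharedLocalAdmin-LateralMovement"; Account = $_.Group[0].Account
                    SourceIp = $_.Group[0].SourceIp; Hosts = ($hosts -join ","); First = $times[0]; Last = $times[-1]
                }
            }
        }
}

function Find-NewHostForDomainAccount {
    param($Events, $AdDomain, [datetime]$BaselineEnd)
    # Baseline = the set of hosts each domain account touched before $BaselineEnd; alert on any new host after it.
    $domainEvents = $Events | Where-Object { $_.Domain -eq $AdDomain -and $_.Account -notlike '*$' }
    $baseline = @{}
    foreach ($e in ($domainEvents | Where-Object { [datetime]$_.Time -lt $BaselineEnd })) {
        if (-not $baseline.ContainsKey($e.Account)) { $baseline[$e.Account] = @{} }
        $baseline[$e.Account][$e.Computer] = $true
    }
    $domainEvents |
        Where-Object { [datetime]$_.Time -ge $BaselineEnd } |
        Where-Object { -not ($baseline.ContainsKey($_.Account) -and $baseline[$_.Account].ContainsKey($_.Computer)) } |
        ForEach-Object {
            [pscustomobject]@{ Rule = "NewHostForAccount"; Account = $_.Account; Computer = $_.Computer; SourceIp = $_.SourceIp; Time = $_.Time }
        }
}

$alerts = @(Find-SharedLocalAdminUse -Events $events -AdDomain $AdDomain) +
          @(Find-NewHostForDomainAccount -Events $events -AdDomain $AdDomain -BaselineEnd ([datetime]"2024-05-06T00:00:00"))
$alerts | Format-List
```

On the constructed data the first rule fires once (Administrator from 10.0.0.77 against WS02, WS03, SRV01 and SRV02 within 28 minutes) and the second fires once (jsmith on DC01, a host outside the baseline); the single Administrator logon on SRV09 and the machine-account logon are ignored. The thresholds are deliberately loose; in production the baseline comes from weeks of data and the per-account host set is what a UEBA product learns automatically.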