2020 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WHAT WE LEARNED ABOUT ZERO TRUST FROM SUNBURST
ANDREW HARRIS, SR. DIRECTOR, PUBLIC SECTOR TECH STRATEGY
@CIBERESPONCE
WHAT WE LEARNED
Or rather, what’s now impossible to ignore…
1 Indicators of Attack (IoAs)
2 Service Accounts, Helpdesk/IT Admins
3 On-Premises to the Cloud (bypassing MFA)
4 Evicting the adversary?... Not so easy
5 Mission Resiliency
QUICK REVIEW OF SUNBURST
What the tactics, techniques and procedures taught us, or… reminded us
[Diagram: Supply-chain Server, AD FS (IdP) and Adversary C2 on-premises; an established trust between AD FS and AAD (SAML 2.0) in the cloud]
Steps
1 Supply-chain Server compromised
2 Lateral Movement to AD FS
3 Harvest AD FS Private Key (“Golden SAML”)
4 “Golden SAML” Exfiltration
5 Access Azure AD/Office 365 using “Golden SAML”-signed tokens
SUNSPOT’S IOA
ON-PREMISES IDENTITY
And the blind-spots with Service Accounts and even our Helpdesk and IT Admins
§ Service Accounts are typically targeted in campaigns as they predictably have privileges across many systems
§ 27% of all credentials are service or programmatic accounts
§ Over 80% of all logon-types are non-interactive
§ Most US Governments leverage PKI, use SmartCards, and leverage a setting called Smart Card Required for Interactive Logon (SCRIL) with Active Directory (AD) to force SmartCard use for certain user populations
  § This is only useful for Interactive Logons, meaning PowerShell, Windows Management Instrumentation (WMI) and other protocols are not covered by these policies
§ Identity Providers only MFA for Cloud authentication requests!
We are therefore mostly blind to, or have less confidence in, non-interactive logons, where the majority of us can’t apply MFA to the vast majority of use cases. It’s technically impossible unless we can enforce policy in AD beyond Microsoft’s stack.
GAINING CONTROL ON OUR IDENTITY
Increasing confidence including on-premises

Account Type       Non-interactive (Batch, Scheduled Task, etc.)   Interactive (RDP, Domain Logon, etc.)
Human              X                                               X
Service Account    X

§ Service accounts should:
  § Never be used interactively; if they are, they are grossly misconfigured or are being used inappropriately in post-exploit activity
§ Human/people accounts should:
  § Be challenged via MFA for interactive logons
  § Be challenged via MFA for non-interactive logons (i.e. PowerShell, WMI, etc.)
    § There are legitimate use-cases here, such as administrating servers and other infrastructure
    § Via SmartCards and “SCRIL”, this is technically unviable to implement
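Added example (not CrowdStrike’s code nor any Falcon product logic): the account-type policy from the table above, applied as detection logic to constructed Windows Event ID 4624 logon records. The compact key=value line format, the service-account inventory set and the account names are assumptions made for this example; the Logon Type numbers are the standard Windows values.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Windows Security Event ID 4624 "Logon Type" values, split along the slide's Interactive / Non-interactive axis.
INTERACTIVE_TYPES = {
    2: "Interactive (console / domain logon)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}
NON_INTERACTIVE_TYPES = {
    3: "Network (SMB, WMI, PowerShell remoting)",
    4: "Batch (scheduled task)",
    5: "Service",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
}

# Hypothetical account inventory (constructed). In production this comes from
# the directory or PAM system, not a literal set.
SERVICE_ACCOUNTS: Set[str] = {"svc_orion", "svc_backup"}

# Constructed sample events in a compact key=value form (not real Windows output).
SAMPLE_EVENTS: List[str] = [
    "2020-12-13T02:14:07Z EventID=4624 TargetUserName=svc_orion LogonType=5 Workstation=ORION01 IpAddress=-",
    "2020-12-13T02:31:52Z EventID=4624 TargetUserName=svc_orion LogonType=10 Workstation=ADFS01 IpAddress=10.0.5.23",
    "2020-12-13T03:02:11Z EventID=4624 TargetUserName=jsmith LogonType=2 Workstation=WS-0412 IpAddress=-",
    "2020-12-13T03:05:40Z EventID=4624 TargetUserName=jsmith LogonType=3 Workstation=ADFS01 IpAddress=10.0.9.8",
    "2020-12-13T03:06:02Z EventID=4625 TargetUserName=jsmith LogonType=3 Workstation=ADFS01 IpAddress=10.0.9.8",
    "2020-12-13T03:10:19Z EventID=4624 TargetUserName=svc_backup LogonType=4 Workstation=BKP01 IpAddress=-",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    user: str
    logon_type: int
    workstation: str
    ip: str


def parse_event(line: str) -> Optional[LogonEvent]:
    """Parse one constructed line; only successful logons (Event ID 4624) are kept."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    if fields.get("EventID") != "4624":
        return None
    try:
        logon_type = int(fields["LogonType"])
    except (KeyError, ValueError):
        return None
    return LogonEvent(timestamp, fields.get("TargetUserName", "?"), logon_type,
                      fields.get("Workstation", "?"), fields.get("IpAddress", "-"))


def is_interactive(logon_type: int) -> bool:
    return logon_type in INTERACTIVE_TYPES


def classify(event: LogonEvent, service_accounts: Set[str] = SERVICE_ACCOUNTS) -> str:
    """Apply the slide's account-type policy to one successful logon.

    VIOLATION:     service account logged on interactively (misconfiguration or post-exploit activity; investigate).
    OK:            service account used non-interactively, as designed.
    MFA_EXPECTED:  human interactive logon; SmartCard/SCRIL can enforce MFA here.
    MFA_BLINDSPOT: human non-interactive logon (PowerShell, WMI, ...); SCRIL does not apply,
                   so a control beyond the default AD stack is needed.
    """
    interactive = is_interactive(event.logon_type)
    if event.user in service_accounts:
        return "VIOLATION" if interactive else "OK"
    return "MFA_EXPECTED" if interactive else "MFA_BLINDSPOT"


def audit(lines: List[str], service_accounts: Set[str] = SERVICE_ACCOUNTS) -> List[Tuple[LogonEvent, str]]:
    """Parse and classify every successful logon in the input lines."""
    results = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            results.append((event, classify(event, service_accounts)))
    return results


def summarize(results: List[Tuple[LogonEvent, str]]) -> dict:
    """Verdict counts plus the share of non-interactive logons (the slide's >80% figure)."""
    total = len(results)
    non_interactive = sum(1 for event, _ in results if not is_interactive(event.logon_type))
    return {
        "total": total,
        "verdicts": dict(Counter(verdict for _, verdict in results)),
        "non_interactive_share": non_interactive / total if total else 0.0,
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_EVENTS)
    for event, verdict in findings:
        print(f"{event.timestamp} {verdict:13} {event.user:10} type {event.logon_type:2} -> {event.workstation}")
    print(summarize(findings))
```

The one VIOLATION in the sample set is the service account logging on over RDP to the AD FS host, which is exactly the lateral-movement pattern the Sunburst review above describes.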
CROWDBOARD
Sketch of AD + Application
Video recording
EVICTING AN ADVERSARY WITH A CIRCULAR LOOP OF CONTROL
[Diagram: three stacked layers, Cloud Virtual Fabric, Operating System and Active Directory (application), spanning On-Premises and Cloud, with “no security boundary” between the layers and a back door at each]
1 impacted supply chain service account
2 Active Directory Federation Service (Golden SAML)
3 Global Admin backdoor account
CROWDSTRIKE HORIZON
Measuring Cloud Security Posture Management, now including Azure AD
For CrowdStrike Horizon customers, let us help you find these egregious permissions in AAD within the Falcon Console!
Achieving Mission Resiliency
Mission Resiliency through Zero Trust Architecture Principles
01 Secure On-Premises Identity
On-Premises Identity Visibility and Control (Falcon IDP)
Future-proof: Zero Trust applied on-premises; Visibility into most targeted accounts (ref Sunburst)
02 Secure Exposed Credentials on Endpoints
Secure, Hardened Endpoints (Falcon EPP)
Future-proof: Zero Trust signal (vulns., incidents, hygiene)
03 Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), CI/CD Integrations
Measure, Secure & Hardened Cloud and DevSecOps
Future-proof: Zero Trust driven conditional accesses, especially for critical control and identity-plane functions—including your CI/CD pipelines
GET MORE INFORMATION
For more information please refer to:
§ www.crowdstrike.com/blog/tech-center/assess-sunburst
§ www.crowdstrike.com/sunburst
Need Incident Response or Compromise Assessment support?
§ www.crowdstrike.com/services
§ services@crowdstrike.com
@CIBERESPONCE
More Related Content

What's hot

Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
 
Hyperledger: Market, Technology & Community Update
Hyperledger: Market, Technology & Community UpdateHyperledger: Market, Technology & Community Update
Hyperledger: Market, Technology & Community Update
Cloud Standards Customer Council
 
Biznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud ComputingBiznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud Computing
Yusuf Hadiwinata Sutandar
 
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...
apidays
 
Oracle Blockchain Cloud Service
Oracle Blockchain Cloud ServiceOracle Blockchain Cloud Service
Oracle Blockchain Cloud Service
Denis Kolupaev
 
Transformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareTransformace IT s technologiemi VMware
Transformace IT s technologiemi VMware
MarketingArrowECS_CZ
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
RightScale
 
Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance
NETSCOUT
 
Bhadale group of companies technology ecosystem-role based-AWS
Bhadale group of companies technology ecosystem-role based-AWSBhadale group of companies technology ecosystem-role based-AWS
Bhadale group of companies technology ecosystem-role based-AWS
Vijayananda Mohire
 
Towards the Blockchain-native Economy
Towards the Blockchain-native EconomyTowards the Blockchain-native Economy
Towards the Blockchain-native Economy
Sei Kato (加藤 整)
 
Bhadale group of companies technology ecosystem-role based-GCP
Bhadale group of companies technology ecosystem-role based-GCPBhadale group of companies technology ecosystem-role based-GCP
Bhadale group of companies technology ecosystem-role based-GCP
Vijayananda Mohire
 
Bhadale group of companies 5G services catalogue
Bhadale group of companies 5G services catalogueBhadale group of companies 5G services catalogue
Bhadale group of companies 5G services catalogue
Vijayananda Mohire
 
Workshop on CASB Part 2
Workshop on CASB Part 2Workshop on CASB Part 2
Workshop on CASB Part 2
Priyanka Aash
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Happiest Minds Technologies
 
Managing Compliance in Container Environments
Managing Compliance in Container EnvironmentsManaging Compliance in Container Environments
Managing Compliance in Container Environments
Twistlock
 
Open Source adoption in a Mexicon Second tier Bank
Open Source adoption in a Mexicon Second tier BankOpen Source adoption in a Mexicon Second tier Bank
Open Source adoption in a Mexicon Second tier Bank
WSO2
 
Geo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESB
Geo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESBGeo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESB
Geo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESB
WSO2
 
63 Requirements for CASB
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASB
Kyle Watson
 
Bhadale group of companies technology ecosystem for GCP
Bhadale group of companies technology ecosystem for GCPBhadale group of companies technology ecosystem for GCP
Bhadale group of companies technology ecosystem for GCP
Vijayananda Mohire
 
Bhadale group of companies quantum ml industrial solutions catalogue
Bhadale group of companies quantum ml industrial solutions catalogueBhadale group of companies quantum ml industrial solutions catalogue
Bhadale group of companies quantum ml industrial solutions catalogue
Vijayananda Mohire
 

What's hot (20)

Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
 
Hyperledger: Market, Technology & Community Update
Hyperledger: Market, Technology & Community UpdateHyperledger: Market, Technology & Community Update
Hyperledger: Market, Technology & Community Update
 
Biznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud ComputingBiznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud Computing
 
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Lauren...
 
Oracle Blockchain Cloud Service
Oracle Blockchain Cloud ServiceOracle Blockchain Cloud Service
Oracle Blockchain Cloud Service
 
Transformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareTransformace IT s technologiemi VMware
Transformace IT s technologiemi VMware
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance
 
Bhadale group of companies technology ecosystem-role based-AWS
Bhadale group of companies technology ecosystem-role based-AWSBhadale group of companies technology ecosystem-role based-AWS
Bhadale group of companies technology ecosystem-role based-AWS
 
Towards the Blockchain-native Economy
Towards the Blockchain-native EconomyTowards the Blockchain-native Economy
Towards the Blockchain-native Economy
 
Bhadale group of companies technology ecosystem-role based-GCP
Bhadale group of companies technology ecosystem-role based-GCPBhadale group of companies technology ecosystem-role based-GCP
Bhadale group of companies technology ecosystem-role based-GCP
 
Bhadale group of companies 5G services catalogue
Bhadale group of companies 5G services catalogueBhadale group of companies 5G services catalogue
Bhadale group of companies 5G services catalogue
 
Workshop on CASB Part 2
Workshop on CASB Part 2Workshop on CASB Part 2
Workshop on CASB Part 2
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
Managing Compliance in Container Environments
Managing Compliance in Container EnvironmentsManaging Compliance in Container Environments
Managing Compliance in Container Environments
 
Open Source adoption in a Mexicon Second tier Bank
Open Source adoption in a Mexicon Second tier BankOpen Source adoption in a Mexicon Second tier Bank
Open Source adoption in a Mexicon Second tier Bank
 
Geo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESB
Geo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESBGeo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESB
Geo Enabling Enterprises - Powered by Rolta i Perspective and the WSO2 ESB
 
63 Requirements for CASB
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASB
 
Bhadale group of companies technology ecosystem for GCP
Bhadale group of companies technology ecosystem for GCPBhadale group of companies technology ecosystem for GCP
Bhadale group of companies technology ecosystem for GCP
 
Bhadale group of companies quantum ml industrial solutions catalogue
Bhadale group of companies quantum ml industrial solutions catalogueBhadale group of companies quantum ml industrial solutions catalogue
Bhadale group of companies quantum ml industrial solutions catalogue
 

Similar to What we Learned from Sunburst with Zero Trust

Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Bruno Caseiro
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
MITRE - ATT&CKcon
 
4 Cyber Security KPIs
4 Cyber Security KPIs4 Cyber Security KPIs
4 Cyber Security KPIs
Steven Aiello
 
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Identity Days
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWS
Trend Micro
 
Observability in real time at scale
Observability in real time at scaleObservability in real time at scale
Observability in real time at scale
Balvinder Hira
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at Scale
António Alegria
 
Horizontal Scaling for Millions of Customers!
Horizontal Scaling for Millions of Customers! Horizontal Scaling for Millions of Customers!
Horizontal Scaling for Millions of Customers!
elangovans
 
a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2
Mike Revell
 
(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...
(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...
(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...
Priyanka Aash
 
R u hacked
R u hackedR u hacked
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Amazon Web Services
 
Red Hat Insights
Red Hat InsightsRed Hat Insights
Red Hat Insights
Alessandro Silva
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
Robert Herjavec
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Amazon Web Services
 
Partner Briefing_January 25 (FINAL).pptx
Partner Briefing_January 25 (FINAL).pptxPartner Briefing_January 25 (FINAL).pptx
Partner Briefing_January 25 (FINAL).pptx
Cloudera, Inc.
 
CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2
ShivamSharma909
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
lior mazor
 

Similar to What we Learned from Sunburst with Zero Trust (20)

Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
 
4 Cyber Security KPIs
4 Cyber Security KPIs4 Cyber Security KPIs
4 Cyber Security KPIs
 
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
Sécurité Active Directory : 10 ans d’échec, mais beaucoup d’espoir ! - Par Ro...
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWS
 
Observability in real time at scale
Observability in real time at scaleObservability in real time at scale
Observability in real time at scale
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at Scale
 
Horizontal Scaling for Millions of Customers!
Horizontal Scaling for Millions of Customers! Horizontal Scaling for Millions of Customers!
Horizontal Scaling for Millions of Customers!
 
a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2a-guide-to-ddos-2015-2
a-guide-to-ddos-2015-2
 
(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...
(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...
(SACON) Dr. James Stanger - Surfing today’s emerging tech: A policy-based app...
 
R u hacked
R u hackedR u hacked
R u hacked
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017
 
Red Hat Insights
Red Hat InsightsRed Hat Insights
Red Hat Insights
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network Attack
 
Partner Briefing_January 25 (FINAL).pptx
Partner Briefing_January 25 (FINAL).pptxPartner Briefing_January 25 (FINAL).pptx
Partner Briefing_January 25 (FINAL).pptx
 
CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 

Recently uploaded

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 

Recently uploaded (20)

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
What we Learned from Sunburst with Zero Trust

  • 1. 2020 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WHAT WE LEARNED ABOUT ZERO TRUST FROM SUNBURST. Andrew Harris, Sr. Director, Public Sector Tech Strategy, @CIBERESPONCE
  • 2. WHAT WE LEARNED. Or rather, what’s now impossible to ignore… 1 Indicators of Attack (IoA’s); 2 Service Accounts, Helpdesk/IT Admins; 3 On-Premises to the Cloud (bypassing MFA); 4 Evicting the adversary?... Not so easy; 5 Mission Resiliency
  • 3. QUICK REVIEW OF SUNBURST. What the tactics, techniques and procedures taught us, or… reminded us. Steps: 1 Supply-chain Server compromised; 2 Lateral Movement to AD FS; 3 Harvest AD FS Private Key (“Golden SAML”); 4 “Golden SAML” Exfiltration; 5 Access Azure AD/Office 365 using “Golden SAML”-signed tokens. Diagram components: Supply-chain Server, AD FS, IdP, Adversary C2; Established Trust AD FS — AAD (SAML 2.0)
  • 5. SUNSPOT’S IOA
  • 7. ON-PREMISES IDENTITY. And the blind spots with Service Accounts and even our Helpdesk and IT Admins. § Service Accounts are typically targeted in campaigns as they predictably have privileges across many systems § 27% of all credentials are service or programmatic accounts § Over 80% of all logon types are non-interactive § Most US Governments leverage PKI, use SmartCards, and leverage a setting called Smart Card Required for Interactive Logon (SCRIL) with Active Directory (AD) to force SmartCard use for certain user populations § This is only useful for Interactive Logons, meaning PowerShell, Windows Management Instrumentation (WMI) and other protocols aren’t covered by these policies § Identity Providers only apply MFA to Cloud authentication requests! We are therefore mostly blind to, or have less confidence in, non-interactive logons, where the majority of us can’t apply MFA to this vast majority of use cases. It’s technically impossible unless we can enforce policy in AD beyond Microsoft’s stack.
  • 8. GAINING CONTROL OF OUR IDENTITY. Increasing confidence, including on-premises. Policy matrix (Account Type vs. logon type): Human: Non-interactive (Batch, Scheduled Task, etc.) X, Interactive (RDP, Domain Logon, etc.) X. Service Account: Non-interactive X, Interactive (none). § Service accounts should: § Never be used interactively; if they are, they are grossly misconfigured or are being used inappropriately in post-exploit activity § Human/people accounts should: § Be challenged via MFA for interactive logons § Be challenged via MFA for non-interactive logons (i.e. PowerShell, WMI, etc.) § There are legitimate use cases here, such as administering servers and other infrastructure § Via SmartCards and SCRIL, this is technically unviable to implement
  • 10. CROWDBOARD
  • 11. Sketch of AD + Application. Video recording
  • 12. CROWDBOARD
  • 14. EVICTING AN ADVERSARY WITH A CIRCULAR LOOP OF CONTROL. Diagram layers: Active Directory (application), Operating System, Cloud Virtual Fabric, spanning On-Premises and Cloud, with “no security boundary” marked between them. Back doors: 1 impacted supply chain service account; 2 Active Directory Federation Service (Golden SAML); 3 Global Admin backdoor account
  • 15. CROWDSTRIKE HORIZON. Measuring Cloud Security Posture Management, now including Azure AD. For CrowdStrike Horizon customers, let us help you find these egregious permissions in AAD within the Falcon Console!
  • 17. Achieving Mission Resiliency. Mission Resiliency through Zero Trust Architecture Principles. 01 Secure On-Premises Identity: On-Premises Identity Visibility and Control (Falcon IDP). Future-proof: Zero Trust applied on-premises; Visibility into most targeted accounts (ref Sunburst). 02 Secure Exposed Credentials on Endpoints: Secure, Hardened Endpoints (Falcon EPP). Future-proof: Zero Trust signal (vulns., incidents, hygiene). 03 Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), CI/CD Integrations: Measure, Secure & Harden Cloud and DevSecOps. Future-proof: Zero Trust driven conditional access, especially for critical control and identity-plane functions, including your CI/CD pipelines
  • 18. GET MORE INFORMATION. For more information please refer to: § www.crowdstrike.com/blog/tech-center/assess-sunburst § www.crowdstrike.com/sunburst Need Incident Response or Compromise Assessment support? § www.crowdstrike.com/services § services@crowdstrike.com @CIBERESPONCE
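The policy matrix on slide 8 (service accounts only non-interactive; humans MFA-challenged for both interactive and non-interactive logons) can be turned into a triage rule over Windows 4624 logon events. The following is an added example, not code from the deck or from CrowdStrike; the `Logon` record, the `svc_` naming convention, the `mfa` enrichment flag and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
# Windows Security event 4624 logon-type codes (documented Microsoft values).
INTERACTIVE = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
NON_INTERACTIVE = {3: "Network", 4: "Batch", 5: "Service"}
@dataclass(frozen=True)
class Logon:
    account: str
    logon_type: int
    host: str
    mfa: bool  # assumed enrichment flag: was this logon MFA-challenged?
def is_service_account(account: str) -> bool:
    # Constructed convention for this example: service accounts use a "svc_" prefix.
    return account.lower().startswith("svc_")
def evaluate(ev: Logon) -> list:
    """Apply the slide-8 policy matrix to one logon and return finding codes."""
    findings = []
    if ev.logon_type in INTERACTIVE:
        if is_service_account(ev.account):
            # Service accounts must never log on interactively: treat as
            # misconfiguration or post-exploit activity, MFA or not.
            findings.append("SVC_INTERACTIVE")
        elif not ev.mfa:
            findings.append("HUMAN_INTERACTIVE_NO_MFA")
    elif ev.logon_type in NON_INTERACTIVE:
        # Humans over PowerShell/WMI/etc. still need an MFA challenge; this is
        # the blind spot the deck calls out, since SCRIL only covers interactive.
        if not is_service_account(ev.account) and not ev.mfa:
            findings.append("HUMAN_NONINTERACTIVE_NO_MFA")
    else:
        findings.append("OUTSIDE_MATRIX")  # logon type the matrix does not cover
    return findings
def triage(events):
    """Return {(account, host): [findings]} for every event that raised one."""
    out = {}
    for ev in events:
        f = evaluate(ev)
        if f:
            out.setdefault((ev.account, ev.host), []).extend(f)
    return out

# Constructed sample events, not real telemetry.
SAMPLE = [
    Logon("svc_backup", 4, "FS01", False),     # batch job: expected for a service account
    Logon("svc_backup", 10, "ADFS01", False),  # RDP with a service account: flag
    Logon("jdoe", 2, "WS042", True),           # smart-card console logon: fine
    Logon("jdoe", 3, "ADFS01", False),         # PowerShell/WMI to AD FS, no MFA: flag
    Logon("helpdesk1", 9, "WS042", False),     # type 9 (NewCredentials): outside matrix
]
```

Feed `triage()` with events from your own SIEM export; the two flagged sample rows are exactly the cases the deck describes, a service account logging on interactively to the AD FS host and an admin reaching it non-interactively without any MFA challenge.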