
2016, A New Era of OS and Cloud Security - Tudor Damian


Page 1: 2016, A New Era of OS and Cloud Security - Tudor Damian

@ITCAMPRO #ITCAMP16 Community Conference for IT Professionals

2016 – A New Era of OS and Cloud Security

Tudor Damian

Microsoft Cloud and Datacenter Management MVP

Certified Ethical Hacker

[email protected] / @tudydamian / tudy.tel

Page 2: Many thanks to our sponsors & partners!

(Sponsor logos by tier: Platinum, Gold, Silver, Partners, Powered by)

Page 3: Agenda

• Overview of Security Trends
• Windows security on-prem & Cloud-enabled improvements
  – Guarded Fabric
    • Shielded VMs & Hypervisor Code Integrity (HVCI)
  – Device Guard
  – Provable PC Health (PPCH) Service
  – Advanced Threat Analytics
  – Windows Defender Advanced Threat Protection
  – Azure Security Center
  – Operations Management Suite

Page 4: Industry Security Trends

Pages 5-7: The Evolution of Attacks

(Three build slides of one chart: volume and impact of attacks over time)

• 2003-2004: Script Kiddies – BLASTER, SLAMMER – Motive: Mischief
• 2005-Present: Organized Crime – Ransomware, click-fraud, identity theft – Motive: Profit
• 2012-Beyond: Nation States, Activists, Terror Groups – Brazen, complex, persistent – Motives: IP theft, damage, disruption

Source: Ignite 2015 BRK2325

Pages 8-11: Changing nature of cybersecurity attacks

(Four build slides with the same content)

Today's cyber attackers are:

• Causing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs
• Compromising user credentials in the vast majority of attacks
• Staying in the network an average of eight months before detection
• Using legitimate IT tools rather than malware – harder to detect

Source: Ignite 2015 BRK3870

Page 12

• 200+ days: median number of days attackers are present on a victim's network before detection
• 80 days: from detection to full recovery
• $3 Trillion: impact of lost productivity and growth
• $3.5 Million: average cost of a data breach (15% YoY increase)

"There are two kinds of big companies, those who've been hacked, and those who don't know they've been hacked."
– James Comey, FBI Director

Source: Build 2016 B890

Page 13: Timeline of discovery for cyber attacks worldwide

• Hours: 9%
• Days: 8%
• Weeks: 16%
• Months: 62%
• Years: 5%

Source: Verizon

Page 14: Verizon Data Breach Investigations Report

• Some Verizon DBIR findings
  – The time to compromise is almost always days or less, if not minutes or less
  – 85% of breaches took weeks to discover
  – 96% of breaches were not highly difficult
  – 97% of breaches were avoidable through simple/intermediate controls
  – 63% of confirmed data breaches involved weak, default or stolen passwords
  – 95% of confirmed web app breaches were financially motivated
• The 2014 DBIR report shows that 92% of the 100,000 incidents they've analyzed over the past 10 years can be described by just 9 basic patterns

Source: http://www.verizonenterprise.com/DBIR/

Page 15: Pwn2Own 2014-2016

• Sandbox escapes or 3rd party code execution:
  – Internet Explorer
  – Edge
  – Mozilla Firefox
  – Google Chrome
  – Adobe Flash
  – Adobe Reader XI
  – Apple Safari on Mac OS X
  – Windows
  – OS X
• 2014 - $850,000 total prize money, paid to 8 entrants
• 2015 - $557,500 total prize money, paid to 6 entrants
• 2016 - $460,000 total prize money

Sources:
http://www.eweek.com/security/pwn2own-2014-claims-ie-chrome-safari-and-more-firefox-zero-days.html
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-One-results/ba-p/6722204
http://www.securityweek.com/pwn2own-2016-hackers-earn-460000-21-new-flaws

Page 16: Other recent "happenings" in the IT industry

• Heartbleed (2014)
• Shellshock (2014)
• BadUSB (2014)
• Equation Group (Kaspersky study, 2015)
• Lenovo's Superfish (2014-2015)
• OAuth & OpenID Covert Redirect (2014)
• POODLE, FREAK and DROWN SSL attacks (2014-2016)
• Stagefright vulnerability (Android, 2015)
• XcodeGhost malware (iOS, 2015)
• Gemalto SIM cards (2015)
• GSM SS7 vulnerabilities (2014-2016)

Page 17: Assume Breach - a change in mindset

• We have to stop focusing on preventing a data breach and start assuming the breach has already happened
• Currently: a one-sided, purely preventative strategy
• Future: emphasis on breach detection, incident response, and effective recovery
  – Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure
  – Be prepared for that!

Page 18: Guarded Fabric – Shielded VMs, Hypervisor Code Integrity (HVCI)

Page 19: Fabric, workloads, control plane

(Diagram: fabric manager and workload manager)

Source: Ignite 2015 BRK2482

Page 20: Trust plane - isolated from fabric & control plane

(Diagram: key service)

Source: Ignite 2015 BRK2482

Page 21: Virtual Secure Mode (VSM)

(Diagram: VSM, key service)

Source: Ignite 2015 BRK2482

Page 22: VM protected at rest, in transit

(Diagram: VSM, host TPM, key service, workload manager, HSM)
3. Deliver vTPM key encrypted to VSM

Source: Ignite 2015 BRK2482

Page 23: VM protected in execution

(Diagram: VSM, key service)

Source: Ignite 2015 BRK2482

Page 24: Trust in the environment

(Diagram: VSM, key service, attestation service)
1. Attestation request: TPM public key, VSM public key, UEFI secure boot log, HVCI policy
2. Deliver attestation certificate

Source: Ignite 2015 BRK2482

Page 25: Guarded hosts and Shielded VMs attestation

• Admin-trusted attestation
  – Intended to support existing host hardware (no TPM 2.0 available)
  – Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group
• TPM-trusted attestation
  – Offers the strongest possible protections
  – Requires more configuration steps
  – Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with secure boot enabled
  – Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies

Source: Ignite 2015 BRK2482
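The two attestation modes above, modelled as an added example (this is not Host Guardian Service code; the evidence fields, the policy structure, the group name and the sample hosts are assumptions). It shows why the same tampered host passes admin-trusted mode yet fails TPM-trusted mode.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class HostEvidence:
    """What a Hyper-V host presents to the Host Guardian Service (constructed shape)."""
    name: str
    ad_groups: Set[str]                                  # AD DS group membership
    tpm_ekpub: Optional[bytes] = None                    # TPM 2.0 identity (endorsement key)
    boot_log: List[str] = field(default_factory=list)    # UEFI secure boot / measured boot log
    ci_policy: Optional[bytes] = None                    # HVCI / code integrity policy blob


@dataclass
class AttestationPolicy:
    mode: str                                            # "admin" or "tpm"
    guarded_host_group: str = "GuardedHosts"             # assumed AD DS group name
    trusted_tpm_ids: Set[str] = field(default_factory=set)         # sha256(EKpub)
    trusted_boot_baselines: Set[str] = field(default_factory=set)  # sha256 over boot log
    trusted_ci_policies: Set[str] = field(default_factory=set)     # sha256(policy)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def boot_baseline(boot_log: List[str]) -> str:
    # Fold the ordered boot log into one value, the way a PCR extends measurements:
    # a changed, reordered or missing entry yields a different baseline.
    h = hashlib.sha256()
    for entry in boot_log:
        h.update(entry.encode())
    return h.hexdigest()


def attest(host: HostEvidence, policy: AttestationPolicy) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). TPM mode approves only if all three checks pass."""
    if policy.mode == "admin":
        if policy.guarded_host_group in host.ad_groups:
            return True, ["member of the guarded host AD group"]
        return False, ["host is not a member of the guarded host AD group"]
    failures = []
    if host.tpm_ekpub is None or digest(host.tpm_ekpub) not in policy.trusted_tpm_ids:
        failures.append("TPM identity not registered")
    if "SecureBoot=enabled" not in host.boot_log or \
            boot_baseline(host.boot_log) not in policy.trusted_boot_baselines:
        failures.append("measured boot does not match a trusted baseline")
    if host.ci_policy is None or digest(host.ci_policy) not in policy.trusted_ci_policies:
        failures.append("HVCI/code integrity policy not trusted")
    if failures:
        return False, failures
    return True, ["TPM identity, boot measurement and CI policy all trusted"]


# Constructed sample evidence and policies
GOOD_EK = b"constructed-ekpub-host1"
GOOD_LOG = ["UEFI firmware 1.2", "SecureBoot=enabled", "bootmgfw.efi: signed", "HVCI=on"]
GOOD_CI = b"constructed-ci-policy-v1"

ADMIN_POLICY = AttestationPolicy(mode="admin")
TPM_POLICY = AttestationPolicy(
    mode="tpm",
    trusted_tpm_ids={digest(GOOD_EK)},
    trusted_boot_baselines={boot_baseline(GOOD_LOG)},
    trusted_ci_policies={digest(GOOD_CI)},
)

HEALTHY = HostEvidence("host1", {"GuardedHosts"}, GOOD_EK, GOOD_LOG, GOOD_CI)
# Same host after Secure Boot was switched off: still in the AD group, so admin mode
# approves it; TPM mode sees a different boot measurement and refuses.
TAMPERED = HostEvidence("host1", {"GuardedHosts"}, GOOD_EK,
                        ["UEFI firmware 1.2", "SecureBoot=disabled", "bootmgfw.efi: unsigned"],
                        GOOD_CI)
# A host whose code integrity policy was relaxed to one HGS has never approved.
RELAXED = HostEvidence("host2", {"GuardedHosts"}, GOOD_EK, GOOD_LOG,
                       b"constructed-ci-policy-allow-unsigned")

if __name__ == "__main__":
    for host in (HEALTHY, TAMPERED, RELAXED):
        for policy in (ADMIN_POLICY, TPM_POLICY):
            ok, why = attest(host, policy)
            print(f"{host.name} / {policy.mode:5}: {'APPROVED' if ok else 'DENIED'} - {'; '.join(why)}")
```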

Page 26: VSM Overview

(Diagram)

Source: Ignite 2015 BRK2325

Page 27: All scenarios become secure, scalable & reliable

• Uploading shielded VM
• Uploading secrets
• Bring-your-own-key with HSM
• Retrieving shielded VM
• Live migration
• Live storage migration
• Non-live migration
• Automatic scale-out
• Cluster failover
• Cross-datacenter, cross-trust migration
• Backup, disaster recovery
• Creating shielded VM from tenant's template
• Creating shielded VM from third-party template
• Protected guest configuration
• Remote administration
• On-boarding and retiring servers
• Servicing host OS, hardware and firmware
• Managing HVCI policy for host software
• Isolating Guardian service in separate forest
• Remediating compromised and evicted host
• Administrator trust, non-attested
• Troubleshooting

Page 28: Device Guard

Page 29: New challenges require a new platform

(Diagram)

Source: Ignite 2015 BRK2325

Page 30: Device Guard

• (Sort of) an improved version of AppLocker
• Hardware Rooted App Control (runs in VSM)
  – Enables a Windows desktop to be locked down to only run trusted apps, just like many mobile OSes (e.g. Windows Phone)
  – Untrusted apps and executables such as malware are unable to run
  – Resistant to tampering by an administrator or malware
  – Requires devices specially configured by either the OEM or IT
• Getting Apps into the Circle of Trust
  – Supports all apps including Universal and Desktop (Win32)
  – Trusted apps can be created by IHVs, ISVs, and Organizations using a Microsoft provided signing service
  – Apps must be specially signed using the Microsoft signing service. No additional modification is required
  – Signing service will be made available to OEMs, IHVs, ISVs, and Enterprises

Source: Ignite 2015 BRK2325

Page 31: Provable PC Health (PPCH)

Page 32: Today, health is assumed

• Unhealthy clients proliferate malware

(Diagram: steps 1-2, important resources)

Source: Ignite 2015 BRK2325

Page 33: Windows Provable PC Health (PPCH)

• Cloud-based service
  – Provides remote health attestation
  – Can issue health state "claims"
• Blocks unhealthy devices to protect resources and prevent proliferation
• Intune can provide conditional access based on PPCH health state claims
• Available for use by 3rd party network access, security, and management solutions

Source: Ignite 2015 BRK2325

Page 34: Provable PC Health overview

(Diagram: steps 1-5, important resources)

Source: Ignite 2015 BRK2325

Page 35: Advanced Threat Analytics – Protecting corporate environments from advanced attacks

Page 36: How Microsoft Advanced Threat Analytics works

1. Analyze – After installation:

• Simple, non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM (Security Information and Event Management) and information from AD (titles, group memberships, and more)

Source: Ignite 2015 BRK3870

Page 37: How Microsoft Advanced Threat Analytics works

2. Learn – ATA:

• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents users, devices, or resources.

Source: Ignite 2015 BRK3870

Page 38: How Microsoft Advanced Threat Analytics works

3. Detect – Microsoft Advanced Threat Analytics:

• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real time based on attackers' Tactics, Techniques and Procedures (TTPs)

ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.

Source: Ignite 2015 BRK3870
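The learn-then-detect loop of pages 37 and 38 as an added toy example, not Microsoft ATA code; the entities, the logon events, the definition of "interaction path" as entities sharing a resource, and the thresholds are constructed assumptions. A single odd signal is deliberately not reported; only aggregated signals on one entity become a finding.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed logon events from the learning period: (day, user, source_host, target_host)
LEARNING_PERIOD = [
    (1, "alice", "WS-ALICE", "FILESRV01"), (1, "alice", "WS-ALICE", "MAIL01"),
    (2, "alice", "WS-ALICE", "FILESRV01"), (3, "alice", "WS-ALICE", "MAIL01"),
    (1, "bob", "WS-BOB", "FILESRV01"), (2, "bob", "WS-BOB", "MAIL01"),
    (3, "bob", "WS-BOB", "FILESRV01"),
    (1, "svc-backup", "BACKUP01", "FILESRV01"), (1, "svc-backup", "BACKUP01", "FILESRV02"),
    (2, "svc-backup", "BACKUP01", "DB01"), (3, "svc-backup", "BACKUP01", "DB02"),
]


class Profile:
    """Learned normal behaviour of one entity (a user account here)."""
    def __init__(self) -> None:
        self.sources: Set[str] = set()
        self.targets: Set[str] = set()
        self.targets_per_day: Dict[int, Set[str]] = defaultdict(set)

    def max_daily_fanout(self) -> int:
        return max((len(t) for t in self.targets_per_day.values()), default=0)


def learn(events) -> Dict[str, Profile]:
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for day, user, src, dst in events:
        p = profiles[user]
        p.sources.add(src)
        p.targets.add(dst)
        p.targets_per_day[day].add(dst)
    return dict(profiles)


def interaction_peers(profiles: Dict[str, Profile], user: str) -> Set[str]:
    """Entities on this user's interaction path: those sharing at least one resource."""
    mine = profiles[user].targets
    return {u for u, p in profiles.items() if u != user and p.targets & mine}


def detect(profiles: Dict[str, Profile], day_events) -> List[Tuple[str, str]]:
    """Evaluate one day of events against the learned profiles; returns (user, finding)."""
    by_user: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for _, user, src, dst in day_events:
        by_user[user].append((src, dst))
    findings = []
    for user, pairs in by_user.items():
        p = profiles.get(user)
        if p is None:
            findings.append((user, "activity from an entity never seen in the learning period"))
            continue
        new_sources = {s for s, _ in pairs} - p.sources
        new_targets = {d for _, d in pairs} - p.targets
        fanout = len({d for _, d in pairs})
        own_max = p.max_daily_fanout()
        # compare with the entity's own history AND with the entities it interacts with
        peer_max = max((profiles[u].max_daily_fanout() for u in interaction_peers(profiles, user)),
                       default=own_max)
        signals = []
        if new_sources:
            signals.append(f"logon from new source {sorted(new_sources)}")
        if new_targets:
            signals.append(f"access to new resources {sorted(new_targets)}")
        if fanout > 2 * max(own_max, peer_max):
            signals.append(f"fan-out {fanout} vs own max {own_max} and peer max {peer_max}")
        if len(signals) >= 2:   # contextual aggregation: one signal alone is noise
            findings.append((user, "possible lateral movement: " + "; ".join(signals)))
    return findings


PROFILES = learn(LEARNING_PERIOD)

# Day 4: alice and the backup account behave as usual; bob's credentials are suddenly
# used from alice's workstation against five servers, including a domain controller.
DAY4 = [
    (4, "alice", "WS-ALICE", "MAIL01"),
    (4, "bob", "WS-ALICE", "FILESRV01"), (4, "bob", "WS-ALICE", "DB01"),
    (4, "bob", "WS-ALICE", "DB02"), (4, "bob", "WS-ALICE", "FILESRV02"),
    (4, "bob", "WS-ALICE", "DC01"),
    (4, "svc-backup", "BACKUP01", "FILESRV01"), (4, "svc-backup", "BACKUP01", "DB01"),
]

if __name__ == "__main__":
    for user, finding in detect(PROFILES, DAY4):
        print(user, "->", finding)
```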

Page 39: How Microsoft Advanced Threat Analytics works

• Abnormal behavior: anomalous logins; remote execution; suspicious activity; unknown threats; password sharing; lateral movement
• Security issues and risks: broken trust; weak protocols; known protocol vulnerabilities
• Malicious attacks: Pass-the-Ticket (PtT); Pass-the-Hash (PtH); Overpass-the-Hash; Forged PAC (MS14-068); Golden Ticket; Skeleton key malware; reconnaissance; brute force

Source: Ignite 2015 BRK3870

Page 40: ATA Topology - Overview

(Diagram)

Source: Ignite 2015 BRK3870

Page 41: ATA Topology - Gateway

• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center

Source: Ignite 2015 BRK3870

Page 42: ATA Topology - Center

• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (through Machine Learning)
• Provides Web Management Interface
• Supports multiple Gateways

Source: Ignite 2015 BRK3870

Pages 43-47: ATA Interface Overview

(Five screenshot slides)

Source: Ignite 2015 BRK3870

Page 48: Windows Defender Advanced Threat Protection – Windows advanced threat detection, investigation and response

Page 49: STRONTIUM attack case study

Page 50

(Image-only slide)

Source: Build 2016 B890

Page 51: TARGET: Diplomat in the Middle East

From: <attacker>@<email provider.com>
To: <victim>@<email provider.com>
Subject: Re: Mission In Central African Republic

*Dear Sir!*

Please be advised that The Spanish Army personnel and a large number of the Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close.

Visit … for the additional info.

*Best regards,*
*Capt. <omitted>, Defence Adviser, Public Diplomacy Division NATO, Brussels <attacker>@<email provider.com>*

Link shown on the slide: hxxp://eurasiaglobalnews.com/90670117-spains-armed-forces-conclude-mission-in-central-african-republic/

Source: Build 2016 B890

Page 52: TARGET: NATO-Themed Spear Phish

hxxp://nato.int -> hxxp://natoint.com

Source: Build 2016 B890

Page 53: ATTACK: Stages of a 0-day Attack

1. Initial Exploit URL (Flash 0day)
   TimeStamp: 2015/04/08 10:11:54 | Alert: Unknown URL Report | Data: hxxp:militaryadviser.org/hu/press-center/news/426728-ukraine/440136/
2. Kernel Mode Exploit (0day)
   TimeStamp: 2015/04/08 10:12:11 | Alert: Win32/ContextualDropIETemp | Sha1: b22233684bc8aa939629f4cbebb18545c7121548 | FileName: runrun.exe | Parent Process: iexplore.exe
3. Stage 1: Backdoor
   TimeStamp: 2015/04/08 10:12:11 | Alert: #LowFiContextRundllAppdata | Sha1: ef1a7b1a92b7b00f77786b6a1bffc4e495ccf729 | FileName: odserv.dll | Parent Process: rundll32.exe
4. Stage 2: Pass-the-Hash Module
   TimeStamp: 2015/04/09 06:34:04 | Alert: #HackTool:Win32/WDigest.A!dha | Sha1: ca709ec79ee0518b77f161bc8bab8847c889cb88 | FileName: psw.exe | Parent Process: rundll32.exe

Source: Build 2016 B890

Page 54: The Windows 10 Defense Stack

Pre breach:
• Device protection: Device Health attestation; Device Guard; Device Control; Security policies
• Threat resistance: SmartScreen; AppLocker; Device Guard; Windows Defender; Network/Firewall
• Identity protection: Built-in 2FA; Account lockdown; Credential Guard; Microsoft Passport; Windows Hello ;)
• Information protection: Device protection / Drive encryption; Enterprise Data Protection; Conditional access

Post breach:
• Breach detection, Investigation & Response: Windows Defender ATP

Source: Build 2016 B890

Page 55: Windows Defender ATP Overview

• Powered by cloud: Machine Learning Analytics over the largest sensor array in the world
• Universal end-point behavioral sensor, built into Win10, with no additional deployment requirements
• Enhanced by the community of researchers and threat intelligence

Source: Build 2016 B890

Page 56: Windows Defender ATP Features

• Post breach detection for advanced attacks: actionable, correlated, real-time and historical for known and unknown attacks
• Easily investigate & explore enterprise endpoints to understand scope of breach through rich machine timeline and data pivoting
• Self hunting across protected assets: search for current and historical observables (machines, files, IPs, or URLs) across all endpoints
• Deep file analysis of files observed on endpoints
• Built-in threat intelligence knowledge base provides actor and intent context for threat intel-based detections, combining 1st and 3rd-party intelligence sources

Source: Build 2016 B890

Page 57: Windows ATP Indicators

• Indicators of Compromise (IOCs)
  – Monitoring "What (who) we know"
  – Threat Intelligence database of known adversary and campaign IOCs
• Indications of Attack (IOAs)
  – Monitoring "What (who) we don't recognize – yet"
  – Generic IOA Dictionary of attack-stage behaviors, tools, and techniques

Source: Build 2016 B890
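The IOC/IOA split above applied to the four alerts of the STRONTIUM case study on page 53, as an added example rather than Windows Defender ATP code; the record layout, the behaviour rules, the browser list and the "recompiled" variant are assumptions, while the hashes, file names and URL are the ones printed on that slide. The point it makes: once the tooling is recompiled and the domain changes, the IOC list is silent, but the attack-stage behaviours still correlate into a multi-stage intrusion.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Alert:
    ts: str
    name: str
    sha1: Optional[str] = None
    file: Optional[str] = None
    parent: Optional[str] = None
    url: Optional[str] = None


# The four alerts as printed on the page-53 slide (one machine, two days)
CASE_STUDY = [
    Alert("2015/04/08 10:11:54", "Unknown URL Report",
          url="hxxp:militaryadviser.org/hu/press-center/news/426728-ukraine/440136/"),
    Alert("2015/04/08 10:12:11", "Win32/ContextualDropIETemp",
          "b22233684bc8aa939629f4cbebb18545c7121548", "runrun.exe", "iexplore.exe"),
    Alert("2015/04/08 10:12:11", "#LowFiContextRundllAppdata",
          "ef1a7b1a92b7b00f77786b6a1bffc4e495ccf729", "odserv.dll", "rundll32.exe"),
    Alert("2015/04/09 06:34:04", "#HackTool:Win32/WDigest.A!dha",
          "ca709ec79ee0518b77f161bc8bab8847c889cb88", "psw.exe", "rundll32.exe"),
]

# IOC side, "what (who) we know": exact observables from threat intelligence.
KNOWN_BAD_SHA1 = {a.sha1 for a in CASE_STUDY if a.sha1}
KNOWN_BAD_DOMAINS = {"militaryadviser.org"}

# IOA side, "what we don't recognize yet": attack-stage behaviours, no hashes involved.
BROWSERS = {"iexplore.exe", "microsoftedge.exe", "chrome.exe", "firefox.exe"}  # assumed list


def url_host(url: str) -> str:
    # tolerant of the defanged "hxxp:" form on the slide, with or without "//"
    return url.split(":", 1)[-1].lstrip("/").split("/")[0].lower()


def ioc_matches(a: Alert) -> List[str]:
    hits = []
    if a.sha1 and a.sha1.lower() in KNOWN_BAD_SHA1:
        hits.append("file hash on the known-adversary list")
    if a.url and url_host(a.url) in KNOWN_BAD_DOMAINS:
        hits.append("URL host on the known-campaign list")
    return hits


def ioa_matches(a: Alert) -> List[str]:
    f = (a.file or "").lower()
    stages = []
    if a.url and not a.sha1:
        stages.append("initial-access: visit to an unknown URL")
    if f.endswith(".exe") and a.parent in BROWSERS:
        stages.append("execution: browser spawned an executable (exploit or dropper)")
    if a.parent == "rundll32.exe" and f.endswith(".dll"):
        stages.append("persistence: rundll32 loaded a dropped DLL (backdoor)")
    if a.parent == "rundll32.exe" and f.endswith(".exe"):
        stages.append("execution: rundll32-hosted code launched a tool")
    if "hacktool" in a.name.lower():
        stages.append("credential-access: hack tool classification")
    return stages


def triage(alerts: List[Alert]) -> dict:
    """Correlate one machine's alerts: both views, plus the distinct attack stages seen."""
    ioc = [(a.ts, a.file or a.url, m) for a in alerts for m in ioc_matches(a)]
    ioa = [(a.ts, a.file or a.url, m) for a in alerts for m in ioa_matches(a)]
    stages = sorted({m.split(":")[0] for _, _, m in ioa})
    return {"ioc_hits": ioc, "ioa_hits": ioa, "stages": stages,
            "multi_stage_intrusion": len(stages) >= 3}


# Constructed variant: same behaviour, but the tooling was recompiled and a fresh
# domain registered, so none of the IOCs match any more.
VARIANT = [
    replace(CASE_STUDY[0], url="hxxp://news-mirror.invalid/article/1/"),
    replace(CASE_STUDY[1], sha1="0" * 40),
    replace(CASE_STUDY[2], sha1="1" * 40),
    replace(CASE_STUDY[3], sha1="2" * 40, name="Unknown"),
]

if __name__ == "__main__":
    for label, alerts in (("case study", CASE_STUDY), ("recompiled variant", VARIANT)):
        r = triage(alerts)
        print(f"{label}: {len(r['ioc_hits'])} IOC hits, {len(r['ioa_hits'])} IOA hits, "
              f"stages={r['stages']}, multi-stage={r['multi_stage_intrusion']}")
```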

Page 58: Why Microsoft is in a unique position

• Over 1M Microsoft corporate machines: new code, new products, new files; most are local admins; hundreds of labs, malware enclaves
• 1.2 Billion Windows machines reporting
• 11M Enterprise machines reporting
• 1M files detonated daily
• 2.5T URLs indexed and 600M reputation look-ups
• Advanced detection algorithms & statistical modelling
• APT hunters – OS Security, Exploit & Malware Researchers, & Threat Intelligence

Source: Build 2016 B890

Pages 59-66

(Image-only slides, no text)

Page 67: Azure Security Center – Understand the security state of all of your Azure resources

Page 68: Azure Security Center enables you to:

• Understand the security state of Azure resources
• Use policies that enable you to recommend and monitor security configurations
• Use DevOps to deploy integrated Microsoft and partner security solutions
• Identify threats with advanced analysis of your security-related events
• Respond and recover from incidents faster with real-time security alerts
• Export security events to a SIEM for further analysis

Source: AzureCon 2015 ACON205

Page 69: Azure Security Center interface

(Screenshot)

Source: AzureCon 2015 ACON205

Page 70: Finds attacks that might go undetected

• Compromised machines
• Failed exploitation attempts
• Brute force attacks
• Data exfiltration
• Web application vulnerabilities
• Advanced malware
• Achieve all this using:
  – High volume of signals
  – Behavioral profiling
  – Machine Learning
  – Global threat intelligence
• Constantly being expanded with new detection mechanisms

Source: AzureCon 2015 ACON205

Page 71: Rich ecosystem of products and services

(Partner logos)

Source: AzureCon 2015 ACON205

Page 72: Operations Management Suite – Transforming machine data into operational intelligence

Page 73: Microsoft Operations Management Suite

Simplified Management. Any Cloud, Any OS.

(Diagram: Log Analytics, Automation, Backup, DR and Data Protection, Security)

Page 74: OMS Solutions

• Log Analytics: Gain visibility across your hybrid enterprise cloud
• Automation: Orchestrate complex and repetitive operations
• Availability: Increase data protection and application availability
• Security: Help secure your workloads, servers, and users

Page 75: Log Analytics

• Gain visibility across your hybrid enterprise cloud
• Easy collection, correlation, and visualization of your machine data
  – Log management across physical, virtual, and cloud infrastructure
• Overview of infrastructure health, capacity, and usage
• Proactive operational data analysis
  – Faster investigation and resolution of operational issues with deep insights
• Deliver unparalleled insights across your datacenters and public clouds, including Azure and AWS
• Collect, store, and analyze log data from virtually any Windows Server and Linux server source

Page 76: Integrated search

• Combine and correlate any machine data from multiple sources
  – Query, and filter the results by using facet controls
  – Automated data visualization
  – Metrics pivoted around particular problem areas
  – Common search queries

Page 77: Custom Dashboard

• Visualize all of your saved searches
  – Custom or sample searches
  – Customizable visual information
  – Shareable across teams

Page 78: Solution Packs

• Collection of logic, visualization and data acquisition rules
  – Powered by search
  – Metrics pivoted around particular problem areas
  – Investigate and resolve operational issues
  – Can be added/removed and customized

Page 79: Alert Management

• Expose your integrated System Center Operations Manager alerts
• Web based Alert visualization
• Integrated search for deeper analysis
• Common alert queries

Page 80: Capacity Planning

• Plan for future capacity and trends using historical data
• VM utilization and efficiency
• Compute projection
• Storage utilization

Page 81: Active Directory Assessment

• Using best practices and data collection, identify potential issues
• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment

Page 82: SQL Server Assessment

• Security and Compliance
• Availability and business continuity
• Performance and security
• Upgrade, migration and deployment
• Operations and monitoring
• Change and configuration

Page 83: Change Tracking

• Track every change on your system across any environment
• Configuration type change
• Software & application changes
• Windows Service changes

Page 84: Azure Automation Dashboard

• Quick glance view of runbook health and status
  – Active runbooks & total jobs
  – Link into Azure Automation portal

Page 85: Azure Backup and Recovery Dashboard

• Quick glance view of backup and protection status
  – Registered servers
  – Backup size & jobs status
  – Link into Azure portal for backup and recovery

Page 86: System Update Assessment

• Understand server update and patching status across your environment
• Servers missing security updates
• Servers not updated recently
• Types of updates missing

Page 87: Malware Assessment

• Quickly determine your servers' malware status and potential threats
• Detected threats
• Protection status

Page 88: Security and Audit

• Collect security events and perform forensic, audit and breach analysis
  – Security posture
  – Notable issues
  – Summary threats

Page 89: Security Solution Pack

• Security Posture
  – Quick glance showcasing server workload and server security threats
  – Computer growth change
  – Account authentication
  – Total system activities
  – Processes executed
  – Change in policy
  – Remote IP Tracking

Page 90: Security Solution Pack

• Notable issues
  – Understand notable security issues, and audit rate of change
  – Failed account access
  – Security policy and group changes
  – Password resets
  – Event log cleaning
  – Lock-out accounts
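The notable issues listed above computed from a handful of constructed Windows Security events, as an added example that is not OMS code; the event layout, the brute-force threshold and the prior-day counts are assumptions. The Windows event IDs used are the standard ones (4625 failed logon, 4740 account locked out, 4724 password reset attempt, 4728/4732 member added to a security group, 4719 audit policy changed, 1102 audit log cleared).

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Standard Windows Security event IDs mapped to the slide's notable-issue groups
NOTABLE_EVENTS = {
    4625: "Failed account access",
    4740: "Lock-out accounts",
    4724: "Password resets",
    4728: "Security policy and group changes",   # member added to a global security group
    4732: "Security policy and group changes",   # member added to a local security group
    4719: "Security policy and group changes",   # system audit policy changed
    1102: "Event log cleaning",                  # the audit log was cleared
}

Event = Tuple[str, str, int, str, str]   # (time, computer, event_id, account, source_ip)

# Constructed events for one day
TODAY: List[Event] = [
    ("2016-05-20T08:00:01", "SRV01", 4625, "svc-web", "203.0.113.7"),
    ("2016-05-20T08:00:03", "SRV01", 4625, "svc-web", "203.0.113.7"),
    ("2016-05-20T08:00:05", "SRV01", 4625, "svc-web", "203.0.113.7"),
    ("2016-05-20T08:00:07", "SRV01", 4625, "svc-web", "203.0.113.7"),
    ("2016-05-20T08:00:09", "SRV01", 4625, "svc-web", "203.0.113.7"),
    ("2016-05-20T08:00:11", "SRV01", 4740, "svc-web", "203.0.113.7"),
    ("2016-05-20T09:10:00", "DC01", 4728, "tudy", "10.0.0.5"),
    ("2016-05-20T09:11:00", "DC01", 1102, "tudy", "10.0.0.5"),
    ("2016-05-20T09:12:00", "SRV02", 4625, "alice", "10.0.0.12"),
    ("2016-05-20T11:00:00", "DC01", 4624, "alice", "10.0.0.12"),   # successful logon: not notable
]

# Yesterday's per-group totals (constructed), for the audit "rate of change"
YESTERDAY_COUNTS = {"Failed account access": 2, "Password resets": 1}

BRUTE_FORCE_THRESHOLD = 5   # assumed: failed logons from one source before it is flagged


def notable_issues(events: List[Event],
                   prior_counts: Optional[Dict[str, int]] = None) -> Dict:
    """Per-group counts, human-readable findings, and change versus the prior window."""
    counts = Counter(NOTABLE_EVENTS[eid] for _, _, eid, _, _ in events if eid in NOTABLE_EVENTS)
    findings: List[str] = []
    failed_by_source = Counter(ip for _, _, eid, _, ip in events if eid == 4625)
    for ip, n in failed_by_source.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(f"{n} failed logons from {ip}: possible brute force")
    for t, computer, eid, account, _ in events:
        if eid == 4740:
            findings.append(f"{account} locked out on {computer} at {t}")
        elif eid == 1102:
            # log clearing is always worth a look: it is how an intruder hides the rest
            findings.append(f"Security log cleared on {computer} by {account} at {t}")
    change: Dict[str, int] = {}
    for group in set(counts) | set(prior_counts or {}):
        change[group] = counts.get(group, 0) - (prior_counts or {}).get(group, 0)
    return {"counts": dict(counts), "findings": findings, "change": change}


if __name__ == "__main__":
    report = notable_issues(TODAY, YESTERDAY_COUNTS)
    for group, n in sorted(report["counts"].items()):
        print(f"{group:35} {n:3}  (change {report['change'][group]:+d})")
    for f in report["findings"]:
        print("!", f)
```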

Page 91: Security Solution Pack

• Security context
  – Quick view of security position across your enterprise
  – Active threats
  – Patch status
  – Software changes
  – Service changes
  – Critical and warning alerts

Page 92: And that's not all of it…

Page 93: Responsibility for Security in the Cloud era

(Diagram)

Source: Ignite 2015 BRK2482

Page 94: Some other things to keep in mind

• Start using an "Assume Breach" approach
• UEFI Secure Boot and TPM support on your hardware
• Just-Enough/Just-In-Time Administration (coming in WS 2016)
• Azure Rights Management & Data Loss Prevention
• Azure AD Multi-Factor Authentication
• Windows Hello / Microsoft Passport
• Cloud App Security
• Etc.

Page 95: What to do next?

• Channel 9 - https://channel9.msdn.com/
  – Ignite 2015 BRK2482 - Platform Vision and Strategy: Security and Assurance Overview
  – Ignite 2015 BRK3870 - Microsoft Advanced Threat Analytics
  – Ignite 2015 BRK2325 - A New Era of Threat Resistance for the Windows 10 Platform
  – AzureCon 2015 ACON205 - New Azure Security Center helps you prevent, detect, and respond to threats
  – Ignite New Zealand 2015 M235 - Automating Operational and Management Tasks in Microsoft Operations Management Suite and Azure
  – Build 2016 B890 - Windows Defender ATP
  – … & others
• Microsoft Virtual Academy - http://www.microsoftvirtualacademy.com/
• Try out & look at Windows Server 2016 TP5 & System Center 2016
• Look into the latest Azure/Cloud improvements
• Keep up with Security changes in the industry

Page 96: Thank you!

Contact: [email protected] / @tudydamian / tudy.tel