
Zero Trust Networks

• What is a Zero Trust Network?
• Let’s talk about what it is *NOT* first.
• If you create an “IP FENCE” in Office 365 to trust anything that originates from your on-premises LAN, then you do not have a zero trust network, because you trust anything that comes from that network.
• This is a problem because if people bring personal devices into work (smartphones, tablets, laptops) that are infected with malware, that malware could get into your Office 365 tenant.
• A zero trust network may still take into account that the source IP comes from a trusted location, which is useful, but it also checks a second factor:
• Extra authentication against user identity
• Extra authentication against machine identity AND machine health
Zero Trust Presentation at RSA

• Speaker: Matt Soseman from Microsoft
• Watch the full recorded video presentation: https://bit.ly/2HLMKgW
• Password: WatchRSAC2019
• Download the PowerPoint slide presentation: https://bit.ly/2CLm7V9
Azure Sentinel (Microsoft’s new SIEM)
Is Sentinel right for me?

• Do you already have a SIEM today?
• Is it fully integrated with Office 365?
• Are the events relevant? Helpful? How many false positives?
• How much are you paying for your SIEM? Could Sentinel save you $$?
• If you have a SIEM today and it’s not integrated or not producing good results, try Sentinel out for free and see how it works.
• Go to http://portal.azure.com, add a resource, and select Azure Sentinel.
Microsoft Threat Experts

• What is it? Microsoft becomes your Managed Security Service Provider, responding to alerts generated by Defender ATP.
• To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview.
• You also need to ensure that you have Windows Defender ATP deployed in your environment with machines enrolled, and not just in a laboratory set-up.
Learn more here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts
and
https://www.microsoft.com/security/blog/2019/02/28/announcing-microsoft-threat-experts/
Block on upload or download: You can block the upload or download of sensitive documents, for example on unmanaged devices.
Protect on download: Instead of blocking the download of sensitive documents, you can require documents to be protected via encryption on download. This ensures that the document is protected, and user access is authenticated, if the data is downloaded to an untrusted device.
Monitor low-trust user sessions: Risky users are monitored when they sign into apps, and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.
Block access: You can completely block access to specific apps for users coming from unmanaged devices or from non-corporate networks. For example: block if the device is not domain joined, not Intune managed, or has no client certificate.
Create read-only mode: By monitoring and blocking custom in-app activities you can create a read-only mode for specific apps for specific users.
Restrict user sessions from non-corporate networks: Users accessing a protected app from a location that is not part of your corporate network are allowed restricted access, and the download of sensitive materials is blocked or protected.
New (March 2019) – Block copy/paste
New (March 2019) – Ensures that PII (or passwords) is not sent in Slack, Facebook for Work, or Teams
POST RSA Announcements
Re-Introducing Microsoft Defender ATP (formerly Windows Defender)
- Mac OSX support added 3/21/2019
- Threat Experts added 2/28/2019 (Microsoft-provided managed services to monitor your security alerts) – currently in private preview
- Threat and Vulnerability Management (TVM) added 3/21/19 (correlation between poor patch management and risks/active threats)
• Azure Advanced Threat Protection identifies on-premises attacks targeting Active Directory
• Azure Identity Protection detects and proactively prevents user and sign-in risks to identities in the cloud
• Microsoft Cloud App Security (MCAS) identifies attacks within a cloud session, covering 3rd-party SaaS + O365
RSA Notes

• KnowBe4 demonstrated 12 ways to hack MFA
• PPT download: https://www.rsaconference.com/writable/presentations/file_upload/idy-f02-12-ways-to-hack-2fa.pdf
• Hackers have been refining their email phishing schemes to also nab the one-time passcode from two-factor authentication security setups, Google warned at RSA. "We've seen a big rise in the number of phishable 2FA attacks," Nicolas Lidzborski, a security engineering lead for Gmail, said during a talk at RSA.
• This is why FIDO2 is so important: if you can’t use Microsoft Authenticator, certificates, or domain join, then the next best thing is a FIDO2 key (for PCs and Macs).
RSA Notes

Note: it’s crazy to me that MSWord.exe is able to launch PowerShell like this:

C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -encodedCommand $encodedcommand
RSA Notes

• McAfee – “only five organizations that paid the WannaCry ransom got their files back”
• McAfee – RDP credentials are on sale on the dark web for $10
• Economics of the attacker are driving ransomware, botnets, AD Fraud ($250,000 per week!)
• Speed of innovation from GandCrab ransomware is crazy fast

RSA Notes

From the Cylance presentation on Day 1 of RSA

They demonstrated using Kali Linux – TrevorC2.

“The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless of whether macros are enabled.”
Learn how to do this here:
https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/
RSA Notes

Supply Chain Attacks:

PDF software vendor compromised to install cryptojacker software (an unsigned MSI file was redirected to a website in Ukraine).
RSA Notes

From Paula Januszkiewicz (https://cqureacademy.com/)

• If a client can query an external DNS server, it can use nslookup to get base64 data from a DNS TXT record for C2 communication
• Using PowerShell to convert it from base64 to a .ps1
• Then using powershell -ec to run a base64-encoded string
• CVE-2018-8440 using MSIEXEC to bypass AppLocker (required downloading the executable via DNS)
• Paula used certutil to download 7zip (but she showed how WDATP blocks this)
• Only 2 out of the 200 companies Paula has worked with have disabled NTLMv2 and use Kerberos exclusively
• Paula recommends enabling SMB signing
• Paula ran cmdshell as SYSTEM (psexec -i -s) so that she could dump service passwords (services.msc)
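Detection logic for the two PowerShell tricks in these notes (the Office-relative “..” path in the MSWord.exe note above and the powershell -ec launches Paula showed), as an added example that is not from the slides or from either presenter: the log field layout, the sample records and the encoded payload are constructed here, and Windows path normalization uses Python’s ntpath so the check runs on a Linux SIEM host too.

```python
# Added example (not from the slides): process-creation check for the tricks
# noted above. Log layout, sample records and the encoded payload are constructed.
import base64
import ntpath
import re

ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
# winword.exe is Word's real image name; msword.exe is what the slide wrote.
OFFICE_APPS = {"winword.exe", "msword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def normalize_image(raw: str) -> str:
    # ntpath.normpath collapses '..' the way Windows resolves it, so
    # <Office dir>\MSWord.exe\..\..\..\..\Windows\...\powershell.exe is seen
    # as the real PowerShell binary, even when this runs on a Linux SIEM host.
    return ntpath.normpath(raw).lower()

def decode_encoded_command(b64: str):
    # -EncodedCommand carries base64 of UTF-16LE script text; a value that is
    # not base64 (e.g. an unexpanded $variable) yields None.
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(parent_image: str, cmdline: str) -> dict:
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    image = normalize_image(tokens[0])
    decoded = None
    for flag, value in zip(tokens[1:], tokens[2:]):
        if flag.lower() in ENCODED_FLAGS:
            decoded = decode_encoded_command(value)
    signals = {
        "traversal": ".." in ntpath.normcase(tokens[0]).split("\\"),
        "office_parent": ntpath.basename(parent_image).lower() in OFFICE_APPS,
        "encoded": any(t.lower() in ENCODED_FLAGS for t in tokens[1:]),
    }
    return {"image": image, "decoded": decoded, "signals": signals,
            "alert": image.endswith("powershell.exe") and any(signals.values())}

# Constructed record reproducing the slide's command line; "dwBoAG8AYQBtAGkA"
# is the UTF-16LE/base64 encoding of the harmless command "whoami".
SAMPLE_PARENT = r"C:\Programs\Microsoft\Office\MSWord.exe"
SAMPLE_CMDLINE = (r"C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows"
                  r"\System32\WindowsPowerShell\v1.0\powershell.exe "
                  "-encodedCommand dwBoAG8AYQBtAGkA")

if __name__ == "__main__":
    print(analyze(SAMPLE_PARENT, SAMPLE_CMDLINE))
```

The same record with the literal `$encodedcommand` from the note decodes to nothing, but still alerts on the Office parent and the encoded-command flag.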
RSA Notes

Paula’s Notes Continued

• Paula demonstrated a tool called chromepass.exe from NirSoft that reveals Chrome passwords
• She showed how getting a certificate from AD allows you to decrypt end users’ Chrome passwords
• The master keys are encrypted by MSDCC2 and are stored in a file, e.g. “BK-Cquire” (this is the public key for the AD domain stored in the local file, which encrypts the Chrome passwords); the private key is in Active Directory.
• All the tools she used are downloadable from cqu.re/sessionrsa2019 (pw: CQUREAcademy#123!)
• She warned that SharePoint’s profile service (and the AAD Connect service account) both have ‘MS Directory Replicate All’ and therefore have enough permission to get the private key for DPAPI from AD.
RSA Notes

• MITRE presentation AIR-T07 slide 39 showed Red Team tools
• I was really impressed with how MITRE’s controls matrix shows gaps and how to then use hunting techniques around where you have the gaps.
• Then use Caldera and see if your hunting techniques detect Caldera
RSA Notes

• What keeps me up at night?
• How to stop phishing emails when the attacker compromises a perfectly good account that conforms to SPF/DKIM/DMARC?
• Detecting communications with command and control is getting harder because attackers are hiding commands inside image files, with a technique known as steganography.
• "Embedding multiple content types within a single file … has been a common technique seen in many malware droppers for some time," Carbon Black stated in its report. "This technique is used to evade detection on the network wire and on the endpoint as well as hide content on disk in familiar file types such as images."
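One check for the appended-content form of the trick Carbon Black describes, added here and not taken from the report or the slides: walk a PNG’s chunk list and report any bytes left after the IEND chunk, plus chunks whose CRC does not match (it does not detect pixel-level steganography). The sample images are constructed inside the block.

```python
# Added example (not from the slides or the Carbon Black report): a PNG chunk
# walk that reports bytes left after IEND, the simplest form of the
# "multiple content types in one file" trick. Sample images are constructed.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> dict:
    # Walk the chunk list; a valid PNG ends exactly at the IEND chunk's CRC,
    # so anything after it is foreign content worth a closer look.
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, bad_crc, pos = [], [], len(PNG_SIG)
    while pos + 12 <= len(data):            # 4 length + 4 type + 4 CRC minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("chunk length runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("ascii", "replace")
        chunks.append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(name)            # tampered or hand-built chunk
        pos += 12 + length
        if ctype == b"IEND":
            return {"chunks": chunks, "bad_crc": bad_crc,
                    "trailing_bytes": len(data) - pos}
    raise ValueError("truncated PNG: no IEND chunk")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def minimal_png() -> bytes:
    # Constructed 1x1 8-bit grayscale image: IHDR, one IDAT scanline, IEND.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")        # filter byte 0 + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


HIDDEN = b"constructed sample: a second file type appended after IEND"

if __name__ == "__main__":
    print(inspect_png(minimal_png()))           # trailing_bytes 0
    print(inspect_png(minimal_png() + HIDDEN))  # trailing_bytes len(HIDDEN)
```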
