SlideShare ist ein Scribd-Unternehmen logo

rsa-usa-2019-keynote-paula-januszkiewicz

Paula Januszkiewicz
Paula Januszkiewicz

[CQURE] Top 10 ways to make hackers excited: All about the shortcuts not worth taking Designing a secure architecture can always be more expensive, time-consuming, and complicated. But does it make sense to cut corners when hackers invent new attacks every day? Taking shortcuts will sooner or later translate to more harm and backfire. Learn what mistakes we eliminated when working with our customers.

Technologie
1 von 26
Downloaden Sie, um offline zu lesen
#RSAC SESSION ID: Paula Januszkiewicz Top 10 ways to make hackers excited: All about the shortcuts not worth taking KEY-T06S CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft Regional Director Contact: paula@cqure.us | http://cqure.us @paulacqure @CQUREAcademy
#RSAC
#RSAC Technical systems are: Reviewed Scanned Penetration Tested So? Technical systems are: Reviewed Scanned Penetration Tested So?
#RSAC
#RSAC 1st Way: Disabling firewall / misconfigured network access Key learning points: ✓ Windows Firewall is often misconfigured ✓ Firewall is a great segmentation tool ✓ You can allow only certain processes to communicate with the Internet or locally ✓ No need to know processes to block them, you can operate on the services list In Windows Firewall there are couple of things missing: x Filtering by the group of computers x Detailed logging for network traffic x Expandability – there are not many options x No correlation in between process and network traffic – whose role is this?
#RSAC Demo: File download + DNS Exfiltration
#RSAC 2nd Way: Overly simple passwords and security questions Key learning points: ✓ Almost always there are passwords reused ✓ Almost always (ekhm… always) there is some variant of company name and some number (year, month etc.) ✓ It makes sense to check for obvious passwords and continuously deliver security awareness campaigns Typical password locations NTDS.dit, SAM Configuration files Registry Memory dumps, Hiberfil.sys Databases (DPAPI ?)
#RSAC Demo: Simple checks needed
#RSAC 3rd Way: No network segmentation Key learning points: ✓ ✓ ✓ ✓ ✓ x x x No-brainer or unseen network security threat?
#RSAC Demo: ARP Spoofing on Windows
#RSAC 4th Way: Lack of SMB Signing (or alternative) Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
#RSAC Demo: SMB Relay
#RSAC 5th Way: Allowing unusual code execution Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
#RSAC Demo: Sneaky code runs
#RSAC 6th Way: No whitelisting on board Key learning points: ✓ Code execution prevention implementation is a must ✓ PowerShell is an ultimate hacking tool, possible solutions: block it for users, use Just Enough Administration etc. ✓ Verify where users have write access to: accesschk.exe –w .users c:windows ✓ AppLocker can run in the audit mode x AppLocker is great but not with the default configuration Machine learning for threat protection: ✓ Modern solutions are capable of machine learning but it takes time ✓ Modern solutions are quire easy to implement bur require a lot of understanding of what do they actually do – your call
#RSAC Demo: Shares under pressure
#RSAC 7th Way: Old protocols or their default settings
#RSAC Demo: Injection for TDS
#RSAC 8th Way: Trusting solutions without knowing how to break them Key learning points: ✓ The best operators won't use a component until they know how it breaks. ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
#RSAC Demo: Sysmon Under Pressure
#RSAC 9th Way: Misusing service accounts + privileged accounts Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
#RSAC Demo: Service Accounts + Passwords
#RSAC 10th Way: Falling for hipster tools Key learning points: ✓ Worldwide spending on information security is expected to reach $90 billion in 2017, an increase of 7.6 percent over 2016, and to top $113 billion by 2020, according to advisory firm Gartner ✓ With increasing budget the risk of possessing hipster tools increases too – do we know where these tools come from and what are their security practices? ✓ Lots of solutions where not created according to the good security practices (backup software running as Domain Admin etc.) ✓ Each app running in the user’s context has access to secrets of other apps – Data Protection API ✓ Case of CCleaner
#RSAC Demo: KeePass Under Pressure
#RSAC Summary: 10 ways to make hackers happy Short term Isolate infrastructure components so that in case of attack they prevent spreading Engage with the network security guys Review servers’ and workstations’ configuration periodically Medium term Put on the Hacker’s Shoes External + Internal + Web Penetration tests Configuration reviews Long term Prevention and Vulnerability Management Start implementing the monitoring and execution prevention
Thank you! Paula Januszkiewicz paula@cqure.us http://cqure.us @paulacqure @CQUREAcademy

Empfohlen

Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hacked
Paula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Paula Januszkiewicz
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
Paula Januszkiewicz
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
Paula Januszkiewicz
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
Paula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
Paula Januszkiewicz
 

Empfohlen

Fatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hackedFatal signs: 10 symptoms when you think you’ve been hacked
Fatal signs: 10 symptoms when you think you’ve been hacked
Paula Januszkiewicz
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Paula Januszkiewicz
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
Paula Januszkiewicz
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Paula Januszkiewicz
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
Paula Januszkiewicz
 
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...
Paula Januszkiewicz
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 201712 Crucial Windows Security Skills for 2017
12 Crucial Windows Security Skills for 2017
Paula Januszkiewicz
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
Paula Januszkiewicz
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Paula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
Paula Januszkiewicz
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro
Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Paula Januszkiewicz
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Paula Januszkiewicz
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
BlueHat Security Conference
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
Rahul
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
Nahidul Kibria
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
Naoya Nakazawa
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
BeyondTrust
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
Madhu Akula
 
Windows network
Windows networkWindows network
Windows network
Jithesh Nair
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
 
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
BeyondTrust
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 

Weitere ähnliche Inhalte

Was ist angesagt?

Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Paula Januszkiewicz
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Paula Januszkiewicz
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
BlueHat Security Conference
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
BeyondTrust
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
 

Was ist angesagt? (20)

12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro 30 Cybersecurity Skills You Need To Become a Windows Security Pro
30 Cybersecurity Skills You Need To Become a Windows Security Pro
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
 
Windows network
Windows networkWindows network
Windows network
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
 

Ähnlich wie rsa-usa-2019-keynote-paula-januszkiewicz

Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
BeyondTrust
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
BeyondTrust
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS Presentation
Dan Barr
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PowerShell: The increased use of PowerShell in cyber attacks
PowerShell: The increased use of PowerShell in cyber attacksPowerShell: The increased use of PowerShell in cyber attacks
PowerShell: The increased use of PowerShell in cyber attacks
Symantec Security Response
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...
Greg Swedosh
 

Ähnlich wie rsa-usa-2019-keynote-paula-januszkiewicz (20)

Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
PSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS PresentationPSU Security Conference 2015 - LAPS Presentation
PSU Security Conference 2015 - LAPS Presentation
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsIDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
PowerShell: The increased use of PowerShell in cyber attacks
PowerShell: The increased use of PowerShell in cyber attacksPowerShell: The increased use of PowerShell in cyber attacks
PowerShell: The increased use of PowerShell in cyber attacks
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security Program
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best Pratices
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Kürzlich hochgeladen (20)

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

rsa-usa-2019-keynote-paula-januszkiewicz

  • 1. #RSAC SESSION ID: Paula Januszkiewicz Top 10 ways to make hackers excited: All about the shortcuts not worth taking KEY-T06S CQURE: CEO, Penetration Tester / Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT Microsoft Regional Director Contact: paula@cqure.us | http://cqure.us @paulacqure @CQUREAcademy
  • 3. #RSAC Technical systems are: Reviewed Scanned Penetration Tested So? Technical systems are: Reviewed Scanned Penetration Tested So?
  • 5. #RSAC 1st Way: Disabling firewall / misconfigured network access Key learning points: ✓ Windows Firewall is often misconfigured ✓ Firewall is a great segmentation tool ✓ You can allow only certain processes to communicate with the Internet or locally ✓ No need to know processes to block them, you can operate on the services list In Windows Firewall there are couple of things missing: x Filtering by the group of computers x Detailed logging for network traffic x Expandability – there are not many options x No correlation in between process and network traffic – whose role is this?
  • 6. #RSAC Demo: File download + DNS Exfiltration
  • 7. #RSAC 2nd Way: Overly simple passwords and security questions Key learning points: ✓ Almost always there are passwords reused ✓ Almost always (ekhm… always) there is some variant of company name and some number (year, month etc.) ✓ It makes sense to check for obvious passwords and continuously deliver security awareness campaigns Typical password locations NTDS.dit, SAM Configuration files Registry Memory dumps, Hiberfil.sys Databases (DPAPI ?)
  • 9. #RSAC 3rd Way: No network segmentation Key learning points: ✓ ✓ ✓ ✓ ✓ x x x No-brainer or unseen network security threat?
  • 11. #RSAC 4th Way: Lack of SMB Signing (or alternative) Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
  • 13. #RSAC 5th Way: Allowing unusual code execution Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
  • 15. #RSAC 6th Way: No whitelisting on board Key learning points: ✓ Code execution prevention implementation is a must ✓ PowerShell is an ultimate hacking tool, possible solutions: block it for users, use Just Enough Administration etc. ✓ Verify where users have write access to: accesschk.exe –w .users c:windows ✓ AppLocker can run in the audit mode x AppLocker is great but not with the default configuration Machine learning for threat protection: ✓ Modern solutions are capable of machine learning but it takes time ✓ Modern solutions are quire easy to implement bur require a lot of understanding of what do they actually do – your call
  • 17. #RSAC 7th Way: Old protocols or their default settings
  • 19. #RSAC 8th Way: Trusting solutions without knowing how to break them Key learning points: ✓ The best operators won't use a component until they know how it breaks. ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
  • 21. #RSAC 9th Way: Misusing service accounts + privileged accounts Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
  • 23. #RSAC 10th Way: Falling for hipster tools Key learning points: ✓ Worldwide spending on information security is expected to reach $90 billion in 2017, an increase of 7.6 percent over 2016, and to top $113 billion by 2020, according to advisory firm Gartner ✓ With increasing budget the risk of possessing hipster tools increases too – do we know where these tools come from and what are their security practices? ✓ Lots of solutions where not created according to the good security practices (backup software running as Domain Admin etc.) ✓ Each app running in the user’s context has access to secrets of other apps – Data Protection API ✓ Case of CCleaner
  • 25. #RSAC Summary: 10 ways to make hackers happy Short term Isolate infrastructure components so that in case of attack they prevent spreading Engage with the network security guys Review servers’ and workstations’ configuration periodically Medium term Put on the Hacker’s Shoes External + Internal + Web Penetration tests Configuration reviews Long term Prevention and Vulnerability Management Start implementing the monitoring and execution prevention