Welcome
Guard by day and guard by night, but the thief inside the house is hard to guard against (日防夜防，家賊難防)
How to prevent insider attacks and data theft
Eric Chan (陳健亮), System Consultant, Hong Kong, Macau and Taiwan
Hybrid Active Directory Environment
• Office 365 requires an Azure AD instance
• Azure AD provides the Directory Service for Office 365 applications
• Azure AD integrates with on-premise AD, creating a Hybrid Directory environment
What does AD have to do with Office 365 Security?
• 90% of companies use on-premises AD
• 10 Billion on-prem AD authentications per day
• 95 Million AD authentications are under attack daily
• 1 Million subscribers a month moving to Office 365
• 70% YoY growth for Office 365 adoption
• 75% of enterprises with more than 500 employees sync on-prem. AD to Azure AD
• 700 Million Azure AD accounts
• 1.3 Billion MS cloud login attempts per day
• 10 Million daily MS Cloud logins are cyber-attacks
Active Directory Security is Critical
1. On-premises AD remains the core of security even in a cloud/hybrid environment
2. On-prem is the authoritative source and will replicate to Azure AD & Office 365
3. With security, you are only as secure as your weakest link
We have invested a lot in preventing attacks from outside, but often the most harmful one comes from INSIDE...
Who is Hank the Hacker?
Who is Hank?
• Organized criminal groups
• State-affiliated actors
• Disgruntled employees
• Rogue administrators
• Contractors
• Etc.
How does Hank get in?
• Malware
• Ransomware
• Pass-the-hash
• Weak passwords
• Social engineering
• Authorization creep
• Spear phishing
• Etc.
What will Hank do?
• Try to log on to your critical systems
• Snoop on your data:
  – File servers
  – Databases
  – PCs
• Impersonate VIP users
• Change your important AD settings:
  – Elevate privileges
  – Deploy malware via GPO
  – Execute PowerShell attacks (e.g. Mimikatz)
How Quest Stops Hank
Detect and Alert
Challenges – On Premises
• No comprehensive view of all changes from all native log sources
• Very difficult to consolidate native audit logs and avoid loss of historical data
• No protection exists to prevent unwanted changes to the most sensitive objects, even from privileged users
• No proactive alerting on suspicious events
Challenges – On Azure
• Alerting is not real time
• Audit data only retained for 7 days or 30 days depending on platform
• Difficult to interpret events – audit data is very raw (contains SIDs, GUIDs and other IDs), lacks friendly display names and the format is constantly changing
Change Auditor
• Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes.
• Who made the change?
• What object was changed?
• When was the change made?
• Where was the change made from?
• Why was the change made (comment)?
• Workstation: where the change originated from
• Real-time smart alerts to any device
Change Auditor – Supported Platforms
• Active Directory / LDS
• Exchange
• Azure Active Directory
• O365 Exchange Online
• Active Directory Queries
• SQL Server
• Logon, Logoff, User Sessions
• SharePoint
• O365 SharePoint Online
• Skype for Business
• Windows File Servers
• Quest Active Roles
• EMC Celerra, Isilon
• Quest Authentication Services
• NetApp
• Quest Defender
• Dell Fluid File System
• OneDrive
• Object protection
Hybrid Directory Management
• With Change Auditor, you can:
  – Consolidate event data from on-premises and cloud targets
  – Correlate identities across on-premises and cloud
  – Search and report in simple ways
  – Proactively protect important objects and settings
Easy to read, normalized 5W events
Change Auditor for Active Directory: GPO Settings
Protect Important Objects and Settings
• Protect your important AD, Exchange and Windows File Server objects and settings
• Prevent operational mistakes
• Last line of protection even when admin credentials have been stolen
How can you identify THREATS in millions of events?
User Threat Detection for your Windows environment
Behavior Analysis
• Unsupervised machine learning models individual user behavior on multiple vectors:
  – Time-based modeling (e.g. logon at an abnormal time for that user)
  – Categorical modeling (e.g. accessed a machine they don't typically access)
  – Continuous modeling (e.g. accessed an abnormal number of files)
• Multivariate risk scoring ensures that only a suspicious combination of activities raises an alert
• Comparison with global activity reduces false positives on new events
quest.com | confidential
A pattern of suspicious activity leads to higher user risk scores
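The three modelling vectors and the multivariate scoring described on the Behavior Analysis slide, as an added example that is not Quest's Change Auditor Threat Detection code: each user's normal logon hours (time-based), hosts (categorical) and files-per-session (continuous) are learned from a constructed history, a new event is scored on every vector, a host that many other users share is discounted (the "comparison with global activity"), and an alert is raised only when at least two vectors are abnormal. The thresholds, the 0.3 discount and the z-score mapping are assumptions chosen for the example.

```python
"""Per-user behaviour baselines with multivariate risk scoring.

Added example, not Quest code. Three vectors are modelled per user from a
constructed history: time-based (logon hour), categorical (host used) and
continuous (files touched per session). Only a combination of abnormal
vectors produces an alert.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    ts: datetime
    host: str
    files: int  # files touched in the session


@dataclass
class UserProfile:
    hours: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    file_counts: list = field(default_factory=list)


class BehaviourModel:
    FLAG = 0.5        # per-vector score treated as abnormal (assumed)
    MIN_VECTORS = 2   # abnormal vectors needed before alerting (assumed)

    def __init__(self, history):
        self.profiles = defaultdict(UserProfile)
        self.host_users = defaultdict(set)  # global view: host -> users seen on it
        for e in history:
            p = self.profiles[e.user]
            p.hours.add(e.ts.hour)
            p.hosts.add(e.host)
            p.file_counts.append(e.files)
            self.host_users[e.host].add(e.user)

    def time_score(self, e):
        """Time-based vector: an hour this user has never been active at."""
        return 0.0 if e.ts.hour in self.profiles[e.user].hours else 1.0

    def host_score(self, e):
        """Categorical vector: a host the user has never used before. A host
        shared by many other users (gateway, terminal server) is discounted."""
        if e.host in self.profiles[e.user].hosts:
            return 0.0
        return 0.3 if len(self.host_users[e.host]) >= 3 else 1.0

    def volume_score(self, e):
        """Continuous vector: z-score of the file count against the user's own
        history, mapped so that z <= 2 scores 0 and z >= 6 scores 1."""
        counts = self.profiles[e.user].file_counts
        if len(counts) < 2:
            return 0.0
        z = (e.files - mean(counts)) / (pstdev(counts) or 1.0)
        return max(0.0, min(1.0, (z - 2.0) / 4.0))

    def score(self, e):
        vectors = {"time": self.time_score(e), "host": self.host_score(e),
                   "volume": self.volume_score(e)}
        abnormal = [k for k, v in vectors.items() if v >= self.FLAG]
        return {"user": e.user, "risk": round(sum(vectors.values()), 2),
                "vectors": vectors, "abnormal": abnormal,
                "alert": len(abnormal) >= self.MIN_VECTORS}


def build_history():
    """Constructed 10-day history: alice works at 09/11/14/16h on WS-ALICE and
    touches 10-28 files per session; three other users share host VPN-GW."""
    hist = []
    for day in range(1, 11):
        for hour in (9, 11, 14, 16):
            hist.append(Event("alice", datetime(2024, 3, day, hour), "WS-ALICE",
                              10 + (day * hour) % 21))
    for user in ("bob", "carol", "dave"):
        hist.append(Event(user, datetime(2024, 3, 1, 9), "VPN-GW", 12))
    return hist


def demo():
    model = BehaviourModel(build_history())
    probes = [
        Event("alice", datetime(2024, 3, 12, 11), "WS-ALICE", 25),  # normal day
        Event("alice", datetime(2024, 3, 12, 3), "WS-ALICE", 20),   # odd hour only
        Event("alice", datetime(2024, 3, 12, 9), "VPN-GW", 20),     # new but shared host
        Event("alice", datetime(2024, 3, 12, 3), "FS-HR", 400),     # odd hour + new host + bulk
    ]
    return [model.score(p) for p in probes]


if __name__ == "__main__":
    for r in demo():
        print(r["risk"], r["abnormal"], "ALERT" if r["alert"] else "ok")
```

Of the four probes only the last one alerts: an odd hour alone, or a first visit to a widely shared host, each score on a single vector and stay below the two-vector rule, which is the point of multivariate scoring.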
User Threat Detection Alerts
• 80,600 users, analysis over 60 days
• 387 Million raw events
• 1,153* threat indicators (from 109,600 raw events)
• 304 SMART alerts: that's 5 alerts a day!
• 180 risky users
*Tens of thousands of additional indicators were discarded as they were not scored high or correlated with related suspicious behavior
Change Auditor Threat Detection
• Identifies real-time risk level of user activity
• Drastically consolidates potential incidents
• Automates alert prioritization
• Reduces false positives
• Highlights actionable alerts in context for accelerated investigation
Why Change Auditor Threat Detection?
• Optimized for Change Auditor modules out-of-the-box
  – Plug-and-play AD and Windows security solution for AD admins
• Does not rely on native Windows logs
  – No gaps in critical AD changes and file activity
• Reduces the sea of noise from false positive alerts
  – By using dynamically adapting unsupervised machine learning
• No configuration required
  – Administrator input, alert definition and model tuning are unnecessary
• Minimal infrastructure for existing Change Auditor customers
  – Existing customers only require a single, additional server
Use Cases
Use Cases
• Brute force attack
• Data exfiltration
• Snooping user
• Abnormal AD activity
• Malware
• Abnormal system access
• Scripted account use
• Privilege elevation
• Lateral movement
Abnormal AD activity
Use Case: A first-level helpdesk representative is normally only responsible for unlocking disabled user accounts and resetting their passwords, but has suddenly begun creating new user accounts in AD.
• Attempting to exploit compromised credentials
• Compromised account is being used to corrupt or destroy critical directory data
• Interactive privileged account being used to run scripts
Abnormal activity in Active Directory puts your entire forest at risk.
Indicators:
• Spike in the volume of changes to AD
• User performing actions that are not part of their standard routine
• Users making membership changes to privileged AD groups
• Abnormal number of failed AD changes
CATD License
Abnormal AD Activity • Abnormal AD activity
Snooping User
Use Case: An internal user who is inappropriately curious might attempt to browse servers and folders that they shouldn't be accessing, such as salary information or reorg plans.
• A user accessing resources and files that aren't appropriate for their role, even though permissions aren't necessarily locked down
• Could be a user that is not actively malicious but inappropriately curious
Change Auditor Threat Detection alerts you to users attempting to access data they shouldn't access.
Indicators:
• A high number of file access attempts in a short period of time
• A high number of failed file access events
• Attempts to access file servers and folders the user has never, or rarely, accessed in the past
CATD License
Snooping User
Data exfiltration or destruction
Use Case: Could be perpetrated by cybercriminals or rogue employees.
• Unauthorized copying or transfer of data from a computer using any of multiple techniques
• User is attempting the malicious destruction of data
Change Auditor Threat Detection identifies users who might be attempting to steal or destroy your data.
Indicators:
• An excessive number of file access or file move events
• An excessive number of file delete events
CATD License
Data exfiltration or destruction • Data exfiltration
Brute-force attack
Use Case: By correlating failed logons with other user actions, Change Auditor Threat Detection can alert you to true brute-force attacks without drowning you in false positives.
• Attackers repeatedly try to guess a user's password
• Worms or other malware designed to identify user accounts and attempt to crack their passwords using password dictionaries
Traditionally, 44% of alerts go unexplored: too many alerts.
Indicators:
• Abnormal failed authentication attempts
CATD License
Brute-force attack • Brute force authentication
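The indicators listed on the four use-case slides above (abnormal AD activity, snooping user, data exfiltration or destruction, brute-force attack), as an added example that is not Quest's code: a small rule set run over constructed 5W-style events (who, what, object, when, where, result). Thresholds, role routines and the event field names are assumptions. The brute-force rule correlates the failed-logon burst with a later successful logon on the same account, and a user is alerted on only with two independent indicators or one high-severity indicator, which is what keeps a couple of mistyped passwords out of the alert queue.

```python
"""Indicator rules for the four use cases, over constructed 5W-style events.
Added example (not Quest code); thresholds, roles and fields are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

AD_ACTIONS = {"UserCreated", "UserUnlocked", "PasswordReset", "GroupMemberAdded"}
ROLE_ROUTINE = {"helpdesk": {"UserUnlocked", "PasswordReset"}, "staff": set()}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=10)
THRESHOLDS = {"failed_logons": 10, "file_reads": 50, "failed_reads": 20,
              "file_moves": 30, "file_deletes": 30}  # assumed values


def burst(events, pred):
    """Largest number of events matching pred inside any WINDOW-long span."""
    hits = sorted(e["when"] for e in events if pred(e))
    best = start = 0
    for i, t in enumerate(hits):
        while t - hits[start] > WINDOW:
            start += 1
        best = max(best, i - start + 1)
    return best


def indicators_for(role, events):
    """Return (name, severity, evidence) tuples for one user's events."""
    ind = []
    # Abnormal AD activity: actions outside the role's routine, privileged group changes
    off_routine = sorted({e["what"] for e in events if e["what"] in AD_ACTIONS
                          and e["what"] not in ROLE_ROUTINE.get(role, set())})
    if off_routine:
        ind.append(("off-routine AD action", "medium", off_routine))
    priv = burst(events, lambda e: e["what"] == "GroupMemberAdded"
                 and e["object"] in PRIVILEGED_GROUPS)
    if priv:
        ind.append(("privileged group membership change", "high", priv))
    # Snooping user: many file accesses in a short time, many of them denied
    reads = burst(events, lambda e: e["what"] == "FileRead")
    if reads >= THRESHOLDS["file_reads"]:
        ind.append(("file access burst", "medium", reads))
    denied = burst(events, lambda e: e["what"] == "FileRead" and e["result"] == "failure")
    if denied >= THRESHOLDS["failed_reads"]:
        ind.append(("failed file access burst", "medium", denied))
    # Data exfiltration or destruction: excessive copy/move or delete events
    moves = burst(events, lambda e: e["what"] in ("FileCopy", "FileMove"))
    if moves >= THRESHOLDS["file_moves"]:
        ind.append(("excessive file copy/move", "medium", moves))
    deletes = burst(events, lambda e: e["what"] == "FileDelete")
    if deletes >= THRESHOLDS["file_deletes"]:
        ind.append(("excessive file delete", "medium", deletes))
    # Brute force: failed logon burst, correlated with a success shortly after it
    fails = [e["when"] for e in events if e["what"] == "Logon" and e["result"] == "failure"]
    if burst(events, lambda e: e["what"] == "Logon" and e["result"] == "failure") >= THRESHOLDS["failed_logons"]:
        last_fail = max(fails)
        guessed = any(e["what"] == "Logon" and e["result"] == "success"
                      and timedelta(0) <= e["when"] - last_fail <= WINDOW for e in events)
        ind.append(("failed logon burst" + (" followed by success" if guessed else ""),
                    "high" if guessed else "medium", len(fails)))
    return ind


def analyse(events, roles):
    """{user: {"indicators": [...], "alert": bool}}; an alert needs two
    indicators or one high-severity indicator."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["who"]].append(e)
    report = {}
    for user, evs in per_user.items():
        ind = indicators_for(roles.get(user, "staff"), evs)
        report[user] = {"indicators": ind,
                        "alert": len(ind) >= 2 or any(s == "high" for _, s, _ in ind)}
    return report


def sample_events():
    """Constructed events for five users; minute offsets from an arbitrary start."""
    t0 = datetime(2024, 3, 12, 9, 0)

    def mk(who, what, obj, minute, where, result="success"):
        return {"who": who, "what": what, "object": obj, "where": where,
                "when": t0 + timedelta(minutes=minute), "result": result}
    ev = [mk("helpdesk01", "UserUnlocked", f"CN=user{i}", i, "HD-WS01") for i in range(3)]
    ev += [mk("helpdesk01", "UserCreated", f"CN=newuser{i}", 5 + i, "HD-WS01") for i in range(4)]
    ev.append(mk("helpdesk01", "GroupMemberAdded", "Domain Admins", 9, "HD-WS01"))
    ev += [mk("bob", "FileRead", f"\\\\FS-HR\\salary\\{i}.xlsx", i // 12, "WS-BOB",
              "failure" if i < 25 else "success") for i in range(60)]
    ev += [mk("mallory", "FileCopy", f"\\\\FS01\\projects\\{i}.docx", i // 10, "WS-MAL") for i in range(40)]
    ev += [mk("mallory", "FileDelete", f"\\\\FS01\\projects\\{i}.docx", 5 + i // 10, "WS-MAL") for i in range(35)]
    ev += [mk("ceo", "Logon", "DC01", i // 6, "ATTACK-WS", "failure") for i in range(30)]
    ev.append(mk("ceo", "Logon", "DC01", 6, "ATTACK-WS"))
    ev += [mk("alice", "Logon", "DC01", 0, "WS-ALICE", "failure") for _ in range(2)]
    ev.append(mk("alice", "Logon", "DC01", 1, "WS-ALICE"))
    ev += [mk("alice", "FileRead", f"\\\\FS01\\team\\{i}.docx", 10 + i, "WS-ALICE") for i in range(10)]
    return ev


if __name__ == "__main__":
    for user, r in analyse(sample_events(), {"helpdesk01": "helpdesk"}).items():
        print(user, "ALERT" if r["alert"] else "ok", r["indicators"])
```

Running it flags helpdesk01 (off-routine account creation plus a Domain Admins change), bob (file access burst plus denied reads), mallory (copies plus deletes) and the ceo account (thirty failed logons followed by a success), while alice's two typos and ten file reads produce no indicator at all.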
Malware example from Quest
Recommendations
More recommendations