RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List

Feb 15, 20173 likes3,021 views

If there is a weakness in your IT security system, wouldn’t it be better to find it before someone else does? As long as we are aware about the value of the resources to be protected, why don’t we put ourselves into the hacker’s role and perform like they do? You will become familiar with the mandatory tasks that are performed by hackers to check for misconfigurations and vulnerabilities.

SESSION ID:SESSION ID:
#RSAC
Paula Januszkiewicz
Hacker’s Perspective on Your Windows
Infrastructure: Mandatory Check List
TECH-W10
CEO, Security Expert, Penetration Tester & Trainer, MVP
CQURE
@paulacqure | paula@cqure.us

#RSAC
Session Goal
Be familiar with the possibilities of the operating
system
From the user mode and kernel mode
We are NOT talking about the forensics!
… just doing a little hacking + conclusions
My goal: See one of the ways hacker can act

#RSAC
Attack Users
Users
Users rarely have software up to date
Awareness issues
... But for hacker it may be not enough
Administrators
Local account
Password reuse for workstations
Different password for workstations
Domain account
Domain user being local administrator
Domain administrator

#RSAC
Make your backdoor persistent
Services
DLLs
Startup (Menu Start)
Task Scheduler
LSA Providers
Run, Run Once
GPO
Notification Package
Winlogon
Image Hijacking
Drivers
Etc.

#RSAC
Stay undetected
If you are not ready to
attack: stay stealth and do
not change the system
behavior
Hide your traces
Processes
Files
Infrastructure performance
Network traffic
Server / Client Platform Performance

#RSAC
Use victims to attack more targets
Create the remotely
controlled network
Automate next scans
Create your own botnet
What can be the hacker’s goal
in your infrastructure?

#RSAC
Apply
Offline access protection, implementation of solutions like BitLocker.
Implementation of the process execution prevention (AppLocker etc.)
Log centralization, log reviews - searching for the anomalies, certain log error
codes. Performing the regular audits of code running on the servers (fe.
Autoruns).
Maintenance: Backup implementation and regular updating.
Review of the services running on the accounts that are not built in. Change them
to gMSAs where possible, set up SPNs.
Get rid of NETBIOS. Try to avoid NTLMv2, especially if you do not have AppLocker
in place or SMB Signing.
Client protection: Implement of the anti-exploit solutions.

#RSAC
Apply What You Have Learned Today
Next week you should:
Implement Local Admin Password Management or other password management solution
Build the plan of the periodical configuration reviews and penetration tests (security checks)
In the first three months following this presentation you should:
Implement the Security Awareness Program among employees and technical training for
administrators
Review the configuration of client-side firewall and enabling the programs that can
communicate through the network
Limit of the amount of services running on the servers (SCW and manual activities)
Within six month you should:
Implement scoping (role management) for permissions and employee roles (SQL Admins,
Server Admins etc.)
Review network segmentation (+ IPSec Isolation, DNSSec etc.)

The document outlines the key skills needed for advanced Windows security in 2017 according to experts from CQURE. It identifies 12 crucial skills: 1) machine learning for threat protection, 2) incident response planning, 3) malware analysis sandboxes, 4) whitelisting, 5) privileged access management, 6) hardware-based credential protection, 7) PowerShell mastery, 8) communicating security to managers, 9) event tracing, 10) log centralization, 11) mastering Windows Server 2016, and 12) self-testing. It then describes CQURE's advanced online Windows security course for 2017 which will cover these skills over 12 sessions.

The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz

12 Crucial Windows Security Skills for 2018Paula Januszkiewicz

The document outlines 12 crucial Windows security skills for 2018 according to security experts at CQURE. The skills are organized into 12 groups: 1) Platform Security & Internals, 2) Attacks On Credentials & Prevention Solutions, 3) PowerShell As A Hacking Tool, 4) Office 365 Security, 5) Raising the bar for malware, 6) Microsoft SQL Server Security, 7) Improving security with Azure, 8) Virtualization based security, 9) Machine Learning for Security, 10) Windows 2016 security and infrastructure improvements, 11) Practical Public Key Infrastructure, and 12) Advanced Monitoring and Auditing. The document provides brief descriptions of the types of skills covered in each group.

rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz

[CQURE] Top 10 ways to make hackers excited: All about the shortcuts not worth taking Designing a secure architecture can always be more expensive, time-consuming, and complicated. But does it make sense to cut corners when hackers invent new attacks every day? Taking shortcuts will sooner or later translate to more harm and backfire. Learn what mistakes we eliminated when working with our customers.

Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz

This document contains summaries from a presentation on various cybersecurity topics: 1) Windows Firewall configuration is often misconfigured and does not provide detailed logging or filtering capabilities. Firewalls are best used to segment networks and control which processes can communicate internally or externally. 2) Password reuse is common, with variants of company names and numbers often used. Continuous security awareness is needed to mitigate weak passwords. 3) Privileged accounts and service accounts pose risks as their passwords are stored in the registry and accessible offline. User privileges can be higher than expected, allowing access to sensitive system hives. 4) Third-party security tools also contain weaknesses that must be understood to ensure effective security. Configuration management

30 Cybersecurity Skills You Need To Become a Windows Security Pro Paula Januszkiewicz

Did you miss the webinar: How To Hack Your Way to Windows Security Proficiency? Its replay is not available anymore but — due to high demand — we decided to give you access to its slideshare. It was our first ever webinar for cyber Newbies… and the house was on fire! You guys have so much passion for this field, it’s really heartwarming to see. Looking forward to doing it again, very soon!

Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingPaula Januszkiewicz

Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz

Antivirus is dead-long live the antivirus! In the proverbial cat-and-mouse game of cybersecurity neither the attacker nor the defender can maintain their advantage for very long. But the bad guys don’t exactly take this challenge – they respond with their own bypass ideas. During this session we strive to understand if antivirus is really dead and if it has reached the status where it should not be the only protection used. I demonstrated techniques of bypassing the antivirus mechanisms and show tactics used today by malware that allow it to run and what are the prevention methods to avoid being attacked by the newest innovations.

Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz

Cybercrime is a very lucrative business not just because of the potential financial return, but because it quite easy to get away with. Sometimes hackers get caught, but most of the time they still run free. When it comes to operating system and after-attack traces, it is not that bad as all traces are gathered in one place – your infrastructure. Even though hackers use techniques to remain on the loose, it is possible by using forensic techniques to gather evidence in order to demonstrate what actually happened. During this super intense session, I demonstrated techniques used by hackers to hide traces and forensic techniques that indicate how these activities were performed.

RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz

RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...Paula Januszkiewicz

Cybercrime is a very lucrative business not just because of the potential financial return, but because it’s quite easy to get away with it. Sometimes hackers get caught, but most of the time they still run free. When it comes to operating systems and after-attack traces, it is not that bad as all traces are gathered in one place—your infrastructure. Even though hackers use techniques to remain on the loose, it is possible by using forensic techniques to gather evidence in order to demonstrate what actually happened. During this super intense session, Paula demonstrated techniques used by hackers to hide traces and forensic techniques that indicate how these activities were performed. Extremely technical session!

Gartner Security & Risk Management Summit 2018Paula Januszkiewicz

Fatal signs: 10 symptoms when you think you’ve been hackedPaula Januszkiewicz

Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz

Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm

The document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.

Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz

AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault

Due to the recent, well-publicized events involving celebrities and their private photos, the phrase “brute-force attack” has become the web’s newest buzzword. As an IT professional, it’s vital that you detect brute force attacks as quickly as possible so you can shut them down before the damage is done. Join us for a live demo, where we’ll demonstrate a brute force attack (simulated, of course!) and show how AlienVault USM can help you detect an (attempted) intruder and investigate the attack. You'll learn: How attackers can use brute force attacks to gain access to your network Measures you can take to better secure your environment and prevent these attacks How AlienVault USM alerts you immediately of brute force attack attempts, giving you valuable time to shut it down How to use AlienVault USM to investigate an attack and identify compromised assets

Hardening Database ServerFahri Firdausillah

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference

Matt Nelson, SpecterOps A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless if these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard and how these bypasses are useful to attackers in an operational context. Some examples include: UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions; such as dumping credentials from memory. AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript. Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected. I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.

BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference

This document discusses Windows Credential Manager and how attackers can target it. It provides an overview of Credential Manager, how it stores login credentials, and how applications interface with it. It then outlines how the Windows Defender ATP security solution protects credentials by collecting Windows event logs and other telemetry, using its cloud-based machine learning to detect anomalies and known threat patterns that could indicate credential theft.

Content Security Policy - Lessons learned at YahooBinu Ramakrishnan

Windows networkJithesh Nair

This document discusses securing Windows networks. It begins with discussing hacker personas and common security mistakes made. It then covers securing Windows networks by discussing system administrator personas, threats like password attacks and remote code execution vulnerabilities, and countermeasures. It also discusses the Microsoft Secure Windows Initiative and staying secure through awareness, vulnerability assessment, and responding to security events. The focus is on implementing security through practices like strong passwords, keeping systems patched, and using tools like the Microsoft Baseline Security Analyzer.

Shields up - improving web application securityKonstantin Mirin

Hacker techniques for bypassing existing antivirus solutions & how to build a...BeyondTrust

For a long time, many organizations could make a safe enough bet relying on antivirus and firewall to protect against threats. However, today’s sophisticated attackers and malware are adept at evading those defenses. In this presentation from her on-demand webinar, enterprise security MVP, Paula Januszkiewicz, puts on her hacker cap and walks you through: - Techniques of bypassing the antivirus mechanisms - Tactics used today by malware that allows it to run - Prevention methods to avoid being attacked by the newest cybercriminals’ innovations - Why least privilege security is essential for defending against hackers BeyondTrust’s PowerBroker for Windows Product Manager, Jason Silva, caps off this webinar by showing attendees how eliminating admin rights and elevating rights to secure applications only, can help augment traditional antivirus solutions and keep you protected against more sophisticated threats. You can find the full webinar recording here: https://www.beyondtrust.com/resources/webinar/hacker-techniques-bypassing-existing-antivirus-solutions-build-defense-least-privilege/

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault

With a focus on simplifying asset management, OSSIM v5.0 (available 4/20) makes it faster and easier than ever to get the insights you need. Join us for this user training to learn how to get the most out of these new enhancements: Assign custom labels for assets, groups and networks Search, filter and group assets by OS, IP address, device type, custom labels and more Run vulnerability and asset scans on custom asset groups with one click Filter by asset groups in alarms, security events and raw logs Update configuration, sensor assignment, asset value and more on multiple assets and groups of assets at once ...and more!

Virtual Networking Security - Network SecurityEng Teong Cheah

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference

Alban Diquet, Data Theorem Thomas Sileo, Data Theorem Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS. We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings. First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are. Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found. Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.

BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference

The document discusses open source software (OSS) security issues and strategies for addressing vulnerabilities. It notes that while open development allows many eyeballs to find bugs, in reality most don't know what to look for and vulnerabilities are still regularly found. It then provides data on vulnerabilities reported over time for several major OSS projects. The document advocates applying a secure development lifecycle and vulnerability management process to address issues early. It also discusses automating scanning of code and binaries for vulnerabilities and integrating these tools into developer workflows.

The RIPE ExperienceDigital Bond

Windows Service HardeningDigital Bond

More Related Content

What's hot (20)

Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz

RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz

RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...Paula Januszkiewicz

Gartner Security & Risk Management Summit 2018Paula Januszkiewicz

Fatal signs: 10 symptoms when you think you’ve been hackedPaula Januszkiewicz

Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz

Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm

Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz

AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault

Hardening Database ServerFahri Firdausillah

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference

BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference

Content Security Policy - Lessons learned at YahooBinu Ramakrishnan

Windows networkJithesh Nair

Shields up - improving web application securityKonstantin Mirin

Hacker techniques for bypassing existing antivirus solutions & how to build a...BeyondTrust

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault

Virtual Networking Security - Network SecurityEng Teong Cheah

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference

BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference

Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz

RSA Conference 2017 session: What System Stores on the Disk Without Telling YouPaula Januszkiewicz

RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...Paula Januszkiewicz

Gartner Security & Risk Management Summit 2018Paula Januszkiewicz

Fatal signs: 10 symptoms when you think you’ve been hackedPaula Januszkiewicz

Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz

Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm

Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz

AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault

Hardening Database ServerFahri Firdausillah

BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference

BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference

Content Security Policy - Lessons learned at YahooBinu Ramakrishnan

Windows networkJithesh Nair

Shields up - improving web application securityKonstantin Mirin

Hacker techniques for bypassing existing antivirus solutions & how to build a...BeyondTrust

New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault

Virtual Networking Security - Network SecurityEng Teong Cheah

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference

BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference

Viewers also liked (20)

The RIPE ExperienceDigital Bond

Windows Service HardeningDigital Bond

Accelerating OT - A Case StudyDigital Bond

This document summarizes a presentation given by Craig Heilmann of IBM Security Services at the S4 ICS Security Conference in January 2015. The presentation discussed accelerating cyber security for operational technology (OT) using a case study. The case study involved a large manufacturer that wanted to transform its security operations over 5 years but faced constraints. The solution was to focus first on operations using an "elastic and agile" model with processes, operations, and technology improvements to quickly detect, respond, and disrupt attacks. This included enterprise-wide password changes and a security program framework to continuously adapt and mature capabilities over time. Cost modeling was also introduced to better plan and rationalize security spending.

Incubation of ICS Malware (English)Digital Bond

This document discusses SCADA honeypots, which are devices or systems placed on a network with no operational purpose in order to detect attacks. Honeypots can detect attacks since anything accessing them is suspicious as they have no legitimate use. While some debate their effectiveness, honeypots can provide valuable information by allowing researchers to learn how attackers work when they interact with the honeypot. The level of interaction and visibility of the honeypot must be considered to balance obtaining useful data with security risks.

Internet Accessible ICS in Japan (English)Digital Bond

S4xJapan Closing KeynoteDigital Bond

Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond

This document discusses security issues related to accessing and controlling vehicles via OBD-II ports, drawing comparisons to struggles securing industrial control systems. It notes that accessing these systems often means compromising them, as protocols were designed without security. While an analysis of a Progressive Snapshot dongle found no security precautions, lessons from securing critical infrastructure suggest restricting access and implementing least privilege. The document advocates learning from past ICS mistakes to develop secure vehicle protocols and modules.

Vulnerability Inheritance in ICS (English)Digital Bond

This document discusses vulnerability inheritance in programmable logic controllers (PLCs) from third-party libraries and software. It provides a specific example of vulnerabilities found in the CoDeSys runtime and engineering software used by hundreds of industrial control system vendors. The document outlines how two major Japanese PLC vendors were found to be affected by these vulnerabilities due to their use of CoDeSys, and concludes that vendors need to implement secure development practices like security testing to prevent inheriting vulnerabilities from third-party components.

Dynamic Zoning Based On Situational Activity in ICS (Japanese)Digital Bond

Remote Control Automobiles at ESCAR US 2015Digital Bond

KerberosSutanu Paul

This document provides an overview of Kerberos, including: - Kerberos is an authentication protocol that uses symmetric encryption and timestamps to allow nodes communicating over an insecure network to verify each other's identity securely. - It works by having a client first authenticate with an authentication server to obtain a ticket-granting ticket, then uses that ticket to obtain additional tickets for access to other services. - Kerberos addresses the need for secure authentication in distributed network environments where the workstations themselves cannot be fully trusted.

The Stuxnet Worm creation processAjay Ohri

Survey and Analysis of ICS Vulnerabilities (Japanese)Digital Bond

Hacker Halted 2016 - How to get into ICS securityChris Sistrunk

ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond

Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy

This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.

BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy

This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

PT - Siemens WinCC Flexible Security Hardening Guideqqlan

This document provides guidance on hardening the security of Siemens Simatic WinCC Flexible 2008 human-machine interface (HMI) software. It outlines configuration steps to strengthen the operating system, database management system, additional protection measures, WinCC Flexible system parameters, runtime security settings, access settings, Sm@rtServer security, MiniWeb security, OPC server security, web service security, and SMTP security. The document contains over 10 sections with over 100 specific configuration recommendations to lock down the WinCC Flexible 2008 system and protect industrial assets.

Golden ticket, pass the ticket mi tm kerberos attacks explainedPeter Swedin

This document discusses Kerberos attacks and defenses against them. It describes how Kerberos single sign-on authentication works and some common attacks such as man-in-the-middle attacks, downgrade attacks, pass-the-ticket attacks, and creating a "golden ticket". It recommends ways to harden Kerberos security, such as using newer domain controllers, AES encryption, strict KDC validation, separate client networks, and changing the KRBTGT password regularly. Detecting pass-the-ticket attacks is difficult but a SIEM solution may help determine if tickets are being used inappropriately.

DEF CON 23 - NSM 101 for ICSChris Sistrunk

Chris Sistrunk discussed implementing network security monitoring (NSM) on industrial control systems (ICS). NSM involves collecting network data through tools like Security Onion, analyzing the data to detect anomalies, and investigating anomalies to identify potential threats. While ICS networks pose different challenges than typical IT networks, the same NSM methodology of collection, detection, and analysis can be applied. Free and open source tools like Security Onion allow implementing NSM on ICS to hunt for threats without disrupting operations. The most important part of NSM is having knowledgeable people to interpret data and identify what is normal versus potentially malicious activity on the network.

The RIPE ExperienceDigital Bond

Windows Service HardeningDigital Bond

Accelerating OT - A Case StudyDigital Bond

Incubation of ICS Malware (English)Digital Bond

Internet Accessible ICS in Japan (English)Digital Bond

S4xJapan Closing KeynoteDigital Bond

Attacking and Defending Autos Via OBD-II from escar AsiaDigital Bond

Vulnerability Inheritance in ICS (English)Digital Bond

Dynamic Zoning Based On Situational Activity in ICS (Japanese)Digital Bond

Remote Control Automobiles at ESCAR US 2015Digital Bond

KerberosSutanu Paul

The Stuxnet Worm creation processAjay Ohri

Survey and Analysis of ICS Vulnerabilities (Japanese)Digital Bond

Hacker Halted 2016 - How to get into ICS securityChris Sistrunk

ICS Security Training ... What Works and What Is Needed (Japanese)Digital Bond

Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy

BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy

PT - Siemens WinCC Flexible Security Hardening Guideqqlan

Golden ticket, pass the ticket mi tm kerberos attacks explainedPeter Swedin

DEF CON 23 - NSM 101 for ICSChris Sistrunk

Similar to RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List (20)

Red team-view-gaps-in-the-serverless-application-attack-surfacePriyanka Aash

The document discusses security gaps in serverless architectures and tactics that red teams use to exploit them. It provides examples of abusing undocumented APIs, extracting keys from mobile apps, and discovering non-production infrastructure. Solutions proposed include implementing key protections, restricting API access, scoping assessments, and properly securing cloud storage layers and development environments.

Vulnerability Management: How to Think Like a Hacker to Reduce RiskBeyondTrust

Watch the full webinar recording here: https://www.beyondtrust.com/resources/webinar/vulnerability-management-how-to-think-like-a-hacker-to-reduce-risk/ This is the presentation from Security MVP, and CEO at CQURE, Paula Januszkiewicz's thought-provoking webinar on how to get inside the mind of a hacker to better manage risk and shore up organizational cyber-defenses. Pen testing is not enough! And, while identifying, classifying, remediating, and mitigating vulnerabilities are all cornerstones of effective vulnerability management, in practice, they are often inadequately implemented. Often, the best-designed strategies and VM implementations rely on experience. Check out the presentation to get a taste of the webinar: - Learn how to improve vulnerability identification and strengthen your systems - Look over the shoulder of an expert, as Paula a demo of how to exploit systems and how (from the hacker perspective) you can learn to defuse such exploits! Watch the webinar: https://www.beyondtrust.com/resources/webinar/vulnerability-management-how-to-think-like-a-hacker-to-reduce-risk/

Cloud security : Automate or diePriyanka Aash

Much has been said about DevOps and SecDevOps for security automation and integration. However, to many in the security community, this is still a buzzword. There are many practical applications of automation in cloud security controls, however, across all security-related disciplines. This talk will delve into concrete examples of security automation in the cloud, with metrics examples, as well. (Source : RSA Conference USA 2017)

Pragmatic Security Automation for CloudPriyanka Aash

Everything in cloud computing is automated and API-enabled, giving security teams a big opportunity to build and embed security into infrastructures. From continuous guardrails to automated "afterburners" to speed up complex processes, this advanced session leverages the latest software-defined security techniques and shows how to integrate automation. Be prepared for demos, design patterns and a little code. (Source: RSA Conference USA 2018)

Building an Enterprise-scale DevSecOps Infrastructure: Lessons LearnedPrateek Mishra

The DevSecOps concept is widely accepted yet its implementation at enterprise-scale presents challenges. This session will describe three challenges and software solutions that address them: 1) dozens of autonomous teams using varied tooling to build applications; 2) use of many different scanning tools and security information sources; and 3) Identity and context aware security guidance to development teams.

Corpsec: “What Happened to Corpses A and B?”Priyanka Aash

Living BeyondCorp comes with its own challenges. This talk will dive into how Duo gets our hands around difficult problems regarding the security and management of cloud services and endpoints internally. This session will cover technical details of our security orchestration and automation approach, cloud service monitoring, and chatops-driven endpoint application whitelisting strategies. (Source: RSA Conference USA 2018)

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash

Tips to Remediate your Vulnerability Management ProgramBeyondTrust

In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers: - The key phases and activities of the vulnerability management lifecycle - The tools you need for an effective vulnerability management program - How to prioritize your VM needs - How an effective VM program can help you measurably reduce risk and meet compliance objectives You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program

DevSecOps in Baby StepsPriyanka Aash

The document discusses moving from traditional security practices to a DevSecOps model where security is integrated into the development lifecycle. It encourages making DevOps the security team's job, hardening the development toolchain, planning security epics and user stories, and sprinting to automate security practices. Specific examples provided include building an AWS Lambda function to respond to CloudTrail events and using AWS CodeDeploy for security tasks like imaging instance memory.

DevSecOps in Baby StepsPriyanka Aash

13. Neville Varnham - PeopleSoft Cyber SecurityCedar Consulting

Neville Varnham discusses various cyber security threats related to PeopleSoft systems. He notes that ransomware schemes now allow technically illiterate criminals to conduct cyber attacks. Password cracking software can crack simple passwords in under a minute. The document also discusses a past university data breach involving PeopleSoft after a student was able to access a database with Social Security numbers. Varnham provides an overview of steps organizations can take to harden their PeopleSoft security, such as enabling encryption, implementing password policies, and ensuring proper logging and auditing.

Abhishek-New (1)Abhishek Sa

Abhishek Narasimhan is a security analyst with over 5 years of experience in SIEM, security management, and incident response. He is currently working as a senior analyst at Accenture responsible for monitoring SIEM solutions and isolating infected hosts. Previously he worked as a senior security engineer and team lead at HCL Technologies where he implemented and managed SIEM tools like RSA Envision. He has expertise in network security, penetration testing, and forensics.

Brochure Swascan OverviewSara Colnago

The document describes SWASCAN, an all-in-one cloud security suite platform that offers web application scanning, network scanning, and code review services. The suite provides automated security testing and vulnerability identification for web applications, networks, and source codes. It allows customization of service length and number of targets analyzed. The platform aims to help users comply with regulations, identify security issues, and reduce risks through an integrated SaaS model.

Swascan Pierguido Iezzi

IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsLance Peterman

The threat landscape for exploiting privileged credentials is changing rapidly. How is your privileged access management program keeping up? The central challenge in any PAM effort is a confluence of adapting to changing threat vectors and technology upheaval in the enterprise. This talk will review how PAM has evolved, how the threats have changed and some new tactics to reduce risk in this area.

Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash

The SDLC has been the model for web application security over the last decade. However, the SDLC was originally designed in a Waterfall world and often causes more problems than it solves in the shift to agile, DevOps and CI/CD. This talk will share actionable tips on the most effective application security techniques in today’s increasingly rapid environment of application creation and delivery. (Source : RSA Conference USA 2017)

OWASP Secure Coding Quick Reference GuideAryan G

This document provides a checklist of secure coding practices for software developers. It covers topics such as input validation, output encoding, authentication, session management, access control, cryptography, error handling, data protection, and general coding practices. Implementing the practices in this checklist can help mitigate common software vulnerabilities and security issues. The document recommends defining security roles and responsibilities, providing training, and following a secure software development lifecycle model.

Securing your web applications a pragmatic approachAntonio Parata

Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash

Moving critical workloads into the cloud can be unnerving for security professionals. In reality, though, the cloud offers a whole new set of opportunities for the security team to do things even better than in their on-premises environment. Two seasoned cloud experts will explore the latest real-world, practical tools and techniques for becoming demonstrably more secure as you move to the cloud. (Source: RSA USA 2016-San Francisco)

AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling

The document discusses securing modern applications in AWS. It begins with an overview of the risk profile of modern applications, noting that they often incorporate a large amount of open source code and are deployed rapidly using containers and infrastructure as code. It then demonstrates how to "live hack" an application running on AWS. Next, it discusses how Snyk can help prevent such exploits by empowering developers, automating fixes, and providing security throughout the entire codebase. It also outlines additional security practices like minimizing container footprints, using secrets safely, and implementing network policies. Finally, it promotes attending additional security sessions and provides references for further reading.

Red team-view-gaps-in-the-serverless-application-attack-surfacePriyanka Aash

Vulnerability Management: How to Think Like a Hacker to Reduce RiskBeyondTrust

Cloud security : Automate or diePriyanka Aash

Pragmatic Security Automation for CloudPriyanka Aash

Building an Enterprise-scale DevSecOps Infrastructure: Lessons LearnedPrateek Mishra

Corpsec: “What Happened to Corpses A and B?”Priyanka Aash

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash

Tips to Remediate your Vulnerability Management ProgramBeyondTrust

DevSecOps in Baby StepsPriyanka Aash

13. Neville Varnham - PeopleSoft Cyber SecurityCedar Consulting

Abhishek-New (1)Abhishek Sa

Brochure Swascan OverviewSara Colnago

Swascan Pierguido Iezzi

IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsLance Peterman

Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash

OWASP Secure Coding Quick Reference GuideAryan G

Securing your web applications a pragmatic approachAntonio Parata

Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash

AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling

Recently uploaded (20)

Handling Multiple Choice Responses: Fortune Effiong.pptxAuthorAIDNationalRes

Biophysics Chapter 3 Methods of Studying Macromolecules.pdfPKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan.

This chapter provides an in-depth overview of the viscosity of macromolecules, an essential concept in biophysics and medical sciences, especially in understanding fluid behavior like blood flow in the human body. Key concepts covered include: ✅ Definition and Types of Viscosity: Dynamic vs. Kinematic viscosity, cohesion, and adhesion. ⚙️ Methods of Measuring Viscosity: Rotary Viscometer Vibrational Viscometer Falling Object Method Capillary Viscometer 🌡️ Factors Affecting Viscosity: Temperature, composition, flow rate. 🩺 Clinical Relevance: Impact of blood viscosity in cardiovascular health. 🌊 Fluid Dynamics: Laminar vs. turbulent flow, Reynolds number. 🔬 Extension Techniques: Chromatography (adsorption, partition, TLC, etc.) Electrophoresis (protein/DNA separation) Sedimentation and Centrifugation methods.

apa-style-referencing-visual-guide-2025.pdfIshika Ghosh

Title: A Quick and Illustrated Guide to APA Style Referencing (7th Edition) This visual and beginner-friendly guide simplifies the APA referencing style (7th edition) for academic writing. Designed especially for commerce students and research beginners, it includes: ✅ Real examples from original research papers ✅ Color-coded diagrams for clarity ✅ Key rules for in-text citation and reference list formatting ✅ Free citation tools like Mendeley & Zotero explained Whether you're writing a college assignment, dissertation, or academic article, this guide will help you cite your sources correctly, confidently, and consistent. Created by: Prof. Ishika Ghosh, Faculty. 📩 For queries or feedback: [email protected]

How to manage Multiple Warehouses for multiple floors in odoo point of saleCeline George

To study Digestive system of insect.pptxArshad Shaikh

Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...Library Association of Ireland

Ultimate VMware 2V0-11.25 Exam Dumps for Exam SuccessMark Soia

GDGLSPGCOER - Git and GitHub Workshop.pptxazeenhodekar

World war-1(Causes & impacts at a glance) PPT by Simanchala Sarab(BABed,sem-4...larencebapu132

New Microsoft PowerPoint Presentation.pptxmilanasargsyan5

How to Subscribe Newsletter From Odoo 18 WebsiteCeline George

One Hot encoding a revolution in Machine learningmomer9505

How to Manage Opening & Closing Controls in Odoo 17 POSCeline George

Understanding P–N Junction Semiconductors: A Beginner’s GuideGS Virdi

Dive into the fundamentals of P–N junctions, the heart of every diode and semiconductor device. In this concise presentation, Dr. G.S. Virdi (Former Chief Scientist, CSIR-CEERI Pilani) covers: What Is a P–N Junction? Learn how P-type and N-type materials join to create a diode. Depletion Region & Biasing: See how forward and reverse bias shape the voltage–current behavior. V–I Characteristics: Understand the curve that defines diode operation. Real-World Uses: Discover common applications in rectifiers, signal clipping, and more. Ideal for electronics students, hobbyists, and engineers seeking a clear, practical introduction to P–N junction semiconductors.

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schoolsdogden2

Algebra 1 is often described as a “gateway” class, a pivotal moment that can shape the rest of a student’s K–12 education. Early access is key: successfully completing Algebra 1 in middle school allows students to complete advanced math and science coursework in high school, which research shows lead to higher wages and lower rates of unemployment in adulthood. Learn how The Atlanta Public Schools is using their data to create a more equitable enrollment in middle school Algebra classes.

Anti-Depressants pharmacology 1slide.pptxMayuri Chavan

Unit 6_Introduction_Phishing_Password Cracking.pdfKanchanPatil34

The ever evoilving world of science /7th class science curiosity /samyans aca...Sandeep Swamy

The Ever-Evolving World of Science Welcome to Grade 7 Science4not just a textbook with facts, but an invitation to question, experiment, and explore the beautiful world we live in. From tiny cells inside a leaf to the movement of celestial bodies, from household materials to underground water flows, this journey will challenge your thinking and expand your knowledge. Notice something special about this book? The page numbers follow the playful flight of a butterfly and a soaring paper plane! Just as these objects take flight, learning soars when curiosity leads the way. Simple observations, like paper planes, have inspired scientific explorations throughout history.

Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Library Association of Ireland

Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Library Association of Ireland

Handling Multiple Choice Responses: Fortune Effiong.pptxAuthorAIDNationalRes

Biophysics Chapter 3 Methods of Studying Macromolecules.pdfPKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan.

apa-style-referencing-visual-guide-2025.pdfIshika Ghosh

How to manage Multiple Warehouses for multiple floors in odoo point of saleCeline George

To study Digestive system of insect.pptxArshad Shaikh

Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...Library Association of Ireland

Ultimate VMware 2V0-11.25 Exam Dumps for Exam SuccessMark Soia

GDGLSPGCOER - Git and GitHub Workshop.pptxazeenhodekar

World war-1(Causes & impacts at a glance) PPT by Simanchala Sarab(BABed,sem-4...larencebapu132

New Microsoft PowerPoint Presentation.pptxmilanasargsyan5

How to Subscribe Newsletter From Odoo 18 WebsiteCeline George

One Hot encoding a revolution in Machine learningmomer9505

How to Manage Opening & Closing Controls in Odoo 17 POSCeline George

Understanding P–N Junction Semiconductors: A Beginner’s GuideGS Virdi

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schoolsdogden2

Anti-Depressants pharmacology 1slide.pptxMayuri Chavan

Unit 6_Introduction_Phishing_Password Cracking.pdfKanchanPatil34

The ever evoilving world of science /7th class science curiosity /samyans aca...Sandeep Swamy

Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Library Association of Ireland

Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Library Association of Ireland

RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List

1. SESSION ID:SESSION ID: #RSAC Paula Januszkiewicz Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List TECH-W10 CEO, Security Expert, Penetration Tester & Trainer, MVP CQURE @paulacqure | [email protected]

2. #RSAC

3. #RSAC

4. #RSAC Agenda

5. #RSAC Session Goal Be familiar with the possibilities of the operating system From the user mode and kernel mode We are NOT talking about the forensics! … just doing a little hacking + conclusions My goal: See one of the ways hacker can act

6. #RSAC Agenda

7. #RSAC Know your victim

8. #RSAC Know the services

9. #RSAC Attack Users Users Users rarely have software up to date Awareness issues ... But for hacker it may be not enough Administrators Local account Password reuse for workstations Different password for workstations Domain account Domain user being local administrator Domain administrator

10. #RSAC The meaning of scripts

11. #RSAC Make your backdoor persistent Services DLLs Startup (Menu Start) Task Scheduler LSA Providers Run, Run Once GPO Notification Package Winlogon Image Hijacking Drivers Etc.

12. #RSAC Stay Persistent

13. #RSAC Stay undetected If you are not ready to attack: stay stealth and do not change the system behavior Hide your traces Processes Files Infrastructure performance Network traffic Server / Client Platform Performance

14. #RSAC Stay undetected

15. #RSAC Leverage your position

16. #RSAC Victim Recon

17. #RSAC Use victims to attack more targets Create the remotely controlled network Automate next scans Create your own botnet What can be the hacker’s goal in your infrastructure?

18. #RSAC Agenda

19. #RSAC Apply Offline access protection, implementation of solutions like BitLocker. Implementation of the process execution prevention (AppLocker etc.) Log centralization, log reviews - searching for the anomalies, certain log error codes. Performing the regular audits of code running on the servers (fe. Autoruns). Maintenance: Backup implementation and regular updating. Review of the services running on the accounts that are not built in. Change them to gMSAs where possible, set up SPNs. Get rid of NETBIOS. Try to avoid NTLMv2, especially if you do not have AppLocker in place or SMB Signing. Client protection: Implement of the anti-exploit solutions.

20. #RSAC Apply What You Have Learned Today Next week you should: Implement Local Admin Password Management or other password management solution Build the plan of the periodical configuration reviews and penetration tests (security checks) In the first three months following this presentation you should: Implement the Security Awareness Program among employees and technical training for administrators Review the configuration of client-side firewall and enabling the programs that can communicate through the network Limit of the amount of services running on the servers (SCW and manual activities) Within six month you should: Implement scoping (role management) for permissions and employee roles (SQL Admins, Server Admins etc.) Review network segmentation (+ IPSec Isolation, DNSSec etc.)

21. #RSAC Apply What You Have Learned Today Next week you should: Implement Local Admin Password Management or other password management solution Build the plan of the periodical configuration reviews and penetration tests (security checks) In the first three months following this presentation you should: Implement the Security Awareness Program among employees and technical training for administrators Review the configuration of client-side firewall and enabling the programs that can communicate through the network Limit of the amount of services running on the servers (SCW and manual activities) Within six month you should: Implement scoping (role management) for permissions and employee roles (SQL Admins, Server Admins etc.) Review network segmentation (+ IPSec Isolation, DNSSec etc.)

RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List (20)

Recently uploaded (20)

RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List