Prior-service Army, pre-war. Both private sector and defense experience.
Man has used firewalls to protect our assets (our flock). Worked very well for a long time – the only security strategy. Flaming brick wall, good to go. Firewalls became more advanced, and so did attacks: evading the firewall, going for the weaker members of the flock.
These days it is difficult to protect the flock. It can be so difficult, in part, because the sheep don’t protect themselves.
So what have we done?
Building fences to corral the sheep. Intended boundaries – the sheep don’t know. This worked pretty well. Then what happened?
The pentesters come in. As soon as ASLR was created, a bypass naturally followed.
Security Development Lifecycle Progress Report, 2004 – 2010: 41 consumer apps, millions of users. DEP without ASLR. Line-of-business apps.
Two drop-down lists. So what’s better than a fence?
Sheepdog
Version 4.0 released June 2013. Version 1.0 released Oct 2009. Both servers and workstations. Free utility from MS; .NET 4.0 – no other dependencies. No signatures or updating. No whitelist or blacklist. No guessing. Just good programming. Part of the Windows 8 STIG.
Blacklisting is dead. HBSS can’t provide good defaults.
So let’s go through an EMET installation
One choice to make. The service is installed and running; launch the client.
This is the GUI. At the bottom is the list of running processes.
Calls to external binary files go through the Import Address Table. Works for both statically and dynamically linked DLLs. Redirects the call to Windows to the shim address. What all this means – you don’t talk to Windows without EMET.
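An added illustration of the mechanism above, written for this page and not taken from EMET (no Windows API is involved; every name is hypothetical): a simulated import table whose slots are function pointers, a shim installed into one slot so it gets control before the real export, and the integrity check a defender runs to spot slots that no longer point where the loader resolved them.

```c
#include <stdio.h>

/* A program never calls an imported export directly: it loads the pointer
 * from an Import Address Table slot and calls through it. Simulated here. */
typedef int (*import_fn)(int);

/* Stand-ins for two imported exports (constructed, not real Windows APIs). */
static int real_open(int handle) { return handle + 1000; }
static int real_write(int bytes) { return bytes; }

enum { SLOT_OPEN = 0, SLOT_WRITE = 1, SLOT_COUNT = 2 };

/* The live IAT: resolved at load time and writable, so a mitigation layer
 * can patch a slot without touching the application's own code. */
static import_fn iat[SLOT_COUNT] = { real_open, real_write };

/* What the loader resolved; the shim forwards here and the integrity
 * check compares the live table against it. */
static const import_fn resolved[SLOT_COUNT] = { real_open, real_write };

static int blocked_calls = 0;

/* The shim gets control first, applies a policy, then forwards. The policy
 * (reject negative arguments) is a placeholder; EMET's real checks differ. */
static int shim_open(int handle) {
    if (handle < 0) { blocked_calls++; return -1; }
    return resolved[SLOT_OPEN](handle);
}

/* Install or remove the redirect: only the table slot changes. */
void install_shim(void) { iat[SLOT_OPEN] = shim_open; }
void remove_shim(void)  { iat[SLOT_OPEN] = resolved[SLOT_OPEN]; }

/* Application code as compiled: an indirect call through the table. */
int app_open(int handle) { return iat[SLOT_OPEN](handle); }
int app_write(int bytes) { return iat[SLOT_WRITE](bytes); }

/* Integrity check: how many slots no longer point at the resolved target. */
int redirected_slots(void) {
    int n = 0;
    for (int i = 0; i < SLOT_COUNT; i++) if (iat[i] != resolved[i]) n++;
    return n;
}
int blocked_count(void) { return blocked_calls; }

int main(void) {
    printf("before hook: redirected=%d open(5)=%d\n", redirected_slots(), app_open(5));
    install_shim();
    int r = app_open(-1);
    printf("after hook: redirected=%d open(-1)=%d blocked=%d\n",
           redirected_slots(), r, blocked_count());
    return 0;
}
```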
All happen simultaneously
14 default trusted roots – necessary?
Some code so bad
Whatever you’re using now
GPO or script through the CLI. Support with an existing contract.
Jonathan Ness from MS. Support with a valid support contract or through the forum.