If there is a weakness in your IT security system, wouldn't it be better to find it before someone else does? As long as we are aware of the value of the resources to be protected, why not put ourselves in the hacker's role and act as they do? You will become familiar with the tasks hackers routinely perform to check for misconfigurations and vulnerabilities.
5. #RSAC
Session Goal
Be familiar with the possibilities of the operating system, from user mode and from kernel mode
We are NOT talking about forensics!
… just doing a little hacking + conclusions
My goal: see one of the ways a hacker can act
9. Attack Users
Users
    Users rarely have software up to date
    Awareness issues
    ... but for a hacker it may not be enough
Administrators
    Local account
        Password reuse across workstations
        Different password per workstation
    Domain account
        Domain user being local administrator
        Domain administrator
13. Stay undetected
If you are not ready to attack: stay stealthy and do not change the system behavior
Hide your traces:
    Processes
    Files
    Infrastructure performance
    Network traffic
    Server / client platform performance
17. Use victims to attack more targets
Create the remotely controlled network
Automate the next scans
Create your own botnet
What can the hacker's goal be in your infrastructure?
19. Apply
Offline access protection: implementation of solutions like BitLocker.
Implementation of process execution prevention (AppLocker etc.).
Log centralization and log reviews: searching for anomalies and for certain log error codes. Performing regular audits of the code running on the servers (e.g. Autoruns).
Maintenance: backup implementation and regular updating.
Review of the services running under accounts that are not built in. Change them to gMSAs where possible and set up SPNs.
Get rid of NETBIOS. Try to avoid NTLMv2, especially if you do not have AppLocker or SMB signing in place.
Client protection: implementation of anti-exploit solutions.
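As an added example (not part of the deck or its author's material), the PowerShell below audits a single Windows host against three of the "Apply" items above: services running under accounts that are not built in (candidates for gMSA conversion), SMB signing enforcement, and NetBIOS over TCP/IP. It is read-only and assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or newer, where the SmbShare cmdlets are available; the function names are this example's own.

```powershell
# Added example, not from the RSA Conference deck: read-only audit of one host
# against three "Apply" items (service accounts, SMB signing, NetBIOS).
# Assumes an elevated session on Windows 8 / Server 2012 or later.

function Get-ServiceAccountReview {
    # Treat LocalSystem, the two NT AUTHORITY virtual accounts and per-service
    # NT SERVICE\ virtual accounts as built in. gMSA names end with '$', so
    # those services are already in the target state and are skipped too.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\(Local|Network)Service)$' -and
            $_.StartName -notlike 'NT SERVICE\*' -and
            $_.StartName -notlike '*$'
        } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

function Get-SmbSigningReview {
    # RequireSecuritySignature = signing is mandatory, not merely offered.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = [bool]$server.RequireSecuritySignature
        ClientRequiresSigning = [bool]$client.RequireSecuritySignature
    }
}

function Get-NetbiosReview {
    # TcpipNetbiosOptions: 0 = DHCP/default, 1 = enabled, 2 = disabled
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        Select-Object Description,
            @{ Name = 'IPAddress'; Expression = { $_.IPAddress -join ',' } },
            @{ Name = 'NetbiosOverTcpip'; Expression = {
                switch ($_.TcpipNetbiosOptions) {
                    0 { 'DHCP default' }
                    1 { 'Enabled' }
                    2 { 'Disabled' }
                    default { 'Unknown' }
                }
            } }
}

function Invoke-ApplyAudit {
    $services = @(Get-ServiceAccountReview)
    $smb      = Get-SmbSigningReview
    $nb       = @(Get-NetbiosReview)

    Write-Host "Services under custom accounts (review for gMSA / SPN): $($services.Count)"
    $services | Format-Table -AutoSize
    Write-Host "SMB signing required - server: $($smb.ServerRequiresSigning), client: $($smb.ClientRequiresSigning)"
    Write-Host 'NetBIOS over TCP/IP per IP-enabled adapter:'
    $nb | Format-Table -AutoSize

    # Findings, phrased the way the "Apply" slide phrases them
    if (-not $smb.ServerRequiresSigning) {
        Write-Warning 'SMB signing is not required on the server side.'
    }
    if ($nb | Where-Object { $_.NetbiosOverTcpip -ne 'Disabled' }) {
        Write-Warning 'NetBIOS over TCP/IP is still enabled (or left to DHCP) on at least one adapter.'
    }
}

Invoke-ApplyAudit
```

Each function returns objects rather than text, so the same checks can be run across many hosts with Invoke-Command and the results exported for the log-review and audit cycle the slide calls for.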
20. Apply What You Have Learned Today
Next week you should:
    Implement Local Admin Password Management or another password management solution
    Build the plan for periodic configuration reviews and penetration tests (security checks)
In the first three months following this presentation you should:
    Implement the Security Awareness Program among employees and technical training for administrators
    Review the client-side firewall configuration and which programs are allowed to communicate through the network
    Limit the number of services running on the servers (SCW and manual activities)
Within six months you should:
    Implement scoping (role management) for permissions and employee roles (SQL Admins, Server Admins etc.)
    Review network segmentation (+ IPsec isolation, DNSSEC etc.)
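The three-month items above (firewall review, limiting running services, periodic configuration reviews) can be turned into a repeatable check. The PowerShell below is an added example, not part of the deck: it lists every enabled inbound "Allow" rule together with the program and port it permits, flags rules that allow any program on any port, and records a running-service baseline that a later review can diff against. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session; function names and the baseline file path are this example's own choices.

```powershell
# Added example, not from the RSA Conference deck. Read-only except for the
# baseline JSON file the caller asks it to write.

function Get-InboundAllowedPrograms {
    # One row per enabled inbound Allow rule: which program, protocol and port it opens.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                Program   = $app.Program                 # 'Any' = any program may listen
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')  # 'Any' = every port
            }
        }
}

function Get-OverlyBroadInboundRules {
    # Rules worth a second look: no program restriction and no port restriction.
    Get-InboundAllowedPrograms |
        Where-Object { $_.Program -eq 'Any' -and $_.LocalPort -eq 'Any' }
}

function Get-RunningServiceBaseline {
    # Snapshot of what is running now; the names are what a later review compares.
    $running = @(Get-Service | Where-Object { $_.Status -eq 'Running' })
    [pscustomobject]@{
        Host  = $env:COMPUTERNAME
        Taken = (Get-Date).ToString('s')
        Count = $running.Count
        Names = @($running.Name | Sort-Object)
    }
}

function Compare-ServiceBaseline {
    # Diff the current running services against a baseline saved earlier
    # with: Get-RunningServiceBaseline | ConvertTo-Json | Set-Content $Path
    param([Parameter(Mandatory)][string] $Path)

    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-RunningServiceBaseline
    $diff     = Compare-Object -ReferenceObject @($baseline.Names) -DifferenceObject @($current.Names)

    [pscustomobject]@{
        Host          = $current.Host
        BaselineTaken = $baseline.Taken
        NewServices   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        GoneServices  = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

# Usage (example paths): first run stores the baseline, later runs report drift.
$baselinePath = Join-Path $env:ProgramData 'service-baseline.json'   # example location
if (-not (Test-Path $baselinePath)) {
    Get-RunningServiceBaseline | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
} else {
    Compare-ServiceBaseline -Path $baselinePath | Format-List
}

Write-Host 'Inbound Allow rules with no program and no port restriction:'
Get-OverlyBroadInboundRules | Format-Table -AutoSize
```

Storing the baseline as JSON rather than a screenshot of the SCW output gives the periodic review something machine-comparable: a service that appears on a server between two reviews is a concrete finding rather than a vague impression that "something changed".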