Assume Breach + Prevent Breach
Typical Attack Timeline & Observations

Research & Preparation
First Host Compromised
Domain Admin Compromised (hours after the first host)
Data Exfiltration (attacker undetected, typically for months)
Attack Discovered
Privilege Escalation with Credential Theft (Typical)

1. Get in with a phishing attack (or other initial access)
2. Steal credentials
3. Compromise more hosts and credentials (searching for Domain Admin)
4. Get Domain Admin credentials
5. Execute the attacker mission (steal data, destroy systems, etc.)

Observations: modern attack tools make steps 2 through 4 easy, and they typically take only hours.
Isolated User Mode (IUM): Credential Guard architecture

Both environments run on top of the Hypervisor, which isolates IUM from the High Level OS.
High Level OS (HLOS): LSASS (NTLM support, Kerberos support), boot-persistent device drivers, "clear" secrets
Isolated User Mode (IUM): LSAIso (NTLM, Kerberos), IUM secrets
Note: MS-CHAPv2 and NTLMv1 are blocked
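The slide describes the architecture but not how to confirm a host is actually running it. The following is an added example, not part of the original deck: it reads the Win32_DeviceGuard class and the LSA registry key to report whether Virtualization-Based Security and Credential Guard (the LSAIso process) are configured and running. It assumes Windows 10 / Windows Server 2016 or later and an elevated prompt; the LmCompatibilityLevel check is this example's own addition, included because a host that still permits NTLMv1 will see those authentications fail once Credential Guard is on.

```powershell
# Added example (not from the slide deck): report VBS / Credential Guard state on this host.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured/Running contain 1 for Credential Guard, 2 for HVCI
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = disabled
    $lsaCfg = (Get-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags
    # LmCompatibilityLevel below 3 still allows NTLMv1, which Credential Guard blocks (added check)
    $lmLevel = (Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # LsaIso.exe is the isolated LSA process; it only exists while Credential Guard is active
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VBSStatus                 = $vbsStatus
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = if ($null -eq $lsaCfg) { 'not set' } else { $lsaCfg }
        LsaIsoProcessPresent      = [bool]$lsaIso
        LmCompatibilityLevel      = if ($null -eq $lmLevel) { 'not set (default 3)' } else { $lmLevel }
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: LSASS in the HLOS still holds derived credentials.'
}
if ($state.LmCompatibilityLevel -is [int] -and $state.LmCompatibilityLevel -lt 3) {
    Write-Warning 'LmCompatibilityLevel permits NTLMv1, which Credential Guard will block; raise it to 3 or higher.'
}
```

A host can report Credential Guard as configured but not running (for example, when the hypervisor or UEFI prerequisites are missing), which is why the example checks both arrays and the presence of LsaIso rather than trusting the policy setting alone.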
Tier Model (Tier 0: Domain and Forest Administration; Tier 1: Servers, Apps, and Cloud Services; Tier 2: Users, Workstations, and Devices)

1. Privilege escalation (moving up a tier): Credential Theft, Application Agents, Service Accounts
2. Lateral traversal (moving within a tier): Credential Theft, Application Agents, Service Accounts
Do these NOW!
Roadmap: Integrate People, Process, and Technology

IT Service Management
  Privileged Account Management (PAM); PAM Maintenance
  Admin Roles & Delegation
Administrative Forest
  Domain and Forest Administration; Admin Forest Maintenance
Production Domain(s)
  Domain and Forest Security Alerting
  Domain and DC Hardening
  Servers, Apps, and Cloud Services: OS, App, & Service Hardening
  Users, Workstations, and Devices: Hardened Hosts and Accounts
Lateral Traversal Mitigations (Admin Process, Technology)
  RDP w/Restricted Admin
  Protected Users
  Auth Policies and Silos
  Admin Workstations
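Two of the lateral-traversal mitigations listed above, Protected Users and authentication policy silos, are AD-side controls that can be applied today. The following is an added example, not part of the original deck: it puts Tier 0 admin accounts into Protected Users and confines them to a silo so the KDC only issues their TGTs when they sign in from designated admin workstations. The group name "Tier0-Admins", the PAW computer names "PAW01" and "PAW02", and the silo/policy names are assumptions. It requires the ActiveDirectory module, Domain Admin rights, a Windows Server 2012 R2 or later domain functional level, and the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled on the domain controllers (with the matching Kerberos client policy on the PAWs).

```powershell
# Added example (not from the slide deck): Protected Users + authentication policy silo for Tier 0.
Import-Module ActiveDirectory

# Assumed names: adjust to your environment
$tier0Admins = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive | Where-Object objectClass -eq 'user'
$pawHosts    = 'PAW01', 'PAW02' | ForEach-Object { Get-ADComputer -Identity $_ }

# 1. Protected Users: no NTLM, no DES/RC4 Kerberos, no delegation, 4-hour TGT lifetime.
Add-ADGroupMember -Identity 'Protected Users' -Members $tier0Admins

# 2. User policy: 4-hour TGT, and the device performing the logon must itself be in Tier0-Silo.
#    The condition is expressed as SDDL with a claim on the authenticating device.
$userPolicy = New-ADAuthenticationPolicy -Name 'Tier0-UserPolicy' -Enforce -PassThru `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0-Silo"))'

#    Computer policy for the PAWs: no extra conditions, silo membership is what the user policy tests.
$computerPolicy = New-ADAuthenticationPolicy -Name 'Tier0-ComputerPolicy' -Enforce -PassThru

# 3. Silo binding both policies; then authorise and assign each account.
New-ADAuthenticationPolicySilo -Name 'Tier0-Silo' -Enforce `
    -UserAuthenticationPolicy $userPolicy `
    -ComputerAuthenticationPolicy $computerPolicy

foreach ($acct in @($tier0Admins) + @($pawHosts)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0-Silo' -Account $acct
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo 'Tier0-Silo'
}

# 4. Verify: every Tier 0 admin is in Protected Users and assigned to the silo.
foreach ($u in $tier0Admins) {
    $x = Get-ADUser -Identity $u -Properties MemberOf, 'msDS-AssignedAuthNPolicySilo'
    [pscustomobject]@{
        User          = $x.SamAccountName
        ProtectedUser = [bool]($x.MemberOf -match '^CN=Protected Users,')
        Silo          = $x.'msDS-AssignedAuthNPolicySilo'
    }
}
```

Pilot this with one admin account before applying it broadly: members of Protected Users cannot authenticate with NTLM at all, so an admin who depends on an NTLM-only path (an IP-address RDP target, a non-domain-joined host) will be locked out, and an enforced silo rejects every logon from a machine outside it, including a help-desk workstation during an incident. Create the silo in audit mode (omit -Enforce) first and review the KDC events before enforcing.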
Tier 0 (Domain and Forest Administration) roadmap

Good/Minimum
  Separate admin desktops and associated IT admin process changes
  Separate admin accounts
  Remove accounts from Tier 0 service accounts
  Personnel: only DC maintenance, delegation, and forest maintenance
Better
  Detection: Advanced Threat Analytics
  Multi-factor authentication (smartcards, one-time passwords, etc.)
  Just in Time (JIT) privileges: Privileged Access Management
  Extensive overhaul of IT process and privilege delegation
  Administrative forest (for AD admin roles in current releases)
Best
  Isolated User Mode (IUM)
  Microsoft Passport and Windows Hello
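"Remove accounts from Tier 0 service accounts" is the minimum step that most environments fail, because nobody has a list. The following is an added example, not part of the original deck: it walks the built-in Tier 0 groups recursively and flags members that look like service accounts (a registered SPN, a password that never expires, a service-account naming pattern, or a very old password). The naming regex and the 180-day threshold are assumptions to tune locally; it requires the ActiveDirectory module and read access to the directory.

```powershell
# Added example (not from the slide deck): find service-account-like members of Tier 0 groups.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

$staleBefore = (Get-Date).AddDays(-180)   # assumption: tune to your password policy

$findings = foreach ($g in $tier0Groups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName,
                 PasswordNeverExpires, PasswordLastSet, Enabled, LastLogonDate

        $reasons = @()
        if ($u.servicePrincipalName.Count -gt 0) {
            # An SPN on a Tier 0 account means its password hash can be requested by any domain user
            $reasons += 'SPN registered'
        }
        if ($u.PasswordNeverExpires)                { $reasons += 'password never expires' }
        if ($u.SamAccountName -match '^(svc|sa)[-_]') { $reasons += 'service-account naming (assumed pattern)' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $staleBefore) {
            $reasons += "password older than 180 days"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Group     = $g
                Account   = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                Reasons   = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize
"{0} Tier 0 membership(s) flagged for review" -f @($findings).Count
```

The same account often appears under several groups because of nesting; the report keeps each group row so that the right delegation can be fixed rather than just the top-level membership. Accounts that genuinely need Tier 0 rights should be converted to group managed service accounts or moved to the administrative forest model listed under "Better".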
Tier 1 and Tier 2 (Servers, Apps, and Cloud Services; Users, Workstations, and Devices) roadmap

Good/Minimum
  Separate admin accounts
  Separate admin desktops
  Associated IT admin process changes
  Enforce use of RDP RestrictedAdmin mode
  Local Administrator Password Solution (LAPS), or an alternative from the Pass-the-Hash mitigation guidance v1 (PtH v1)
Better
  Detection: Advanced Threat Analytics
  Multi-factor authentication (smartcards, one-time passwords, etc.)
  Just in Time (JIT) privileges: Privileged Access Management
  Extensive overhaul of IT process and privilege delegation
Best
  Isolated User Mode (IUM)
  Microsoft Passport and Windows Hello
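"Enforce use of RDP RestrictedAdmin mode" has two halves: the Tier 1 server must accept Restricted Admin connections, and the admin workstation must refuse to send reusable credentials. The following is an added example, not part of the original deck: it sets the registry values behind the corresponding Group Policy settings on each side and verifies them. Run it elevated; in production these values come from GPO rather than a script, and the server name in the final mstsc line is a placeholder.

```powershell
# Added example (not from the slide deck): enable and require RDP Restricted Admin mode.

# --- Server side (Tier 1 host): accept Restricted Admin connections. 0 = enabled, 1 = disabled.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord

# --- Client side (admin workstation): "Restrict delegation of credentials to remote servers"
#     (Computer Configuration > Administrative Templates > System > Credentials Delegation).
#     RestrictedRemoteAdministrationType: 1 = Require Restricted Admin,
#     2 = Require Remote Credential Guard, 3 = restrict delegation (either mode is acceptable).
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path $cd -Force | Out-Null
Set-ItemProperty -Path $cd -Name 'RestrictedRemoteAdministration'     -Value 1 -Type DWord
Set-ItemProperty -Path $cd -Name 'RestrictedRemoteAdministrationType' -Value 1 -Type DWord

function Test-RestrictedAdminConfig {
    # Reads back both halves so the check can run on a server, a PAW, or a host that is both
    $serverFlag = (Get-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $clientType = (Get-ItemProperty -Path $cd  -Name 'RestrictedRemoteAdministrationType' -ErrorAction SilentlyContinue).RestrictedRemoteAdministrationType
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        ServerAcceptsRestrictedAdmin  = ($serverFlag -eq 0)
        ClientRequiresRestrictedAdmin = ($clientType -in 1, 3)
    }
}

Test-RestrictedAdminConfig | Format-List

# Explicit client usage: the admin's password or hash is never sent to the target.
# mstsc.exe /RestrictedAdmin /v:server01.corp.example   (placeholder host name)
```

Trade-off to plan for: in a Restricted Admin session the user's network identity on the target is the server's computer account, so "second hop" access from that server to file shares or other systems fails unless the computer account is granted it. Because Restricted Admin logon does not require the plaintext password, an attacker who already holds an admin's NT hash can also use it to RDP to a Restricted-Admin-enabled server; pair the setting with the separate admin accounts and admin desktops listed above rather than treating it as a standalone control.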
1. Implement mitigations now!
2. Revamp your culture and support processes
3. Plan to adopt Windows 10 features
Shared responsibility in the cloud: cloud service provider responsibility vs. tenant responsibility
Identity across environments: on-premises infrastructure, private cloud fabric, and Infrastructure as a Service are tied together through federation and synchronization to a single identity.