Antivirus AppLocker in “Deny” Mode AppLocker in “Allow” Mode Auditing of Protections Forensic capture of host-based artifacts Forensic capture of memory-based.

Presentation transcript:

Maslow’s Hierarchy of Security Controls

Antivirus
AppLocker in “Deny” Mode
AppLocker in “Allow” Mode
Auditing of Protections
Forensic capture of host-based artifacts
Forensic capture of memory-based artifacts

Control: Antivirus / Antimalware
Benefit: Can limit the execution of malware known to the AV industry.
Impact Without Control: Attacker can write and run any code: custom C++ applications, internet tools, etc.
Limitations: Can be disabled by administrators. AV signatures can be evaded if the attacker is capable of recompiling or modifying an application.

Control: AppLocker in Deny Mode
Benefit: Can limit the execution of malware known to your organization.
Impact Without Control: Attacker can write and run any code, custom C++ applications, etc., as long as they aren’t well-known attack tools or exploits.
Limitations: Can be disabled by administrators. Only blocks known evil / undesirable malware; can be bypassed with only minor application changes.

Control: AppLocker in Allow Mode
Benefit: Can prevent the execution of unknown / unapproved applications.
Impact Without Control: Attacker can write arbitrary custom applications, as long as they are not detected by AV or AppLocker Deny rules.
Limitations: Can be disabled by administrators. Attacker can still leverage in-box tools like VBScript, Office macros, HTA applications, local web pages, PowerShell, etc.

Control: Auditing of protections (AppLocker registry keys, AV settings, etc.)
Benefit: By implementing and watching for the registry / filesystem audit events generated when an attacker disables protections like AppLocker, attackers become more visible.
Impact Without Control: Attacker can disable most built-in controls, and then compromise a system without being impacted by that control.
Limitations: Auditing is a reactive technology, not a preventative technology. An attack might still be successful, but proper audit monitoring can help you detect it.

Control: Forensic capture / examination of host-based artifacts
Benefit: Can help detect attacks based on in-box applications that modify the system in some way (such as putting a .VBS / .HTA file on disk).
Impact Without Control: Attacks that leverage in-box tools may not be detected.
Limitations: Requires significant expertise and custom tooling to capture and forward all “interesting” forensic artifacts. Can be avoided by in-box components (such as Internet Explorer, VBScript “stagers”, PowerShell, and debuggers) that have the ability to invoke in-memory commands.

Control: Memory forensics / application-specific logging
Benefit: Can detect forensic artifacts that do not touch disk.
Impact Without Control: Memory-only attacks may go undetected.
Limitations: Not all components that have the ability to invoke in-memory commands expose application-specific logging. Memory-only forensics requires significant expertise and custom tooling.
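An added PowerShell example, not from the deck, of what the “auditing of protections” row looks like in practice for AppLocker: it places a SACL on the AppLocker policy key so that an administrator or attacker disabling the control generates Security event 4657, reports whether each rule collection is actually enforced (Allow mode) or only audited, and pulls the recent tamper events. It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 and that it runs in an elevated session.

```powershell
# Added example, not from the deck: audit the AppLocker policy key so that disabling the
# control leaves a Security-log trail, then surface that trail. Run from an elevated session.
using namespace System.Security.AccessControl
using namespace System.Security.Principal
# Assumption: the effective AppLocker policy is stored under this key (it must already exist).
$AppLockerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'

function Enable-AppLockerKeyAuditing {
    # Object-access auditing for the Registry subcategory must be on, or no 4657 is ever logged.
    auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    # SACL entry: any successful value write, subkey creation or delete under the key is audited.
    $acl  = Get-Acl -Path $AppLockerKey -Audit
    $rule = [RegistryAuditRule]::new([NTAccount]'Everyone',
        [RegistryRights]'SetValue,CreateSubKey,Delete',
        [InheritanceFlags]'ContainerInherit,ObjectInherit', [PropagationFlags]::None, [AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $AppLockerKey -AclObject $acl
}

function Get-AppLockerEnforcement {
    # One row per rule collection; anything other than "Enabled" means Allow mode is not enforced.
    $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
    foreach ($c in $xml.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{ Collection = $c.Type; Mode = $c.EnforcementMode }
    }
}

function Get-AppLockerTamperEvents {
    param([int]$Hours = 24)
    # Event 4657 = "A registry value was modified"; keep only hits under the AppLocker subtree.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SrpV2' } |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Process = $data['ProcessName']   # e.g. reg.exe, powershell.exe or gpupdate
                Key     = $data['ObjectName']
                Value   = $data['ObjectValueName']
                NewData = $data['NewValue']
            }
        }
}

Enable-AppLockerKeyAuditing
Get-AppLockerEnforcement | Format-Table -AutoSize
Get-AppLockerTamperEvents -Hours 24 | Format-Table -AutoSize
```

As the slide notes, this is detection rather than prevention: an administrator can still clear the SACL or the audit policy, so the events should be forwarded off-host before they can be tampered with.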