Presentation is loading. Please wait.

Presentation is loading. Please wait.

Antivirus AppLocker in “Deny” Mode AppLocker in “Allow” Mode Auditing of Protections Forensic capture of host-based artifacts Forensic capture of memory-based.

Published byMelvin Dustin Montgomery Modified over 8 years ago

Similar presentations

Presentation on theme: "Antivirus AppLocker in “Deny” Mode AppLocker in “Allow” Mode Auditing of Protections Forensic capture of host-based artifacts Forensic capture of memory-based."— Presentation transcript:

1 Antivirus AppLocker in “Deny” Mode AppLocker in “Allow” Mode Auditing of Protections Forensic capture of host-based artifacts Forensic capture of memory-based artifacts Maslow’s Hierarchy of Security Controls

2 ControlBenefitImpact Without ControlLimitations Antivirus / Antimalware Can limit the execution of malware known to the AV industry. Attacker can write and run any code, custom C++ applications, internet tools, etc. Can be disabled by administrators. AV signatures can be evaded if the attacker is capable of recompiling or modifying an application. Applocker in Deny Mode Can limit the execution of malware known to your organization. Attacker can write and run any code, custom C++ applications, etc., as long as they aren’t well known attack tools or exploits. Can be disabled by administrators. Only blocks known evil / undesirable malware, can be bypassed with only minor application changes. Applocker in Allow Mode Can prevent the execution of unknown / unapproved applications. Attacker can write arbitrary custom applicatons, as long as they are not detected by AV or Applocker Deny rules. Can be disabled by administrators. Attacker can still leverage in-box tools like VBScript, Office macros, HTA applications, local web pages, PowerShell, etc. Maslow’s Hierarchy of Security Controls

3 ControlBenefitImpact Without ControlLimitations Auditing of protections (AppLocker registry keys, AV settings, etc.) By implementing and watching for registry / filesystem audit events generated when an attacker disables protections like AppLocker, attackers become more visible. Attacker can disable most built-in controls, and then compromise a system without being impacted by that control. Auditing is a reactive technology, not a preventative technology. An attack might still be successful, but proper audit monitoring can help you detect it. Forensic capture / examination of host- based artifacts Can help detect attacks based on in- box applications that modify the system in some way (such as putting a.VBS /.HTA file on disk). Attacks that leverage in-box tools may not be detected. Requires significant expertise and custom tooling to capture and forward all “interesting” forensic artifacts. Can be avoided by in-box components (such as Internet Explorer, VBScript “stagers”, PowerShell, and debuggers) that have the ability to invoke in-memory commands. Memory forensics / application-specific logging Can detect forensic artifacts that do not touch disk. Memory-only attacks may go undetected. Not all components that have the ability to invoke in-memory commands expose application-specific logging. Memory-only forensics require significant expertise and custom tooling.

Download ppt "Antivirus AppLocker in “Deny” Mode AppLocker in “Allow” Mode Auditing of Protections Forensic capture of host-based artifacts Forensic capture of memory-based."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
CSUF Chapter 3.2 1. CSUF Operating Systems Security 2.

CSUF Chapter CSUF Operating Systems Security 2.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
David Flournoy Bit9 Mid-Atlantic Regional Manager

David Flournoy Bit9 Mid-Atlantic Regional Manager
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Why Security Testing Is Hard Herbert H. Thompson Presenter: Alicia Young.

Why Security Testing Is Hard Herbert H. Thompson Presenter: Alicia Young.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Microsoft SharePoint 2013 SharePoint 2013 as a Developer Platform

Microsoft SharePoint 2013 SharePoint 2013 as a Developer Platform
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Department Of Computer Engineering

Department Of Computer Engineering

Similar presentations

Ads by Google