Typically, January is the month in which we are asked to predict the trends for the new year. I do not like this, as I am an engineer and not a fortune teller. But there are things we know and things we definitely need to drive this year. I would actually put them into the context of the typical hygiene of any IT environment.
Let's try to understand where we stand today. Compared with a few years back, we unfortunately see more skilled people in this space looking for either fast money or information. The criminals are more skilled, and I guess we see state actors attacking infrastructures as well. The big change, however, is that these attacks are not what they used to be. Today they are targeted and executed by highly skilled people with a clear goal and plenty of time. There is no rush, but they want to get the most out of their effort. They want to make sure that once they penetrate a network, the probability of being discovered is low, and they want to stay in there as long as possible. This often means that customers do not know they are compromised, and once they figure it out, they cannot assess the impact because the attacker has been on the network longer than the backups of the logs are kept…
To be clear, this is not meant to scare anybody; this is the reality we have seen in many, many customer networks across the globe in the last one to two years.
If we look at a typical attack, it often follows similar patterns:
This describes a fairly typical attack leveraging Pass the Hash. The paper Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques describes this very well. If we look at the mitigations described in that paper and those that follow from the attack pattern above, they are actually not too hard to implement; for the most part they are simply part of good network hygiene:
These are the key mitigations. However, there are some further key recommendations in this paper which should be implemented as well:
That's not too hard to do, is it? It should be part of the natural, everyday maintenance of your network, shouldn't it?
One point not mentioned so far is monitoring. This is all about finding the needle in the haystack, but it can be done; we (at Microsoft) do it. Why should a machine all of a sudden connect to another country when it never did so before? There might be reasons for this, but sometimes there are none. If you read my latest post, you will see one of these examples: An Attack via VPN – Really?
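As an added illustration of the baselining idea just described (this is not code from the original post), the following Python script builds, per host, the set of destination countries seen during a baseline window and reports the first connection to any country outside that set. The log format, host names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data), one outbound connection per line:
# "<ISO timestamp> <host> <destination IP> <destination country>"
SAMPLE_LOG = """\
2013-01-02T08:15:00 ws-fin-07 203.0.113.10 CH
2013-01-02T08:16:00 ws-fin-07 198.51.100.22 DE
2013-01-03T09:01:00 ws-fin-07 203.0.113.11 CH
2013-01-04T10:30:00 ws-hr-02 198.51.100.22 DE
2013-01-10T02:47:00 ws-fin-07 192.0.2.77 BR
2013-01-10T02:52:00 ws-fin-07 192.0.2.78 BR
2013-01-11T11:00:00 ws-hr-02 198.51.100.23 DE
"""
# Connections before this cut-off define each host's "normal" behaviour.
BASELINE_UNTIL = datetime(2013, 1, 8)

def parse_log(text):
    """Yield (timestamp, host, dst_ip, country) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, dst_ip, country = line.split()
            yield datetime.fromisoformat(ts), host, dst_ip, country

def build_baseline(events, until):
    """Map each host to the countries it talked to before the cut-off."""
    seen = defaultdict(set)
    for ts, host, _ip, country in events:
        if ts < until:
            seen[host].add(country)
    return seen

def first_seen_countries(text, until):
    """Return (host, country, timestamp) for connections after the cut-off
    to a country the host never used in its baseline. A new country is
    reported once per host and then added to the baseline, so a burst of
    connections does not flood the analyst with duplicates."""
    events = list(parse_log(text))
    baseline = build_baseline(events, until)
    alerts = []
    for ts, host, _ip, country in events:
        if ts >= until and country not in baseline[host]:
            alerts.append((host, country, ts))
            baseline[host].add(country)
    return alerts

if __name__ == "__main__":
    for host, country, ts in first_seen_countries(SAMPLE_LOG, BASELINE_UNTIL):
        print(f"{ts:%Y-%m-%d %H:%M} {host}: first connection to {country}")
```

In a real environment the baseline would come from weeks of flow or proxy logs and the country lookup from a GeoIP source, but the logic stays the same: alert on the first deviation, not on every repeat.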
Let me add a few final comments:
Therefore, if you think about network hygiene in 2013, look at the points above and get started. It is basically just normal maintenance of your network. Just do it!
"I have two slides showing the evolution of the Internet and the evolution of the threat landscape as well as the evolution of security in Windows since Windows 95. If you are interested, I am happy to share." -> I would be really interested, can you post it? Thank you, kind regards, MMF
Sorry, it took me a bit longer - I am on vacation. I just posted it: www.halbheer.ch/.../windows-security-evolution
Nice slides :) Thank you for making them available so fast. Have a nice vacation!
Kind regards, MMF