00:00:05 Hi, welcome back, this is Part III of our first module,
00:00:09 Defending Active Directory Against Cyberattacks.
00:00:13 In this part, we're going to focus on strategic defense and
00:00:17 how to help organizations adopt a strategic mindset.
00:00:20 >> Yep, and strategic defense is what we would like our
00:00:25 customers, and the audience in general, to have.
00:00:30 Because the traditional defense that we've been following
00:00:35 is not up-to-date with the change in the threat, right?
00:00:40 When you see the news and hear all these successful cyber
00:00:44 attacks, it's very easy to get desperate, right, and say,
00:00:47 hey, they're winning.
00:00:49 But the truth is, you can win, right?
00:00:53 It's all about those little mistakes that we make
00:00:56 that lead to all these major compromises.
00:00:59 And if we change things starting with our mindset.
00:01:02 And this is why we have this around strategic defense,
00:01:06 it's a mindset.
00:01:08 Starting with the mindset and then changing those small
00:01:11 mistakes, that we're gonna talk about throughout the series,
00:01:14 you can definitely win.
00:01:15 You can definitely raise the cost of a campaign to
00:01:20 an adversary to the point where it's too hard to sustain for
00:01:23 them, especially on a larger scale.
00:01:27 So, let's talk about strategic defense.
00:01:31 And Sun Tzu shows up again and says, the soldier works out
00:01:36 his victory in relation to the foe whom he is facing, right?
00:01:42 And our adversaries are not the typical adversaries that
00:01:46 we've been defending against in the 90s and early 2000s and
00:01:51 even late 2000s.
00:01:53 They're more adaptive, and they are more sophisticated.
00:01:57 So we have to fine-tune our strategy and
00:02:00 our mindset in order to address that, right?
00:02:06 Okay, so strategic defenders.
00:02:10 This is you, and me, and everyone who's interested
00:02:13 in defending their organization, right?
00:02:17 First of all, you have to be adaptive.
00:02:20 You need to understand the current threat.
00:02:24 That previous session about determined human adversaries,
00:02:28 this gives you the tip of the iceberg.
00:02:30 But we provided a lot of resources towards the end
00:02:33 of this session for you to read more on how they operate, and
00:02:37 what they are after and what their tools and techniques are, to
00:02:41 be able to adapt your defenses against them, because traditional
00:02:45 defense simply does not work and will keep us behind.
00:02:49 You need to remain vigilant and adjust as necessary.
00:02:53 The main strength that adversaries have is that
00:02:57 they have a human behind the back door,
00:03:00 controlling how it behaves.
00:03:01 They're adaptive, they change when they see a roadblock.
00:03:04 And this is exactly how we should be, right?
00:03:07 We need to remain vigilant and
00:03:08 adjust our defenses to the type of threat that we have.
00:03:14 They are disciplined, right?
00:03:18 Sorry, strategic defenders do not make those little mistakes
00:03:23 that lead to a very easy good day for the adversaries, right.
00:03:28 Things like configuring a service account with domain
00:03:32 admins.
00:03:33 Membership in domain admins.
00:03:34 That's something we see very often.
00:03:36 And it's definitely something that will land the adversary
00:03:41 in tier-0 on day one of the campaign, which is really bad.
00:03:44 So we wanna avoid making those mistakes by being very
00:03:47 disciplined.
00:03:49 And you need to question requests that
00:03:54 reduce the integrity of your environment.
00:03:56 When somebody comes up to you, and by the way,
00:03:58 not in a confrontational way, don't yell at people.
00:04:01 Just in a way where you educate them about the reason
00:04:06 you cannot accommodate certain requests to your environment.
00:04:11 And folks, you can show this to your bosses,
00:04:13 it'll give you more leverage to say no to certain requests.
00:04:16 So basically, if anyone comes to you and says hey,
00:04:20 we want enterprise admin for a certain
00:04:25 task or a certain service or something along those lines,
00:04:29 you need to start questioning those requests and take a more
00:04:34 educational approach about why you cannot do that.
00:04:39 Strategic defenders are effective.
00:04:43 Their priorities are guided by impact
00:04:45 to the organization, right?
00:04:47 They don't make investments or ask for investments randomly.
00:04:52 Their investments are based on impact, right?
00:04:55 So by awareness of your high value assets and
00:04:59 awareness of AD and the other dependencies, you should be
00:05:03 able to know where to invest most of your effort and
00:05:07 other resources, including money.
00:05:09 >> So, one thing to focus on looking at the different
00:05:13 characteristics of what is a strategic defender,
00:05:16 what makes up a strategic defender, is to question,
00:05:20 does your current strategy, does your current defensive strategy,
00:05:24 allow you to be these three things?
00:05:26 Does it allow you to be adaptive?
00:05:27 Does it allow you to be disciplined?
00:05:30 And does it allow you to be effective?
00:05:32 If the current strategy or the current mindset
00:05:35 is getting in the way of any one of these three things, that's
00:05:38 when it's time to take a step back and rethink that strategy.
00:05:41 >> Absolutely, and
00:05:42 literally this is something you can take back as is, all right?
00:05:48 To your leadership, or to the direct boss, or whoever
00:05:53 who's helping you make those decisions, and tell them that
00:05:58 if the adversaries have changed their threat tactics, how are we
00:06:02 changing to adapt and how are we being effective and disciplined?
00:06:06 Let's whiteboard, let's think about what we're doing today and
00:06:09 what we should be doing next.
00:06:13 Another thing about effectiveness is solving
00:06:16 the right problems, right?
00:06:18 In many cases, people would invest a lot of
00:06:22 time in solving problems that do exist,
00:06:26 but are not necessarily of much significance, while the real
00:06:30 problem would be something that does not require any investment,
00:06:34 but requires a change in behavior.
00:06:35 >> Right, so it might be good initiatives, good efforts, but
00:06:39 not be the right ones to address the right problem.
00:06:42 >> You don't wanna make more investments,
00:06:44 you wanna make better investments,
00:06:46 right, whether that's time, resources or anything.
00:06:50 And they understand security dependencies.
00:06:53 That's the stuff we spoke about earlier, the attack graph.
00:06:57 In order for you to think like an attacker,
00:07:01 that's a way to beat them, think like them,
00:07:04 you need to understand dependencies and attack graphs.
00:07:07 And this is something we alluded to earlier in the show in one of
00:07:10 the slides.
00:07:12 Okay, so let's talk about the relationship dynamics.
00:07:15 We talked about understanding ourselves.
00:07:17 We talked about understanding the adversary.
00:07:20 What about the relationship dynamics that
00:07:23 govern how we interact with each other and
00:07:26 give one of the two parties leverage over the other?
00:07:30 You can only
00:07:31 overcome adaptiveness with adaptiveness, right?
00:07:34 If they're able to adapt and
00:07:35 you're not, you cannot win this battle, right?
00:07:39 You have to be able to understand where they're going
00:07:43 today and where they're going next in order for
00:07:46 you to change your tactics.
00:07:48 Back in the days, credential theft was not as prevalent,
00:07:51 possibly because of the lack of tools.
00:07:53 But today, it has become more prevalent, for example, and
00:07:56 this is why you need to change your tactics.
00:08:00 Some of the more recent attacks, well, they're not more recent from
00:08:06 a theoretical standpoint, they have been there for a long time.
00:08:10 But they evolved and became more widespread
00:08:13 because of the new tools that enabled them.
00:08:15 There's things like the golden ticket attack, right?
00:08:18 And this is something that surfaced more popularly lately
00:08:22 and has been used in a few of these longer term campaigns
00:08:26 directed by the determined human adversaries.
00:08:30 And so a lot of organizations started to do this as part of
00:08:34 their recoveries, because now it's a more known tactic, right?
00:08:38 Second, investing in detection and
00:08:40 containment is no less important than investing in prevention.
00:08:45 A lot of organizations are very interested in, and
00:08:49 solely interested for the most part, in prevention.
00:08:53 You cannot fully prevent compromise.
00:08:56 Think of it like the human body, right?
00:08:59 You will always get a flu or, I don't know, a cough or
00:09:04 something like that, right?
00:09:05 That's unavoidable.
00:09:07 Chances are it will go away by itself or
00:09:10 you'll take care of it with some doctor advice.
00:09:15 However, what you should be worrying about is
00:09:19 illnesses that go on for long and can be devastating to your
00:09:23 high value assets, which is the rest of your body, right?
00:09:26 And this is where detection, early detection, right,
00:09:31 such as in the case of cancer, God forbid.
00:09:34 And containment, making sure you address it at a very early stage
00:09:38 when it's contained is the right approach to take.
00:09:43 And this is exactly the way it is with adversaries.
00:09:46 You'll never be able to fully prevent them from
00:09:48 compromising parts of the network, but you wanna make sure
00:09:52 that those are the less significant part and
00:09:54 those detected and contained very early on in the process.
00:09:57 >> One thing to highlight as well on that is, going back to when
00:10:00 we were talking about the strategic mindset.
00:10:04 What is your organization allowing you to do today
00:10:06 versus where should you be?
00:10:09 Prevention and detection, it might not always be carried out
00:10:13 by the same group or team within a company, right?
00:10:16 So that exposes maybe communication issues,
00:10:19 issues where the two teams don't work together as effectively.
00:10:26 So another thing to consider is, what are your roadblocks?
00:10:29 What are your issues today that are preventing you from being
00:10:33 able to be both preventive, as well as enable the detection
00:10:37 side and work very well together?
00:10:39 Because as Zade was just mentioning, you need both,
00:10:43 right?
00:10:43 You can't just depend on one or the other.
00:10:45 >> Absolutely, and this is where business leaders can come in.
00:10:49 And in order for them to protect their digital assets,
00:10:52 they need to bring those teams together and
00:10:55 align them under a certain strategy that aligns
00:10:58 with the type of threat that they're facing, right?
00:11:02 So basically a smart leader, when it comes to risk management,
00:11:06 especially in the information assets scope of work,
00:11:10 would have to align all the teams under a certain objective
00:11:15 just like the adversaries do align on their campaigns, right?
00:11:20 And bring them all together.
00:11:22 Technology is a means, not an end,
00:11:24 right, is a means, not an end.
00:11:27 So basically, what we're saying here is do not be married to
00:11:31 a certain technology because of a preference, or because you're
00:11:35 certified in it, or whatever reason there is out there.
00:11:40 Adversaries change their tactics to achieve objectives,
00:11:44 and so should you, right?
00:11:47 If you have existing investments, this is great, but
00:11:50 in the future keep your technology investments focused
00:11:54 on objectives, whatever achieves your objectives.
00:12:00 So more on relationship dynamics.
00:12:02 Adding security gadgets to solve a security gap
00:12:05 is often the wrong answer.
00:12:08 Normally, a lot of organizations will just throw some
00:12:13 investment in a certain new flashy security product.
00:12:17 But normally, the answer is in change in behavior and
00:12:20 changing the way you approach the problem, right?
00:12:23 And in things that are basically built into the operating system
00:12:27 that you can leverage, right, without even having to invest.
00:12:31 >> Right, in multiple studies it shows that companies tend to
00:12:36 use actually less than a half of their existing IT investments.
00:12:41 So back to the point of you don't need to necessarily
00:12:44 add more.
00:12:45 You may just need to be focused on using what you have or
00:12:48 using it better than the way that you're using it today.
00:12:52 So, such as enabling certain sorts of features,
00:12:57 configuring those features to achieve your objective,
00:12:59 to achieve what you're looking for.
00:13:01 As well as enabling your team to really be able
00:13:04 to use that in an operational state so that your existing
00:13:08 technology investments can be used effectively.
00:13:10 >> Right, and those are the types of investments that
00:13:13 strategic defenders make.
00:13:15 They fit the purpose of their organization.
00:13:21 Yes, your organization is a target.
00:13:23 So if you have any, this is a very common question,
00:13:28 is my organization a target?
00:13:30 Well, we don't have that much on the network, right?
00:13:32 If you have anything that's not public,
00:13:34 they need to make it public, so they will target you.
00:13:37 So, I guess it varies from one organization to the other.
00:13:43 But if you have anything, any information that's of value and
00:13:47 is not public,
00:13:48 then chances are if you're not already under attack or
00:13:51 have sustained attack in the past, you will be attacked.
00:13:56 All assets are not created equal,
00:13:58 don't treat them as such, right?
00:14:02 If you protect your paperclips and diamonds to the same extent.
00:14:07 >> [LAUGH] >> You will end up with a lot of
00:14:09 paperclips and no diamonds, right.
00:14:13 Somebody said that, I don't know who it was.
00:14:15 >> I've never heard that one.
00:14:17 >> [LAUGH] More on relationship dynamics,
00:14:22 monitoring outgoing traffic and traffic within the network is
00:14:26 just as important as monitoring incoming traffic.
00:14:30 Traditionally, we've been focused on thinking that attacks
00:14:33 will always come to us from the outside.
00:14:35 They will attack the perimeter and come in.
00:14:38 But the truth is they will leverage a weakness
00:14:42 at the internal network in order to exfiltrate data
00:14:46 external to the outside, an egress mode, right?
00:14:50 Or to move around within the network and be able to basically
00:14:54 achieve their objective by finding the right assets, right?
00:14:58 >> Right,
00:14:59 and one thing to highlight there is when they're outgoing, right,
00:15:03 say they're in the network and they're moving out.
00:15:07 It's to move out data, right,
00:15:08 to exfiltrate data from the network.
00:15:11 The data that's valuable to them that aligns to their strategic
00:15:14 objectives.
00:15:15 So really they benefit when they actually egress,
00:15:20 right, when they leave.
00:15:22 More so, even sometimes than that one point of entry to get
00:15:26 into the network.
00:15:26 >> Right, and egress is a lot more firewall friendly.
00:15:31 Connections initiated at the internal network
00:15:34 are likely to be less restricted than, well, most of the time,
00:15:38 less restricted than ones coming in from outside.
00:15:41 >> And we just were talking, the last part of the series,
00:15:46 that they can also use technology made for good,
00:15:49 like encryption, for bad, right, for covering their steps and
00:15:54 not being detected when they do leave the network.
00:15:58 >> Yep, well, not finally yet.
00:16:04 Victory over DHAs,
00:16:06 over determined human adversaries, is in continuously
00:16:09 disrupting their attempts at compromising critical assets.
00:16:13 If you are aiming for a decisive victory where you will wipe
00:16:19 them off the network and have them never, ever come back and
00:16:23 compromise any of your assets at all, you're not being realistic.
00:16:27 They'll always have the analogue of a flu or
00:16:32 a cough, right?
00:16:33 Something that happens at that perimeter of the network or
00:16:36 on a certain machine on the network or somebody clicked.
00:16:39 What you don't wanna have is something that persists
00:16:41 on the long term that's not contained and detected early.
00:16:45 >> Right, and by disrupting their attempts, we
00:16:49 are achieving what we're looking to do by raising the cost
00:16:52 that it takes for them to successfully have an attack.
00:16:57 As well as reducing the likelihood
00:17:00 that they can successfully get into the network.
00:17:03 >> Right, I mean think about it, there are a lot of people on
00:17:06 the payroll in order to sustain those campaigns.
00:17:09 The longer you make them work on it and
00:17:12 the harder the technologies they require to overcome your
00:17:16 defenses, the more unsustainable those campaigns become.
00:17:20 And when you think about it, they work on a large scale.
00:17:22 They wanna compromise a lot of companies in order to
00:17:25 get to the information they want.
00:17:27 So at that scale, their campaigns become unsustainable
00:17:31 overhead and we'll basically defeat them that way.
00:17:38 Finally, in relationship dynamics,
00:17:40 absence of evidence is not evidence of absence.
00:17:44 If you have not detected, besides
00:17:48 a compromise using traditional methods, it could be that you're
00:17:53 not using the right detection tactics.
00:17:55 And actually, Josh,
00:17:57 who's gonna be talking about this concept of detection,
00:18:02 deep detection in one of the upcoming episodes, I believe
00:18:07 it's episode six, or tactic six or something along those lines.
00:18:13 >> And one thing about the absence of evidence is not
00:18:16 evidence of absence.
00:18:18 A lot of times, and when we're working with our customers and
00:18:21 Microsoft cybersecurity services,
00:18:24 we come in assuming compromise, right?
00:18:27 It's changing in the mindset,
00:18:29 being that strategic defender in which, if we assume compromise,
00:18:34 we take other forms of communication.
00:18:38 We're more secure.
00:18:39 We're careful with what we share over email.
00:18:42 We'll use external data repositories for sharing our
00:18:46 project documentation, and kind of change the way we act and
00:18:50 behave because we're assuming compromise.
00:18:53 And if there is no compromise, great, then we're good.
00:18:58 If there is compromise and maybe we don't know it,
00:19:01 we are taking that extra step of precautions so we're not
00:19:06 unintentionally exposing the stuff that we're working on.
00:19:09 >> Yep.
00:19:13 All right, and this quote by George Washington, and
00:19:17 a lot of these quotes are from war generals for a good reason.
00:19:22 What we're facing today is cyber warfare, right?
00:19:26 That economic espionage that we're going through is all based
00:19:31 on cyber warfare.
00:19:33 And this is why a lot of the quotes that we have in here are
00:19:36 from generals and army members in general.
00:19:39 It is much easier to prevent an enemy from posting themselves
00:19:44 than it is to dislodge them after they have
00:19:47 gotten possession.
00:19:49 So what we're saying here is if you let the adversary own
00:19:55 your network fully, right, it's just a lot harder to evict them.
00:19:59 It's a lot costlier and harder and comes with sweat and
00:20:03 tears to evict them.
00:20:05 While if you detect and contain at the very beginning
00:20:09 stages of the attack, of the very first stages of the attack,
00:20:13 they're a lot more likely to be successful.
00:20:16 >> Right. >> That applies to the cyber
00:20:17 security.
00:20:18 >> And drive down the cost.
00:20:18 >> Yep.
00:20:20 >> So finally,
00:20:21 we are wrapping up the first module here with part three.
00:20:26 We have resources listed on the page for different articles.
00:20:32 And then I wanna highlight the very last bullet point there
00:20:36 is need help from Microsoft Services Cybersecurity?
00:20:39 This is an email address where you can reach out to any of us
00:20:43 here presenting on this series at CyberRFI@microsoft.com,
00:20:47 if you're interested in knowing more about our offerings and
00:20:51 what we're sharing here in these modules.
00:20:54 >> Yep.
00:20:56 >> Thank you very much.
00:20:57 >> Thanks, I'll see you in episode two.