00:00:05 Hi, welcome back, this is Part III of our first module,
00:00:09 Defending Active Directory Against Cyberattacks.
00:00:13 In this part, we're going to focus on strategic defense and
00:00:17 how to help organizations adopt a strategic mindset.
00:00:20 >> Yep, and strategic defense is what we would like our
00:00:25 customers, and the audience in general, to have.
00:00:30 Because the traditional defense that we've been following
00:00:35 is not up-to-date with the change in the threat, right?
00:00:40 When you see the news and hear all these successful cyber
00:00:44 attacks, it's very easy to get desperate, right, and say,
00:00:47 hey, they're winning.
00:00:49 But the truth is, you can win, right?
00:00:53 It's all about those little mistakes that we make
00:00:56 that lead to all these major compromises.
00:00:59 And if we change things, starting with our mindset.
00:01:02 And this is why we have this around strategic defense,
00:01:06 it's a mindset.
00:01:08 Starting with the mindset and then changing those small
00:01:11 mistakes, that we're gonna talk about throughout the series,
00:01:14 you can definitely win.
00:01:15 You can definitely raise the cost of a campaign to
00:01:20 an adversary to the point where it's too hard to sustain for
00:01:23 them, especially on a larger scale.
00:01:27 So, let's talk about strategic defense.
00:01:31 And Sun Tzu shows up again and says, the soldier works out
00:01:36 his victory in relation to the foe whom he is facing, right?
00:01:42 And our adversaries are not the typical adversaries that
00:01:46 we've been defending against in the 90s and early 2000s and
00:01:51 even late 2000s.
00:01:53 They're more adaptive, and they are more sophisticated.
00:01:57 So we have to fine-tune our strategy and
00:02:00 our mindset in order to address that, right?
00:02:06 Okay, so strategic defenders.
00:02:10 This is you, and me, and everyone who's interested
00:02:13 in defending their organization, right?
00:02:17 First of all, you have to be adaptive.
00:02:20 You need to understand the current threat.
00:02:24 That previous session about determined human adversaries,
00:02:28 this gives you the tip of the iceberg.
00:02:30 But we provided a lot of resources towards the end
00:02:33 of this session for you to read more on how they operate, and
00:02:37 what they are after and what their tools and techniques are, to
00:02:41 be able to adapt your defenses against them, because traditional
00:02:45 defense simply does not work and will keep us behind.
00:02:49 You need to remain vigilant and adjust as necessary.
00:02:53 The main strength that adversaries have is that
00:02:57 they have a human behind the back door,
00:03:00 controlling how it behaves.
00:03:01 They're adaptive, they change when they see a roadblock.
00:03:04 And this is exactly how we should be, right?
00:03:07 We need to remain vigilant and
00:03:08 adjust our defenses to the type of threat that we have.
00:03:14 They are disciplined, right?
00:03:18 Sorry, strategic defenders do not make those little mistakes
00:03:23 that lead to a very easy good day for the adversaries, right.
00:03:28 Things like configuring a service account with domain
00:03:32 admins.
00:03:33 Membership in domain admins.
00:03:34 That's something we see very often.
00:03:36 And it's definitely something that will land the adversary
00:03:41 in tier-0 on day one of the campaign, which is really bad.
00:03:44 So we wanna avoid making those mistakes by being very
00:03:47 disciplined.
00:03:49 And you need to question requests that
00:03:54 reduce the integrity of your environment.
00:03:56 When somebody comes up to you, and by the way,
00:03:58 not in a confrontational way, don't yell at people.
00:04:01 Just in a way where you educate them about the reason
00:04:06 you cannot accommodate certain requests to your environment.
00:04:11 And folks, you can show this to your bosses,
00:04:13 it'll give you more leverage to say no to certain requests.
00:04:16 So basically, if anyone comes to you and says hey,
00:04:20 we want enterprise admin for a certain
00:04:25 task or a certain service or something along those lines,
00:04:29 you need to start questioning those requests and take a more
00:04:34 educational approach about why you cannot do that.
00:04:39 Strategic defenders are effective.
00:04:43 Their priorities are guided by impact
00:04:45 to the organization, right?
00:04:47 They don't make investments or ask for investments randomly.
00:04:52 Their investments are based on impact, right?
00:04:55 So by awareness of your high value assets and
00:04:59 awareness of AD and the other dependencies, you should be
00:05:03 able to know where to invest most of your effort and
00:05:07 other resources, including money.
00:05:09 >> So, one thing to focus on, looking at the different
00:05:13 characteristics of what is a strategic defender,
00:05:16 what makes up a strategic defender, is to question,
00:05:20 does your current strategy, does your current defensive strategy,
00:05:24 allow you to be these three things?
00:05:26 Does it allow you to be adaptive?
00:05:27 Does it allow you to be disciplined?
00:05:30 And does it allow you to be effective?
00:05:32 If the current strategy or the current mindset
00:05:35 is getting in the way of any one of these three things, that's
00:05:38 when it's time to take a step back and rethink that strategy.
00:05:41 >> Absolutely, and
00:05:42 literally this is something you can take back as is, all right?
00:05:48 To your leadership, or to the direct boss, or whoever
00:05:53 is helping you make those decisions, and tell them that
00:05:58 if the adversaries have changed their threat tactics, how are we
00:06:02 changing to adapt and how are we being effective and disciplined?
00:06:06 Let's whiteboard, let's think about what we're doing today and
00:06:09 what we should be doing next.
00:06:13 Another thing about effectiveness is solving
00:06:16 the right problems, right?
00:06:18 In many cases, people would invest a lot of
00:06:22 time in solving problems that do exist,
00:06:26 but are not necessarily of much significance, while the real
00:06:30 problem would be something that does not require any investment,
00:06:34 but requires a change in behavior.
00:06:35 >> Right, so it might be good initiatives, good efforts, but
00:06:39 not be the right ones to address the right problem.
00:06:42 >> You don't wanna make more investments,
00:06:44 you wanna make better investments,
00:06:46 right, whether that's time, resources or anything.
00:06:50 And they understand security dependencies.
00:06:53 That's the stuff we spoke about earlier, the attack graph.
00:06:57 In order for you to think like an attacker,
00:07:01 that's a way to beat them, think like them,
00:07:04 you need to understand dependencies and attack graphs.
00:07:07 And this is something we alluded to earlier in the show in one of
00:07:10 the slides.
00:07:12 Okay, so let's talk about the relationship dynamics.
00:07:15 We talked about understanding ourselves.
00:07:17 We talked about understanding the adversary.
00:07:20 What about the relationship dynamics that
00:07:23 govern how we interact with each other and
00:07:26 give one of the two parties leverage over the other?
00:07:30 You can only
00:07:31 overcome adaptiveness with adaptiveness, right?
00:07:34 If they're able to adapt and
00:07:35 you're not, you cannot win this battle, right?
00:07:39 You have to be able to understand where they're going
00:07:43 today and where they're going next in order for
00:07:46 you to change your tactics.
00:07:48 Back in the day, credential theft was not as prevalent,
00:07:51 possibly because of the lack of tools.
00:07:53 But today, it has become more prevalent, for example, and
00:07:56 this is why you need to change your tactics.
00:08:00 Some of the more recent attacks, well, they're not more recent from
00:08:06 a theoretical standpoint, they have been there for a long time.
00:08:10 But they evolved and became more widespread
00:08:13 because of the new tools that enabled them.
00:08:15 There's things like the golden ticket attack, right?
00:08:18 And this is something that surfaced more popularly lately
00:08:22 and has been used in a few of these longer term campaigns
00:08:26 directed by the determined human adversaries.
00:08:30 And so a lot of organizations started to do this as part of
00:08:34 their recoveries, because now it's a more known tactic, right?
00:08:38 Second, investing in detection and
00:08:40 containment is no less important than investing in prevention.
00:08:45 A lot of organizations are very interested in, and
00:08:49 solely interested for the most part, in prevention.
00:08:53 You cannot fully prevent compromise.
00:08:56 Think of it like the human body, right?
00:08:59 You will always get a flu or, I don't know, a cough or
00:09:04 something like that, right?
00:09:05 That's unavoidable.
00:09:07 Chances are it will go away by itself or
00:09:10 you'll take care of it with some doctor advice.
00:09:15 However, what you should be worrying about is
00:09:19 illnesses that go on for long and can be devastating to your
00:09:23 high value assets, which is the rest of your body, right?
00:09:26 And this is where detection, early detection, right,
00:09:31 such as in the case of cancer, God forbid.
00:09:34 And containment, making sure you address it at a very early stage
00:09:38 when it's contained, is the right approach to take.
00:09:43 And this is exactly the way it is with adversaries.
00:09:46 You'll never be able to fully prevent them from
00:09:48 compromising parts of the network, but you wanna make sure
00:09:52 that those are the less significant parts and
00:09:54 those are detected and contained very early on in the process.
00:09:57 One thing to highlight as well on that is, going back to when
00:10:00 we were talking about the strategic mindset.
00:10:04 What is your organization allowing you to do today
00:10:06 versus where should you be?
00:10:09 Prevention and detection, it might not always be carried out
00:10:13 by the same group or team within a company, right?
00:10:16 So that exposes maybe communication issues,
00:10:19 issues where the two teams don't work together as effectively.
00:10:26 So another thing to consider is, what are your roadblocks?
00:10:29 What are your issues today that are preventing you from being
00:10:33 able to be both preventive, as well as enable the detection
00:10:37 side and work very well together?
00:10:39 Because as Zade was just mentioning, you need both,
00:10:43 right?
00:10:43 You can't just depend on one or the other.
00:10:45 >> Absolutely, and this is where business leaders can come in.
00:10:49 And in order for them to protect their digital assets,
00:10:52 they need to bring those teams together and
00:10:55 align them under a certain strategy that aligns
00:10:58 with the type of threat that they're facing, right?
00:11:02 So basically a smart leader, when it comes to risk management,
00:11:06 especially in the information assets scope of work,
00:11:10 would have to align all the teams under a certain objective,
00:11:15 just like the adversaries do align on their campaigns, right?
00:11:20 And bring them all together.
00:11:22 Technology is a means, not an end,
00:11:24 right, it is a means, not an end.
00:11:27 So basically, what we're saying here is do not be married to
00:11:31 a certain technology because of a preference, or because you're
00:11:35 certified in it, or whatever reason there is out there.
00:11:40 Adversaries change their tactics to achieve objectives,
00:11:44 and so should you, right?
00:11:47 If you have existing investments, this is great, but
00:11:50 in the future keep your technology investments focused
00:11:54 on objectives, whatever achieves your objectives.
00:12:00 So more on relationship dynamics.
00:12:02 Adding security gadgets to solve a security gap
00:12:05 is often the wrong answer.
00:12:08 Normally, a lot of organizations will just throw some
00:12:13 investment in a certain new flashy security product.
00:12:17 But normally, the answer is in a change in behavior and
00:12:20 changing the way you approach the problem, right?
00:12:23 And in things that are basically built into the operating system
00:12:27 that you can leverage, right, without even having to invest.
00:12:31 >> Right, in multiple studies it shows that companies tend to
00:12:36 use actually less than half of their existing IT investments.
00:12:41 So back to the point of you don't need to necessarily
00:12:44 add more.
00:12:45 You may just need to be focused on using what you have or
00:12:48 using it better than the way that you're using it today.
00:12:52 So, such as enabling certain sorts of features,
00:12:57 configuring those features to achieve your objective,
00:12:59 to achieve what you're looking for.
00:13:01 As well as enabling your team to really be able
00:13:04 to use that in an operational state so that your existing
00:13:08 technology investments can be used effectively.
00:13:10 >> Right, and those are the types of investments that
00:13:13 strategic defenders make.
00:13:15 They fit the purpose of their organization.
00:13:21 Yes, your organization is a target.
00:13:23 So if you have any, this is a very common question,
00:13:28 is my organization a target?
00:13:30 Well, we don't have that much on the network, right?
00:13:32 If you have anything that's not public,
00:13:34 they need to make it public, so they will target you.
00:13:37 So, I guess it varies from one organization to the other.
00:13:43 But if you have anything, any information that's of value and
00:13:47 is not public,
00:13:48 then chances are if you're not already under attack or
00:13:51 have sustained attack in the past, you will be attacked.
00:13:56 All assets are not created equal,
00:13:58 don't treat them as such, right?
00:14:02 If you protect your paperclips and diamonds to the same extent.
00:14:07 >> [LAUGH] >> You will end up with a lot of
00:14:09 paperclips and no diamonds, right.
00:14:13 Somebody said that, I don't know who it was.
00:14:15 >> I've never heard that one.
00:14:17 [LAUGH] More on relationship dynamics,
00:14:22 monitoring outgoing traffic and traffic within the network is
00:14:26 just as important as monitoring incoming traffic.
00:14:30 Traditionally, we've been focused on thinking that attacks
00:14:33 will always come to us from the outside.
00:14:35 They will attack the perimeter and come in.
00:14:38 But the truth is they will leverage a weakness
00:14:42 at the internal network in order to exfiltrate data
00:14:46 external to the outside, an egress mode, right?
00:14:50 Or to move around within the network and be able to basically
00:14:54 achieve their objective by finding the right assets, right?
00:14:58 >> Right,
00:14:59 and one thing to highlight there is when they're outgoing, right,
00:15:03 say they're in the network and they're moving out.
00:15:07 It's to move out data, right,
00:15:08 to exfiltrate data from the network.
00:15:11 The data that's valuable to them that aligns to their strategic
00:15:14 objectives.
00:15:15 So really they benefit when they actually egress,
00:15:20 right, when they leave.
00:15:22 More so, even sometimes, than that one point of entry to get
00:15:26 into the network.
00:15:26 >> Right, and egress is a lot more firewall friendly.
00:15:31 Connections initiated at the internal network
00:15:34 are likely to be less restricted than, well, most of the time,
00:15:38 less restricted than ones coming in from outside.
00:15:41 >> And we were just talking, in the last part of the series,
00:15:46 that they can also use technology made for good,
00:15:49 like encryption, for bad, right, for covering their steps and
00:15:54 not being detected when they do leave the network.
00:15:58 >> Yep, well, not finally yet.
00:16:04 Victory over DHAs,
00:16:06 over determined human adversaries, is in continuously
00:16:09 disrupting their attempts at compromising critical assets.
00:16:13 If you are aiming for a decisive victory where you will wipe
00:16:19 them off the network and have them never, ever come back and
00:16:23 compromise any of your assets at all, you're not being realistic.
00:16:27 They'll always have the analogue of a flu or
00:16:32 a cough, right?
00:16:33 Something that happens at that perimeter of the network or
00:16:36 on a certain machine on the network or somebody clicked.
00:16:39 What you don't wanna have is something that persists
00:16:41 on the long term that's not contained and detected early.
00:16:45 >> Right, and by disrupting their attempts, we
00:16:49 are achieving what we're looking to do by raising the cost
00:16:52 that it takes for them to successfully have an attack.
00:16:57 As well as reducing the likelihood
00:17:00 that they can successfully get into the network.
00:17:03 >> Right, I mean think about it, there are a lot of people on
00:17:06 the payroll in order to sustain those campaigns.
00:17:09 The longer you make them work on it and
00:17:12 the harder the technologies they require to overcome your
00:17:16 defenses, the more unsustainable those campaigns become.
00:17:20 And when you think about it, they work on a large scale.
00:17:22 They wanna compromise a lot of companies in order to
00:17:25 get to the information they want.
00:17:27 So at that scale, their campaigns become unsustainable
00:17:31 overhead and we'll basically defeat them that way.
00:17:38 Finally, in relationship dynamics,
00:17:40 absence of evidence is not evidence of absence.
00:17:44 If you have not detected, besides
00:17:48 a compromise using traditional methods, it could be that you're
00:17:53 not using the right detection tactics.
00:17:55 And actually, Josh,
00:17:57 who's gonna be talking about this concept of detection,
00:18:02 deep detection, in one of the upcoming episodes, I believe
00:18:07 it's episode six, or tactic six or something along those lines.
00:18:13 >> And one thing about the absence of evidence is not
00:18:16 evidence of absence.
00:18:18 A lot of times, and when we're working with our customers and
00:18:21 Microsoft cybersecurity services,
00:18:24 we come in assuming compromise, right?
00:18:27 It's a change in the mindset,
00:18:29 being that strategic defender in which, if we assume compromise,
00:18:34 we take other forms of communication.
00:18:38 We're more secure.
00:18:39 We're careful with what we share over email.
00:18:42 We'll use external data repositories for sharing our
00:18:46 project documentation, and kind of change the way we act and
00:18:50 behave because we're assuming compromise.
00:18:53 And if there is no compromise, great, then we're good.
00:18:58 If there is compromise and maybe we don't know it,
00:19:01 we are taking that extra step of precautions so we're not
00:19:06 unintentionally exposing the stuff that we're working on.
00:19:09 >> Yep.
00:19:13 All right, and this quote by George Washington, and
00:19:17 a lot of these quotes are from war generals for a good reason.
00:19:22 What we're facing today is cyber warfare, right?
00:19:26 That economic espionage that we're going through is all based
00:19:31 on cyber warfare.
00:19:33 And this is why a lot of the quotes that we have in here are
00:19:36 from generals and army members in general.
00:19:39 It is much easier to prevent an enemy from posting themselves
00:19:44 than it is to dislodge them after they have
00:19:47 gotten possession.
00:19:49 So what we're saying here is if you let the adversary own
00:19:55 your network fully, right, it's just a lot harder to evict them.
00:19:59 It's a lot costlier and harder and comes with sweat and
00:20:03 tears to evict them.
00:20:05 While if you detect and contain at the very beginning
00:20:09 stages of the attack, at the very first stages of the attack,
00:20:13 they're a lot more likely to be successful.
00:20:16 >> Right. >> That applies to the cyber
00:20:17 security.
00:20:18 >> And drive down the cost.
00:20:18 >> Yep.
00:20:20 >> So finally,
00:20:21 we are wrapping up the first module here with part three.
00:20:26 We have resources listed on the page for different articles.
00:20:32 And then I wanna highlight the very last bullet point there
00:20:36 is need help from Microsoft Services Cybersecurity?
00:20:39 This is an email address where you can reach out to any of us
00:20:43 here presenting on this series at CyberRFI@microsoft.com,
00:20:47 if you're interested in knowing more about our offerings and
00:20:51 what we're sharing here in these modules.
00:20:54 >> Yep.
00:20:56 >> Thank you very much.
00:20:57 >> Thanks, I'll see you in episode two.