
It is two o'clock, so our next speaker is Andy Thompson. Andy, the man has great taste, I've got to say: 90s grunge music aficionado, which is of course the finest music ever made by man. Hacker, InfoSec consultant, works with Fortune 500 companies to improve their security posture, and yeah, so he is either traveling or sleeping when he is not working, and he'll tell you more about himself. So yeah, our two o'clock speaker, Andy Thompson.

Oh, all right. Hello everyone, thank you so much for sticking around and listening to me talk today about Kerberos attacks, in particular the golden ticket. I just wanted to demonstrate that I do listen to people on Twitter, so ask and you shall receive.

So I'm going to start off our talk with a little bit of a story, okay. Imagine February 2016 in Manila, Philippines. A gentleman walks up to a very crowded casino's counter, makes a withdrawal request. They take a look at the data, you know, all checks out. It's a large amount, but you know, it's legit. They end up loading up a suitcase full of a large, large sum of money, and then the gentleman just disappears into the night, never to be seen again. Over 6,000 miles away in Bangladesh, the Central Bank of Bangladesh has just been robbed for 81 million dollars. To date this is the largest bank heist in the history of the world, and this was all done via the internet. And unfortunately this gentleman right here, Atiur Rahman, central governor of the Bank of Bangladesh, ended up having to take the fall for it due to his lack of cybersecurity controls. His bank was the victim of, again, the largest bank heist in history. This is just one of many different cyber attacks against the SWIFT network; this is just the one that had the biggest notoriety. What actually happened in the course of this attack was pretty interesting. It was a large amount of bank transactions, 26 to be exact, totaling 951 million dollars. 26 were actually in transit at the time in which, yes, I believe this transaction going to the Federal Reserve Bank in New York was caught. What happened was there was a typo: the word "foundation" was actually misspelled, it was misspelled like "fandation", and that's what the visual typo detection, a human being, was the one that detected this sort of circumstance.

So with that, let me introduce myself. My name is Andy Thompson. I probably have the coolest job in the entire world. I'm the strategic advisor for CyberArk Software. What I get to do is I get to help customers leverage the product that they already bought and just use it to the fullest extent, so it's a really great job, I get to help people, right. I have a degree from the University of Texas at
Arlington in Management Information Systems, CompTIA A+, Security+, SSCP and CISSP from (ISC)², and I recently got my GPEN. I'm a member of their advisory board and I'm now one of the SANS mentors, so very excited about that. I'm happily married and I have two little girls at home, and I come from Dallas, Texas, and so I'm really active in the information security community out there. Right now I'm a member of the Shadow Systems hacker collective as well as one of the members of the Dallas Hackers Association. Most people think, you know, "Andy, you're the hacker in the family." Well, honestly, it couldn't be further from the truth. The real hacker in my family is my wife. She's what's called a travel hacker, okay. She does some really cool stuff. What she does is she goes in and finds, like, price variations on websites and things like that, and if they are within a certain deviation then she'll send, like, push notifications to get updates on error fares. This is us in Alaska on some glacier. Just got back from, I know, Australia last year; the four of us went there for like 1,200 bucks, and I think in a couple of weeks we're going to Easter Island, all four of us, for like 900 bucks. It's so awesome to have a travel hacker in the family. And then we've got her little doppelganger, this is Kinley. She's exactly like her mom: she likes to run just like her mom, she's an artist just like her mom, she likes to bug her dad about doing the dishes just like her mom. So yeah, that's Kinley. And then I've got my little doppelganger, Charlotte. Now you know how a lot of kids like to go to sleep with, like, a teddy bear? No, not you, Charlotte, the typing keyboard. Just a chip off the old block.

So before I go into further detail I want to give a couple of shout-outs. First off, Dallas Hackers Association, DC214, North Texas Cyber Security Group and the North Texas ISSA chapters, all great people, specifically Mr. TJ Adams and [name unclear] from CyberArk. TJ's here in the building today. And just my team, Customer Success. And then most importantly, we couldn't be doing this demonstration without the people that developed the PowerShell Empire exploitation framework, so harmj0y, sixdub, enigma0x3, rvrsh3ll, Killswitch_GUI and xorrior. All these guys are contributors to the PowerShell Empire framework; we couldn't do this without them.

So we're going to give you a rundown of what this talk is today. I'm really excited about this talk because it's really kind of a purple talk, okay. We're going to start it off with the red team side. We're going to actually demonstrate from soup to nuts an entire golden ticket attack. Then we're going to follow it up with the second part, the blue side of this talk, and that way we're going to talk about identity access management best practices and demonstrate how each one of the controls could be put in to thwart the attack that we previously demonstrated. Then we're going to open it up to Q&A, and then whatever you choose to do after that is up to you.

So we're going to talk about a golden ticket attack, okay. What this whole thing is, again, is a proof of concept I did in my lab, and with open source PowerShell Empire, Mimikatz, what not, we were able to do this golden ticket attack. It took realistically about six minutes. It would have been a lot faster if I had used tab autocomplete on
the terminal. So some more warnings ahead of time here, some disclaimers. One: the attack that I'm actually going to demonstrate in my lab didn't actually happen like this in real life. In reality, we actually determined there were three different APT players in the Central Bank of Bangladesh when this went down: not only was there this particular Asian crime syndicate, but the North Koreans and the Iranians were both in the same network at the same time. Just the fact that the Asian crime syndicate was the first one to pull the trigger is what made it so notable. The second part is there's more than one way to skin a cat here. In this attack I use PowerShell Empire. Metasploit is a great exploitation framework and it does the exact same thing, but even deeper, there are so many functions that we could have run, even just in the same exploitation framework, that could have done things in a little bit better manner. User Hunter, for example, is an amazingly powerful function in PowerShell Empire; however, it didn't work in my lab. So again, there's more than one way to go about accomplishing the end goal here. And then lastly, I'm sorry to tell you, we're not dropping any zero-days. There's no tricks going on, this is all simple, simple stuff. I guarantee there's a YouTube video with Notepad and crappy techno music that's going to demonstrate the same thing I'm talking with you guys about today. In fact I've often joked that this is so easy you can be a 400-pound hacker in your parents' basement and do this, okay.

All right, so we're going to talk today about Kerberos attacks. All right, I'm going to need some volunteers today to demonstrate what this golden ticket attack actually looks like, so can I have a raise of hands? Otherwise I'm going to pick you. Okay, you're in the front row, I'm sorry, you're going to have to be one of them if you don't mind. All I need you to do is just read this really, really loud, okay. You are, let's see, the client. Here you go. Here's another one, and pass it back there. All right, who's the user? And our domain controller, raise your hand if you're the domain controller. All right, so I got some tickets for you. All right, you are going to be responsible for handing these out. All right, so go ahead, this is the regular user, should be highlighted. All right, go ahead.

All right, so the domain controller has authenticated the user and is giving him a ticket, and that ticket is the key thing here, that's the implied trust. All right, go ahead.
All right, all right, good. Give me those back. Thank you guys, appreciate it. All right, so you guys saw what Kerberos is in, like, its pure essence, okay. We're about to do, again, a golden ticket attack, and it's going to look something like this. That's right, thank you TJ. So we're going to hijack the Kerberos process, that's what we're going to do today. What this is is just part of the advanced targeted attack. Well, what is an advanced targeted attack? Well, it's actually kind of simple. It just means that they have a targeted attack in which they've got into your organization for a long, extensive period of time. These attackers know your networks better than your sysadmins do; that's how long they've been in your organization. This is in direct contrast to the other types of attacks that we see in our playing field today. The standard attacks that we're seeing most often are denial of service attacks, standard DDoS, followed by opportunistic endpoint attacks that contain malware and ransomware, and then followed by what we call our quick targeted attacks. These are the gentlemen calling from "Microsoft" with very thick accents trying to, you know, do something on your computer. Those are the quick targeted attacks: they go in, they attack, they get out and they're done, they move on to the next guy.

We're going to talk now about the phases of this advanced targeted attack. What you're going to notice here is something very, very similar to, well, a standard penetration test, just about everything. The only difference between an APT targeted attack's phases versus anything else is just the length of runway. Again, a pen test engagement, red team, they may be doing their engagement for two, three weeks. Well, an advanced targeted attack may be doing this for two, three years, okay. So again, the phases are still the same, and this is like pentester 101 stuff. First phase: open source intelligence gathering, external reconnaissance, okay. Followed by the actual breach, the actual foothold into the network, and we'll demonstrate that as part of the demo. The next phase is the internal reconnaissance; we'll go into this in a bit of detail further. That's really kind of learning more about the network, learning more about the users and how far you can extend your access. The next phase is the lateral movement phase. This is the part where we're trying to extend the breadth of our access, okay. So what we're going to do is we're going to find out who has the access we need to get, we go laterally, move to that machine, and then we extend our control by getting those credentials. The next phase is really where the golden ticket attack comes up: this is the domain compromise. This is where we establish permanent persistence on the network. The last thing is, once we've established our hold on the entire organization, we can do anything we want. Time to move to our endgame, and depending on what your motives are will depend on what your endgame actually is. We could be corrupting data, we could be causing a complete denial of service; it just depends on, again, what your endgame is. So, oh, what is that? Oh crap, anybody have any Bitcoin? Okay.

All right, so let's start off with the breach, okay. This is what we're going to do: we're going to move over to our demo. Again, I flew in from Dallas last night and TSA really hates sacrificial animals in your
carry-on, so this is a recorded demo. Let's see here. So again, what we're using today is just PowerShell Empire. It's got the built-in functions with Mimikatz that load it into memory; that's all we need. So what we were able to do is we were able to create a malicious Excel document with a macro. A standard user with local admin permissions opens up the Excel document and away we go. What you'll see on the C2 server is an agent has connected. Now we have shell access as that user. Pretty cool. Anything you want to do, you can do it from this shell here. So now what we need to do is elevate our privileges, and there's a real great command called bypassuac, and it does just that, bypasses the UAC. We click that, we press execute, and a new shell connects. This is a new shell that has that bypass-UAC permission and we can extend our command functionality, so we can do more with that shell, which really kind of leads to the next phase of the attack. And yeah, the next phase: we're now interfacing with that new shell, and that leads us to move on to the next phase of this attack, and that's really internal reconnaissance. Here what we want to do is we want to find what computers exist on the network, who's logged onto those machines, and what kind of privileges I can get.

I know this is a bit of a side note, but if you get a chance, Phineas Fisher did a write-up on his breach of Hacking Team, and he explicitly said that sysadmins, the people with the access, are the people that he goes after, and that's what pentesters, black hats, they all want to go after: the people with the keys to the kingdom. And so that's what we're going to do in this attack. We're going to go try to find a domain admin and see what we can do, and how, what we can do with their creds, okay. So let's jump back into the show.

So this reconnaissance phase consists of just a few commands, and again, there are multiple ways, different commands that we could have run here. But the first thing that we're going to do is we want to see who those privileged users are, okay. There's a function, very simple, it's called get_group_member. So again, I'm a terrible typer; tab autocomplete saved me there. We define get_group_member, and one of the properties we can define is what security group. We can take any security group we want and press execute, and we're provided with a list. I decided we want to see who the domain admins were, okay, so you press execute and then you're provided with a list. Any user with read-only permissions to Active Directory can facilitate this level of reconnaissance; you don't have to be a domain admin to just read these sorts of objects. So we find there are two domain admins on this very small demo. The next command that we're going to run is, simply put, get_computer. We want to find the computer objects there in Active Directory. Again, this is a very small demo, but you can see that there are just a handful of servers here. What we're going to be interested in is two servers: the SWIFT server, which is completely locked down, nobody can get into it, but then there's another one, this is a file server. From a pentester's perspective, file servers, print servers tend to have deviated permissions as compared to other application servers, so that one will be an interesting one we want to check out. So let's do that. Let's find the get_localgroup, define that particular file server, and say let's find out who the local admins are on that box, okay. Again we press execute and we're presented with a list of the local administrators on that file server, and all with read-only rights. It just so happens the standard user that we originally compromised happens to be also a local admin on that box. How convenient, right? That means that conceivably we can pivot to that box using the account that we already have. The next thing that we're going to run is a command called get_loggedon. What do you think that does, right? We find out who's actually logged onto that file server. So again, we define that we want to know who's logged onto that file server right now, we press execute, and we're provided with a list. Hey, look at that, a domain admin happens to be logged onto that machine, meaning that if we're able to dump creds off of that file server we can get that domain admin's creds. Pretty interesting, huh?

That leads us to the next phase of this attack. This is the lateral movement phase. What we're going to do here is we're going to move, now that we think that we have access to it, we're going to move over to that file server. Then we're going to use Mimikatz, load it into memory; it's not going to write on disk, so signature-based AV is not going to be able to detect this, and we're going to be able to dump the creds off that file server, okay. Once we do that, all it gets, okay, it gets fun after that. So let's jump back over to the show and get that domain admin cred.
All right, so what we're going to do is we're going to interface with the elevated UAC command. We're going to do this: we're going to insert some command line code, it's encoded. There's different ways to do this, WMI, PsExec, PS remoting, you name it, but I just chose to do the invoke command with some encoded strings. It sends that command to the file server, we press execute or enter, and then what you'll see right here is a new shell is going to connect to our system. That is the new shell on our print server. So now we've totally, successfully completed the lateral movement. We're going to jump on to that particular shell and demonstrate that we are actually on that machine. So we're going to do a hostname and we're going to see that we are indeed on the file server. Great. But we were on it, whoami, we still see, hey, we're still the standard user, we haven't become that domain admin, right? So that leaves us with the next phase: we're on the creds command, and just demonstrate that, oh, we got to get back into our shell, sorry. We're going to jump back on to the file server, run the creds command to demonstrate there's no passwords in this file right here. However, we run Mimikatz, it puts it into memory, and we're provided with hashes and clear text of all our passwords. "Letmein1" is our domain admin password, but we also have the hash. So now what we're going to do is we're going to pass the hash, and we're going to do this all again within PowerShell. We steal that token of the PID from cmd.exe running as the domain admin and we have officially passed the hash. We have become the domain administrator. Anything that domain admins can do we now have the capacity to do, which leads us to the next phase. We've established the level of permissions that we want to execute our endgame. Let's now establish permanent persistency. That's such a hard word to say, "permanent persistency," try it.

So here's the one caveat to this that I found out: there is a way to recover from a golden ticket event. It is extremely, extremely difficult to do. In most enterprise organizations it's almost so difficult that you really can't do it, due to the fact you have to have everything lined up perfectly. You have to have the synchronization between Active Directory domain controllers in a particular way that you don't cause a storm once you do it. It's called a double tap, but again, it's nearly impossible to do. But we're going to go ahead and execute this golden ticket attack. The whole key to this is, remember how we got those tickets in our little demo earlier? We want to take control of the ticket generation. Once we take control of ticket generation, that is the golden ticket attack. So what we're going to do is get this KRBTGT hash, and once we do that, then we'll start issuing our own tickets, okay. And then we're going to go execute our endgame; we're going to go play around with that SWIFT server. All right, so let's go back to the demo and show you how it works.

So the first thing we want to do is get back into that shell we're running as the domain admin, and we're going to do what's called a DCSync. This is a command that's run when new domain controllers are stood up: they reach out to another domain controller and say, "Hey, I'm a new domain admin, I need you to send me the hashes." We're only concerned about the KRBTGT hash, so we say let's apply that. So again, we do the DCSync, and now we're provided with the KRBTGT hash. There it is, right there. Now we can do anything with that KRBTGT hash. Within PowerShell Empire there's a very simple function called golden_ticket. Now that we have the KRBTGT hash, we define a couple of values. We can define how long we want to have access, the life of that golden ticket, the name of it, you name it. So again, I'm going to create one called "hack the planet," yes, I was watching an old movie that night, and you press execute, and then we're provided with a golden ticket, a single golden ticket that has ten years of life that can do anything it wants to do on that network. At this point we've officially owned the network. So now it's a matter of actually executing our endgame. Remember that machine that we couldn't get to, that SWIFT server I told you about? Well, there's just all the file contents right there. Now it's time to move forward to the endgame, okay. What we're going to do is, again, we're going to access the SWIFT server, and rather than shut it down or do something like that, we're going to corrupt the data. Well, we're not going to corrupt it to the point where it becomes unusable; we're just going to corrupt it to the point where I get about $50,000 richer. So this is what it looks like. We go back to the demo, we're going to take a look at the Windows side of this. All right, so the SWIFT server, maybe a Windows box, you can just see all the jobs that are queued up in that particular folder. Every 5 minutes the transactions will then be processed, so we're going to go in and manipulate some of that data. So instead of, you know, sending, you know, $100,000 someplace, we're gonna send $50,000 to the Shadow Systems Group. Just a matter of uploading a file. We've circumvented any sort of manual controls, any visible oversight; we have a legitimate file in the system, it's going to process just as any other batch job would. So again, the attack is completed, and there we are, we've got a transaction file in the system for 50,000. Congratulations, the golden ticket attack has been completed. Endgame is done, we are all set. That is the entire golden ticket attack. There's just one last thing that we have to do: it's "profit." So that is the golden ticket attack in its purest form. That's the red team side of this talk. Let's kind of go flip it upside down and talk about how
we can go in and prevent these sorts of attacks, okay. We're going to talk about it from a perspective of identity access management and how we can go about correcting all the mistakes that we saw as part of this previous demo. The first thing we want to talk about is endpoint privilege, okay. Least privilege is critical in preventing this entire situation. If we were unable to get that UAC-elevated access, none of the reconnaissance, none of the [unclear] activity, none of the additional payloads would have been able to be injected into the system. So again, what we need to do is remove local administrator rights from the end user. The next thing that we want to do is allow applications to run that need local administrator access to run. So again, we want to revoke local administrator access from all of our end users, but again, allow certain applications. I used to be in the medical industry, and applications like Cerner and Meditech, they had to be local admin to run, but I didn't want to give the nurses or anybody else admin access to run on the entire operating system. So with least privilege applications, we can elevate just those particular binaries and leave the underlying operating system running at a standard user state. The next thing we want to do is application control, manage application access. We want to block unauthorized applications, and we talked earlier about Avecto and some of the other different products out there. One that I work for, CyberArk, so we have one that's called Endpoint Privilege Manager that does a very good job at this. But again, we want to block unauthorized applications, but again, allow others through. This is a nightmare if you're actually trying to manage this if you have just two buckets to run from, basically an explicit allow and an explicit deny; that's very difficult to actually do. So we've started a concept of greylisting: have a third bucket that will allow unknown hashes, unknown binaries, to run, and it can be trained away. So for example, let's say WannaCry, you know, let's say it or any other ransomware for that matter. We can say, well, first off that binary can't run, but we can say, well, let's let it run, but you can't reach back out to the internet. That prevents the encryption key exchange, it prevents [unclear]; it's very powerful. But then we could say, okay, you can reach out to the Internet, it may be a legitimate application, but you can't write to the file system. Or we can say you can write to the file system, but you can only write to this directory or this particular file extension. Really cool stuff, that's what you can do now.

Now, this isn't really an identity access management control, but I figured I would be remiss if I didn't bring it up: I think network segmentation is huge, okay. It really kind of isolates your keys to the kingdom, your tier 0 assets, the real things that you value. If you can segment them and make them difficult to pivot to, then attackers have that much of a harder time. So again, if we had network segmentation in the previous demo, we wouldn't have been easily able to pivot using standard protocols. So again, network segmentation prevents lateral movement. But how do you use your systems in a segmented environment? Well, this is where I think privileged jump servers or bastion hosts come into play. Microsoft has a white paper called the Red Forest that talks about how this should be done with basically a second laptop or second system to be used for just administrative use. Well, that's kind of pricey, you know, so this is why I think jump servers are very valuable, in that you can route all your privileged access through that particular type of server. But at the same time, think about it this way: you can't pass the hash if you can't get the hash, okay. So if you're on a machine, you are logging in, your hash, the privileged hash, exists on that machine. You saw how we compromised an endpoint and were able to dump the creds of the people that were logged on. Well, if we route all our traffic through a jump host it doesn't matter: that jump host doesn't go home on the weekend and get, you know, ransomware or, you know, trojanized Minecraft from your kids. You have a very locked-down bastion host, and all those privileged hashes will be stored on that machine rather than on your endpoint that you can't vouch for 100% of the time. And what it also does is allows for accounting and auditing. If we have a video or a session recording of what was all happening on that jump box, not only do you know who used that credential and when, but you know exactly what's being done with that account, and I'll go into that in a little bit more detail. Let's move forward on another control
that I highly recommend: the credentials. No duh, right? Well, there are three main tenets to a really, really strong credential, and what I recommend is locking that down. You want to secure and manage all your privileged credentials in your organization, so it's not just, you know, the local administrator account. Microsoft has done a very good job trying to prevent pass the hash from local systems, but domain accounts are still easily available to abuse for pass the hash. So again, Microsoft has been able to lock down passing the hash just to local accounts, with the exception of the RID 500, that local administrator account, so that local admin account can still be used for pass the hash. Any domain account will still be used for pass the hash. So here are three recommendations for a secure password; there are three main tenets to it. The first one is unique passwords, okay. You can't pass the hash if the hash is different on each individual system, okay. Very simple, very easy enough to do if you've got some sort of automated process for that. The next thing you want is a complex password. Well, the reason for that is fairly simple: to defeat brute-forcing, okay, which leads me to the next tenet. Okay, so let's say hypothetically we have a password that takes about one month to brute-force and crack, okay. Well, with ever-changing, frequently rotating passwords, that circumvents that. So for example, if I have a password that's set to change once a week automatically and it takes one month to brute-force, by the time that account is brute-force cracked, that password has already changed three times. So that's why I want to have those three main components to a secure password. But in addition to credentials, what I recommend is a second form of credential, multi-factor. Multi-factor is critical to truly tie the person using the credential to the credential that's actually being used.

And then what we're going to talk about is what you can do with these credentials. This is a concept that I like to call credential boundaries, and again, Microsoft has a white paper on how to prevent credential theft using this particular concept, okay. It's very much what I call the horizontal tiered boundary. It'll look something like this, all right. So what you have here, you've got your tier 0 assets. This is what correlates to your first phase of your disaster recovery program; these are the things that your organization truly values. So forest admins, domain controllers, DNS, ESXi hosts, really the critical components to your infrastructure. So if you have, like, a SIEM that can monitor credential use today, all right, the domain admin accounts can only operate within this particular tier. If it's found in the subsequent lower tiers, such as the tier 1 tier or application server tier, you've got an issue, you've got an indication of compromise, and you know, start your incident response program. So in here's our tier 1 assets. These are your standard application servers, database servers, really the core of your organization, right, fair enough. Again, your server admins will only operate within that horizontal boundary. If you ever find a server admin up here or down below on your tier 2 tier, you've got an indicator, okay. Leads me to tier 2. These are your workstations, your endpoints. This is where help desk operates, this is where you kind of have your lower access. You don't find a lot of privileged accounts in your tier zero outside of local administrators and maybe a helpdesk account. So again, if you find a helpdesk account existing up on tier one, I'm going to look into it.

So here's a key concept I want you guys to write down if you can, because this is a major takeaway from this entire talk, okay. Identities. Identities are flesh and blood: you, me, everybody in this room, okay. These are passwords, accounts; they're just hexadecimal that defines permission. These are not one and the same; you don't have to have a one-to-one relationship to delineate permission, okay. Think about it like this: a construction site. Any construction site you go to, you've got a ton of people, right? But does every single person have a hammer? Maybe. What about a skill saw? Maybe not. What about a
bulldozer should everybody in a construction site need a bulldozer because they might need at any given point right now that's just not cost-effective what you have instead is a toolbox what you have is somebody is assigning somebody to do a job then go to the chest will check out the tool to do their job they do their job and then they put the tool back in because at the end of the day somebody goes in and accounts for all the tools to make sure they're all still in the box that is a way to run a very shipshape construction site and I recommend trying to do something similar to that in your IT organization so think about it like this
Okay, here are five sysadmins, standard users, okay? What we've seen is a lot of organizations have moved to this program of creating a second account, the ADM account or whatever you call it, that separates the permission out. Okay, how many people, show of hands, have something like this in your organization currently? There's a lot of people, okay. So what you've just done is you've done a really good thing by breaking out the privilege from your standard regular user account, but what you just did also is double your footprint of accounts in your organization. So look at it from this perspective: somebody, maybe a sysadmin, goes rogue, they get let go, HR files the termination papers and their standard user account is disabled. Well, there are so many workflows, and unless you have a really robust IAM program, that ADM account may still exist. We actually saw this exact, well, something similar to this actually happened at Columbia, the sportswear company. Someone was let go; they were able to take an existing account, elevate the permissions and create a backdoor, and they were able to access the organization after they left over 700 times in order to get a competitive advantage. That sort of thing just should never happen, but that case is currently in litigation. Here's what I recommend, okay: we're going to still have our same five standard users, okay? We've got two halves, two segments, right? But rather than creating five separate accounts, we're going to have one, or maybe two if you have a certain use case for it, but you want to have a locked-down administrative functional account that's managed within some sort of automatic password system. So what you're essentially doing is going from five privileged accounts down to one locked-down, solid, rock-and-roll privileged account, okay? So that's what we try to recommend from a functional account model. So this is kind of what the whole thing looks like when you put it all together. This is what a standard network would look like: very flat, any credential could access any one of those machines.
You know, even though you've got clearly defined roles and functions on this whole network, it also looks like a flat network from a networking perspective, right? Well, let's try it like this: not only are we implementing the horizontal boundary that I talked about earlier, but we're also having those functional accounts, so now you're delineating them horizontally and vertically as well. So this is what you see with credential boundaries and functional accounts; you slap on least privilege and application control on top of it, and that is a secure stinking network right there. So one of the latter things that we kind of touched on earlier was, you know, privileged jump boxes and where they can be of value in risk mitigation to your organization. Part of that is also monitoring. I think monitoring is huge, because you can monitor the privileged access, and it's not just your sysadmins; it very well may be with third parties as well. We know from the Target breach it wasn't Target that was initially compromised, it was a third-party HVAC vendor, and if they had been able to provide some sort of segmentation of their own organization and route the HVAC vendor through some sort of proxy server, then they wouldn't have been able to inject their code into the network. So again, I think there's some value in that as well. The other thing is alerting: if we are able to see malicious activities go down on your network through, like, a network tap, we could detect certain indicators. We've seen that previously in some of our other talks, but things like the defacing would be very easily picked up if you have any sort of alerting, and then also just picking up on a behavior of anomalies. Well, what is that? Well, that's really heuristic behavior, okay. We can actually say, you know, standard users log on Monday through Friday between the hours of 8:00 and 5:00. Well, there's that same user logging on, legitimately, but they're coming in from a Chinese IP address, coming in from 10:00 p.m. to 2:00 a.m. Monday through Saturday, which correlates to a typical Chinese workday, by the way. Those sorts of things, even using legitimate credentials, based on the heuristic behavior we can set alerts on anomalies that may need investigation, and that's really where I see value in sort of a monitoring of your users through heuristic behavior analysis. And what this also does is alert quickly when there are events outside of your identity and access management control system. So for example, if you've got all your passwords locked down in a vault and you have to check them in and check them out, and there's a logon event that happens on some application server but there's not a correlating event on your password vault, somebody's circumvented your controls; we
can take immediate action and rotate that password, like, immediately. So I think there's value in that as well. So to kind of conclude, there are really four main tiers of controls that I would recommend to lock down your organization from an identity and access management perspective. First is the endpoint: really removing local privilege, and application control. I can't speak highly enough of application control and least privilege. You guys saw WannaCry, you guys have seen all the stuff that's gone down with ransomware; well, it's not me saying this, okay, it's US-CERT and the FBI: the combination of least privilege and application control absolutely will stop ransomware. The next thing is, again, not necessarily an IAM control, but I think network segmentation is a huge control that needs to be put into place, routing access through jump servers; I think again that's huge. Really kind of holding your users and your third parties accountable is critical. Enforcing credential tiers: remember, this is not just horizontal but also vertical, so the combination of credential boundaries and functional accounts is huge. The three tenets again of a password: unique, frequently changing and complex passwords. Huge. Multi-factor authentication, really kind of taking it up to the next level and truly identifying that the person is the one that you're authenticating, not just some random person. Setting alerts, monitoring behavior and monitoring privileged user access: again, all critical components from an identity and access management perspective on preventing advanced targeted attacks. Well, that concludes my talk. I'm going to open this up to some Q&A if you have any. I will be here for about the next couple hours and then I gotta bounce back over to Dallas, but again, thank you so much for having me today. Thank you. [Applause]
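The three detections the speaker describes in the talk (an account showing up on a host outside its credential tier, a logon outside the user's normal hours or from an unexpected address, and a vaulted privileged account used with no matching checkout in the vault) can be expressed as a few small checks over logon events. The block below is an added example and is not code from the talk or from CyberArk; the host and account names, tier assignments, corporate IP range, working hours and the event layout are all assumptions for illustration, and the logon and checkout records are constructed, not real telemetry. It goes slightly beyond the talk by reporting which of the two heuristics (time or source) fired for each anomalous logon.

```python
"""Added example (not from the talk): the three detections described above run over
constructed logon events. Host names, account names, tier assignments, IP ranges,
business hours and the event layout are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed tier model: tier 0 = identity (DCs), tier 1 = servers, tier 2 = workstations.
HOST_TIER = {"DC01": 0, "APP01": 1, "SQL01": 1, "WS-1042": 2, "WS-2207": 2}
ACCOUNT_TIER = {"da-functional": 0, "srv-functional": 1, "helpdesk1": 2, "jsmith": 2}
VAULTED = {"da-functional", "srv-functional"}   # functional accounts whose passwords live in the vault
CORP_NETS = [ip_network("10.0.0.0/8")]           # assumed corporate address space
WORK_HOURS = range(8, 17)                        # 08:00-17:00 local
WORK_DAYS = range(0, 5)                          # Monday-Friday


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    host: str
    src_ip: str


@dataclass(frozen=True)
class Checkout:
    account: str
    host: str
    start: datetime
    end: datetime


def tier_violations(logons):
    """Credential boundary: an account used on a host outside its own tier."""
    found = []
    for lg in logons:
        acct_tier, host_tier = ACCOUNT_TIER.get(lg.account), HOST_TIER.get(lg.host)
        if acct_tier is not None and host_tier is not None and acct_tier != host_tier:
            found.append((lg.account, lg.host, acct_tier, host_tier))
    return found


def off_hours_or_foreign(logons):
    """Heuristic baseline: outside business days/hours, or from a non-corporate address.
    Each hit records which of the two conditions fired."""
    found = []
    for lg in logons:
        outside = lg.when.weekday() not in WORK_DAYS or lg.when.hour not in WORK_HOURS
        foreign = not any(ip_address(lg.src_ip) in net for net in CORP_NETS)
        if outside or foreign:
            found.append((lg.account, lg.when.isoformat(), lg.src_ip, outside, foreign))
    return found


def vault_bypass(logons, checkouts):
    """A vaulted account logged on with no checkout for that account and host covering the time."""
    found = []
    for lg in logons:
        if lg.account not in VAULTED:
            continue
        covered = any(c.account == lg.account and c.host == lg.host
                      and c.start <= lg.when <= c.end for c in checkouts)
        if not covered:
            found.append((lg.account, lg.host, lg.when.isoformat()))
    return found


def rotation_actions(logons, checkouts):
    """The response the talk describes: rotate every vaulted password used around the vault."""
    return sorted({acct for acct, _, _ in vault_bypass(logons, checkouts)})


def sample_logons():
    """Constructed events (not real telemetry). 2016-02-08 is a Monday."""
    return [
        Logon(datetime(2016, 2, 8, 9, 15), "jsmith", "WS-1042", "10.1.4.20"),        # normal
        Logon(datetime(2016, 2, 8, 10, 2), "helpdesk1", "APP01", "10.1.4.21"),       # tier-2 account on tier-1 host
        Logon(datetime(2016, 2, 8, 23, 40), "jsmith", "WS-1042", "203.0.113.7"),      # off-hours, from outside
        Logon(datetime(2016, 2, 8, 11, 0), "srv-functional", "SQL01", "10.2.0.5"),   # covered by a checkout
        Logon(datetime(2016, 2, 8, 14, 30), "srv-functional", "APP01", "10.2.0.5"),  # no checkout: bypass
    ]


def sample_checkouts():
    """Constructed vault records: one checkout that covers only the SQL01 logon."""
    return [Checkout("srv-functional", "SQL01",
                     datetime(2016, 2, 8, 10, 45), datetime(2016, 2, 8, 12, 0))]


if __name__ == "__main__":
    logons, checkouts = sample_logons(), sample_checkouts()
    for name, hits in (("tier violations", tier_violations(logons)),
                       ("off-hours/foreign", off_hours_or_foreign(logons)),
                       ("vault bypass", vault_bypass(logons, checkouts))):
        print(f"{name}: {hits}")
    print("rotate:", rotation_actions(logons, checkouts))
```

Run as a script it prints one hit per detection for the constructed data. In practice the `Logon` records would be parsed from your logon audit source and the `Checkout` records from the vault's audit trail; the vault-bypass check is the one that turns a logon that looks legitimate on its own into a "controls circumvented, rotate now" action.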