Architecting a Modern Defense using Device Guard

March 22, 2017 (at 2:30 p.m.) in Defense and Management

With the relentless proliferation of compiled and script-based malware, trusting prevention and detection to antivirus solutions alone simply won't cut it. The only effective way to block unwanted binaries and scripts on a host is a robust whitelisting solution. Device Guard is one such solution provided by Microsoft for Windows 10 and Server 2016 and, if implemented properly, can eliminate an entire suite of attacks your organization may face.

Device Guard, like any other whitelisting solution, will never be impervious to bypasses. A robust solution will, however, provide mechanisms to block known bypasses. Device Guard offers such functionality, and additionally provides features that can effectively prevent rogue administrators from altering policies or disabling the service.

In this talk, we will discuss configuration and deployment of an aggressive whitelisting policy, bypasses to the policy through exploitation of trusted applications, and mitigation strategies for effectively blocking such bypasses. We will also explain our methodology for uncovering bypass techniques to help better prepare your organization.

Matt Graeber

Matt Graeber (@mattifestation) is the Manager of Research with Veris Group’s Adaptive Threat Division. He has a passion for reverse engineering, PowerShell, and advocating the “living off the land” philosophy – tradecraft that makes heavy use of built-in, trusted applications.

Casey Smith

Casey Smith (@subtee) is a researcher with Veris Group's Adaptive Threat Division. He has a passion for understanding and testing the limits of defensive systems.

Previous Talks & Publications:

ShmooCon 2015 Simple Application Whitelisting Evasion https://youtu.be/85M1Rw6mh4U https://github.com/subTee/ShmooCon-2015

DerbyCon 2014 SSL MITM - PowerShell https://www.youtube.com/watch?v=Mii0BTglOBM

OWASP 2013 How Malware Attacks Web Applications https://www.youtube.com/watch?v=Mii0BTglOBM