Win10: 3 Perspectives on Endpoint Security Strategies

Many businesses rely on corporate-owned Windows 10 devices as their standard endpoint, and in an attempt to keep attackers at bay they try to lock those devices down with the security features Windows 10 ships with: Windows Defender (or a third-party EPP/EDR/NGAV product), Credential Guard (to isolate credentials and blunt pass-the-hash attacks), Device Guard (to enforce code signing and application whitelisting) and Application Guard, often called App Guard (to sandbox the Edge browser in a virtual machine). In practice, these measures are sometimes impractical to apply, and even when they are applied they cover only a subset of the attack surface.
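The gap between "locked down on paper" and "locked down in practice" is easy to check from the endpoint itself. The script below is an added example, not code from the original post; it uses only documented Microsoft cmdlets and CIM properties (the Win32_DeviceGuard class, Get-WindowsOptionalFeature and Get-MpComputerStatus) and assumes it is run from an elevated PowerShell prompt on Windows 10. It reports whether each of the four controls named above is actually running, and separately flags Credential Guard or HVCI that policy has configured but the machine is not running, which is the typical outcome when the hardware or firmware prerequisites for virtualization-based security are missing.

```powershell
# Added example (not from the original post): audit whether the Win10 controls
# discussed above are actually running on this endpoint. Run from an elevated
# PowerShell prompt on Windows 10; Get-WindowsOptionalFeature needs elevation.

function Get-EndpointHardeningStatus {
    $result = [ordered]@{}

    # Credential Guard and HVCI (the kernel code-integrity half of Device Guard)
    # report through the DeviceGuard CIM class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $result['VBSRunning']               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
    $result['CredentialGuardRunning']   = ($dg.SecurityServicesRunning -contains 1)
    $result['HVCIRunning']              = ($dg.SecurityServicesRunning -contains 2)
    # Code integrity (WDAC) policy enforcement: 0 = off, 1 = audit only, 2 = enforced
    $result['KernelCIPolicyEnforced']   = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    $result['UserModeCIPolicyEnforced'] = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)

    # Application Guard (Edge in a VM) is an optional Windows feature.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    $result['ApplicationGuardEnabled']  = ($wdag.State -eq 'Enabled')

    # Windows Defender status. A third-party EPP/EDR may legitimately replace it,
    # in which case these two will be false and the third-party agent needs its own check.
    $mp = Get-MpComputerStatus
    $result['DefenderAVEnabled']        = [bool]$mp.AntivirusEnabled
    $result['DefenderRealTimeOn']       = [bool]$mp.RealTimeProtectionEnabled

    # Configured by policy but not running: the prerequisites (UEFI, Secure Boot,
    # virtualization extensions) are usually what is missing.
    $result['CredentialGuardConfiguredNotRunning'] =
        ($dg.SecurityServicesConfigured -contains 1) -and -not ($dg.SecurityServicesRunning -contains 1)
    $result['HVCIConfiguredNotRunning'] =
        ($dg.SecurityServicesConfigured -contains 2) -and -not ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]$result
}

$status = Get-EndpointHardeningStatus
$status | Format-List

# Every control that is not running is a gap in the "lock it all down" strategy.
$controls = 'VBSRunning', 'CredentialGuardRunning', 'HVCIRunning', 'KernelCIPolicyEnforced',
            'UserModeCIPolicyEnforced', 'ApplicationGuardEnabled', 'DefenderAVEnabled', 'DefenderRealTimeOn'
$gaps = $controls | Where-Object { -not $status.$_ }
if ($gaps) {
    Write-Warning ("Controls not running: " + ($gaps -join ', '))
} else {
    Write-Host "All listed controls are running."
}
if ($status.CredentialGuardConfiguredNotRunning -or $status.HVCIConfiguredNotRunning) {
    Write-Warning "VBS feature configured by policy but not running; check firmware/hypervisor prerequisites."
}
```

Running this across a fleet (for example through a scheduled task that ships the object to a log collector) turns the vague "we enabled everything" into a per-host fact, and the configured-but-not-running flags are the ones worth alerting on, because Group Policy reports them as compliant.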


In this post, we'll examine this strategy from three perspectives: the sophisticated attacker's, the end user's and the IT administrator's.


ATTACKER


A Win10 endpoint with all of these security features turned on does present real challenges for the attacker. Credential Guard keeps LSA secrets in a virtualization-based container that the rest of the OS cannot read, so the common pass-the-hash attack, in which an attacker steals a user's password hash from memory and, without cracking it, replays it to authenticate as that user elsewhere on the network, is blocked at the theft step (it protects the endpoint's own memory, not the NTLM protocol; a hash obtained some other way can still be replayed). Other basic attacks that rely on known malware or overtly malicious behaviour can be thwarted by EPP/EDR/NGAV products.


However, Win10 still leaves an enormous attack surface to prod and plenty of vulnerabilities to exploit. The attacker is likely to target unpatched vulnerabilities, or to abuse legitimate applications with design weaknesses that run on the Win10 operating system (OS). Consider an attacker who tricks a user into silently installing a legitimate remote-control application such as Webex on the user's laptop: none of it is malware, yet from that point on the attacker sees everything the user sees and has full control over the user's applications.


USERS


End users are very familiar with th ..
