SECURITY KPIS · Disable cached creds Within Active Directory Group Policy: \Computer Configuration...
by: Steven Aiello, ver: 2.0.1

SECURITY KPIS
Steven Aiello

Introduction. Security & Compliance Solutions Principal
SANS GCIH License 29615 – Mentor Status; SANS GSEC License 353652 – Mentor Status; OSCP – (In Progress); CISSP; CISA; VCAP-DCA; VCAP-DCD; VCP

This is where I’ve been. It’s been a long road…
Compliance, I.R., A.D., Web Development, Network, Logging, Systems Admin., Endpoint

“Performance is the best way to shut people up.” – Marcus Lemonis
The Data: What does the data say about our efforts in cyber security?
[infographic: the results, the change, the money, the activity – $101.6B, 38%, 2016, 2020]
“In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects organizations will spend on cybersecurity in 2016.” – fortune.com, Oct 12th 2016
“Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick identification through internal financial audits, associated with business email compromise (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.” – Verizon DBIR 2017
How likely you are to be breached if you’ve had an event, broken down by industry [bar chart, 0–100% axis]: Accommodation 93%, Healthcare 65%, Finance 47%, Manufacturing 20%, Information 16%, Professional 4%, Public 1%
Attack vectors of confirmed breaches (top attack vectors of known breaches): Email & Email Attachments 43%, Backdoor or C2 (Hacking) 24%, Web Application 19%, Direct Install 6%, LAN Access 4%, Partner Facility 4%
Top six actions by threat actors: “The top six threat action varieties … that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.” – Verizon DBIR 2017
To recap what’s happening:
- 81% of breaches leveraged weak or stolen passwords; this includes password hashes…
- 66% of malware was installed via malicious email attachments
- 24% of breaches involved backdoors or “hacking”
- The top 6 actions threat actors use involve valid passwords to move laterally through the network
- The top 6 actions threat actors use involve valid passwords to access data and exfiltrate it [within days] …
Four security KPIs
- Confidence in account validity: What level of confidence does the organization have that user accounts authenticating to systems are being properly used?
- Confidence in system control: What are our patch times for operating systems, CotS applications, internally developed applications? How do we reduce patching cycles? For systems that cannot be patched, leverage application white listing.
- Minimization and monitoring of lateral movement: What percentage of systems have unilateral access to other hosts? What policies and technologies can organizations put in place to gain visibility?
- Data monitored for anomalous access: What data is important to the business? What are “normal” data access patterns by user account? How does the organization monitor for changes in data access patterns?

KPI number one: Confidence in account validity
Account validity is possibly the most difficult KPI to score well in. No, your two factor authentication will not protect you…
Four security KPIs
Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory – CERT-EU Security 2014-07
KPI one: confidence in account validity
01 SMB is the problem – Protection from PTH attacks: psexec bypasses 2FA
02 Kerberos is the problem – Creating the Golden Ticket requires: KRBTGT password hash, domain admin username, domain name, domain SID
03 2FA == local logon only – Two-factor authentication only protects user logon attempts from the Windows console or RDP
KPI one: confidence in account validity
- Disable cached creds – Within Active Directory Group Policy: \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: “Do not allow storage of passwords and credentials for network authentication”
- If not possible… for mobile users: \Security Settings\Local Policies\Security Options: “Interactive Logon: Number of previous logons to cache (in case domain controller is not available)”
- Kerberos is still the problem – Protection from the Golden Ticket (KRBTGT password hash, domain admin username, domain name, domain SID): if a golden ticket is created, the only way to invalidate the ticket is to reset the KRBTGT two times
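As an added example (not part of the deck), a PowerShell check that reads the registry values those two Group Policy settings write, so a workstation’s cached-credential posture can be reported without opening the GPO editor, plus the KRBTGT password age that the golden-ticket point makes relevant. The acceptable cached-logon count is an assumed parameter; the KRBTGT function assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example, not from the presentation. Reads the registry values that the
# two Group Policy settings on the slide write. Run elevated on a domain-joined host.
function Get-CachedCredentialPosture {
    param(
        # Largest cached-logon count you accept (0 for desktops; mobile users may need more)
        [int]$MaxCachedLogons = 0
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # "Interactive logon: Number of previous logons to cache" -> CachedLogonsCount (REG_SZ).
    # An absent value means the Windows default of 10 applies.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # "Network access: Do not allow storage of passwords and credentials for
    # network authentication" -> DisableDomainCreds (REG_DWORD, 1 = enabled).
    $noStore = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $noStore) { $noStore = 0 }

    $cachedOk  = ([int]$cached -le $MaxCachedLogons)
    $noStoreOk = ($noStore -eq 1)
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        CachedLogonsCount          = [int]$cached
        CachedLogonsCompliant      = $cachedOk
        NetworkCredStorageDisabled = $noStoreOk
        Compliant                  = ($cachedOk -and $noStoreOk)
    }
}

# Golden-ticket angle from the same slide: a forged ticket stays valid until the
# KRBTGT password has been reset twice, so the age of that password is worth
# reporting alongside. Needs the ActiveDirectory module (RSAT) and domain access.
function Get-KrbtgtPasswordAge {
    Import-Module ActiveDirectory -ErrorAction Stop
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
    }
}

# Report this host; allow one cached logon (a laptop policy) rather than zero.
Get-CachedCredentialPosture -MaxCachedLogons 1 | Format-List
```

Run the same function through Invoke-Command across a fleet to turn the result into the KPI figure (percentage of hosts with Compliant = True).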
Four security KPIs: Confidence in system control
1. Document patch cycles – Not all systems can be patched; however, you should understand what those limitations are and seek to improve on them
2. Whitelist what you can’t rapidly patch – If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently
3. Isolate what you can’t patch or whitelist
KPI two: confidence in system control
Measure your progress: understanding your current state and making progress towards your goal is key. “You can't manage what you can't measure.” – Peter Drucker
[chart: progress by year, 2017–2020]
- Are you patching your applications as fast as you patch your OS? (3/5)
- Can you patch 90% in 30 days?
- Whitelist fixed-use systems (90%)
- If your application vendors won’t let you patch, whitelist. Use it where needed – don’t overextend.
KPI two: confidence in system control
Apache Struts 2 is the perfect example… Sometimes isolation is your only option…
Step 1: Patch. Step 2: Rebuild web applications. Step 3: Potentially change code that calls Struts.
Before someone with Metasploit attacks… https://github.com/rapid7/metasploit-framework/pull/8924
https://arstechnica.com/information-technology/2017/09/exploit-goes-public-for-severe-bug-affecting-high-impact-sites/
Four security KPIs: Minimize lateral movement [and monitor]
Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.

KPI three: minimize and monitor lateral movement
If you implement the recommendations from KPI 1, the amount of credentials available will be greatly limited. The user will have to move across the network; this is your opportunity to discover their actions. Understanding valid network traffic is critical.
Users WILL open office documents, it’s part of their job. Security needs to protect users while they are doing their job.
[chart: First – Attacking the User; Second – Harvesting Credentials; Third – Lateral Movement; figures shown: 66%, 81%, 100%]
KPI three: minimize and monitor lateral movement
Attacks WILL come from the user LAN. The brunt of attacks will be focused on your users; this ends up being a “good thing” because it makes lateral movement easier to detect…
- TCP/UDP port scans – Policy: don’t allow it on user LANs
- PING scans – Policy: don’t allow it on user LANs
- No SMB shares – All file sharing should go back to the datacenter
- John Doe – Users should know company policy…
KPI three: minimize and monitor lateral movement
- Netflow monitoring – Visibility is key: there are open source and commercially available packages for netflow monitoring; select one and master it.
- LAN & data center micro-segmentation – Investment required: if you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation
- pVLANs & ACLs – Our starting point: pVLANs with port ACLs require zero capital investment as long as your switches are sized properly. Every company I’ve worked for has used pVLANs (ADP, 2003, SaaS provider; OnlineTech, 2012, IaaS provider). I was shocked when I realized most companies were NOT using pVLANs in their user LANs.
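As an added example (not from the deck), the user-LAN policy from the previous slide (no port scans, no ping scans, no peer-to-peer SMB) applied in PowerShell to NetFlow-style records of the kind a netflow collector exports. The CSV layout, the 10.20.0.0/16 user LAN, the 10.50.0.0/16 data center and the thresholds are assumptions; the flows are constructed.

```powershell
# Added example, not from the presentation: turns the slide's user-LAN policy
# into detections over NetFlow-style records. Assumed layout: src,dst,proto,dport,pkts.
function Test-InUserLan([string]$Ip) { return $Ip.StartsWith('10.20.') }   # assumed user LAN 10.20.0.0/16

# Constructed sample flows; 10.50.0.x is the data center, 10.20.x.x the user LAN.
$flowsCsv = @'
src,dst,proto,dport,pkts
10.20.1.15,10.50.0.5,tcp,445,120
10.20.1.15,10.50.0.9,tcp,443,300
10.20.1.33,10.20.1.40,tcp,445,80
10.20.1.77,10.50.0.5,tcp,21,2
10.20.1.77,10.50.0.5,tcp,22,2
10.20.1.77,10.50.0.5,tcp,23,2
10.20.1.77,10.50.0.5,tcp,80,2
10.20.1.77,10.20.1.1,icmp,0,1
10.20.1.77,10.20.1.2,icmp,0,1
10.20.1.77,10.20.1.3,icmp,0,1
10.20.1.77,10.20.1.4,icmp,0,1
'@
$flows = $flowsCsv | ConvertFrom-Csv

function Find-LateralMovement {
    param($Flows, [int]$PortThreshold = 4, [int]$HostThreshold = 4)
    $findings = @()
    # Port scan: one source probing many distinct TCP ports on one destination
    foreach ($g in ($Flows | Where-Object { $_.proto -eq 'tcp' } | Group-Object src, dst)) {
        $ports = @($g.Group.dport | Sort-Object -Unique).Count
        if ($ports -ge $PortThreshold) {
            $findings += [pscustomobject]@{ Type = 'PortScan'; Src = $g.Group[0].src; Dst = $g.Group[0].dst; Detail = "$ports distinct ports" }
        }
    }
    # Ping sweep: one source sending ICMP to many distinct hosts
    foreach ($g in ($Flows | Where-Object { $_.proto -eq 'icmp' } | Group-Object src)) {
        $hosts = @($g.Group.dst | Sort-Object -Unique).Count
        if ($hosts -ge $HostThreshold) {
            $findings += [pscustomobject]@{ Type = 'PingSweep'; Src = $g.Name; Dst = '*'; Detail = "$hosts distinct hosts" }
        }
    }
    # SMB between two user-LAN hosts: file sharing is supposed to go back to the data center
    foreach ($f in ($Flows | Where-Object { $_.dport -eq '445' -and (Test-InUserLan $_.src) -and (Test-InUserLan $_.dst) })) {
        $findings += [pscustomobject]@{ Type = 'UserLanSmb'; Src = $f.src; Dst = $f.dst; Detail = 'SMB between user-LAN hosts' }
    }
    return $findings
}

Find-LateralMovement -Flows $flows | Format-Table -AutoSize
```

On the constructed data this reports a PortScan from 10.20.1.77, a PingSweep from the same host, and a UserLanSmb finding for 10.20.1.33 to 10.20.1.40, while the SMB and HTTPS flows to the data center pass.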
Four security KPIs: Data monitored for anomalous access
“Data is the new gold” – Mark Cuban

KPI four: data monitored for anomalous access
Most data is pyrite [fool’s gold]; some... data is gold. 90% [most] of your data is probably fool’s gold; 90% of focus should be applied to the other 10%! Focus is what you say no to; let the 90% go…
Good security doesn’t protect bad data…
Understanding what data you have, where it lives, and who can access it will be critical to successful GDPR compliance.
The effort: to do this well you will most likely need a commercial product [unfortunately]…
KPI four: data monitored for anomalous access
Choices:
- Data center options – Some options are focused in the datacenter and are loaded on your SMB and NFS shares. They have access analysis capabilities but lack endpoint options.
- Endpoint options – Endpoint options generally are provided by backup vendors. They don’t have analysis capabilities, but can identify and encrypt sensitive data at rest on endpoints.
- Microsoft ecosystem – There are some primitive tools within Microsoft’s ecosystem, but no analysis of access patterns. Only access auditing, but it’s better than nothing.
Four security KPIs
01 Confidence in account validity
02 Confidence in system control
03 Minimize & monitor lateral movement
04 Data monitored for anomalous access
https://www.ted.com/talks/bruce_schneier