Security KPIs, by: Steven Aiello, ver: 2.0.1

SECURITY KPIS · Disable cached creds Within Active Directory Group Policy: \Computer Configuration \Windows Settings \Security Settings \Local Policies \Security Options Do not allow


Page 1

SECURITY KPIS

by: Steven Aiello, ver: 2.0.1

Page 2

Introduction. Steven Aiello, Security & Compliance Solutions Principal

SANS GCIH License 29615 – Mentor Status
SANS GSEC License 353652 – Mentor Status
OSCP – (In Progress)
CISSP
CISA
VCAP-DCA
VCAP-DCD
VCP

Page 3

This is where I’ve been. It’s been a long road…

Compliance, I.R., A.D., Web Development, Network, Logging, Systems Admin., Endpoint

Page 4

“Performance is the best way to shut people up.” - Marcus Lemonis

Page 5

The Data. What does the data say about our efforts in cyber security?

(slide graphic: the results, the change, the money, the activity)

Page 6

“In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects organizations will spend on cybersecurity in 2016.”

Oct 12th 2016, fortune.com

Callouts: $101.6B, 38%, 2016, 2020

Page 7

“Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick in identification through internal financial audits, associated with business email compromise (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.”

DBIR 2017, Verizon

Callout: “disclosed by the affected customer or an external threat actor bragging or extorting their victims.”

Page 8

How likely you are to be breached if you’ve had an event, broken down by industry:

Accommodation 93%
Healthcare 65%
Finance 47%
Manufacturing 20%
Information 16%
Professional 4%
Public 1%

Page 9

Top attack vectors of known breaches. Attack vectors of confirmed breaches:

Email & Email Attachments 43%
Backdoor or C2 (Hacking) 24%
Web Application 19%
Direct Install 6%
LAN Access 4%
Partner Facility 4%

Page 10

Top six actions by threat actors

The top six threat action varieties: “…that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.”

DBIR 2017, Verizon

Page 11

To recap what’s happening

81% of breaches leveraged weak or stolen passwords, this includes password hashes…

66% of malware was installed via malicious email attachments

24% of breaches involved backdoors or “hacking”

Top 6 actions threat actors use involve valid passwords to move laterally through the network

Top 6 actions threat actors use involve valid passwords to access data and exfiltrate it [within days] …

Page 12

Four security KPIs

Data monitored for anomalous access: What data is important to the business? What are “normal” data access patterns by user account? How does the organization monitor for changes in data access patterns?

Minimization and monitoring of lateral movement: What percentage of systems have unilateral access to other hosts? What policies and technologies can organizations put in place to gain visibility?

Confidence in system control: What are our patch times for operating systems, COTS applications, internally developed applications? How do we reduce patching cycles? For systems that cannot be patched, leverage application whitelisting.

Confidence in account validity: What level of confidence does the organization have that user accounts authenticating to systems are being properly used?

Page 13

Four security KPIs

KPI number one: Confidence in account validity

Account validity is possibly the most difficult KPI to score well in. No, your two-factor authentication will not protect you…

Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory, CERT-EU Security 2014-07

Page 14

KPI one: confidence in account validity

01 SMB is the problem. Protection from PTH attacks:
• psexec bypasses 2FA

02 Kerberos is the problem. Creating the Golden Ticket:
• KRBTGT password hash
• Domain admin. username
• Domain name
• Domain SID

03 2FA == local logon only. Two-factor authentication only protects user logon attempts from the Windows console or RDP.

Page 15

KPI one: confidence in account validity

Disable cached creds. Within Active Directory Group Policy:
\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Do not allow storage of passwords and credentials for network authentication

If not possible… For mobile users:
\Security Settings\Local Policies\Security Options
Interactive Logon: Number of previous logons to cache (in case domain controller is not available)

Kerberos is still the problem. Protection from the Golden Ticket:
• KRBTGT password hash
• Domain admin. username
• Domain name
• Domain SID
If a golden ticket is created the only way to invalidate the ticket is to reset the KRBTGT two times.

Page 16

Four security KPIs

Confidence in system control

1. Document patch cycles. Not all systems can be patched, however, you should understand what those limitations are and seek to improve on them.

2. Whitelist what you can’t rapidly patch. If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently.

3. Isolate what you can’t patch or whitelist.

Page 17

KPI two: confidence in system control

Are you patching your applications as fast as you patch your OS? (timeline graphic: 2017, 2018, 2019, 2020; 3/5)

Can you patch 90% in 30 days?

90%: Whitelist fixed use systems. If your application vendors won’t let you patch, whitelist. Use it where needed – don’t overextend.

Measure your progress. Understanding your current state and making progress towards your goal is key.

“You can't manage what you can't measure.” Peter Drucker.
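As an added example (not from the deck), a small Python script that scores the “can you patch 90% in 30 days?” question per category, following the deck’s split of operating systems, COTS and internally developed applications, and lists systems whose patch is overdue as candidates for whitelisting or isolation. The inventory, host names and dates are constructed assumptions.

```python
from datetime import date

# Constructed inventory (assumed, not from the deck): one row per system and
# patch category, as (system, category, patch_released, patch_applied or None).
# Categories follow the deck: OS, COTS (commercial off-the-shelf), internal.
INVENTORY = [
    ("web-01", "OS", date(2017, 9, 5), date(2017, 9, 12)),
    ("web-01", "COTS", date(2017, 9, 5), date(2017, 10, 20)),  # framework fix applied late
    ("db-02", "OS", date(2017, 9, 5), date(2017, 9, 30)),
    ("db-02", "COTS", date(2017, 9, 5), None),                  # vendor will not allow patching
    ("app-03", "internal", date(2017, 9, 5), date(2017, 9, 28)),
    ("app-03", "OS", date(2017, 9, 5), date(2017, 10, 1)),
    ("hmi-04", "OS", date(2017, 9, 5), None),                    # fixed-use system, never patched
    ("hmi-04", "internal", date(2017, 9, 5), date(2017, 9, 20)),
]


def patch_kpi(inventory, window_days=30, as_of=date(2017, 10, 31)):
    """Per category, the percentage of patches applied within window_days of
    release. A patch still missing once the window has passed counts against
    the KPI and its system is returned as a whitelist/isolate candidate."""
    per_cat = {}   # category -> (scored, on_time)
    overdue = set()
    for system, cat, released, applied in inventory:
        if applied is None and (as_of - released).days <= window_days:
            continue  # window still open: not scored yet
        scored, on_time = per_cat.get(cat, (0, 0))
        if applied is None:
            overdue.add(system)
        elif (applied - released).days <= window_days:
            on_time += 1
        per_cat[cat] = (scored + 1, on_time)
    pct = {cat: round(100 * ok / n, 1) for cat, (n, ok) in per_cat.items()}
    return pct, sorted(overdue)


def meets_target(pct_by_cat, target=90.0):
    """The deck's question, per category: is 90% patched within the window?"""
    return {cat: pct >= target for cat, pct in pct_by_cat.items()}


if __name__ == "__main__":
    pct, overdue = patch_kpi(INVENTORY)
    print(pct, meets_target(pct), overdue)
```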

Page 18

KPI two: confidence in system control

Apache Struts 2 is the perfect example…

Step 1: Patch
Step 2: Rebuild web applications
Step 3: Potentially change code that calls Struts

Before someone with Metasploit attacks… https://github.com/rapid7/metasploit-framework/pull/8924

https://arstechnica.com/information-technology/2017/09/exploit-goes-public-for-severe-bug-affecting-high-impact-sites/

Sometimes isolation is your only option…

Page 19

Four security KPIs

Minimize lateral movement

[and monitor]

Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.

Page 20

KPI three: minimize and monitor lateral movement

If you implement the recommendations from KPI 1, the amount of credentials available will be greatly limited. The user will have to move across the network, this is your opportunity to discover their actions. Understanding valid network traffic is critical.

Users WILL open office documents, it’s part of their job. Security needs to protect users while they are doing their job.

First: Attacking the User. Second: Harvesting Credentials. Third: Lateral Movement. (slide graphic with figures 100%, 81%, 66%)

Page 21

KPI three: minimize and monitor lateral movement

TCP/UDP port scans. Policy: don’t allow it on user LANs.

PING scans. Policy: don’t allow it on user LANs.

No SMB shares. All file sharing should go back to the datacenter.

John Doe: Users should know company policy…

The brunt of attacks will be focused on your users; this ends up being a “good thing” because it makes lateral movement easier to detect…

Attacks WILL come from the user LAN

Page 22

KPI three: minimize and monitor lateral movement

Netflow monitoring. Visibility is key: there are open source and commercially available packages for netflow monitoring; select one and master it.

LAN & data center micro-segmentation. Investment required: if you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation.

pVLANs & ACLs. Our starting point: pVLANs with port ACLs require zero capital investment as long as your switches are sized properly. Every company I’ve worked for has used pVLANs. I was shocked when I realized most companies were NOT using pVLANs in their user LANs.

ADP, 2003, SaaS provider
OnlineTech, 2012, IaaS provider
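As an added example (not from the deck), the user-LAN policy from the previous two slides expressed as detection logic over flow records: no TCP/UDP port scans, no ping sweeps, and file sharing only back to the datacenter. The segments, thresholds and flow records are constructed assumptions; a real deployment would feed it exported netflow from whichever monitoring package you chose.

```python
import ipaddress
from collections import defaultdict

# Assumed segments (not from the deck): the user LAN and the datacenter.
USER_LAN = ipaddress.ip_network("10.20.0.0/16")
DATACENTER = ipaddress.ip_network("10.50.0.0/16")

# Constructed flow records: (src, dst, proto, dst_port); ICMP flows carry port 0.
FLOWS = [
    ("10.20.1.15", "10.50.2.10", "tcp", 445),   # SMB to a datacenter file server: allowed
    ("10.20.1.15", "10.20.1.77", "tcp", 445),   # SMB share between two user hosts: violation
    ("10.20.1.88", "10.50.3.5", "tcp", 443),    # ordinary web traffic to the datacenter
    *[("10.20.1.42", "10.20.1.9", "tcp", p) for p in range(20, 60)],           # 40 ports, one host
    *[("10.20.1.42", "10.20.1.%d" % h, "icmp", 0) for h in range(100, 140)],  # 40 hosts pinged
]


def detect_lateral_movement(flows, port_threshold=25, ping_threshold=25):
    """Apply the deck's user-LAN policy to flow records: no TCP/UDP port scans,
    no ping sweeps, and file sharing only back to the datacenter.
    Returns {finding_type: sorted list of offending source hosts}."""
    ports_seen = defaultdict(set)  # (src, dst) -> distinct TCP/UDP destination ports
    pinged = defaultdict(set)      # src -> distinct ICMP destination hosts
    findings = defaultdict(set)
    for src, dst, proto, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in USER_LAN:
            continue  # the policy covers user-LAN sources only
        if proto in ("tcp", "udp"):
            ports_seen[(src, dst)].add(port)
            if port == 445 and d not in DATACENTER:
                findings["smb_outside_datacenter"].add(src)
        elif proto == "icmp":
            pinged[src].add(dst)
    for (src, _dst), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            findings["port_scan"].add(src)
    for src, hosts in pinged.items():
        if len(hosts) >= ping_threshold:
            findings["ping_sweep"].add(src)
    return {kind: sorted(hosts) for kind, hosts in findings.items()}


if __name__ == "__main__":
    for kind, hosts in detect_lateral_movement(FLOWS).items():
        print(kind, hosts)
```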

Page 23

Four security KPIs

Data monitored for anomalous access. “Data is the new gold” - Mark Cuban

Page 24

KPI four: data monitored for anomalous access

Most data is pyrite [fool’s gold]; some... data is gold. 90% [most] of your data is probably fool’s gold.

Good security doesn’t protect bad data…

Understanding what data you have, where it lives, and who can access it will be critical to successful GDPR compliance.

Focus is what you say no to, let the 90% go… The remaining 10%: 90% of focus should be applied here!

Page 25

The effort. To do this well you will most likely need a commercial product [unfortunately]…

Page 26

KPI four: data monitored for anomalous access

Data center options: Some options are focused in the datacenter and are loaded on your SMB, NFS, shares. They have access analysis capabilities but lack endpoint options.

Endpoint options: Endpoint options generally are provided from backup vendors. They don’t have analysis capabilities, but can identify and encrypt sensitive data at rest on endpoints.

Choices: There are some primitive tools within Microsoft’s ecosystem, but no analysis of access patterns. Only access auditing, but it’s better than nothing.
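As an added example (not from the deck), the two KPI-four questions from the “Four security KPIs” slide, “what are normal data access patterns by user account?” and “how does the organization monitor for changes?”, reduced to a per-account baseline over share-access audit records and a check of one day against it. The records, accounts, share names and spike factor are constructed assumptions; the same logic applies to whatever access auditing your datacenter tooling exports.

```python
from collections import defaultdict

# Constructed share-access audit records (assumed): (day, account, share, files_read).
# Days 1-5 form the baseline; day 6 is the period being scored.
ACCESS_LOG = [
    (1, "jdoe", "\\\\fs01\\finance", 12), (2, "jdoe", "\\\\fs01\\finance", 9),
    (3, "jdoe", "\\\\fs01\\finance", 15), (4, "jdoe", "\\\\fs01\\finance", 11),
    (5, "jdoe", "\\\\fs01\\finance", 13),
    (1, "asmith", "\\\\fs01\\eng", 40), (2, "asmith", "\\\\fs01\\eng", 35),
    (3, "asmith", "\\\\fs01\\eng", 42), (4, "asmith", "\\\\fs01\\eng", 38),
    (5, "asmith", "\\\\fs01\\eng", 41),
    # Scored day: jdoe touches a share never seen before; asmith reads ~10x the usual volume.
    (6, "jdoe", "\\\\fs01\\finance", 10), (6, "jdoe", "\\\\fs02\\hr", 3),
    (6, "asmith", "\\\\fs01\\eng", 400),
]


def build_baseline(log, baseline_days):
    """Per account: the shares normally accessed and the mean files read per day."""
    shares = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))  # account -> day -> files read
    for day, account, share, n in log:
        if day in baseline_days:
            shares[account].add(share)
            per_day[account][day] += n
    mean = {a: sum(d.values()) / len(d) for a, d in per_day.items()}
    return shares, mean


def score_day(log, day, shares, mean, spike_factor=5.0):
    """Flag accounts that touched a share outside their baseline, or whose daily
    read volume exceeds spike_factor times their baseline mean."""
    findings = defaultdict(list)
    volume = defaultdict(int)
    for d, account, share, n in log:
        if d != day:
            continue
        volume[account] += n
        if share not in shares.get(account, set()):
            findings[account].append(f"new share {share}")
    for account, n in volume.items():
        if account in mean and n > spike_factor * mean[account]:
            findings[account].append(f"volume {n} vs baseline mean {mean[account]:.0f}")
    return dict(findings)


if __name__ == "__main__":
    baseline_shares, baseline_mean = build_baseline(ACCESS_LOG, range(1, 6))
    print(score_day(ACCESS_LOG, 6, baseline_shares, baseline_mean))
```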

Page 27

Four security KPIs

01 Confidence in account validity
02 Confidence in system control
03 Minimize & Monitor lateral movement
04 Data monitored for anomalous access

Page 28

Four security KPIs

https://www.ted.com/talks/bruce_schneier

Page 29

Contact me: linkedin.com/in/stevenaiello/

overworkedadmin.com

twitter.com/smaiello