In the first blog post, we outlined six fundamental capabilities that provide critical coverage to reduce the risk of the most common types of attacks, ease incident response, and mitigate damage. We chose these items based on their outsized importance, particularly for organizations that are starting from scratch.
In this blog post, we present five additional capabilities that round out the list of security basics that all organizations should implement.
Active Directory: Reduce administrator privileges and enhance security settings.
Microsoft provides myriad features to harden Active Directory. Many of these require planning to minimize disruptions to legacy applications and configurations. Near-term, however, there are enhancements that can make it more difficult for an attacker to move within the environment, including the below activities:
In many environments, numerous accounts are configured with privileged access. Each of these accounts can be viewed as a “skeleton key” to a large part of the environment, and pruning the list reduces that risk. For accounts that do require privileges, their scope should be reduced where possible. For example, if the account that runs a service for a key application must be privileged, it should only be allowed to log on to the limited set of servers that application uses. This configuration reduces the number of systems on which the account’s credentials are exposed to theft (an attacker who compromises an unrelated workstation will not find them cached there), and if the attacker obtains them anyway, it limits where they can be used.
For organizations with limited security staff and simple IT environments, one of the most impactful measures to harden AD can be shifting to Azure AD and engaging a competent managed services provider to administer it.
Harden Privileged Access Management (PAM): Protect and automatically rotate privileged accounts’ passwords, requiring MFA to use the accounts to authenticate to resources.
Near-term, place 90% or more of privileged accounts’ passwords under the management of a tool that requires MFA to check them out and rotates them automatically on a regular schedule. LAPS, which solves one part of this problem (it randomizes and rotates the local administrator password on each domain-joined computer, so a password harvested from one machine does not work on the next), is a Tier 1 recommendation because it is far easier to deploy than a full-featured PAM tool.
For accounts that cannot immediately be placed under PAM management (typically service accounts), implement Active Directory security policies to restrict where those accounts can be used and monitoring rules to identify where they are used abnormally. Then create a process to rapidly react to alerts; attackers will gravitate towards these accounts.
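The monitoring rule described above, as an added example that is not part of the original post: each account that cannot yet be placed under PAM gets an allow-list of the hosts it may authenticate to and the logon types it should produce, and any successful logon (Windows Security event 4624) outside that list is raised as an alert. The account names, host names, policy and event records below are constructed sample data, not taken from any real environment.

```python
"""Flag service-account logons that fall outside their authorised scope.

Added example (not code from the original post). Models the monitoring rule
for accounts not yet under PAM: each account has an allow-list of hosts and
logon types; a 4624 event outside that list becomes an alert. All names and
events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Logon types from Security event 4624 that matter for this rule.
LOGON_INTERACTIVE = 2
LOGON_NETWORK = 3
LOGON_BATCH = 4
LOGON_SERVICE = 5
LOGON_REMOTE_INTERACTIVE = 10

# Assumed policy (hypothetical account and host names). It should mirror
# whatever is enforced in AD, e.g. the account's "Log On To" restriction.
SCOPE = {
    "svc_sql":    {"hosts": {"SQL01", "SQL02"}, "logon_types": {LOGON_SERVICE, LOGON_NETWORK}},
    "svc_backup": {"hosts": {"BACKUP01"},       "logon_types": {LOGON_SERVICE, LOGON_BATCH}},
}


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields of a forwarded Security event 4624."""
    computer: str      # host that recorded the event, i.e. where the logon happened
    target_user: str   # TargetUserName: the account that logged on
    logon_type: int    # LogonType
    source_ip: str     # IpAddress; "-" when not applicable


def check_event(ev: LogonEvent) -> Optional[str]:
    """Return an alert string if the event is outside the account's scope, else None."""
    scope = SCOPE.get(ev.target_user.lower())
    if scope is None:
        return None  # not a scoped account; other rules cover it
    host = ev.computer.split(".")[0].upper()  # strip DNS suffix, normalise case
    # A service account should never log on interactively (console or RDP):
    # that is a human using it, which is exactly what attackers do.
    if ev.logon_type in (LOGON_INTERACTIVE, LOGON_REMOTE_INTERACTIVE):
        return f"{ev.target_user}: interactive logon (type {ev.logon_type}) on {host} from {ev.source_ip}"
    if host not in scope["hosts"]:
        return f"{ev.target_user}: logon on unexpected host {host} (type {ev.logon_type}) from {ev.source_ip}"
    if ev.logon_type not in scope["logon_types"]:
        return f"{ev.target_user}: unexpected logon type {ev.logon_type} on {host}"
    return None


def find_abnormal_logons(events: Iterable[LogonEvent]) -> List[str]:
    """Run the rule over a batch of events and return the alerts in order."""
    return [alert for alert in (check_event(e) for e in events) if alert]


# Constructed sample events, in the order they would be received.
SAMPLE_EVENTS = [
    LogonEvent("SQL01.corp.example", "svc_sql", LOGON_SERVICE, "-"),                        # expected
    LogonEvent("SQL02.corp.example", "svc_sql", LOGON_NETWORK, "10.0.1.15"),                # expected
    LogonEvent("WKS-042.corp.example", "svc_sql", LOGON_REMOTE_INTERACTIVE, "10.0.9.77"),   # RDP with a service account: alert
    LogonEvent("FS01.corp.example", "svc_backup", LOGON_NETWORK, "10.0.1.15"),              # wrong host: alert
    LogonEvent("BACKUP01.corp.example", "svc_backup", LOGON_BATCH, "-"),                    # expected
    LogonEvent("WKS-042.corp.example", "jdoe", LOGON_INTERACTIVE, "-"),                     # unscoped user: ignored here
]

if __name__ == "__main__":
    for alert in find_abnormal_logons(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The allow-list is deliberately the same data that would be enforced in AD (a "Log On To" workstation restriction or an Authentication Policy Silo), so a logon outside it is both blocked and alerted on; the alert still matters because it means someone holds the credential and is trying it. The interactive-logon check is placed first because a service account being used at a console or over RDP is the clearest tell of misuse regardless of which host it happens on.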
Authentication – how users prove they are who they claim to be – is a mechanism often subverted by attackers. Most significant intrusions where an attacker obtains widespread internal access involve an attacker exploiting an authentication-related vulnerability at some point. A major contributing factor is that authentication typically depends on passwords, and passwords can be stolen. Viewed from a post-mortem perspective, the point at which an attacker succeeds in leveraging stolen privileged credentials while inside the network is usually the point after which complexity, business impact, and cost to recover increase rapidly.
Vulnerability and Patch Management: Scan frequently, apply secure settings to commonly exploited applications, patch quickly.
With systems management tooling in place (Tier 1), the goal of this effort is to implement processes to identify and quickly mitigate operating system and application vulnerabilities. This includes:
Attackers look for vulnerabilities to exploit as a means of entering a network, and once inside, to easily escalate their privileges. These measures reduce the available attack surface. IT projects can have unintended consequences, including systems, applications, or network ports exposed where they should not be. Vulnerability scanning is a means of verifying that only intended services are exposed, and that they are patched. Patching operating systems and applications is a “table stakes” activity in today’s environment; systems missing one critical patch can represent immediate entry points for attackers.
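The exposure check described above, as an added example that is not part of the original post: the scanner's output is compared against a record of which services each host is supposed to expose, so that a port opened by an IT project, or a host nobody inventoried, shows up as a finding rather than sitting unnoticed until an attacker finds it. The example parses Nmap's grepable output format (-oG) because it is line-oriented and easy to keep under version control; the scan text, addresses and allow-list are constructed sample data.

```python
"""Diff a port scan against the services each host is intended to expose.

Added example (not code from the original post). Parses Nmap -oG output and
reports open ports the allow-list does not sanction, plus hosts missing from
the allow-list altogether. Scan text, hosts and policy are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


# Intended exposure per host: (port, protocol) -> label. Hypothetical inventory.
INTENDED: Dict[str, Dict[Tuple[int, str], str]] = {
    "10.0.0.5":  {(22, "tcp"): "ssh", (443, "tcp"): "https"},   # web01
    "10.0.0.9":  {(22, "tcp"): "ssh", (1433, "tcp"): "mssql"},  # sql01
    "10.0.0.12": {(22, "tcp"): "ssh"},                           # bastion
}

# -oG port lines: "Host: <ip> (<name>)<TAB>Ports: <list>[<TAB>Ignored State: ...]"
_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def parse_grepable(text: str) -> Iterator[OpenPort]:
    """Yield one OpenPort per open port in an Nmap -oG scan."""
    for line in text.splitlines():
        m = _PORTS_RE.match(line)
        if not m:
            continue  # comment lines, "Status: Up" lines, blanks
        host, port_list = m.group(1), m.group(3)
        for entry in port_list.split(", "):
            # Each entry is port/state/protocol/owner/service/rpc-info/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            yield OpenPort(host, int(fields[0]), fields[2], fields[4], fields[6])


def unexpected_exposure(text: str) -> List[str]:
    """Open ports not sanctioned by INTENDED, and hosts INTENDED does not know."""
    findings = []
    for p in parse_grepable(text):
        allowed = INTENDED.get(p.host)
        if allowed is None:
            findings.append(f"{p.host}: host not in inventory, exposes {p.port}/{p.proto} ({p.service})")
        elif (p.port, p.proto) not in allowed:
            findings.append(f"{p.host}: unexpected {p.port}/{p.proto} {p.service} {p.version}".rstrip())
    return findings


# Constructed -oG output: a web server with an extra HTTP listener, a database
# server with RDP open, a clean bastion, and a host nobody inventoried.
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 10.0.0.5 (web01.corp.example)\tStatus: Up
Host: 10.0.0.5 (web01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 10.0.0.9 (sql01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (997)
Host: 10.0.0.12 (bastion.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 8080/closed/tcp//http-proxy///\tIgnored State: closed (998)
Host: 10.0.0.44 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
"""

if __name__ == "__main__":
    for finding in unexpected_exposure(SAMPLE_SCAN):
        print("FINDING:", finding)
```

Treating an uninventoried host as a finding in its own right is deliberate: a system that was never recorded is also a system that nobody is patching. Running this after every scan, with the allow-list reviewed whenever a project legitimately opens a port, turns the scanner from a periodic report into a control on exposure.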
Monitor, Hunt & Respond: Operationalize incident identification and response, proactively seek indications of malicious activity undetected by in-place tooling.
With EDR tooling in place (Tier 1), implement processes to effectively leverage a variety of data sources to identify indications of an intrusion early in its timeline. Going beyond reactive approaches, implement processes to proactively “hunt” for indications that otherwise undetected malicious activity may have been missed. Finally, implement and test incident response playbooks, both programmatic and technical.
Technology is only part of the resilience equation; it must be coupled with effective processes executed by knowledgeable people. Whether handled by an in-house team, an outside service provider, or a combination of the two, organizations should strive to have clear answers to the questions below. Going through this exercise may also result in identifying additional data sources that are needed for monitoring.
Security Awareness & Phishing Simulations: Provide ongoing awareness training on security risks.
Like the “buckle up for safety” campaigns that raise awareness of a critical physical safety measure, security awareness campaigns should provide digestible and actionable information to employees, contractors and others that have a stake in the organization’s security posture. The most effective security awareness programs couple a variety of types of content, including periodic reminder emails, banners on internal company websites, and points made by leadership as part of team meetings. Periodically test employees’ behavior with simulated phishing emails as an educational tool to reinforce the awareness messages.
While it is inevitable that some users will “click the link,” well-constructed security awareness programs reduce risk by lowering that number. Additionally, vigilant employees are more likely to question suspicious emails enticing them to transfer funds without authorization, helping to reduce the risk of business email compromise (BEC) attacks.
Jim is a leader experienced in a variety of cybersecurity domains and adept at aligning diverse stakeholders ranging from technical specialists to executive leadership with business objectives. His pragmatic perspectives on IT and cybersecurity result from years of in-the-trenches experience attacking networks as a penetration tester and responding to targeted security breaches as an incident responder.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.