Security KPIs, by Steven Aiello, ver. 2.0.1 (PowerPoint presentation)



SLIDE 1

Security KPIs

by: Steven Aiello, ver: 2.0.1

SLIDE 2

Introduction.

Steven Aiello, Security & Compliance Solutions Principal

  • SANS GCIH License 29615 – Mentor Status
  • SANS GSEC License 353652 – Mentor Status
  • OSCP – (In Progress)
  • CISSP
  • CISA
  • VCAP - DCA
  • VCAP - DCD
  • VCP

SLIDE 3

This is where I’ve been

It’s been a long road…

Compliance, I.R., A.D., Web Development, Network, Logging, Systems Admin., Endpoint

SLIDE 4

“Performance is the best way to shut people up.”

  • Marcus Lemonis

SLIDE 5

The Data

What does the data say about our efforts in cyber security?

[Dashboard graphic with four figures: the results (20), the change (4), the money ($101.6), the activity (6)]

SLIDE 6

2020

“In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects organizations will spend on cybersecurity in 2016.”

Oct 12th 2016, fortune.com

[Callouts: $101.6B; 38% increase over 2016]

SLIDE 7

2016

“Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick in identification through internal financial audits, associated with business email compromise (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.”

DBIR 2017, Verizon

[Callout: “disclosed by the affected customer or an external threat actor bragging or extorting their victims.”]

SLIDE 8

How likely you are to be breached if you’ve had an event

Broken down by industry:

  • Accommodation 93%
  • Healthcare 65%
  • Finance 47%
  • Manufacturing 20%
  • Information 16%
  • Professional 4%
  • Public 1%

SLIDE 9

Top attack vectors of known breaches

Attack vectors of confirmed breaches:

  • Email & Email Attachments 43%
  • Backdoor or C2 (Hacking) 24%
  • Web Application 19%
  • Direct Install 6%
  • LAN Access 4%
  • Partner Facility 4%

SLIDE 10

Top six actions by threat actors

[Figure: the top six threat action varieties, DBIR 2017]

“…that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.”

DBIR 2017, Verizon

SLIDE 11

To recap what’s happening

  • 81% of hacking-related breaches leveraged weak or stolen passwords; this includes password hashes…
  • 66% of malware was installed via malicious email attachments
  • 24% of breaches involved backdoors or “hacking”
  • The top 6 actions threat actors use involve valid passwords to move laterally through the network
  • The top 6 actions threat actors use involve valid passwords to access data and exfiltrate it [within days] …

SLIDE 12

Four security KPIs

Confidence in account validity
What level of confidence does the organization have that user accounts authenticating to systems are being properly used?

Confidence in system control
What are our patch times for operating systems, COTS applications and internally developed applications? How do we reduce patching cycles? For systems that cannot be patched, leverage application whitelisting.

Minimization and monitoring of lateral movement
What percentage of systems have unilateral access to other hosts? What policies and technologies can organizations put in place to gain visibility?

Data monitored for anomalous access
What data is important to the business? What are “normal” data access patterns by user account? How does the organization monitor for changes in data access patterns?

SLIDE 13

Four security KPIs

KPI number one: confidence in account validity

Account validity is possibly the most difficult KPI to score well in. No, your two-factor authentication will not protect you…

Reference: CERT-EU Security Whitepaper 2014-07, “Kerberos Golden Ticket Protection: Mitigating Pass-the-Ticket on Active Directory”

SLIDE 14

KPI one: confidence in account validity

01. 2FA == local logon only
Two-factor authentication only protects user logon attempts from the Windows console or RDP.

02. SMB is the problem
Protection from PTH attacks: a pass-the-hash logon over SMB (psexec-style remote execution) never goes through the interactive logon path, so psexec bypasses 2FA.

03. Kerberos is the problem
Creating the Golden Ticket requires:
  • KRBTGT password hash
  • A username to impersonate (typically a domain admin)
  • Domain name
  • Domain SID

SLIDE 15

KPI one: confidence in account validity

01. Disable cached creds
Within Active Directory Group Policy: \Computer Configuration \Windows Settings \Security Settings \Local Policies \Security Options: “Do not allow storage of passwords and credentials for network authentication”

02. If not possible…
For mobile users, limit the cache instead of disabling it: \Security Settings \Local Policies \Security Options: “Interactive Logon: Number of previous logons to cache (in case domain controller is not available)”

03. Kerberos is still the problem
Protection from the Golden Ticket. The ticket is forged from the KRBTGT password hash, a domain admin username, the domain name and the domain SID. If a golden ticket is created, the only way to invalidate the ticket is to reset the KRBTGT password two times.
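The checks and the KRBTGT procedure from this slide, as an added example (not code from the slides): the first function reads the registry values that back the two policies named above, the second performs the double reset with the wait a practitioner needs in between. One caveat worth knowing: the two settings cover two different caches. “Do not allow storage of passwords and credentials for network authentication” (Lsa\DisableDomainCreds) stops Credential Manager from saving domain credentials, while “Number of previous logons to cache” (Winlogon\CachedLogonsCount) governs the cached domain logon verifiers that let laptops log on off-network; hardening one does not touch the other. Assumptions: the script runs elevated on a domain-joined host, the ActiveDirectory module (RSAT) and repadmin are present for the reset, and the 10-hour wait and the “1 or fewer cached logons” threshold are my choices, not the deck’s.

```powershell
# Added example, not from the slides. Assumptions: run elevated on a
# domain-joined host; ActiveDirectory module and repadmin available for the
# KRBTGT part; thresholds below are the example's own.

function Test-CachedCredentialHardening {
    [CmdletBinding()]
    param()

    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # "Network access: Do not allow storage of passwords and credentials for
    # network authentication" is backed by Lsa\DisableDomainCreds (1 = enabled).
    # It stops Credential Manager from saving domain credentials.
    $disableDomainCreds = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds `
        -ErrorAction SilentlyContinue).DisableDomainCreds

    # "Interactive logon: Number of previous logons to cache" is backed by
    # Winlogon\CachedLogonsCount (REG_SZ, default "10"): the cache of domain
    # logon verifiers that lets mobile users log on without a DC.
    $cachedLogons = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DisableDomainCreds   = $disableDomainCreds
        DomainCredsHardened  = ($disableDomainCreds -eq 1)
        CachedLogonsCount    = $cachedLogons
        # Assumption: 0 (disabled) or 1 cached logon counts as hardened.
        CachedLogonsHardened = ($null -ne $cachedLogons -and [int]$cachedLogons -le 1)
    }
}

function Reset-KrbtgtTwice {
    # Rotates the krbtgt secret twice. The KDC still honours tickets sealed
    # with the previous key, so only the second reset rejects a golden ticket
    # forged from the old hash. Waiting between the resets (replication plus
    # the maximum ticket lifetime) avoids invalidating every legitimate
    # ticket in the domain at the same moment.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$WaitHours = 10   # assumption: default Kerberos MaxTicketAge of 10 hours
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($round in 1, 2) {
        # A random GUID is fine: nobody ever types the krbtgt password.
        $newPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
        if ($PSCmdlet.ShouldProcess('krbtgt', "Reset password, round $round of 2")) {
            Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword
            # Push the change to every DC in the forest before relying on it.
            repadmin /syncall /AdeP | Out-Null
        }
        if ($round -eq 1 -and -not $WhatIfPreference) {
            Write-Verbose "Waiting $WaitHours h for old tickets to expire before the second reset."
            Start-Sleep -Seconds ($WaitHours * 3600)
        }
    }
}

# Usage:
#   Test-CachedCredentialHardening
#   Reset-KrbtgtTwice -WhatIf -Verbose   # dry run; drop -WhatIf to execute
```

Run the audit across the estate (Invoke-Command against the workstation OU) and the ratio of hosts with both booleans true is a usable score for this KPI. Run the reset with -WhatIf first; the real run blocks for the wait period, so schedule it rather than running it interactively.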

SLIDE 16

Four security KPIs

Confidence in system control

1. Document patch cycles
Not all systems can be patched; however, you should understand what those limitations are and seek to improve on them.

2. Whitelist what you can’t rapidly patch
If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently.

3. Isolate what you can’t patch or whitelist

SLIDE 17

KPI two: confidence in system control

[Timeline graphic: 2017, 2018, 2019, 2020]

Measure your progress: can you patch 90% in 30 days? Are you patching your applications as fast as you patch your OS? [Graphic: 3/5]

If your application vendors won’t let you patch, whitelist. Whitelist fixed-use systems. Use it where needed – don’t overextend.

Understanding your current state and making progress towards your goal is key. “You can’t manage what you can’t measure.” Peter Drucker.
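Turning “90% in 30 days” into a number, as an added example (not from the slides): one row per host and patch with release and install dates, rolled up per asset class so OS, COTS and internally developed applications can be compared side by side, as the deck asks. A row only counts against you once its 30-day window has closed, so a patch released last week is not yet a miss. Assumptions: the rows are exported from whatever patch system you run (WSUS, SCCM, a vendor console); the class names, hostnames and dates are constructed sample data.

```powershell
# Added example, not from the slides. Assumptions: rows come from your patch
# system; Class labels, hosts and dates below are constructed sample data.

function Get-PatchSlaKpi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$PatchRecords,
        [int]$SlaDays = 30,
        [double]$Target = 0.90,
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($group in ($PatchRecords | Group-Object -Property Class)) {
        $rows = $group.Group
        # A row is "due" once its SLA window has closed, or once it was applied.
        # Unapplied rows whose window is still open are not counted as misses yet.
        $due   = @($rows | Where-Object { $_.Applied -or $_.Released.AddDays($SlaDays) -le $AsOf })
        $inSla = @($due  | Where-Object { $_.Applied -and ($_.Applied - $_.Released).TotalDays -le $SlaDays })
        $pct   = if ($due.Count -gt 0) { $inSla.Count / $due.Count } else { 1.0 }

        # Mean days from release to install, over applied rows only.
        $applied  = @($rows | Where-Object { $_.Applied })
        $meanDays = if ($applied.Count -gt 0) {
            ($applied | ForEach-Object { ($_.Applied - $_.Released).TotalDays } | Measure-Object -Average).Average
        } else { $null }

        [pscustomobject]@{
            Class            = $group.Name
            Due              = $due.Count
            WithinSla        = $inSla.Count
            PercentWithinSla = [math]::Round(100 * $pct, 1)
            MeanDaysToPatch  = if ($null -ne $meanDays) { [math]::Round($meanDays, 1) } else { $null }
            MeetsTarget      = ($pct -ge $Target)
        }
    }
}

# Constructed sample: OS patches land quickly, the internal app lags, and the
# COTS patch is too new to be due yet.
$sample = @(
    [pscustomobject]@{ Host = 'WS-01';  Class = 'OS';          Patch = 'os-rollup-09'; Released = [datetime]'2017-09-12'; Applied = [datetime]'2017-09-20' }
    [pscustomobject]@{ Host = 'WS-02';  Class = 'OS';          Patch = 'os-rollup-09'; Released = [datetime]'2017-09-12'; Applied = [datetime]'2017-10-02' }
    [pscustomobject]@{ Host = 'WS-03';  Class = 'OS';          Patch = 'os-rollup-09'; Released = [datetime]'2017-09-12'; Applied = $null }
    [pscustomobject]@{ Host = 'WEB-01'; Class = 'InternalApp'; Patch = 'app-fix-07';   Released = [datetime]'2017-09-05'; Applied = [datetime]'2017-10-25' }
    [pscustomobject]@{ Host = 'WEB-02'; Class = 'InternalApp'; Patch = 'app-fix-07';   Released = [datetime]'2017-09-05'; Applied = $null }
    [pscustomobject]@{ Host = 'APP-01'; Class = 'COTS';        Patch = 'vendor-4.2.1'; Released = [datetime]'2017-10-20'; Applied = $null }
)
Get-PatchSlaKpi -PatchRecords $sample -AsOf ([datetime]'2017-11-01') | Format-Table -AutoSize
```

With the sample data the OS class scores 66.7% (two of three within 30 days), the internal application 0% (one late install, one still missing), and COTS shows zero due rows because its window has not closed. Reporting the per-class gap between OS and applications is exactly the comparison the slide asks for.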

SLIDE 18

KPI two: confidence in system control

Apache Struts 2 is the perfect example…

  • Step 1: patch
  • Step 2: rebuild web applications
  • Step 3: potentially change code that calls Struts

…before someone with Metasploit attacks:

https://github.com/rapid7/metasploit-framework/pull/8924

https://arstechnica.com/information-technology/2017/09/exploit-goes-public-for-severe-bug-affecting-high-impact-sites/

Sometimes isolation is your only option…
SLIDE 19

Four security KPIs

Minimize lateral movement [and monitor]

Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.

SLIDE 20

KPI three: minimize and monitor lateral movement

If you implement the recommendations from KPI 1, the amount of credentials available will be greatly limited. The attacker will then have to move across the network, and this is your opportunity to discover their actions. Understanding valid network traffic is critical. Users WILL open office documents; it’s part of their job. Security needs to protect users while they are doing their job.

[Figure: attack chain. First: attacking the user (100%). Second: harvesting credentials (81%). Third: lateral movement (66%).]

SLIDE 21

KPI three: minimize and monitor lateral movement

Attacks WILL come from the user LAN

  • TCP/UDP port scans. Policy: don’t allow it on user LANs
  • PING scans. Policy: don’t allow it on user LANs
  • No SMB shares. All file sharing should go back to the datacenter

John Doe

Users should know company policy… The brunt of attacks will be focused on your users; this ends up being a “good thing” because it makes lateral movement easier to detect…

SLIDE 22

KPI three: minimize and monitor lateral movement

Netflow monitoring
Visibility is key. There are open source and commercially available packages for netflow monitoring; select one and master it.

LAN & data center micro-segmentation
Investment required. If you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation.

pVLANs & ACLs
Our starting point. pVLANs with port ACLs require zero capital investment as long as your switches are sized properly.

Every company I’ve worked for has used pVLANs:
  • ADP, 2003 (SaaS provider)
  • OnlineTech, 2012 (IaaS provider)

I was shocked when I realized most companies were NOT using pVLANs in their user LANs.
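The “monitor for policy violations” half of this KPI, as an added example that is not code from the slides: the three policies from the previous slide (no TCP/UDP port scans, no ping sweeps, no SMB between user-LAN hosts) applied to a batch of flow records, which is the kind of rule you would run over an hourly netflow export regardless of which collector you chose. Assumptions: flows are flattened to Src/Dst/DstPort/Proto; the 10.20.0.0/16 user LAN, the thresholds of 20 distinct ports or hosts, and the sample flows are all constructed for the example.

```powershell
# Added example, not from the slides. Assumptions: flows exported from your
# netflow collector as Src/Dst/DstPort/Proto; subnet, thresholds and the
# sample records below are constructed.

function Find-UserLanPolicyViolations {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Flows,
        [string]$UserLanPrefix  = '10.20.',   # assumption: user LAN is 10.20.0.0/16
        [int]$PortScanThreshold = 20,         # distinct ports against one host
        [int]$SweepThreshold    = 20          # distinct hosts on one port, or via ICMP
    )
    $userFlows = @($Flows | Where-Object { $_.Src -like "$UserLanPrefix*" })

    foreach ($bySrc in ($userFlows | Group-Object -Property Src)) {
        $src    = $bySrc.Name
        $fl     = $bySrc.Group
        $tcpUdp = @($fl | Where-Object { $_.Proto -in 'tcp', 'udp' })

        # Vertical scan: one source, one destination, many ports.
        foreach ($byDst in ($tcpUdp | Group-Object -Property Dst)) {
            $ports = @($byDst.Group | Select-Object -ExpandProperty DstPort -Unique)
            if ($ports.Count -ge $PortScanThreshold) {
                [pscustomobject]@{ Src = $src; Violation = 'PortScan'; Detail = "$($ports.Count) ports -> $($byDst.Name)" }
            }
        }
        # Horizontal sweep: one source, one port, many destinations.
        foreach ($byPort in ($tcpUdp | Group-Object -Property DstPort)) {
            $hosts = @($byPort.Group | Select-Object -ExpandProperty Dst -Unique)
            if ($hosts.Count -ge $SweepThreshold) {
                [pscustomobject]@{ Src = $src; Violation = 'HostSweep'; Detail = "port $($byPort.Name) -> $($hosts.Count) hosts" }
            }
        }
        # Ping sweep: ICMP to many destinations.
        $icmpHosts = @($fl | Where-Object { $_.Proto -eq 'icmp' } | Select-Object -ExpandProperty Dst -Unique)
        if ($icmpHosts.Count -ge $SweepThreshold) {
            [pscustomobject]@{ Src = $src; Violation = 'PingSweep'; Detail = "icmp -> $($icmpHosts.Count) hosts" }
        }
        # Peer-to-peer SMB: file sharing is supposed to go back to the data center,
        # so any 445 between two user-LAN addresses is a violation on its own.
        $peers = @($fl | Where-Object { $_.Proto -eq 'tcp' -and $_.DstPort -eq 445 -and $_.Dst -like "$UserLanPrefix*" } |
                  Select-Object -ExpandProperty Dst -Unique)
        if ($peers.Count -gt 0) {
            [pscustomobject]@{ Src = $src; Violation = 'PeerSMB'; Detail = "445 -> $($peers.Count) user-LAN peers" }
        }
    }
}

# Constructed sample: 10.20.1.50 sweeps port 445 across the user LAN and
# port-scans one data-center server; 10.20.1.51 is ordinary HTTPS traffic.
$flows = @()
foreach ($i in 1..25) { $flows += [pscustomobject]@{ Src = '10.20.1.50'; Dst = "10.20.1.$i"; DstPort = 445; Proto = 'tcp' } }
foreach ($i in 1..30) { $flows += [pscustomobject]@{ Src = '10.20.1.50'; Dst = '10.50.0.10'; DstPort = 1000 + $i; Proto = 'tcp' } }
$flows += [pscustomobject]@{ Src = '10.20.1.51'; Dst = '10.50.0.20'; DstPort = 443; Proto = 'tcp' }
Find-UserLanPolicyViolations -Flows $flows | Format-Table -AutoSize
```

On the sample, 10.20.1.50 is reported three times (PortScan against 10.50.0.10, HostSweep on port 445, PeerSMB to 25 peers) and 10.20.1.51 not at all. Note that a pVLAN with port ACLs would have dropped the peer-to-peer 445 traffic before it ever produced a flow; the detection is what tells you the policy is being tested, and the count of violating sources per week is the measurable part of this KPI.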

SLIDE 23

Four security KPIs

Data monitored for anomalous access

“Data is the new gold.” Mark Cuban

SLIDE 24

KPI four: data monitored for anomalous access

Most data is pyrite [fool’s gold]; some data is gold.

90% [most] of your data is probably fool’s gold. Good security doesn’t protect bad data… Focus is what you say no to; let the 90% go.

The remaining 10% is where 90% of your focus should be applied!

Understanding what data you have, where it lives, and who can access it will be critical to successful GDPR compliance.

SLIDE 25

The effort

To do this well you will most likely need a commercial product [unfortunately]…

SLIDE 26

KPI four: data monitored for anomalous access

Choices:

Data center options
Some options are focused in the datacenter and are loaded on your SMB, NFS, shares. They have access analysis capabilities but let endpoint options

Endpoint options
Endpoint options generally are provided from backup vendors. They don’t have analysis capabilities, but can identify and encrypt sensitive data at rest on endpoints.

Microsoft ecosystem
There are some primitive tools within Microsoft’s ecosystem, but no analysis of access patterns. Only access auditing, but it’s better than nothing.
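What “analysis of access patterns” on top of plain access auditing looks like, as an added example (not code from the slides, and not a substitute for the commercial products the deck discusses): build a per-account baseline of which shares it normally touches and how much it reads per day, then flag accounts that reach into a new share or whose daily volume jumps. Assumptions: the events are file-server object-access audit records (for example Security event 4663 forwarded to a collector) flattened to User/Path/Time; the 5x volume multiplier and the sample events are constructed for the example.

```powershell
# Added example, not from the slides. Assumptions: events are file-server
# object-access audit records flattened to User/Path/Time; the multiplier
# and the sample data below are constructed.

function Get-ShareRoot {
    param([string]$Path)
    # \\fs01\Finance\2017\q3.xlsx -> \\fs01\Finance (server + share name)
    $parts = @($Path -split '\\' | Where-Object { $_ -ne '' })
    '\\' + ($parts[0..1] -join '\')
}

function Get-AccessBaseline {
    param([Parameter(Mandatory)] [object[]]$Events)
    # Baseline per account: the set of shares it touched and its mean daily volume.
    $baseline = @{}
    foreach ($g in ($Events | Group-Object -Property User)) {
        $shares = @($g.Group | ForEach-Object { Get-ShareRoot $_.Path } | Select-Object -Unique)
        $days   = @($g.Group | ForEach-Object { $_.Time.Date } | Select-Object -Unique).Count
        $baseline[$g.Name] = [pscustomobject]@{
            Shares     = $shares
            MeanPerDay = [double]$g.Count / [math]::Max($days, 1)
        }
    }
    $baseline
}

function Find-AnomalousAccess {
    param(
        [Parameter(Mandatory)] [hashtable]$Baseline,
        [Parameter(Mandatory)] [object[]]$Events,
        [double]$VolumeMultiplier = 5.0   # assumption: more than 5x normal daily volume is suspicious
    )
    foreach ($g in ($Events | Group-Object -Property User)) {
        $user = $g.Name
        $b    = $Baseline[$user]
        if (-not $b) {
            # An account with no history at all is itself worth a look.
            [pscustomobject]@{ User = $user; Anomaly = 'NoBaseline'; Detail = "$($g.Count) events" }
            continue
        }
        $newShares = @($g.Group | ForEach-Object { Get-ShareRoot $_.Path } | Select-Object -Unique |
                      Where-Object { $_ -notin $b.Shares })
        foreach ($s in $newShares) {
            [pscustomobject]@{ User = $user; Anomaly = 'NewShare'; Detail = $s }
        }
        foreach ($day in ($g.Group | Group-Object -Property { $_.Time.Date })) {
            if ($day.Count -gt $VolumeMultiplier * $b.MeanPerDay) {
                [pscustomobject]@{ User = $user; Anomaly = 'VolumeSpike'
                                   Detail = "$($day.Count) accesses on $($day.Name), baseline $([math]::Round($b.MeanPerDay, 1))/day" }
            }
        }
    }
}

# Constructed sample: two weeks of routine Finance access for jdoe (5 files a
# day), then one day on which jdoe reads 60 files, 20 of them on the HR share.
$history = foreach ($d in 1..14) {
    foreach ($i in 1..5) {
        [pscustomobject]@{ User = 'jdoe'; Path = "\\fs01\Finance\2017\report-$d-$i.xlsx"; Time = ([datetime]'2017-09-01').AddDays($d) }
    }
}
$today = foreach ($i in 1..60) {
    $share = if ($i -le 40) { 'Finance\2017' } else { 'HR\Payroll' }
    [pscustomobject]@{ User = 'jdoe'; Path = "\\fs01\$share\file-$i.xlsx"; Time = [datetime]'2017-09-20' }
}
$baseline = Get-AccessBaseline -Events $history
Find-AnomalousAccess -Baseline $baseline -Events $today | Format-Table -AutoSize
```

On the sample, jdoe’s baseline is one share (\\fs01\Finance) at 5 accesses a day, so the run reports a NewShare hit for \\fs01\HR and a VolumeSpike of 60 against that baseline. The share-root and per-day grouping is deliberately coarse: it is the 10% of data you have already classified that deserves finer baselines (per folder, per file type), which is where the commercial tooling earns its price.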

SLIDE 27

Four security KPIs

  01. Confidence in account validity
  02. Confidence in system control
  03. Minimize & monitor lateral movement
  04. Data monitored for anomalous access

SLIDE 28

Four security KPIs

https://www.ted.com/talks/bruce_schneier

SLIDE 29

Contact me

  • linkedin.com/in/stevenaiello/
  • overworkedadmin.com
  • twitter.com/smaiello
  • steven.aiello@thinkahead.com