stop advanced adversaries: with the top 5 critical controls
Stop Advanced Adversaries With the Top 5 Critical Controls
Travis Smith, Principal Security Researcher, Tripwire

Real World Examples: Office of Personnel Management (OPM), APT Style Attack
Loss of Confidentiality and Security; Unplanned Change
21.5 million government employee records stolen
What Happened?
[Timeline figure: Mar 2014, Jun 2014, Jul 2014, Jul-Aug 2014, Dec 2014, Mar 2015, Apr 2015; data sets: Blueprints, Security Clearance, Personnel Records, Fingerprint Records; domains: opmlearning.org, wdc-news-post.com]
Lessons Learned
[Figure: the OPM timeline again (Blueprints, Security Clearance, Personnel Records, Fingerprint Records; opmlearning.org, wdc-news-post.com), annotated with the control that would have helped]
Two-Factor Authentication
Real World Examples: Target Breach, Compromised HVAC, Malicious Patches
Loss of Confidential Information; Unplanned Change
40 million credit card numbers stolen

What Happened?
[Figure: one DLL fanning out into many DLLs]

Lessons Learned
[Figure: the same DLL chain, annotated with the control that would have helped]
Two-Factor Authentication
Real World Examples: Ukrainian Power Outage, BlackEnergy & KillDisk malware
Loss of Security, Availability and Safety; Unplanned Change
80K-200K Ukrainians without power, December 23rd, 2015

What Happened?

Lessons Learned
1. Configuration Benchmarks
2. Critical Change Audit
3. Whitelist Profiler
Cause & Effect, Security & Availability... A very real threat to safety... in a galaxy far, far away...
Loss of Security, Availability and Safety; Unplanned Change
CIS Critical Security Controls: The Controls Formerly Known As The SANS Top 20
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
[Figure: Attack Surface]
Critical Security Control 1: Inventory of Authorized and Unauthorized Devices
1.1 – Deploy an Automated Asset Inventory Discovery Tool
1.2 – Use DHCP Logs To Detect Unknown Systems
1.3 – Add New Equipment To Inventory System
1.4 – Maintain Asset Inventory Consisting Of IP Address, Machine Name, Purpose, Asset Owner, and Department
1.5 – Deploy 802.1x
1.6 – Use Client Certificates To Validate Systems
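Sub-controls 1.2 and 1.4 together describe a concrete check: every lease a DHCP server hands out should belong to a device already in the asset inventory. The script below is an added example, not code from the presentation or from Tripwire; the inventory records, the dhcpd-style log lines and the field names are all constructed for illustration. It keys the inventory on MAC address rather than IP, because DHCP reassigns IPs while the hardware address stays with the device, and it also reports inventory records whose stored IP no longer matches what DHCP actually leased (a stale 1.4 record).

```python
"""Added example (not from the presentation): flag devices seen in DHCP lease
logs that are absent from the authorized asset inventory (CSC 1.2 / 1.4).
The log format and inventory fields below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed inventory records carrying the CSC 1.4 fields: IP, name, purpose, owner, department.
# Keyed by MAC address, because IPs handed out by DHCP change while the hardware address does not.
INVENTORY = {
    "00:1a:2b:3c:4d:01": {"ip": "10.0.1.20", "name": "fs01", "purpose": "file server",
                          "owner": "ops", "department": "IT"},
    "00:1a:2b:3c:4d:02": {"ip": "10.0.1.55", "name": "hr-ws07", "purpose": "workstation",
                          "owner": "j.doe", "department": "HR"},
}

# Constructed sample lines in the style of ISC dhcpd syslog output (illustrative only).
SAMPLE_DHCP_LOG = """\
Mar 10 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.20 to 00:1a:2b:3c:4d:01 (fs01) via eth0
Mar 10 08:02:40 dhcp1 dhcpd: DHCPACK on 10.0.1.55 to 00:1a:2b:3c:4d:02 (hr-ws07) via eth0
Mar 10 08:05:03 dhcp1 dhcpd: DHCPACK on 10.0.1.99 to 00:1a:2b:3c:4d:ff (android-9f2) via eth0
Mar 10 08:05:09 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:ff via eth0
"""

# Only DHCPACK lines prove that an address was actually granted to a client.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_leases(log_text):
    """Extract (ip, mac, hostname) from DHCPACK lines; other message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def find_unknown_devices(log_text, inventory):
    """Return leases whose MAC is not in the authorized inventory, one entry per MAC."""
    seen = set()
    unknown = []
    for lease in parse_leases(log_text):
        if lease.mac not in inventory and lease.mac not in seen:
            seen.add(lease.mac)
            unknown.append(lease)
    return unknown


def find_ip_mismatches(log_text, inventory):
    """Known MACs whose leased IP differs from the IP recorded in the inventory (stale 1.4 record)."""
    return [(lease, inventory[lease.mac]["ip"]) for lease in parse_leases(log_text)
            if lease.mac in inventory and inventory[lease.mac]["ip"] != lease.ip]


if __name__ == "__main__":
    for lease in find_unknown_devices(SAMPLE_DHCP_LOG, INVENTORY):
        print(f"UNKNOWN DEVICE: {lease.mac} leased {lease.ip} hostname={lease.hostname!r}")
    for lease, recorded_ip in find_ip_mismatches(SAMPLE_DHCP_LOG, INVENTORY):
        print(f"STALE RECORD: {lease.mac} inventory says {recorded_ip}, DHCP leased {lease.ip}")
```

In practice the unknown-device list feeds sub-control 1.3 (add the device to the inventory, or remove it from the network), and the same comparison is what 802.1x and client certificates (1.5, 1.6) enforce at connection time instead of after the fact.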
Critical Security Control 2: Inventory of Authorized and Unauthorized Software
2.1 – Devise an Authorized Software and Version List; Monitor by FIM Tools to Validate Software Has Not Been Modified
2.2 – Deploy Application Whitelisting (Software Restriction Policies and AppLocker)
2.3 – Deploy Software Inventory Tools
2.4 – Air-Gapped Systems To Run Risky Applications
Critical Security Control 3: Secure Configurations for Hardware and Software
3.1 – Establish Secure Configurations for OS and Applications (Golden Images)
3.2 – Follow Strict Configuration Management Policies (i.e. Use the CIS Benchmarks)
3.3 – Store Images on Secure Servers, Use FIM To Monitor for Change
3.4 – Use Secure Communication for Remote Administration
3.5 – Use FIM to Monitor Critical System Files
3.6 – Implement Configuration Management Tools
3.7 – Use System Config Tools To Push Configuration (e.g. Group Policy)
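File integrity monitoring appears three times in the first five controls: validating that authorized software has not been modified (2.1), watching golden images for change (3.3), and watching critical system files (3.5). The block below is an added example of the mechanism those sub-controls rely on; it is not Tripwire's code or any product's format. It records a SHA-256 digest, size and mode for every file under a directory, serializes that baseline, and later classifies differences as added, removed or modified. The directory contents and the simulated "unauthorized patch" are constructed inside the example.

```python
"""Added example (not Tripwire's code): a minimal file-integrity baseline and
comparison, the mechanism behind CSC 2.1 / 3.3 / 3.5 ("use FIM to validate that
software and critical system files have not been modified")."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of path (relative to root) -> {sha256, size, mode} for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,   # permission bits only
            }
    return baseline


def compare(baseline, current):
    """Classify differences the way a FIM report does: added, removed, modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a directory, then simulate unauthorized changes."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "app.exe"), "wb") as f:
            f.write(b"original application bytes")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug=0\n")

        # CSC 3.3 says to keep the reference copy on a secure server; here we only
        # serialize the baseline to show it can be stored off-box as plain JSON.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulate an unapproved patch to the binary, a dropped DLL, and a deleted config.
        with open(os.path.join(bin_dir, "app.exe"), "wb") as f:
            f.write(b"original application bytes plus injected code")
        with open(os.path.join(bin_dir, "helper.dll"), "wb") as f:
            f.write(b"new dll")
        os.remove(os.path.join(root, "config.ini"))

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report alone says only that something changed; the "Lessons Learned" slides and the Tripwire section later in this deck are about the next step, deciding whether each change was an approved patch or an attacker's modification.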
Critical Security Control 3: Secure Configurations for Hardware and Software
Recommended controls for hardening OSs, software, and network devices:
Cloud Providers (AWS)
Desktop Software (Web browsers, Office Suite)
Mobile Devices (Android, iOS)
Network Devices (Cisco, Checkpoint)
Operating Systems (Windows, Linux, OSX)
Server Software (Web servers, email, DB)
Critical Security Control 3: Time Consuming Process
This took ~5 minutes to check, modify, and recheck configuration.
155 Scored Tests (13 Hours / device)
85 Not Scored Tests (7 Hours / device)
80%: Enterprise-wide Standards for Secure Configurations: "80% of CIS Benchmarks"
Prevent, Detect, Respond. Detect & Enforce, Security & Availability, Continuously and simultaneously.
[Chart: y-axis "Secure Server, Network & Industrial Configurations", x-axis "Time"; curves for Traditional Assessment (MEGASCAN required to reassess), Manual Configuration Assessment, Continuous Configuration, Detection & Response, and Continuous Diagnostics and Mitigation; target line "Enterprise-wide Standards for Secure Configurations: '80% of CIS Benchmarks'"]
The Goal is Security, not Audit. Lower Costs, Greater Efficiency. Increased Availability, Detect and Respond. Measurable, Sustainable, Reliable.
Critical Security Control 4: Continuous Vulnerability Assessment and Remediation
4.1 – Run Automated Vulnerability Scans (Weekly); Scan for CVE and CCE
4.2 – Correlate Event Logs: Verify Scanning Occurred, Detect Successful Exploits
4.3 – Perform Authenticated Vulnerability Scans
4.4 – Regularly Update Vulnerability Signatures
4.5 – Deploy Patch Management Tools
4.6 – Monitor Logs For Scan Activity
4.7 – Compare Scan Results, Confirm Vulnerabilities Are Fixed
4.8 – Apply Patches to Riskier Systems First
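Sub-control 4.7 is a diff between two scan runs, 4.2 includes checking that the scan actually covered every host, and 4.8 is an ordering over what remains. The script below is an added example of all three, not code from the presentation or from any scanner vendor. The CSV layout and the `CVE-EXAMPLE-*` identifiers are constructed placeholders; a real scanner exports its own schema, so only the loader would need adapting.

```python
"""Added example (not from the presentation): compare two vulnerability scan
exports to confirm findings were really fixed (CSC 4.7), check that every
inventoried host appears in the scan (CSC 4.2, "verify scanning occurred"),
and order what is left by severity (CSC 4.8). CSV layout and CVE-EXAMPLE-*
identifiers are constructed placeholders."""
import csv
import io

# Constructed "previous" and "current" scan exports: one row per (host, CVE, port).
PREVIOUS_SCAN = """\
host,cve,port,severity
10.0.1.20,CVE-EXAMPLE-0001,445,critical
10.0.1.20,CVE-EXAMPLE-0002,80,high
10.0.1.55,CVE-EXAMPLE-0003,443,medium
"""
CURRENT_SCAN = """\
host,cve,port,severity
10.0.1.20,CVE-EXAMPLE-0002,80,high
10.0.1.55,CVE-EXAMPLE-0003,443,medium
10.0.1.55,CVE-EXAMPLE-0004,22,high
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_findings(csv_text):
    """Map (host, cve, port) -> severity from a scan export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings[(row["host"], row["cve"], row["port"])] = row["severity"].lower()
    return findings


def diff_scans(previous_text, current_text):
    """Classify findings as fixed (gone), new (appeared), or persisting (still present)."""
    prev, cur = load_findings(previous_text), load_findings(current_text)
    return {
        "fixed": sorted(set(prev) - set(cur)),
        "new": sorted(set(cur) - set(prev)),
        "persisting": sorted(set(prev) & set(cur)),
    }


def verify_remediation(claimed_fixed, current_text):
    """For findings a ticket says were patched, return those the scanner still reports."""
    cur = load_findings(current_text)
    return [f for f in claimed_fixed if f in cur]


def unscanned_hosts(current_text, inventory_hosts):
    """Inventory hosts with no rows in the export. A findings-only export cannot tell a
    clean host from an unscanned one, so treat these as 'confirm coverage', not 'clean'."""
    scanned = {host for host, _cve, _port in load_findings(current_text)}
    return sorted(set(inventory_hosts) - scanned)


def prioritize(current_text):
    """Open findings ordered critical -> low (CSC 4.8), as (host, cve, port, severity)."""
    cur = load_findings(current_text)
    return sorted(((h, c, p, s) for (h, c, p), s in cur.items()),
                  key=lambda row: (SEVERITY_RANK.get(row[3], 99), row[0]))


if __name__ == "__main__":
    d = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("fixed:", d["fixed"])
    print("new:", d["new"])
    print("persisting:", d["persisting"])
    print("unscanned:", unscanned_hosts(CURRENT_SCAN, ["10.0.1.20", "10.0.1.55", "10.0.1.77"]))
    print("patch order:", prioritize(CURRENT_SCAN))
```

The `verify_remediation` check is the one that catches the common failure mode behind 4.7: a patch ticket closed as done while the scanner still reports the finding, because the patch was applied to the wrong host or never took effect.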
Critical Security Control 5: Controlled Use of Administrative Privileges
5.1 – Minimize Use of Admin Accounts, Audit All Activity
5.2 – Inventory and Audit Administrative Accounts
5.3 – Change Default Passwords
5.4 – Log Changes to Administrative Accounts
5.5 – Log Failed Logins to Administrative Accounts
5.6 – Use 2FA For Admin Access
5.7 – If 2FA Unavailable, Use Passwords Longer Than 14 Chars
5.8 – Login With Non-Admin Accounts, Then Escalate Privileges
5.9 – Use Dedicated Machines for Admin Tasks (No Internet Access, email, document editing, etc.)
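Sub-controls 5.2, 5.5 and 5.8 combine into a detection rule: take the inventory of administrative accounts, count failed logins against them per source address inside a short window, and separately flag any successful login made directly as an admin instead of as a normal user followed by escalation. The block below is an added example of that logic, not code from the presentation or from Tripwire. The admin account list and the OpenSSH-style `auth.log` lines are constructed; the same rule applies to Windows logon events once the parser is swapped.

```python
"""Added example (not from the presentation): detection logic for CSC 5.5
("log failed logins to administrative accounts") and 5.8 (log in as a
non-admin user, then escalate), run over constructed sshd-style auth log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The CSC 5.2 inventory of administrative accounts (constructed for this example).
ADMIN_ACCOUNTS = {"root", "admin", "svc_backup"}

# Constructed sample lines in the style of OpenSSH auth.log entries.
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 bastion sshd[2001]: Failed password for root from 10.0.5.9 port 51234 ssh2
Mar 10 09:00:03 bastion sshd[2001]: Failed password for root from 10.0.5.9 port 51234 ssh2
Mar 10 09:00:05 bastion sshd[2002]: Failed password for root from 10.0.5.9 port 51236 ssh2
Mar 10 09:00:09 bastion sshd[2003]: Failed password for invalid user admin from 10.0.5.9 port 51240 ssh2
Mar 10 09:01:00 bastion sshd[2010]: Accepted publickey for alice from 10.0.2.14 port 40000 ssh2
Mar 10 09:01:30 bastion sshd[2011]: Accepted password for root from 10.0.5.9 port 51250 ssh2
Mar 10 09:30:00 bastion sshd[2020]: Failed password for bob from 10.0.2.15 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2016):
    """Return dicts for Accepted/Failed sshd lines. Syslog omits the year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def failed_admin_login_alerts(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when an admin account sees `threshold` failures from one source inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["user"] in ADMIN_ACCOUNTS:
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, src, end - start + 1))
                break   # one alert per (user, source) is enough for this report
    return alerts


def direct_admin_logins(events):
    """Successful logins straight into an admin account, contrary to CSC 5.8."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events if e["result"] == "Accepted" and e["user"] in ADMIN_ACCOUNTS]


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, src, n in failed_admin_login_alerts(evts):
        print(f"ALERT: {n} failed logins for admin account {user!r} from {src}")
    for user, src, when in direct_admin_logins(evts):
        print(f"POLICY: direct admin login as {user!r} from {src} at {when}")
```

In the constructed sample the failures against `root` and the later successful `root` login come from the same source address, which is exactly the pattern 5.5 exists to make visible; with 5.6 (2FA) in place the successful line would not have occurred at all.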
Continuous Monitoring
Shrink the Attack Surface
Identify Suspicious Changes

12 Key Capabilities (Source: Gartner's Market Guide for Endpoint Detection and Response)
PLUS policy, compliance and continuous monitoring
Critical Security Control 3: Increased Protection
Pareto 80/20 Principle
97%: All 20 CIS Controls
85%: First Five CIS Controls
https://www.cisecurity.org/critical-controls/documents/Poster_Winter2016_CSCs%20final.pdf
Built-In Security: Free Tools to Harden Windows Systems
Dialog Filter, Keyboard Filter, StickyKeys, BitLocker, USB Filtering, EMET, AppLocker, Windows Firewall, Local User Checks, New Service Checks
USB Filtering: C:\Windows\Inf\Usbstor.pnf, C:\Windows\Inf\Usbstor.inf
New Service Checks: Net.exe start > services.txt
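The "New Service Checks" item is the only one on this slide with a command attached: `Net.exe start > services.txt` captures the running services on a known-good build, and the check is a later capture diffed against it. The script below is an added example of that diff, not code from the presentation; both captures are constructed sample output in the layout `net start` prints (a header line, indented service display names, a trailing status line), and the service name "Example Remote Helper" is invented for the demonstration.

```python
"""Added example (not from the presentation): the "New Service Checks" idea
from the slide, done by diffing a saved `net start > services.txt` baseline
against a fresh capture. Both captures below are constructed sample output."""
import sys

BASELINE_TXT = """\
These Windows services are started:

   Base Filtering Engine
   DHCP Client
   Windows Defender Antivirus Service
   Windows Event Log
   Windows Firewall

The command completed successfully.
"""

# Constructed "current" capture: one baseline service stopped, one unknown service added.
CURRENT_TXT = """\
These Windows services are started:

   Base Filtering Engine
   DHCP Client
   Example Remote Helper
   Windows Event Log
   Windows Firewall

The command completed successfully.
"""


def parse_net_start(text):
    """Service display names from `net start` output: the indented, non-empty lines
    between the header and the trailing status line."""
    names = set()
    for line in text.splitlines():
        if line.startswith("   ") and line.strip():
            names.add(line.strip())
    return names


def compare_services(baseline_text, current_text):
    """Services running now but not in the baseline, and baseline services no longer running."""
    base, cur = parse_net_start(baseline_text), parse_net_start(current_text)
    return {"new": sorted(cur - base), "missing": sorted(base - cur)}


def format_report(diff):
    """Human-readable lines for a ticket or a scheduled-task email."""
    lines = [f"NEW service running (not in baseline): {name}" for name in diff["new"]]
    lines += [f"Baseline service no longer running: {name}" for name in diff["missing"]]
    return lines or ["No service changes since baseline"]


if __name__ == "__main__":
    # Usage with real captures: python this_script.py baseline_services.txt services.txt
    # where each file was produced by `net start > <file>` on the host being checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as a, \
                open(sys.argv[2], encoding="utf-8", errors="replace") as b:
            diff = compare_services(a.read(), b.read())
    else:
        diff = compare_services(BASELINE_TXT, CURRENT_TXT)
    print("\n".join(format_report(diff)))
```

The same baseline-and-diff shape serves the "Local User Checks" item on the slide once the parser is pointed at `net user` output instead; a new local account or a new running service on a host that should not change is the kind of unplanned change the three case studies at the start of this deck turned on.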
Tripwire Solution

What You Don't Know Will Hurt You... Things You MUST Know
Know Your Current System State
• Baselining Systems Tells You What You Currently Have
• Files, Registry, Database Configurations, Network Devices, Active Directory, Critical Infrastructure
Know Your Desired System State
• Security Policies Can Define Your Desired State
• Industry Standard Hardening, Compliance, Self-Created
Know How To Transition From Current To Desired State
• Compare Your State To Desired and Correct Differences
• Assessment, Deviations, Variance, Remediation, Automation
Know When Your Desired State Changes
• Agent and Agentless Change Detection
• Scheduled Scanning & Real Time
Know Why & Who Made Changes
• Deep Change Inspection
• Who, What, When, Where, Detailed Content, Change Management Processes
Know If Changes Are Good or Bad
• Sources Of Truth
• Change Windows, Patch Reconciliation, BAU, CMDB Reconciliation, Threat Intel
Know How To Respond, Alert and Share
• Inspect, Take Action, Report
• Historical Changes, Auto-Remediate, Audit Ready, Change Dashboards