March 15, 2022

Improving Cybersecurity Resilience: Starting the Journey, Part 2

In the first blog post, we outlined six fundamental capabilities that provide critical coverage to reduce the risk of the most common types of attacks, ease incident response, and mitigate damage. We chose these items based on their outsized importance, particularly for organizations that are starting from scratch.

In this blog post, we present five additional capabilities that round out the list of security basics that all organizations should implement.

Active Directory: Reduce administrator privileges and enhance security settings.

Microsoft provides myriad features to harden Active Directory. Many of these require planning to minimize disruptions to legacy applications and configurations. Near-term, however, there are enhancements that can make it more difficult for an attacker to move within the environment, including the below activities:

  • Reduce the number of user accounts in privileged groups.
  • Where service accounts are required to be privileged, limit their scope as much as possible.
  • Review trust relationships.
  • Enable audit logs to provide useful information to analysts and ensure that less useful information does not fill up the logs.  
  • Clean up stale objects and disable legacy protocols that increase attack surface, where possible.

In many environments, there are numerous accounts configured with privileged access. Each of these accounts can be viewed as having a “skeleton key” across a large part of the environment. Pruning this list reduces that risk. For accounts that do require privileges, where possible, their scope should be reduced. For example, if an account that runs a service related to a key application must be privileged, it should only be allowed to operate on the limited number of servers related to that application. This configuration reduces the chance that an attacker will obtain this account’s password, and if the attacker succeeds in doing so, reduces the impact.
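The following script is an added example, not code from the original post or from MOXFIVE. It is a read-only audit of the items in the list above: who effectively holds a "skeleton key" (members of the built-in privileged groups, including nested members), which of those accounts look like service accounts that should have their scope reduced, what trust relationships exist, and which users and computers have gone stale. It assumes the ActiveDirectory RSAT module on a domain-joined host with an account that can read the directory; the group list and the 90-day inactivity window are choices made here, not values from the post.

```powershell
# Added example (not MOXFIVE's code). Read-only audit of privileged membership,
# trusts and stale objects. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Built-in groups whose members effectively hold a "skeleton key" to the domain.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

function Get-PrivilegedMembership {
    # Expand nested membership so accounts hidden inside sub-groups are counted too.
    foreach ($g in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate, ServicePrincipalName |
            ForEach-Object {
                $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                [pscustomobject]@{
                    Group           = $g
                    Account         = $_.SamAccountName
                    Enabled         = $_.Enabled
                    # An SPN suggests the account runs a service: a candidate for scope reduction.
                    HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
                    PasswordAgeDays = $age
                    LastLogonDate   = $_.LastLogonDate
                }
            }
    }
}

function Get-TrustSummary {
    # Every trust is a path into or out of the domain; review direction, transitivity
    # and whether SID filtering / selective authentication are in place.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive,
                      SIDFilteringForestAware, SIDFilteringQuarantined, SelectiveAuthentication
}

function Get-StaleAccounts {
    # Enabled users and computers with no logon in the window: disable first, delete later.
    param([int]$InactiveDays = 90)
    $span = New-TimeSpan -Days $InactiveDays
    Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object Enabled |
        Select-Object @{ n = 'Type'; e = { 'User' } }, SamAccountName, LastLogonDate
    Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
        Where-Object Enabled |
        Select-Object @{ n = 'Type'; e = { 'Computer' } }, SamAccountName, LastLogonDate
}

$members = @(Get-PrivilegedMembership)
'{0} privileged user memberships across {1} groups' -f $members.Count, @($members.Group | Sort-Object -Unique).Count
$members | Sort-Object Group, Account | Format-Table -AutoSize
Get-TrustSummary | Format-Table -AutoSize
Get-StaleAccounts -InactiveDays 90 | Format-Table -AutoSize
```

Run it periodically and keep the output: the count of privileged memberships is a simple metric for whether the pruning described above is actually happening, and an account that appears in the list with both HasSPN set and a password that has not changed in years is exactly the kind of account the next section puts under management.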

For organizations with limited security staff and simple IT environments, one of the most impactful measures to harden AD can be shifting to Azure AD and engaging a competent managed services provider to administer it.  

Harden Privileged Access Management (PAM): Protect and automatically rotate privileged accounts’ passwords, requiring MFA to use the accounts to authenticate to resources.

Near-term, place 90% or more of privileged accounts’ passwords under management of a tool that requires MFA to access them and automatically rotates them regularly. LAPS (Microsoft’s Local Administrator Password Solution), which is a limited solution to part of this problem for a subset of important accounts, is a Tier 1 recommendation because of its ease of implementation when compared to a full-featured PAM tool.

For accounts that cannot immediately be placed under PAM management (typically service accounts), implement Active Directory security policies to restrict where those accounts can be used and monitoring rules to identify where they are used abnormally. Then create a process to rapidly react to alerts; attackers will gravitate towards these accounts.    
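As an added example (not code from the original post or from MOXFIVE), the script below does the two things this paragraph asks for with service accounts that are not yet under PAM: it restricts where they can be used, and it flags logons from anywhere else. The restriction uses one AD-native control, the account’s "Log On To" list (the userWorkstations attribute) together with marking the account as sensitive so its credentials cannot be delegated onward; Group Policy user-rights restrictions are a complementary approach not shown here. The detection reads successful logon events (Security event 4624) and compares the workstation against the allow-list. The account names, host names and sample events are constructed for the example; the ActiveDirectory module is assumed for the restriction step, and Security-log read access (on a domain controller or on a collector that receives forwarded DC events) for the live detection step.

```powershell
# Added example (not MOXFIVE's code). Account and host names below are constructed.

# Inventory of unmanaged service accounts and the hosts each is allowed to use.
$ServiceAccountScope = @{
    'svc_app01'  = @('APP01', 'APP02')   # application tier of the key business application
    'svc_backup' = @('BKP01')
}

function Set-ServiceAccountScope {
    # Write the allow-list into the account's "Log On To" list (comma-separated NetBIOS names)
    # and mark the account sensitive so it cannot be delegated. Requires the AD module.
    param([Parameter(Mandatory)][hashtable]$Scope)
    Import-Module ActiveDirectory
    foreach ($acct in $Scope.Keys) {
        Set-ADUser -Identity $acct -LogonWorkstations ($Scope[$acct] -join ',') -AccountNotDelegated $true
    }
}

function Get-LogonRecords {
    # Pull successful logons (4624) from the Security log and flatten the EventData fields.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $d['TargetUserName']
                Workstation = $d['WorkstationName']
                IpAddress   = $d['IpAddress']
                LogonType   = [int]$d['LogonType']
            }
        }
}

function Find-OutOfScopeLogons {
    # Flag any logon by a tracked service account from a host outside its allow-list.
    # Hashtable keys and -notcontains are case-insensitive in PowerShell, so no normalisation is needed.
    param([Parameter(Mandatory)][hashtable]$Scope, [Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        if (-not $Scope.ContainsKey($r.Account)) { continue }   # not a tracked account
        $ws = $r.Workstation
        $reason = $null
        if ([string]::IsNullOrEmpty($ws) -or $ws -eq '-') {
            # Some network logons carry no workstation name; review these by source IP.
            $reason = 'workstation not recorded; verify IpAddress against the allowed hosts'
        } elseif ($Scope[$r.Account] -notcontains $ws) {
            $reason = "host not in allow-list ($($Scope[$r.Account] -join ','))"
        }
        if ($reason) {
            [pscustomobject]@{
                Time = $r.Time; Account = $r.Account; Workstation = $ws
                IpAddress = $r.IpAddress; LogonType = $r.LogonType; Reason = $reason
            }
        }
    }
}

# Constructed sample records standing in for Get-LogonRecords output, so the logic runs offline.
$Sample = @(
    [pscustomobject]@{ Time = [datetime]'2022-03-14T02:10:00'; Account = 'svc_app01';  Workstation = 'APP01';      IpAddress = '10.0.5.11'; LogonType = 3 }
    [pscustomobject]@{ Time = [datetime]'2022-03-14T02:14:00'; Account = 'svc_app01';  Workstation = 'WKS-FIN-07'; IpAddress = '10.0.9.42'; LogonType = 3 }  # service account used from a user workstation
    [pscustomobject]@{ Time = [datetime]'2022-03-14T02:20:00'; Account = 'jsmith';     Workstation = 'WKS-FIN-07'; IpAddress = '10.0.9.42'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2022-03-14T02:31:00'; Account = 'svc_backup'; Workstation = '-';          IpAddress = '10.0.5.30'; LogonType = 3 }
)
Find-OutOfScopeLogons -Scope $ServiceAccountScope -Records $Sample | Format-Table -AutoSize

# Live use, after Set-ServiceAccountScope -Scope $ServiceAccountScope has been applied:
# Find-OutOfScopeLogons -Scope $ServiceAccountScope -Records (Get-LogonRecords -Since (Get-Date).AddHours(-1))
```

On the constructed sample, the second and fourth records are returned: the svc_app01 logon from WKS-FIN-07 (a host outside its allow-list) and the svc_backup logon with no workstation name recorded. The first is the alert the paragraph above says to build a rapid-reaction process around; the second is the kind of gap in the collected data that the hunting questions later in this post are meant to surface.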

Authentication – how users prove they are who they claim to be – is a mechanism often subverted by attackers. Most significant intrusions where an attacker obtains widespread internal access involve an attacker exploiting an authentication-related vulnerability at some point. A major contributing factor is that authentication typically depends on passwords, and passwords can be stolen. Viewed from a post-mortem perspective, the point at which an attacker succeeds in leveraging stolen privileged credentials while inside the network is usually the point after which complexity, business impact, and cost to recover increase rapidly.

Vulnerability and Patch Management: Scan frequently, apply secure settings to commonly vulnerable applications, patch quickly.

With systems management tooling in place (Tier 1), the goal of this effort is to implement processes to identify and quickly mitigate operating system and application vulnerabilities. This includes:

  • Frequently scanning externally available network space and internal systems to identify vulnerabilities in exposed systems and applications.
  • Configuring particularly at-risk applications, including web browsers, email clients, and PDF software, to apply updates.
  • Configuring and maintaining restrictive Microsoft Office macro settings.
  • Applying vendor-released patches to operating systems and applications promptly.

Attackers look for vulnerabilities to exploit as a means of entering a network, and once inside, to easily escalate their privileges. These measures reduce the available attack surface. IT projects can have unintended consequences, including systems, applications, or network ports exposed where they should not be. Vulnerability scanning is a means of verifying that only intended services are exposed, and that they are patched. Patching operating systems and applications is a “table stakes” activity in today’s environment; systems missing one critical patch can represent immediate entry points for attackers.
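One of the settings in the list above is concrete enough to show end to end: the Office macro policy. The script below is an added example, not code from the original post or from MOXFIVE. It reads the per-user policy values that Group Policy or Intune would normally deliver (the VBAWarnings notification level and the block on macros in files from the Internet), reports for each application whether the effective setting is the weak default or a restrictive one, and can apply a restrictive setting on a single host for lab use. It assumes an Office 16.0 install (Office 2016/2019/Microsoft 365) and the current user’s policy hive; the choice of applications is mine, not the post’s.

```powershell
# Added example (not MOXFIVE's code). Audits, and optionally sets on one host, the Office
# macro policy values that GPO/Intune would normally deliver. Assumes Office 16.0.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value (GPO "VBA Macro Notification Settings").
$VbaWarningMeaning = @{
    1 = 'Enable all macros (weakest)'
    2 = 'Disable all with notification (application default; users can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    # Read the per-user policy key for each application. An absent value means no policy is
    # enforced and the application default (2, with the Enable Content button) applies.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba = if ($null -ne $p.VBAWarnings) { [int]$p.VBAWarnings } else { $null }
        $blockInternet = if ($null -ne $p.blockcontentexecutionfrominternet) { [int]$p.blockcontentexecutionfrominternet } else { $null }
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vba
            Meaning             = if ($vba) { $VbaWarningMeaning[$vba] } else { 'no policy (default: disable with notification)' }
            BlockInternetMacros = ($blockInternet -eq 1)
            # Restrictive = signed-only or fully disabled, AND Internet-sourced files blocked outright.
            Restrictive         = ($vba -in @(3, 4)) -and ($blockInternet -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # Apply a restrictive setting on this host (lab or one-off). In production, deliver the
    # same values via GPO or Intune so they are enforced and stay maintained over time.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Weak state (typically: no policy at all) beside the corrected state.
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Set-OfficeMacroPolicy -VBAWarnings 3
# Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Value 3 (signed macros only) is usually the workable choice where line-of-business documents rely on macros that can be signed; value 4 is appropriate where no macros are needed at all. Either way, the Internet block should be on, since the Office file that arrives by email or download is the common delivery vehicle this section is concerned with. Re-running the audit after each policy change, and on a sample of hosts over time, is what "maintaining" the setting means in practice.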

Monitor, Hunt & Respond: Operationalize incident identification and response, proactively seek indications of malicious activity undetected by in-place tooling.

With EDR tooling in place (Tier 1), implement processes to effectively leverage a variety of data sources to identify indications of an intrusion early in its timeline. Going beyond reactive approaches, implement processes to proactively “hunt” for indications that otherwise undetected malicious activity may have been missed. Finally, implement and test incident response playbooks, both programmatic and technical.  

Technology is only part of the resilience equation; it must be coupled with effective processes executed by knowledgeable people. Whether handled by an in-house team, an outside service provider, or a combination of the two, organizations should strive to have clear answers to the questions below. Going through this exercise may also result in identifying additional data sources that are needed for monitoring.  

Monitoring

  • Into which areas of the environment do we have good visibility and where is our visibility lacking?
  • How do we monitor our environment to detect security incidents?
  • To what degree are we monitoring our environment for publicly available indicators of compromise derived from intrusions at other organizations?
  • How do we measure the effectiveness of these capabilities?
  • How consistent are we about the type of information we gather?
  • What additional tools or information do our security analysts or outside partners need to do their jobs?

Hunting

  • Have our systems been compromised? What level of confidence do we have in that assertion?  
  • What are we doing to proactively identify signs of compromises that are not detected by our existing monitoring technologies and processes?

Response

  • What do we consider a “security incident?”
  • What capabilities do we have to respond to a security incident?
  • To what degree have these capabilities been tested?
  • What do the boots-on-the-ground teams think of the tools and processes we have implemented in this area – do they enable all involved to do their jobs?
  • Do we have pre-existing arrangements with legal, technical, and other experts?  

Security Awareness & Phishing Simulations: Provide ongoing awareness training on security risks.

Like the “buckle up for safety” campaigns that raise awareness of a critical physical safety measure, security awareness campaigns should provide digestible and actionable information to employees, contractors and others that have a stake in the organization’s security posture. The most effective security awareness programs couple a variety of types of content, including periodic reminder emails, banners on internal company websites, and points made by leadership as part of team meetings. Periodically test employees’ behavior with simulated phishing emails as an educational tool to reinforce the awareness messages.

While it is inevitable that some users will “click the link,” well-constructed security awareness programs reduce risk by lowering that number. Additionally, vigilant employees are more prone to question suspicious emails enticing them to transfer funds without authorization – helping to reduce the risk of business email compromise (BEC) attacks.  

If you have questions about business resilience or need help implementing any of these solutions, you can contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

Jim Aldridge

Jim is a leader experienced in a variety of cybersecurity domains and adept at aligning diverse stakeholders ranging from technical specialists to executive leadership with business objectives. His pragmatic perspectives on IT and cybersecurity result from years of in-the-trenches experience attacking networks as a penetration tester and responding to targeted security breaches as an incident responder.
