Stop Advanced Adversaries: With the Top 5 Critical Controls
Transcript of Stop Advanced Adversaries: With the Top 5 Critical Controls
Page 1
Stop Advanced Adversaries: With the Top 5 Critical Controls
Travis Smith, Principal Security Researcher, Tripwire
Page 2
Real World Examples: Office of Personnel Management (OPM) APT-Style Attack
Loss of Confidentiality and Security; Unplanned Change
21.5 million government employee records stolen
Page 3
What Happened?
(Timeline diagram; only the labels are recoverable.)
Blueprints, Security Clearance, Personnel Records, Fingerprint Records
opmlearning.org, wdc-news-post.com
Mar 2014, Jun 2014, Jul 2014, Jul-Aug 2014, Dec 2014, Mar 2015, Mar 2015, Apr 2015, Apr 2015
Page 4
Lessons Learned
(Same diagram, annotated; only the labels are recoverable.)
Blueprints, Security Clearance, Personnel Records, Fingerprint Records
opmlearning.org, wdc-news-post.com
Two-Factor Authentication
Page 5
Real World Examples: Target Breach, Compromised HVAC, Malicious Patches
Loss of Confidential Information; Unplanned Change
40 million credit card numbers stolen
Page 6
What Happened?
(Diagram; only the repeated label "DLL" is recoverable.)
Page 7
Lessons Learned
(Same diagram, annotated; only the repeated label "DLL" is recoverable.)
Two-Factor Authentication
Page 8
Real World Examples: Ukrainian Power Outage, BlackEnergy & KillDisk malware
Loss of Security, Availability and Safety; Unplanned Change
80K-200K Ukrainians without power, December 23rd, 2015
Page 9
What Happened
Page 10
Lessons Learned
1. Configuration Benchmarks
2. Critical Change Audit
3. Whitelist Profiler
Page 11
Cause & Effect, Security & Availability… A very real threat to safety… in a galaxy far, far away…
Loss of Security, Availability and Safety; Unplanned Change
Page 12
CIS Critical Security Controls: The Controls Formerly Known As The SANS Top 20
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
(Diagram label: Attack Surface)
Page 13
Critical Security Control 1: Inventory of Authorized and Unauthorized Devices
1.1 – Deploy an Automated Asset Inventory Discovery Tool
1.2 – Use DHCP Logs To Detect Unknown Systems
1.3 – Add New Equipment To Inventory System
1.4 – Maintain Asset Inventory Consisting Of IP Address, Machine Name, Purpose, Asset Owner, and Department
1.5 – Deploy 802.1x
1.6 – Use Client Certificates To Validate Systems
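Sub-controls 1.2 through 1.4 describe one loop: read the DHCP server's lease log, compare each device that obtained a lease against the asset inventory, and queue anything unknown for an inventory record. The following script is an added example of that loop and is not code from the deck or from Tripwire. The dhcpd-style log lines and the inventory table are constructed samples, and the inventory field layout (keyed by MAC, carrying the CSC 1.4 attributes) is an assumption.

```python
"""Flag DHCP leases granted to devices that have no asset-inventory record (CSC 1.2-1.4).

Added illustration; not from the Tripwire deck. SAMPLE_LOG and INVENTORY are
constructed; the inventory layout is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory keyed by MAC, with the CSC 1.4 attributes.
INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.0.1.10", "name": "ws-fin-01", "purpose": "workstation",
                          "owner": "J. Doe", "department": "Finance"},
    "00:11:22:33:44:66": {"ip": "10.0.1.11", "name": "ws-fin-02", "purpose": "workstation",
                          "owner": "A. Roe", "department": "Finance"},
}

# Constructed ISC dhcpd syslog lines. DHCPACK is the final step of a lease grant.
SAMPLE_LOG = """\
Mar  4 09:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  4 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.10 to 00:11:22:33:44:55 (ws-fin-01) via eth0
Mar  4 09:15:43 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to aa:bb:cc:dd:ee:ff (android-7c1) via eth0
Mar  4 09:16:02 dhcp1 dhcpd: DHCPACK on 10.0.1.11 to 00:11:22:33:44:66 via eth0
Mar  4 09:20:10 dhcp1 dhcpd: DHCPACK on 10.0.1.58 to aa:bb:cc:dd:ee:ff (android-7c1) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: str


def parse_leases(log_text):
    """Return one Lease per DHCPACK line; DISCOVER/OFFER/REQUEST lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def unknown_devices(leases, inventory):
    """Return {mac: [Lease, ...]} for every MAC that holds no inventory record (CSC 1.2)."""
    unknown = {}
    for lease in leases:
        if lease.mac not in inventory:
            unknown.setdefault(lease.mac, []).append(lease)
    return unknown


def inventory_stubs(unknown):
    """Draft inventory records for new equipment (CSC 1.3), for an owner to complete."""
    stubs = []
    for mac, leases in unknown.items():
        latest = leases[-1]
        stubs.append({"mac": mac, "ip": latest.ip, "name": latest.host or "UNKNOWN",
                      "purpose": "TODO", "owner": "TODO", "department": "TODO",
                      "first_seen": leases[0].ts, "lease_count": len(leases)})
    return stubs


if __name__ == "__main__":
    found = unknown_devices(parse_leases(SAMPLE_LOG), INVENTORY)
    for stub in inventory_stubs(found):
        print(stub)
```

Keying on the MAC rather than the IP matters here: the unknown device in the sample received two different addresses across two leases, and an IP-keyed comparison would have reported two devices instead of one.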
Page 14
Critical Security Control 1: Inventory of Authorized and Unauthorized Devices
Page 15
Critical Security Control 1: Inventory of Authorized and Unauthorized Devices
Page 16
Critical Security Control 2: Inventory of Authorized and Unauthorized Software
2.1 – Devise an Authorized Software and Version List; Monitor by FIM Tools to Validate Software Has Not Been Modified
2.2 – Deploy Application Whitelisting (Software Restriction Policies and AppLocker)
2.3 – Deploy Software Inventory Tools
2.4 – Air-Gapped Systems To Run Risky Applications
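Sub-control 2.1 pairs an authorized software list with file integrity monitoring: record a hash and version for each approved binary, then re-hash on a schedule and report anything modified, missing, or present without being on the list. The script below is an added example of that check, not the deck's or Tripwire's own FIM code. It writes a few constructed files into a temporary directory to stand in for an installed application; the baseline record format (path to SHA-256 and version) is an assumption.

```python
"""Validate that binaries on the authorized-software list are unmodified (CSC 2.1).

Added illustration; not from the Tripwire deck. The "installed" files are
constructed samples written to a temp directory; the baseline format is an assumption.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths, versions):
    """Record the approved hash and version of each authorized file (the golden state)."""
    return {p: {"sha256": sha256_file(p), "version": versions[p]} for p in paths}


def check_against_baseline(baseline, present_paths):
    """Compare current files to the baseline.

    Returns: modified (hash changed), missing (authorized file gone),
    unauthorized (present but not on the list), ok (unchanged).
    """
    result = {"modified": [], "missing": [], "unauthorized": [], "ok": []}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            result["missing"].append(path)
        elif sha256_file(path) != rec["sha256"]:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    for path in present_paths:
        if path not in baseline:
            result["unauthorized"].append(path)
    return result


def demo():
    """Create a constructed install directory, baseline it, alter it, and re-check."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app.exe")
    lib = os.path.join(root, "helper.dll")
    with open(app, "wb") as f:
        f.write(b"\x4d\x5a original app bytes")
    with open(lib, "wb") as f:
        f.write(b"\x4d\x5a original helper bytes")
    baseline = build_baseline([app, lib], {app: "1.4.2", lib: "1.4.2"})

    # Simulated unauthorized change: the helper DLL is replaced and an extra file appears.
    with open(lib, "wb") as f:
        f.write(b"\x4d\x5a replaced helper bytes")
    rogue = os.path.join(root, "updater.dll")
    with open(rogue, "wb") as f:
        f.write(b"\x4d\x5a not on the authorized list")
    present = [os.path.join(root, n) for n in sorted(os.listdir(root))]
    return check_against_baseline(baseline, present), app, lib, rogue


if __name__ == "__main__":
    report, *_ = demo()
    for kind, paths in report.items():
        print(kind, [os.path.basename(p) for p in paths])
```

The "unauthorized" bucket is the link to CSC 2.2: a file that hashes fine but is not on the list is exactly what application whitelisting would refuse to execute, so the inventory check and the whitelist should be fed from the same list.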
Page 17
Critical Security Control 2: Inventory of Authorized and Unauthorized Software
Page 18
Critical Security Control 2: Inventory of Authorized and Unauthorized Software
Page 19
Critical Security Control 3: Secure Configurations for Hardware and Software
3.1 – Establish Secure Configurations for OS and Applications (Golden Images)
3.2 – Follow Strict Configuration Management Policies, i.e. Use the CIS Benchmarks
3.3 – Store Images on Secure Servers, Use FIM To Monitor for Change
3.4 – Use Secure Communication for Remote Administration
3.5 – Use FIM to Monitor Critical System Files
3.6 – Implement Configuration Management Tools
3.7 – Use System Config Tools To Push Configuration, i.e. Group Policy
Page 20
Critical Security Control 3: Secure Configurations for Hardware and Software
Recommended controls for hardening OSs, software, and network devices. Benchmark categories:
Cloud Providers (AWS)
Desktop Software (Web browsers, Office Suite)
Mobile Devices (Android, iOS)
Network Devices (Cisco, Checkpoint)
Operating Systems (Windows, Linux, OSX)
Server Software (Web servers, email, DB)
Page 21
Critical Security Control 3: Time-Consuming Process
This took ~5 minutes to check, modify, and recheck configuration.
155 Scored Tests (13 Hours / device); 85 Not Scored Tests (7 Hours / device)
80%
Enterprise-wide Standards for Secure Configurations: "80% of CIS Benchmarks"
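Sub-control 3.2 (follow the CIS Benchmarks) and the "80% of CIS Benchmarks" target above come together as a scoring loop: run each benchmark item against the host's actual settings, count only the scored items toward the result, and compare the pass rate to the enterprise threshold. The code below is an added example of that loop and is not from the deck, Tripwire, or CIS. The five checks, the setting names and the two sample configurations are constructed in the spirit of benchmark items; none of them is the text of an actual CIS benchmark.

```python
"""Score a host configuration against a benchmark-style checklist (CSC 3.2, 80% target).

Added illustration; not from the Tripwire deck or the CIS Benchmarks. The
checks, setting names and sample configurations are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict


@dataclass(frozen=True)
class Check:
    id: str
    title: str
    scored: bool                              # only scored items count toward the pass rate
    passes: Callable[[Dict[str, Any]], bool]
    remediation: str


# Constructed checklist; the setting keys are assumptions for this example.
CHECKLIST = [
    Check("1.1", "Minimum password length is 14 or more", True,
          lambda c: c.get("MinimumPasswordLength", 0) >= 14, "Set MinimumPasswordLength to 14"),
    Check("1.2", "Account lockout threshold is 10 or fewer attempts", True,
          lambda c: 0 < c.get("LockoutBadCount", 0) <= 10, "Set LockoutBadCount to 10"),
    Check("2.1", "Remote administration uses an encrypted channel", True,
          lambda c: c.get("RemoteAdminProtocol") in {"ssh", "winrm-https"},
          "Disable telnet / plain-HTTP administration"),
    Check("2.2", "Guest account is disabled", True,
          lambda c: c.get("GuestEnabled") is False, "Disable the Guest account"),
    Check("3.1", "Audit log retention is 90 days or more", False,
          lambda c: c.get("AuditRetentionDays", 0) >= 90, "Raise audit log retention"),
]


def assess(config, checklist=CHECKLIST, target=0.80):
    """Run every check; report failures and whether the scored pass rate meets the target."""
    failed = []
    scored_total = scored_passed = 0
    for chk in checklist:
        ok = bool(chk.passes(config))
        if chk.scored:
            scored_total += 1
            scored_passed += ok
        if not ok:
            failed.append((chk.id, chk.title, chk.scored, chk.remediation))
    rate = scored_passed / scored_total if scored_total else 1.0
    return {"scored_pass_rate": rate, "meets_target": rate >= target, "failed": failed}


# Constructed current state of a host, and the state after the scored failures are fixed.
CURRENT = {"MinimumPasswordLength": 8, "LockoutBadCount": 10, "RemoteAdminProtocol": "telnet",
           "GuestEnabled": False, "AuditRetentionDays": 30}
HARDENED = dict(CURRENT, MinimumPasswordLength=14, RemoteAdminProtocol="winrm-https")


if __name__ == "__main__":
    for label, cfg in (("current", CURRENT), ("hardened", HARDENED)):
        r = assess(cfg)
        print(label, f"{r['scored_pass_rate']:.0%}",
              "meets 80% target" if r["meets_target"] else "below target")
        for cid, title, scored, fix in r["failed"]:
            print("  FAIL", cid, title, "(scored)" if scored else "(not scored)", "->", fix)
```

Running this on the constructed host shows why the deck separates scored from not-scored tests: the hardened configuration still fails the unscored retention check, yet it meets the 80% standard, which is the decision the enterprise policy actually needs to make.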
Page 22
Prevent, Detect, Respond: Detect & Enforce, Security & Availability, Continuously and simultaneously
(Chart: Secure Server, Network & Industrial Configurations plotted over Time. Traditional Assessment: a MEGASCAN is required to reassess. Manual Configuration Assessment versus Continuous Configuration, Detection & Response / Continuous Diagnostics and Mitigation.)
The Goal is Security, not Audit; Lower Costs, Greater Efficiency; Increased Availability, Detect and Respond; Measurable, Sustainable, Reliable
Enterprise-wide Standards for Secure Configurations: "80% of CIS Benchmarks"
Page 23
Critical Security Control 3
Pages 24-27
(Slide images only; no text recovered.)
Page 28
Critical Security Control 4: Continuous Vulnerability Assessment and Remediation
4.1 – Run Automated Vulnerability Scans (Weekly); Scan for CVE and CCE
4.2 – Correlate Event Logs: Verify Scanning Occurred, Detect Successful Exploits
4.3 – Perform Authenticated Vulnerability Scans
4.4 – Regularly Update Vulnerability Signatures
4.5 – Deploy Patch Management Tools
4.6 – Monitor Logs For Scan Activity
4.7 – Compare Scan Results, Confirm Vulnerabilities Are Fixed
4.8 – Apply Patches to Riskier Systems First
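Sub-controls 4.2, 4.7 and 4.8 are all operations on scan output: confirm that every expected host actually produced results, diff this week's findings against last week's to prove fixes landed and to surface new exposures, and order what remains by system risk before severity. The script below is an added example of those three operations and is not from the deck or Tripwire. The findings, the host criticality tiers and the CVSS-style scores are constructed samples with placeholder CVE identifiers; the record layout is an assumption rather than any scanner's native format.

```python
"""Diff two vulnerability scans and rank remediation by host risk (CSC 4.2, 4.7, 4.8).

Added illustration; not from the Tripwire deck. All findings, host risk tiers and
CVE identifiers below are constructed placeholders.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "host cve score")

# Constructed results from last week's scan and this week's scan.
LAST_WEEK = [
    Finding("db-prod-01", "CVE-EXAMPLE-0001", 9.8),
    Finding("db-prod-01", "CVE-EXAMPLE-0002", 5.3),
    Finding("ws-fin-01", "CVE-EXAMPLE-0001", 9.8),
    Finding("ws-fin-01", "CVE-EXAMPLE-0003", 7.5),
]
THIS_WEEK = [
    Finding("db-prod-01", "CVE-EXAMPLE-0002", 5.3),   # 0001 no longer reported: fix confirmed
    Finding("ws-fin-01", "CVE-EXAMPLE-0001", 9.8),    # still present
    Finding("ws-fin-01", "CVE-EXAMPLE-0003", 7.5),
    Finding("ws-fin-01", "CVE-EXAMPLE-0004", 6.1),    # new this week
]
# Constructed asset criticality (would come from the CSC 1 inventory): higher = riskier system.
HOST_RISK = {"db-prod-01": 3, "ws-fin-01": 2}


def diff_scans(previous, current):
    """Return (fixed, persistent, new) as sets of (host, cve) pairs (CSC 4.7)."""
    prev = {(f.host, f.cve) for f in previous}
    curr = {(f.host, f.cve) for f in current}
    return prev - curr, prev & curr, curr - prev


def remediation_order(current, host_risk):
    """Rank open findings by host criticality first, then severity (CSC 4.8)."""
    return sorted(current, key=lambda f: (host_risk.get(f.host, 0), f.score), reverse=True)


def hosts_without_results(current, expected_hosts):
    """CSC 4.2 sanity check: expected hosts with no findings at all may not have been scanned."""
    seen = {f.host for f in current}
    return sorted(set(expected_hosts) - seen)


if __name__ == "__main__":
    fixed, persistent, new = diff_scans(LAST_WEEK, THIS_WEEK)
    print("fixed:", sorted(fixed))
    print("persistent:", sorted(persistent))
    print("new:", sorted(new))
    print("patch order:", [(f.host, f.cve) for f in remediation_order(THIS_WEEK, HOST_RISK)])
    print("no results from:", hosts_without_results(THIS_WEEK, HOST_RISK.keys() | {"web-dmz-01"}))
```

Note the ordering result: the database host's medium-severity finding is ranked ahead of the workstation's critical one, which is what "apply patches to riskier systems first" asks for and what a severity-only sort would get wrong.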
Page 29
Critical Security Control 4: Continuous Vulnerability Assessment and Remediation
Page 30
Critical Security Control 5: Controlled Use of Administrative Privileges
5.1 – Minimize Use of Admin Accounts, Audit All Activity
5.2 – Inventory and Audit Administrative Accounts
5.3 – Change Default Passwords
5.4 – Log Changes to Administrative Accounts
5.5 – Log Failed Logins to Administrative Accounts
5.6 – Use 2FA For Admin Access
5.7 – If 2FA unavailable, Use Passwords Longer Than 14 Chars
5.8 – Login With Non-Admin Accounts, Then Escalate Privileges
5.9 – Use Dedicated Machines for Admin Tasks (No Internet Access, email, document editing, etc.)
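Sub-controls 5.4 and 5.5 only pay off if someone reads the logs, so the natural next step is a small detection: count failed logons per administrative account and raise an alert past a threshold, and list every addition to an administrative group together with who made it. The script below is an added example of that detection and is not from the deck or Tripwire. The events are constructed samples in a flattened, syslog-like rendering of Windows Security events (4625 is a failed logon, 4624 a successful one, 4728 a member added to a security-enabled global group); the field names, the admin-account list and the threshold are assumptions.

```python
"""Alert on failed admin logons (CSC 5.5) and on admin-group membership changes (CSC 5.4).

Added illustration; not from the Tripwire deck. SAMPLE_EVENTS is a constructed,
flattened rendering of Windows Security events; names and threshold are assumptions.
"""
import re
from collections import defaultdict

ADMIN_ACCOUNTS = {"administrator", "svc-backup-admin", "jdoe-adm"}   # constructed
ADMIN_GROUPS = {"domain admins", "administrators"}
FAILED_LOGON_THRESHOLD = 3   # failures per account within the sample window (assumption)

# Constructed events: three failures for jdoe-adm, one for a non-admin, a success, a group add.
SAMPLE_EVENTS = """\
2016-03-04T09:00:01 DC1 EventID=4625 TargetUserName=jdoe-adm IpAddress=10.0.5.20 Status=0xC000006D
2016-03-04T09:00:04 DC1 EventID=4625 TargetUserName=jdoe-adm IpAddress=10.0.5.20 Status=0xC000006D
2016-03-04T09:00:07 DC1 EventID=4625 TargetUserName=jdoe-adm IpAddress=10.0.5.20 Status=0xC000006D
2016-03-04T09:00:09 DC1 EventID=4625 TargetUserName=mjones IpAddress=10.0.5.31 Status=0xC000006D
2016-03-04T09:01:00 DC1 EventID=4624 TargetUserName=jdoe-adm IpAddress=10.0.5.20 LogonType=10
2016-03-04T09:05:12 DC1 EventID=4728 TargetUserName=tmp-helpdesk TargetGroupName="Domain Admins" SubjectUserName=jdoe-adm
2016-03-04T09:06:40 DC1 EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7 Status=0xC000006A
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn each line into a dict of key=value fields plus ts and host."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "host": m["host"]}
        for key, value in FIELD_RE.findall(m["fields"]):
            ev[key] = value.strip('"')
        events.append(ev)
    return events


def failed_admin_logons(events, admin_accounts=ADMIN_ACCOUNTS, threshold=FAILED_LOGON_THRESHOLD):
    """Summarise 4625 events per admin account; 'alert' marks accounts at or above the threshold."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ev in events:
        acct = ev.get("TargetUserName", "").lower()
        if ev.get("EventID") == "4625" and acct in admin_accounts:
            counts[acct] += 1
            sources[acct].add(ev.get("IpAddress", "?"))
    return {acct: {"failures": n, "sources": sorted(sources[acct]), "alert": n >= threshold}
            for acct, n in counts.items()}


def admin_group_changes(events, admin_groups=ADMIN_GROUPS):
    """Every addition to an administrative group (4728), with the account that performed it."""
    return [(ev["ts"], ev["TargetUserName"], ev["TargetGroupName"], ev.get("SubjectUserName", "?"))
            for ev in events
            if ev.get("EventID") == "4728" and ev.get("TargetGroupName", "").lower() in admin_groups]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("failed admin logons:", failed_admin_logons(evs))
    print("admin group additions:", admin_group_changes(evs))
```

Two things the sample is built to show: the single failure against "administrator" stays below the threshold but is still recorded with its source address, because 5.5 asks for every failure to be logged, and the group addition is attributed to the admin account that had just failed three times and then succeeded, which is the kind of sequence a reviewer should be able to see in one place.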
Page 31
Critical Security Control 5: Controlled Use of Administrative Privileges
Page 32
Continuous Monitoring
Shrink the Attack Surface
Identify Suspicious Changes
Page 33
12 Key Capabilities (Source: Gartner's Market Guide for Endpoint Detection and Response)
PLUS policy, compliance and continuous monitoring
Page 34
Critical Security Control 3: Increased Protection
Pareto 80/20 Principle
All 20 CIS Controls: 97%
First Five CIS Controls: 85%
Page 35
https://www.cisecurity.org/critical-controls/documents/Poster_Winter2016_CSCs%20final.pdf
Page 36
Built-In Security: Free Tools to Harden Windows Systems
Dialog Filter, Keyboard Filter, StickyKeys, BitLocker, USB Filtering, EMET, AppLocker, Windows Firewall, Local User Checks, New Service Checks
Pages 37-39
Built-In Security: Free Tools to Harden Windows Systems (same tool list as Page 36)
Page 40
Built-In Security: Free Tools to Harden Windows Systems (same tool list as Page 36)
USB Filtering:
C:\Windows\Inf\Usbstor.pnf
C:\Windows\Inf\Usbstor.inf
Pages 41-44
Built-In Security: Free Tools to Harden Windows Systems (same tool list as Page 36)
Page 45
Built-In Security: Free Tools to Harden Windows Systems (same tool list as Page 36)
New Service Checks:
Net.exe start > services.txt
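The `Net.exe start > services.txt` line is the baseline half of a "New Service Checks" routine: capture the running services once, capture them again later, and report what appeared or disappeared. The same pattern covers the "Local User Checks" item with `net user` output. The script below is an added example of both diffs and is not from the deck or Tripwire; the two service captures and two user captures are constructed samples laid out the way `net start` and `net user` print (header line, indented or column-aligned names, trailing status line), and the service and account names are assumptions.

```python
"""Diff captures of `net start` and `net user` output to spot new services and accounts.

Added illustration for the "New Service Checks" and "Local User Checks" items;
not from the Tripwire deck. All captures below are constructed samples.
"""
import re

BASELINE_SERVICES = """\
These Windows services are started:

   DHCP Client
   DNS Client
   Windows Event Log
   Windows Firewall

The command completed successfully.
"""

CURRENT_SERVICES = """\
These Windows services are started:

   DHCP Client
   DNS Client
   Remote Registry
   Windows Event Log

The command completed successfully.
"""

BASELINE_USERS = """\
User accounts for \\\\WS-FIN-01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
jdoe
The command completed successfully.
"""

CURRENT_USERS = """\
User accounts for \\\\WS-FIN-01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
jdoe                     svc-tmp
The command completed successfully.
"""


def parse_net_start(text):
    """Service display names from `net start` output: the indented, non-blank lines."""
    return {line.strip() for line in text.splitlines() if line.startswith("   ") and line.strip()}


def parse_net_user(text):
    """Account names from `net user` output: the column-aligned rows after the dashed rule."""
    users = set()
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            # Columns are separated by runs of spaces; a single space could be part of a name.
            users.update(re.split(r"\s{2,}", line.strip()))
    return users


def drift(baseline_set, current_set):
    """What was added since the baseline and what from the baseline is gone."""
    return {"added": sorted(current_set - baseline_set), "removed": sorted(baseline_set - current_set)}


if __name__ == "__main__":
    print("services:", drift(parse_net_start(BASELINE_SERVICES), parse_net_start(CURRENT_SERVICES)))
    print("local users:", drift(parse_net_user(BASELINE_USERS), parse_net_user(CURRENT_USERS)))
```

Both the stopped firewall service and the extra local account are the sort of unplanned change the deck's breach examples turn on, which is why the "removed" list is reported alongside "added" rather than only the new entries.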
Page 46
Tripwire Solution
Page 47
What You Don't Know Will Hurt You… Things You MUST Know
Know Your Current System State
• Baselining Systems Tells You What You Currently Have
• Files, Registry, Database Configurations, Network Devices, Active Directory, Critical Infrastructure
Know Your Desired System State
• Security Policies Can Define Your Desired State
• Industry Standard Hardening, Compliance, Self-Created
Know How To Transition From Current To Desired State
• Compare Your State To Desired and Correct Differences
• Assessment, Deviations, Variance, Remediation, Automation
Know When Your Desired State Changes
• Agent and Agentless Change Detection
• Scheduled Scanning & Real Time
Know Why & Who Made Changes
• Deep Change Inspection
• Who, What, When, Where, Detailed Content, Change Management Processes
Know If Changes Are Good or Bad
• Sources Of Truth
• Change Windows, Patch Reconciliation, BAU, CMDB Reconciliation, Threat Intel
Know How To Respond, Alert and Share
• Inspect, Take Action, Report
• Historical Changes, Auto-Remediate, Audit Ready, Change Dashboards