Stop Advanced Adversaries: With the Top 5 Critical Controls

Stop Advanced Adversaries With the Top 5 Critical Controls Travis Smith Principal Security Researcher Tripwire

Transcript of Stop Advanced Adversaries: With the Top 5 Critical Controls

Page 1: Stop Advanced Adversaries: With the Top 5 Critical Controls

Stop Advanced Adversaries With the Top 5 Critical Controls

Travis Smith, Principal Security Researcher, Tripwire

Page 2:

Real World Examples: Office of Personnel Management (OPM), APT-Style Attack

Loss of Confidentiality and Security; Unplanned Change

21.5 million government employee records stolen

Page 3:

What Happened?

(Figure: timeline of the OPM intrusion with markers at Mar 2014, Jun 2014, Jul 2014, Jul-Aug 2014, Dec 2014, Mar 2015, Mar 2015, Apr 2015 and Apr 2015; the data sets taken: blueprints, security clearance files, personnel records, fingerprint records; and the domains opmlearning.org and wdc-news-post.com.)

Page 4:

Lessons Learned

(Figure: the same timeline and data sets, blueprints, security clearance files, personnel records, fingerprint records, with the domains opmlearning.org and wdc-news-post.com, and the lesson called out: Two-Factor Authentication.)

Page 5:

Real World Examples: Target Breach, Compromised HVAC, Malicious Patches

Loss of Confidential Information; Unplanned Change

40 million credit card numbers stolen

Page 6:

What Happened?

(Figure: a single malicious DLL delivered as a "patch", then the same DLL replicated across many systems.)

Page 7:

Lessons Learned

(Figure: the same DLL spread, with the lesson called out: Two-Factor Authentication.)

Page 8:

Real World Examples: Ukrainian Power Outage, BlackEnergy and KillDisk malware

Loss of Security, Availability and Safety; Unplanned Change

80,000 to 200,000 Ukrainians without power, December 23rd, 2015

Page 9:

What Happened?

Page 10:

Lessons Learned

1. Configuration Benchmarks
2. Critical Change Audit
3. Whitelist Profiler

Page 11:

Cause & Effect, Security & Availability... A very real threat to safety... in a galaxy far, far away...

Loss of Security, Availability and Safety; Unplanned Change

Page 12:

CIS Critical Security Controls: The Controls Formerly Known As The SANS Top 20

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges

(Figure labelled "Attack Surface": the first five controls shown shrinking it.)

Page 13:

Critical Security Control 1: Inventory of Authorized and Unauthorized Devices

1.1 – Deploy an Automated Asset Inventory Discovery Tool
1.2 – Use DHCP Logs To Detect Unknown Systems
1.3 – Add New Equipment To Inventory System
1.4 – Maintain Asset Inventory Consisting Of IP Address, Machine Name, Purpose, Asset Owner, and Department
1.5 – Deploy 802.1x
1.6 – Use Client Certificates To Validate Systems
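Sub-controls 1.2 and 1.4 together give a cheap detection: every DHCPACK names a MAC and an address, and a MAC that is not in the inventory is an unknown device. The script below is an added example written for this transcript, not Tripwire's product or code. The inventory, the dhcpd-style log lines, and every MAC, hostname and address in it are constructed for illustration.

```python
"""Detect unknown and moved devices from DHCP lease logs (CSC 1.2 / 1.4).

Added example, not from the original deck. The inventory and log lines
below are constructed for illustration; MACs, names and IPs are made up.
"""
import re
from dataclasses import dataclass

# Asset inventory in the shape CSC 1.4 asks for, keyed by MAC address (constructed).
INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.0.1.10", "name": "fileserver01", "purpose": "file share",
                          "owner": "it-ops", "department": "IT"},
    "00:11:22:33:44:66": {"ip": "10.0.1.11", "name": "hr-laptop07", "purpose": "workstation",
                          "owner": "j.doe", "department": "HR"},
}

# Lease log in ISC dhcpd syslog style (constructed). Only DHCPACK lines prove a
# device actually took an address; a DHCPDISCOVER alone does not.
SAMPLE_LOG = """\
Mar 12 09:14:02 dhcp01 dhcpd: DHCPACK on 10.0.1.10 to 00:11:22:33:44:55 (fileserver01) via eth0
Mar 12 09:15:44 dhcp01 dhcpd: DHCPACK on 10.0.1.11 to 00:11:22:33:44:66 (hr-laptop07) via eth0
Mar 12 09:16:01 dhcp01 dhcpd: DHCPACK on 10.0.1.57 to aa:bb:cc:dd:ee:ff (android-3f9) via eth0
Mar 12 09:16:30 dhcp01 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar 12 09:17:12 dhcp01 dhcpd: DHCPACK on 10.0.1.58 to 00:11:22:33:44:66 (hr-laptop07) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_leases(log_text):
    """Extract (ip, mac, hostname) from every DHCPACK line; MACs normalised to lower case."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def find_unknown_devices(leases, inventory):
    """Leases whose MAC is not in the inventory: candidates for CSC 1.3 (add it or block it)."""
    return [lease for lease in leases if lease.mac not in inventory]


def find_moved_devices(leases, inventory):
    """Known devices seen at an address other than the one the inventory records.

    Returns (lease, expected_ip) pairs. A moved device is either a stale
    inventory entry or a MAC cloned onto another machine; both need a look.
    """
    moved = []
    for lease in leases:
        record = inventory.get(lease.mac)
        if record and record["ip"] != lease.ip:
            moved.append((lease, record["ip"]))
    return moved


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    for lease in find_unknown_devices(leases, INVENTORY):
        print(f"UNKNOWN  {lease.mac} {lease.ip} {lease.hostname!r}")
    for lease, expected in find_moved_devices(leases, INVENTORY):
        print(f"MOVED    {lease.mac} now {lease.ip}, inventory says {expected}")
```

Run against a real dhcpd log the only change is the input; the DHCPDISCOVER line shows why only acknowledged leases are counted. MAC is a weak identity (it is trivially spoofed), which is exactly why 1.5 and 1.6 follow with 802.1x and client certificates.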

Page 14:

Critical Security Control 1: Inventory of Authorized and Unauthorized Devices

Page 15:

Critical Security Control 1: Inventory of Authorized and Unauthorized Devices

Page 16:

Critical Security Control 2: Inventory of Authorized and Unauthorized Software

2.1 – Devise an Authorized Software and Version List; Monitor by FIM Tools to Validate Software Has Not Been Modified
2.2 – Deploy Application Whitelisting (Software Restriction Policies and AppLocker)
2.3 – Deploy Software Inventory Tools
2.4 – Use Air-Gapped Systems To Run Risky Applications

Page 17:

Critical Security Control 2: Inventory of Authorized and Unauthorized Software

Page 18:

Critical Security Control 2: Inventory of Authorized and Unauthorized Software

Page 19:

Critical Security Control 3: Secure Configurations for Hardware and Software

3.1 – Establish Secure Configurations for OS and Applications (Golden Images)
3.2 – Follow Strict Configuration Management Policies (e.g., Use the CIS Benchmarks)
3.3 – Store Images on Secure Servers; Use FIM To Monitor for Change
3.4 – Use Secure Communication for Remote Administration
3.5 – Use FIM to Monitor Critical System Files
3.6 – Implement Configuration Management Tools
3.7 – Use System Config Tools To Push Configuration (e.g., Group Policy)
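Sub-control 2.1 (validate software has not been modified) and sub-controls 3.3 and 3.5 (FIM on images and critical system files) all rest on the same mechanism: record a baseline of hash, size and permissions per file, then diff against it. The following is an added example written for this transcript, not Tripwire's product or code. It builds a throwaway directory standing in for a golden image, baselines it, applies three unplanned changes, and reports them; the file names and contents are constructed.

```python
"""File-integrity baseline and comparison (CSC 2.1 and CSC 3.3 / 3.5).

Added example, not Tripwire's product or code. The directory, file names
and contents are constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """What a FIM tool records per file: content hash plus size and permission bits."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def baseline(root):
    """Record every regular file under root, keyed by a /-separated relative path."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                records[rel] = file_record(full)
    return records


def compare(old, new):
    """Added, removed and changed files; for changed files, which attributes differ."""
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {},
    }
    for path in sorted(set(old) & set(new)):
        diffs = [k for k in ("sha256", "size", "mode") if old[path][k] != new[path][k]]
        if diffs:
            report["changed"][path] = diffs
    return report


def _write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Golden image, then three unplanned changes; returns the comparison report."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "bin", "sshd"), b"original binary")
    _write(os.path.join(root, "etc", "sshd_config"), b"PermitRootLogin no\n")
    before = baseline(root)

    # Same-length content swap: size and mode are unchanged, only the hash catches it.
    _write(os.path.join(root, "bin", "sshd"), b"trojaned binary")
    # Loosened permissions with identical content: only the mode changes.
    os.chmod(os.path.join(root, "etc", "sshd_config"), 0o666)
    # A dropped-in file that was never part of the image.
    _write(os.path.join(root, "bin", "evil.dll"), b"MZ")

    return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The baseline is only as trustworthy as where it lives: keep it off the monitored host (3.3, "secure servers"), because an attacker who owns the box can rewrite a local baseline as easily as the binaries it describes. The same-length swap in the demo is the case a size-and-mtime check misses and a hash does not.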

Page 20:

Critical Security Control 3: Secure Configurations for Hardware and Software

The CIS Benchmarks: recommended controls for hardening OSs, software, and network devices.

Cloud Providers (AWS)
Desktop Software (Web browsers, Office Suite)
Mobile Devices (Android, iOS)
Network Devices (Cisco, Checkpoint)
Operating Systems (Windows, Linux, OSX)
Server Software (Web servers, email, DB)

Page 21:

Critical Security Control 3: A Time-Consuming Process

Checking, modifying, and rechecking one configuration item by hand took ~5 minutes. At that rate a benchmark with 155 scored tests costs about 13 hours per device (155 x 5 minutes), and its 85 not-scored tests another 7 hours per device.

Enterprise-wide Standards for Secure Configurations: "80% of CIS Benchmarks"

Page 22:

Prevent, Detect, Respond. Detect & Enforce, Security & Availability, Continuously and Simultaneously

(Figure: secure server, network and industrial configurations plotted against time. Traditional assessment: manual configuration assessment, with a "MEGASCAN" required to reassess. Continuous Diagnostics and Mitigation: continuous configuration, detection and response.)

The Goal is Security, not Audit. Lower Costs, Greater Efficiency. Increased Availability, Detect and Respond. Measurable, Sustainable, Reliable.

Enterprise-wide Standards for Secure Configurations: "80% of CIS Benchmarks"

Page 23:

Critical Security Control 3

Page 24:

Page 25:

Page 26:

Page 27:

Critical Security Control 4Continuous Vulnerability Assessment and Remediation

4.1 – Run Automated Vulnerability Scans (Weekly) Scan for CVE and CCEP

4.2 – Correlate Event Logs Verify Scanning Occurred

Detect Successful Exploits

4.3 – Perform Authenticated Vulnerability Scans 4.4 – Regularly Update Vulnerability Signatures 4.5 – Deploy Patch Management Tools 4.6 – Monitor Logs For Scan Activity 4.7 – Compare Scan Results, Confirm Vulnerabilities Are Fixed 4.8 – Apply Patches to Riskier Systems First
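Sub-controls 4.2, 4.7 and 4.8 describe one workflow: diff this week's scan against last week's, call a finding fixed only if its host was actually scanned, and rank what remains by how much the host matters. The script below is an added example written for this transcript, not from the deck or any scanner vendor. The scan rows, host names and exposure weights are constructed, and the CVE identifiers are placeholders in the CVE format, not real entries.

```python
"""Compare two vulnerability scans and rank the open findings (CSC 4.2, 4.7, 4.8).

Added example, not from the original deck. Scan rows, hosts and exposure
weights are constructed; the CVE identifiers are placeholders, not real entries.
"""

# One row per (host, CVE) finding with its CVSS base score (constructed).
PREVIOUS_SCAN = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "db01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "hr-laptop07", "cve": "CVE-0000-0003", "cvss": 7.5},
    {"host": "mail01", "cve": "CVE-0000-0005", "cvss": 6.5},
]
CURRENT_SCAN = [
    {"host": "web01", "cve": "CVE-0000-0002", "cvss": 5.3},   # still open
    {"host": "db01", "cve": "CVE-0000-0001", "cvss": 9.8},    # still open
    {"host": "db01", "cve": "CVE-0000-0004", "cvss": 8.8},    # new since last scan
    {"host": "hr-laptop07", "cve": "CVE-0000-0003", "cvss": 7.5},
    # mail01 is absent: it was not scanned this week, so nothing on it is "fixed".
]

# Constructed weights for how much a hole on this host matters to us:
# internet-facing web tier 3, data tier 2, user endpoint 1.
HOST_EXPOSURE = {"web01": 3, "db01": 2, "hr-laptop07": 1, "mail01": 2}


def _key(finding):
    return (finding["host"], finding["cve"])


def diff_scans(previous, current):
    """Classify findings as fixed, unverified, still open, or new.

    A finding counts as fixed only when its host appears in the new scan at
    all (CSC 4.2: verify scanning occurred); a host that silently dropped out
    of the scan would otherwise look clean.
    """
    prev, cur = {_key(f) for f in previous}, {_key(f) for f in current}
    scanned_hosts = {f["host"] for f in current}
    gone = prev - cur
    return {
        "fixed": sorted(k for k in gone if k[0] in scanned_hosts),
        "unverified": sorted(k for k in gone if k[0] not in scanned_hosts),
        "open": sorted(prev & cur),
        "new": sorted(cur - prev),
    }


def prioritize(current, exposure):
    """Rank open findings by CVSS x host exposure, highest first (CSC 4.8)."""
    def score(f):
        return round(f["cvss"] * exposure.get(f["host"], 1), 1)
    ranked = sorted(current, key=lambda f: (-score(f), f["host"], f["cve"]))
    return [(f["host"], f["cve"], score(f)) for f in ranked]


if __name__ == "__main__":
    for kind, keys in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{kind:10s} {keys}")
    for host, cve, s in prioritize(CURRENT_SCAN, HOST_EXPOSURE):
        print(f"{s:5.1f} {host:12s} {cve}")
```

The "unverified" bucket is the point of 4.2 and 4.6: a scanner that skipped a host (agent down, host off, credentials expired) reports nothing, and nothing is easy to mistake for fixed. The exposure weights are a stand-in for whatever the inventory from CSC 1.4 says about purpose and owner.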

Page 29:

Critical Security Control 4: Continuous Vulnerability Assessment and Remediation

Page 30:

Critical Security Control 5: Controlled Use of Administrative Privileges

5.1 – Minimize Use of Admin Accounts, Audit All Activity
5.2 – Inventory and Audit Administrative Accounts
5.3 – Change Default Passwords
5.4 – Log Changes to Administrative Accounts
5.5 – Log Failed Logins to Administrative Accounts
5.6 – Use 2FA For Admin Access
5.7 – If 2FA Unavailable, Use Passwords Longer Than 14 Chars
5.8 – Log In With Non-Admin Accounts, Then Escalate Privileges
5.9 – Use Dedicated Machines for Admin Tasks (No Internet Access, email, document editing, etc.)
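Sub-controls 5.2, 5.4, 5.5, 5.8 and 5.9 are all questions you can put to the Windows Security log: who is exercising admin rights, from which machines, who is failing to log in as an admin, and who just got added to a privileged group. The script below is an added example written for this transcript, not from the deck or any product. The events are constructed dicts carrying only the fields the checks need; the event IDs (4624 logon, 4625 failed logon, 4672 special privileges assigned, 4732 member added to a security-enabled local group) are the real ones, while the accounts, hosts and the "PAW" host list are made up.

```python
"""Audit administrative-account activity from Windows security events
(CSC 5.2, 5.4, 5.5, 5.8, 5.9).

Added example, not from the original deck. Events are constructed dicts;
account names, host names and the admin inventory are made up.
"""
from collections import Counter

ADMIN_ACCOUNTS = {"adm-jdoe", "adm-asmith"}           # sanctioned admin accounts (CSC 5.2 inventory; constructed)
PAW_HOSTS = {"paw01", "paw02"}                         # dedicated admin workstations (CSC 5.9; constructed)
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
INTERACTIVE_LOGON_TYPES = {2, 10}                      # console and RDP

# Constructed events. Names ending in "$" are machine accounts and are skipped.
EVENTS = [
    {"id": 4624, "account": "adm-jdoe", "host": "paw01", "logon_type": 2},
    {"id": 4672, "account": "adm-jdoe", "host": "paw01"},
    {"id": 4624, "account": "adm-jdoe", "host": "hr-laptop07", "logon_type": 10},  # admin RDP session from a user laptop
    {"id": 4672, "account": "adm-jdoe", "host": "hr-laptop07"},
    {"id": 4672, "account": "svc-backup", "host": "db01"},                         # admin rights, not in the inventory
    {"id": 4672, "account": "DB01$", "host": "db01"},
    {"id": 4625, "account": "adm-asmith", "host": "web01", "logon_type": 3},
    {"id": 4625, "account": "adm-asmith", "host": "web01", "logon_type": 3},
    {"id": 4625, "account": "adm-asmith", "host": "web01", "logon_type": 3},
    {"id": 4625, "account": "adm-asmith", "host": "web01", "logon_type": 3},
    {"id": 4625, "account": "jdoe", "host": "web01", "logon_type": 3},
    {"id": 4732, "account": "jdoe", "host": "web01", "group": "Administrators"},   # new local admin
]


def audit(events, admin_accounts, paw_hosts, fail_threshold=3):
    """Return the four things a CSC 5 review wants to see first."""
    unknown_admins = set()
    admin_from_unmanaged = []
    failed = Counter()
    group_changes = []
    for e in events:
        acct = e["account"]
        if acct.endswith("$"):
            continue
        if e["id"] == 4672 and acct not in admin_accounts:
            # 5.2: privilege exercised by an account the inventory does not know about
            unknown_admins.add(acct)
        elif e["id"] == 4624 and acct in admin_accounts:
            # 5.8 / 5.9: interactive admin session on a general-purpose machine
            if e.get("logon_type") in INTERACTIVE_LOGON_TYPES and e["host"] not in paw_hosts:
                admin_from_unmanaged.append((acct, e["host"]))
        elif e["id"] == 4625 and acct in admin_accounts:
            failed[acct] += 1                                   # 5.5: failed logins to admin accounts
        elif e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            group_changes.append((acct, e["group"], e["host"]))  # 5.4: change to the set of admins
    return {
        "unknown_admins": sorted(unknown_admins),
        "admin_from_unmanaged_host": admin_from_unmanaged,
        "failed_admin_logons": {a: n for a, n in failed.items() if n >= fail_threshold},
        "group_changes": group_changes,
    }


if __name__ == "__main__":
    for k, v in audit(EVENTS, ADMIN_ACCOUNTS, PAW_HOSTS).items():
        print(f"{k}: {v}")
```

The threshold on failed logons is a tuning knob, not a rule; what matters is that failures against admin accounts are counted separately from everyone else's typos. The 4732 check is the one that would have surfaced a quietly added local administrator between audits.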

Page 31:

Critical Security Control 5: Controlled Use of Administrative Privileges

Page 32:

Continuous Monitoring: Shrink the Attack Surface; Identify Suspicious Changes

Page 33:

12 Key Capabilities (Source: Gartner's Market Guide for Endpoint Detection and Response), plus policy, compliance and continuous monitoring

Page 34:

Critical Security Controls: Increased Protection

Pareto 80/20 Principle

(Figure: the first five CIS Controls give 85% of the protection; all 20 CIS Controls give 97%.)

Page 35:

https://www.cisecurity.org/critical-controls/documents/Poster_Winter2016_CSCs%20final.pdf

Page 36:

Built-In Security: Free Tools to Harden Windows Systems

Dialog Filter
Keyboard Filter
StickyKeys
BitLocker
USB Filtering (C:\Windows\Inf\Usbstor.pnf, C:\Windows\Inf\Usbstor.inf)
EMET
AppLocker
Windows Firewall
Local User Checks
New Service Checks (Net.exe start > services.txt)

(Pages 37 to 45 repeat this list.)
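The last two items, Local User Checks and New Service Checks, are the same idea as the deck's `net start > services.txt`: capture the output of `net user` and `net start` on a freshly built host, then diff later captures against it. The script below is an added example written for this transcript, not from the deck or from Tripwire. The two pairs of captures are constructed text in the shape those commands print; the host name, accounts and service names are made up.

```python
"""Baseline-and-diff for local users and services from `net user` / `net start`
output (the "Local User Checks" and "New Service Checks" items).

Added example, not from the original deck. The captures are constructed text
in the shape those commands print; host, account and service names are made up.
"""
import re

SERVICES_BASELINE = """\
These Windows services are started:

   Application Information
   Base Filtering Engine
   Windows Defender Antivirus Service
   Windows Event Log
   Windows Firewall

The command completed successfully.
"""

SERVICES_NOW = """\
These Windows services are started:

   Application Information
   Base Filtering Engine
   Remote Access Helper Svc
   Windows Event Log

The command completed successfully.
"""

USERS_BASELINE = """\
User accounts for \\\\WEB01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
jdoe                     WDAGUtilityAccount
The command completed successfully.
"""

USERS_NOW = """\
User accounts for \\\\WEB01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
jdoe                     support                  WDAGUtilityAccount
The command completed successfully.
"""


def parse_net_start(text):
    """Service display names are the indented lines of `net start` output."""
    return {line.strip() for line in text.splitlines() if line.startswith(" ") and line.strip()}


def parse_net_user(text):
    """Account names sit in padded columns between the dashed rule and the trailer line."""
    users, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            # columns are separated by runs of 2+ spaces, so a name with one space survives
            users.update(re.split(r"\s{2,}", line.strip()))
    return users


def diff_sets(baseline, now):
    return {"added": sorted(now - baseline), "removed": sorted(baseline - now)}


def check_host(services_before, services_after, users_before, users_after):
    """Both diffs for one host; anything in 'added' or 'removed' is an unplanned change to explain."""
    return {
        "services": diff_sets(parse_net_start(services_before), parse_net_start(services_after)),
        "users": diff_sets(parse_net_user(users_before), parse_net_user(users_after)),
    }


if __name__ == "__main__":
    for what, delta in check_host(SERVICES_BASELINE, SERVICES_NOW, USERS_BASELINE, USERS_NOW).items():
        print(what, delta)
```

Two caveats for real use. `net start` lists only running services, so a service that was installed but not yet started is invisible until it runs; pair it with `sc query type= service state= all` or the Services registry key if you need installed-but-stopped. And the "removed" list is as important as "added": in the constructed data the Windows Firewall and Defender services have stopped, which is a change in the protection of the host, not just in its inventory.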

Page 46:

Tripwire Solution

Page 47:

What You Don't Know Will Hurt You... Things You MUST Know

Know Your Current System State
• Baselining Systems Tells You What You Currently Have
• Files, Registry, Database Configurations, Network Devices, Active Directory, Critical Infrastructure

Know Your Desired System State
• Security Policies Can Define Your Desired State
• Industry Standard Hardening, Compliance, Self-Created

Know How To Transition From Current To Desired State
• Compare Your State To Desired and Correct Differences
• Assessment, Deviations, Variance, Remediation, Automation

Know When Your Desired State Changes
• Agent and Agentless Change Detection
• Scheduled Scanning & Real Time

Know Why & Who Made Changes
• Deep Change Inspection
• Who, What, When, Where, Detailed Content, Change Management Processes

Know If Changes Are Good or Bad
• Sources Of Truth
• Change Windows, Patch Reconciliation, BAU, CMDB Reconciliation, Threat Intel

Know How To Respond, Alert and Share
• Inspect, Take Action, Report
• Historical Changes, Auto-Remediate, Audit Ready, Change Dashboards

Page 48:

THANK YOU

tripwire.com | @TripwireInc

Travis Smith @[email protected]