4 Cyber Security KPIs

Posted 23-Jan-2018

TRANSCRIPT

Page 1: 4 Cyber Security KPIs

by: steven aiello

ver: 2.0.1

SECURITY KPIS

Page 2: 4 Cyber Security KPIs

Steven Aiello

Introduction.

Security & Compliance Solutions Principal

SANS GCIH License 29615 – Mentor Status

SANS GSEC License 353652 – Mentor Status

OSCP – (In Progress)

CISSP

CISA

VCAP - DCA

VCAP - DCD

VCP

Page 3: 4 Cyber Security KPIs

This is where I’ve been. It’s been a long road…

Compliance, I.R., A.D., Web Development, Network, Logging, Systems Admin., Endpoint

Page 4: 4 Cyber Security KPIs

“Performance is the best way to shut people up.”

- Marcus Lemonis

Page 5: 4 Cyber Security KPIs

The Data: What does the data say about our efforts in cyber security?

[Slide graphic with figures: the results, the change, the money ($101.6), the activity; 2016]

Page 6: 4 Cyber Security KPIs

“In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects organizations will spend on cybersecurity in 2016.”

Oct 12th 2016, fortune.com

[Slide figures: 2020, $101.6B, 38%, 2016]

Page 7: 4 Cyber Security KPIs

[Slide figure: 2016]

“Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick identification through internal financial audits, associated with business email compromise (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.”

DBIR 2017, Verizon

Highlighted: “disclosed by the affected customer or an external threat actor bragging or extorting their victims.”

Page 8: 4 Cyber Security KPIs

How likely you are to be breached if you’ve had an event, broken down by industry:

Accommodation 93%
Healthcare 65%
Finance 47%
Manufacturing 20%
Information 16%
Professional 4%
Public 1%

Page 9: 4 Cyber Security KPIs

Attack vectors of confirmed breaches (top attack vectors of known breaches):

Email & Email Attachments 43%
Backdoor or C2 (Hacking) 24%
Web Application 19%
Direct Install 6%
LAN Access 4%
Partner Facility 4%

Page 10: 4 Cyber Security KPIs

The top six threat action varieties

“Top six actions by threat actors that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.”

DBIR 2017, Verizon

Page 11: 4 Cyber Security KPIs

To recap what’s happening

81% of breaches leveraged weak or stolen passwords; this includes password hashes…

66% of malware was installed via malicious email attachments

24% of breaches involved backdoors or “hacking”

Top 6 actions threat actors use involve valid passwords to move laterally through the network

Top 6 actions threat actors use involve valid passwords to access data and exfiltrate it [within days] …

Page 12: 4 Cyber Security KPIs

Four security KPIs

Data monitored for anomalous access: What data is important to the business? What are “normal” data access patterns by user account? How does the organization monitor for changes in data access patterns?

Minimization and monitoring of lateral movement: What percentage of systems have unilateral access to other hosts? What policies and technologies can organizations put in place to gain visibility?

Confidence in system control: What are our patch times for operating systems, CotS applications, internally developed applications? How do we reduce patching cycles? For systems that cannot be patched, leverage application white listing.

Confidence in account validity: What level of confidence does the organization have that user accounts authenticating to systems are being properly used?

Page 13: 4 Cyber Security KPIs

Confidence in account validity

KPI number one: Account validity is possibly the most difficult KPI to score well in. No, your two factor authentication will not protect you…

Four security KPIs

Protection from Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory (CERT-EU Security 2014-07)

Page 14: 4 Cyber Security KPIs

KPI one: confidence in account validity

01 SMB is the problem: Protection from PTH attacks
• psexec bypasses 2FA

02 Kerberos is the problem: Creating the Golden Ticket
• KRBTGT password hash
• Domain admin. username
• Domain name
• Domain SID

03 2FA == local logon only: Two-factor authentication only protects user logon attempts from the Windows console or RDP

Page 15: 4 Cyber Security KPIs

KPI one: confidence in account validity

Disable cached creds. Within Active Directory Group Policy:
\Computer Configuration
\Windows Settings
\Security Settings
\Local Policies
\Security Options
Do not allow storage of passwords and credentials for network authentication

If not possible… For mobile users:
\Security Settings
\Local Policies
\Security Options
Interactive Logon: Number of previous logons to cache (in case domain controller is not available)

Kerberos is still the problem: Protection from the Golden Ticket
• KRBTGT password hash
• Domain admin. username
• Domain name
• Domain SID
If a golden ticket is created the only way to invalidate the ticket is to reset the KRBTGT two times
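The two Group Policy settings above can be verified on a host rather than taken on trust. The following Python is an added example, not part of the slides or the presenter's material: it parses an exported local security policy and reports whether stored network credentials are disabled and how many logons are cached. It assumes the input is the INF text written by `secedit /export /cfg <file>`, that the two policies are stored as the registry values `Winlogon\CachedLogonsCount` and `Lsa\DisableDomainCreds`, and that the tolerated count for mobile users (`max_cached_logons`) is a site decision; the sample export is constructed.

```python
# Added example (not from the slides): check an exported Windows local
# security policy for the two cached-credential settings recommended under
# KPI one. Assumptions: the input is the INF text written by
# `secedit /export /cfg <file>`, whose [Registry Values] section lists
# `MACHINE\<path>=<type>,<value>` (type 1 = REG_SZ, 4 = REG_DWORD); the
# "Interactive logon: Number of previous logons to cache" policy is stored as
# Winlogon\CachedLogonsCount and "Network access: Do not allow storage of
# passwords and credentials for network authentication" as Lsa\DisableDomainCreds.
import re

CACHED_LOGONS = r"machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount"
DISABLE_DOMAIN_CREDS = r"machine\system\currentcontrolset\control\lsa\disabledomaincreds"

# Constructed sample export for a laptop that still caches ten logons and
# still allows stored network credentials (neither recommendation applied).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount=1,"10"
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\DisableDomainCreds=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(text):
    """Return {lower-cased path: (type, value)} from the [Registry Values] section."""
    values = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Registry Values" or "=" not in line:
            continue
        path, rest = line.split("=", 1)
        vtype, _, raw = rest.partition(",")
        values[path.lower()] = (int(vtype), raw.strip().strip('"'))
    return values


def evaluate_cached_credentials(text, mobile=False, max_cached_logons=0):
    """Score an export against the slide's recommendations.

    Returns {finding: (compliant, observed)}. `max_cached_logons` is the
    number of cached logons the organisation tolerates for mobile users when
    zero is not workable (the threshold itself is this example's assumption).
    """
    values = parse_registry_values(text)
    findings = {}

    vtype, raw = values.get(DISABLE_DOMAIN_CREDS, (None, None))
    findings["disable_stored_network_creds"] = (vtype == 4 and raw == "1", raw)

    vtype, raw = values.get(CACHED_LOGONS, (None, None))
    cached = int(raw) if raw is not None and raw.isdigit() else None
    allowed = max_cached_logons if mobile else 0
    findings["cached_logons"] = (cached is not None and cached <= allowed, cached)
    return findings


if __name__ == "__main__":
    for name, (ok, seen) in evaluate_cached_credentials(SAMPLE_EXPORT).items():
        print(f"{name}: {'OK' if ok else 'NON-COMPLIANT'} (observed {seen})")
```

A missing value is reported as non-compliant rather than assumed safe: if the export does not carry the setting, the host is running on the default, which is not the hardened state the slide asks for.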

Page 16: 4 Cyber Security KPIs

Confidence in system control

1 Document patch cycles: Not all systems can be patched, however, you should understand what those limitations are and seek to improve on them

2 Whitelist what you can’t rapidly patch: If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently

3 Isolate what you can’t patch or whitelist

Four security KPIs

Page 17: 4 Cyber Security KPIs

KPI two: confidence in system control

[Timeline: 2017 2018 2019 2020]

Are you patching your applications as fast as you patch your OS? 3/5

If your application vendors won’t let you patch, whitelist. Use it where needed – don’t overextend.

Understanding your current state and making progress towards your goal is key. “You can't manage what you can't measure.” Peter Drucker.

Can you patch 90% in 30 days? 90%

Whitelist fixed use systems

Measure your progress
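"Can you patch 90% in 30 days?" is a number you can compute. The following Python is an added example, not from the slides or the presenter: it takes patch records per host and software class (OS, COTS application, internally developed application), counts the patches that were due as of a report date, and reports what share of them were applied within the window, excluding hosts that have been whitelisted instead. The records, host names and report date are constructed; a real run would feed them from a patch-management or vulnerability-scanner export.

```python
# Added example (not from the slides): a patch-cycle KPI that answers
# "can you patch 90% in 30 days?" per software class. The patch records are
# constructed for this example; in practice they would come from a
# patch-management or vulnerability-scanner export.
from collections import defaultdict
from datetime import date

# Constructed records: (host, class, patch release date, date applied or None)
PATCH_RECORDS = [
    ("web01", "os",       date(2017, 9, 12), date(2017, 9, 20)),
    ("web01", "cots",     date(2017, 9, 5),  date(2017, 11, 2)),   # applied 58 days after release
    ("web02", "os",       date(2017, 9, 12), date(2017, 9, 25)),
    ("web02", "cots",     date(2017, 9, 5),  None),                # never applied
    ("db01",  "os",       date(2017, 9, 12), date(2017, 10, 30)),  # applied after 48 days
    ("app01", "internal", date(2017, 9, 1),  date(2017, 9, 15)),
    ("app01", "internal", date(2017, 10, 1), date(2017, 10, 20)),
    ("hmi01", "cots",     date(2017, 9, 5),  None),                # fixed-use system, whitelisted instead
]
WHITELISTED_HOSTS = frozenset({"hmi01"})
REPORT_DATE = date(2017, 12, 1)  # constructed "as of" date for the report


def patch_kpi(records, as_of, window_days=30, whitelisted=frozenset()):
    """Return {class: (patched in window, due, percent)} as of `as_of`.

    A patch is "due" once `window_days` have passed since its release; it
    counts as met when it was applied within that many days of release.
    Whitelisted hosts are excluded because the slides treat application
    whitelisting as the compensating control for systems that cannot be patched.
    """
    met = defaultdict(int)
    due = defaultdict(int)
    for host, cls, released, applied in records:
        if host in whitelisted or (as_of - released).days < window_days:
            continue  # not scored: whitelisted, or the window has not closed yet
        due[cls] += 1
        if applied is not None and (applied - released).days <= window_days:
            met[cls] += 1
    return {cls: (met[cls], due[cls], round(100.0 * met[cls] / due[cls], 1))
            for cls in due}


def meets_target(kpi, target_percent=90.0):
    """True per class when the in-window percentage reaches the target."""
    return {cls: pct >= target_percent for cls, (_, _, pct) in kpi.items()}


if __name__ == "__main__":
    kpi = patch_kpi(PATCH_RECORDS, REPORT_DATE, whitelisted=WHITELISTED_HOSTS)
    for cls, (met, due, pct) in kpi.items():
        print(f"{cls:9s} {met}/{due} within 30 days = {pct}%  target met: {meets_target(kpi)[cls]}")
```

Scoring per class is the point: on this constructed data the OS row looks acceptable while the COTS row is at zero, which is exactly the "are you patching your applications as fast as your OS?" gap the slide asks about. Tracking the same numbers month over month is the "measure your progress" part.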

Page 18: 4 Cyber Security KPIs

KPI two: confidence in system control

Apache Struts 2 is the perfect example…
https://arstechnica.com/information-technology/2017/09/exploit-goes-public-for-severe-bug-affecting-high-impact-sites/

Patch: step 1
Rebuild web applications: step 2
Potentially change code that calls Struts: step 3

Before someone with Metasploit attacks… https://github.com/rapid7/metasploit-framework/pull/8924

Sometimes isolation is your only option…

Page 19: 4 Cyber Security KPIs

Four security KPIs

Minimize lateral movement [and monitor]

Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.

Page 20: 4 Cyber Security KPIs

KPI three: minimize and monitor lateral movement

If you implement the recommendations from KPI 1, the amount of credentials available will be greatly limited. The user will have to move across the network; this is your opportunity to discover their actions. Understanding valid network traffic is critical.

Users WILL open office documents, it’s part of their job. Security needs to protect users while they are doing their job.

[Slide graphic: First, Attacking the User (66%); Second, Harvesting Credentials (81%); Third, Lateral Movement (100%)]

Page 21: 4 Cyber Security KPIs

KPI three: minimize and monitor lateral movement

TCP/UDP port scans: Policy: don’t allow it on user LANs
PING scans: Policy: don’t allow it on user LANs
No SMB shares: All file sharing should go back to the datacenter
John Doe: Users should know company policy…

Attacks WILL come from the user LAN. The brunt of attacks will be focused on your users; this ends up being a “good thing” because it makes lateral movement easier to detect…

Page 22: 4 Cyber Security KPIs

KPI three: minimize and monitor lateral movement

Netflow monitoring. Visibility is key: there are open source and commercially available packages for netflow monitoring; select one and master it.

LAN & data center micro-segmentation. Investment required: if you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation.

pVLANs & ACLs. Our starting point: pVLANs with port ACLs require zero capital investment as long as your switches are sized properly.

Every company I’ve worked for has used pVLANs. I was shocked when I realized most companies were NOT using pVLANs in their user LANs.

ADP, 2003, SaaS Provider
OnlineTech, 2012, IaaS Provider
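The user-LAN policies on the previous slide (no port scans, no ping scans, file sharing only to the datacenter) become concrete once netflow is being collected. The following Python is an added example, not from the slides or the presenter: it runs those three policy checks over flow records and produces one report a SOC could alert on. The flows, the address ranges standing in for the user LAN and datacenter, the thresholds and the field layout are all constructed for this example.

```python
# Added example (not from the slides): three checks over flow records that
# correspond to the user-LAN policies on the previous slide and to the
# netflow monitoring this slide calls for. The flows, address ranges and
# thresholds are constructed and stand in for a real site's layout.
from collections import defaultdict
from ipaddress import ip_address, ip_network

USER_LAN = ip_network("10.20.0.0/16")     # assumed user segment
DATACENTER = ip_network("10.200.0.0/16")  # assumed location of the file shares
SMB_PORT = 445

# Constructed flow records: (src, dst, protocol, destination port); ICMP has no port.
FLOWS = (
    [("10.20.1.5", "10.20.1.9", "tcp", p) for p in range(20, 41)]          # 21 ports on one neighbour
    + [("10.20.1.5", f"10.20.1.{i}", "icmp", 0) for i in range(10, 22)]   # 12 neighbours pinged
    + [("10.20.1.7", "10.200.5.10", "tcp", SMB_PORT)]                      # SMB to the datacenter: allowed
    + [("10.20.1.7", "10.20.1.12", "tcp", SMB_PORT)]                       # SMB user-to-user: violation
    + [("10.20.1.8", "10.200.5.20", "tcp", 443), ("10.20.1.8", "10.200.5.20", "tcp", 80)]
)


def port_scans(flows, min_ports=10):
    """{(src, dst): distinct ports} for pairs where one host probed many TCP/UDP ports."""
    ports = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto in ("tcp", "udp"):
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def ping_sweeps(flows, min_hosts=8):
    """{src: distinct hosts} for sources that sent ICMP to many different hosts."""
    targets = defaultdict(set)
    for src, dst, proto, _ in flows:
        if proto == "icmp":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_hosts}


def smb_not_to_datacenter(flows, user_lan=USER_LAN, datacenter=DATACENTER):
    """Sorted (src, dst) pairs where a user-LAN host used SMB to anywhere but the datacenter."""
    hits = set()
    for src, dst, proto, dport in flows:
        if proto != "tcp" or dport != SMB_PORT:
            continue
        if ip_address(src) in user_lan and ip_address(dst) not in datacenter:
            hits.add((src, dst))
    return sorted(hits)


def policy_report(flows):
    """Combine the three checks into one dict a SOC could review or alert on."""
    return {
        "port_scans": port_scans(flows),
        "ping_sweeps": ping_sweeps(flows),
        "smb_not_to_datacenter": smb_not_to_datacenter(flows),
    }


if __name__ == "__main__":
    for check, result in policy_report(FLOWS).items():
        print(check, result)
```

The thresholds are deliberately low because the slide's policy is "don't allow it on user LANs" at all; once a baseline of valid traffic exists (the "understanding valid network traffic is critical" point), the same checks can be narrowed to the hosts and ports that baseline never shows.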

Page 23: 4 Cyber Security KPIs

Four security KPIs

Data monitored for anomalous access

“Data is the new gold” Mark Cuban

Page 24: 4 Cyber Security KPIs

KPI four: data monitored for anomalous access

Most data is pyrite [fool’s gold]; some... data is gold.

90% [most] of your data is probably fool’s gold. Good security doesn’t protect bad data…

Understanding what data you have, where it lives, and who can access it will be critical to successful GDPR compliance.

Focus is what you say no to, let the 90% go… 10%: 90% of focus should be applied here!

Page 25: 4 Cyber Security KPIs

The effort: To do this well you will most likely need a commercial product [unfortunately]…

Page 26: 4 Cyber Security KPIs

KPI four: data monitored for anomalous access

Data center options: Some options are focused in the datacenter and are loaded on your SMB, NFS, shares. They have access analysis capabilities but lack endpoint options.

Endpoint options: Endpoint options generally are provided from backup vendors. They don’t have analysis capabilities, but can identify and encrypt sensitive data at rest on endpoints.

Choices: There are some primitive tools within Microsoft’s ecosystem, but no analysis of access patterns. Only access auditing, but it’s better than nothing.
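Plain access auditing is "better than nothing" because the analysis the slide says is missing can be layered on top of it. The following Python is an added example, not from the slides or the presenter: it builds the per-account "normal" access pattern that KPI four asks about from audit records (day, account, path), then checks one day against that baseline and flags accounts whose volume jumped or that touched share folders they had never used. The audit records, share names, accounts and thresholds are constructed for this example.

```python
# Added example (not from the slides): a per-account baseline of file-share
# access built from plain access-audit records, then a check of one day
# against it. The audit records, share names and thresholds are constructed.
from collections import defaultdict
from statistics import mean

# Constructed audit records: (day number, account, UNC path accessed)
BASELINE_EVENTS = [
    (day, "alice", path)
    for day in range(1, 6)
    for path in (r"\\fs01\finance\q3.xlsx", r"\\fs01\finance\budget.xlsx")
] + [
    (day, "bob", path)
    for day in range(1, 6)
    for path in (r"\\fs01\eng\specs.docx", r"\\fs01\eng\design.vsdx", r"\\fs01\eng\notes.txt")
]

# The day under test: alice behaves as usual, bob suddenly reads across four
# shares at more than three times his normal volume, carol has no history.
DAY_UNDER_TEST = [
    (6, "alice", r"\\fs01\finance\q3.xlsx"),
    (6, "alice", r"\\fs01\finance\budget.xlsx"),
] + [(6, "bob", r"\\fs01\eng\specs.docx")] * 3 + [
    (6, "bob", r"\\fs01\hr\salaries.xlsx"),
    (6, "bob", r"\\fs01\hr\reviews.docx"),
    (6, "bob", r"\\fs01\hr\org.xlsx"),
    (6, "bob", r"\\fs01\legal\contracts.pdf"),
    (6, "bob", r"\\fs01\legal\nda.pdf"),
    (6, "bob", r"\\fs01\finance\q3.xlsx"),
    (6, "bob", r"\\fs01\finance\budget.xlsx"),
    (6, "carol", r"\\fs01\eng\specs.docx"),
]


def share_folder(path):
    """Collapse a file path to its share folder (everything before the last backslash)."""
    return path.rsplit("\\", 1)[0]


def build_baseline(events):
    """{account: (mean events per day, set of share folders seen)} over the baseline period."""
    per_day = defaultdict(lambda: defaultdict(int))
    folders = defaultdict(set)
    for day, account, path in events:
        per_day[account][day] += 1
        folders[account].add(share_folder(path))
    return {acct: (mean(per_day[acct].values()), folders[acct]) for acct in per_day}


def anomalies(baseline, events, volume_factor=3.0, new_folder_limit=3):
    """{account: [reason codes]} for accounts whose single-day access pattern changed.

    Reason codes: "no_baseline" (account never seen before), "volume" (more
    than volume_factor times the baseline daily mean), "new_folders" (at
    least new_folder_limit share folders never seen in the baseline).
    """
    counts = defaultdict(int)
    folders = defaultdict(set)
    for _, account, path in events:
        counts[account] += 1
        folders[account].add(share_folder(path))
    flagged = {}
    for account, count in counts.items():
        reasons = []
        if account not in baseline:
            reasons.append("no_baseline")
        else:
            avg, known = baseline[account]
            if count > volume_factor * avg:
                reasons.append("volume")
            if len(folders[account] - known) >= new_folder_limit:
                reasons.append("new_folders")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in anomalies(build_baseline(BASELINE_EVENTS), DAY_UNDER_TEST).items():
        print(f"{account}: {', '.join(reasons)}")
```

The folder-level comparison is what makes this useful on the "10% that is gold": an account that normally lives in one share and suddenly reads three others is the change in access pattern the KPI is meant to surface, whether the cause is a compromised credential or a legitimate role change that the baseline now has to absorb.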

Page 27: 4 Cyber Security KPIs

Four security KPIs

01 Confidence in account validity
02 Confidence in system control
03 Data monitored for anomalous access
04 Confidence in system control

Page 28: 4 Cyber Security KPIs

Four security KPIs

https://www.ted.com/talks/bruce_schneier

Page 29: 4 Cyber Security KPIs

Contact me: linkedin.com/in/stevenaiello/

overworkedadmin.com

twitter.com/smaiello