October 11, 2022

Back to Basics: The TrustedSec Guide to Strong Cyber Hygiene—Part 2

Written by Shane Hartman

In the first Back to Basics blog we discussed cyber hygiene and some fundamental security practices one can take to quickly assess their current cybersecurity posture and identify, prioritize, and mitigate visibility gaps. This post focuses on account management measures and how proactive identification and regulation can drastically elevate your security posture.

Routine cyber hygiene practices are integral to securing organizational assets including not only business endpoints but also proprietary and sensitive client data. While the short-term solutions outlined in Part I can quickly improve your organization’s security posture, it’s also important to focus on long-term cyber hygiene practices that will help in not only staying ahead of cyber threats but also improving response and recovery times in the event of a breach. The remainder of this series will focus on those key long-term, enterprise-wide security practices. 

“Great things are not done by impulse, but by a series of small things brought together.”

Vincent Van Gogh

Every environment is unique. As such, each organization will have unique business needs. These needs define the purpose, scope, and objectives of your security program. There are also industry-specific rules and regulations that further influence the ways in which you protect your endpoints and data. That said, our goal is to provide insight into best practices and recommendations suitable for a typical environment based on our experience and knowledge.

The sad reality is that basic cyber hygiene is often overlooked for more 'cutting-edge' security options. Account management may not be military grade or leverage artificial intelligence to reach the revered Zero-Trust network end state, but implementing basic security controls can drastically increase your organization’s security posture and may be key for determining the degree to which your organization succumbs to a cyber attack or breach.

Account Management 

Phishing continues to be a viable initial access method for attackers. While the scope for phishing attacks can be quite large, once initial access is gained, attackers will prioritize identifying privileged accounts and credential harvesting in order to perform additional reconnaissance and lateral movement and to establish persistence, in addition to taking other actions on objectives.

It is highly recommended to proactively identify high-value accounts as they are frequently targeted by attackers. Additionally, it is important to keep in mind those accounts with inherited elevated permissions. This can include accounts with permissions to Microsoft Exchange, accounts contained within nested Organizational Units (OUs), those with explicit permissions to domain controllers, or those with permissions to modify or edit Group Policy Objects (GPOs). (We will expand upon Active Directory in a future blog.) This can be further expanded to include specialized accounts which, according to Microsoft, are those that warrant additional security considerations including 'a higher protection level suitable for sensitive users' due to their 'higher business impact'.

Specialized accounts may also include temporary accounts created for third-parties during emergency situations. Because these accounts may be created with elevated permissions, ensure they are promptly deleted once no longer needed.

We also recommend taking this a step past simply identifying and monitoring these accounts. It’s important to do a periodic review (at least quarterly) of your Active Directory environment and ensure that you’re cleaning out stale and/or legacy accounts and objects. This may also be a useful time to validate the functionality of automated processes that may be tied to certain accounts. Do not just limit this review to actual user accounts! Ensure you take into consideration service accounts and computer objects as well when performing reviews of Active Directory. The following Event IDs may be useful to incorporate into your organization’s detection capabilities to monitor for changes made to existing accounts:

  • 4722: A user account was enabled
  • 4723: An attempt was made to change an account's password
  • 4724: An attempt was made to reset an account's password
  • 4725: A user account was disabled
  • 4726: A user account was deleted
  • 4740: A user account was locked out
  • 4767: A user account was unlocked
  • 4728: A member was added to a security-enabled group
  • 4735: A security-enabled local group was changed
  • 4799: A security-enabled local group membership was enumerated

Additionally, while monitoring existing accounts is important, it is just as important to continuously monitor for unauthorized account creations or modification of existing accounts. Detection logic can be created, and alerts generated, based on the following Event ID:

  • 4720: A user account was created

Note: Isolated instances of the above-mentioned Windows Event IDs may not generate high-fidelity alerts; however, correlation across multiple log sources or endpoints could lead to building higher fidelity detection logic. Additionally, each organization has different baseline patterns of behavior.
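
The correlation described in the note above, as an added example that is not part of the original post: an account creation (4720) followed shortly by a group addition (4728) for the same account, even when the two events were logged on different hosts. The records, field names, account names, time window, and sensitive-group list are all constructed assumptions, not raw Windows event data.

```python
from datetime import datetime, timedelta

# Constructed, simplified records (not raw Windows event XML). The field names
# are assumptions for this example; "account" is the account being acted on.
EVENTS = [
    {"time": "2022-10-03T09:12:05", "id": 4720, "host": "DC01",
     "actor": "hr-provision", "account": "jdoe"},
    {"time": "2022-10-03T14:40:11", "id": 4724, "host": "DC01",
     "actor": "helpdesk1", "account": "asmith"},
    {"time": "2022-10-04T02:17:30", "id": 4720, "host": "DC02",
     "actor": "svc-backup", "account": "support_tmp"},
    {"time": "2022-10-04T02:19:02", "id": 4728, "host": "DC01",
     "actor": "svc-backup", "account": "support_tmp", "group": "Domain Admins"},
    {"time": "2022-10-05T11:00:00", "id": 4728, "host": "DC01",
     "actor": "helpdesk1", "account": "jdoe", "group": "Sales"},
]

WINDOW = timedelta(minutes=30)  # assumption: tune to your provisioning baseline
SENSITIVE_GROUPS = {"domain admins", "group policy creator owners"}  # constructed

def correlate(events, window=WINDOW):
    """Alert when an account created (4720) is added to a security-enabled
    group (4728) within `window`, regardless of which host logged each event."""
    created = {}  # lowercased account -> (creation time, creator, host)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        acct = ev["account"].lower()
        if ev["id"] == 4720:
            created[acct] = (when, ev["actor"], ev["host"])
        elif ev["id"] == 4728 and acct in created:
            born, creator, host = created[acct]
            if when - born <= window:
                alerts.append({
                    "account": ev["account"],
                    "group": ev["group"],
                    "created_by": creator,
                    "hosts": sorted({host, ev["host"]}),
                    "minutes_after_creation":
                        round((when - born).total_seconds() / 60, 1),
                    "severity": "high"
                        if ev["group"].lower() in SENSITIVE_GROUPS else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On its own, neither the 4720 nor the 4728 for support_tmp stands out; the pairing within minutes, outside business hours and into a privileged group, is what raises the fidelity.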

Access Control

Access control seems like a simple concept in theory. In practice, however, there are multiple layers that make up a robust Access Control policy. We've discussed the fundamentals of account management and the importance of proactive auditing, but there are two other key elements to consider:

  1. Principle of Least Privilege - This is the idea that users, programs, and processes should only have the bare minimum privileges necessary to perform required functions.
  2. Logon Restrictions - According to Microsoft, the 'Enforce user logon restrictions' GPO determines 'whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account'. This policy can be set for users, groups, or OUs.

Credential Storage Considerations

Now that we’ve looked at general account management and access control best practices, let’s dive a bit deeper into individual Windows and Linux account security considerations, including password function, strength, and storage.

Windows Account Security

There are many components that are fundamental to Windows account security practices. Here, we will focus on how Windows handles password processing and storage and what can be done to better secure credentials beyond what Windows does by default. Before we get into what we can do, let's first look at how Windows stores passwords for authentication.

Three main ways Windows credentials can be harvested are:

  1. Extracting from on-disk and in-memory processes such as lsass.exe
  2. Harvesting local user password hashes from the Security Account Manager (SAM) database
  3. Stealing password hashes from NTDS.dit, a database that stores Active Directory data including password hashes for all users in the domain (The NTDS.dit is located on domain controllers.)

Ensuring that you have adequate visibility into your environment allows you to monitor for processes or command utilities that may be interacting with LSASS or the NTDS.dit. This can help detect compromised accounts and potentially drastically decrease the time needed to detect and respond to threats.

Linux Account Security

Just like in Windows, attackers can harvest credentials from memory, as services sometimes store user-entered credentials in plaintext. The two most commonly targeted files are /etc/passwd and /etc/shadow. Even though more modern versions of Linux utilize the shadow file for password hash storage, some may still be stored in the passwd file for backwards compatibility.
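
A check for the backwards-compatibility case described above, as an added example that is not part of the original post: it reads passwd-format text and reports entries whose password field holds something other than the shadow reference "x" or a locked marker. The sample file content and the hash placeholder are constructed.

```python
# Constructed /etc/passwd content for this example; the hash is a placeholder,
# not a real crypt(3) value.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacyapp:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:1001:1001::/home/legacyapp:/bin/sh
kiosk::1002:1002:Kiosk:/home/kiosk:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
broken:x:1004
"""

def audit_passwd(text):
    """Return (line number, user, issue) for entries whose password field is
    anything other than a shadow reference or a locked marker."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "x":                 # hash lives in the restricted /etc/shadow
            continue
        if pw == "":                  # no password required for this login
            findings.append((lineno, user, "empty password field"))
        elif pw[0] in "*!":           # not a valid hash: password login disabled
            continue
        else:                         # /etc/passwd is readable by every local user
            findings.append((lineno, user, "password hash stored in passwd"))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```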

Internet Browsers

Internet browsers also commonly store passwords for website authentication, so it is important to monitor for any processes that may be attempting to extract credentials from browsers such as Google Chrome, Firefox, Microsoft Edge, etc.

Improper Credential Storage

You may also have instances of administrative scripts with hardcoded credentials or other files that contain sensitive login information such as authorization details or secrets to cloud-based resources.

Password Policy Best Practices 

Passwords are the first line of defense that, when implemented correctly, can set a high barrier of entry for attackers. So, what makes a strong password? There are some common elements to both strong and weak passwords.

Strong passwords take into account the following characteristics:

  • According to NIST, password length is more important than password complexity.
  • Passwords should contain a mixture of the following characters:
    • Uppercase letters [A-Z]
    • Lowercase letters [a-z]
    • Numbers [0-9]
    • Symbols including space [!@#$%^&*()]

This does not necessarily mean that compliance with these characteristics ensures a strong password. For instance, the password P@ssword1, while compliant with the strict definition of a strong password, is not a good choice. Conversely, a password that is too complicated can lead to it being written down or stored somewhere such as a text file. For example, the password Az128#34xU@37 is a good, strong password, but it carries no meaning that would make it easy to remember. This is where something like a passphrase can be helpful. A phrase such as I like to go to the Movies! could become 1like2go2theMov1es!, an easy-to-remember phrase that produces a very strong password.
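
Why P@ssword1 passes a character-class rule yet is still a poor choice, as an added example that is not part of the original post: it compares a complexity check with a common-password comparison of the kind NIST SP 800-63B recommends, after undoing case, trailing digits and symbols, and simple character substitutions. The word list, substitution table, and minimum length are constructed assumptions for this example.

```python
import string

# Constructed, tiny stand-in for a real common-password list (assumption).
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer"}
# Assumed substitution table; extend it to match what your users actually do.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t", "!": "i"})
MIN_LENGTH = 8  # assumption for this example; set per your policy

def meets_complexity(pw):
    """True if all four character classes from the list above are present."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation + " " for c in pw))

def normalise(pw):
    """Undo the usual decorations: case, trailing digits/symbols, substitutions."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)

def problems(pw):
    """Return the reasons a password should be rejected (empty list if none)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too short")
    if normalise(pw) in COMMON_PASSWORDS:
        issues.append("common password in disguise: " + normalise(pw))
    return issues

if __name__ == "__main__":
    for candidate in ("P@ssword1", "Az128#34xU@37", "1like2go2theMov1es!"):
        print(candidate, meets_complexity(candidate), problems(candidate))
```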

Additionally, while regular password resets were regarded as a strong security practice in the past, in recent years it has been determined that this can actually cause users to fall back on predictable, commonly used passwords. In most cases, it is only recommended to reset credentials for a user account if it is suspected to have been compromised in a breach.

Employing a third-party tool, such as 1Password, LastPass, or Bitwarden, is also a great way to store and manage credentials. This eliminates the need for users to remember complex passwords.

Multi-Factor Authentication         

Multi-factor authentication (MFA) is a layered approach to user authentication, requiring multiple methods of verification prior to granting access to internal resources. While SMS-based one-time codes or tokens were one of the original MFA methods and are perhaps still among the more widespread, in recent years attackers have been using a combination of phishing and social engineering to bypass or spoof SMS-based tokens. As such, today there is a general consensus that FIDO-compliant, hardware-based MFA devices provide the greatest level of security, as these are phishing-resistant methods of authentication. If possible, opt for phishing-resistant methods of MFA that are FIDO compliant. Microsoft has even introduced a number-matching MFA notification that can be implemented to improve sign-in security. Activating and enforcing MFA to access sensitive resources in your environment is crucial, but it’s also important to ensure you require MFA at any boundaries into your network, such as VPNs.

Starting Small—Account Management

In the grand scheme of things, an account seems like such an inconsequential piece of the overall security in an organization. However, the compromise of the right account can have devastating consequences in a breach. Furthermore, tools like BloodHound have shown that, due to privilege creep, even regular users are oftentimes six degrees or less from Domain Admin (or maybe that’s Kevin Bacon?).

Some key takeaways:

  • Routinely examine accounts at scale, paying special attention to those with explicit or inherited permissions, and ensure their privileges are limited to only what is required, which can help mitigate privilege creep.
    • If you have emergency or third-party service or Admin accounts, disable or restrict their login capabilities when not in use.
  • Understand how and where credentials are stored (and are therefore vulnerable). Doing so allows monitoring and alerting capabilities to be strategically placed as close to the source as possible.
    • Ensure secrets or credentials are not stored on file shares or in other unsecured or unauthorized locations!
  • Implement a robust password policy coupled with the additional sign-in security that MFA provides to ensure a layered approach to security.

A combination of these takeaways can help maintain good cyber hygiene and long-term organizational resilience.

Resources

https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

https://www.kroll.com/en/insights/publications/cyber/mfa-prompt-bombing-no-more

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management

https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/

https://www.cisa.gov/blog/2022/05/05/walk-way-enable-mfa

https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management

https://pages.nist.gov/800-63-3/sp800-63b.html