Every day, new challenges, attacks, and vulnerabilities are publicized. Just as attackers and the threat landscape are constantly changing, adapting, and evolving, so too must the Blue Teams and defenders who protect organizations against these threats. While the old adage may have been that attacks are rare and unlikely to happen, a new mentality of “assume breach” has been adopted to help guide security strategies toward quickly identifying suspicious activity, lateral movement, and other attacker actions on objectives.
“Even if your organization isn’t dealing with information typically regarded as critical (like financial or healthcare information), almost all companies have sensitive data about their clients, users, and employees that must be protected”.
– Kelsey Segrue, TrustedSec
TrustedSec has found that the best way for organizations to protect themselves against the volatility of the modern cyber age is by simply practicing good cyber hygiene. But what exactly is cyber hygiene? This refers to the routine fundamental security practices that organizations can regularly perform to maintain the health of their network and organizational assets.
The National Institute of Standards and Technology (NIST) has published a Cybersecurity Framework that outlines general best practices and standards that can assist organizations with identifying their current posture, target states, and how to progress toward cybersecurity goals.
Of course, this is easier said than done. Setting up basic controls may not be something that gets done in an afternoon. A robust cybersecurity posture requires continuous maintenance, full implementation, and may take weeks or months depending on several factors, including organizational buy-in, leadership support, available assets, and staff skillset. That said, the sooner you start, the better off the organization will be. We have compiled a few ways to quickly assess the current cybersecurity posture and identify and prioritize mitigating visibility gaps, so even small organizations can jump in and begin preparations. The recommendations below pertain to organizations of all sizes.
Know Your Environment: Internal Asset Discovery and Management
You cannot protect what you do not know. You cannot restore your valuable data if you do not know where it is.
One of the fastest ways to discover what is on your network is to scan it.
- Scan your network. Nmap is a free tool to scan your network for open ports, systems, etc. Use this tool to scan your entire internal network for all hosts that are online. Document these hosts in an XLS and suddenly you have a rudimentary asset inventory.
nmap -sP -R -oG scan.txt IPRANGE
This will quickly provide you with an output list of IP addresses and hostnames within your environment. Add more options, like -O, to get operating system information, etc. (OS detection relies on port-scan results, so pair -O with a port scan rather than the ping-only -sP scan).
Once you have this list, work with lines of business or administrators to determine which systems are critical. Once you have a list of business critical systems, you can start working to add more information to the list, store it in a more robust system, and assign business impact analysis (BIA) ratings to each system.
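The step from scan output to "rudimentary asset inventory" can be scripted rather than pasted into a spreadsheet. The following is an added example (not code from the TrustedSec post): it reads the grepable file the nmap command above writes, keeps the hand-entered columns across re-scans, and reports hosts that were not in the previous inventory. The file names and the Owner/Critical/BIA columns are assumptions, and the sample lines in the comment are constructed.

```powershell
# Added example (not part of the TrustedSec post): turn the grepable output of the
# nmap command above into a starter asset inventory, and on later runs report hosts
# that were not in the previous inventory. File names and the Owner/Critical/BIA
# columns are assumptions; the sample lines below are constructed.
#
# nmap -oG writes one line per host, for example:
#   Host: 10.0.10.5 (dc01.corp.example)    Status: Up
#   Host: 10.0.10.6 ()                     Status: Up
$scanFile = 'scan.txt'
$outFile  = 'asset-inventory.csv'
$today    = (Get-Date).ToString('yyyy-MM-dd')

# Previous inventory (if any), keyed by IP, so hand-entered fields survive a re-scan
$known = @{}
if (Test-Path $outFile) {
    foreach ($row in Import-Csv $outFile) { $known[$row.IPAddress] = $row }
}

$newHosts = @()
foreach ($line in Get-Content $scanFile) {
    if ($line -match '^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+Up') {
        $ip   = $Matches[1]
        $name = $Matches[2]
        if ($known.ContainsKey($ip)) {
            $known[$ip].LastSeen = $today
            if ($name) { $known[$ip].Hostname = $name }   # name may have resolved since last run
        } else {
            $known[$ip] = [PSCustomObject]@{
                IPAddress = $ip
                Hostname  = $name
                FirstSeen = $today
                LastSeen  = $today
                Owner     = ''    # line of business that owns the system
                Critical  = ''    # Yes/No after the BIA conversation
                BIA       = ''    # High/Medium/Low, assigned later
            }
            $newHosts += $known[$ip]
        }
    }
}

$known.Values | Sort-Object IPAddress | Export-Csv -Path $outFile -NoTypeInformation

# Hosts that answered today but were absent from the last inventory deserve a look:
# they are either new deployments nobody registered or something that should not be there.
'{0} hosts in inventory; {1} not seen before' -f $known.Count, $newHosts.Count
$newHosts | Format-Table IPAddress, Hostname -AutoSize
```

Hosts that stop answering are kept in the CSV with an old LastSeen date rather than dropped, so the inventory also shows what has quietly disappeared.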
There are many more asset discovery tools available. RedHunt Labs has compiled a list of helpful asset discovery tips and tools within their GitHub repository.
Know Your Internet-Exposed Assets and Services
Notice the last section said internal scanning. You also need to determine whether any internal assets have ports or services that have unintentionally been exposed to the Internet. This typically occurs when servers or new endpoints are installed or configured with default settings and not properly locked down, or when legacy firewall ACLs are not decommissioned. While you can, and occasionally should, scan your Internet IP ranges to see what assets and services are exposed to the Internet, there are additional ways to accomplish this task.
- Scrutinize Your Firewall Rules. This will tell you exactly what internal connections you are allowing from the Internet, or vice versa. Validate that everything you have allowed in is legitimate and that you do not inadvertently have anything, such as RDP, allowed from the Internet. This firewall configuration audit should pertain to both outside-in and inside-out network communication.
See What Others See in Your Internet Presence
- DNS Dumpster is a free domain research tool that helps to identify an organization’s Internet footprint by way of performing DNS reconnaissance. You can enter your domain name in the search bar and find host records, DNS server information, and even a map of parent and subdomains. Is there anything surprising associated with your organization?
- Shodan is another helpful tool that can facilitate identification of (potentially unknown) Internet-facing endpoints. While the free version allows for basic searches for single IP addresses or hosts, the more advanced searches and filters require a paid membership. Shodan allows you to see which services and endpoints are exposed, what ports they have open, and can even identify any CVE vulnerabilities based on available metadata.
Baseline Network and Endpoint Activity
Baselining helps identify anomalies by establishing known expected behavior in network and endpoint activity. Your baselines should provide an accurate picture of how the network typically operates. Additionally, it will allow you, or your third-party Incident Response retainer or MSSP, to quickly sift through logs and endpoint telemetry to identify truly malicious behavior. Below are some network and endpoint questions you can answer to facilitate establishing a baseline of your environment.
- What types of egress traffic are typical for your environment? Are SSH, FTP, and other file transfer protocols expected?
- Do you allow users to bypass internal DNS servers by using Google or other popular public DNS servers?
- Do you allow connections to external file hosting websites such as Dropbox or OneDrive?
- What applications are allowed in your environment? Are you able to enforce allow or block lists for unauthorized software?
- Are command line utilities such as PowerShell or PsExec prevalent and authorized? For all users or just administrators? Can you restrict this activity if it is not already?
- Do you allow access to Administrative Shares (IPC$, ADMIN$, C$)?
- Is RDP, SMB, RPC, or other traffic between internal hosts allowed?
Baselines do not necessarily need to be codified to be effective, though it is preferred. Some of the above-mentioned behavior may be typical for your environment and may be limited or expected for a small subset of users. Therefore, it is also important to have a reasonable understanding of what behavior is acceptable for certain user groups, if possible.
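A baseline becomes much more useful once it can be checked mechanically against real telemetry. The following is an added example (not code from the post) of how the PowerShell/PsExec question above could be turned into such a check: a small written-down baseline of admin-only tools and admin accounts, a function that reports process-creation records deviating from it, and a converter for live Security Event ID 4688 records. The baseline values, account names, and the sample events are constructed; the function names are this example's own.

```powershell
# Added example (not part of the post): make one baseline question testable.
# The baseline values and the sample events are constructed for illustration.

$baseline = @{
    # Tools the baseline says only administrators run (lower-case file names)
    AdminOnlyTools = @('powershell.exe', 'pwsh.exe', 'psexec.exe', 'psexec64.exe', 'wmic.exe')
    AdminUsers     = @('CORP\jdoe-adm', 'CORP\svc-sccm')
}

function Test-ProcessBaseline {
    # Expects objects with Time, User, Process, CommandLine; emits one finding per deviation
    param([Parameter(ValueFromPipeline)] $Item)
    process {
        $exe = [System.IO.Path]::GetFileName($Item.Process).ToLower()
        if ($baseline.AdminOnlyTools -contains $exe -and $baseline.AdminUsers -notcontains $Item.User) {
            [PSCustomObject]@{
                Time        = $Item.Time
                User        = $Item.User
                Process     = $exe
                CommandLine = $Item.CommandLine
                Finding     = 'admin-only tool run by a non-admin account'
            }
        }
    }
}

function ConvertFrom-Event4688 {
    # Flattens a live Security 4688 record into the shape Test-ProcessBaseline expects.
    # CommandLine stays empty unless command-line auditing is enabled on the host.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time        = $Record.TimeCreated
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample standing in for Get-WinEvent output
$sample = @(
    [PSCustomObject]@{ Time = '2024-03-04 09:00:05'; User = 'CORP\jdoe-adm'
                       Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\scripts\patch-check.ps1' }
    [PSCustomObject]@{ Time = '2024-03-04 09:02:11'; User = 'CORP\asmith'
                       Process = 'C:\Users\asmith\Downloads\PsExec.exe'
                       CommandLine = 'PsExec.exe \\fs01 cmd.exe' }
    [PSCustomObject]@{ Time = '2024-03-04 09:03:40'; User = 'CORP\asmith'
                       Process = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       CommandLine = 'EXCEL.EXE' }
)
$sample | Test-ProcessBaseline | Format-Table -AutoSize   # only the PsExec line is reported

# Against live data on a host where 4688 is being audited:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 |
#     ConvertFrom-Event4688 | Test-ProcessBaseline
```

The same shape works for the other questions in the list (admin share access, RDP between workstations) by swapping the event ID and the fields compared; the point is that the baseline lives in one place that both the IT team and the responders can read.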
Addressing Visibility Gaps
Asset identification and discovery is vital to understanding the threat impact and risk within an environment. Once a basic understanding of the environment’s landscape is gained, an important follow-on step is to capture and maintain logs. If enterprise-wide log centralization is not possible, prioritization should be given to “Crown Jewels,” or those assets that are most vital to business operations. Having access to centralized logs is key not only for Incident Responders and Threat Hunters, but also for IT teams that may need system-level information for troubleshooting. Log collection, while important, may only provide a limited scope of information if left on the endpoint. Therefore, it is important to make sure these logs are retained for an increased period of time.
Centralized Logging Options
- Windows Event Forwarding – A very basic way of achieving log retention is setting up a Windows Event Forwarding server. This will allow you to natively forward all your Windows event logs to a central server for retention.
- Third-Party Tool – There is a large market for centralized logging options that includes some free options such as Graylog and ELK. There are also many paid options such as Splunk and LogRhythm.
Increase Endpoint Windows Log Size – A very basic way of achieving log retention is expanding the default size of the Windows event logs:
- Open event viewer
- In the event tree, right click a security log type
- Up the maximum log size to whatever is acceptable in terms of storage
- Optional – archive logs instead of overwriting
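The Event Viewer steps above can also be applied from a script, which is easier to repeat across many endpoints. The following is an added example (not from the post) using wevtutil, which ships with Windows: it sets the maximum sizes, switches the Security log to "archive when full", and reads the settings back. The sizes are assumptions; run it from an elevated prompt, and on domain members prefer a GPO so the values are not reverted by policy refresh.

```powershell
# Added example (not part of the post): script the Event Viewer change above with wevtutil.
# Sizes are assumptions; run elevated.

# Log name => maximum size in bytes (1GB and 256MB are PowerShell numeric suffixes)
$logSizes = @{
    'Security'    = 1GB
    'System'      = 256MB
    'Application' = 256MB
}

foreach ($log in $logSizes.Keys) {
    wevtutil set-log $log /maxsize:$($logSizes[$log])
}

# Optional step: "Archive the log when full, do not overwrite events".
# Both switches are required together: retention without autobackup makes the log
# stop recording when it fills, which is worse than overwriting. Archived copies are
# written to %SystemRoot%\System32\winevt\Logs and must be collected or pruned,
# or the disk fills instead.
wevtutil set-log Security /retention:true /autobackup:true

# Verify: LogMode should read AutoBackup for Security and Circular for the others
foreach ($log in $logSizes.Keys) {
    Get-WinEvent -ListLog $log |
        Select-Object LogName,
                      @{ n = 'MaxMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
                      LogMode
}
```

Larger local logs buy time, not retention: if the host is compromised, an attacker with admin rights can clear them, which is why this step complements rather than replaces forwarding to a central server.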
Gaining Additional Visibility
- Enhanced Windows Auditing: You can improve native Windows logging by adjusting audit policies via GPO to include process command line arguments within Event ID 4688 (Process Creation). Oddvar Moe has detailed instructions for how to accomplish this on his blog post Wanted: Process Command Lines. This can provide useful information to Incident Responders or your internal IT or security team without the need to download or install additional endpoint agents.
- Sysmon: While event logs provide valuable insight into internal system events, there are some key details missing from native Windows logs. If possible, it is recommended that organizations roll out Sysmon. With the additional logging metrics Sysmon offers, it is a great tool to bolster cyber security and provides invaluable information for troubleshooting.
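For a standalone host or a lab, the GPO change described under Enhanced Windows Auditing can be reproduced with local policy and a registry value. The following is an added example (not from the post or from Oddvar Moe's write-up): it enables the Process Creation audit subcategory, sets the registry value behind the "Include command line in process creation events" policy, spot-checks the newest 4688 event, and then checks whether Sysmon is installed. Run it from an elevated prompt; on domain-joined hosts the same settings belong in a GPO, otherwise the next policy refresh may revert them.

```powershell
# Added example (not part of the post): local equivalent of the 4688 command-line GPO,
# with verification, plus a check for Sysmon. Run elevated.

# 1. Turn on the audit subcategory that produces Event ID 4688.
#    (auditpol subcategory names are localized; on non-English Windows use /subcategory:{GUID}.)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Ask Windows to include the command line in 4688. This is the value written by
#    the policy "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
# Command lines can carry credentials passed as arguments, so keep read access to the
# Security log (and any central copy) limited to the people who need it.

# 3. Verify both settings took effect
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'

# 4. Spot-check: the newest 4688 event should now carry a non-empty CommandLine field
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1
$cmd = ([xml]$evt.ToXml()).Event.EventData.Data |
    Where-Object { $_.Name -eq 'CommandLine' } |
    Select-Object -ExpandProperty '#text'
if ($cmd) { "Command line captured: $cmd" } else { 'No command line in 4688 yet; re-check after the next process start' }

# 5. Is Sysmon present? The service is named Sysmon or Sysmon64 depending on the binary,
#    and its events are written to the Microsoft-Windows-Sysmon/Operational channel.
Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object Name, Status
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, IsEnabled
```

If step 5 prints nothing, Sysmon is not installed on that host; if the channel exists but RecordCount stays at zero, the service is present but its configuration is not producing events, which is worth catching before an incident rather than during one.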
Organizations should always assume that a compromise is possible. Continuous monitoring can provide rapid detection of threats, but an efficient and well-executed Incident Response Plan in conjunction with Disaster Recovery (DR) or Business Continuity Plans (BCP) can significantly reduce the amount of time it takes to restore critical business functions. Therefore, you need to make sure you have a process in place to quickly respond to potential breaches. Here are some ways to do that:
- Create an Incident Response Plan. This documents the responsibilities and workflow of an incident. Writing Incident Response Plans is not an easy task, but fortunately there are a lot of examples on the Internet, such as Ryan McGeehan’s Incident Response Plan. If you don’t know where to start, this is a good place.
- Test Your Plan. Once the plan is documented, test it. The best way to test is through a Tabletop Exercise. Come up with an incident likely to happen, bring everyone into a meeting, and talk through the response process.
- Hire an Incident Response Retainer. If you don’t have the internal capability to respond to incidents, bring in external help. Now is the time to determine who will help you. Set up an Incident Response retainer with a reputable firm so you have guaranteed assistance should an incident occur. If you have cyber insurance, be aware that they may have preferred responders. It may also be worth having a backup in case your Incident Response retainer or cyber insurance-provided one cannot start working right away.
Often, the best security measures are the most basic. Establishing situational awareness of the internal environment, including any internet-facing assets, baselining network and endpoint activity, addressing known visibility gaps, and creating a robust Incident Response Plan are key components in strengthening an organization’s security posture. By implementing industry best practices and conducting basic defense-in-depth strategies, you can not only protect your organization from breaches, but significantly reduce the time to detect and respond to these attacks.