Defense in Depth for Systems Administrators

Slide transcript. Posted 03-Aug-2018.

TRANSCRIPT

Information. Security. Handled.™

Defense in Depth for Systems Administrators

#whoami
Jayme Hancock
• Currently: Penetration Tester with AppSec Consulting
• Previously: Systems Administrator for Small & Medium Business; Systems Administrator for Fortune 500s
• Certifications: Offensive Security Certified Professional (OSCP), ISC2 Certified Information Systems Security Professional (CISSP), GIAC Certified Enterprise Defender (GCED), EC-Council Certified Ethical Hacker (CEH), Microsoft Certified Professional, etc.
• Active in the Information Security community, occasional guest blogger for AlienVault, craft beer enthusiast

About This Talk
• An introduction to Defense in Depth from an experienced Systems Administrator
• Geared at developing a mindset of a layered defense
• Given by a penetration tester who exploits the lack of defensive measures for a living
• Practical examples of how fairly simple changes can help stop an attacker

What This Talk is Not
• Not a list of mitigations to secure your environment
• Not aimed at experienced security professionals or current information security engineers/analysts (you'll probably be bored)
• Not a list of products you can buy

Why Are We Here?
• 0-days: Awesome, newsworthy, and definitely not your biggest threat
• More compromises come from misconfigurations, weak passwords, unpatched software, or trust exploitation
• Most bang for your buck: basic security practices, done well (and consistently!)

What is Defense in Depth?
• SANS: "...the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack."
• OWASP: "The principle of defense-in-depth is that layered security mechanisms increase security of the system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect a system."
• Wikipedia: "...an information assurance concept in which multiple layers of security controls (defense) are placed throughout an information technology system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical, and physical for the duration of a system's life cycle."

Sources:
https://www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525
https://www.owasp.org/index.php/Defense_in_depth
https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

What is Defense in Depth?

[Image: Microsoft layered-defense diagram. Source: www.microsoft.com]

As a sysadmin, how much of this image do you directly control or manage? Controls should exist at each level, but within the levels you manage, you must further layer your defenses.

Defense in Depth - Summarized
• A mindset and methodology
• Plan your defensive controls around failure
• Assume a control will fail. What happens next? Defense in depth begins here.

Then vs. Now
• Old strategy: Secure the perimeter. Install AV.
• Reality: The majority of common attack vectors bypass the perimeter entirely:
  • Phishing
  • Downloaded malware
  • Cloud services
• Tendency to let our guard down on internal system hardening: too much internal trust.

A Few Hard Truths
• As someone responsible for defending an environment, you have to get everything right, every time, forever.
• An attacker has to get things right once.
• Unfair? Absolutely. Stack the defenses available to you; assume an attacker will get past each.

Security Controls Defined
• Physical: Locked server room, secured backups
• Technical: Firewalls, security GPOs
• Administrative: Background checks, security awareness training
• For the purposes of this talk, we will be referring (mostly) to technical controls

Security Controls - Common Examples
• User Authentication: Unique username and password for each user
• Two-Factor Authentication: Proves identity by adding a second factor to the password, such as a token (something you have) or a biometric (something you are)
• Anti-Malware: Detect and prevent malicious software
• Intrusion Detection/Prevention Systems: Prevent or alert on unwanted connections
• Awareness Training: Empowers the user to make better decisions
• Vulnerability Scanning: Detect and mitigate vulnerabilities before an attacker can find and exploit them
• Firewall: Prevents unwanted connections

Attacker Goals
• Goals vary. Consider the threats to your business:
  • Do you store credit card data?
  • Do you store ePHI?
  • Do you work for a government or political organization?
  • Do you create intellectual property?
  • Does your business have access to other large organizations?

Attacker Goals
• The ultimate goal is not always gaining root/admin access:
  • Pivot to another machine/network
  • Exfiltrate files that aren't properly secured
  • Establish a foothold in the network and return later
  • Plant files or malicious code
  • Deface or destroy information

Scenario #1: Domain Compromise
• Corporate network
• Developers, servers, workstations, and BYOD
• Identify where defenses failed or didn't exist
• After the scenario, we'll implement defense in depth and see how the attack would have ended.

Scenario #1: Domain Compromise
• Attacker lands on part of the internal network
• Dev machine discovered, running a test web app
• No password required to access the web app
• Web app allows arbitrary script execution
• Attacker writes code to create a reverse shell
• OS is not patched; attacker obtains root
• Attacker poisons LLMNR responses
• Hosts that trust the poisoned responses authenticate to the attacker's machine; the captured password hashes (NetNTLM challenge-responses) are cracked offline
• One cracked hash was for a Domain Admin account
• Attacker RDPs into the Domain Controller, creates their own Domain Admin account, and dumps hundreds of user hashes (LM)
• Attacker cracks all AD hashes offline

Scenario #1: Domain Compromise

Issue                                              Security Control
Web application did not require authentication     Require authentication, strong passwords
Access to run scripts directly on the server       Role-based access control; disable script functionality
Privilege escalation exploit                       Keep OS and installed software patched
LLMNR response poisoning                           Disable LLMNR and NetBIOS name resolution if not needed
User account hashes cracked                        Require strong account passwords; don't store LM hashes
Dev/QA system had access to Domain Controllers     Network segmentation, firewalling
Cracked user account was a Domain Admin            Stronger passwords for admin accounts. Limit membership in the Domain Admins group (consider using management groups instead)
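An added example, not from the original deck, of auditing and optionally applying the host-level controls from the Scenario #1 table on a domain-joined Windows machine: LLMNR off, NetBIOS over TCP/IP off, LM hash storage off, and a report of who sits in Domain Admins. The registry paths and values are the documented policy locations; the script's parameter and helper names are this example's own, and the Domain Admins check assumes the ActiveDirectory module (RSAT) is installed. Run it as an administrator; without -Remediate it only reports.

```powershell
<#
  Added example (not part of the original talk). Audits, and with -Remediate
  applies, the Scenario #1 host controls. Assumes an administrative session and
  the ActiveDirectory module for the Domain Admins report.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports findings
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$findings = @()

# 1. LLMNR. The GPO "Turn off multicast name resolution" writes EnableMulticast = 0 here.
$llmnrPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if ((Get-RegDword -Path $llmnrPath -Name 'EnableMulticast') -ne 0) {
    $findings += 'LLMNR enabled (EnableMulticast is not 0): response poisoning possible'
    if ($Remediate) { Set-RegDword -Path $llmnrPath -Name 'EnableMulticast' -Value 0 }
}

# 2. NetBIOS over TCP/IP, the other broadcast name service that can be poisoned.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled on '$($nic.Description)'"
        if ($Remediate) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}

# 3. LM hash storage. NoLMHash = 1 stops new LM hashes from being written.
#    Caveat: hashes already stored stay until each account's password is changed,
#    so this control only completes after a forced password change.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-RegDword -Path $lsaPath -Name 'NoLMHash') -ne 1) {
    $findings += 'NoLMHash not set: LM hashes are stored at the next password change'
    if ($Remediate) { Set-RegDword -Path $lsaPath -Name 'NoLMHash' -Value 1 }
}

# 4. Domain Admins membership. Report only: removing members is a decision, not a script.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
    $findings += "Domain Admins has $($admins.Count) member(s): " +
                 (($admins | ForEach-Object { $_.SamAccountName }) -join ', ')
} else {
    $findings += 'ActiveDirectory module not available; Domain Admins check skipped'
}

$findings | ForEach-Object { Write-Output $_ }
```

The registry writes mirror what the corresponding GPO settings deploy, so the script is useful for checking a single box or a build image; for the domain, put the same values into Group Policy so they are enforced everywhere, including hosts built after you ran this.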

Scenario #2: Ransomware
• Corporate network
• Small office. Flat network
• Identify where defenses failed or didn't exist
• After the scenario, we'll implement defense in depth and see how the ransomware attack would have ended.

Scenario #2: Ransomware
• Receptionist receives a phishing email
• Word macro drops the payload, which connects to a Command & Control server
• VSS snapshots deleted
• All local document files encrypted
• All shared document files on the network encrypted
• No restorable backups

Scenario #2: Ransomware

Issue                                   Security Control
Malicious email delivered to user       Spam filtering, malware filtering, IP geo-location blocking
Malicious email is opened               Antivirus
Word document macro executed            Disallow Office macros (GPO)
File dropped, executed                  Disallow executables running from %TEMP%
VSS snapshots deleted                   Remove user local admin rights
Local files encrypted                   Antivirus, anti-malware tools
Files on network shares encrypted       File Server Resource Manager (FSRM) rules, canary files, system monitoring (open handles), principle of least privilege
No restorable backups*                  Off-site, tested backups

* Included for completeness; restoring from backups is a corrective action, not a preventive security control.
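An added example, not from the original deck, with four of the Scenario #2 controls as PowerShell functions: the macro policy values the GPO sets (written per-user so you can test on one workstation before deploying through Group Policy), an active FSRM file screen with an event notification, canary files with a hash check, and a report of unexpected local Administrators. Assumptions, all this example's own rather than the talk's: an administrative session; the File Server Resource Manager role and its FileServerResourceManager module on the file server; Office 2016/365 (policy key version 16.0); the share path, canary names and file-name patterns are placeholders, and the pattern list is a starting point, not a definitive one.

```powershell
<#
  Added example (not part of the original talk). Scenario #2 controls as
  functions; call each deliberately, since every one inspects or changes the host.
#>

# Control: "Disallow Office macros (GPO)". Per-user policy values, identical to
# what the GPO "VBA Macro Notification Settings" and "Block macros from running
# in Office files from the Internet" write (User Configuration).
function Set-OfficeMacroPolicy {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 4 = "Disable all without notification"
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # 1 = block macros in files carrying the Mark of the Web (downloads, mail attachments)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Control: "FSRM rules". Active screen: writes matching the patterns are refused
# and a Warning event is logged naming the user and file, so monitoring can alert.
function New-RansomwareFileScreen {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [string]$GroupName = 'Ransomware file patterns'
    )
    $patterns = @('*.locky', '*.cerber', '*.zepto', '*.wncry', '*decrypt*instruction*.txt')  # illustrative
    if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
    }
    $notify = New-FsrmAction -Type Event -EventType Warning `
        -Body 'Ransomware pattern written to [File Screen Path] by [Source Io Owner] ([Source File Path])'
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $notify
}

# Control: "canary files". Decoy documents nobody should touch; a changed or
# missing canary on the scheduled check means mass encryption reached the share.
function New-CanaryFiles {
    param([Parameter(Mandatory)][string]$SharePath)
    $state = @{}
    foreach ($name in '_000_invoice_archive.xlsx', 'zzz_contracts_backup.docx') {
        $path = Join-Path $SharePath $name
        Set-Content -Path $path -Value ("canary " + [guid]::NewGuid().ToString())
        $state[$path] = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
    return $state      # persist (Export-Clixml) and feed to Test-CanaryFiles from a scheduled task
}

function Test-CanaryFiles {
    param([Parameter(Mandatory)][hashtable]$State)
    $alerts = @()
    foreach ($path in $State.Keys) {
        if (-not (Test-Path $path)) { $alerts += "canary missing: $path"; continue }
        $now = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($now -ne $State[$path]) { $alerts += "canary modified: $path" }
    }
    return $alerts     # empty means no canary has been touched
}

# Control: "Remove user local admin rights". Report who is in local Administrators
# beyond the accounts you expect, so removal can start with a pilot group.
function Get-UnexpectedLocalAdmins {
    param([string[]]$Expected = @('Administrator', 'Domain Admins'))
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Expected }
}

# Usage:
#   Set-OfficeMacroPolicy
#   New-RansomwareFileScreen -SharePath 'D:\Shares'
#   $c = New-CanaryFiles -SharePath 'D:\Shares'; $c | Export-Clixml C:\ProgramData\canary.xml
#   Test-CanaryFiles -State (Import-Clixml C:\ProgramData\canary.xml)
#   Get-UnexpectedLocalAdmins
```

Each function is one layer from the table, and each is expected to be bypassable on its own: a new family will not match the patterns, so the canary check and the local-admin removal (which keeps the VSS snapshots alive) are the layers that still hold when the file screen misses.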

Scenario #3: ePHI Compromise
• Mid-sized clinical network
• Completely flat; healthcare workers, servers, and BYOD on the same network. Public-facing servers dual-homed to the internal network
• Identify where defenses failed or didn't exist
• After the scenario, we'll implement defense in depth and see how the attack would have ended.

Scenario #3: ePHI Compromise
• Attacker discovers a (forgotten) FTP server with anonymous login enabled
• FTP software has a directory traversal vulnerability and is running as root
• Attacker uses the vulnerability to read /etc/shadow and cracks the root password offline
• Server is dual-homed; the attacker has bypassed the firewall and is on the internal network
• DC is vulnerable to remote code execution; attacker gains SYSTEM privileges
• Dumps and cracks Active Directory passwords, then the patient database; uses the Exchange server to send out malicious phishing email...

Scenario #3: ePHI Compromise

Issue                                        Security Control
Forgotten FTP server with anonymous access   Inventory, network maps, strong password authentication
FTP server vulnerable to exploit             Keep software patched, especially when public-facing
FTP server running as root                   Principle of least privilege
Dual-homed network                           Firewalling and access control, IDS/IPS, DMZ architecture
Domain Controller vulnerability              Keep operating systems and third-party apps patched
Active Directory passwords cracked           Require strong account passwords; don't store LM hashes
Patient databases (ePHI) dumped              Network segmentation, segregated VLAN, firewall restrictions

What's Most Impactful?
• Passwords. Make them long, complex, and unique. Oh, and they need to actually exist.
  • Good passwords are difficult to remember. Consider using a password manager (KeePass, 1Password, etc.; these can also auto-generate passwords)
• Restrict access. Remove local admin rights, monitor permissions.
  • Start with a test user group, collect data about support trends, etc. Prove that this is effective.
  • Consider lateral movement. Is every local admin password the same?
• Update everything. OS, software, and network devices can all be candidates for initial exploitation.
  • Remember to update your printers and IoT devices.
  • Don't allow BYOD until updates are installed and verified. (Or, don't allow them at all!)
• Stop over-sharing. Eliminate verbose error messages that let an attacker map out your system. Remove protocols that broadcast data for no good reason.

What's Most Impactful?
• Use a reputable, centrally managed antivirus
  • Ongoing debate on whether or not AV is effective.
  • Detection rates vary; look at reputable independent websites.
  • Not a primary line of defense, just another layer.
• Treat your internal network as hostile.
  • Guard is often let down internally. Configure services and applications as if they were being made publicly available.
• Understand user workflows
  • Provide solutions to problems before "Shadow IT" introduces vulnerabilities.
  • Know what's normal: does accounting typically touch HR folders?
  • Do users work remotely?
  • Do users typically connect to addresses in other countries? Which?
• Network segmentation
  • Do workstations need to communicate directly with SQL? Do users on the guest WLAN need to hit your iLO/management ports?
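An added example, not from the original deck, for the "Do workstations need to communicate directly with SQL?" question and the "treat your internal network as hostile" point: on the SQL Server host itself, make TCP 1433 reachable only from the application-server and DBA subnets. This is a second layer under the network firewall and VLAN ACLs (which are also where the guest WLAN is kept away from iLO/management ports), so a mistake in one does not expose the database. Assumptions that belong to this example rather than the talk: Windows Server 2012 or later (NetSecurity module), SQL on the default port (named instances on dynamic ports need their own rule), and the placeholder subnets below.

```powershell
<#
  Added example (not part of the original talk). Scopes inbound SQL access on the
  database host to the listed source subnets. Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$AllowedSources = @('10.10.20.0/24', '10.10.99.0/24'),  # app servers, DBA hosts (placeholders)
    [int]$Port = 1433
)

$ruleName = "SQL Server TCP $Port - allow only from app/DBA subnets"

# 1. The Domain profile must block inbound by default; otherwise scoping an
#    allow rule changes nothing, because unmatched traffic is still allowed.
$fwProfile = Get-NetFirewallProfile -Profile Domain
if ($fwProfile.DefaultInboundAction -ne 'Block' -and
    $PSCmdlet.ShouldProcess('Domain profile', 'set DefaultInboundAction = Block')) {
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
}

# 2. Find every other enabled inbound allow rule for this port. The SQL installer
#    or a colleague may have added an allow-from-Any rule; Windows honours every
#    matching allow rule, so a broad one would silently undo the scoped one.
$broadRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $ruleName }
foreach ($r in $broadRules) {
    if ($PSCmdlet.ShouldProcess($r.DisplayName, 'disable broader allow rule')) {
        Disable-NetFirewallRule -Name $r.Name
    }
}

# 3. Recreate the scoped allow rule so re-running the script does not stack duplicates.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
if ($PSCmdlet.ShouldProcess($ruleName, 'create scoped allow rule')) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedSources -Profile Domain | Out-Null
}

# 4. Print the resulting scope so the change can be verified and recorded.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $ruleName } }, RemoteAddress
```

The disabling of broader rules in step 2 is the part most people skip, and it is the part that matters: a scoped allow rule next to an unscoped one gives the appearance of segmentation with none of the effect. Run with -WhatIf first to see which existing rules would be disabled.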

Where To Start?
• Guidelines such as the SANS/CIS Critical Security Controls exist; use them!
  • https://www.sans.org/security-resources/posters/20-critical-security-controls/55/download
• Which of these can you directly impact as a systems administrator?
• Map directly to compliance requirements

[Image: CIS Critical Security Controls poster. Source: www.sans.org]

Takeaways
• Defense in Depth is a strategy, not a product. It must evolve over time and with threats.
• When implementing security controls, assume each will fail. What happens next?
• Limit and contain damage
• Drop the "internal network is more secure" assumption; it's wrong.
• Get back to basics: strong passwords, restricted access, and current patches significantly increase your security posture

Services & Solutions
While we don't like to brag, here are a few things we're really good at:

Strategic Consulting/Advisory
Our team of Security Experts provides industry-leading Risk Assessment, Project Management, and InfoSec Program and Policy Development services.

Security Testing
We provide thorough assessments of all types of applications, networks, and infrastructure with guidance for improving your security posture.

Compliance and PCI Services
Gap assessment and audit services with a focus on real security. Our experienced staff can help you reach your compliance goals in a manner best suited to your unique environment.

Training and Awareness
We offer engaging and interactive security awareness and technical training, both online and instructor-led.

Thank You.
Contact Info:
jhancock@appsecconsulting.com
Twitter: @highmeh