
Page 1: HBSS CND Compliance 2015 - USALearning · HBSS CND Compliance 2015. ... Training ... Prior to adding any new systems to the network, the McAfee Agent specific to

HBSS CND Compliance 2015

Table of Contents

• Course Objective
• OPORD 12-1016 Overview
• SIPR HBSS Server Build Definitions
• Training
• Deployment
• HBSS Reporting and Feeds
• HBSS Modules
• Host Intrusion Prevention - IPS
• Host Intrusion Prevention – Firewall
• Host Intrusion Prevention - Application Whitelisting
• Antivirus
• Antivirus - 2
• Rogue System Detection
• Enhanced Reporting Dashboards/Queries
• Additional Resources

Page 1 of 24


Course Objective

UNCLASSIFIED

To provide a virtual cyber tools training course that aids in the understanding of USCYBERCOM OPORD 12-1016 and how to use HBSS as a CND tool in day-to-day operations.

Course Agenda

• Overview and requirements of OPORD 12-1016
• OPORD 12-1016 Overview
• SIPR HBSS Server Build Definitions
• Training
• Deployment
• HBSS Reporting and Feeds
• HBSS Modules
• Host Intrusion Prevention – IPS
• Host Intrusion Prevention – Firewall
• Host Intrusion Prevention - Application Whitelisting
• Antivirus
• Rogue System Detection
• Enhanced Reporting Dashboards and Queries
• Resources
• Review

**002 Instructor: This 20-minute course is intended to aid in the understanding of USCYBERCOM OPORD 12-1016 and how to use HBSS as a CND tool in day-to-day operations. In this module, an overview of the OPORD will be provided. The overview will be followed by the specific requirements and explanations that make up the various sections of the OPORD. Finally, an introduction to the enhanced reporting dashboards and resources will be provided as well.

OPORD 12-1016 Overview


• OPORD 12-1016 directs the deployment and configuration of HBSS

• Directed configurations are USCYBERCOM minimums to comply with the OPORD. Sites may be directed internally or by their CC/S/A to establish higher protection levels

• HBSS thresholds are classified; refer to OPORD 12-1016 Appendix 3 to annex C for details

• HBSS Baseline Orders are used to ensure that HBSS is using the latest approved baseline and product versions.


**003 In 2012, OPORD 12-1016 superseded previous US Cyber Command HBSS Directives mandated by Fragmentary Order 13 to OPORD 05-01. The configurations that will be discussed are the minimum level of protection necessary in order to comply with the directive. Local sites, Combatant Commands, Services, or Agencies may establish and require higher protection levels as necessary. The OPORD can only be retrieved from the USCYBERCOMMAND SIPR website due to various portions of the OPORD that are classified and will not be discussed here to include thresholds for how and when to act upon malicious activity. HBSS Baseline Orders are used to ensure that HBSS is using the latest approved baseline and product versions.

SIPR HBSS Server Build Definitions

• Build 1
– All ePOs hosted at the DECCs are considered “Build 1” ePO Servers.
– ESD maintains the hardware and installs new software and patches.
– The customer has the responsibility of applying any McAfee software and policies.
– Roll-up reporting is preconfigured by ESD.

• Build 2
– ePOs maintained by the CC/S/A are considered “Build 2” ePO Servers.
– PEO-MA makes new software packages available to the CC/S/As via the patch repository.
– The CC/S/A are responsible for installing the new software, applying it, and setting policies.
– Roll-up reporting must be established by the CC/S/A.
– All “Build 2”s must be preapproved by DISA.

**004 For only SIPRNET instances of HBSS servers, it is important for a site to understand whether they are utilizing a Build 1 or Build 2 to determine their responsibilities with configuring and maintaining HBSS and roll-up reporting capabilities. ePO servers hosted at the DISA Defense Enterprise Computing Centers, or DECC, are Build 1s. Customers have the responsibility of applying new McAfee software and applying McAfee policies. All other ePO servers are Build 2s. Combatant Commands, Services, and Agencies that utilize Build 2 servers are completely responsible for the configuration and maintenance of them. This includes installing and distributing new software and patches, configuring roll-up reporting, and applying OPORD-directed policies.

Training

• Ensure that all personnel responsible for the deployment, implementation, administration, and analysis of HBSS have completed the applicable training
• Minimum required training courses needed for the four HBSS roles
  • Admin - HBSS 201 and HBSS 301
  • Reviewer – HBSS 101 and/or HBSS 201
  • Analyst - HBSS 201 and HBSS 501
  • Auditor – HBSS 301

Classroom Training https://disa.deps.mil/ext/cop/iase/classroom_training

FedVTE Training: https://fedvte.usalearning.gov/

| Course | Description |
| --- | --- |
| 101 | HBSS Management Roles, 45 minutes, FedVTE only |
| 201 | HBSS Administrator, 30 hours, Classroom or FedVTE |
| 301 | HBSS Advanced Administrator, 30 hours, Classroom or FedVTE |
| 501 | HBSS Analyst, 30 hours, Classroom only |

**005 OPORD 12-1016 mandates that all personnel deploying, implementing, administering, or analyzing data from HBSS have completed applicable training. The minimum required training is different depending on the responsibilities that an individual has when working with HBSS and resulting data. Small sites that have a single individual accountable for the responsibilities associated with more than one of these roles will be required to attend or view the training associated with each individual role. Administrators are required to take either the classroom-based or FedVTE-based version of both the 201 Administrator and 301 Advanced Administrator courses. Administrator course completion certificates should be maintained and provided when inspected to ensure compliance with STIG ID H90200. Depending on their level of responsibilities in terms of reviewing HBSS, reviewers should take the 101 HBSS Management Roles course available in FedVTE/IASE only, the 201 Administrator course, or a combination of both. Analysts should have at least a good understanding of Host Intrusion Prevention provided by the 201 Administrator course and the skill sets necessary to perform analysis as taught in the 501 Analyst course which is available both in a classroom environment and can be scheduled along with the other classroom-based courses at https://disa.deps.mil/ext/cop/iase/classroom_training. Finally, Auditor roles are required to understand the Policy Auditor component of HBSS which is taught in detail in the 301 Advanced Administrator course.

Deployment


• Prior to installing HBSS, systems will be:

– Scanned using a full anti-virus scan

– Scanned for known bad hashes

– Up-to-date with approved security patches

• Prior to adding any new systems to the network, the McAfee Agent specific to the site’s server will be installed on those systems so that they check in immediately

• ePO servers and all components will comply with all directives and DOD STIGS

• ePO Database backups will be encrypted IAW FIPS 140-2


**006 If rebuilding or installing ePO for the first time, OPORD 12-1016 requires that the Windows server operating system be scanned for viruses and known bad hashes no earlier than one week before installing ePO. Additionally, the operating system should have the approved security patches, viewable in the maintenance release notes on the patch repository, already installed as well. For new HBSS-compatible systems coming on to the network, the McAfee Agent created on the ePO server must be installed manually or be a part of the image used to create the new system. Upon physically connecting the system to the network, that system will immediately check in to the ePO server and ideally be placed in a group that runs a task to install the point products. Alternatively, point products can be installed prior to connecting to the network as well. In addition to OPORD compliance, the ePO server and all point products also need to comply with the DOD STIGS. At a minimum, each server will be in compliance with the appropriate Windows Server OS STIG, Database STIG, Internet Explorer STIG, Antivirus STIG, and HBSS STIG. The HBSS STIG is broken up into individual point products, ePO versions, and deployment methods. Finally, as outlined in both the OPORD and various STIGS, Database offline backups need to be encrypted in accordance with FIPS 140-2.

HBSS Reporting and Feeds

| Type | Description | NIPRNet | SIPRNet |
| --- | --- | --- | --- |
| Asset Data Rollup | Modules Installed and AV Signature Status – Uses ePO built-in rollup functionality | Required every 24 hours | Required every 24 hours |
| Event Data Feed | AV, HIPS, and DCM Alerts – Uses ArcSight connector | Not Currently Required | Required in near real time |
| CMRS | Software and Patch inventory, IAVM compliance, and STIG compliance – Uses APS | Required. Frequency will be specified in future directives. | Required. Frequency will be specified in future directives. |

• Coordinate roll-ups with both:
  • [email protected]
  • [email protected]

**007 There are three different types of reporting data: Asset, Event, and CMRS. Asset data rollup is primarily used to determine compliance with directives by providing point product deployment status, antivirus signature version distribution, and policy configuration status. Asset data can be rolled-up by specifying a roll-up server in the ePO server configuration and creating roll-up tasks. OPORD 12-1016 requires that asset data be rolled-up at least every 24 hours on both NIPRNet and SIPRNet ePO servers. Event data feeds contain antivirus, Host Intrusion Prevention, and Device Control Module alerts. An ArcSight connector needs to be installed on the ePO server so that it can query the ePO database for the alerts and forward them up to USCYBERCOMMAND. The current CND directive, OPORD 12-1016, requires that only SIPRNet ePO servers feed event data in near real time. CMRS, or Continuous Monitoring and Risk Scoring, also provides USCYBERCOMMAND with compliance data. Software and patch levels for each asset are obtained by the ACCM module and IAVM and STIG compliance data is generated by running Policy Auditor reports. APS, or the Asset Publishing Service, is used to report this specific data to the CMRS systems on both NIPRNet and SIPRNET. Server information such as the hostname or IP address and connection credentials for both asset data rollups and event data feeds need to be obtained by coordinating an intent to connect with USCYBERCOMMAND using the [email protected] and [email protected] email address.

HBSS Modules

• The following must be installed on all compatible systems
  • McAfee Agent
  • Host Intrusion Prevention
  • Policy Auditor
  • Antivirus (McAfee or Symantec)
  • Rogue System Detection Sensor
  • Asset Configuration Compliance Module (per TASKORD 13-0683)
  • Device Control Module
    • Default Deny All
    • Allow specific authorized users and specific authorized devices
• Asset Baseline Monitor is not currently mandated

**008 Ensuring that the latest approved versions of the McAfee Agent, Host Intrusion Prevention, Policy Auditor, antivirus, Rogue System Detection Sensor, Asset Configuration Compliance Module (per current TASKORD 13-0683), and Device Control Module are on all compatible systems is the first and most important step to ensure compliance with OPORD 12-1016. The OPORD also requires that Device Control Module is at least configured in a default deny all manner for removable USB storage devices with the exception for mission essential scenarios that have been preapproved. In the case of these exceptions, DCM rules must specify authorized devices and authorized users when possible. Local site, CC/S/A, or additional USCYBERCOMMAND directives may require more stringent policies be in effect such as to not allow exceptions or prevent writing to CD or DVD media. Additionally, specific configuration directives will be introduced for Host Intrusion Prevention, antivirus, and Rogue System Detection Sensor on subsequent slides. While it is a part of the baseline, the Asset Baseline Monitor Module is not currently mandated to be deployed to all systems.

Host Intrusion Prevention - IPS

• Investigate alerts daily and exceptions to authorized applications triggering alerts must be approved by the IAM and created within one week
• Block all High and Medium Severity HIPS Signatures
  • Waivers can be created for individual medium signatures but must be signed off by the local O-6/GS-15 and reported to the appropriate CNDSP
• Block or Log Low Severity HIPS Signatures
  • Waivers can be created for individual low signatures and signed off by the local IAM
• Changes to the default severity levels of high or medium HIPS Signatures are prohibited unless for testing purposes only and may not exceed 60 days

**009 OPORD 12-1016 requires that Host Intrusion Prevention alerts be investigated daily and that exceptions that need to be created to allow a specific application to function properly are approved by the network IAM and created within one week of first appearing. The OPORD requires that high and medium severity signatures be blocked while sites have the option to block or log low severity signatures. Exceptions for those signatures deemed as false positives can be approved as waivers signed off by the appropriate authorities depending on the severity level.


Host Intrusion Prevention – Firewall

• To prevent cross domain violations, location or connection aware groups using the HIPS firewall must be enabled and applied as close to the top as possible allowing for basic connectivity above the LAG or CAG first

• Firewall must be enabled in regular protection for the rule to be effective (cannot be in learn or adaptive mode)

• Please see TTP section of the IASE website for applicable TTPs

**010 Host Intrusion Prevention provides the capability to change a severity level. Changing a high or medium severity level to low or informational could effectively disable that signature and circumvent the waiver process. Any changes to a severity level must be for testing the impact of that signature such as to log prior to blocking and should not exceed 60 days prior to being reverted back to the original severity level. Blocking high and medium signatures is not possible unless the Host Intrusion Prevention product is enforcing instead of turned off or in adaptive mode. Using the HBSS Enhanced Reporting queries and dashboards will indicate if the product is in adaptive mode. The Host Intrusion Prevention firewall allows location or connection aware groups that effectively do the same thing but are named differently depending on the version of HIPS installed. LAGs or CAGs ensure that a system can only communicate on the network that it is supposed to be attached to. OPORD 12-1016 directs that enabling the firewall and specifically those groups is mandatory and reduces cross domain violations. There are default rules or groups of rules that McAfee uses to ensure basic connectivity to access networks; these should be placed at the top of the firewall rules list. The LAG or CAG rule should be placed directly below these basic connectivity rules to ensure that the system cannot be used for malicious purposes if placed on the wrong network. Host Intrusion Prevention provides the capability for firewalls and/or other features to be in a "learn" or "adaptive" mode. Like the intrusion prevention capability discussed previously, allowing the firewall to remain in learn or adaptive mode does not comply with the directives and is viewable on the Enhanced Reporting queries and dashboards. Because the LAG or CAG capability is specific to the Host Intrusion Prevention firewall, it must be enabled at a minimum. Sites may implement additional host-based firewalls as well. There is a TTP to assist with creating location or connection aware groups that can be located using the TTP links at the end of this presentation.

Host Intrusion Prevention - Application Whitelisting

• Must be enabled on Windows Servers
• Turned on by creating exceptions for preauthorized applications and then enabling the following:
  • Generic Application Hooking Protection (signature 1610)
  • Generic Application Invocation Protection (signature 1611)
• The NSA Whitelist tool and Windows AppLocker can be used in place of the McAfee application blocking
• Please see TTP section of the IASE website for applicable TTPs

**011 While other mandates may enforce application whitelisting or blocking all applications other than those reviewed and given explicit permission to run on individual user systems, the OPORD specifically mandates that it must be enabled on Windows servers. With the introduction of Host Intrusion Prevention version 8, the method for applying application whitelisting changed from being a separate feature to enabling two default IPS signatures. Both signature 1610 and 1611 should be enabled with exceptions created for those specific signatures to allow only preauthorized mission critical applications to run and/or hook into other programs as necessary. In lieu of using Host Intrusion Prevention to provide application whitelisting, the NSA Whitelist tool, best implemented at smaller sites, and the Windows AppLocker feature can be implemented as well. There is a TTP to assist with enabling Host Intrusion Prevention application whitelisting that can be located using the TTP links at the end of this presentation.

Antivirus


• Current required Version for all Windows Systems is McAfee AV 8.8 patch 4

• Please reference the current Baseline Order for the required versions for systems other than Windows

• Global Threat Intelligence (GTI) is an option within the McAfee AV product. All NIPRNET systems are required to have it enabled and set to medium or higher.


**012 OPORD 12-1016 mandates the use of antivirus on all DOD systems. The current HBSS Baseline Order will mandate the version that needs to be installed for compliance. Due to the number of different versions of non-Windows systems and their compatibility with the Antivirus products, please refer to the current HBSS Baseline Order to ensure that the required versions of each product are used on these types of systems. Global Threat Intelligence, or GTI, is an option within the McAfee AV products that enhances protection by comparing potentially malicious files against a list of threats that are pending incorporation into the regular signature updates. The use of it on NIPRNET is mandated by TASKORD 13-0098 which requires that it be set to medium or higher.

Antivirus - 2


• AV signature updates client task must run at least every 24 hours or global updating must be enabled

• Use of Symantec requires ePO Symantec Reporting Extension for asset roll-up compliance

• Investigate alerts daily

• Exceptions to authorized applications triggering alerts must be approved by the IAM and created within one week.


**013 The OPORD also requires that new antivirus signatures be distributed to all systems at least every 24 hours. Either the ePO global updating feature must be enabled in the settings to automatically push these new signatures or a client task that performs updates must run at least daily. When using Symantec products, the ePO Symantec Reporting Extension must be installed so that those receiving roll-up reports can ensure compliance with product and signature deployments. All antivirus alerts must be investigated daily and exceptions that need to be created to allow a specific application to function properly need to be approved by the network IAM and created within one week of first appearing.

Rogue System Detection

• Sensor deployment requirements:
  • At least one per subnet for those containing HBSS compatible systems.
  • /30 subnets that can only contain two host IP addresses are also excluded
• Detected systems will be investigated daily
  • HBSS compatible systems will have the McAfee Agent deployed
    • If the Agent is not installing using default domain credentials, investigate immediately
  • Authorized HBSS non-compatible systems will be whitelisted
    • IAMs will maintain and review a record of whitelisted devices

**014 The OPORD and STIGs were changed from previously requiring all subnets to be covered by Rogue System Detection Sensors to only subnets that contain HBSS-compatible systems. Subnets containing voice over IP or printers only can be excluded. /30 subnets that can only contain two host IP addresses are also excluded. Installing the sensor on DHCP servers is a good practice, but each subnet still requires its own sensor to detect rogue systems connected via static IP address assignments. Systems that are detected by Rogue System Detection Sensors must be viewed and investigated daily. Action should be taken on each of these detected systems immediately. If the system is a HBSS-compatible system, the McAfee Agent should be deployed to it so that it can be managed. If the system is not accepting site-specific administrative credentials and installing the agent, it should be investigated immediately. However, if the detected system is not a HBSS-compatible system, then it should be whitelisted upon IAM approval.
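The sensor placement rules above, worked through as an added example that is not part of the course material: a Python check over a constructed inventory that reports which subnets still need a Rogue System Detection sensor. The `Host` record, the status strings and every address are assumptions made for illustration; a real inventory would come from the site's own asset data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    hbss_compatible: bool      # False for e.g. VoIP phones and printers
    rsd_sensor: bool = False   # True if an RSD sensor is installed on this host


def classify_subnets(subnet_cidrs, hosts):
    """Return ({cidr: status}, [IPs of hosts that fall in no listed subnet])."""
    # Most specific networks first, so each host is counted once, in the
    # smallest listed subnet that contains it (longest-prefix match).
    nets = sorted((ipaddress.ip_network(c) for c in subnet_cidrs),
                  key=lambda n: n.prefixlen, reverse=True)
    members = {n: [] for n in nets}
    unmapped = []
    for h in hosts:
        addr = ipaddress.ip_address(h.ip)
        home = next((n for n in nets if addr in n), None)
        if home is None:
            unmapped.append(h.ip)   # on the wire but outside the documented plan
        else:
            members[home].append(h)

    status = {}
    for net, hs in members.items():
        if net.version == 4 and net.prefixlen == 30:
            # The page excludes /30 subnets (two usable host addresses).
            status[str(net)] = "excluded: /30"
        elif not any(h.hbss_compatible for h in hs):
            # VoIP-only or printer-only subnets need no sensor.
            status[str(net)] = "excluded: no HBSS-compatible systems"
        elif any(h.rsd_sensor for h in hs):
            status[str(net)] = "covered"
        else:
            # A sensor elsewhere (for instance on a DHCP server in another
            # subnet) does not count: each subnet needs its own.
            status[str(net)] = "sensor required"
    return status, unmapped


# Constructed sample inventory (not real addresses or systems).
SUBNETS = ["10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24", "10.1.255.0/30"]
HOSTS = [
    Host("10.1.10.2", True, rsd_sensor=True),   # DHCP server carrying a sensor
    Host("10.1.10.20", True),                   # workstation
    Host("10.1.20.7", True),                    # statically addressed server
    Host("10.1.30.11", False),                  # printer
    Host("10.1.30.12", False),                  # VoIP phone
    Host("10.1.255.1", True),                   # host on a point-to-point link
    Host("192.168.77.9", True),                 # not in any documented subnet
]

if __name__ == "__main__":
    result, strays = classify_subnets(SUBNETS, HOSTS)
    for cidr in SUBNETS:
        print(f"{cidr:16} {result[cidr]}")
    print("hosts outside documented subnets:", strays)
```

Hosts reported as outside every documented subnet are worth the same daily review as sensor detections, since no listed subnet's sensor accounts for them.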


Enhanced Reporting Dashboards/Queries


• Assist HBSS Administrators, Analysts, Auditors, and Reviewers with ensuring compliance with OGS (OPORD 12-1016)

• Incorporated into current HBSS maintenance release baselines


**015 Dashboards have been developed by DISA to assist Information Assurance Managers and Officers with ensuring that they are in compliance with the OPORD 12-1016 directive. These dashboards are available in all recent baselines or maintenance releases of HBSS. Users of ePolicy Orchestrator will only need to configure their own dashboard view to include these dashboards.


Additional Resources

HBSS front door

Nipr: ww.disa.mil/hbss
Sipr: www.disa.smil.mil/hbss

HBSS Pages
https://disa.deps.mil/ext/cop/mae/CyberDefense/HBSS/

Patch Repository
https://patches.csd.disa.mil

Tactics, Techniques, and Procedures
https://disa.deps.mil/ext/cop/iase/ttp/Pages/index.aspx

HBSS Helpdesk

Email: [email protected]

DSN 850-0032 Option 1, 5 and 4
Toll Free: 1 (844) 347-2457, Option 1, 5 and 4

**016 And finally, there are a lot of resources out there that those working with HBSS need to be aware of that are not directly tied to training. The HBSS front door on both the NIPR and SIPR are the best place to start when looking for HBSS-related resources. The SharePoint site also contains a lot of useful information pertaining to the components, news, baselines, training, and much more. The patch repository contains the software and documentation necessary to install, configure, and maintain the HBSS baselines. The IASE website will provide you with the Tactics, Techniques, and Procedures documents previously mentioned. And the HBSS Helpdesk is your resource for any questions or concerns.