“Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network,” the introduction reads. “While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.”
To achieve this, the NSA recommends that organizations:
- Segregate network systems;
- Protect and restrict administrative privileges;
- Deploy, configure, and monitor application whitelisting;
- Limit workstation-to-workstation communications;
- Implement robust network boundary defensive capabilities;
- Maintain and actively monitor centralized host and network logging solutions;
- Implement Pass-the-Hash mitigations to reduce the risk of credential theft and reuse;
- Deploy Microsoft Enhanced Mitigation Experience Toolkit (EMET) or other anti-exploitation capability;
- In addition to anti-virus services, employ anti-virus file reputation services;
- Implement Host Intrusion Prevention Systems (HIPS); and,
- Update and patch software in a timely manner.
The report also recommends that organizations “prepare for incident response and recovery,” including preparation “for a worst case scenario.”
Three of these recommendations stand out. Many companies allow unfettered network connectivity within their corporate network. Workstations are the most likely initial point of compromise; from there the intruder moves laterally to expand their foothold. Sophisticated adversaries specifically target system administrators in order to harvest their credentials and take over the entire environment. The NSA’s recommendations to segregate network systems and limit workstation-to-workstation communications make this kind of lateral movement more difficult and help contain the damage should an intrusion occur.
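What “limit workstation-to-workstation communications” looks like on a domain-joined Windows workstation, as an added example that is not part of the article or the NSA report. The subnet, management host addresses and rule names are assumptions; in practice the same settings are pushed through Group Policy (the `-PolicyStore` parameter of these cmdlets can target a GPO directly) rather than run per machine.

```powershell
# Added example (not from the article): enforce workstation isolation with the Windows Firewall.
# Windows Firewall evaluates Block rules before Allow rules, so an exception cannot be carved out
# of a "block the workstation subnet" rule. Instead: default-deny inbound, then allow only the hosts
# that legitimately need to reach workstations (management servers, admin jump hosts).
$managementHosts = '10.0.1.10', '10.0.1.11'          # assumed: SCCM/RMM server and admin jump host
$adminPorts      = 135, 139, 445, 3389, 5985, 5986   # RPC, NetBIOS/SMB, RDP, WinRM

# 1. Domain profile on, inbound default Block, and log dropped packets so the SOC can see peers probing.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# 2. The built-in inbound allow rules ship with RemoteAddress=Any. Re-scope them to the management
#    hosts so SMB/RDP/WinRM stay reachable for administration but not from a neighbouring workstation.
#    (Display group names are localized; these are the en-US names.)
foreach ($g in 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $managementHosts
}

# 3. One explicit allow for admin ports from management hosts only, covering anything the groups above miss.
New-NetFirewallRule -DisplayName 'Admin access from management hosts' -Group 'Workstation isolation' `
    -Direction Inbound -Action Allow -Profile Domain -Protocol TCP -LocalPort $adminPorts `
    -RemoteAddress $managementHosts -Enabled True

# 4. Verify: list every enabled inbound allow rule that is still open to any remote address.
#    Each line here is a path a compromised peer could still use and needs a decision.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Select-Object DisplayName, DisplayGroup, Profile
```

Run step 4 before and after, and expect to scope a few peer-based features deliberately (Delivery Optimization and Remote Assistance are the usual ones) rather than leave them open to the whole subnet. Because the workstation’s own outbound traffic is unchanged, users notice nothing; what changes is that a foothold on one workstation can no longer reach SMB, RDP or WinRM on the next one.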
Perhaps most notable is the NSA’s endorsement of application whitelisting. Traditional antivirus products cannot be relied on to detect and block targeted malware. An effective defensive strategy should therefore prevent unapproved code from executing in the first place. Some operating systems, including Windows, have policy-based execution controls built in, and security vendors have introduced products for the same purpose.
In February 2014, Bit9 (which specialized in endpoint application control) and Carbon Black (which specialized in incident response) merged to bring together their complementary technologies. The new company, Bit9 + Carbon Black, focuses on protecting their clients using a combination of application whitelisting and event recording.
The Bit9 agent is installed on Windows, OS X, and Linux endpoints (workstations or servers) and provides what Ben Johnson, the firm’s Chief Security Strategist, describes as “default deny” endpoint application control: code execution is prevented unless a policy approves it. Beyond hashes of known-good software, Bit9 accepts other sources of trust, including digital signatures, installation method, software repository, and publisher. For example, an organization might specify that software packages delivered by its SCCM (System Center Configuration Manager) deployment and those located on a specific file share are authorized; code originating from any other source would be prevented from executing.
The product can also enforce separate policies for different users. Designated users can authorize the execution of software on their local computer even though it is not approved for use throughout the company.
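The same default-deny model expressed with Windows’ built-in control, AppLocker, as an added example that is not code from the article or from Bit9 + Carbon Black. It trusts code by publisher signature, by SCCM delivery path and by an approved file share, and carries a per-group exception of the kind the paragraph above describes. The share name, the developer group SID and the local paths are assumptions for illustration.

```powershell
# Added example (not the article's or the vendor's): a default-deny AppLocker policy.
$everyone      = 'S-1-1-0'                                         # well-known SID: Everyone
$devGroup      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # assumed SID of CONTOSO\Developers
$softwareShare = '\\fs01.contoso.local\Software\*'                 # assumed approved distribution share

$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- With rules present and EnforcementMode="Enabled", any Exe that matches no Allow rule is blocked.
       Start in AuditOnly, review the 8003 events, then flip to Enabled. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Trust by publisher: a Microsoft-signed binary is allowed wherever it sits on disk. -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Signed by Microsoft" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Trust by location. A path rule is only as strong as the ACL on the path, so the
         user-writable corners of %WINDIR% are carved out explicitly. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files (admin-installed)" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Trust by installation method: what SCCM delivers runs from its cache. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="SCCM package cache" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Windows\ccmcache\*" /></Conditions>
    </FilePathRule>
    <!-- Trust by repository: the approved software share. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Approved software share" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="$softwareShare" /></Conditions>
    </FilePathRule>
    <!-- Per-group exception: designated users may run their own build output; nobody else can. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Developer build output" Description="" UserOrGroupSid="$devGroup" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Dev\bin\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-default-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run. The cmdlet reads each file to evaluate publisher conditions, so point it at real
# binaries: notepad.exe should match the publisher rule, an unsigned download should match
# nothing and come back as DeniedByDefault.
$candidates = @("$env:WINDIR\System32\notepad.exe") +
              @(Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object FullName)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User $everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy in audit mode (-Ldap targets a GPO instead). AppLocker evaluates
# nothing unless the Application Identity service is running; on recent Windows builds it is a
# protected service, so set its startup type through Group Policy rather than Set-Service.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc

# Audit hits (8003 = would have been blocked) are the list of what to approve before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Two caveats a practitioner will want: a publisher rule trusts the signer regardless of location, so narrow `ProductName` where you can rather than trusting every Microsoft-signed binary; and the policy above covers only the Exe collection, so DLL side-loading and scripts need their own collections before the control is complete.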
The Carbon Black technology grew out of incident response experience. According to Johnson, the firm often found little useful information in system logs and as a result had to conduct labour-intensive digital forensics. In response it developed a software agent that records everything executing and communicating on the endpoint, along with events such as file system and registry changes.
The Carbon Black agent sends its data to a centralized server where it can be searched and analyzed. Rules can be written to detect indicators of compromise and notify analysts, who can then conduct retrospective reviews. For example, the product might detect an approved application creating a new executable on disk, or the first execution of an otherwise legitimate binary such as ftp.exe.
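The two kinds of rule just described, written out against recorded endpoint events, as an added example that is not the article’s text and not Bit9 + Carbon Black code. It runs over a constructed batch of Sysmon-style events (Id 1 = process create, Id 11 = file create); the hosts, users, paths and the per-host baseline are made up for the sample, and the watchlists are starting points to tune, not vendor lists.

```powershell
# Added example (not from the article or the vendor): detection rules over endpoint event records.
# Constructed sample: a macro-style chain on WS-042 and benign activity on WS-017.
$events = @(
    [pscustomobject]@{ Id=1;  Host='WS-042'; User='CONTOSO\alice'; Image='C:\Program Files\Microsoft Office\WINWORD.EXE'; Parent='C:\Windows\explorer.exe'; CommandLine='WINWORD.EXE Q3-report.docx' }
    [pscustomobject]@{ Id=11; Host='WS-042'; User='CONTOSO\alice'; Image='C:\Program Files\Microsoft Office\WINWORD.EXE'; TargetFilename='C:\Users\alice\AppData\Local\Temp\update.exe' }
    [pscustomobject]@{ Id=1;  Host='WS-042'; User='CONTOSO\alice'; Image='C:\Users\alice\AppData\Local\Temp\update.exe'; Parent='C:\Program Files\Microsoft Office\WINWORD.EXE'; CommandLine='update.exe' }
    [pscustomobject]@{ Id=1;  Host='WS-042'; User='CONTOSO\alice'; Image='C:\Windows\System32\ftp.exe'; Parent='C:\Windows\System32\cmd.exe'; CommandLine='ftp -s:C:\Users\alice\AppData\Local\Temp\c.txt 203.0.113.5' }
    [pscustomobject]@{ Id=1;  Host='WS-017'; User='CONTOSO\bob';   Image='C:\Windows\System32\notepad.exe'; Parent='C:\Windows\explorer.exe'; CommandLine='notepad.exe' }
)

function Get-Leaf ([string]$Path) { $Path -replace '^.*[\\/]', '' }   # file name, works for \ and / paths

# Rule 1: an approved application whose job is to open documents, not to install software,
# writes something executable to disk. Tune the watchlist to what is approved in your estate.
$documentHandlers  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'acrord32.exe'
$executablePattern = '\.(exe|dll|scr|cpl|msi|ps1|vbs|js|hta|bat|cmd)$'

function Find-ExecutableDrops {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -eq 11 -and $e.TargetFilename -match $executablePattern -and (Get-Leaf $e.Image) -in $documentHandlers) {
            [pscustomobject]@{ Rule='ExecutableDroppedByDocumentHandler'; Severity='Medium'; Host=$e.Host; User=$e.User; Process=$e.Image; Detail=$e.TargetFilename }
        }
    }
}

# Rule 2: first execution of a binary on a host, judged against a per-host baseline of what has
# run before. Living-off-the-land tools an intruder reaches for early are escalated.
$lolbins  = 'ftp.exe', 'certutil.exe', 'bitsadmin.exe', 'mshta.exe', 'regsvr32.exe', 'wmic.exe'
$baseline = @{   # constructed: would normally be built from the last N days of recorded executions
    'WS-042' = 'C:\Windows\explorer.exe', 'C:\Windows\System32\cmd.exe', 'C:\Program Files\Microsoft Office\WINWORD.EXE'
    'WS-017' = 'C:\Windows\explorer.exe', 'C:\Windows\System32\notepad.exe'
}

function Find-FirstSeenProcesses {
    param([object[]]$Events, [hashtable]$Baseline)
    foreach ($e in $Events) {
        if ($e.Id -ne 1) { continue }
        if ($e.Image -in @($Baseline[$e.Host])) { continue }
        $severity = if ((Get-Leaf $e.Image) -in $lolbins) { 'High' } else { 'Medium' }
        [pscustomobject]@{ Rule='FirstSeenProcessOnHost'; Severity=$severity; Host=$e.Host; User=$e.User; Process=$e.Image; Detail=$e.CommandLine }
    }
}

# Rule 3: correlate the two. A freshly written executable that is then launched on the same host
# is the classic document-to-payload chain and deserves a page rather than a queue entry.
function Find-DropAndExecute {
    param([object[]]$Events)
    $drops = @{}                                            # "host|path" -> process that wrote it
    foreach ($e in $Events) {
        if ($e.Id -eq 11 -and $e.TargetFilename -match $executablePattern) {
            $drops["$($e.Host)|$($e.TargetFilename)"] = $e.Image
        } elseif ($e.Id -eq 1 -and $drops.ContainsKey("$($e.Host)|$($e.Image)")) {
            [pscustomobject]@{ Rule='DroppedExecutableLaunched'; Severity='High'; Host=$e.Host; User=$e.User; Process=$e.Image; Detail="written by $($drops["$($e.Host)|$($e.Image)"])" }
        }
    }
}

$alerts = @(Find-ExecutableDrops $events) + @(Find-FirstSeenProcesses $events $baseline) + @(Find-DropAndExecute $events)
$alerts | Format-Table Rule, Severity, Host, User, Process, Detail -AutoSize
```

On the sample, the WINWORD.EXE write of update.exe, the first execution of update.exe and of ftp.exe on WS-042, and the launch of the dropped file all surface; notepad.exe on WS-017 is in that host’s baseline and stays quiet. The same records that raise the alert are what the analyst needs for the retrospective review: the parent process, the command line with its destination address, and the file that was written.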
Since the merger, the two centralized components have been integrated: for example, a Carbon Black detection can be used to have Bit9 explicitly ban execution of the code involved. According to Johnson, the company has also invested heavily in threat intelligence and in feeding the resulting information into the Bit9 + Carbon Black offerings.
While the firm advises clients to continue using traditional anti-virus products in addition to Bit9 + Carbon Black, they have noticed some customers are dropping their paid antivirus subscriptions, opting instead to use the free Windows Defender combined with Bit9’s application whitelisting capabilities.
Defending against targeted malware is difficult and there is no perfect solution. One of the controls all companies should be seriously considering is application whitelisting.
The NSA report can be viewed here: https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf