BASIC NETWORK SECURITY
How do you deliver real-time monitoring, correlation and expert analysis of security activity across your enterprise? Companies receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. Trying to find what works best for your company is very difficult task.
The basic cyber threat information needed to secure your enterprise network.
- Malware signatures, file hashes, email addresses
- Indicators such as command and control server (C2) IPs list, domains, and URL's
- Alerts characteristics of registry changes, artifacts in memory, software CVE's
Most sharing forum provide cyber threat signatures, IP list, and other indicators but this information comes unstructured & human-to-human.
As we progress to the global threat more compatible automation trends of machine-to-machine transfer are becoming available. Some of the tools and standards available for machine/ automotive sharing are:
- The Open Indicators of Compromise (OpenIOC) framework
- Vocabulary for Event Recording and Incident Sharing (VERIS)
- Cuber Observable eXpression (CybOX)
- Incident Object Description and Exchange Format (IODEF)
- Trusted Automated eXchange of Indicator Information (TAXII)
- Structured threat Information Expression (STIX)
- Traffic Light Protocol (TLP)
- Open Threat Exchange (OTX)
- Collective Intelligence Framework (CIF)
- Per Mitre, IOC and STIX are somewhat a collaborative community-driven effort to define and develop a standardized language to represent structured cuber threat information.
- DHS releases most of its advisories in PDF and STIX versions
- OpenIOC protocol/definition was created for use with Mandiant IOC
- Microsoft recently revealed the Interflow project which incorporates STIX, TAXII, and CybOX to provide an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time
When it comes to securing your enterprise system, the services for monitoring, assessing, protecting and responding to network systems come in a variety of names:
- Data & Event Correlation
- Hybrid Assessment and IDS
- Incident Management
- Intrusion Detection and Management
- Intrusion Monitoring and Response Service
- Patch Management
- Security Advisories and Archives
- Security Information Management
- Vulnerability Assessment Service
- Vulnerability Assessment and Remediation
- Vulnerability Notification Service
(SIEM) SIEM : Security information and event management is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.
The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as security event management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as security information management (SIM).
- Data aggregation : Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
- Correlation : looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution
- Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.
- Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
- Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
- Retention: employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.
- Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.
- Learn as much about the risk as possible. Understanding the risk, threats and vulnerabilities that currently exist on your enterprise.
- Knowledge is power, the more you know about your target the more likely you are to succeed.
- Don’t worry about what you see it’s what you don’t see
- Know What You Have (that others might want)
- Identify the “Opportunities” You Might Be Providing
- Research Your Employees
- Educate Your Employees
- Establish and Utilize Checks & Balances System
- Audit remote access points
- Apply the principle of least privilege / need to know or have, Access Control – “Need to Know” = “Need To Access”
- Monitor third party aggregation points
- Enforce strong password policy/multifactor authentication. Something you know/have/are
- Monitor contractors and business partners with access to your data
- Regulate the traffic that enters and exists their network (Know what you have)
- Network segmentation/air gap
- Have an incident response team in place
- Mandatory online opsec training for all employees (end user is always the weakest link)
- Control physical access to computers and network components
- Employee departure Checklist
- Scale Down
- Shred / Destroy What You Don’t Need
- Don't rely on “Security by obscurity". It doesn't work
- Patch CMS Applications
- Automate log management and find a good monitoring IP control product. Who can monitor thousands of "events" in logs daily?
- Expand log management retention cycles due to historical data on recently public breaches
- Implement application whitelisting
- Plan For “The Worst Case Scenario”
- Encrypt/tokenize sensitive data
- What is the company’s public facing IP ranges?
- What is their host naming convention?
- Do they have Database servers, Application Servers or Web Servers on the DMZ?
- Do they allow Remote Access and if so who has access to what?
- Do you enforce mulitfactor authentication?
- “There is no patch for human stupidity.” Sometimes the best way to get information is not technical, it is personal.
- Inventory your network (topology) network connection, number of computers systems. As part of your risk assessment you should Inventory your network both physically and logically (flow of data) before an incident occurs as keep pace with any internal and external environmental changes. Understanding your complete security posture of across your entire ecosystem will help to prevent or mitigate any future attack against your security enclave. Understanding where the endpoint systems are and how data flow through them is critical? Understand data in use, data and rest and data in motion.
This report from Carnegie Mellon -- the harmonization of the taxonomy with other risk and security activities, particularly those de-scribed by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation(OCTAVE).
The taxonomy of operational cuber security risks, is structured around a hierarchy of classes, subclasses, and elements. The taxonomy has four main classes:
- actions of people -- action, or lack of action, taken by people either deliberately or accidentally that impact cuber security
- systems and technology failures -- failure of hardware, software, and information systems
- failed internal processes -- problems in the internal business processes that impact the ability to implement, manage, and sustain cuber security, such as process design, execution, and control
- external events -- issues often outside the control of the organization, such as disasters, legal issues, business issues, and service provider dependencies
Each of these four classes is further decomposed into subclasses, and each subclass is described by its elements.
BEST CYBER SECURITY INDUSTRY PRACTICES:
- DNSSEC-Domain Name System Security Extension is a technology that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit. List of DNSSEC-outages
- The DomainKeys Identified Mail (DKIM) Internet standard enables email senders to digitally sign their messages so that receivers can verify that those messages have not been forged. The DKIM sender authentication scheme allows the recipient of a message to confirm a message originated with the sender's domain and that the message content has not been altered. A cryptography-based solution, DKIM provides businesses an industry-standard method for mitigating email fraud and protecting an organization's brand and reputation at a relatively low implementation cost.
- Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf. The goal is to reduce the amount of spam and fraud by making it much harder for malicious senders to disguise their identity
- SPF is difficult to achieve for large organizations, who are among the most at risk for these types of attacks. Large organizations typically have many outside 3rd parties who send email as them.
- What should I use? DKIM or SPF?
Both. To some people SPF doesn't seem very useful if it requires that servers both set SPF records for domains and servers check the SPF records of incoming e-mails that are received, because not all servers either check SPF records or set SPF records for domains. In fact, with cPanel Hosting you are able to set the SPF records for your domains within the Email Authentication section of the cPanel control panel. However, it doesn't hurt to set SPF records because it will be authentication for servers that may require an SPF record to be set for incoming e-mails. DKIM can also be enabled in the same section within cPanel. Web hosting companies like GoDaddy that need to assist clients with r outbound SMTP traffic problem and also find faster solutions to CMS hacks and hijacked accounts.
- SEE Dmarcian Ispectors
"Response Policy Zone" refers to the method of both describing and delivering DNS firewall configuration data. It's done with a specially formatted DNS "zone file" which is edited or generated the same way other DNS zone files are done, and is then propagated to all of your DNS firewalls using the same DNS "zone transfer" protocols used for any other DNS zone. Because DNS zone transfers are now incremental and because changes to DNS zones are now signaled in real time, the synchronization of your DNS firewall cluster is both efficient, robust, and timely.
The prime motivation for creating this feature was to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.
- If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
- If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
- If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.
Policy zones published by a multiple providers (see below) can be checked in order before a normal answer from the global DNS is used. White lists can also be maintained by a local administrator to prevent false positives for key infrastructure. source https://dnsrpz.info/
- BCP 38 NETWORK INGRESS FILTERING is a filtering technique used by many Internet service providers to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net by making Internet traffic traceable to its source. BCP38 prevents spoofed packets from leaving a network. Network ingress filtering is a "good neighbor" policy which relies on cooperation between ISPs for their mutual benefit. The best current practices for network ingress filtering are documented by the Internet in BCP 38 and BCP 84, which are defined by RFCs 2827 and 3704, respectively. http://en.wikipedia.org/wiki/Ingress_filtering
BCP 84: for muti-homed networks
- BCP 140: Preventing the Use of Recursive Nameservers in Reflector DDOS attacks. Basically recommending to nameserver operators to use means provided recursive name lookup service to only the intended clients and In nameservers that do not need to be providing recursive service. For instance servers that are meant to be authoritative only, turn recursion off completely. In general, it is a good idea to keep recursive and authoritative services separate as much as practical. This, of course, depends on local circumstances. http://www.networksorcery.com/enp/rfc/rfc5358.txt
- Managed Trusted Internet Protocol Service (MTIPS) developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative. MTIPS will reduce the number of connections to the Internet.
WHAT EVERY IT PROFESSIONAL SHOULD UNDERSTAND:
- Registrars have become part of the security ecosystem. The Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations. Their business practices and policies affect the costs of malware and of the criminal business models built around it. Registrars may derive additional revenues from domain name registrations, even if they are related to malware, but they do not incur any specific direct costs. Nonetheless, if their domains are associated with malicious activity, it may result in an increasing number of formal and informal abuse notifications. Dealing with such abuse notifications is costly, requiring registrars to commit and train staff. Suspending domains may also result in legal liabilities. Furthermore, many registrars may be ill-equipped to deal with malware deregistration requests. Malware domain de-registrations can be very complex to process compared to, for example, phishing domain de-registrations, which are normally a clear breach of trademark or copyright. Some experts report that registrar abuse handling teams will often cite insufficient evidence to process a de-registration request, although evidence sufficient for many incident response teams has been provided. Because of the risk of legal action where a legitimate domain would be incorrectly de-registered, registrars often prefer to support their customer rather than the complainant. One of the economic costs that registrars face is proving the identity of registrants. Certain domain spaces (.com.au, for example), require strict tests of company registration and eligibility for a name before it can be granted. Evidence suggests that these constraints have lowered fraudulent domain registrations in the .com.au space.
- DISTRIBUTED DENIAL OF SERVICE (DDOS) Malicious actors are elevating their crimes by now compromising of web servers as opposed to web-servers because they are always on a carry more bandwidth. With DDOS there are basically two types of attacks, Network Attack (Bandwidth depletion) or an Application Attack (Resource Depletion) .Several techniques can be used to facilitate a DDOS attack. Two of the most common are HTTP GET request and a SYN Flood. The GET attack works as its name suggest. It sends a request for a specific page (generally a homepage) to the target server. With tens of thousands of request from botnets it can be overwhelming to the server. A SYN flood is basically an aborted handshake. Internet communications use a three way handshake to communicate. The initiating client initiates with a SYN, the server responds with a SYN-ACK, and the client is then supposed to respond with an ACK. Using a spoofed IP address the malicious attacker sends the SYN which results in the SYN-ACK being sent to a non-requesting address (or usually non-existing address). DNS amplification DDoS attacks work by prompting open DNS servers to direct large amounts of data at a domain that isn’t the same as the originating domain of the request. To do this, packets are crafted so that the originating IP is spoofed. Responses are sent to the spoofed target address, and so, with a script and a relatively small amount of bandwidth, attackers can direct overpowering floods of data at their target. During traditional DDOS attacks botnets comprised of hundreds or even thousands of infected host computers are programmed to launch an attack on a targeted system or infrastructure. They are a different threat landscape because they affect availability rather than data or systems. DDOS require more of a disaster response than an incident intrusion response. In most cases companies will need outside help to fix the problem. Victim companies must stay on alert because the intrusion of a DDOS attack could simply be a diversion to mask a more sophisticated attack such as intellectual property or the more popular CATO.BASIC DDOS TECHNICAL CONTROLS
- Deploy Intrusion Prevention System
- Apply Rate Limiting
- Black hole routing-discarding or dropping malicious packets
- Upstream filtering
- LEARN MORE
Virtualization is the simulation of the software and/or hardware upon which other software runs. This simulated environment is called a virtual machine (VM). There are many forms of virtualization, distinguished primarily by computing architecture layer. This publication focuses on the form of virtualization known as full virtualization. In full virtualization, one or more OSs and the applications they contain are run on top of virtual hardware. Each instance of an OS and its applications runs in a separate VM called a guest operating system. The guest OSs on a host are managed by the hypervisor. which controls the flow of instructions between the guest OSs and the physical hardware, such as CPU, disk storage, memory, and network interface cards. The hypervisor can partition the system’s resources and isolate the guest OSs so that each has access to only its own resources, as well as possible access to shared resources such as files on the host OS. Also, each guest OS can be completely encapsulated, making it portable. Some hypervisors run on top of another OS, which is known as the host operating system Full virtualization has some negative security implications. Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Also, combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs. Further, some virtualization systems make it easy to share information between the systems; this convenience can turn out to be an attack vector if it is not carefully controlled. In some cases, virtualized environments are quite dynamic, which makes creating and maintaining the necessary security boundaries more complex.
Pastebin is a popular website for storing and sharing text. Created by Paul Dixon and a group of developers that continually contributed code to the project to help coders share snippets or entire copies of their source code or highly amusing IRC chat logs. With Pastebin, black hat hackers are able to leave the code of their exploit relatively anonymously. And code from the attack is not the only thing that they leave on Pastebin. They also leave username and passwords from the attack, the information about the servers that were attacked, and more often than not their particular manifesto.
Why Do Hackers like Pastebin?
• It’s easy to use
• It can handle large text files
• It doesn’t proactively moderate postings
• Publishing there doesn’t require registration
• Its heritage is rooted in IRC networks
Other sites designed for sharing text over the web, such as:Pastebin, Pastie, FrubarPaste, YourPaste, Codepad, Slexy and LodgeIt. An Internet-based penetration tester often begins the project by mining public data to identify sensitive details regarding the target.
Doxing The word refers to the practice of publishing personal information about people without their consent. Usually it's things like an address and phone number, but it can also be credit card details, medical information, private e-mails -- pretty much anything an assailant can get his hands on.
References and Resources: