Protecting Your Organisation from Targeted Cyber Intrusion



Similar documents
The Defence Signals Directorate Top 4 Mitigations Against Cyber Intrusion. An Implementation Guide for Project Managers

Specific recommendations

THE AUSTRALIAN SIGNALS DIRECTORATE (ASD) STRATEGIES TO MITIGATE TARGETED CYBER INTRUSIONS

Critical Security Controls

Malicious Mitigation Strategy Guide

Additional Security Considerations and Controls for Virtual Private Networks

Defending Against Data Beaches: Internal Controls for Cybersecurity

Why The Security You Bought Yesterday, Won t Save You Today

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Malicious cyber activity is on the increase at risk. This may involve the loss of critical data and consumer confidence, as well as profits

Where every interaction matters.

External Supplier Control Requirements

Multi-factor authentication

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Securing OS Legacy Systems Alexander Rau

A Decision Maker s Guide to Securing an IT Infrastructure

Targeted attacks: Tools and techniques

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

SPEAR PHISHING UNDERSTANDING THE THREAT

Locking down a Hitachi ID Suite server

New Zealand National Cyber Security Centre

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

IBM Security re-defines enterprise endpoint protection against advanced malware

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Ovation Security Center Data Sheet

IT HEALTHCHECK TOP TIPS WHITEPAPER

Defending Against Cyber Attacks with SessionLevel Network Security

Cisco Advanced Services for Network Security

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Seven Strategies to Defend ICSs

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Guidance Regarding Skype and Other P2P VoIP Solutions

Trend Micro. Advanced Security Built for the Cloud

I N T E L L I G E N C E A S S E S S M E N T

Common Cyber Threats. Common cyber threats include:

Proven LANDesk Solutions

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Passing PCI Compliance How to Address the Application Security Mandates

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Ovation Security Center Data Sheet

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Defending against modern threats Kruger National Park ICCWS 2015

Practical Steps To Securing Process Control Networks

IBM Security Strategy

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Global Partner Management Notice

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

September 20, 2013 Senior IT Examiner Gene Lilienthal

Centre for the Protection of National Infrastructure Effective Log Management

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

Cyber Essentials Scheme

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Top 4 Strategies to Mitigate Targeted Cyber Intrusions

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

Effective Log Management

Reducing the Cyber Risk in 10 Critical Areas

SANS Top 20 Critical Controls for Effective Cyber Defense

Top 20 Critical Security Controls

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Web Engineering Web Application Security Issues

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Cisco Security Optimization Service

Security Controls for the Autodesk 360 Managed Services

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

Networking for Caribbean Development

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Penetration Testing Report Client: Business Solutions June 15 th 2015

RSA Security Anatomy of an Attack Lessons learned

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Reference Architecture: Enterprise Security For The Cloud

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

The Business Case for Security Information Management

Protecting Sensitive Data Reducing Risk with Oracle Database Security

External Supplier Control Requirements

Managing internet security

OWASP Top Ten Tools and Tactics

PCI DSS 3.0 Compliance

How To Secure Your System From Cyber Attacks

FISMA / NIST REVISION 3 COMPLIANCE

Windows Remote Access

Transcription:

Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology platform.

Your Organisation is a Target Sensitive government information, corporate intellectual property, financial information and private personal data is being lost to cyber intrusions targeted at Australian government agencies and private enterprises. Hacking, defacement and denial-of-service attacks can severely disrupt your organisation s online presence, damage your customers confidence and even lead to loss of extensive customer information. More persistent threats, incorporating spear phishing and remote access technologies, selectively target individuals to gain a foothold in your network and then proceed to remove sensitive data or intellectual property. And it s not just the largest government and enterprise organisations at risk. Across Australia and globally, small and medium businesses along with state and local governments have suffered losses due to these types of attack. But there are very effective protections that can be put in place. They need not require new investment in technology or personnel. Defence Signals Directorate and CERT Australia have published guidance on the top 35 strategies to mitigate against targeted cyber intrusion and concluded that at least 85% of the intrusions they responded to in 2010 would have been prevented if only the top 4 of these mitigations had been put in place. Furthermore, CERT Australia recommends these same strategies across critical infrastructure and the private sector. These top 4 mitigations only require you to maintain current, patched applications and operating systems, employ application whitelisting technology and effectively restrict the use of administrative accounts. In this paper, we provide a brief overview of how these 35 mitigations can be implemented using Microsoft software. And by implementing the top 4 and then progressively choosing to implement the remaining controls, you will be in a stronger position to prevent and detect targeted cyber intrusions on your network.

Stages of a Targeted Cyber Intrusion Targeted cyber intrusions can take advantage of a variety of technical and human weaknesses, such as Web servers susceptible to injection of code, unpatched browsers that inadvertently enable malware downloads or users who succumb to opening malware laden email attachments. There is no single pattern of attack, nor is there an entirely predictable sequence of events. An attack might be a single event that lasts for minutes or a sustained progression of intrusions that last for months or even years. However, it is useful to conceptualise a targeted cyber intrusion in terms of three stages: code execution, network propagation and data exfiltration: 1 Code Execution! An adversary performs reconnaissance to select a target user, and sends this user a malicious email containing a malware-laden attachment or link to a Web site. This reconnaissance is easier if the user s email address and additional information is readily available via agency Web sites, social networking Web sites, or if the user uses their email address for purposes unrelated to work. By opening the attachment or visiting the Web site, malicious code is executed on the user s workstation and is typically configured to persist by automatically executing every time the user restarts their computer and/or logs on. The malicious code is remotely controlled by the adversary, enabling them to access any information that is accessible to the user. 2 Network Propagation The adversary moves through the network to access information on other workstations and servers. Such information typically includes Microsoft Office files, PDF files as well as information stored in databases. Adversaries also typically access system information including computer and network configuration details, as well as details about users including organisation hierarchy and usernames and passphrases. Although passphrases might be stored as cryptographic hashes to frustrate adversaries, cracking such passphrase hashes to derive the passphrases may be fast, cheap and easy unless all users have selected very strong passphrases that are appropriately hashed. The appropriate use of multi-factor authentication may hinder adversaries. 3 Data Exfiltration The adversary exfiltrates information from the network using network protocols and ports allowed by the organisation, such as HTTPS, HTTP, or in some cases DNS and email. The adversary typically leaves behind several compromised computers as a backdoor to facilitate further exfiltration of information in the future.

Top 4 Mitigations 1 Patch and deploy current applications Unpatched applications have become the most common vector for exploitation primarily due to significant vulnerabilities discovered in versions of Microsoft Office, Adobe Acrobat, Oracle Java and all common internet browsers. Frequently, the vulnerabilities exploited by attackers have been public for some time with protective updates already available from vendors but not yet deployed within the targeted organisation. This time delay between availability of an upgrade and its deployment within an enterprise must be minimised, especially for critical updates. Unfortunately, many applications have unique patching methods and requirements that can be challenging to integrate into a single, managed process. Microsoft provides update tools for the enterprise called Windows Server Update Services and guidance for the patching process in the Microsoft Security Update Guide. This guide was designed to help IT administrators develop a repeatable, effective deployment mechanism for testing and releasing security updates. Furthermore, Microsoft System Center Configuration Manager 2012 can provide an integrated update mechanism for all software applications from any vendor. 2 Patch and deploy current operating systems Effective system hardening begins with the deployment of current, fully updated operating systems, and it is important to recognise that modern operating systems are far more secure than legacy platforms. Against a determined attacker, a fully patched Windows XP operating system does not provide anywhere near the equivalent security protections of a fully patched Windows 7 operating system. This reduction in security risk in Windows 7 is primarily due to features such as user account control, feature lockdown by default and memory protections along with support for security controls like data encryption (Microsoft BitLocker ) and application whitelisting (Microsoft AppLocker ). To help with assessing a migration to current operating systems, Microsoft provides a free tool called the Microsoft Assessment and Planning Toolkit. This toolkit can be used for agentless inventory of an IT environment, assessment of hardware and software readiness for migration, and custom reports detailing hardware, device and operating system readiness. 3 Restrict administrative privileges Administrative privileges need to be tightly controlled and restricted to a small number of known users who must abide by strong authentication policies. Attackers will typically work towards obtaining the credentials of an administrator as this enables them to extend their network access, gain higher levels of access to resources and even cover their tracks. Minimising administrative privileges makes it more difficult for the adversary to extend their intrusion or hide their existence on a system. Microsoft Forefront Identity Manager 2010 provides a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments. It can help with restricting administrative privileges and enabling stronger authentication. 4 Whitelist applications Application whitelisting is about identifying specific executables and software libraries that should be permitted to execute on a given system, then enforcing a policy so that only those identified components can operate. A system protected by explicit whitelisting of allowed applications will typically block malware such as a remote access tool from executing, providing an effective mitigation against the first stage of a targeted attack. Microsoft AppLocker is a set of policy settings and software components within Windows 7 that effectively allows multiple levels of enforcement as well as several methods of recognising whitelisted executables.

Mitigation Strategies against Targeted Cyber Intrusion

Defence in Depth Strengthen workstation defences beyond the top 4 mitigations by deploying antivirus software, firewall restrictions, device encryption, and controls on removable media within a managed operating environment. Microsoft System Center 2012 along with Windows 7 provides a complete platform for end-to-end host protection along with guidance in the Microsoft Deployment Toolkit and Microsoft Security Compliance Management solution accelerators. 1 2 4 5 12 13 14 17 21 25 26 29 Harden web and server applications by addressing the most common and easily mitigated web application vulnerabilities such as SQL injection, cross-site scripting and broken session and authentication management. Mitigating these vulnerabilities is best done at design time by leveraging guidance like the OWASP Top 10 along with the extensive tools and guidance available within the Microsoft Security Development Lifecycle Methodology. 20 28 31 Enforce strong user authentication by progressing towards enforcement of strong passphrases and the use of multi-factor authentication such as smart cards. Technologies like Microsoft Forefront Identity Manager 2010 provide a broad platform for identity management and strong authentication. 3 16 Protect your email service from spoofed emails, spam, targeted phishing and email interception by whitelisting allowable attachment types so that vulnerable content types or executable files are prohibited, implementing Sender Policy Framework controls and enabling additional authentication between email servers (TLS). These protections can be enabled in Microsoft Exchange Server 2010 and complemented with online filtering from Microsoft Forefront Online Protection for Exchange server. 6 7 30 Defend the web gateway by filtering the allowable content types and whitelisting allowable domain names for both normal and encrypted traffic. Firewall technology at the gateway should implement application layer protections, stateful inspection and content filtering. 9 10 11 19 32 34 Monitor your system infrastructure by maintaining central configuration and asset management database, automated management processes along with centralised monitoring of server, device and network equipment. Microsoft System Center Configuration Manager 2012 along with Microsoft System Center Operations Manager 2012 provide these capabilities in an integrated platform. 22 24 27 Monitor your network by centralising logging and using network based intrusion detection to identify and respond to anomalies. Network segmentation is also crucial along with network protections enforced by technologies like Network Access Protection in Windows Server 2008 R2. 15 23 33 35 Educate users about social engineering including how they can be targeted and how they should respond to suspicious requests, be careful of the information they release and report any incident. In turn, it s important to have a social engineering response process to identify if the threat is real and alert users to prevent an eventual successful breach from a sustained attack. 8 18

Guidance & Tools Microsoft Technical Security Guidance: technet.microsoft.com/security Microsoft Safety & Security Centre: microsoft.com/security Microsoft Security Update Guide Second Edition: microsoft.com/security/msrc/ whatwedo/securityguide.aspx Open Web Application Security Project (OWASP): owasp.org Microsoft Security Development Lifecycle (SDL): microsoft.com/security/sdl Microsoft Solution Accelerators (including Microsoft Deployment Toolkit, Microsoft Assessment & Planning Toolkit and Security Compliance Manager): technet.microsoft.com/en-us/solutionaccelerators Additional information about implementing the 35 mitigation strategies is available from Defence Signals Directorate at http://www.dsd.gov.au/infosec/top35mitigations.htm May we help? If you need assistance with improving the security of your organisation, talk to your Microsoft account representative or a Microsoft partner. With proven technologies, global experience and local expertise, we can help you select and deploy the most cost-effective solutions to meet your needs. To speak with your Microsoft account representative or a Microsoft Partner, call 13 20 58. To locate your nearest Microsoft partner, visit www.microsoft.com.au/findapartner/solutionfinder 2012 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, AppLocker, BitLocker, Forefront, Internet Explorer, the Internet Explorer logo, the Office logo, the Server logo, Windows, Windows Server and the Windows logo are trademarks or registered trademarks of the Microsoft group of companies. 15372-0112/MS

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information