[BreachExchange] Launch your own cybersecurity sprint: 30 days to improved security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 17 20:45:25 EDT 2017


https://www.helpnetsecurity.com/2017/07/17/cybersecurity-sprint/

Whether it’s well-publicized cyber attacks on government organizations or
widespread ransomware that threatens to halt business operations, attackers
continue to target privileged credentials as a quick and easy means to
reach critical assets and steal sensitive data.

Based on what we’ve learned from working with organizations that have
suffered a major breach, once attackers break into the network – often
through targeted phishing and weak passwords – they must find a way to move
through the network and escalate privileges to complete their mission.
Stealing privileged credentials – or taking the “privileged pathway” – is
the most common way to do this. As a result, securing privileged
credentials is one of the first actions organizations take following a
breach.

In today’s cyber threat landscape, every organization is susceptible to a
breach. Furthermore, each breach teaches us more about what we can, and
should, do before we’re attacked to prevent or reduce the impact. Using
these lessons to establish a realistic plan for achieving “quick wins” to
prioritize risk reduction, quantify progress, and retain support from
executive management and the Board is of vital importance. We call this a
sprint – the first leg of a longer-term security program.

So what if you had to start your own cybersecurity sprint – rapidly
implementing proactive security measures gleaned from the hard luck of
others? Where would you start as an organization?

Based on research conducted with Global 1000 CISOs and security executives
from major organizations that have experienced large data breaches, we’ve
developed a framework that can be implemented rapidly to help shut down the
privileged pathway and significantly reduce the privileged account attack
surface. It prioritizes the implementation of controls for protecting
privileged credentials to drive tangible results within 30 days. From there
– armed with these quick, demonstrable successes – organizations can scale
efforts and turn the sprint into a sustainable cyber security program.

Gearing up: Get focused

For attackers, privileged accounts are considered low-hanging fruit – the
obvious first choice for expanding their reach within an organization. Most
companies have primarily focused on implementing security controls to keep
attackers out of their network. But, breach after breach has shown that
motivated attackers will find a way past these perimeter defenses. Once
inside, attackers can use hijacked privileged credentials to move
throughout the network and complete their mission.

It’s important to remember that attackers often take this path of least
resistance – like all of us, they want the biggest return with the least
investment. The sprint framework focuses on the Windows environment, and on
what attackers know about, want, and need no sophisticated malware to get:
administrative accounts for Active Directory (AD) and member computers.
Starting with this small, targeted set of accounts enables the
implementation of key controls without requiring major time, resource, and
technology investments.

The first four controls to implement to quickly protect your most powerful
(and most vulnerable) accounts include:

1. Isolate and monitor access to domain controllers and member computers

Enterprise workstations (used for email, web browsing, and more) are
frequently the point of initial infiltration for attackers. To limit
exposure of privileged credentials, administration of Active Directory and
member computers must only be permitted from a trusted environment without
internet access and with strong control of what applications can run. This
environment serves as a barrier between the sensitive asset and the
workstation, denying the attacker the ability to steal privileged
credentials.

2. Protect privileged credentials with multi-factor authentication

As demonstrated by its inclusion in the federal cyber security sprint
following the breach at the U.S. Office of Personnel Management,
multi-factor authentication (MFA) is vital to stopping attackers,
especially for privileged users. If an attacker manages to compromise a
credential, MFA can stop them from being able to use it to inflict harm.

3. Eliminate unnecessary accounts and privileges

Ideally, organizations should have the smallest reasonable number of
privileged accounts to minimize the attack surface and to simplify identity
management. Reality is far from this ideal, as years of lax controls have
led to the proliferation of accounts and privileges. The sprint prioritizes
the elimination of unnecessary domain and enterprise administrator
accounts, as these privileges are commonly overextended and pose the
greatest risk to the enterprise.

4. Establish credential boundaries

One key to defending the privileged pathway is to break the cycle where
lateral movement leads to privilege escalation. This is done by “tiering”
machines (domain controllers > servers > workstations) and disallowing
credentials used in one tier of machines to be used in a different tier.
For example, domain administrator accounts should only be used to manage
domain controllers, not servers or workstations. Implementing this control
restricts privilege escalation, preventing the attacker from compromising a
credential in one tier and leveraging the credential to access an asset in
another.
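
As an added example (not from the article or its authors), the following PowerShell script puts controls 3 and 4 into practice: it inventories the enterprise and domain administrator groups the sprint targets, flags members that look like removal candidates, and, when run on a server or workstation, surfaces Domain Admin logons that cross a tier boundary. It assumes the RSAT ActiveDirectory module is installed, a 90-day staleness threshold, and rights to read group membership and the local Security log; the group names and thresholds are assumptions, not figures from the article.

```powershell
# Added example, not from the article. Assumes RSAT ActiveDirectory module,
# read access to AD group membership and to the local Security event log.
Import-Module ActiveDirectory

# Control 3: inventory the groups the sprint prioritizes and flag review candidates.
$privilegedGroups = @('Enterprise Admins', 'Domain Admins')   # assumed scope
$cutoff = (Get-Date).AddDays(-90)                             # assumed staleness threshold

$admins = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, where unnoticed privilege often hides.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_.distinguishedName -Properties LastLogonDate, PasswordLastSet, servicePrincipalName
            $flags = @()
            if (-not $u.Enabled) { $flags += 'disabled' }
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $flags += 'stale-logon' }
            if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) { $flags += 'old-password' }
            if ($u.servicePrincipalName) { $flags += 'has-spn' }   # service accounts rarely belong here
            [pscustomobject]@{ Group = $group; Account = $u.SamAccountName; Findings = ($flags -join ',') }
        }
}
$admins | Sort-Object Group, Account | Format-Table -AutoSize

# Control 4: on a non-domain-controller host, an interactive or RDP logon by a
# Domain Admin crosses the tier boundary and leaves reusable credentials behind.
$adminNames = $admins | Where-Object Group -eq 'Domain Admins' |
    Select-Object -ExpandProperty Account -Unique
$since = (Get-Date).AddDays(-7)                                # assumed review window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Logon type 2 = interactive, 10 = RemoteInteractive (RDP); network logons (3) are not flagged.
        if ($d.LogonType -in '2', '10' -and $adminNames -contains $d.TargetUserName) {
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName
                               LogonType = $d.LogonType; Source = $d.IpAddress }
        }
    } | Format-Table -AutoSize
```

Accounts with findings are the first candidates for the sprint's elimination step; the remaining, justified set is the one that must get MFA and be administered only from the trusted tier-0 environment.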

Showcase success and create your to-do list

Adopting a “sprint mindset” – quickly applying lessons from breaches and
prioritizing effectively – is one of the most important factors in
achieving rapid risk reduction and making it more difficult for
cybercriminals to carry out their goals. This intensive, 30-day effort to
implement targeted security controls establishes the framework for
everything else that happens through the life of the privileged account
security program. It is the first key metric of success.

Bolstered by this momentum, your team can then turn its attention to the
next leg of the security program journey. This typically involves expanding
the four core controls to more accounts within the enterprise and
increasing the depth of the controls, by eliminating personal privileged
accounts or removing embedded passwords in applications, for example, and
formalizing the program to ensure ongoing maintenance and support for these
new controls.

While starting to sprint can seem overwhelming, a strong start sets the
business up for success, and creates a repeatable framework that can be
used to demonstrate measurable milestones and enterprise resiliency.