Tuesday, May 21, 2013

Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2

I think we as security experts need to stop focusing on who or what will attack us and start acting as if we're already owned. If we started thinking in terms of "I'm already compromised," the security and monitoring of our networks and systems would improve drastically. The original fear of security experts was of being hacked or compromised, but in reality this is happening every day while you're on the clock. If you've ever had malware infect a workstation, you've been breached. That is a small example, but it's true. There are two types of security professionals:
  1. Those that know they’ve been breached.
  2. Those who’ve been breached, but don’t know it.
With that said, we need to start focusing on extrusion detection (a term coined by Richard Bejtlich, @taosecurity) as well as intrusion detection. We talk about security in layers a lot, and this is just another layer for detecting threats. The problem is that we often jump straight to shiny new objects such as Data Loss Prevention (DLP), next-generation firewalls, SIEM, etc. to get the job done. While these are all helpful tools that can certainly improve your ability to spot data being exfiltrated from your network, there are things you can do immediately, with what you already have, to improve your security posture.

Log for Certain Alerts
There are certain events on your domain or network that you know right off the bat are bad news. These should be caught and alerted on right away. Many tools, such as a SIEM, will do this for you, but you still need to know what you're looking for. If you don't currently have a SIEM, you can set up similar alerts from the logs you already collect to warn you of malicious behavior. Here are some examples:
  • Set up an alert every time the Domain Admins group changes (a member added or removed, or the group itself modified). If you're a smaller company there should be a darn good reason this group has just changed. One of the things a bad guy wants is complete control, and if he's already gotten this far it may be too late, but the alert might give you the time needed to shut things down and keep your data from leaving.
  • Set up fake accounts that you think attackers will try to access. An example is an account named "administrator" in Active Directory; I'm assuming and hoping that you've already renamed the original one. On this decoy you can set the lockout threshold really low and alert every time someone tries to log into it. Nobody legitimate should ever use the account, so even a single failed logon is worth a look, and a bad guy looking for low-hanging fruit will tip you off right away. One caveat: renaming the built-in Administrator account does not change its well-known RID (500), so an attacker who enumerates accounts by SID will still find the real one. The decoy catches name-based guessing, not SID-based targeting.
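The two alerts above, as an added PowerShell example that is not part of the original post. It assumes it is run on a domain controller by someone allowed to create accounts and password-settings objects and to read the Security log, with the RSAT ActiveDirectory module installed; the decoy name "administrator" (only valid if the real account has already been renamed) and the PSO name "PSO-DecoyLockout" are assumptions. It enables the audit subcategories that produce the needed events, creates the decoy with a two-attempt lockout via a fine-grained password policy, and then scans the Security log for Domain Admins membership changes and for any failed logon or lockout against the decoy.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Assumed: run on a domain controller
# as a user who can create accounts and PSOs and read the Security log.
# The decoy name 'administrator' and the PSO name 'PSO-DecoyLockout' are assumptions.

$Decoy   = 'administrator'
$PsoName = 'PSO-DecoyLockout'

# --- 1. Make sure the events we will alert on are actually being logged ----------
# Security Group Management: 4728/4732/4756 (member added), 4729/4733/4757 (removed)
# Logon: 4625 (failed logon)      User Account Management: 4740 (account locked out)
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable

# --- 2. Create the decoy account (only if the real one was renamed first) ---------
# Caveat: the real built-in Administrator keeps RID 500 whatever it is called, so this
# decoy only catches attackers guessing by name, not by SID. It is left enabled on
# purpose: a disabled account fails with a different status and never locks out.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Decoy'")) {
    # 40 random printable characters that nobody is told; the decoy is never used.
    $pw = -join ((33..126) | Get-Random -Count 40 | ForEach-Object { [char]$_ })
    New-ADUser -Name $Decoy -SamAccountName $Decoy -Enabled $true `
        -Description 'Built-in account for administering the computer/domain' `
        -PasswordNeverExpires $true `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
}

# --- 3. Fine-grained password policy: lock the decoy after 2 bad passwords ---------
# Precedence 1 wins over the default domain policy for the accounts it is applied to.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 1 `
        -LockoutThreshold 2 -LockoutObservationWindow '1.00:00:00' -LockoutDuration '1.00:00:00' `
        -ComplexityEnabled $true -MinPasswordLength 30 -PasswordHistoryCount 24 `
        -MinPasswordAge '0.00:00:00' -MaxPasswordAge '365.00:00:00' -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Decoy
}

# --- 4. The alert logic: run this from Task Scheduler every few minutes ------------
function Get-SuspiciousEvents {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-10),
        [string]$DecoyAccount = $Decoy
    )
    $memberAdded   = 4728, 4732, 4756
    $memberRemoved = 4729, 4733, 4757
    $ids = $memberAdded + $memberRemoved + 4625 + 4740

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } `
                           -ErrorAction SilentlyContinue   # no matching events is not an error

    foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable of field -> value
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if (($memberAdded + $memberRemoved) -contains $e.Id) {
            # Match the group by its well-known RID (Domain Admins = 512) as well as by
            # name, so a renamed group or a localized OS does not blind the alert.
            if ($d.TargetSid -like 'S-1-5-21-*-512' -or $d.TargetUserName -eq 'Domain Admins') {
                $action = if ($memberAdded -contains $e.Id) { 'added' } else { 'removed' }
                [pscustomobject]@{
                    Time  = $e.TimeCreated; Alert = 'DomainAdminsChange'
                    Who   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    What  = "$action $($d.MemberName)"
                }
            }
        }
        elseif ($e.Id -eq 4625 -and $d.TargetUserName -eq $DecoyAccount) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Alert = 'DecoyLogonAttempt'
                Who  = "$($d.IpAddress) ($($d.WorkstationName))"
                What = "NTSTATUS $($d.Status) / $($d.SubStatus)"
            }
        }
        elseif ($e.Id -eq 4740 -and $d.TargetUserName -eq $DecoyAccount) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Alert = 'DecoyLockedOut'
                Who  = $d.TargetDomainName   # for 4740 this field carries the caller computer name
                What = 'lockout threshold reached'
            }
        }
    }
}

# Anything returned deserves a human's attention; replace Write-Warning with your own
# notification (Send-MailMessage, a webhook, a ticket) once you have one.
Get-SuspiciousEvents | ForEach-Object {
    Write-Warning ("{0:u} {1} by {2}: {3}" -f $_.Time, $_.Alert, $_.Who, $_.What)
}
```

Steps 1 to 3 only need to run once; step 4 is the part to schedule, with the -Since window set a little longer than the schedule interval so nothing falls between runs. If you later stand up a SIEM, the same event IDs and field names are what you would write the correlation rules against.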
Read the rest of the article, including other tips, here at Algosec:
