My son graduated high school.
The 4th of July is our country's 247th birthday.
It is time to make some noise!
Besides the fireworks on the 4th, we must focus on configuring our networks to force attackers to be as noisy as possible. If they are lurking somewhere trying to map your network and launch an attack, we want them to stand out so they can be killed quickly.
The new reality of these Volt Typhoon "Living off the Land"-style attacks is that the attacker tries to move quietly around your network, leveraging the standard, built-in network tools to map out their attack.
The first thing we need to do is some basic hardening. We don't want the bad guys to hide because we haven't completed some simple, inexpensive tasks.
The more aggressive we force an attacker to be, the more likely it is that some part of our network protection strategy will alert us. A noisy attacker finds it much harder to wander around in secret.
Attackers despise having to get more aggressive. They know the noisier they are, the more likely they are to be found out quickly. Knowing they are going to be found out, they often get frustrated and give up.
Here are a few ways you can start making it harder to hide:
- Ensure you keep up with all your OS and third-party critical and security patches on all endpoints and servers. An attacker can quickly run a vulnerability scan against a device they are attached to. In minutes, they can know exactly which software has vulnerabilities leading to local admin privileges and exploit them. With local admin rights, they can launch a pass-the-hash attack, and an attacker with local admin access *WILL* ultimately derive domain admin access. Once they have domain admin access, you are probably dead in around 4 hours.
- Make sure attackers can't hide DNS queries by relaying them through neighboring computers.
- Make sure you turn off weak encryption (i.e., everything below TLS 1.2).
- Make sure you turn off SMBv1.
- Make sure all your endpoints have a current, functioning EDR product.
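As an added example (not code from this post or from the author's services), here is a read-only PowerShell audit for two items on the list above, SMBv1 and pre-1.2 TLS, on a single Windows host. The function names and the non-zero exit convention are my own choices; it assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the original post: report whether this host still
# has SMBv1 or any TLS/SSL protocol below 1.2 enabled. Read-only; changes nothing.

function Test-Smb1Disabled {
    # SMBv1 can exist both as an optional Windows feature and as an enabled
    # protocol on the SMB server, so both are checked.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $featureOff = ($null -eq $feature) -or ($feature.State -ne 'Enabled')
    $serverOff  = ($null -eq $server) -or (-not $server.EnableSMB1Protocol)
    [pscustomobject]@{
        Check  = 'SMBv1 disabled'
        Pass   = $featureOff -and $serverOff
        Detail = "OptionalFeature=$($feature.State); EnableSMB1Protocol=$($server.EnableSMB1Protocol)"
    }
}

function Test-WeakTlsDisabled {
    # Schannel treats Enabled=0 plus DisabledByDefault=1 under these keys as "off".
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $base "$proto\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing key means the OS default applies, which on older builds
            # still allows the protocol, so only an explicit disable counts as a pass.
            $explicitlyOff = $props -and ($props.Enabled -eq 0) -and ($props.DisabledByDefault -eq 1)
            [pscustomobject]@{
                Check  = "$proto $side disabled"
                Pass   = [bool]$explicitlyOff
                Detail = if ($props) { "Enabled=$($props.Enabled); DisabledByDefault=$($props.DisabledByDefault)" } else { 'key absent (OS default)' }
            }
        }
    }
}

$results = @(Test-Smb1Disabled) + @(Test-WeakTlsDisabled)
$results | Format-Table Check, Pass, Detail -AutoSize
# Non-zero exit lets a scheduled task or RMM job flag hosts that still fail.
if ($results.Pass -contains $false) { exit 1 }
```

Run it from your RMM or a scheduled task and collect the exit code; any host that exits 1 is one where an attacker can still use the quiet, legacy protocols this list is meant to remove.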
If you have enough time to review and implement the appropriate controls, you can do all of that for free.
If you don't have the patience, the brain space, or the staff to implement and keep up with all this work, we have some solutions that allow us to identify and manage these issues:
- Our CyberCNS Advisory Service will identify OS and third-party vulnerabilities and prescribe the appropriate software patches. It will also identify less secure protocols and encryption levels.
- Our OS and VMware patch management services can help take much of this burden off your staff.
- Our EDR products, such as CSEDR, CSMDR, and Managed XDR, provide increasing levels of protection and Security Operation Center (SOC) oversight.
Enjoy the Fourth and the fireworks. Once you get back to work, let's discuss how we can make an attacker a very noisy, uninvited guest that can be quickly shut down and killed before any damage can be done.
Give us a call.
-Scott Quimby, CISSP