
Vulnerabilities / Threats

10/22/2015
Jeff Schilling
Commentary

To Find The Needle, Chop Down the Haystack: 5 Steps For Effective Threat Monitoring

Would bank security screen everyone entering the building then leave the vault door open with no one watching the money? Of course not!

At what point does the proverbial “haystack” get too big to find the “needles”? Many of the best security teams have hit that breaking point. They simply have too many sources and event types to process. It’s impossible to manage information at this scale and accurately decide which are truly the important events requiring action.

It is time to narrow the aperture of data collection in your environment. This removes as much “hay” from the “haystack” as possible and allows the “needles” to come to the surface. To do this, I recommend a five-step process.

Step 1: Consider Your Environment Contested Space
The banking industry has become quite good at fighting fraud from their customer base by operating as if their customers’ home systems are contested. Banks and financial institutions also have placed advanced login analytics on their online banking sites and highly encourage two-factor authentication for customers.

Enterprise IT teams can take this same approach to protecting data from compromised employee systems. In fact, most have even more control by ensuring their hosts are using hardened, updated operating systems and are following sound patch management processes. (That said, if an organization still has instances of Microsoft Windows XP in the user environment, it will live in a constant state of compromise.)

If you execute on this strategy, many (or all) of the host-level security events detected can fall to the cutting-room floor, because you already assume your user devices are compromised. This is a very effective strategy for companies supporting a mixture of BYOD, corporate-provided devices and Internet of Things (IoT) solutions.

Step 2: Ensure Proper Remote Access Authentication
Remote access is only safe through multifactor authentication. Period. No exceptions. Most successful advanced persistent threat (APT) attacks over the last four years have used this vector to such an extent that once they have a remote user account (normally username and password), threat actors pull back their tools and just log in as a valid user with elevated privileges.

Some will argue that multifactor is no longer effective; that it is merely a speed bump. I review every intrusion I hear about where multifactor is allegedly compromised. In each case, there was a mistake in how the multifactor authentication controls were applied. The threat actors took advantage of the flawed implementation.  

When properly implemented, multifactor authentication presents a significant challenge for attackers. It eliminates the need to track all remote user login activity and lets you focus on specific events, narrowing the “haystack.”

Step 3: Take Control of Elevated Privileges
Threat actors are compromising elevated privileges and creating accounts with admin rights at will. This, in turn, requires security teams to closely monitor login activity at critical points in the infrastructure. This generates an astounding number of events to assess.  

For access to critical systems, all admin users should be required to log in via a proven method of multifactor authentication to a single “jump host” (e.g., a bastion host). From the jump host, admins should connect to a permission access manager (PAM) that monitors and records all activity. This method also helps limit elevated access to the amount of time the administrator needs to accomplish the task.

In short, we should eliminate any and all scenarios where elevated privileges are open-ended and unmanaged.
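To make the time-bounded, fully recorded elevation model in Step 3 concrete, here is a small broker written for this article (it is an added example, not code from the author or from any PAM product). It assumes a hypothetical `ElevationBroker` that only issues a grant after multifactor authentication has been verified upstream, caps every grant at a configurable lifetime, and writes one audit record per decision so that nothing privileged happens outside a recorded, expiring session.

```python
"""Toy privilege-elevation broker (constructed example).

Every elevated session is granted for a bounded time, every command run
under it is recorded, and anything outside a live grant is denied and
logged. Real PAM tooling does far more; this shows the core policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    admin: str
    target: str
    expires_at: datetime
    actions: list = field(default_factory=list)  # (timestamp, command) pairs


class ElevationBroker:
    def __init__(self, max_minutes: int = 60):
        # Hard ceiling on any grant, regardless of what the admin asks for.
        self.max_minutes = max_minutes
        self.grants: dict[tuple[str, str], Grant] = {}
        self.audit: list[tuple[str, str, str, str]] = []  # (decision, admin, target, detail)

    def request(self, admin: str, target: str, minutes: int,
                mfa_verified: bool, now: datetime):
        """Issue a time-bounded grant; refuse outright without verified MFA."""
        if not mfa_verified:
            self.audit.append(("DENY", admin, target, "mfa_required"))
            return None
        ttl = min(minutes, self.max_minutes)
        grant = Grant(admin, target, now + timedelta(minutes=ttl))
        self.grants[(admin, target)] = grant
        self.audit.append(("GRANT", admin, target, f"ttl={ttl}m"))
        return grant

    def run(self, admin: str, target: str, command: str, now: datetime) -> bool:
        """Allow a command only inside a live grant; record it either way."""
        grant = self.grants.get((admin, target))
        if grant is None:
            self.audit.append(("DENY", admin, target, f"no_grant:{command}"))
            return False
        if now >= grant.expires_at:
            # Expired grants are removed so access never lingers open-ended.
            del self.grants[(admin, target)]
            self.audit.append(("DENY", admin, target, f"expired:{command}"))
            return False
        grant.actions.append((now, command))
        self.audit.append(("EXEC", admin, target, command))
        return True


def demo() -> list[tuple[str, str, str, str]]:
    """Walk one admin through a session and return the audit trail."""
    t0 = datetime(2015, 10, 22, 11, 0, tzinfo=timezone.utc)
    broker = ElevationBroker(max_minutes=30)
    broker.request("alice", "db01", 120, mfa_verified=False, now=t0)
    broker.request("alice", "db01", 120, mfa_verified=True, now=t0)  # capped to 30m
    broker.run("alice", "db01", "systemctl restart db", t0 + timedelta(minutes=5))
    broker.run("alice", "db01", "vacuum analyze", t0 + timedelta(minutes=31))
    broker.run("bob", "db01", "id", t0)  # bob never requested a grant
    return broker.audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The point of the cap in `request` is that the administrator's own estimate never extends the session beyond policy; the audit list is what a SIEM would ingest instead of raw login events from every critical host.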

Step 4: Direct Traffic
Shape your network traffic to filter out as much known malicious traffic “on the wire” as you can without impacting business. This may be effectively achieved via an aggressive Internet protocol address reputation management (IPRM) program. Such an approach will help limit the amount of bad traffic — sometimes by as much as a factor of 10 — that layered security devices must inspect. 

Step 5: Learn from ‘Successful’ Events
No security posture is 100 percent impenetrable. But for events that do circumvent established controls, it’s critical to learn from the experience. By turning an eye toward network-layer events, we can better understand what’s successful against a given environment. Monitoring “traffic blocked” messages from the firewall provides little context and can serve to distract from real issues. Truly dissecting and studying successful events will serve organizations far better in the long run.
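Steps 4 and 5 together describe a triage rule: shape out known-bad sources on the wire, stop spending analyst time on “traffic blocked” messages, and study the events that actually got through. The following script, added here as an illustration rather than taken from the article or any vendor product, runs that rule over a handful of constructed firewall log lines. The log format, the reputation ranges (documentation-only addresses) and the critical-asset list are all assumptions made for the example.

```python
"""Chop down a firewall-log haystack (constructed example).

Policy demonstrated:
  * BLOCK events are dropped as low-context noise (Step 5).
  * ALLOW events from sources on the IP-reputation list are kept and
    flagged: they are exactly what the on-the-wire filter should have
    stopped (Step 4), so they deserve study.
  * ALLOW events reaching critical assets are kept for review.
  * Everything else is routine and is counted but not surfaced.
"""
import ipaddress
import re
from collections import Counter

# Assumed reputation feed; these are RFC 5737 documentation ranges.
BAD_REPUTATION = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Assumed critical assets (e.g. a database server) for this example.
CRITICAL_ASSETS = {"10.0.5.10"}

# Assumed log format: "<ts> <ALLOW|BLOCK> src=<ip> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2015-10-22T10:00:01Z BLOCK src=203.0.113.5 dst=10.0.1.20:445
2015-10-22T10:00:02Z BLOCK src=203.0.113.9 dst=10.0.1.20:3389
2015-10-22T10:00:03Z ALLOW src=192.0.2.44 dst=10.0.1.20:443
2015-10-22T10:00:04Z ALLOW src=203.0.113.77 dst=10.0.5.10:1433
2015-10-22T10:00:05Z BLOCK src=198.51.100.7 dst=10.0.5.10:22
2015-10-22T10:00:06Z ALLOW src=192.0.2.10 dst=10.0.5.10:1433
2015-10-22T10:00:07Z ALLOW src=192.0.2.11 dst=10.0.1.21:80
this line is not a firewall event"""


def parse(line: str):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bad_reputation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_REPUTATION)


def triage(lines):
    """Return (events worth studying, counters describing the reduction)."""
    stats = Counter()
    keep = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        if ev["action"] == "BLOCK":
            stats["dropped_block"] += 1      # the control worked; little to learn
            continue
        if is_bad_reputation(ev["src"]):
            ev["reason"] = "allowed_from_bad_reputation"  # wire filter gap
        elif ev["dst"] in CRITICAL_ASSETS:
            ev["reason"] = "allowed_to_critical_asset"
        else:
            stats["dropped_routine"] += 1
            continue
        stats["kept"] += 1
        keep.append(ev)
    return keep, stats


if __name__ == "__main__":
    kept, stats = triage(SAMPLE_LOG.splitlines())
    print(dict(stats))
    for ev in kept:
        print(ev["reason"], ev["src"], "->", ev["dst"], ev["port"])
```

On the sample input seven events parse, three are dropped as blocks, two as routine, and only two reach an analyst: the successful connection from a bad-reputation source (which should be fed back into the wire-level filter) and the legitimate-looking but sensitive connection to the database. The counters are the “factor of reduction” the article talks about, measured rather than guessed.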

Unfortunately, many security departments expend too much time and energy managing alerts from their user base, remote access, elevated privilege use and network traffic. As a result, they have little time to focus on the most important events occurring on critical applications and databases, events that overload security information and event management (SIEM) systems or mask real issues. Would a bank security-screen everyone entering the building and then leave the vault door open with no one watching the money? Of course not. That is why it’s critical we fine-tune our focus.


Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ...

Comments

RyanSepe
User Rank: Ninja
10/22/2015 | 2:53:31 PM
3. Elevated Account Permissions
Even with RBAC you run the risk of things being lost in transition unless you have a CMDB. When someone transitions, especially in larger companies, their transition may not be well represented at the account level if their superior did not follow the proper protocols, etc.

My RFC is: of those of you who have used a CMDB first-hand, what was your experience? Success stories, pain points, etc.