When operating IT systems it is important to design-in security, to “minimise the attack surface”, but it is also important to monitor activity for potential breaches so that any failures can be addressed before significant damage is done.
Vulnerability Scanning
It is worthwhile to try to find vulnerabilities and deal with them before an attacker does. Vulnerability scans are an automated approach using specialist software and commercial databases of vulnerabilities. Penetration testing involves hiring a specialist penetration tester who can perform more detailed tests, where each step can take into account the results of previous steps.
Vulnerability Scans
- Identify scan targets
- Determine frequency (each scan takes up resources)
- passive vs active (passive – watch traffic, active – send probing data)
- scope
- network scans vs credentialed scans (credentialed more powerful)
- server based vs agent scans
- scan perspective (internal / external / in DMZ)
Penetration Testing
4 stages of penetration testing
- Planning – timing, scope of tests, gain written authorisation
- Discovery – network & port scans, vulnerability scans, publicly available (web) information
- Attack – exploit vulnerability / gain access, privilege escalation, browse, install tools / rootkit
- Report – report to client on activity
Types of Vulnerability Found
- missing patches
- old operating systems
- buffer overflows
- privilege escalation
- arbitrary code execution
- insecure protocols
- debugging mode
Remediation (corrective action) Prioritisation
- criticality of system
- effort required
- severity of vulnerability
- exposure (internal vs external)
Logging / Audit
- Key to visibility: without logs there is no knowledge of what has happened or is happening
- Network logs: firewall, IDS/IPS, routers, web servers
- Application logs
- Server logs
- Wise to centralise logs for access and analysis
- Need to actively monitor
- SIEM: security information and event management
- log collector (from applications & network equipment)
- log aggregation
- correlation engine → alerts
- reports
- packet capture (link to the likes of Wireshark https://www.wireshark.org/)
- user behaviour analysis (e.g. logging on at odd times / more often)
- sentiment analysis
- security monitoring → alerts
- triggers (e.g. call script to update configuration after 5 connection failures)
- event deduplication
- WORM (Write once read many times) – no updates
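The correlation, trigger and event deduplication items above, as an added example that is not part of the original notes: a small correlation rule that drops re-delivered records and then alerts once per source after 5 connection failures inside a time window. The log line format, the 60-second window and the function name correlate are assumptions made for this example; the input is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw01 CONN_FAIL src=203.0.113.7 dst=10.0.0.5 port=22
2024-05-01T10:00:03 fw01 CONN_FAIL src=203.0.113.7 dst=10.0.0.5 port=22
2024-05-01T10:00:04 fw01 CONN_FAIL src=198.51.100.9 dst=10.0.0.8 port=443
2024-05-01T10:00:04 fw01 CONN_FAIL src=198.51.100.9 dst=10.0.0.8 port=443
2024-05-01T10:00:04 fw01 CONN_FAIL src=198.51.100.9 dst=10.0.0.8 port=443
2024-05-01T10:00:06 fw01 CONN_FAIL src=203.0.113.7 dst=10.0.0.5 port=22
2024-05-01T10:00:09 fw01 CONN_FAIL src=198.51.100.9 dst=10.0.0.8 port=443
2024-05-01T10:00:10 fw01 CONN_OK src=10.0.0.20 dst=10.0.0.5 port=22
2024-05-01T10:00:12 fw01 CONN_FAIL src=203.0.113.7 dst=10.0.0.5 port=22
2024-05-01T10:00:15 fw01 CONN_FAIL src=198.51.100.9 dst=10.0.0.8 port=443
2024-05-01T10:00:20 fw01 CONN_FAIL src=203.0.113.7 dst=10.0.0.5 port=22
2024-05-01T10:00:21 fw01 CONN_FAIL src=203.0.113.7 dst=10.0.0.5 port=22
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) src=(?P<src>\S+) dst=\S+ port=\d+$")

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Deduplicate records, then alert once per source on `threshold` failures in `window`."""
    seen, alerted, alerts = set(), set(), []
    recent = defaultdict(deque)          # src -> failure timestamps inside the window
    for line in (raw.strip() for raw in lines):
        m = LINE_RE.match(line)
        if not m or line in seen:        # skip unparsable lines and exact re-deliveries
            continue
        seen.add(line)                   # assumption: identical line == same event
        if m["event"] != "CONN_FAIL":
            continue
        ts, q = datetime.fromisoformat(m["ts"]), recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])        # a SIEM would call its trigger script here
            alerts.append({"src": m["src"], "failures": len(q), "at": m["ts"]})
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG.splitlines()))
```

Without the deduplication step, 198.51.100.9 would also reach five records, three of which are copies of the same event.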
Incident Management
Incident Response
- Preparation – e.g. Risk Assessments, prepare playbooks & runbooks
- Identification – spotting an anomaly using logs & alerts, indicators of compromise
- Containment – isolate / cut-off the source of the problem
- Eradication – remove the problem
- Recovery – return to operable state (restore from back-up necessary?)
- Lessons Learnt
Policy (highest level) → Procedures → Playbooks → Runbooks (most detailed)
Indicators of compromise
- High network bandwidth usage
- High CPU utilisation
- High memory use
- Beaconing (unexpected outbound network connections)
- Unexpected outbound transfers
- Disk capacity overflow
- File system changes (unexpected 777 permissions)
- Windows: resmon & perfmon, registry changes
- Malware alerts
- Server restarts
- Memory overflows
SOAR (security orchestration, automation & response)
- Central management of threat & vulnerability scans
- Manages incident response
- Automates security operations
Managed Security Service Provider
Smaller organisations will have difficulty keeping the skills available to perform all these tasks. They may well outsource infosec operations to a managed security service provider that performs:
- patch management
- vulnerability scanning
- spam & anti-virus filtering
- data loss prevention
- VPN connections
- proxy services & web content filtering
- IPS/IDS
- Unified threat management / advanced firewalls