When the 2017 Verizon Data Breach Investigations Report (DBIR) came out last week, I read through it like I do every year. Each time I go through the report, I challenge myself to find something new and interesting. This year, I was intrigued by the "Things to consider" and "Areas of focus" at the end of each section. These two blurbs gave tips on either how to prevent the attacks from hitting a specific industry or how to protect against a specific incident type. Interestingly enough, none of the recommendations are very complex. In fact, most of them are part of the basic foundational controls found in the CIS Top 20 Critical Security Controls. Upon seeing this, I went through and mapped out every recommendation in their report to one of the Top 20 Controls. Even though all of the controls are critical by name, I gathered the top six into three categories: critical, important and moderate. Don't be fooled by my naming convention; this was a simple exercise of putting them into buckets based on how often they are found in the DBIR.
Critical Controls
CIS 4.5 – Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.
The importance of installing patches is clear. Attackers are going to go after known vulnerabilities first – no sense in wasting a good zero-day exploit if the victim has failed to install basic patches. Getting patches installed comes up so often in the DBIR because it is a component of so many successful attacks. One of the interesting statistics from the report was the "time to patch" data. Unsurprisingly, education ranked last in getting patches installed on time. These departments are often underfunded, if funded at all, to tackle a continuous problem like getting patches installed. What I did find surprising was that Finance was the second lowest-ranked market for time to patch. Considering that this is a targeted market with a lot at stake, I would have expected it to rank higher. What this data shows is that the finance market has many other compensating controls in place to reduce its risk. One such control is the use of robust vulnerability scanning tools to provide insight into the exploitability and criticality of vulnerabilities across the environment. Just because a patch isn't installed doesn't mean that the system is exploitable.
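The distinction between "unpatched" and "exploitable" is easier to see with a concrete prioritisation rule. The following is an added example, not code from the DBIR or the CIS controls: it scores each vulnerability-scan finding on raw severity, whether an exploit is publicly known, whether the host is internet-facing, and whether a compensating control is in place, and then maps the score to a remediation deadline. The weights, the SLA thresholds and the findings themselves are constructed assumptions for illustration; the identifiers are placeholders, not real CVEs.

```python
"""Patch prioritisation from vulnerability-scan findings (added illustration).

Scores each finding on criticality, exploitability and exposure, then assigns
a time-to-patch deadline. Weights, SLA values and sample findings are assumed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str                    # placeholder identifiers, not real CVEs
    cvss: float                 # base severity, 0.0 to 10.0
    exploit_public: bool        # a working exploit is known to exist
    internet_facing: bool       # reachable from the internet
    compensating_control: bool  # e.g. IPS signature, vulnerable feature disabled


def priority_score(f: Finding) -> float:
    """Weight raw severity by whether the flaw is actually reachable and exploitable."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.5
    if f.compensating_control:
        score *= 0.5  # unpatched is not the same as exploitable
    return round(min(score, 10.0), 1)


def patch_deadline_days(score: float) -> int:
    """Map a priority score to a time-to-patch SLA (assumed policy values)."""
    if score >= 9.0:
        return 7
    if score >= 7.0:
        return 30
    if score >= 4.0:
        return 90
    return 180


def prioritise(findings):
    """Return (host, cve, score, deadline_days) tuples, most urgent first."""
    rows = []
    for f in findings:
        score = priority_score(f)
        rows.append((f.host, f.cve, score, patch_deadline_days(score)))
    rows.sort(key=lambda r: (-r[2], r[3]))
    return rows


# Constructed sample scan output
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-0000-0001", 7.5, True, True, False),   # exposed and exploitable
    Finding("db01", "CVE-0000-0002", 9.8, False, False, True),   # critical, but internal and mitigated
    Finding("app02", "CVE-0000-0003", 5.0, True, False, False),  # medium, exploit available
    Finding("kiosk03", "CVE-0000-0004", 4.0, False, False, False),
]

if __name__ == "__main__":
    for host, cve, score, days in prioritise(SAMPLE_FINDINGS):
        print(f"{host:8} {cve:14} score={score:4}  patch within {days} days")
```

Note how the internal, mitigated critical (db01) drops below the internet-facing high (web01): the compensating control does not remove the need to patch, but it changes the order in which the work gets done.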
CIS 5.6 – Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.
Two-Factor or Multi-Factor Authentication is absolutely critical for any entity that is serious about security. So many high-profile breaches could have been prevented by having two-factor authentication, even if only on internet-facing systems. If your organization hasn't implemented 2FA/MFA yet, I recommend starting with the VPN service. Looking at breaches such as Target or the Office of Personnel Management, having two-factor authentication on the VPN would have stopped the attack or at the very least made it much more difficult. The reason this critical control isn't in place everywhere is captured by a statement in the DBIR:
"It may be easier for them to notify and force password changes than to implement two-factor authentication, conduct penetration testing, or ensure the Content Management Platform is up to date." – Verizon 2017 DBIR page 25
Important Controls
CIS 3.5 – Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).
File Integrity Monitoring is a core component of detecting even the most sophisticated attacks. Whether it is traditional malware or advanced fileless malware creating persistence, something somewhere will be written to the file system. This is particularly interesting in low-change environments, such as retail and industrial. When new files are being placed on one of these systems, it usually warrants a second look. Being able to detect change in real time and determine whether the change is business as usual or something odd will go a long way in your security program.
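To make the control concrete, here is an added example (not a tool from the page or from CIS) of the core of a file-integrity check: it snapshots the hash, size, mode and owner of every regular file under a directory, diffs a later snapshot against that baseline, and reports new, removed, content-changed and metadata-changed files separately, while routing paths that match an expected-change allow-list (log files, in this case) into a "routine" bucket as CIS 3.5 asks. The `demo()` function builds a throwaway directory tree inline, so nothing here touches real system files; the tree layout and the simulated changes are constructed.

```python
"""Minimal file-integrity baseline and change classification (added example)."""
import hashlib
import os
import stat
import tempfile
from fnmatch import fnmatch


def snapshot(root: str) -> dict:
    """Return {relative_path: (sha256, size, mode_bits, uid, gid)} for regular files."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root)
            baseline[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return baseline


def diff_snapshots(old: dict, new: dict, expected=()) -> dict:
    """Classify each change; paths matching an expected-change pattern are routine."""
    report = {"added": [], "removed": [], "content": [], "metadata": [], "routine": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            kind = "added"          # extra file in a key area
        elif path not in new:
            kind = "removed"
        elif old[path][0] != new[path][0]:
            kind = "content"        # bytes changed
        elif old[path][2:] != new[path][2:]:
            kind = "metadata"       # mode or owner changed, bytes did not
        else:
            continue
        if any(fnmatch(path, pat) for pat in expected):
            report["routine"].append((path, kind))
        else:
            report[kind].append(path)
    return report


def demo() -> dict:
    """Build a constructed tree, baseline it, apply four changes, return the diff."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "log"))
    for rel, text in (("bin/service", "original binary\n"),
                      ("bin/helper", "helper\n"),
                      ("log/app.log", "line 1\n")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    base = snapshot(root)

    # Simulated changes: altered binary, dropped file, setuid bit added, log growth
    with open(os.path.join(root, "bin", "service"), "w") as fh:
        fh.write("tampered binary\n")
    with open(os.path.join(root, "bin", "dropped"), "w") as fh:
        fh.write("unexpected\n")
    os.chmod(os.path.join(root, "bin", "helper"), 0o4755)
    with open(os.path.join(root, "log", "app.log"), "a") as fh:
        fh.write("line 2\n")
    return diff_snapshots(base, snapshot(root), expected=("log/*",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The allow-list is what keeps this usable in practice: a log directory changes constantly and should never page anyone, while a permission change on a binary in a low-change retail or industrial host is exactly the "second look" the paragraph describes.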
CIS 5.1 - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
Systems administrators have the power to control the entire company. In order to perform their duties, they need unfettered access to the systems supporting the business. This access makes them a prime target for attackers trying to reach confidential information. Part of what makes this a popular recommendation in the DBIR is the concept of separation of duties and the concept of least privilege. Giving employees access only to what they need to perform their jobs reduces the risk that a compromised user account can take control of the entire network. The next step beyond controlling user permissions is logging everything administrative accounts do. This serves as an early detection mechanism for account abuse and is incredibly valuable when responding to potential incidents later on.
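The "focused auditing" half of CIS 5.1 is straightforward to prototype against the logs most Unix hosts already produce. The following added example (not from the page) parses standard `sudo` syslog lines, which record the original logged-in account rather than the target user, and raises three kinds of alert: privilege use by an account that is not on the approved administrator list, escalation to an interactive root shell, and administrative activity outside business hours. The approved-admin set, the business-hours window and the log lines are constructed assumptions.

```python
"""Audit of administrative privilege use from sudo syslog lines (added example)."""
import re
from collections import Counter

# Standard sudo log format: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

APPROVED_ADMINS = {"alice", "bob"}   # assumed: accounts allowed to hold admin rights
ROOT_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/su"}
BUSINESS_HOURS = range(7, 19)        # assumed: 07:00 to 18:59 local time


def parse_sudo(line: str):
    """Return the structured fields of a sudo line, or None for any other log line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def audit(lines):
    """Parse sudo events, count privilege use per invoking account, and flag anomalies."""
    events = [e for e in (parse_sudo(line) for line in lines) if e]
    alerts = []
    for e in events:
        hour = int(e["ts"][-8:-6])
        program = e["cmd"].split()[0]
        if e["user"] not in APPROVED_ADMINS:
            alerts.append(("unapproved-admin", e["user"], e["cmd"]))
        if program in ROOT_SHELLS:
            alerts.append(("root-shell", e["user"], e["cmd"]))   # hard to audit what follows
        if hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", e["user"], e["cmd"]))
    return {
        "events": events,
        "per_user": Counter(e["user"] for e in events),  # the original account, not 'root'
        "alerts": alerts,
    }


# Constructed sample log; the sshd line shows that non-sudo records are ignored
SAMPLE_LOG = [
    "Mar 12 09:14:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 12 09:20:31 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Mar 12 10:02:00 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 12 23:41:02 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
    "Mar 12 23:41:05 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("privilege use per account:", dict(result["per_user"]))
    for alert in result["alerts"]:
        print("ALERT", *alert)
```

Counting by the invoking user rather than by `USER=root` is the point the control makes about identifying who made the change: every escalated command stays attributable to a named person, which is what makes the record useful during incident response.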
Moderate Controls
CIS 5.3 - Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
What we're trying to accomplish here is changing default passwords. While this is more of an issue in the consumer world, it can still plague enterprises as well. Even though this is a frequently stated recommendation in the DBIR, I would say that for enterprises the more important control to consider is CIS 5.6, which was included above. Where two-factor or multi-factor authentication isn't feasible, implement CIS 5.7 instead. This control simply states that you should be using long and complex passwords, which is good advice even if you do implement 2FA/MFA.
CIS 3.1 - Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
Secure Configuration Management is an easy win for most organizations. The Center for Internet Security provides benchmarks for a plethora of operating systems, applications, and devices that give guidance on proper hardening configurations. These are drawn from experienced incident responders and industry experts on how to prevent attacks seen in the real world. While it can be a painstaking task to do this manually, tools are available to make it an easy process.
I spend quite a bit of time looking at attacks, determining how they worked and the lessons we as an industry can learn from them. My research is confirmed by the findings of the DBIR. Foundational controls really do work. Just implementing the first five controls can prevent 85% of the most common cyber attacks. Implementing all 20 controls will prevent 97% of the most common cyber attacks, all by following guidelines that are at your disposal. I'm curious to hear from everyone else who reads the DBIR, even if this is your first time. What are your key takeaways from this wealth of knowledge?
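Validating a host against a standard secure configuration is mostly parsing and comparison, and the parsing has traps of its own. The following added example (mine, not a CIS benchmark tool) reads an `sshd_config`-style file and checks it against a small baseline. It respects two rules of that format that naive checkers get wrong: `sshd` keeps the first value when a directive appears twice, and anything after a `Match` line is conditional and must not be treated as the global setting. The baseline is an illustrative subset modelled on common SSH hardening guidance, not the benchmark text; the sample config is constructed.

```python
"""Check an sshd_config-style file against a hardening baseline (added example)."""
import re

# Illustrative baseline: directive -> (predicate on the value, human-readable expectation).
# These mirror common SSH hardening recommendations but are not a benchmark's wording.
BASELINE = {
    "PermitRootLogin": (lambda v: v == "no", "no"),
    "PasswordAuthentication": (lambda v: v == "no", "no"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "4 or less"),
    "LogLevel": (lambda v: v in ("info", "verbose"), "INFO or VERBOSE"),
}


def parse_sshd_config(text: str) -> dict:
    """Return global directives as {lowercase_key: value}.

    Stops at the first 'Match' block, because directives after it only apply
    conditionally, and keeps the first occurrence of a key, as sshd does.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)            # first value wins
    return settings


def check(settings: dict, baseline: dict = BASELINE) -> list:
    """Return (directive, observed, expected) for every baseline item not satisfied."""
    findings = []
    for key, (ok, expected) in baseline.items():
        observed = settings.get(key.lower())
        if observed is None:
            findings.append((key, "<not set: compiled-in default applies>", expected))
        elif not ok(observed.lower()):
            findings.append((key, observed, expected))
    return findings


# Constructed sample configuration with the two parsing traps built in
SAMPLE_CONFIG = """\
# constructed sshd_config for illustration
Port 22
PermitRootLogin yes
PermitRootLogin no        # duplicate: sshd keeps the first value, so 'yes' is in force
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
Match User deploy
    PasswordAuthentication yes   # conditional, must not override the global 'no'
"""

if __name__ == "__main__":
    for directive, observed, expected in check(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"FAIL {directive}: observed {observed!r}, expected {expected}")
```

The same structure (parse to a normalised dictionary, then evaluate predicates from a baseline) scales to other config formats, and running it on every golden image before release is the "validated and refreshed on a regular basis" part of CIS 3.1.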