SecurityCenter Continuous View and the Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions
September 3, 2014 (Revision 1)

Table of Contents

Introduction
How SecurityCenter Continuous View Can Help
Top 4 Mitigation Strategies
  Mitigation Strategy #1 – Application Whitelisting
  Mitigation Strategy #2 – Patch Applications
  Mitigation Strategy #3 – Patch Operating System Vulnerabilities
  Mitigation Strategy #4 – Restrict Administrative Privileges
Additional Mitigation Strategies
  Mitigation Strategy #5 – User Application Configuration Hardening
  Mitigation Strategy #6 – Automated Dynamic Analysis
  Mitigation Strategy #7 – Operating System Generic Exploit Mitigation
  Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System
  Mitigation Strategy #9 – Disable Local Administrator Accounts
  Mitigation Strategies #12 and #13 – Software-Based Application Firewall
  Mitigation Strategy #14 – Non-Persistent Virtualised Sandboxed Trusted Operating Environment
  Mitigation Strategy #15 – Centralised and Time-Synchronised Logging of Events
  Mitigation Strategy #16 – Centralised and Time-Synchronised Logging of Network Activity
  Mitigation Strategy #17 – Email Content Filtering
  Mitigation Strategy #18 – Web Content Filtering
  Mitigation Strategies #19, #32, and #34 – Web Domain Blacklisting/Whitelisting
  Mitigation Strategy #21 – Workstation and Server Configuration Management
  Mitigation Strategies #22 and #30 – Antivirus Software
  Mitigation Strategy #23 – Deny Direct Internet Access from Workstations
  Mitigation Strategy #24 – Server Application Configuration Hardening
  Mitigation Strategy #25 – Enforce a Strong Passphrase Policy
  Mitigation Strategy #26 – Removable and Portable Media Control
  Mitigation Strategy #27 – Restrict Access to Server Message Block (SMB) and NetBIOS
  Mitigation Strategy #31 – TLS Encryption between E-Mail Servers
  Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System
The Next Steps
  Scanning Methodology
  Continuous Network Monitoring
  Asset Lists
  Analysis and Reporting
Summary
About Tenable Network Security

Introduction

In February 2014, the Australian Signals Directorate (ASD, formerly DSD) updated the publication Strategies to Mitigate Targeted Cyber Intrusions (available here). The publication contains a list of 35 strategies to mitigate targeted cyber intrusions, ranked in order of overall effectiveness. According to ASD, over 85% of the cyber intrusions that ASD responds to could be prevented by following the top four mitigation strategies on the list.

The threat of targeted cyber intrusion has reached an all-time high, and by implementing these mitigations an organisation can reduce the impact to Australia's economic well-being and thereby to all Australian citizens. Organisations have a finite set of resources, so management must use staff and monetary assets to their full potential. The Top 4 mitigation strategies, when implemented as a package, provide a large reduction of risk for a relatively small investment of time, effort, and money. ASD recommends implementing these Top 4 mitigation strategies first on the workstations of users who are most likely to be targeted by cyber intrusions, and then on all workstations and servers across the organisation. As resources become available, ASD recommends selecting and implementing additional mitigation strategies from the remaining 31 on the list until an acceptable level of residual risk is achieved.

ASD notes that organisations should perform continuous monitoring and mitigation, using automated methods to regularly test and measure the effectiveness of the implemented mitigation strategies. As required, additional mitigation strategies should be implemented to further protect information, workstations, servers, and other critical assets.

Tenable Network Security's SecurityCenter Continuous View (SC CV) provides an organisation with a proactive method of discovering cyber intrusions, so the organisation does not have to rely on individual products reporting partial findings.
SC CV provides the unique ability to correlate vulnerabilities, configuration audits, and event logs in a single location, enabling a proactive approach to continuous network monitoring.

The objective of this guide is to demonstrate to Tenable customers and prospective customers how SecurityCenter Continuous View can support and enhance their implementations of the ASD mitigation strategies.

How SecurityCenter Continuous View Can Help

SecurityCenter Continuous View (SC CV) is the market-defining continuous network monitoring platform that provides a unique combination of detection, reporting, and pattern recognition to deliver the most comprehensive and integrated view of network health. SC CV continuously monitors the network to identify vulnerabilities, reduce risk, and ensure compliance, enabling organisations to react to advanced threats, zero-day vulnerabilities, and new regulatory compliance requirements. SC CV offers tight integration with a large number of SIEMs, malware defences, patch management tools, BYOD solutions, firewalls, and virtualization systems, and an API for extending this integration to other devices and applications. Organisations using SC CV have a wide variety of prebuilt dashboards, reports, and assets available to them to aid in network administration, incident response, and reporting.

As an organisation embarks on the journey to implement the ASD Strategies to Mitigate Targeted Cyber Intrusions, SC CV can assist in three main ways.

First, SC CV can discover vulnerabilities and track remediation progress. SC CV uses the Nessus vulnerability scanner to actively detect vulnerabilities, the Passive Vulnerability Scanner (PVS) to passively detect vulnerabilities, and the Log Correlation Engine (LCE) to detect vulnerabilities ascertained from log events. With this information, SC CV can identify the biggest risks across the organisation and assist in prioritising and tracking remediations.

The vulnerability discovery aspect of SC CV is particularly applicable to these mitigation strategies in the ASD document:
- Mitigation Strategy #2 – Patch Applications
- Mitigation Strategy #3 – Patch Operating System Vulnerabilities

Second, SC CV can monitor the network for unauthorized or malicious activity, such as botnet activity, intrusions, data leakage, and suspicious user behaviour. PVS continuously monitors network traffic for suspicious activity, while LCE can accept logs in real time via syslog from PVS and many other network devices and applications, normalize the events, and correlate them to discover unauthorized or malicious activity. Note that if a device or application is not yet supported with normalized events by LCE, the organisation can contact Tenable Customer Support and the LCE team will create appropriate normalization rules.

To gain all relevant log information, the organisation should deploy the Tenable LCE Client to both workstations and servers. Monitoring systems with the LCE Client provides the detailed information the LCE needs to correlate events and discover vulnerabilities. LCE policies can be configured to perform actions such as tailing log files and monitoring files for changes. The LCE Client can also be configured to monitor specific files and directories where log events may be stored.

To optimally monitor network traffic, PVS must be placed in a strategic location; in some cases more than one PVS will be required. The LCE NetFlow Monitor and/or Network Monitor should also be installed in strategic locations. For more detailed information, see the Log Correlation Engine Best Practices.

SC CV retains all the collected log data, so any future analysis, such as forensic analysis, can easily access this log history if needed.

Many mitigation strategies in the ASD document involve monitoring the network to determine if the mitigation strategy is working correctly. The network monitoring aspect of SC CV is particularly applicable to these mitigation strategies:
- Mitigation Strategy #1 – Application whitelisting
- Mitigation Strategy #4 – Restrict administrative privileges
- Mitigation Strategy #6 – Automated dynamic analysis
- Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System
- Mitigation Strategy #9 – Disable local administrator accounts
- Mitigation Strategy #14 – Non-persistent virtualised sandboxed trusted operating environment
- Mitigation Strategy #15 – Centralised and time-synchronised logging of events
- Mitigation Strategy #16 – Centralised and time-synchronised logging of network activity
- Mitigation Strategy #17 – Email content filtering
- Mitigation Strategy #18 – Web content filtering
- Mitigation Strategy #19 – Web domain whitelisting for all domains
- Mitigation Strategy #22 – Antivirus software using heuristics and reputation
- Mitigation Strategy #23 – Deny direct internet access from workstations
- Mitigation Strategy #27 – Restrict access to Server Message Block (SMB) and NetBIOS
- Mitigation Strategy #30 – Signature-based antivirus software
- Mitigation Strategy #32 – Block attempts to access websites by their IP address
- Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System
- Mitigation Strategy #34 – Gateway blacklisting

Third, SC CV can measure compliance, using audit files that cover a wide range of major regulations and other auditable standards. Tenable provides over 500 audit files, available for download from the Tenable Support Portal, in categories such as operating systems, applications, databases, and network devices. Tenable products can be used to audit systems based on SCAP content, and many Tenable audit policies have been certified by the Center for Internet Security (CIS). For more information on using audit files, see the Nessus Compliance Checks: Auditing System Configurations and Content document.

After download, audit files can be customized to match the values defined in the organisation's corporate policies. The organisation can review several audit files and then create a specific audit file that applies directly to its own policies.

When an audit is performed, for each individual compliance check Nessus attempts to determine whether the host is compliant, non-compliant, or whether the result is inconclusive and needs to be verified manually. Unlike a vulnerability check, which only reports if the vulnerability is actually present, a compliance check always reports a result. This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or that it could not be properly tested.

Many mitigation strategies in the ASD document involve verifying that recommended actions have been taken. The compliance measurement aspect of SC CV is particularly applicable to these mitigation strategies:
- Mitigation Strategy #5 – User application configuration hardening
- Mitigation Strategy #7 – Operating system generic exploit mitigation
- Mitigation Strategy #12 – Software-based application firewall, blocking incoming traffic
- Mitigation Strategy #13 – Software-based application firewall, blocking outgoing traffic
- Mitigation Strategy #21 – Workstation and server configuration management
- Mitigation Strategy #24 – Server application configuration hardening
- Mitigation Strategy #25 – Enforce a strong passphrase policy
- Mitigation Strategy #26 – Removable and portable media control
- Mitigation Strategy #31 – TLS encryption between email servers

A few of the mitigation strategies in the ASD document involve actions that SC CV cannot monitor or measure. SC CV will not be able to assist with these mitigation strategies:
- Mitigation Strategy #10 – Network segmentation and segregation
- Mitigation Strategy #11 – Multi-factor authentication
- Mitigation Strategy #20 – Block spoofed emails
- Mitigation Strategy #28 – User education
- Mitigation Strategy #29 – Workstation inspection of Microsoft Office files
- Mitigation Strategy #35 – Capture network traffic

In this guide, the details of how SC CV supports each of the ASD mitigation strategies are described. For some strategies, specific relevant dashboards or components of dashboards are emphasized. For each strategy, a table of additional relevant SC CV resources (components, dashboards, and reports) is displayed. Note that some mitigation strategies are similar enough that SC CV supports their implementation in the same way; these strategies have been combined in this guide.

All of the dashboards, components, and reports mentioned in this guide are available in the SecurityCenter app feed, a store of dashboards, reports, and assets. For each dashboard, component, or report, its category and tags are given so it can be easily found in the feed. These dashboards, components, and reports can be used as provided or custom-tailored as desired.
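The three-outcome semantics described above, as an added example written for this page (this is not Nessus code and not the .audit file format): every compliance check returns exactly one of PASSED, FAILED or WARNING, so a host can always be reported as passed, failed or not testable, whereas a vulnerability check returns a finding only when the flaw is present. The check names, setting keys, predicates and host values are constructed for illustration; the mapping to ASD strategy numbers in the comments is only a loose label.

```python
"""Tri-state compliance evaluation vs. present-only vulnerability findings.
Illustrative code written for this page; not Nessus, not the .audit format."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PASSED, FAILED, WARNING = "PASSED", "FAILED", "WARNING"


@dataclass(frozen=True)
class ComplianceCheck:
    name: str                      # constructed check identifier
    setting: str                   # key expected in the collected host configuration
    expect: Callable[[str], bool]  # predicate over the collected value
    rationale: str                 # why the check exists (loose ASD label)


def evaluate(check: ComplianceCheck, collected: Dict[str, str]) -> str:
    """A compliance check always yields a result.
    PASSED/FAILED when the setting was collected and could be evaluated;
    WARNING when it was not collected or the value cannot be interpreted
    (both cases need manual verification rather than a silent pass)."""
    value = collected.get(check.setting)
    if value is None:
        return WARNING
    try:
        return PASSED if check.expect(value) else FAILED
    except (ValueError, TypeError):
        return WARNING


def audit_host(checks: List[ComplianceCheck], collected: Dict[str, str]) -> Dict[str, str]:
    """One result per check, never a missing entry."""
    return {c.name: evaluate(c, collected) for c in checks}


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    counts = {PASSED: 0, FAILED: 0, WARNING: 0}
    for outcome in results.values():
        counts[outcome] += 1
    return counts


def _version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def vulnerability_check(installed: str, fixed_in: str) -> Optional[str]:
    """Contrast: a vulnerability check reports only when the flaw is present.
    Returns a finding string, or None when there is nothing to report."""
    if _version_tuple(installed) < _version_tuple(fixed_in):
        return f"vulnerable: {installed} is older than fixed version {fixed_in}"
    return None


# Constructed checks, loosely labelled with ASD strategies #25, #7, #27 and #9.
CHECKS = [
    ComplianceCheck("passphrase_min_length", "MinimumPasswordLength",
                    lambda v: int(v) >= 14, "ASD #25 strong passphrase policy"),
    ComplianceCheck("dep_policy", "DEPPolicy",
                    lambda v: v.lower() in ("optout", "alwayson"), "ASD #7 generic exploit mitigation"),
    ComplianceCheck("smb1_disabled", "SMB1Enabled",
                    lambda v: int(v) == 0, "ASD #27 restrict SMB/NetBIOS"),
    ComplianceCheck("local_admin_disabled", "LocalAdministratorEnabled",
                    lambda v: v.lower() == "false", "ASD #9 disable local administrator accounts"),
]

# Constructed collected settings for two hosts (not real scan output).
HOST_HARDENED = {"MinimumPasswordLength": "16", "DEPPolicy": "OptOut",
                 "SMB1Enabled": "0", "LocalAdministratorEnabled": "false"}
HOST_PARTIAL = {"MinimumPasswordLength": "8", "DEPPolicy": "AlwaysOn",
                "SMB1Enabled": "n/a"}   # local admin state was never collected

if __name__ == "__main__":
    for label, host in (("hardened", HOST_HARDENED), ("partial", HOST_PARTIAL)):
        results = audit_host(CHECKS, host)
        print(label, results, summarize(results))
    print(vulnerability_check("1.8.0", "1.8.5"))   # a finding
    print(vulnerability_check("1.9.0", "1.8.5"))   # None: nothing reported
```

The point to carry into a real audit programme is the WARNING bucket: a result the scanner could not evaluate is evidence that the host could not be tested, not evidence that it passed, so it should feed a manual-verification queue rather than being dropped from the report.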

Top 4 Mitigation Strategies

SC CV's ability to continuously monitor the network to identify vulnerabilities, reduce risk, and ensure compliance differentiates Tenable from the competition and provides organisations with the ability to be proactive while implementing the Strategies to Mitigate Targeted Cyber Intrusions. This section provides a detailed overview of how SC CV can help with implementing the Top 4 mitigation strategies.

Figure 1 - ASD Top 4 Mitigation Strategies Dashboard

The ASD Top 4 Mitigation Strategies dashboard provides an organisation with detailed information on the implementation of each of the Top 4 mitigation strategies: application whitelisting, patching applications, patching operating system vulnerabilities, and restricting users with administrative privileges. More details on each of the components on this dashboard are provided in the next few pages with the applicable mitigation strategies.

The ASD Top 4 Mitigation Strategies dashboard and its components are available in the SecurityCenter app feed. The dashboard can be located in the feed by selecting the category Threat Detection & Vulnerability Assessments and then the tags asd, patching, regex, remediation, software, cpe, and accounts.

Read more about the ASD Top 4 Mitigation Strategies dashboard here.

Mitigation Strategy #1 – Application Whitelisting

“Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts, and installers, implemented at least on workstations used by most likely targets.”

The foundation of application whitelisting is knowing what applications are installed within the organisation. SC CV can collect information on installed applications using the List Software tool, and by collecting logs from several sources such as workstations, servers, and enterprise application whitelisting products. The ASD Top 4 Mitigation Strategies dashboard contains components that support the application whitelisting mitigation strategy:

- List of Software - This table lists all software currently discovered on the network. The list can be used to verify that no unauthorized software is installed. A best practice with this component is to create several copies and apply assets or subnets to each, so that the organisation has installed-software details for each segment of the network.

- Software Modification Events - This component provides indicators for several normalized events collected from systems with LCE Clients installed, or from systems from which syslogs were collected. For each indicator, when a pattern match is found the indicator turns purple. Listed below are some examples of normalized events flagged by these indicators:
  - Application Change - The LCE encountered a log indicating that an application had changed.
  - Daily Command Summary - The LCE has generated a report of all commands run in the past day.
  - LCE-Windows Executable Modified - The LCE Client has detected a Windows library file modification.
  - Bit9 - Bit9 Carbon Black is an endpoint protection suite that specializes in application whitelisting technologies.
  - Tripwire - Tripwire Enterprise is a security configuration management suite.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Unknown Process - Known Installed Software
  This component utilizes the List Software tool in SecurityCenter to provide a table of known installed software.
  Feed Category: Threat Detection & Vulnerability Assessments. Feed Tags: software, windows.

File and Directory - Software Installed Events
  This component graphs the last seven days of file and directory change event details.
  Feed Category: Monitoring. Feed Tags: 7 days, compliance.

Software Inventory Report
  This report lists software installed on Windows, Unix, and Linux hosts. Read more here.
  Feed Category: Discovery & Detection. Feed Tags: discovery, software.
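The two checks this section describes, the Software Modification Events indicators and the List of Software comparison, as an added example written for this page (it is not LCE, its normalization rules, or the List Software tool): constructed syslog lines are mapped to normalized event types by assumed patterns, dashboard-style indicators light up when a matching event type is seen, lines that no rule covers are counted separately (the case where a new normalization rule would have to be written), and a discovered-software inventory is compared with an allowlist of approved products and versions. Host names, log lines, product names and the allowlist are all constructed.

```python
"""Normalize raw host logs into event types, drive indicator flags from them,
and compare a discovered-software inventory against an allowlist.
Illustrative code written for this page; not LCE or its rules."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed syslog shape: "<Mon> <day> <hh:mm:ss> <host> <program>: <message>"
SYSLOG = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# Assumed normalization rules for this example; the first matching rule wins.
RULES = [
    ("Windows_Executable_Modified",
     re.compile(r"file (?:modified|changed): (?P<detail>\S+\.(?:exe|dll|sys))", re.I)),
    ("Application_Change",
     re.compile(r"(?:installed|removed|upgraded)[: ]+(?P<detail>\S+)", re.I)),
    ("Bit9_Block",
     re.compile(r"bit9.*?(?:blocked|unapproved).*?(?P<detail>\S+\.exe)", re.I)),
    ("Tripwire_Change",
     re.compile(r"tripwire.*?(?:change|violation)[: ]+(?P<detail>\S+)", re.I)),
]

# An indicator lights up when any of its event types has been seen.
INDICATORS: Dict[str, Set[str]] = {
    "LCE-Windows Executable Modified": {"Windows_Executable_Modified"},
    "Application Change": {"Application_Change"},
    "Bit9": {"Bit9_Block"},
    "Tripwire": {"Tripwire_Change"},
}


def normalize(line: str) -> Optional[Tuple[str, str, str]]:
    """Map one raw line to (host, event_type, detail); None if no rule applies."""
    header = SYSLOG.match(line)
    if not header:
        return None
    msg = header.group("msg")
    for event_type, pattern in RULES:
        m = pattern.search(msg)
        if m:
            return header.group("host"), event_type, m.group("detail")
    return None


def process(lines: Iterable[str]) -> Tuple[List[Tuple[str, str, str]], Dict[str, bool], List[str]]:
    """Normalize a batch; return (events, indicator states, lines no rule covered)."""
    events: List[Tuple[str, str, str]] = []
    unmatched: List[str] = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unmatched.append(line)      # candidate for a new normalization rule
        else:
            events.append(ev)
    seen = {ev[1] for ev in events}
    indicators = {name: bool(types & seen) for name, types in INDICATORS.items()}
    return events, indicators, unmatched


def unauthorized_software(inventory, allowlist: Dict[str, Set[str]]):
    """Compare discovered (host, name, version) rows with an allowlist of
    lower-cased product name -> approved versions ('*' means any version)."""
    findings = []
    for host, name, version in inventory:
        approved = allowlist.get(name.lower())
        if approved is None:
            findings.append((host, name, version, "not on allowlist"))
        elif "*" not in approved and version not in approved:
            findings.append((host, name, version, "version not approved"))
    return findings


# Constructed sample data (not real logs or inventories).
SAMPLE_LOGS = [
    r"Sep  3 10:15:02 ws-0042 LCEClient: file modified: C:\Windows\System32\msvcp.dll",
    r"Sep  3 10:16:44 ws-0042 MsiInstaller: Product installed: putty-0.74",
    r"Sep  3 10:17:01 srv-db01 bit9: Bit9 Agent: execution blocked for C:\Temp\drop.exe",
    r"Sep  3 10:18:30 srv-db01 sshd: Accepted publickey for ops from 10.0.5.2 port 51022",
    r"not a syslog line at all",
]
SAMPLE_INVENTORY = [
    ("ws-0042", "PuTTY", "0.74"),
    ("ws-0042", "7-Zip", "22.01"),
    ("ws-0042", "Microsoft Office", "16.0"),
    ("ws-0042", "TeamViewer", "15.3"),
]
ALLOWLIST = {"putty": {"0.76", "0.78"}, "7-zip": {"*"}, "microsoft office": {"16.0"}}

if __name__ == "__main__":
    events, indicators, unmatched = process(SAMPLE_LOGS)
    for ev in events:
        print("event:", ev)
    for name, on in indicators.items():
        print(f"indicator {name!r}: {'ON' if on else 'off'}")
    print("lines without a normalization rule:", len(unmatched))
    for finding in unauthorized_software(SAMPLE_INVENTORY, ALLOWLIST):
        print("unauthorized:", finding)
```

Two design choices are deliberate. Unmatched lines are kept rather than discarded, because a source that produces no normalized events is indistinguishable from a silent one unless you count what fell through. The allowlist keys on product plus approved versions rather than product name alone, since an approved product at an unapproved (old) version is the gap that strategy #2, patching applications, exists to close.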

Mitigation Strategy #2 – Patch Applications

“Patch applications especially Java, PDF viewer, Flash Player, Microsoft Office, web browsers and web browser plugins including ActiveX. Also patch server applications such as databases that store sensitive information as well as web server software that is Internet accessible.”

This mitigation strategy focuses on application-based vulnerabilities. SC CV uses the Nessu
