By Josh Paape
More than twenty years ago, the National Security Agency conducted an exercise to test the response capabilities of critical Department of Defense information systems in the event of a breach. The exercise was named Operation Eligible Receiver 97, and it concluded with startling results. Using only publicly available hacking techniques, the NSA was able to completely infiltrate the DoD network and gain superuser access to high-priority devices; one of the few documented cases in which the NSA team was stopped short of its target occurred when a Marine noticed suspicious traffic on the network and immediately changed configuration settings to lock down permissions.
After a two-year review of the exercise, recommendations were made for an increased focus on configuration management for all entities. Though best practices were not formally codified, the configuration management practices within compliance frameworks reflect the results of the exercise. These frameworks include NIST 800-53 and Security Technical Implementation Guides (STIGs).
Operation Eligible Receiver highlighted the importance of organizations understanding what systems they have, how they are configured, what has changed, and who made changes. With this knowledge security teams are better equipped to meet regulatory compliance and identify configuration drift.
Today’s Common Mistakes
In order to improve security posture, organizations must understand what they have, and to do so they should conduct a reliable asset inventory. It is essential for security teams to know how their network is configured and what has changed over time. When done manually, the process of keeping track of configuration changes can take large amounts of time, which many security professionals do not have. A manual approach will typically rely on guesswork when answering questions such as, “Who added a workstation to a domain?” or “When did this user receive administrative privileges?”
These questions have many potential answers. Configurations may change due to user modifications, settings being misconfigured initially, or machines being powered off when a group policy is applied. When configuration changes go unnoticed, organizations are left facing easily exploitable vulnerabilities. These vulnerabilities are one of the main reasons security frameworks recommend that security teams use a form of configuration management automation that provides consistent security metrics, as opposed to a manual process.
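Questions like “Who added a workstation to a domain?” and “When did this user receive administrative privileges?” are answerable without guesswork when the Windows Security log is collected and the relevant audit subcategories are enabled. The following is an added example (not code from the article or from Aristotle Insight) that attributes such changes to an actor and a timestamp from the audit events that record them. It assumes a centrally collected Security log with Audit Security Group Management, Audit Computer Account Management and Audit Authorization Policy Change enabled; the event records are constructed samples that carry the field names of the real event IDs they imitate (4728/4732, 4741, 4704), and the admin-group list and SIDs are assumptions.

```python
"""Answer "who made this change, and when?" from Windows Security audit events.

Added example, not from the article or Aristotle Insight.  Assumes the
Security log is collected and that the Security Group Management, Computer
Account Management and Authorization Policy Change audit subcategories are
enabled.  SAMPLE_EVENTS is a constructed sample; the SIDs and names in it
are made up.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed sample: flattened Security events as a log collector might emit them.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4624", "TimeCreated": "2024-03-01T08:02:11Z",       # logon (noise)
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": "4728", "TimeCreated": "2024-03-01T09:14:02Z",       # member added to global group
     "SubjectUserName": "helpdesk01",
     "MemberName": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"EventID": "4741", "TimeCreated": "2024-03-02T13:40:55Z",       # computer account created
     "SubjectUserName": "svc-imaging", "TargetUserName": "WS-0427$"},
    {"EventID": "4704", "TimeCreated": "2024-03-03T17:21:09Z",       # user right assigned
     "SubjectUserName": "helpdesk01",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105",
     "PrivilegeList": "SeDebugPrivilege"},
]

# Groups whose membership confers administrative rights (assumed list; extend per domain).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def _when(event: Event) -> datetime:
    """Parse the collector's UTC timestamp into an aware datetime."""
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def who_joined_computer(events: List[Event], computer: str) -> Optional[Dict[str, object]]:
    """Event 4741 (a computer account was created): who created the account, and when.
    Computer accounts end in '$'; the caller may pass the name with or without it."""
    wanted = computer.rstrip("$").lower()
    for e in sorted(events, key=_when):
        if e.get("EventID") == "4741" and e.get("TargetUserName", "").rstrip("$").lower() == wanted:
            return {"who": e["SubjectUserName"], "when": _when(e)}
    return None


def when_admin_granted(events: List[Event], member: str) -> Optional[Dict[str, object]]:
    """Events 4728/4732 (member added to a security-enabled global/local group):
    the earliest addition of `member` to any admin group, with the actor and time."""
    for e in sorted(events, key=_when):
        if (e.get("EventID") in {"4728", "4732"}
                and e.get("TargetUserName") in ADMIN_GROUPS
                and member.lower() in e.get("MemberName", "").lower()):
            return {"who": e["SubjectUserName"], "when": _when(e), "group": e["TargetUserName"]}
    return None


def who_assigned_right(events: List[Event], privilege: str) -> List[Dict[str, object]]:
    """Event 4704 (a user right was assigned): every assignment of `privilege`.
    The real event lists privileges one per line, so split on whitespace."""
    hits = []
    for e in sorted(events, key=_when):
        if e.get("EventID") == "4704" and privilege in e.get("PrivilegeList", "").split():
            hits.append({"who": e["SubjectUserName"], "when": _when(e), "to": e["TargetSid"]})
    return hits


if __name__ == "__main__":
    print("WS-0427 joined by:", who_joined_computer(SAMPLE_EVENTS, "WS-0427"))
    print("Jane Doe made admin:", when_admin_granted(SAMPLE_EVENTS, "Jane Doe"))
    print("SeDebugPrivilege grants:", who_assigned_right(SAMPLE_EVENTS, "SeDebugPrivilege"))
```

The lookups deliberately key on the event fields that Windows populates (SubjectUserName for the actor, TargetUserName for the group or computer, TargetSid and PrivilegeList for rights), so the same functions work on real exported events; the answers only exist, of course, if the audit subcategories were enabled before the change happened.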
Setting a Standard
A majority of today’s security frameworks, such as NIST 800-53, include configuration management requirements that reflect the results of Operation Eligible Receiver 97. Guidelines within NIST 800-53 suggest practices such as setting a configuration baseline and limiting systems to only provide essential capabilities in a control known as “least functionality.”[1] Frameworks provide a basis for general requirements but do not provide details on how configuration should be set.
Security teams utilize validated standards, such as Security Technical Implementation Guides (STIGs) from the Defense Information Systems Agency (DISA), for specifics of how configurations should be set. These STIGs are required configuration standards for all Department of Defense devices and systems and have provided a guideline to secure areas of risk within networks since 1998.[2] Following these established standards provides security teams with clear direction in their configuration management process, while ensuring compliance with frameworks and improving the security posture of their organization.
Monitoring Configuration Drift
Even when organizations follow a configuration guideline like STIGs, without a proper monitoring solution the risk of configuration drift remains. Drift occurs as devices, software, or users are added to a network and can be almost impossible to track manually. An example of drift affecting an organization’s security posture can be seen in user rights assignments, specifically the right to debug programs. Debug rights are typically granted only to administrative accounts, but misconfigurations and drift lead to regular users receiving them unnecessarily. Another common case is poorly designed software that requires SeDebugPrivilege to be enabled. Combined with an inability to set permissions properly, this puts organizations at risk of ransomware. Attackers often use these debug rights to run hash tools against files and collect passwords.
[Image: User Privileges Report in Aristotle Insight, showing which user accounts have permission to debug programs. The report lists user privileges across all domains or only specified domains and can be filtered by a specific user and/or computer.]
To overcome configuration drift, organizations require a solution to continuously monitor current configurations, along with a history of changes. Security teams need to be able to immediately determine what changed, when the change occurred, and who made the change. Although the importance of this information was learned over twenty years ago during Operation Eligible Receiver 97, accessing these details is an area in which most organizations still struggle today.
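The debug-rights drift described above is detectable by comparing the current User Rights Assignment of a host against a baseline, and a history of such exports answers “what changed” between two points in time. The following is an added example (not code from the article or from Aristotle Insight) that parses the [Privilege Rights] section of a `secedit /export /cfg` dump and reports drift against a baseline. It assumes a baseline modeled on the STIG requirement that “Debug programs” (SeDebugPrivilege) be granted only to Administrators; both exports are constructed samples in secedit’s INF layout, and the list of high-risk rights is an assumption.

```python
"""Detect user-rights-assignment drift from `secedit /export /cfg` output.

Added example, not from the article or Aristotle Insight.  The baseline
follows the STIG requirement that SeDebugPrivilege be held only by
Administrators (S-1-5-32-544); both exports below are constructed samples.
secedit writes the file as UTF-16 LE, so read it with encoding="utf-16".
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Rights whose unexpected widening is treated as high severity (assumed list).
HIGH_RISK_RIGHTS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege"}

# Constructed baseline: the approved assignments (S-1-5-32-544 Administrators,
# S-1-5-32-555 Remote Desktop Users, S-1-5-32-551 Backup Operators).
BASELINE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed current export: a domain user SID and Users (S-1-5-32-545) have
# drifted into SeDebugPrivilege, and Remote Desktop Users lost RDP logon.
CURRENT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

Rights = Dict[str, Set[str]]
Finding = Tuple[str, str, FrozenSet[str], FrozenSet[str]]  # severity, right, added, removed


def parse_privilege_rights(export_text: str) -> Rights:
    """Return {right: {SID, ...}} from the [Privilege Rights] section.
    secedit prefixes each SID with '*' and separates them with commas."""
    rights: Rights = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def find_drift(baseline: Rights, current: Rights) -> List[Finding]:
    """Compare two parsed exports. A right absent from one export is treated as
    having no assignees. Widening a high-risk right is reported as 'high'."""
    findings: List[Finding] = []
    for right in sorted(set(baseline) | set(current)):
        want = baseline.get(right, set())
        have = current.get(right, set())
        added = frozenset(have - want)
        removed = frozenset(want - have)
        if not added and not removed:
            continue
        severity = "high" if (right in HIGH_RISK_RIGHTS and added) else "medium"
        findings.append((severity, right, added, removed))
    return findings


if __name__ == "__main__":
    for severity, right, added, removed in find_drift(
            parse_privilege_rights(BASELINE_EXPORT), parse_privilege_rights(CURRENT_EXPORT)):
        print(f"[{severity}] {right}: added={sorted(added)} removed={sorted(removed)}")
```

Run the same comparison between yesterday’s and today’s export of each host to get the change history the text calls for; pairing a finding with the 4704 audit event for the same right is what supplies the “who.”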
Accessing the Details with Aristotle Insight
Aristotle Insight continuously identifies risk, directs remediation, and documents results from security functions such as Configurations, Vulnerabilities, Privileged User Management, Asset Inventory, and Threat Analytics.
Utilizing the revolutionary UDAPE® technology, Aristotle Insight collects reliable process-level data from users, devices, applications, and endpoints. A unique Bayesian inference engine sorts through this kernel-level data, highlighting actionable items to help organizations save time and better manage their cybersecurity posture.
Aristotle Insight is based on Operation Eligible Receiver 97 and is the solution for cybersecurity teams attempting to implement their security process. Whether completing an audit or addressing internal policies, mature cybersecurity professionals find that Aristotle Insight is a next-generation Cyber Diagnostics solution.
About the Author
Josh Paape is an Online Marketing Specialist at Sergeant Laboratories, a leader in security and compliance solutions that allow businesses, governments, and healthcare institutions to comply with regulations and stay a step ahead of criminals. As a graduate of the University of Wisconsin – La Crosse, Josh has experience marketing products from a variety of industries. As a contributor to CDM, he hopes to spark new thought and discussion topics in the information security community.