By Josh Paape
More than 20 years ago, the NSA conducted an exercise named Operation Eligible Receiver
- The purpose of the exercise was to test the response capabilities of critical Department of Defense information systems in the case of a breach. The exercise concluded with startling results. Utilizing only publicly available hacking techniques, the NSA was able to completely infiltrate the dod network and gained superuser access into high-priority devices. However, one of the only known cases of the NSA being prevented from reaching their targets occurred when a marine noticed suspicious traffic on the network and immediately changed configuration settings to lock down permissions.1
After a two-year review of the exercise, recommendations were made for an increased focus on configuration management for all entities. Though best practices were not formally codified, compliance frameworks were developed and include configuration management practices. These frameworks include NIST 800-53 and Security Technical Implementation Guides (stigs).
Operation Eligible Receiver highlighted the importance of organizations knowing what they have, how it’s configured, what’s changed, and who changed it. With this understanding, security teams are better equipped to meet regulatory compliance and identify configuration drift.
Today’s common mistakes
Organizations need to know what they have in order to improve security posture. In addition to a reliable asset inventory, it is essential for security teams to know how their network is configured and what has changed over time. When done manually, the process of keeping track of configuration changes can take large amounts of time that security professionals do not have. This approach will typically rely on guesswork when answering questions such as, “Who added a workstation to a domain?” Or “When did this user receive administrative privileges?”
1 Eligible Receiver 97 After Action Report. Retrieved from: https://www.youtube.com/watch?V=ii3izaq0nh0
There are many different potential answers to these questions. Configurations can change due to users modifying them, settings being misconfigured initially, or machines being turned off when group policies are entered. When configuration changes go unnoticed, organizations are left facing easily exploitable vulnerabilities. This is the reason security frameworks recommend security teams utilize a form of configuration management automation providing consistent security metrics rather than a manual process.
Setting a standard
Most of today’s security frameworks include configuration management requirements. Frameworks such as NIST 800-53 implemented specific guidelines for configuration management following the results of Operation Eligible Receiver 97. These guidelines suggest practices such as setting a configuration baseline and limiting systems to only provide essential capabilities in a control known as “least functionality.” NIST 800-53 and other frameworks are great outlines for general requirements but do not provide details on how configurations should be set.
For specifics of how configurations should be set, security teams utilize validated standards such as Security Technical Implementation Guides (stigs) from the Defense Information Systems Agency (DISA). Stigs are required configuration standards for all Department of Defense devices and systems. These standards have provided a guideline to secure areas of networks at risk since 1998.2 Following an established standard such as stigs provides security teams with clear direction in their configuration management process while ensuring compliance with frameworks and improving the security posture of their organization.
Monitoring configuration drift
Even when organizations follow a configuration guideline such as stigs, there is still a risk for configuration drift without a proper monitoring solution. Drift occurs as devices, software, or users are added to a network and can be almost impossible to track manually. An example of drift affecting an organization’s security posture can be seen when looking at user rights assignments, specifically the ability to debug a program. Debug rights are typically
2 Security Technical Implementation Guides (stigs). Retrieved from: https://iase.disa.mil/stigs/Pages/index.aspx
Only granted to administrative accounts, but misconfigurations and drift will result with regular users receiving these rights. Another common case is insecure software requiring sedebugprivilege to be turned on. When this is partnered with an inability to properly set permissions, organizations are put in danger as Ransomware often uses debug rights assignments to run hash tools against files and collect passwords.
(The User Privileges Report in aristotleinsight lists all user privileges across all domains or only specified domains. The report may be filtered by a specific user and/or computer. The image above shows an example of viewing which user accounts have permission to debug programs.)
To overcome configuration drift, organizations need a solution to continuously monitor current configurations along with a history of changes. Security teams need to be able to immediately determine what changed, when the change occurred, and who made the change. The importance of knowing these details was learned over twenty years ago during Operation Eligible Receiver 97, yet most organizations still struggle with them today.
Accessing the details with aristotleinsight
Aristotleinsight was developed to meet the needs identified by Operation Eligible Receiver
- The system continuously identifies risk, directs remediation, and documents results from security functions such as Configurations, Vulnerabilities, Privileged User Management, Asset Inventory, and Threat
Utilizing the revolutionary UDAPE® technology, aristotleinsight collects reliable data from the process level across all devices on an organization’s network. A unique Bayesian Inference Engine sorts through the kernel level data highlighting actionable items to help security teams identify risk, direct the remediation process, and document results. This helps security teams save time and better manage cybersecurity posture.
Aristotleinsight is the perfect solution for an organization attempting to build their security process. For organizations with a mature cybersecurity process in place, aristotleinsight is an effective hunt tool.
About the Author:
Josh Paape is an Online Marketing Specialist at Sergeant Laboratories, a leader in security and compliance solutions that allow businesses, governments, and healthcare institutions to comply with regulations and stay a step ahead of criminals. As a graduate of the University of Wisconsin – La Crosse, Josh has experience marketing products from a variety of industries. As a contributor to CDM, he hopes to spark new thought and discussion topics in the information security community.