
Advanced Persistent Threat Activity Exploiting Managed Service Providers

Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.


Response


An organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization’s response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft). In general, organizations should prepare by



  • Establishing and periodically updating an incident response plan.

  • Establishing written guidelines that prioritize incidents based on mission impact, so that an appropriate response can be initiated.

  • Developing procedures and out-of-band lines of communication to handle incident reporting for internal and external relationships.

  • Exercising incident response measures for various intrusion scenarios regularly, as part of a training regime.

  • Committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.


Mitigation


Manage Supply Chain Risk


MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups. MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection.[1] [2] [3]


Architecture


Restricting access to networks and systems is critical to containing an APT actor’s movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment’s physical and logical architecture limits an APT actor’s visibility and access.


Virtual Private Network Connection Recommendations



  • Use a dedicated Virtual Private Network (VPN) for MSP connection. The organization’s local network should connect to the MSP via a dedicated VPN. The VPN should use certificate-based authentication and be hosted on its own device.

  • Terminate VPN within a demilitarized zone (DMZ). The VPN should terminate within a DMZ that is isolated from the internal network. Physical systems used within the DMZ should not be used on or for the internal network.

  • Restrict VPN traffic to and from MSP. Access to and from the VPN should be confined to only those networks and protocols needed for service. All other internal networks and protocols should be blocked. At a minimum, all failed attempts should be logged.

  • Update VPN authentication certificates annually. Update the certificates used to establish the VPN connection no less than annually. Consider rotating VPN authentication certificates every 6 months.

  • Ensure VPN connections are logged, centrally managed, and reviewed. All VPN connection attempts should be logged in a central location. Investigate connections using dedicated certificates to confirm they are legitimate.


Network Architecture Recommendations



  • Ensure internet-facing networks reside on separate physical systems. All internet-accessible network zones (e.g., perimeter network, DMZ) should reside on their own physical systems, including the security devices used to protect the network environment.

  • Separate internal networks by function, location, and risk profile. Internal networks should be segmented by function, location, and/or enterprise workgroup. All communication between networks should use Access Control Lists and security groups to implement restrictions.

  • Use firewalls to protect server(s) and designated high-risk networks. Firewalls should reside at the perimeter of high-risk networks, including those hosting servers. Access to these networks should be properly restricted. Organizations should enable logging, using a centrally managed logging system.

  • Configure and enable private Virtual Local Area Networks (VLANs). Enable private VLANs and group them according to system function or user workgroup.

  • Implement host firewalls. In addition to the physical firewalls in place at network boundaries, hosts should also be equipped and configured with host-level firewalls to limit communications from other workstations (this decreases workstation-to-workstation communication).


Network Service Restriction Recommendations



  • Only permit authorized network services outbound from the internal network. Restrict outbound network traffic to only well-known web browsing services (e.g., Transmission Control Protocol [TCP]/80, TCP/443). In addition, monitor outbound traffic to ensure the ports associated with encrypted traffic are not sending unencrypted traffic.

  • Ensure internal and external Domain Name System (DNS) queries are performed by dedicated servers. All systems should leverage dedicated internal DNS servers for their queries. Ensure that DNS queries for external hosts using User Datagram Protocol (UDP)/53 are permitted for only these hosts and are filtered through a DNS reputation service, and that outbound UDP/53 network traffic by all other systems is denied. Ensure that TCP/53 is not permitted by any system within the network environment. All attempts to use TCP/53 and UDP/53 should be centrally logged and investigated.

  • Restrict access to unauthorized public file shares. Access to public file shares that are not used by the organization—such as Dropbox, Google Drive, and OneDrive—should be denied. Attempts to access public file share sites should be centrally logged and investigated. Recommended additional action: monitor all egress traffic for possible exfiltration of data.

  • Disable or block all network services that are not required at the network boundary. Only those services needed to operate should be enabled and/or authorized at network boundaries. These services are typically limited to TCP/137, TCP/139, and TCP/445. Additional services may be needed, depending on the network environment; these should be tightly controlled to only send to and receive from certain whitelisted Internet Protocol addresses, if possible.
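As an added illustration of the outbound-service and DNS rules above (example code written for this page, not part of the advisory), the following Python evaluates constructed flow records against those rules and separates what the boundary should allow from what it should deny and log for investigation. The resolver addresses, the internal range and the sample flows are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed environment (not from the advisory): two dedicated internal DNS
# servers and the internal address range they serve.
DEDICATED_DNS = {ipaddress.ip_address("10.0.5.10"), ipaddress.ip_address("10.0.5.11")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Outbound services the advisory permits by default: web browsing on TCP/80 and TCP/443.
ALLOWED_WEB = {("tcp", 80), ("tcp", 443)}


def evaluate_egress(src, dst, proto, dport):
    """Return (verdict, reason) for one outbound flow under the advisory's rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in INTERNAL_NET or d in INTERNAL_NET:
        return "ignore", "not an internal-to-external flow"
    proto = proto.lower()
    if dport == 53:
        if proto == "tcp":
            return "deny", "TCP/53 is not permitted from any system"
        if s in DEDICATED_DNS:
            return "allow", "UDP/53 from dedicated DNS server (filter via reputation service)"
        return "deny", "UDP/53 only permitted from dedicated DNS servers"
    if (proto, dport) in ALLOWED_WEB:
        return "allow", "well-known web service"
    return "deny", "outbound service not authorized"


def triage(flow_lines):
    """Parse constructed 'src dst proto dport' records, tally verdicts, and return
    every denied flow so it can be centrally logged and investigated."""
    counts, denied = Counter(), []
    for line in flow_lines:
        src, dst, proto, dport = line.split()
        verdict, reason = evaluate_egress(src, dst, proto, int(dport))
        counts[verdict] += 1
        if verdict == "deny":
            denied.append((src, dst, f"{proto}/{dport}", reason))
    return {"counts": dict(counts), "denied": denied}


# Constructed sample flows; external addresses use documentation ranges.
SAMPLE_FLOWS = [
    "10.0.5.10 203.0.113.53 udp 53",     # dedicated resolver: allowed
    "10.0.20.15 203.0.113.53 udp 53",    # workstation bypassing internal DNS: denied
    "10.0.20.15 198.51.100.53 tcp 53",   # TCP/53: denied for every system
    "10.0.20.15 198.51.100.80 tcp 443",  # web browsing: allowed
    "10.0.20.16 203.0.113.7 tcp 22",     # SSH outbound: not authorized
    "10.0.20.16 10.0.5.10 udp 53",       # internal query to the resolver: ignored
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_FLOWS)["denied"]:
        print("DENY", *entry)
```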


Authentication, Authorization, and Accounting


Compromised account credentials continue to be the number one way threat actors are able to penetrate a network environment. The accounts organizations create for MSPs increase the risk of credential compromise, as MSP accounts typically require elevated access. It is important that organizations adhere to best practices for password and permission management, as this can severely limit a threat actor’s ability to access and move laterally across a network. Provided below are key items organizations should implement and routinely audit to ensure these risks are mitigated.


Account Configuration Recommendations



  • Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the Enterprise Administrator (EA) or Domain Administrator (DA) groups.

  • Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.

  • Ensure MSP account passwords adhere to organizational policies. Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.

  • Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.

  • Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. Additionally, if MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.

  • Use a network architecture that includes account tiering. By using an account tiering structure, higher privileged accounts will never have access to or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.
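The account rules above are easiest to audit when they are expressed as checks over logon events. As an added example written for this page (not the advisory's own tooling), the Python below reviews constructed logon events for MSP accounts against a per-account policy: managed hosts, contract end date, permitted hours, interactive logon for service accounts, and EA/DA membership. The account names, hosts, dates and policy values are assumptions.

```python
from datetime import datetime, time

# Assumed MSP account policy (constructed for this example).
MSP_POLICY = {
    "msp-svc-backup": {                     # service account for an MSP agent
        "managed_hosts": {"fs01", "fs02"},
        "contract_end": datetime(2025, 12, 31),
        "hours": None,                      # the agent runs around the clock
        "interactive": False,               # interactive logon disabled
    },
    "msp-ops-jdoe": {                       # human MSP operator
        "managed_hosts": {"fs01", "fs02", "app01"},
        "contract_end": datetime(2025, 12, 31),
        "hours": (time(8, 0), time(18, 0)),  # business hours, weekdays only
        "interactive": True,
    },
}
INTERACTIVE_TYPES = {2, 10}   # Windows logon types: console (2) and RDP (10)
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}


def review_logon(ev):
    """Return the list of policy violations for one constructed logon event."""
    policy = MSP_POLICY.get(ev["account"])
    if policy is None:
        return []                          # not an MSP account; out of scope here
    when = datetime.fromisoformat(ev["time"])
    findings = []
    if when > policy["contract_end"]:
        findings.append("logon after contract end")
    if ev["host"] not in policy["managed_hosts"]:
        findings.append(f"logon to unmanaged host {ev['host']}")
    if ev["logon_type"] in INTERACTIVE_TYPES and not policy["interactive"]:
        findings.append("interactive logon by service account")
    if policy["hours"]:
        start, end = policy["hours"]
        if when.weekday() >= 5 or not (start <= when.time() <= end):
            findings.append("logon outside permitted hours")
    if ADMIN_GROUPS & set(ev.get("groups", ())):
        findings.append("MSP account holds EA/DA membership")
    return findings


def review_all(events):
    """Map event id to findings, keeping only events that need investigation."""
    return {ev["id"]: f for ev in events if (f := review_logon(ev))}


SAMPLE_EVENTS = [  # constructed events; 2025-06-02 is a Monday, 2025-06-07 a Saturday
    {"id": 1, "time": "2025-06-02T10:15:00", "account": "msp-ops-jdoe", "host": "fs01", "logon_type": 10, "groups": ["MSP-Operators"]},
    {"id": 2, "time": "2025-06-02T23:40:00", "account": "msp-ops-jdoe", "host": "dc01", "logon_type": 10, "groups": ["MSP-Operators", "Domain Admins"]},
    {"id": 3, "time": "2025-06-07T03:00:00", "account": "msp-svc-backup", "host": "fs02", "logon_type": 5, "groups": []},
    {"id": 4, "time": "2025-06-07T03:05:00", "account": "msp-svc-backup", "host": "fs02", "logon_type": 2, "groups": []},
    {"id": 5, "time": "2026-01-05T09:00:00", "account": "msp-ops-jdoe", "host": "app01", "logon_type": 10, "groups": []},
    {"id": 6, "time": "2025-06-02T09:00:00", "account": "alice", "host": "ws17", "logon_type": 2, "groups": []},
]
```

Running `review_all(SAMPLE_EVENTS)` flags events 2, 4 and 5 only; event 3 is the agent's normal service logon and event 6 is not an MSP account.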


Logging Configuration Recommendations



  • Enable logging on all network systems and devices and send logs to a central location. All network systems and devices should have their logging features enabled. Logs should be stored both locally and centrally to ensure they are preserved in the event of a network failure. Logs should also be backed up regularly and stored in a safe location.

  • Ensure central log servers reside in an enclave separate from other servers and workstations. Log servers should be isolated from the internet and network environment to further protect them from compromise. The firewall at the internal network boundary should only permit necessary services (e.g., UDP/514).

  • Configure local logs to store no less than seven days of log data. The default threshold for local logging is typically 3 days or a certain file size (e.g., 5 MB). Configure local logs to store no less than seven days of log data. Seven days of logs will cover the additional time in which problems may not be identified, such as holidays. In the event that only size thresholds are available, NCCIC recommends that this parameter be set to a large value (e.g., 512 MB to 1024 MB) to ensure that events requiring a high amount of log data, such as brute force attacks, can be adequately captured.

  • Configure central logs to store no less than one year of log data. Central log servers should store no less than a year’s worth of data prior to being rolled off. Consider increasing this capacity to 2 years, if possible.

  • Install and properly configure a Security Information and Event Management (SIEM) appliance. Install a SIEM appliance within the log server enclave. Configure the SIEM appliance to alert on anomalous activity identified by specific events and on significant deviations from baselined activity.

  • Enable PowerShell logging. Organizations that use Microsoft PowerShell should ensure it is upgraded to the latest version (minimum version 5) to use the added security of advanced logging and to ensure these logs are being captured and analyzed. PowerShell’s features include advanced logging, interaction with application whitelisting (if using Microsoft’s AppLocker), constrained language mode, and advanced malicious detection with the Antimalware Scan Interface. These features will help protect an organization’s network by limiting what scripts can be run, logging all executed commands, and scanning all scripts for known malicious behaviors.

  • Establish and implement a log review process. Logs that go unanalyzed are useless. It is critical to network defense that organizations establish a regular cycle for reviewing logs and developing analytics to identify patterns.


Operational Controls


Building a sound architecture supported by strong technical controls is only the first part of protecting a network environment. It is just as critical that organizations continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs. Listed below are key operational controls organizations should incorporate for protection from threats.


Operational Control Recommendations



  • Create a baseline for system and network behavior. System, network, and account behavior should be baselined to make it easier to track anomalies within the collected logs. Without this baseline, network administrators will not be able to identify the “normal” behaviors for systems, network traffic, and accounts.

  • Review network device configurations every 6 months. No less than every 6 months, review the active configurations of network devices for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and be used to validate files.

  • Review network environment Group Policy Objects (GPOs) every 6 months. No less than every 6 months, review GPOs for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and be used to validate files.

  • Continuously monitor and investigate SIEM appliance alerts. The SIEM appliance should be continuously monitored for alerts. All events should be investigated and documented for future reference.

  • Periodically review SIEM alert thresholds. Review SIEM appliance alert thresholds no less than every 3 months. Thresholds should be updated to reflect changes, such as new systems, activity variations, and new or retired services being used within the network environment.

  • Review privileged account groups weekly. Review privileged account groups—such as DAs and EAs—no less than weekly to identify any unauthorized modifications. Consider implementing automated monitoring for these groups.

  • Disable or remove inactive accounts. Periodically monitor accounts for activity and disable or remove accounts that have not been active within a certain period, not to exceed 30 days. Consider including account management in the employee onboarding and offboarding processes.

  • Regularly update software and operating systems. Ensuring that operating systems and software are up to date is critical for taking advantage of a vendor’s latest security offerings. These offerings can include mitigating known vulnerabilities and offering new protections (e.g., credential protections, increased logging, forcing signed software).
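The configuration checksum reviews and the weekly privileged group review above share one mechanism: record a reviewed baseline, then diff the live state against it. As an added example written for this page (not the advisory's own tooling), the Python below builds such a baseline with SHA-256 checksums of device configurations and the approved DA/EA membership, then reports every deviation. The device names, configuration text and account names are constructed.

```python
import hashlib


def sha256_text(text):
    """Checksum used to validate a stored configuration against the baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_baseline(configs, priv_groups):
    """Record the reviewed state: one checksum per device config plus the approved
    membership of each privileged group. Store the result in a secure location."""
    return {
        "config_checksums": {dev: sha256_text(cfg) for dev, cfg in configs.items()},
        "privileged_groups": {g: sorted(m) for g, m in priv_groups.items()},
    }


def check_drift(baseline, configs, priv_groups):
    """Compare the current state with the baseline and list every deviation."""
    findings = []
    for dev, expected in baseline["config_checksums"].items():
        current = configs.get(dev)
        if current is None:
            findings.append(f"{dev}: config missing")
        elif sha256_text(current) != expected:
            findings.append(f"{dev}: config checksum mismatch")
    for dev in sorted(configs.keys() - baseline["config_checksums"].keys()):
        findings.append(f"{dev}: device not in baseline")
    for group, approved in baseline["privileged_groups"].items():
        current = set(priv_groups.get(group, ()))
        for added in sorted(current - set(approved)):
            findings.append(f"{group}: unauthorized member {added}")
        for removed in sorted(set(approved) - current):
            findings.append(f"{group}: approved member {removed} missing")
    return findings


# Constructed sample data: the state recorded at the last review ...
BASELINE_CONFIGS = {
    "edge-fw": "permit tcp any any eq 443\npermit tcp any any eq 80\ndeny ip any any log\n",
    "core-sw": "vlan 10 name servers\nvlan 20 name workstations\n",
}
BASELINE_GROUPS = {"Domain Admins": ["da-alice", "da-bob"], "Enterprise Admins": ["ea-root"]}
# ... and the live state today: an extra permit rule and an MSP account added to DA.
CURRENT_CONFIGS = {
    "edge-fw": "permit tcp any any eq 443\npermit tcp any any eq 80\npermit tcp any any eq 22\ndeny ip any any log\n",
    "core-sw": BASELINE_CONFIGS["core-sw"],
}
CURRENT_GROUPS = {"Domain Admins": ["da-alice", "da-bob", "msp-ops-jdoe"], "Enterprise Admins": ["ea-root"]}


def run_review():
    baseline = build_baseline(BASELINE_CONFIGS, BASELINE_GROUPS)
    return check_drift(baseline, CURRENT_CONFIGS, CURRENT_GROUPS)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```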


It is important to note that—while the recommendations provided in this TA aim at preventing the initial attack vectors and the spread of any malicious activity—there is no single solution to protecting and defending a network. NCCIC recommends network defenders use a defense-in-depth strategy to increase the odds of successfully identifying an intrusion, stopping malware, and disrupting threat actor activity. The goal is to make it as difficult as possible for an attacker to be successful and to force them to use methods that are easier to detect with higher operational costs.


Report Unauthorized Network Access


Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).

