
Building A Cyber Fortress

About the Author
Most of my adult life has been related in one way or another to information security,
and this book is the result of my passion for this field. I dedicate it to all who
see infosec as something more than just a job – especially those who see it
as their calling and mission to protect information in all its forms and to
master the art of defending against the ever-changing threat environment. I
have no degree to show off.
Twitter: @xorred LinkedIn: https://linkedin.com/in/asverdlov
Preface
Cyber-crime has changed the way businesses operate. A single breach can bankrupt a business in a
minute; at the very least millions of users can lose trust in your business, and in the worst case they
lose their money and identities as well. The prospect of all of them filing lawsuits against your
company for their losses is, and should be, scary. CISOs are under constant pressure to maintain
secure business operations while at the same time being bombarded by sales pitches for ‘solutions’ to
their problems.
This book is going to equip you with the right knowledge and tools to build a real-life cyber fortress –
one which will be incredibly difficult to penetrate and exploit.
To make the most of its contents it is best to read it once and then apply the appropriate
changes to your environment one by one, based on priority, risk and criticality. This way it might
take you a year (or more) to work through the book, but it will result in measurable positive changes to
the security posture of your organization. I am confident that if any entity chooses to apply most of
the advice written here it will have a justifiable peace of mind when it comes to sustaining a long-term defense.
The traditional ways of dealing with cyber threats – buying more security appliances and products –
are not proving effective as cyber-crime seems to remain completely undeterred by them. This book
takes a different approach. Even though there are products and solutions which will do a very good
job if configured and maintained properly, the most effective measures to be taken are within the
organization itself and within the configuration of all devices and systems a business operates with.
This book aims to teach you real cyber warfare defense skills. It is tailored specifically towards
defense and nothing else – not a word was written on attacking others or retaliating. Do your best in
defending your own castle and your own people, as one day they will need your expertise and you
had better have it.
Some chapters will be short – some even one page or less. In such cases I have usually included several
links pointing to where to go next. I promise that as soon as you read the suggested materials you will see why
the chapter was short: it is simply illogical to cover a complex topic in a single chapter when a book
that explains the topic perfectly already exists and a link to that book is given. If you read the book as a book and
don’t follow the links, you will miss 90% of what it is about, guaranteed.
Page 1 of 112
Disclaimer:
All opinions in this book are strictly personal, derived from experience. Any advice you find in this
book is to be taken into consideration only after careful testing and evaluation; after all, it is your
network you are trying to secure, and I am just trying to help and give you the right tools. What you do
with these tools is your responsibility, including the decision which tool is the right one. Any products or
solutions mentioned, recommended or dismissed in this book have been selected based on my
personal preference, and their presence in this book means nothing more than that; it is your responsibility to
form your own opinion based on your own testing and comparison.
This book is technical. It will benefit non-technical readers, but they will not be able to use or
implement the advice given inside, and they are therefore advised to pass the book on to the heads of
IT and IT Security.
English: it is obviously not my native language and I beg your forgiveness for any spelling / other
mistakes.
URLs: It will be impractical to click on links on a Kindle, so I have created a PDF version of this book,
which you can read and use on your computer, for free. You can download it from here:
http://goo.gl/1pYBFJ
Finally, this version of the book is distributed completely free of charge in HTML/PDF format. My aim
with publishing it in this way is to help as many people as possible get their defenses into shape. If
you like the book, you may as well get a copy on Amazon:
Trademark Information
This book has not been authorized, sponsored, or otherwise approved by Google Inc. or any other
company or brand mentioned in it.
All product names are registered trademarks or trademarks of their respective companies.
Copyright: Alexander Sverdlov
No part of this publication can be reused commercially without an explicit permission from the
author. Any use of material from this book should mention the author.
If you liked the book, you can get it on your Kindle here: http://www.amazon.com/dp/B00YBX4Y9K
Table of Contents
The Cyber Fortress, Redefined ................................................................................................................ 6
Prepare for WAR and the new realities................................................................................................. 11
Intelligence operations against technologies we use every day ........................................................... 14
APT or APA and can APDs counter their attacks? ................................................................................. 17
Becoming a knight: learn! ..................................................................................................................... 19
Recommended books to build a solid foundation ............................................................................ 19
Philosophy / Military Art ............................................................................................................... 19
Cyber Security History ................................................................................................................... 20
Novels ............................................................................................................................................ 20
Technical books ............................................................................................................................. 21
Standards and Best Practices ........................................................................................................ 21
Survey the security posture of your company ...................................................................................... 24
Know your enemy ............................................................................................................................. 29
External Network Monitoring Services ......................................................................................... 31
Getting to know the Cyber Underground ..................................................................................... 32
Building your own intelligence of the attackers going after your organization ............................ 36
Your role as the guardian and infosec mentor in your organization .................................................... 37
Communicating with senior executives ............................................................................................ 37
Communicating with IT ..................................................................................................................... 38
Communicating with everybody else ................................................................................................ 38
Building a squad of brave defenders ..................................................................................................... 39
Information Security Awareness ........................................................................................................... 43
On Enterprise Password / Credential management.......................................................................... 45
Building a secure operating environment ............................................................................................. 47
Removing perimeter security is safe for a cyber fortress ..................................................................... 48
Defending against web-based attacks .................................................................................................. 49
Choosing and properly configuring a Web Proxy / Web Filter.......................................................... 50
Evaluating a web filter before purchasing the product / service .................................................. 50
Protecting the endpoint from web-based attacks ............................................................................ 52
Block exploits and malware by blocking ad networks and ads ..................................................... 52
Deploying a secure browser in the enterprise .............................................................................. 54
Hardening Flash: mission (im)possible .......................................................................................... 56
Sandboxed Browsers / Alternatives for the enterprise ................................................................. 57
Selecting operating systems according to your business needs ....................................................... 58
How to properly harden your operating systems ............................................................................. 61
SRGs and STIGs .............................................................................................................................. 61
Application Whitelisting - SRP and AppLocker .............................................................................. 66
2-factor authentication for servers ............................................................................................... 72
Maintaining the operating systems................................................................................................... 73
Raise the cost of malicious code execution in your environment .................................................... 74
Preventing Exploit Execution ......................................................................................................... 74
Other server / workstation hardening ideas ................................................................................. 78
Choosing secure networking components ............................................................................................ 80
DNS .................................................................................................................................................... 80
Routing .............................................................................................................................................. 81
Firewall alternatives .......................................................................................................................... 82
Port Knocking – NSA is using this for the past 10 years, are you? ................................................ 82
Network Segregation / Isolation ....................................................................................................... 83
Host-based Network Whitelisting ................................................................................................. 84
DoS / DDoS protection ...................................................................................................................... 85
Advice for Security Services/Products Vendor Selection ...................................................................... 86
Security Monitoring and Logging .......................................................................................................... 88
Using open source tools for centralized logging management ......................................................... 89
Logstash, ElasticSearch and Kibana ............................................................................................... 90
GrayLog2........................................................................................................................................ 90
Security Onion ............................................................................................................................... 90
Feeding your SIEM with external threat intelligence data ................................................................ 91
Control the Insider Threat ..................................................................................................................... 94
Cyber Incident Response ....................................................................................................................... 96
Smoke and Mirrors ................................................................................................................................ 98
Mobile Device Security ........................................................................................................................ 100
Creating a personal cyber fortress ...................................................................................................... 101
Various tools ........................................................................................................................................ 111
References: .......................................................................................................................................... 112
“Being unconquerable lies with yourself; being conquerable lies with the enemy.
Thus one who excels in warfare is able to make himself unconquerable, but cannot necessarily cause
the enemy to be conquerable.” – Sun Tzu
The Cyber Fortress, Redefined
To build a cyber fortress one must know what it is and how it is different from the conventional view
of a fortress.
In our mind a fortress is the fortification surrounding a town or a castle – or the fortified building
itself. It has walls and towers allowing for passive and active defense.
Image credit: Wikipedia (http://en.wikipedia.org/wiki/Fortification)
A really good illustration is the image above. In traditional warfare it would be very difficult to get to
its core without destroying a large portion of its defenses. The nature of such a fortification allows
for concentration of resources from unaffected parts of it in case of a breach, giving the upper hand
to its defenders.
If the wall is breached its defenders can oppose incoming attackers from a small opening in the wall,
where the attackers must push significant amount of firepower and human force through that small
opening in order to overcome all the defenders concentrated to defend that small area. A ratio of 1
defender to 3 attackers is commonly accepted as enough to protect the fortress in such cases.
The wall in this sense is a passive but effective protection mechanism.
While I value and respect the “defense in depth” concept, viewed from a single perspective it can
mislead. There are multiple perspectives and multiple points of view; no 2-dimensional map of the
Universe is right, as the Universe has many dimensions.
The same applies to the security of an organization: defense in depth depicts a 2-dimensional view
in which attacks come ‘from the outside’ and must penetrate multiple layers of defense to get to the
data or device, depending on the diagram you are looking at.
In this book I would like to ask you to look from the inside out – try to look from the attacker’s point
of view. When planning their attack they will most likely focus on one thing, the end user device,
and their initial weapon of choice will target that device specifically without putting much weight on
attacking the other layers. The delivery mechanism and payload of their attack will be designed to
compromise the device itself. From this point of view the aforementioned diagrams are reversed,
placing the data and the device at the outer layer of defense, simply because they are the most
exposed to attack. While it is still valid that awareness and policies are the first things guarding an
organization, in reality both will be ineffective due to human nature, and we
must focus on protecting the device, making it fool-proof and secure enough to maintain the security
triad no matter who is working on that device, as much as possible.
The Node
Since the focus of this book is protecting ‘the node’ and, by replicating this effort, protecting all
nodes and as a result the whole enterprise, let me explain what I mean by it. Usually when speaking
about an endpoint or a node I mean the device operated by a user, be it a desktop, a laptop, a
tablet or a smartphone. Consider it the device used by a human to access and work with
information.
Any node which could be hardened against attack and which can be used by an attacker is the focus
of this book.
Most defense in depth diagrams place the device at the center and every other layer surrounding it.
And while the device usually is surrounded by multiple layers of defense, in a realistic attack scenario
the device operated by the end user, their desktop, is and should be at the outer layer of these
diagrams, because the most likely attack will hit it first, before it hits the other layers, when viewed
from the perspective of attack and risk of penetration.
In order to convey the concept of a Cyber Fortress, I will try to paint an image in your mind which is
almost impossible to generate in graphical form. I had to hire an abstract artist to draw the picture
below:
Abstract art by: Viktor Mazhlekov
What I am trying to convey through it: in this image there are no walls and no firewalls; all you have in a
modern environment are endpoints of various value and protection levels. Some are well protected,
some are exposed or even compromised, and all of them are connected to the others in a 3-dimensional
network, interlinked with the Internet.
A cyber fortress is the conventional fortress turned inside-out – and as such, attacked from the
inside-out. Not all cyber-attacks happen from inside-out, but many of them do. At the same time
cyber assets are attacked from the outside – as external network elements do get attacked, there is
no objection to that. You could view a cyber fortress as a set of fortified individual elements, rather
than as a fortification with walls and towers.
If you remove the walls and towers from the first image above, you are left with one or many core
valuable points, which are unprotected and easily attacked.
In a cyber fortress, such removal should be impossible. Shutting down your firewalls and intrusion
detection systems should not render your defenses useless and your core digital assets should be
almost as protected and difficult to compromise as before. And penetrating a cyber fortress means
gaining access to one or more of its protected nodes. Ideally one breached node will trigger an
‘immune response’ (here Incident Response comes into play, but on that in a later chapter) and
disconnect all communication with the other nodes in the network. Such a breach does not mean a
breach of the whole organization and as a result would not mean losing the security of the whole
fortress.
Attacks against a standard fortification come from outside the walls, or from above, using arrows
and stones.
The attacks against a cyber fortress are similar to a poisoned water well in the castle – they start
from ‘within’ and attack from inside out. Another abstraction would be a disease spreading among
the population of the castle – again, isolation and a good immune system is key.
In a way attacks are being ‘pulled’ from outside – or ‘downloaded’ by your own defenders and fellow
townsmen – onto their desktops, which is really close to where your most sensitive data resides.
In order to build a cyber fortress you need to fortify its individual elements and the communication
links between those elements. This is accomplished by centralized hardening according to standards
set per equipment type and operating system, per software version, confidentiality level, etc.
Or here is yet another analogy to differentiate the two concepts.
In order to defend a cyber fortress, you need to build and improve the immune system of its
habitants. That immune system though would need to include their mental and psychological power
to sustain constant attacks against their alertness, will and ability to recognize friend from foe. The
weight of defending shifts from shields to mind, from walls to immune reactions.
The small mechanisms on which the life in a fortress (business) depends are now fully exposed to
attack from outside. All the legitimate code which runs your processes today is vulnerable to
potentially harmful code coming from outside with the data your employees consume on a daily
basis – web sites, e-mails, exploits and exploit packs and attachments as well as exploits targeting
your externally accessible systems.
All communication happening inside the organization should be isolated from the outside via
encrypted channels – and all incoming and outgoing communication should be checked for signs of
data leakage or attack patterns.
There are hosts in your network, for which full isolation must exist between them and the Internet –
and information to and from these nodes should be always moved manually and/or in a controlled
manner. These are the nodes where ‘the keys to the kingdom’ are stored – encryption/decryption
keys, the most critical company secrets, database backups, etc. These could be tapes, disks, storage
arrays – just make sure they are not accessible online. For example, tapes which can be picked up by a
robot controlled from outside are not ‘offline’, even though they are not physically connected to a
network device.
More and more organizations are migrating to the model of dual desktops per employee – one with
access to the internet but no access to the internal network and one with access to all needed
corporate resources, but without any access to the Internet. Information between the two should
pass through rigorous checking for various signs of danger. Ideally any detected executable code
should be stripped on the way in and any confidential information should be stripped on the way
out.
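As an added illustration of the checking described above (this is example code, not code from the book; the magic-byte list, the one-level ZIP inspection and the CONFIDENTIAL marker are assumptions chosen for the example), a minimal transfer gate in Python that refuses inbound files carrying executable code and strips marked lines from outbound text:

```python
"""Transfer gate between the Internet-facing and the internal desktop.

Added example, not from the book. Assumptions (hypothetical): the gate
receives each file as bytes; inbound means Internet -> internal network;
confidential documents are stamped with a CONFIDENTIAL marker.
"""
import io
import re
import zipfile
from typing import Dict, Optional

# Magic bytes of common executable formats. Assumption: this short list is
# what the gate strips; a real gate would use a full file-type identifier.
EXECUTABLE_MAGIC = (
    b"MZ",                # Windows PE (.exe / .dll)
    b"\x7fELF",           # Linux ELF
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit
    b"#!",                # script with an interpreter line
)
ZIP_MAGIC = b"PK\x03\x04"            # OOXML documents are ZIP containers
MACRO_MEMBER = "vbaproject.bin"      # VBA macro storage inside OOXML
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger

# Assumption: the organisation stamps confidential documents with this word.
CONFIDENTIAL_MARKER = re.compile(rb"\bCONFIDENTIAL\b", re.IGNORECASE)


def looks_executable(data: bytes) -> bool:
    """True when the blob itself starts with an executable's magic bytes."""
    return data.startswith(EXECUTABLE_MAGIC)


def contains_executable(data: bytes) -> bool:
    """Verdict for a blob, descending one level into ZIP containers.

    Fails closed: an unreadable archive is treated as executable.
    """
    if looks_executable(data):
        return True
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(MACRO_MEMBER):
                    return True            # Office document with macros
                if info.file_size > MAX_MEMBER_BYTES:
                    return True            # possible zip bomb, refuse
                if looks_executable(zf.read(info)):
                    return True            # executable hidden in an archive
    except zipfile.BadZipFile:
        return True
    return False


def inbound(data: bytes) -> Optional[bytes]:
    """Internet -> internal: pass the file through unchanged or drop it entirely."""
    return None if contains_executable(data) else data


def outbound(data: bytes) -> Optional[bytes]:
    """Internal -> Internet: strip marked lines; block binaries that carry the marker."""
    if b"\x00" in data:                    # not line-oriented, cannot redact
        return None if CONFIDENTIAL_MARKER.search(data) else data
    kept = [line for line in data.splitlines(keepends=True)
            if not CONFIDENTIAL_MARKER.search(line)]
    return b"".join(kept)


def constructed_samples() -> Dict[str, bytes]:
    """Constructed test blobs for the example; none is a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x01\x02\x03")
    return {
        "pe": b"MZ\x90\x00" + b"\x00" * 60,            # fake PE header
        "report": b"Quarterly report\n",
        "macro_doc": buf.getvalue(),                   # OOXML with macros
        "memo": b"Agenda\nCONFIDENTIAL: salary bands\nNext steps\n",
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for name, blob in samples.items():
        print(name, "inbound:", "dropped" if inbound(blob) is None else "passed")
    print("memo outbound:", outbound(samples["memo"]))
```

The gate fails closed on malformed archives and refuses to inflate oversized members, because a checker that can be crashed or exhausted is a checker that gets bypassed. In production the magic-byte table would be replaced by a proper file-type identifier and the marker regex by the organisation's DLP classification, but the shape stays the same: strip code on the way in, strip secrets on the way out, and never pass a file the gate could not fully inspect.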
Decentralization, differentiation, hardening
A distinctive quality of the cyber fortress, or the modern concept in the above definition would be
decentralization.
Or as Sun Tzu says:
“The general who is skilled in defense hides in the most secret recesses of the earth”
It is no longer necessary to keep all your eggs in one basket. You have hundreds of ‘cloud providers’
who will happily host your desktops and servers, who will host your databases and files – if properly
protected and encrypted and with good access controls, they will be much better protected than if
located in a single location.
Think about the benefits for disaster recovery and business continuity – a single devastating
geographically constrained event would be unable to cripple your operations as they would be
distributed across the globe. A single government would not be able to take you down and a single
attacker would definitely struggle to even find all your information strongholds, yet alone attack
them.
Decentralize everything you can as long as it does not threaten business operations and profitability:
your software (use different vendors for different purposes), your desktops (use different operating
systems and authentication schemes per function), your server operating systems (same), your
workforce (all hail freelancing!), your selling grounds (who says you should only sell your services
on your website?), well… you get the point. Just make sure every decentralization step is well
thought out and planned, and that every decentralized location / point is well protected, well
connected (via an encrypted channel) and well concealed.
When creating ‘impossible to break’ defenses we should remember that there are fights and
adversaries against which we simply cannot win. Certain nation states and threat actors possess
technology which allows them to siphon information from your equipment from hundreds of meters
away via the electromagnetic waves it emanates, without utilizing any exploits or code-based
attacks, without resorting to social engineering or getting near your premises. Another way is to
use the microphone of a nearby smartphone to recover decryption keys from the sounds your laptop makes while decrypting data
(http://arstechnica.com/security/2013/12/new-attack-steals-e-mail-decryption-keys-by-capturing-computer-sounds/ ). One solution to fully isolate your environment even from these actors is to work
from an underground facility – not impossible, especially if you only need to protect your most
critical assets that way. Another is to utilize TEMPEST-rated equipment. The downsides are its lower
performance (it is updated much more slowly) and its price. Security is (almost) always a compromise with
usability, depending on the threats and risks; for most organizations this is overkill, and there is
no sense in going that deep in the defenses of a regular company, which will most likely never be of
interest to such an adversary.
Focus should be on the nodes, not on ‘protections’ and ‘appliances’. The nodes should be protected
from human mistakes (well backed-up data), internal threats (sabotage, leakage) and external threats
(opportunistic attackers, and advanced adversaries targeting you specifically) via rigorous planning and execution of
hardening steps.
This hardening should cover user awareness and education, OS settings, application settings,
networking settings, network communications, encryption, backup, updates of the OS and
application components, code execution control and, last but perhaps first in importance,
usability and efficiency. Without usability and efficiency you will lose any and all of the benefits of
the above: no matter how hard you try, if the measures you put in place are counterproductive
and illogical from a business point of view, they will be bypassed by even the least
qualified employees in the organization.
Remember what Alfred Hitchcock said: “There is nothing more dangerous and effective than a
motivated amateur”
Prepare for WAR and the new realities
On Cyber War
War is destruction and loss of lives. The term became powerless and meaningless with so much
marketing hype from every vendor, blogger and their uncle’s dog. Throughout this book you will
often read the term and others associated with it; just remember that things are really serious, and if
something bad hits the fan, it will really be devastating. We have seen examples of factories stopped,
whole production lines destroyed, fuel pipelines blown up and the electricity of entire countries disrupted
(Pakistan and Turkey); many of these were performed just as an exercise or to prove a point
between big players.
The (western) media portrays China and Russia as the most active players on the cybercrime /
cyberwar scene, when in reality the most active and effective cyber warfare actors are the Five Eyes
Alliance countries (FVEY - Australia, Canada, New Zealand, the United Kingdom, and the United
States, ref.: http://en.wikipedia.org/wiki/Five_Eyes ). Following them are China, Russia, France,
Germany, Japan, South / North Korea, and a countless number of other state and non-state
sponsored malicious code writers. Just for a sense of scale: the largest private intelligence
organization has almost 200 000 employees and private contractors under its belt. I would like to
emphasize that being active in this field does not necessarily mean being evil or dangerous;
everyone has the right to pursue their business and state objectives, to defend and seek information
which would improve their nation’s wealth and security. The only downside for regular organizations
is being caught in the crossfire between two or more large actors as collateral damage.
One of the strategies utilized by FVEY when a target is acquired is to exploit it via the already
existing open links to the Internet. That includes any open website, primarily but not
necessarily limited to sites based under their geographic control.
Once the victim has an established session with said website (think social networks, e-mail) –
FVEY inserts their traffic into the stream – such as an exploit – and compromises the target.
Having this in mind – critical and sensitive systems should never open sessions outside of the
fortress – and never establish sessions with the Internet unless inside an encrypted secure
tunnel.
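The advice above is to tunnel, but a defender can also look for the injection itself. As an added example that is not part of the book, here is a Python detector for the simplest observable artefact of the session-injection technique just described: the injector has to race the real server, so the client receives two segments for the same connection and sequence number whose payloads differ (Fox-IT published this check for QUANTUMINSERT in 2015). The session below is constructed from documentation address ranges, not captured traffic, and reading real pcaps is left out.

```python
"""Spotting an injected segment in a captured TCP session.

Added example, not from the book. Heuristic: an on-path injector has to race
the real server, so the client ends up receiving two segments for the same
connection and sequence number whose payloads differ. Retransmissions repeat
identical bytes and are not flagged. The segments below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    src: str        # sender "ip:port" (the server side of the session)
    dst: str        # receiver "ip:port" (the client)
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as observed at the client
    payload: bytes


class Conflict(NamedTuple):
    first: Segment       # what arrived (and was accepted by the stack) first
    later: Segment       # the competing segment for the same sequence number
    ttl_differs: bool    # supporting hint: a different path length to the client


def find_injections(segments: List[Segment]) -> List[Conflict]:
    """Return one Conflict per distinct competing payload at a given flow+seq."""
    groups: Dict[Tuple[str, str, int], List[Segment]] = defaultdict(list)
    for seg in segments:
        groups[(seg.src, seg.dst, seg.seq)].append(seg)

    conflicts: List[Conflict] = []
    for segs in groups.values():
        first = segs[0]
        reported = set()
        for later in segs[1:]:
            n = min(len(first.payload), len(later.payload))
            # Compare only the overlapping bytes: a segment that is a prefix
            # of another is re-segmented or retransmitted data, not a race.
            if n and first.payload[:n] != later.payload[:n] and later.payload not in reported:
                reported.add(later.payload)
                conflicts.append(Conflict(first, later, first.ttl != later.ttl))
    return conflicts


# Constructed session: client 10.0.0.5 fetching a page from 203.0.113.10
# (documentation address ranges; nothing here is a real capture).
SERVER = "203.0.113.10:80"
CLIENT = "10.0.0.5:51234"
INJECTED_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                     b"Location: http://203.0.113.99/\r\n\r\n")
REAL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>welcome</body></html>")
SAMPLE_SEGMENTS = [
    Segment(SERVER, CLIENT, 1000, 52, INJECTED_RESPONSE),   # arrives first, shorter path
    Segment(SERVER, CLIENT, 1000, 47, REAL_RESPONSE),       # real server, loses the race
    Segment(SERVER, CLIENT, 1000 + len(REAL_RESPONSE), 47, b"</html>"),
    Segment(SERVER, CLIENT, 1000 + len(REAL_RESPONSE), 47, b"</html>"),  # plain retransmit
    Segment("198.51.100.7:443", "10.0.0.5:51240", 500, 55, b"\x16\x03\x03\x00\x40"),
]


if __name__ == "__main__":
    for c in find_injections(SAMPLE_SEGMENTS):
        print(f"conflict {c.first.src} -> {c.first.dst} seq={c.first.seq} "
              f"ttl {c.first.ttl} vs {c.later.ttl}: {c.first.payload[:20]!r} "
              f"vs {c.later.payload[:20]!r}")
```

The check is deliberately narrow: it only fires when two different answers compete for the same byte range of one connection, which ordinary retransmission never produces. The TTL difference is a hint rather than proof, since the injector may sit on the normal path. Run against a plaintext capture this finds the race; it finds nothing inside a properly encrypted tunnel, which is exactly why the page recommends one.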
You don’t have to be on their list of targets to get hit or fall victim as collateral damage – your
company’s network can become just a temporary storage or a tunnel for their operations. Then the
weight of proving you were not involved will be on you – can you deal with that?
According to recently ‘leaked’ documents, the NSA considers using “fourth party” networks in their
operations as normal and acceptable – that is, using your company or your network as a stepping
stone during some operation, without your knowledge. The same policy most likely exists in other
countries and although I can’t judge if it’s right or wrong – it can harm innocent parties.
While I am fully supportive of any activity which preserves the lives and peace of any sovereign
nation, there are limits which should not be crossed. Such a limit is allowing unknown activities with
unknown motives and unknown consequences to the “fourth party”. Since there is nobody who
could enforce such fair behavior, the weight of enforcing it lies with every organization desiring
safety and independence.
Your objective is guarding your castle – and it does not matter who is the attacker and which
geographical border they belong to – your network is your territory. If it can fall victim to one player,
it can certainly fall victim to any other, using the same or another vulnerability.
Throughout this book I will mention quite a lot of techniques used by the NSA – not because they are
necessarily evil, but because no other intelligence agency has been a victim of so many public leaks
and as a result we have no other examples of how intelligence agencies work. Given the abundance
of information about the NSA though, we can safely conclude others act in a similar way, as they all
learn from each other on a constant basis.
We could all be thankful to the multitude of initiatives the NSA has taken upon itself – including
distributing free guides on cyber security – they could have kept these for themselves like most other
governments. In fact, many of these guides will be mentioned and used in this book – along with
leaked information, which can now be assumed public and no longer ‘top secret’.
Private cyber-gangs and armies
Organized crime switched to cyber-crime long ago: the low risks and tremendous returns were a
no-brainer. If the NSA spends upwards of $25 000 000 per year on 0-day exploits, the total spent on
0-day exploits underground is definitely more, factoring in the number of sellers and buyers and the
number of malicious specimens released every day. This underground market has existed for at
least 20 years. Think about Amazon; now realize that there are people who have been selling and
buying malicious code for decades, long before Amazon was even conceived.
The malicious software economy depends on a snowball effect: as users are being infected via
various vectors (malicious ads on compromised ad networks, hacked websites, malicious software,
viruses hidden in pirated software, etc), their data is being siphoned and sold and re-sold to multiple
layers of buyers, who in turn monetize the information just to invest more money into more
infections and more infection vectors and brand new exploits.
Executing an exploit against your branded network router, switch or appliance has become as easy as
sending it an inconspicuous packet that no IDS/IPS flags. Executing code on any computer in
your network has become as easy as sending an e-mail with a PDF attached, followed by a tunnel leaking
all confidential information from that computer across the globe.
At this point it should be pretty obvious that your defense strategies need to change.
It does not matter which political side you are on or which country you operate from. The threats
have become so mixed up and global that we must act as if we are being attacked from multiple sides, by
multiple nation states and multiple criminal groups, all at the same time.
Is China your biggest enemy?
Or maybe it is Russia? Or Iran? Really, the media hype is for the masses; we are supposed to be
smarter than that. First, remember that the Five Eyes alliance exists. The US cyber force alone
numbers above 20,000 soldiers, trained in offensive and defensive skills. Now, are they really the
only ones capable of building a cyber army? Because what is a cyber army? Just a number of people
trained in offensive security techniques, equipped with a set of really expensive software and
hardware tools. So anyone capable of shelling out a considerable amount of money is also capable
of assembling a considerable cyber arsenal and a body of cyber warriors. That extends our list to
almost any nation in existence.
And let’s not forget, there are criminal syndicates in possession of incredible amounts of money.
They are not even slightly behind technologically – I would say they were there a very long time ago,
waiting for us.
Then there are the regular local gangs, dealing in power and information: the ones who will take
orders from your competitors to infiltrate your organization and steal information for as little as
four- or five-digit sums.
In this environment it is no longer forgivable to hide your head in the sand and pretend you are small
and nobody will come after you. It is no longer about someone coming after you. It is about everyone
going after everyone at the same time: either you fight and survive (if you do it well) or you fall as a
victim. There is no other option.
Intelligence operations against technologies we use every day
It is still unknown which of the ‘leaks’ discussed below were planted as misinformation and which are
real. Judging from their technical details, and trusting the collective intelligence of the global infosec
community, it can be concluded that they are legitimate.
From the German Der Spiegel, at http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html, we can see the following categorized attacks:
Attacks against Crypto
 Guide for Analysts on how to use the PRISM Skype Collection
 GCHQ Briefing on the BULLRUN Program
 GCHQ Presentation on the BULLRUN Programs Decryption Capabilities
 NSA LONGHAUL program for end-to-end attack orchestration and key recovery service
 BLUESNORT program on "Net Defense" from Encrypted Communications
 Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not
 NSA program SCARLETFEVER explaining how attacks on encrypted connections are orchestrated
 Description of VOIP Telephony Encryption methods and cryptanalytic and other ways to attack
Attacks on SSL/TLS
 NSA Experiment for massive SSL/TLS Decryption
 Canadian Document from CES on TLS Trends
 Details on how NSA uses the SCARLETFEVER program to attack Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
 Analysis of SSL/TLS Connections through GCHQ in the FLYING PIG database
Attacks on VPN
 NSA High Level Description on TURMOIL / APEX Programs on Attacking VPN
 Explanation of the GALLANTWAVE that decrypts VPN Traffic within LONGHAUL
 Intro to the VPN Exploitation Process mentioning the protocols attacked (PPTP, IPSEC, SSL, SSH)
 Analytic Challenges from Active-Passive Integration when NSA attacks IPSEC VPNs
 Overview of the capabilities of the VALIANTSURF program
 MALIBU Architecture Overview to exploit VPN Communication
 POISENNUT Virtual Private Network Attack Orchestrator (VAO)
 NSA Presentation on the development of Attacks on VPN
 NSA Presentation on the Analysis and Contextualisation of data from VPN
 Description of existing projects on VPN decryption
 Explanation of the Transform Engine Emulator when attacking VPN
 Explanation of the POISENNUT Product and its role when attacking VPN
 Explanation of the TURMOIL GALLANTWAVE Program and its role when attacking VPN
 Processing of data from exploited VPN in the TURMOIL program
 Decryption of VPN Connections within the VALIANTSURF program
 Description on the processing of VPN data packets within the TURMOIL program
 Explanation on the SPIN9 program on end-to-end attacks on VPN
Deanonymizing
1. Explanation of a potential technique to deanonymise users of the TOR network
2. Analytics on security of TOR hidden services
3. Overview on Internet Anonymization Services on how they work
4. TOR deanonymisation research
5. TOR Overview of Existing Techniques
6. A potential technique to deanonymise users of the TOR network
Cryptanalytics
 General Description how NSA handles encrypted traffic
 Intercept with PGP encrypted message
 Classification Guide for Cryptanalysis
 Procedural GCHQ Document on how analysts are to handle encrypted traffic
 NSA / GCHQ Crypt Discovery Joint Collaboration Activity
 NSA Cryptographic Modernization (CryptoMod) Classification Guide
 "National Information Assurance Research Laboratory (NIARL)": Newsletter, Keyword TUNDRA
 What Your Mother Never Told You About the development of Signal Intelligence
 Intercept with OTR encrypted chat
We can also consider that every nation partnering or being part of NATO is using the same or similar
techniques. Just as well they could be used by any other sufficiently advanced nation.
But wait, there’s more. According to http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html, intelligence agencies are planting malware into
websites their victims are using without needing to compromise the actual website. All they need is
an on-path position between the user and any point on the Internet on the way to the target site. Then a
fake web page, identical to the one the user expects, is injected into their browser, with a little
‘present’ inside in the form of an exploit.
Going through the documents above leaves the impression no technology is spared and any
technology capable of providing privacy and confidentiality to the people is being actively researched
and attacked.
To top that off, it seems the NSA (or a group closely linked to it, the ‘Equation Group’ described by
Kaspersky Lab) has been planting backdoors even in hard drive firmware, for years. There is no
guarantee the same does not apply to the BIOS or other devices. More details here:
http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group
All this leads to the conclusion that there are just a few methods we can employ to stay safe from
exploitation. Some of them were mentioned above, but I will summarize them here and detail
them in the chapters following this one.
1. Usage of common software which could be easily exploited should be avoided. That
includes operating systems.
2. Usage of common network equipment should be avoided. Building your own router /
firewall appliances has never been more justified, especially with the abundance of open
source projects for that purpose.
3. Mass-distributed mobile devices (smartphones and tablets) should be used carefully and
only in situations where it is acceptable for the device to be fully monitored: content,
location and code execution at will by an adversary. In all other cases tightly
controlled devices should be used, with enforced encryption, enforced browsing
whitelisting by an external proxy, enforced application sandboxing and an always-on
VPN. Communication over mobile networks (GSM/4G) protected only by the encryption
provided by the mobile operator should be avoided where and when privacy is a
concern.
4. A VPN is to be trusted only when both endpoints can be trusted as well and when the
protocol used is implemented and configured properly. Some of the leaks mentioned
above indicate that a simple misconfiguration on the part of a system admin can leave
gaping holes in the security of a VPN connection. The definition of a proper VPN
configuration can be found, luckily, in the documents and configuration guides
(SRGs/STIGs) published by DISA IASE, mentioned later in this book.
5. Get your equipment only from trusted vendors. Remember that certain vendors were
proven to have planted (willingly or unwillingly) hardware and software backdoors into
their appliances. If you can’t find a trusted vendor, try to build the server / network
service yourself. Buy from countries where the Five Eyes alliance has no control over
vendors; you could buy directly from China and collect the equipment yourself from the
factory, if the situation requires utmost certainty that nobody has tampered with it on its
way to you.
You could read even more and use a search engine to search through ‘leaked’ documents on
https://www.eff.org/nsa-spying
Please don’t get me wrong – I am all for the fight against terrorism and combating the criminal
underground through legal surveillance. But this has already gone too far and we need to at least
return the balance of power to the people – remembering that the government exists (by definition)
to serve its people – it is not the opposite.
In present times our communications and data must travel from source to destination through
networks that are de facto compromised, by various actors for their own agendas. Sending data
across the globe means it may be intercepted and an attempt to decrypt it may be made.
There is a solid chance that it may also be modified, with an exploit inserted so that it
compromises the target on arrival.
Malware written by APTs no longer relies on files on disk; it is now stored in the BIOS, in GPUs
(for a good example, check out https://github.com/x0r1/jellyfish), in RAM, in the registry, in HDD
firmware… If you are looking to detect malicious code planted in your system after exploitation by
an APT, you will fail. Malware written in 2008 was only detected at the end of 2014; following the
same logic, that their knowledge is X years ahead of the general public’s experts, we can expect
malware written by intelligence agencies in 2015 to be discovered in 2020 or later, if ever.
So we must strive to harden our endpoints and de-centralize our infrastructure elements in order to
prevent exploitation. We must also up our game – what was enough to maintain the security of our
data 10 years ago is merely a speck of what is needed in terms of equipment, knowledge and
experience today. This book will not provide them for you completely – but it will give you very good
starting points in the various topics it touches.
APT or APA and can APDs counter their attacks?
APT. Oh, how I love this term. It became the fashion among security vendors so much that they
started including it in every single page of their marketing materials. Every single vendor out there
will come to a sales meeting saying their appliance magically defends against “APTs”. Do they even
know what that means?
I would like to use an image to illustrate the idea:
Image credit: https://www.flickr.com/photos/soldiersmediacenter/8144569645
APT is not a ‘threat’ by itself. It is not the danger of being shot, it is the sniper, patiently waiting for
your head to align with the crosshair of their sniper optics.
You can read the following book to thoroughly understand the meaning of it: Advanced Persistent
Threat: Understanding the Danger and How to Protect Your Organization. I will just try to share my
ideas below, to augment the rest of the content of my book with the term. After all, what good is a
security book if it does not mention APTs?
No vendor can prevent APT
This is like saying that a band aid will prevent bullet wounds – when what you should really be
focusing on is to avoid being in the way of a bullet in the first place, as in this analogy the APT is the
shooter, not the bullet. No vendor or appliance can prevent motivated, well-funded and trained
individuals from having an interest and motivation to attack you. What you can do though and what
this book is about is to raise the adversary’s cost to attack you by focused, patient and persistent
work on becoming an Advanced Persistent Defender.
APT is a bad term. I would say a better term is Advanced Persistent Attacker (or Advanced
Persistent Adversary). Detecting them has become much more difficult because, since 2008, they no
longer use files to store their backdoors on your systems, or at least avoid storing non-encrypted
files.
You cannot detect APT activities with your AV, nor can you spot their running code with a task
manager. A good idea would be to dig into a memory dump from a suspicious machine, but are you
going to do that continuously for all your machines?
What is left is network activity. But are you monitoring your power lines? Because APAs could be
using your power lines to exfiltrate information; in many cases they will not use your networking
equipment. Or they will install their own gateways inside your network and the traffic will never even
touch your gateways.
Motivation is what drives them and while that motivation is backed by enough resources to justify
pushing until a successful breach – and while the reward from that breach for them is bigger than the
expense of pushing through your defenses – they will push.
Simple mathematics dictate that as long as your adversary’s resources and motivation are greater
than your resources and motivation, they will prevail. That means one thing – use your resources
wisely, stop spending humongous amounts of money on newer appliances and start thinking how to
do more with less, as I am sure with proper configuration and hardening you can achieve more than
if you buy and plug in all the security appliances on the market. Hopefully if you do your job in the
best way possible you will raise the cost of breaching your defenses enough to deter as many
adversaries as possible with the resources at hand.
In my opinion spending time and effort on proper configuration results in a higher security yield than
spending money on products.
Being a persistent defender means creating invisible and difficult to penetrate data stores and user
endpoints, hardening your servers and network devices according to military-grade best practices,
controlling code and application execution, etc.
The process of creating a single well hardened desktop could take up months of your time – the
benefits though will be quickly visible when you start deploying it across the enterprise.
It is faster and easier to buy somebody’s well sold promise, especially if it covers all your bases in
terms of compliance to your favorite standards – but it has nothing to do with being a persistent
defender and it will not help you keep your job when that promise fails to deliver.
Being an Advanced Persistent Defender is yet another animal and requires a never-ending process of
reading and learning, as your adversaries never stop advancing their skills to the next level – just
please don’t mistake learning with obtaining certifications. Can you imagine an advanced cyber
attacker boasting a certificate as their skill to penetrate your defenses? Then why would you feel
more capable to defend by being certified? As one of my very good friends pointed recently – a
certificate is a beautiful packaging, nothing else. Make sure you pack a punch in that packaging or
don’t go to the fight in the first place.
A big part of being an APD is knowledge; that is why the next chapter will focus on obtaining the
knowledge necessary to build a good foundation.
Becoming a knight: learn!
Constant improvement is what your adversaries excel at. Even though you might go for a new
certificate from time to time, this is not the improvement I am talking about. Webinars are not
improvement. Good, old-school reading and putting what you learned into practice is what will make
you a master of your craft. Let the others go for the certificates; you will not be competing at their
low level anyway.
Your mastery of the Cyber Defense craft is imperative to your own success and the success of your
organization.
I cannot promise you many things, but I can promise you this: if you dedicate the time to read this
list of books you will be on your way to becoming a Master among your peers. Just trust me on this
one. Every book will move you forward, every book will build your mindset and every book will drive
you to learn new things, even ones not mentioned inside. It does not matter which field you are
trying to excel at (pentesting, auditing, managing a security team, secure programming, security
monitoring, etc.): the books below will provide an incredibly solid foundation on which you can build
further.
Finally – please stop making blogs and blog posts your primary source of infosec news and start
reading well written books and military-grade papers on security – they are not that difficult to find.
Let the “certified professionals” post and read on blogs – this book is for the ones who want to go
beyond a certification or a degree (if you hold any certificate please do not get offended – I’ve seen
the good and the bad from people holding them and can say it only depends on the person – some
people know what they’re doing, many don’t). Remember the golden rule of being an expert – read
the books the authors of your bestseller books had to read to become good enough to write your
bestseller books! Do you really think they would have written them by reading blog posts? Don’t
think so.
Recommended books to build a solid foundation
The list is not comprehensive – and is a personal recommendation. Yet I still trust that after reading it
you will be miles ahead of people who only study what they have/need to. Your understanding of the
core concepts in this field will allow you to make much wiser decisions.
Philosophy / Military Art
There were times when warriors (and defenders) had to prove themselves in battle as opposed to
paper degrees, certifications or LinkedIn profiles. And in order to become victorious in your daily
battles, you need strategy – strategic thinking they do not teach you on the certifications tracks and
in universities. Military insight collected over the centuries and distilled into books is invaluable for
infosec professionals.
The Art of War – Sun Tzu – let this be your foundation. Many know about this book, but not
everyone knows that it has an amazing successor. Sun Tzu had a great-grandson (some say great-great-great-grandson), Sun Pin, and his book (Sun Pin: The Art of Warfare) is a must-read, too.
There is actually one book on Amazon which has both in one. The best you could do is to buy
“The Complete Art Of War: Sun Tzu/Sun Pin (History & Warfare)”, as it contains both books and a
very good commentary by people who have spent years studying them; without it you
would have a hard time understanding some of the specific ancient Chinese concepts.
The Book of Five Rings
If you liked “The Art of War” you will like this one. It is Japanese, and it is said that the Yakuza are
governed at large by the rules of this book.
Please do not be alarmed by the large quantities of fighting techniques, sword and other weaponry
usage guidelines – yes, there is a lot of that, but it is definitely not useless and can be applied to
modern cyber attack / defense tools. Think of it in this way: both you and your attacker possess
defensive and offensive capabilities. While many see cyber defense as their only legal option, cyber
offense is possible and can be legal.
Yes, you cannot hack back. But you can track down and capture with the help of any local police. You
cannot steal their information, but you can provide local (to the attacker) law enforcement with ways
to obtain that information, and so on. Just as the attackers can use strategy to break through your
defenses, so can you. And they are not as scary as their tools are to your security vendors – in most
cases hackers are much less protected than an enterprise. It is surprisingly easy to track them down
and capture them if you have the right people, tools and resources at hand.
The books above are the Foundation. Reading them once is a good start. Reading them for a second
time after a year is necessary. You will understand, after time, that you cannot fully comprehend
what a military master has accumulated over a lifetime and compressed into a book, over a single
reading. And when you read them for the second/third time your brain will eventually start to build
connection between the cyber world and the real world, between ancient fighting strategies and
modern cyber war strategies.
Diplomacy (Touchstone Book) - this book will give you many good examples on diplomacy, and this
skill is critical in our daily work.
Cyber Security History
The Best of 2600: A Hacker Odyssey
This one is a gem. Not actually a book – but a collection of quite a lot of issues of the 2600 magazine
– starting from the earliest. The whole cyber security culture, a lot of its mindset are compressed
inside.
I can’t think of any other book which would give you such a good perspective on the history of
our craft as it developed through the years.
Novels
Yes, you read that right. Novels. Severely underestimated in the benefits and knowledge they provide
– the books below are a must-read.
You are really lucky the series below are available as a single Kindle purchase for under $50. Back in
the day, I had to order them book by book and ship them to Europe – the price was much higher.
Stealing the Network: The Complete Series Collector’s Edition and Final Chapter
This is one of the most important readings one could have as an INFOSEC professional. It will open
your eyes and mind to an incredible amount of real-life attacks. Through a captivating story the
books will guide you through hundreds of techniques cyber criminals use to compromise their targets
and stay undetected.
Trojan Horse: A Novel
A book by Mark Russinovich, with a foreword by Kevin Mitnick. An amazing combination.
Rogue Code: A Jeff Aiken Novel (Jeff Aiken Series) is another one worth the read. You will have fun
and keep learning – can it get any better?
Hacking a Terror Network: The Silent Threat of Covert Channels – this book will open up a whole
new world of data exfiltration / steganography in a very realistic way.
The Art of Deception: Controlling the Human Element of Security – a classic by Kevin Mitnick. An
absolute must when it comes to understanding social engineering.
Followed by…
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers –
another great read by Kevin Mitnick, this time on a more technical side. Very realistic – although
slightly dated – exploitation today happens in a very different way. Still, very much worth a read.
Technical books
Just two titles here; we are laying the foundation. There are many ways to focus on a specific area of
expertise, but a certain foundational technical level is still needed to get started.
Hacking Exposed, 7th edition – no doubt, you SHOULD read this book, if you haven’t already. It will
build a solid foundation for whichever direction you decide to develop in.
Security Intelligence: A Practitioner's Guide to Solving Enterprise Security Challenges – the second
technical book you should get. Much deeper and tougher to digest. Note: not available in some
countries, but guess what: you can buy it from O’Reilly directly as an e-book:
http://shop.oreilly.com/product/9781118896693.do
Standards and Best Practices
Try and stay away from cyber security standards which are built around an auditing / compliance /
security certification industry, same as ‘best practices’ being offered by educational entities for
marketing purposes. I mean, surely you will not be able to if you work at a large organization, but you
should definitely not rely on them for any practical usefulness beyond protection on paper.
The ones which are focused on practical controls are tough to implement and really tough to control
– that is why there are very few consultancies specializing on auditing non-US companies against
NIST 800-53v4 or US DoD 8500 controls.
Most focus on ISO standards. Personally, I dislike them for the damage inflicted on
organizations that believe themselves secure after being declared “compliant” with some brand-name
standard or the like. Not that ISO standards are bad – they are not. But the way they are enforced
and audited against is not right. There must be much stricter control over which proofs of compliance
are accepted, because a control on paper is not the same as an effective practical control
which is tested and working against real threats. Often the auditors themselves lack basic infosec
knowledge and can’t see beyond their checklist.
Then again, there is nothing wrong with checklists. Take this one for example http://www.klcconsulting.net/diacap/DoDI_8500-2_IA_Control_Checklist_-_MAC_2-Sensitive__28_March_2008.pdf - as long as the controls and the proofs of their existence are checked properly.
“Is a port closed?” Run nmap and check. Don’t just accept ‘yes’ as an answer from the network
engineer. “Do you perform information security awareness training?” Interview several employees
from multiple departments, check their knowledge, test them with a fake phishing page, see how
many report it and how many submit their domain credentials… Do you see now how different that
is from the audits most organizations are used to? And then they wonder why their compliance does
so little for their real-life security. It’s all about proper verification.
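To make the “run nmap and check” step concrete, here is an added example (not code from the book) that verifies a “that port is closed” answer against an actual nmap scan rather than against the checklist. It parses nmap’s greppable output (`-oG`); the scan text, the addresses and the approved-ports baseline are constructed for the example and are not real systems. Two caveats it makes explicit: a port nmap reports as “filtered” is not the same as “closed” (a firewall is dropping probes, the service may well be there), and a host that was not reached by the scan leaves the claim unverified, not verified.

```python
"""Verify a 'that port is closed' claim against an nmap scan instead of
accepting it on paper. Added example, not from the book. Parses nmap's
greppable output (-oG); the scan below is constructed, not a real network."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed output of `nmap -sS -oG - 10.0.0.0/29` (addresses and hostnames
# are made up). In practice you would read the -oG file the scan wrote.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.10 (web01.corp.example)\tStatus: Up
Host: 10.0.0.10 (web01.corp.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 10.0.0.11 (db01.corp.example)\tStatus: Up
Host: 10.0.0.11 (db01.corp.example)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: filtered (998)
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

Port = Tuple[str, int]  # (protocol, port number)

# Hypothetical approved-ports baseline: what each host is allowed to expose.
# 10.0.0.12 is in the baseline but was not up during the scan.
BASELINE: Dict[str, Set[Port]] = {
    "10.0.0.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.0.0.11": {("tcp", 22), ("tcp", 3306)},
    "10.0.0.12": {("tcp", 22)},
}


@dataclass
class HostScan:
    ip: str
    ports: Dict[Port, str] = field(default_factory=dict)  # (proto, port) -> state
    ignored_state: Optional[str] = None  # state nmap assigned to every unlisted port


def parse_greppable(text: str) -> Dict[str, HostScan]:
    """Parse nmap -oG output into a per-host map of port states."""
    hosts: Dict[str, HostScan] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        columns = line.split("\t")
        ip = columns[0].split()[1]
        host = hosts.setdefault(ip, HostScan(ip))
        for column in columns[1:]:
            if column.startswith("Ports:"):
                # Each entry is port/state/proto/owner/service/rpc/version/
                for entry in column[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 3:
                        continue
                    host.ports[(parts[2], int(parts[0]))] = parts[1]
            elif column.startswith("Ignored State:"):
                host.ignored_state = column.split()[2]  # "closed" from "closed (996)"
    return hosts


def port_state(hosts: Dict[str, HostScan], ip: str, port: int, proto: str = "tcp") -> Optional[str]:
    """State of one port: the listed state, else nmap's 'ignored' state for that
    host, else None when the host was not in the scan at all (claim unverified)."""
    host = hosts.get(ip)
    if host is None:
        return None
    return host.ports.get((proto, port), host.ignored_state)


def check_baseline(hosts: Dict[str, HostScan], baseline: Dict[str, Set[Port]]) -> Dict[str, dict]:
    """Compare the open ports of every host against the approved baseline."""
    findings: Dict[str, dict] = {}
    for ip, approved in baseline.items():
        host = hosts.get(ip)
        if host is None:
            findings[ip] = {"unscanned": True, "unexpected": [], "missing": sorted(approved)}
            continue
        open_ports = {p for p, state in host.ports.items() if state == "open"}
        findings[ip] = {
            "unscanned": False,
            "unexpected": sorted(open_ports - approved),  # open but never approved
            "missing": sorted(approved - open_ports),     # approved but not open
        }
    for ip in set(hosts) - set(baseline):  # scanned hosts nobody approved at all
        open_ports = {p for p, state in hosts[ip].ports.items() if state == "open"}
        findings[ip] = {"unscanned": False, "unexpected": sorted(open_ports), "missing": []}
    return findings


if __name__ == "__main__":
    scan = parse_greppable(SAMPLE_SCAN)
    print("10.0.0.10 tcp/3389 is", port_state(scan, "10.0.0.10", 3389))
    print("10.0.0.11 tcp/3389 is", port_state(scan, "10.0.0.11", 3389))  # filtered, not closed
    for ip, result in sorted(check_baseline(scan, BASELINE).items()):
        print(ip, result)
```

Run it against the real file (`nmap -sS -oG scan.gnmap <targets>` and feed the file contents to `parse_greppable`) and the answer to “is 3389 closed on web01?” is no longer a word from the network engineer but the scanner’s own record; the baseline diff then turns a single yes/no question into the full list of exposures the checklist never asked about.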
Now, if you really want the “big guns” – review the US DAG (Defense Acquisition Guidebook, all 1248
pages of it) which defines in great detail the requirements towards systems and processes, before
being accepted to service. https://acc.dau.mil/docs/dag_pdf/dag_complete.pdf (I hope it stays
online longer, if not – well, all PDFs mentioned in this book will be available on request, too). After
you go through it you will see the difference with popular standards and requirements for yourself.
There is no way to catalogue all best practices worth reading here – but I am making a point. There
are ones built by commercial organizations and ones built by defense engineers. Choose the latter
every time you have the opportunity.
One good starting point for referring to cyber security standards and best practices is the Cybersecurity
Framework Reference Tool developed by NIST, located here:
http://www.nist.gov/cyberframework/csf_reference_tool.cfm. It can be used not only to map
controls to their respective standards / best practice references, but also when you need to explain
to higher management why a certain control must be implemented. Backing your words with
control details and names, and referencing the best practices and standards linked to those controls,
makes your case much stronger.
It provides you with a really handy XLS file listing all relevant references per category and subcategory:
http://www.nist.gov/cyberframework/upload/framework-for-improving-critical-infrastructure-cybersecurity-core.xlsx
For example, for the Asset Management category, it lists the subcategory “ID.AM-1: Physical
devices and systems within the organization are inventoried” and the references for this
subcategory:
· CCS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8
You can also use Google to find valuable guides and information.
For example, a simple Google search for “Information security New Zealand filetype:pdf” returns the
following document: http://www.gcsb.govt.nz/assets/GCSB-Documents/NZISM-2011-Version1.01.pdf – the “New Zealand Information Security Manual”, all 297 pages of it.
The Australian Government Information Security Manual page is an incredibly good resource, too:
http://www.asd.gov.au/infosec/ism/index.htm – and the three documents (Executive, Principles and
Controls) are incredibly well written. Even though most of this book is focused on what the US
government infosec teams have provided to the world for free, the Australian teams are breathing down
their necks in terms of quality and usefulness.
Strive to read the best information possible.
And since the following is totally free, you could attend and pass every single training which matches
your interests from the list here:
http://iase.disa.mil/eta/Pages/online-catalog.aspx
These are web-based training materials (WBT), containing hundreds upon hundreds of the highest-quality security trainings you could ever find for free online. They are not vendor-based and not created
for profit, but created with the sole purpose of effectiveness. I could not recommend them highly enough.
Some of them might be applicable to all your colleagues (like the Phishing or Cyber Awareness
Challenge), others might be relevant to your IT team.
The second course you can see on the screenshot above, “Mission Assurance for Senior Leaders”, is
also excellent material for you as the reader of this book.
Survey the security posture of your company
Knowing the strengths and weaknesses in the defenses of your organization is crucial to its survival.
There is a solid reason for quoting Sun Tzu when it comes to knowing yourself. The actual quote is:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you
know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
In the beginning of my career I hated audits – all of them. IT audits, IT security audits, compliance
audits – they seemed like a waste of time. They seemed to get in the way of my “work”, stopping my
“productivity” and wasting everybody’s time just to produce spreadsheet reports. I am sure a huge
percentage of IT personnel today and tomorrow will continue to see them that way. In reality they
are an excellent, and probably the best, way of ‘knowing yourself’. Every audit can provide you with a
ton of information, and if you look at it from different angles you will see the bigger picture. Instead
of forcing them on your fellow colleagues it is a good idea to spend some time and explain their value
once and for all – you will get better data and better results if you do.
Situational awareness
Knowing by heart the exposure of your organization to external and internal threats is crucial. At any
point in time your officers need to know the currently open vulnerabilities for any system under their
command – that includes public exploits as well as configuration weaknesses which would make
lateral movement or data exfiltration easier once a breach occurs.
Maintaining an internal, well-protected database of all systems and their current state of exposure is
critical. This would be done best by integrating a 3rd party system with a CMDB (configuration
management database) containing all of your equipment and all of your logical business systems and
software systems, database systems and file storage systems, automatically updated over time when
new equipment is added.
Information on current exposure is best gained from manual and automated audits.
Larger organizations are usually forced to pass yearly audits to maintain compliance and can audit
each other before establishing trust. If you are part of such an organization then this chapter will
help you find alternatives to what you use today – and who knows, maybe you will find them more
effective?
The reason I somewhat lack trust in the popular standards – such as ISO/IEC 27001 – is that many
times the auditors try to ‘help you pass’ – they accept paper proof without validation or sometimes
themselves do not see the difference between a realistic control and the control they see on paper. If
a control is ‘there’ it is not necessarily effective – but they will write a “yes” on their checklist and
move on. They will not discuss with you the effectiveness of said control – as a result you will have a
false sense of security after ‘passing’. This is risky.
Besides the most popular information security audit standards there are ones which are less popular
and in a way more powerful. I don’t know how they didn’t get to the market and why they aren’t
accepted by the majority as primary information security assessment methods – but I personally
Page 24 of 112
strongly recommend them. A likely reason is the lack of a significant marketing and sales effort – not
their value or effectiveness.
NSA-ISAM
The first in my list by importance is NSA-ISAM, which is short for NSA Information Security
Assessment Methodology. If you read the book, you might just be able to perform it yourself,
following the book, provided you have the manpower and expertise necessary. You can find the book
on Amazon: http://www.amazon.com/Security-Assessment-Case-StudiesImplementing/dp/1932266968
This book goes hand in hand with http://www.amazon.com/Network-Security-Evaluation-UsingNSA/dp/1597490350/ – “Network Security Evaluation Using the NSA IEM”
Having been developed by the NSA with the purpose of protecting US Government networks and
contractors, it is – I can assure you – less full of BS than other auditing standards out there.
The reason this information security assessment methodology is so powerful is that it covers
everything – including blue and red teaming assessments. Real assessments and not just a checkbox
“do you perform pentests – yes / no”, like in other ‘standards’.
Having a risk-based approach rather than a checkbox-based approach is yet another benefit of passing
through NSA-ISAM.
Since this methodology is not mandatory and is almost unknown outside the USA it has made little
commercial impact and had no chance of becoming the pillar of information security assessment it
deserves.
There are, however, multiple organizations and individuals capable of getting your organization
audited according to NSA-ISAM. The price for such an audit can begin in the range of $20 000 – but
that figure can be significantly lower or higher based on the size of your organization or its
complexity / perceived risk.
Most experts in the field have heard of, or used to some degree, the NIST 800 series of standards and
best practices. Not many have performed audits based on them, though – and that is a really big
miss. You will rarely see auditors listing NIST 800-53 v4 as one of their areas of expertise
– meaning you might have to organize the workforce to deal with this task yourself. Luckily, there are
tools to help you with that.
TOOLS
There are tools which might help you perform complex assessments without having to pay auditors
who would basically do the same thing – asking you questions and marking down check-boxes in
their notebooks. You can easily ask the same questions to your IT team and fellow colleagues.
CSET
This actually is a set of usable assessment programs generating very useful, readable and actionable reports. It is called CSET (Cyber Security Evaluation Toolkit), and can be found at https://ics-cert.uscert.gov/Downloading-and-Installing-CSET
Mounting and installing from the ISO file leaves you with the most powerful free infosec assessment manual audit tool ever created.
My recommendation: install it on a secured laptop; the auditor can then pass through the various departments of your company – the program is designed to collect verbal answers (with the option to attach evidence) and produce reports based on checklists and questions.
CSET allows for a full audit of your company’s practices against NIST 800-53 or DoD 8500, as well as several other standards.
You and your team can have weeks of fun with this tool! I would like to reiterate: it’s FREE. It would
be a sin not to use it.
Note: this is NOT a scanner. It is meant to manually (questions and answers, collecting evidence to
support these answers) audit your company’s cyber security posture.
Please remember: an audit is useless without validation. For every answer you get require proof – in
the best case scenario, the person answering the question should be able to show you the exact
setting / control in place, not just on paper. In the worst case scenario, accept documents – but never
accept an answer as “yes” without evidence.
I am oversimplifying the complexity of this application – its user manual is 250 pages long and is
worth reading.
Automated scanners and penetration testing
Now that is an entirely different field. I would like to avoid turning this book into a catalogue of links
and tool names – just remember that a free tool is as effective as its price – for example, HP’s
WebInspect is much more powerful than most freely available web vulnerability scanners, but its
price will likely mean it will be cheaper for you to hire a professional services firm to run it for you
rather than buy the license, unless you are on the Fortune 500 list.
Important: When purchasing / leasing an automated scanner to assess your environment, check if it
supports STIG compliance checking. You will learn why later on in the book.
Another very important feature you should be looking for is vulnerability remediation tracking,
unless you want to do all that work in Excel.
Automated scanners are the most basic level of assessment you could run in your environment. A
manual assessment by a professional penetration testing team will uncover logical errors and
weaknesses which a tool can never find.
But there is also a caveat to penetration testing: the technology I mention again and again and again
throughout this book – STIG/SRG – is unknown to most penetration testers. That means that the
intricate details of system hardening, down to the deepest configuration settings, are also not well
known to them. Penetration testers focus on finding the weakest link or the most easily exploitable hole
in your defenses – their target is not finding ALL of them. So even after a pentest uncovers
tremendous weaknesses in your defenses and you fix all of them – remember, 90% of the remaining
vulnerabilities are still there. Please remember that and work on hardening as many devices as
deeply as possible. If you can afford a team of a few penetration testers who will find 10% of the
existing vulnerabilities in your defenses, there are countless others working individually and in teams
doing the same, looking to break the other 90% around the clock if left unchecked.
How to choose a penetration testing company
Disregard the brochures and sales presentations given by big name organizations. I have seen very,
very big names deliver ‘penetration testing’ in the form of heavily branded vulnerability scan reports
and a couple of SQL injections. The same organizations charge in the range of $1000 per day for their
services.
Try to find the company employing infosec professionals with a different set of skills. They don’t
like wearing suits and you could see them in jeans and black T-shirts, covered in tattoos – but what
differentiates them from ‘suited pentesters’ is they know what they’re doing. They present regularly
at security conferences because they have something to say – and people listen to them time and
time again. The same people often create open-source security tools – tools which then are used by
everyone, even by the ‘suited pentesters’.
This is the one solid sign your potential vendor can deliver on a penetration testing engagement –
involvement and usefulness to the infosec community, as well as name recognition of their
employees in the same. And just because I love examples, I will allow myself to gift some shameless
advertising to my friends from TrustedSec - https://www.trustedsec.com/may-2015/egressbuster-v02-and-github-goodies/
They are just one of the hundreds of properly trained teams around the world – but looking for the
right ones just got easier for you.
Know your enemy
Knowing your environment (yourself) is only half of the way. You should know your enemy as well. One way
of keeping in touch with what is happening on the Dark Side is keeping updated with information
security news. And keeping a list of RSS feeds is no longer relevant – where keeping yourself updated
once or twice per day was OK in 1999, it is no longer acceptable. News dashboards updated in real
time from Twitter and CERT teams around the world are a must.
Missing security news even for an hour could have devastating consequences for you and your
organization (well, the company will survive, but will you keep your job for letting the bad guys in
because you missed a critical exploit in the wild?)
Doing your due diligence is your and your company’s insurance.
Twitter
You might get away with just following popular infosec people, but how are you going to know which
ones to follow? Hashtags (##) to the rescue!
In the Twitter search box, type #infosec, #InformationSecurity, #Malware, #Vulnerability (many
emotional tweets might sneak into this search, but still), #dfir (Digital Forensics and Incident
Response related tweets).
The users I highly recommend following: @USCERT_gov, @QatarCERT, @enisa_eu, @xorred (me, of
course!) – you can find the others while browsing tweets from the aforementioned hashtag searches.
Twitter on Steroids – TweetDeck!
Now comes the interesting part. After you’ve mastered Twitter, you should create your first real-time
infosec news dashboard, and I will show you how.
Go to https://tweetdeck.twitter.com/ - sign up if you have to, authorize the app – and click on the big
Plus (+) sign, which says “Add column” when hovering over it. From there, click on “Search”:
Then enter the following settings:
In the Engagement settings, enter at least 1 retweet and at least 1 favorite. This way you will get rid of most of the spam on these hashtags. Additional blocking / muting of spammy users on TweetDeck is necessary, even after these tweaks – but you will get much less spam that way. Tweak to your liking.
You can rinse and repeat the same for hashtags or usernames – US Cert is one which I always keep
on there.
The end result should look something like this:
You don’t need to refresh the page – it auto-scrolls newer entries for you. It can’t get more user-friendly and optimized than that.
Note: be careful to spot the twitter and other social accounts of people and ‘organizations’ which
might become or are your cyber enemies and devise a way to monitor them anonymously, with a set
of separate, unrelated social accounts.
Websites with cyber security news you can add to your refresh list:
• http://www.rootsecure.net/?p=secnews_rss_feeds – if you are still into RSS, this is your website, dinosaurs!
• http://www.reddit.com/r/netsec – Reddit is an awesome community of like-minded people. You can also find a job or hire the right person (really, cool people gather around cool people) in the infosec hiring threads there. The power of this platform is the voting mechanism, instantly pushing important and valuable material to the top – a very democratic society which optimizes your reading experience if you value your time.
• https://www.us-cert.gov/ncas/current-activity – one of the most advanced CERT teams in the world. Certainly worth monitoring the whole website, not just that link.
• http://cert.europa.eu/cert/filteredition/en/CERT-LatestNews.html – similar, but European.
You will often find mentions of new open-source tools to optimize your infosec work on the
aforementioned Twitter feeds and on Reddit, too. As soon as an author releases a new tool they
usually post it with the right hashtag (#infosec, for example). By following the right people and
reviewing the suggestions by Twitter you will never be behind in your situational awareness.
External Network Monitoring Services
Sometimes you cannot trust your own defenses, especially if you properly assume that your network
has been compromised.
All IDS/IPS appliances have the same weakness: they rely on what is known and rarely on some basic
behavior analysis. But when an attacker uses a new technique (which happens quite often) it will
pass as legitimate traffic. In such cases you need to rely on someone with an eye on the criminal
networks, someone who sees malicious traffic from the attacker’s end.
In such cases you should use services such as ShadowServer https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
They monitor malicious networks from multiple locations and can alert you if they see traffic from
your network leaving towards a botnet command & control server, for example.
Some security software vendors will charge you 5-digit prices per year for “appliances” which
basically do the same thing – ShadowServer does it for free as a community service.
As per their website:
The reporting service monitors and alerts the following activity:
• Detected Botnet Command and Control servers
• Infected systems (drones)
• DDoS attacks (source and victim)
• Scans
• Clickfraud
• Compromised hosts
• Compromised websites
• Proxies
• Spam relays
• Open DNS Resolvers
• Malicious software droppers and other related information.
Setting up an arrangement with this non-profit organization is really simple. All you need to do is get
your ASN from your network administrator and send them an email, as per the above link’s
instruction (hopefully by the time you read this book the service is still available).
If you find this service useful, please consider donating. They’re not even asking for it – which is an
even better incentive for you to be generous to such a good service.
Another useful service is Have I Been Pwned:
https://haveibeenpwned.com/
As the name implies, this service monitors sites such as Pastebin for information containing your
domain, e-mail addresses, etc. – and as soon as it detects a ‘leak’ you will get notified via e-mail.
When signing up, you will need to confirm your domain ownership – so coordinate on that with your
IT team.
Other external monitoring services:
• http://www.google.com/safebrowsing/alerts/ (requires your own AS) – Safe Browsing Alerts for Network Administrators allows autonomous system (AS) administrators to register to receive Google Safe Browsing notifications. The goal is to provide network administrators with information on malicious content that is being hosted on their networks.
• Team Cymru TC Console – https://www.team-cymru.org/Services/TCConsole – no cost, *in most cases* (more info: https://www.team-cymru.org/Services/TCConsole/tcconsole_trifold.pdf). It is a good collaboration platform; if you collaborate it will be free for you.
• https://postmaster.live.com/snds/index.aspx – detect data coming from their network towards your network after verifying your AS. “By providing data such as mail traffic statistics seen by Windows Live Hotmail to IP block owners (ISPs, in a broad sense), organizations are empowered to prevent spam, viruses, and other malicious activity from originating from their IP space.”
• https://spyeyetracker.abuse.ch/index.php – mostly to check your IP addresses / domains for C&C traffic towards C&C servers. Interesting statistic: average SpyEye binary antivirus detection: 27.94%
• https://www.team-cymru.org/Services/BINFeed/ – for banks and financial institutions, showing whether malicious traffic or leaked data on the Dark Nets contains any data related to that specific bank (it must be your bank, you cannot monitor 3rd party organizations).
Getting to know the Cyber Underground
Being updated on recent news is just one piece of the puzzle. You should at least know what the
underground world looks like, how the underground economy operates, what kind of information
they buy/sell and what the prices of the ‘services’ being sold are, among many other things.
As soon as you understand all of the above you might get a little bit scared – but this is an important
part of your knowledge of your enemy and one of the first steps in building adequate defenses.
Rule: never visit underground cyber-crime websites / communities from work. Never do it using an
unprotected desktop or via an unprotected network – a VPN service is a must and a minimum. Use
hardened sandboxed browsers and / or virtualized operating systems.
Most of the underground communities operate in closed forums and in the Tor network under
domains ending with .onion – which are only accessible if you are on the Tor network as well. There
are Tor search engines and other sites – if you get creative with your searches you will surely find
what you’re looking for. Hint: criminals operate with digital and non-digital goods – finding a digital
marketplace for one usually leads to a seller selling the other.
Below you will find an excerpt from such an online forum, where a ‘seller’ is offering their ‘goods’ in
the open. The excerpt is provided so you would get a glimpse of the prices and products being
offered and the way they’re being offered.
- I'm is Professional seller,more than 5 and half years experience,i have sold cvv credit card to many customers all over the world. Selling cvv, fullz many country as: Canada,USA,Australia,UK...all And many country in Europe: Fr,Ger,Spain,Ita...I hope we will work together for a long time.
- Always sell cvv quality with high balance. I have a website but if you want buy cvv good price please contact me. Contact me: number: xxxredactedxx {pls just text,dont want my phone ringing everywhere}
- Mail: xxxredactedxx@gmail.com

________ CCV !! CCN _______
List cc and my price..
- Us (Visa,Master) = 5$ per 1
- Us (Amex,Dis) = 6$ per 1
- Us Bin 10$ , US Dob 15$
- Us fullz info = 25$ per 1
--------------------------------
- Uk (Visa,Master) = 10$ per 1
- Uk (Amex,Dis) = 15$ per 1
- Uk Bin 15$ , UK Dob 20$
- Uk fullz info = 30$ per 1
--------------------------------
- Ca (Visa,Master) = 15$ per 1
- Ca (Amex,Dis) = 20$ per 1
- Ca Bin 15$ , CA Dob 20$
- Ca fullz info = 30$ per 1
--------------------------------
- Au (Visa,Master) = 15$ per 1
- Au (Amex,Dis) = 20$ per 1
- Au Bin 17$ , AU Dob 25$
- Au fullz info = 30$ per 1
--------------------------------
- Eu (Visa,Master) = 20$ per 1
- Eu (Amex,Dis) = 23$ per 1
- Eu Bin 25$ , AU Dob 30$
- Eu fullz info = 40$ per 1
--------------------------------
- Ireland = 20$ per 1 (fullz info = 35$)
- Mexico = 15$ per 1 (fullz info = 30$)
- Asia = 15$ per 1 (fullz info = 30$)
- Italy = 20$ per 1 (fullz info = 35$)
- Spain = 20$ per 1 (fullz info = 35$)
- Denmark = 25$ per1 (fullz info = 35$)
- Sweden = 20$ per 1 (fullz info = 35$)
- France = 20$ per 1 (fullz info = 35$)
- Germany = 20$ per 1 (fullz info = 35$)
- RDP = 20$
- SMTP = 25$ ( All Country )

__i Only Exchange WU to PM , WU to WMZ__
- 100$ WU = 100$ PM
- 200$ WU = 200$ PM
- 100$ WU = 110$ WMZ
- 200$ WU = 210$ WMZ

____ Do WU transfer ___
- 700$ for MTCN 8000$
- 550$ for MTCN 6000$
- 400$ for MTCN 4000$
- 200$ for MTCN 1500$

__ Bank Logins Prices US UK CA AU EU _____
--------------------------------
. Bank Us : ( Bank of america,HALIFAX,BOA,CHASE,Wells Fargo...)
. Balance 3000$ = 150$
. Balance 5000$ = 250$
. Balance 8000$ = 400$
. Balance 12000$ = 600$
. Balance 15000$ = 800$
. Balance 20000$ = 1000$
. Bank UK : ( LLOYDS TSB,BARCLAYS,Standard Chartered,HSBC...)
. Balance 5000 GBP = 300$
. Balance 12000 GBP = 600$
. Balance 16000 GBP = 700$
. Balance 20000 GBP = 1000$
. Balance 30000 GBP = 1200$

__________________ PayPal account _______________________
= Account Paypal 1500$ = 200$
= Account Paypal 2500$ = 250$
= Account Paypal 4000$ = 350$
= Account Paypal 7000$ = 550$

_____________ Dumps track 1 track 2 with pin _____________
- Dumps,Tracks 1&2 Us = 70$ per 1
- Dumps,Tracks 1&2 Uk = 80$ per 1
- Dumps,Tracks 1&2 Ca = 100$ per 1
- Dumps,Tracks 1&2 Au = 100$ per 1
- Dumps,Tracks 1&2 Eu = 110$ per 1
-Sample Dump + Pin:
Track1 : B4096663104697113^FORANTO/CHRISTOPHER^09061012735200521000000 ,
Track2 : 4096663104697113=0906101273525 21
Pin : 1783
___________________________________________________________
-WARRANTY time is 10 HOURS. Any cvv purchase over 10 hours can not warranty. If you buy over 30 cvvs, i will sell for you best price. I will discount for you if you are reseller or you order everyday many on the next day. I will prove to you that I am the best sellers. And make sure you will enjoy doing business with me. I accept PM (Perfect money) ,WU (western union) , WMZ (webmoney) or MoneyGram...
You can see everything being sold underground. For example, this recent 0-day exploit:
If it’s not clearly visible on the image above: this is the MS15-034 Microsoft IIS Remote code
execution exploit, sold for 517 Bitcoins, or roughly $121 000 at the time of this writing.
On the side-bar of the image you could see 4 other 0-day exploits being sold, along with one 1-day
private exploit.
Considering the money which could be made having this exploit and being able to remotely execute
code on almost all IIS installations globally this price is peanuts compared with the return on
investment for whoever buys it.
To gain a glimpse into this world, just download the Tor browser from here:
https://www.torproject.org/projects/torbrowser.html.en
Once done, you will be able to access all Tor resources and browse privately and of course, will be
able to see all Tor hidden service websites, such as this underground search engine:
http://grams7enufi7jmdl.onion
If you search for “private exploit” the search engine returns 417 results at the time of this writing.
This is no Google and the results are not as reliable – some are for underground guides on hacking
ATMs, others on cashing out stolen credit cards, selling guns, drugs and all the likes you would see on
a criminal market place.
Recently (well, more than 2 years ago) criminals started using the I2P (https://geti2p.net/en/)
network for their operations as well. Installing the client and getting around in the network will give
you some idea of what to expect – data from your organization may be exfiltrated towards the Tor or I2P
networks – you must be prepared to recognize and control this traffic coming in and out of your network.
The closed communities are usually forums with a pre-approved list of members – you can only
enter if you are invited by a member. Some of them offer paid membership. Just remember that in
some countries even accessing such a forum might get you in trouble with the law, so be informed
of the local laws before even attempting to visit them.
Some underground communities operate using the SILC protocol – which is similar to IRC in
operation but much better protected from snooping.
Some still operate on IRC though – and you will still find plenty of criminals communicating via IRC.
If you are not new to this field you should have plenty of experience in communicating this way. If
you are new – and we should accept the fact that there are youngsters who have never even used
this protocol – start with the program called NetTalk – http://www.ntalk.de/Nettalk/en/ – as it is one
of the few free and feature-rich applications for Windows for that purpose – and work your way
through it. Useful channels to join on the FreeNode network are ##security and #linux. A word of
advice: do NOT start talking when you join an IRC channel. Spend a few hours reading how others
communicate and follow their example. Do not start messaging random people. Be polite and people
will help you with your questions.
Once you get used to the IRC channels on FreeNode you will be able to explore the deeper web and
join other networks and other channels – just keep quiet and listen as a rule – criminals will sniff you
in a second as soon as you start talking and you will be kicked out and banned in no time.
Knowing foreign languages or using Google Translate efficiently will help as well.
I am not willing to share links to underground criminal sites here for various reasons – but simple
searches should serve you well; just imagine what they would be willing to sell and how they would
“market” their services online – it’s easy.
Note: it is a good idea to block unauthorized VPNs, encrypted channels, IRC/SILC and / or Tor at the
firewall level, both egress and ingress.
Encrypted connections originating inside your network and connecting to the outside must exist only
on a whitelist basis and preferably connect only to whitelisted addresses.
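The whitelist rule above, as an added example that is not part of the book: a Python check that evaluates outbound flow records (constructed here) against a destination whitelist, blocking Tor, IRC, SILC and VPN ports to unlisted hosts and flagging TLS to unlisted hosts for review. The whitelist, the port table and the flow records are assumptions made for the example.

```python
"""Egress whitelist check for outbound connections.

Added example (not from the book): tunnel and chat channels (Tor, IRC, SILC,
VPN ports) are blocked unless the destination is whitelisted for that port;
TLS to a non-whitelisted host is flagged for review, since encrypted
connections should only go to whitelisted addresses; other ports pass.
Port numbers are the registered defaults and are a first filter only: an
attacker can use any port, so pair this with protocol detection.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Default ports of the channels that should be blocked unless authorised.
TUNNEL_PORTS = {
    9001: "tor-or", 9030: "tor-dir",
    6667: "irc", 6697: "irc-tls",
    706: "silc",
    1194: "openvpn", 51820: "wireguard", 500: "ipsec-ike", 4500: "ipsec-nat-t",
}
TLS_PORTS = {443}

# Hypothetical whitelist: destination network -> ports allowed towards it
# (documentation ranges standing in for a VPN concentrator and a SaaS host).
WHITELIST = {
    ipaddress.ip_network("198.51.100.0/24"): {443, 1194},
    ipaddress.ip_network("203.0.113.10/32"): {443},
}


@dataclass(frozen=True)
class Flow:
    src: str    # internal host
    dst: str    # external destination
    dport: int
    proto: str  # "tcp" or "udp"


def is_whitelisted(dst: str, dport: int) -> bool:
    """True if some whitelist entry covers both the destination and the port."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in WHITELIST.items())


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    if is_whitelisted(flow.dst, flow.dport):
        return "allow", "whitelisted destination and port"
    if flow.dport in TUNNEL_PORTS:
        return "block", f"{TUNNEL_PORTS[flow.dport]} to non-whitelisted host {flow.dst}"
    if flow.dport in TLS_PORTS:
        return "review", f"TLS to non-whitelisted host {flow.dst}"
    return "allow", "no restriction on this port"


def summarize(flows: Iterable[Flow]) -> Dict[str, List[Flow]]:
    """Group flows by verdict so blocked and review items can be reported."""
    buckets: Dict[str, List[Flow]] = {"allow": [], "review": [], "block": []}
    for f in flows:
        buckets[evaluate(f)[0]].append(f)
    return buckets


# Constructed sample flows (RFC 1918 sources, documentation-range destinations).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 1194, "udp"),  # corporate VPN concentrator
    Flow("10.0.0.5", "192.0.2.77", 9001, "tcp"),     # Tor OR port, unknown relay
    Flow("10.0.0.8", "192.0.2.9", 6697, "tcp"),      # IRC over TLS, unknown server
    Flow("10.0.0.8", "203.0.113.10", 443, "tcp"),    # whitelisted SaaS host
    Flow("10.0.0.9", "192.0.2.44", 443, "tcp"),      # TLS to somewhere unknown
    Flow("10.0.0.9", "192.0.2.44", 80, "tcp"),       # plain HTTP
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:6} {f.src} -> {f.dst}:{f.dport}/{f.proto}  {reason}")
```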
Building your own intelligence of the attackers going after your organization
Here’s a working idea.
Set up a set of fake personas supposedly working for your company. Do it with all the social
indicators – Facebook, Twitter, LinkedIn profiles, e-mail addresses and active e-mail boxes,
presentations containing their names and e-mails, comments – the whole thing.
Once ready, set up a set of physical boxes (so malware would not distinguish them as honeypots or
virtual boxes) utilizing the corporate image used for all other computers – but do NOT connect them
to the corporate network. Instead, connect them to a honeynet – where your honeypots will capture
any additional malicious activity.
Note: don’t focus on VIPs only. Attackers often target their personal assistants / team
members – as such, you would benefit greatly if you create such accounts and such boxes,
containing the appropriate fake documents, fake e-mails, etc.
Create a set of pages on your website accessible only in the case of an attacker profiling your
organization – not linked from anywhere else but from the set of fake documents you have published
for your fake personas. Carefully log all accesses to these web pages and act immediately on
containing the threat from these adversaries – or begin monitoring closely any related activity.
Make sure Google and other search engines are forbidden access to these pages based on user agent
/ other indicators – think about blocking crawling in robots.txt, but keep in mind this measure is a
double-edged sword – it makes it too easy to spot your fake pages and their purpose, and you will
have lots of false positives if non-compliant search engines start crawling based on your robots.txt file.
On the fake boxes themselves, regularly open the arriving e-mails and their attachments in a
controlled manner. Establish complex sandboxes and monitoring solutions to capture every kind of
system and network activity. Have swift roll-back systems in place (system image restoration or
freeze/unfreeze time-machine like solutions).
Have all attachments sent analyzed by a malware analyst / reverse engineer – or at least do basic
static analysis if you don’t have the personnel.
NEVER run any of the attachments / executables in VirusTotal or other public sandboxes – if the
attacker is half-advanced they will immediately spot that they’ve been detected – and will make your
life much more difficult by changing / improving their behavior.
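The canary-page logging step of the procedure above, as an added example that is not part of the book: a Python script that picks decoy-page requests out of a standard web server access log and separates self-declared search engine crawlers from the hits worth investigating. The decoy paths, the crawler list and the log lines are constructed for the example.

```python
"""Triage of hits on unlinked canary pages from a web server access log.

Added example (not from the book): parses Apache/nginx "combined" log lines,
keeps only requests for the decoy pages, and separates hits whose User-Agent
claims to be a known search engine crawler from everything else. The
non-crawler hits are the ones to act on; crawler hits are kept at low
priority rather than dropped, because a User-Agent string is trivially spoofed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Hypothetical decoy paths: linked only from the fake personas' documents.
CANARY_PATHS = {"/internal/q3-roadmap.html", "/staff/j.doe/cv.html"}

# Fragments identifying well-known crawlers (non-exhaustive, hypothetical list).
KNOWN_CRAWLER_UA = ("Googlebot", "bingbot", "DuckDuckBot", "YandexBot")

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class CanaryHit:
    ip: str
    when: datetime
    path: str
    status: int
    referer: str
    user_agent: str
    suspected_crawler: bool


def parse_line(line: str) -> Optional[CanaryHit]:
    """Return a CanaryHit for a request to a decoy page, else None."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None  # malformed or different log format: skip, do not crash
    path = m.group("target").split("?", 1)[0]  # drop any query string
    if path not in CANARY_PATHS:
        return None
    ua = m.group("ua")
    return CanaryHit(
        ip=m.group("ip"),
        when=datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        path=path,
        status=int(m.group("status")),
        referer=m.group("referer"),
        user_agent=ua,
        suspected_crawler=any(tag in ua for tag in KNOWN_CRAWLER_UA),
    )


def triage(lines: Iterable[str]) -> List[CanaryHit]:
    """All decoy-page hits found in the log, in log order."""
    hits = []
    for line in lines:
        hit = parse_line(line)
        if hit is not None:
            hits.append(hit)
    return hits


def suspicious_sources(hits: Iterable[CanaryHit]) -> Dict[str, int]:
    """Source IPs that reached a decoy page without claiming to be a crawler,
    with the number of such hits: the candidates for containment or monitoring."""
    counts: Dict[str, int] = {}
    for hit in hits:
        if not hit.suspected_crawler:
            counts[hit.ip] = counts.get(hit.ip, 0) + 1
    return counts


# Constructed sample log (documentation IP ranges, fictitious timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2015:09:12:01 +0000] "GET /internal/q3-roadmap.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0"
192.0.2.50 - - [05/May/2015:09:13:44 +0000] "GET /internal/q3-roadmap.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [05/May/2015:09:20:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/37.0"
203.0.113.7 - - [05/May/2015:09:21:30 +0000] "GET /staff/j.doe/cv.html?print=1 HTTP/1.1" 200 2048 "-" "curl/7.40.0"
this line is not in combined format
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "crawler?" if h.suspected_crawler else "INVESTIGATE"
        print(f"{h.when.isoformat()} {h.ip:15} {h.path:28} {flag} ({h.user_agent[:40]})")
    print("sources to act on:", suspicious_sources(found))
```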
Documenting your findings
I highly recommend using tools such as Maltego (and / or CaseFile) and CherryTree https://www.paterva.com/web6/products/download.php and http://www.giuspen.com/cherrytree/
These tools allow for the creation of structured information lists and are tremendously helpful in
visualizing links between elements and their meaning, and in preparing a final report based on your
findings.
Your role as the guardian and infosec mentor in your organization
Your role as CISO (or whatever the title is, the infosec officer of your company) in every security
project is to ensure a constant, smooth transition to a more secure state, maintaining the usability
and effectiveness of all business processes.
It is not that of an enforcer or a policeman – but rather that of a mentor and correction guide when
such is needed.
Forget about mail and spreadsheets when it comes to convincing people and executives about what
is better for the organization.
Forget about FUD (fear, uncertainty and doubt) methods – they usually create more resistance than
you need and are really negative in the long term.
A positive note with clear visibility of the benefits and decreased risks, along with solid evidence of
the necessity of any measure you propose, will always win against a “the sky is falling” approach.
Communicating with senior executives
Every idea you have which has the potential to impact the whole organization (in any way – positive
or negative on success or failure) will have to be discussed with your boss and other senior
executives in the organization.
Make sure you do your homework before speaking with them.
Have with you examples of successful implementations of the same or similar ideas in the companies
of your competitors (not necessarily in the same country).
Prepare the list of people who will need to be involved, the amount of time your project is going to
take from their working hours and the list of other resources needed – keep in mind the license cost
is not always the highest cost a project can incur on your company.
Have a list of alternatives, with the respective cost and consequences of each choice. Make sure
what you say and explain is done in their language – that of investment and return on investment.
Remember, your company exists to create profits, not to implement all the new security
technologies in town.
Make sure to discuss your ideas with your direct manager and your team before presenting them to
senior execs.
Have a good vision of the threats (current and incoming) to your business and the benefits to
mitigate those threats and risks with the suggestion / idea / product you have in mind.
Once you are ready with all of the above, comes the difficult part: create a one or maximum two
page summary of everything, explained in a clear way. These 2 pages of text are sometimes your only
chance of making a positive security change in your organization, so use them wisely and show them
to your direct manager before speaking with higher levels.
Once in the meeting, speak clearly, calmly and let them ask their questions – if your homework is
done properly, you will be prepared for all of them and will walk out of the meeting with the feeling
you have left your management calm and confident in your ability to protect their business. You are
not there to cause panic – you are there to guard and protect.
Communicating with IT
Now… that is a whole different animal to deal with. People in IT often have the mindset of “this
cannot be done” – think of it as their defense from accepting more work in their already way too
busy schedules.
Always try to walk in their shoes before suggesting new things and always try discussing it with
several people in the IT team (including their management) over a cup of coffee or during a lunch
break. It is much better to hear their side of the story before presenting yours – besides, it is a
psychological thing – you need to work with them, not pour work on them and expect them to just
deal with it.
You will be surprised how much helpful advice you will get from your IT team and how much easier it
will become working with them the moment you start collaborating with them in the above way.
Instead of “you have to do this task” you could approach them with “can you help me with ideas on how
to properly implement this task?” See? Much better!
Creating a step-by-step plan
You don’t have to create it alone – you can even engage one of the IT team members to help you,
with the approval of their manager – in that case you get even more bonus points and an even
greater chance of success.
Every security change in the IT environment needs to be properly tested on a small scale. The results of
this test will feed the implementation of a larger test. Rinse and repeat until the whole company is
transitioned to the new product, technology, configuration change or whatever else you’re
implementing.
Hint: it is a good idea to start any configuration change tests in the IT team – that way you can easily
tweak settings and discuss them directly with the implementers who will also be the people affected –
much more effective.
Communicating with everybody else
There are two ways you can be seen in your organization. The first is as the one who always places an
unbearable burden upon people, and the second is as the one who does their best to help
people do their job safely and effectively.
Which one do you choose?
Now think about this every time you write an awareness e-mail or choose an awareness poster.
Positive is better than negative – remember it. There have been multiple psychological studies
proving the effectiveness of a positive message over a negative one.
I highly recommend reading the following book: “Usable Security: History, Themes, and Challenges”
– as it will forever change the way you try to get your message across. Not only that – it will teach
you that complex and difficult is usually less secure than simple and easy to use. It will change the
way you approach security forever.
Building a squad of brave defenders
2 quotes from Sun Tzu:
“Attack is the secret of defense; defense is the planning of an attack.”
“Invincibility lies in the defense; the possibility of victory in the attack”
You need a team built at least partially of people who have had cyber-attack experience, preferably
penetration testing and / or a past in the criminal underground. Degrees and certifications have little
to no value whatsoever when your opponents play on a different level. While your ‘educated’ paper
tigers build diagrams and battle with excel, your attackers are mapping your entire infrastructure and
human workforce, trying to find the easiest way in. You need at least someone on your team who
would have an idea who is out there and how your organization could try and stop them.
Building a team starts with finding the right individual elements for it and if I could sum up the whole
chapter into one sentence, it would be “Hire for passion”, adding one more word: discipline.
The kind of passion which is visible throughout the career or personal development path of an
individual – in their favorite projects, tools, participation in events, courses taken, projects
completed, achievements, favorite books, the focus of their studies.
Any skill for any job can be learned and trained within reasonable amounts of time, granted the
person is smart and motivated. But passion for a specific field is hardly learned – it is either there or
it isn’t.
Coupled with discipline, passion generates tremendous results in the mind of an individual and as a
result in their professional and personal life.
How do you recognize passion?
Look beyond the recognizable certifications on their resume. Ask them when they’ve first gotten
interested in security, what has drawn them towards it, what keeps them interested and how do
they see the state of information security in the world in 5 years. Look for understanding beyond
mere knowledge of facts.
Recognizing discipline
Discipline is easy to notice. From the first glance at someone you could see if they’re disciplined or
not – their dress code, haircut, hygiene, manner of communication, to their resume, their past life
experiences, education (where self-motivated learning gains more points than a degree).
Give them a practical task to complete
Always give tasks right there during the first conversation with the candidate. You don’t have to
waste your and their time in asking about their greatest weaknesses or their hobbies – going straight
to the point first will allow you to filter out quicker and help unfit candidates find their matching job
faster.
Don’t just focus on technical or programming tasks – try and give them real life business problems to
solve. Look for the way they solve problems – do they introduce even more business obstacles by
suggesting impractical and difficult, exotic solutions? This way of thinking is very difficult to change
and you should avoid people who behave in this way.
Even if they don’t have the answer or solution it is very important how they will approach solving the
problem. Being startled and puzzled is one thing, starting thinking logically and seeking multiple
solutions is better. If the candidate puts business first and builds their secure solution around that,
you’ve got a hit.
Have a baseline
Have a list of questions, defining the baseline which would eliminate those who are unable to answer
them. For example, not being able to differentiate between a hash and an encoded string or explain
the difference would mean the interview stops then and there with no further questions, no matter
what level you’re hiring for.
Have a list of funny questions
Why not ask what is the difference between Chuck Norris and Bruce Schneier? If they laugh, you’ve
got a hit. If they look puzzled and don’t recognize the second name, it is probably a good time to ring
someone else.
Their favorite books
Any professional who is serious about their job reads books on the topic all the time. Their complete
infosec reading list should be huge if they’re over 30 – and if they’re 20-something, it should be at
least 10 books long with at least 2-3 favorite classics, one of which should definitely be “The Art of
War”. Generally I would not hire anyone who does not read – not necessarily only security-related
books, but books in general are incredibly important. I’ve heard people saying that books are
overrated and they get all their information from blogs – no comment on that.
Building the team itself
This is probably the most difficult task – as interpersonal relationships are sometimes very tricky and
seemingly perfect candidates for different job roles might be completely personally incompatible.
Mature people work together ignoring their personal differences, while the young and inexperienced
generally tend to participate in conflicts. Having this in mind, look for team members with life
experience – even though the term is hard to define, you most likely understand what I mean.
People who are able to express themselves well also tend to be good team players, but don’t forget
that sometimes introverts who prefer being left alone can be extremely productive, too.
Team building events are extremely important – not just going out, but giving the whole team tasks
such as working on the new firewall design every day of a week for an hour builds a collaboration
environment, at the same time showing weak spots and opportunities for improvement in the team
relationships.
The checklist
Years ago I created a ‘checklist’ for hiring infosec professionals – which does just that. It checks for
specific signs of passion for the infosec field. Yes, it does not apply to everybody and yes, it is not a
measuring stick to compare against every single hire you are going to make – but you could use at
least some of the questions in it to gauge someone’s involvement in the field.
Some points in the checklist might seem very irrelevant or silly – but please remember they are there
for a reason. For example, the nickname ‘muts’ would be recognizable to anyone who has worked
with the Auditor, later BackTrack, later Kali Linux distribution for a number of years. Recognizing
this nickname means that the person has been active on IRC in those early years – and participating
in IRC while working with security tools at the same time means being a part of the community,
knowing people in that community on a level which is beyond ‘connecting on LinkedIn’ and reading
blog posts of famous authors. That is why this point is there – the same applies to the other points in
this checklist. This specific point is applicable for penetration testers and security auditors and is not
applicable for forensic specialists, for example. That is why you should only apply the questions
which are relevant to the position you’re hiring for and for which you understand the underlying
reasons. It is a very tricky checklist, I understand that – but it is at the same time valuable in finding
people passionate for the infosec field.
INFORMATION SECURITY PROFESSIONAL HIRING CHECKLIST AND SCORES
This checklist can successfully determine the real-life applied skills of an information security professional
beyond the regular, standard questions asked at an interview. This checklist is “cheat-proof” as there are no
online interview questionnaires containing any of these questions.
The value of each question is in the meta-knowledge supposedly existing if answered positively. You can use
it as a pre-screening tool – anyone who cannot get to the passing score (which is 50%) should never be hired
in the Information Security Field.
Any technical skill can be learned in a limited amount of time – becoming a part of the infosec community
and breathing security is not learnable – this is what this checklist “checks” for.
NAME RECOGNITION AND COMMUNITY COLLABORATION
1. Bruce Schneier
1.1. Knows who he is – 1 point (famous cryptographer, security and privacy expert, security author)
1.2. Knows the title of at least one book written by him – 1 point
1.3. Has read at least one book by him – 3 points
1.4. Can name at least one “Bruce Schneier Fact”, or at least the meaning of the phrase – 3 points
(http://www.schneierfacts.com/, a humorous fan site dedicated to Bruce depicting him as Chuck
Norris – an example is “Bruce Schneier's secure handshake is so strong, you won't be able to
exchange keys with anyone else for days.”)
2. HDM (H.D. Moore)
2.1. Knows who he is – 1 point
2.2. Has spoken / interacted with HDM at least once in his life (virtually or live) – 1 point
2.3. Has used Metasploit and can describe how Metasploit works – 3 points
3. Knows who is the author of S.E.T., Social Engineering Toolkit – 3 points
4. Knows who Joanna Rutkowska is – 3 points
5. Knows which IRC channels to use to reach the infosec professionals who present regularly at DefCon,
BlackHat, BruCon, CCC, etc. conferences – 5 points
6. Recognizes the company “Offensive Security” and knows what it does (created the Kali (BackTrack)
distribution, runs the Offensive Security training courses) – 3 points
7. Knows who “muts” is (Mati Aharoni) and where to find him (creator of Offensive Security, can find him
on IRC) – 3 points
BOOKS
1. Has read 2600 – 3 points
2. Has read “Stealing the network…” series of 3 books – 3 points
3. Has read “Aggressive Network Self-Defense” – 6 points
4. Has read at least one book by Kevin Mitnick – 1 point
5. Has read “The Art of War” by Sun Tzu – 6 points
PRACTICAL SECURITY SKILLS
1. Has ever penetrated (or “knows a friend who did it”) a network / computer system – 10 points
2. Has helped a company suffering from an ongoing attack, securing it from further hacking attempts
– 10 points
3. Has collaborated in the international infosec scene, creating tools, helping with bug hunting, overall
helping the community – 5 points
4. Has created and / or analyzed viruses / malware / exploits – depending on the motivation – 25
points if done for educational purposes or -25 points (minus 25 points) if creating exploits
irresponsibly, publishing them before they get patched (be careful not to disclose the purpose of
the question during the interview).
PRACTICAL KNOWLEDGE
1. Knows the difference between BIND and DJBDNS – can name which one is more secure and why –
10 points (The answer is DJBDNS – if he/she knows which one, they will know why, as well)
2. Can name the most secure Operating System (Integrity OS), can name the open-source alternative
by level of security (The O.S. created by Joanna Rutkowska – Qubes OS) – 10 points
3. Can name at least one sandboxing application (Sandboxie, Invincea or Bufferzone Pro, etc) – 10
points
MINIMUM PASSING SCORES
Name recognition and community collaboration – 15 points
Books – 10 points
Practical Security Skills – 25 points
Practical Knowledge – 10 points
Total minimum passing score: 60 points
Information Security Awareness
Learning the art of communicating your message across is very important before you begin
distributing your information security awareness ideas.
Image credit: this image was found on social media; I’m glad there is a signature, but the author is
unknown to me.
The image above is an excellent illustration of why information security awareness training is
important. But not by trying to shove EVERYTHING into one session of 1-2 hours or even a full day – rather
through constant and frequent small doses of information delivered in a way similar to the image above.
It is a good idea not to embark on training anyone before reading at least 2 books on social engineering
(plus all of the novels mentioned in an earlier chapter) and a couple of books by Dale Carnegie (for
example, “How to Win Friends & Influence People”). Then just search Amazon (or your favorite
bookstore) for “Security Awareness” – and with that combination of knowledge go and create the
security awareness program in your company – it will be successful.
It is easier to purchase posters and training materials from vendors, but their effectiveness if you’re
not well prepared to deliver the message properly will be close to zero. The investment will not be
worth it – unless all you’re after is a checkbox in an audit report.
But if you do read the books and learn how to positively influence people – things will dramatically
change for the better for you and your organization.
Then the posters and e-mails you use, the meetings and every conversation you have with every
employee who has accidentally slipped for a phishing message will deliver an effective result. When
you actually know what you’re talking about you can give very good examples and people will believe
you and will understand you.
Remember: if you don’t believe and deeply understand your message nobody else will.
When ready, you could search for online / offline video courses for your colleagues. So far the best
one I’ve found is developed by IASE DISA (Defense Information Systems Agency), located here:
http://iatraining.disa.mil/eta/cyberchallenge/launchpage.htm
This is the standard you should be aiming for and I sincerely hope it stays online and accessible for
everyone for longer.
At one of the companies I worked for, the Security Awareness training was mandatory for all new
hires. It was almost 2 hours long, very detailed, very… boring. Guess what people did? They clicked
the Next button on every slide without even listening to what the videos had to say. At the end, they
got a “passed” grade. Please don’t do this, it’s utterly useless. It is not only useless – it is dangerous.
If your security awareness program is that boring, or passing it is that easy to fake, you are in a
situation worse than if you had no security awareness training at all. Conducting interviews in person
with random difficult questions about the material they just watched is one good control – asking
them to write 30-60 word descriptions of every topic they just ‘passed’ on the training instead of
giving them a-b-c-d style questions is another good control. That means you would have to review
the answers – but consider this as your own visibility into the infosec awareness of your colleagues.
If you’re a techie, you could even go to lengths of developing your own ‘challenges’.
Here is a nice exercise you can perform once in a while.
Prepare a .bat file with scary colors and blinking “You have been hacked” or something of the sort.
Compile it to .exe.
With a resource editor, add a Word or PDF icon to it. Give it a believable (very long, to hide the
extension) name.
Zip it and send it in a business-style e-mail.
Then explain to the victims specifically and to everyone else how to check for viruses in e-mail
attachments, how to check file extensions prior to opening, how to upload to virustotal, etc.
It is very important for you to explain to your fellow coworkers how to recognize suspicious e-mails,
how to recognize suspicious links and websites, how to check a link without opening it (for example by
pasting it on VirusTotal), etc. They should know how to check the real extension of a file and why a
file with a double extension is malicious in 99.999% of the cases. These are simple and essential skills
which are easy to show, teach and remember.
Users should also remember to send any suspicious files to the IT Security / Incident Response team
for analysis instead of just deleting them.
You should be able to build the infrastructure to support these activities – as moving files via e-mail is
dangerous, a simple web form with a file upload box will do an excellent job.
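For the team that receives files through such an upload form, here is an added example (not from the book) in Python that flags the tricks the text describes: a double extension, a padded file name that pushes the real extension out of view, and content whose header does not match the claimed extension. The extension lists and magic-byte table are my assumptions, and the sample attachments are constructed.

```python
import os
import re

# Assumption: representative Windows-executable and document extensions
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "hta", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "jpeg", "png"}

# Leading bytes ("magic numbers") a file of the claimed type must start with
MAGIC = {
    "exe": b"MZ",
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "pptx": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def real_extension(name):
    """Return the extension the OS actually acts on: the last one, lower-cased, or ''."""
    base = os.path.basename(name).strip()
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def check_attachment(name, data):
    """Return a list of findings for an uploaded attachment (empty list = nothing odd)."""
    findings = []
    base = os.path.basename(name)
    parts = [p.strip().lower() for p in base.split(".")]
    ext = real_extension(name)

    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension: ." + ext)

    # invoice.pdf.exe: a document extension sits in the middle of the name
    if len(parts) > 2 and any(p in DOCUMENT_EXTS for p in parts[1:-1]):
        findings.append("double extension hides real type")

    # "Report.pdf <many spaces> .exe": runs of spaces or a very long name push
    # the real extension out of the visible part of the file name
    if len(base) > 60 or re.search(r" {5,}", base):
        findings.append("padded name pushes extension out of view")

    # Compare what the bytes say with what the name claims
    expected = MAGIC.get(ext)
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        findings.append("content is a Windows executable but name claims ." + ext)
    elif expected is not None and not data.startswith(expected):
        findings.append("content does not match a ." + ext + " header")
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean PDF and the disguises discussed in the text
    samples = [
        ("Invoice_March.pdf", b"%PDF-1.5\n"),
        ("Invoice_March.pdf" + " " * 40 + ".exe", b"MZ\x90\x00\x03"),
        ("holiday_photo.jpg", b"MZ\x90\x00\x03"),
        ("notes.docx", b"%PDF-1.4\n"),
    ]
    for name, data in samples:
        print(repr(name), "->", check_attachment(name, data) or ["clean"])
```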
On Enterprise Password / Credential management
Credential management is a mess at many organizations. Even though password changes are (in the
best case scenario) enforced, this is done without understanding of the underlying risks and
concepts.
Password complexity is being set without understanding or taking into account the psychological
constraints preventing people from remembering such passwords – which automatically leads to
people writing them down or otherwise bypassing the purpose of setting complex, frequently
changed passwords.
In relation to the above, I just love this XKCD comic: https://xkcd.com/936/
It explains the idea pretty well: people don’t understand complex passwords and complex passwords
are not necessarily more secure.
INFOSEC professionals need to understand that more complex does not equal more secure. More
usable and reasonably secure is much better.
Helping people remember passwords or providing them with additional usable forms of
authentication is important. This is especially valid for system administration personnel, who need to
remember dozens if not hundreds of passwords for all kinds of enterprise systems.
If you do not provide them with a well maintained, usable and secure system to manage the different
passwords for all the servers and devices they manage – people will always reuse passwords. It is
inevitable.
The idea of using a sentence (with the spaces) has surprised many of my non-technical friends in its
effectiveness in terms of memorization and security.
Also… why do you really need to change a password every month, or every three months? Do you really think that forcing
people to change their passwords every one or three months makes their passwords more
secure? It is the opposite. At some point people start writing them down or using very insecure and
easy to guess rotation patterns, such as adding a digit and rotating it from 1 to 12 through each month
of the year… please stop this practice, it’s dangerous. A well-chosen password changed every 6 to 12
months is more secure than an easy to guess pattern changed every month.
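As an added example (not from the book), the following Python code puts the two points above into a password-change check: it rejects a new password that is just the old one with a trailing counter or month token bumped, and it estimates the entropy of a sentence-style passphrase the way the xkcd 936 argument does. The 2048-word list size is an assumption.

```python
import math
import re

# Tokens people rotate at the end of a password when forced to change it
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december",
          "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sept", "sep",
          "oct", "nov", "dec")

# stem + optional rotating token (1-4 digit counter or month) + optional trailing punctuation
_PATTERN = re.compile(
    r"^(?P<stem>.*?)(?P<token>\d{1,4}|" + "|".join(MONTHS) + r")?(?P<punct>[^A-Za-z0-9]*)$",
    re.IGNORECASE,
)


def split_password(pw):
    """Return (stem, token): the stable part and the rotating suffix (None if absent)."""
    m = _PATTERN.match(pw)
    token = m.group("token")
    return m.group("stem").lower(), (token.lower() if token else None)


def is_trivial_variant(old, new):
    """True when the new password differs from the old one only in its
    counter/month suffix or trailing punctuation, i.e. the 'Welcome01 -> Welcome02'
    pattern the text warns about."""
    old_stem, _ = split_password(old)
    new_stem, _ = split_password(new)
    return bool(old_stem) and old_stem == new_stem


def passphrase_bits(n_words, vocabulary_size):
    """Entropy in bits of n_words drawn uniformly from a word list."""
    return n_words * math.log2(vocabulary_size)


if __name__ == "__main__":
    pairs = [("Welcome01!", "Welcome02!"),
             ("Welcome-March!", "Welcome-April!"),
             ("Summer2015", "Autumn2015")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: trivial variant = {is_trivial_variant(old, new)}")
    # Twelve monthly rotations of one known password are log2(12) bits of extra work for an
    # attacker; four words from a 2048-word list (assumed size) are 44 bits.
    print(f"monthly rotation adds {math.log2(12):.1f} bits; "
          f"4-word sentence: {passphrase_bits(4, 2048):.0f} bits")
```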
That is why using an enterprise-level password management application is essential. One example of
such software is PasswordState - http://www.clickstudios.com.au/
Web-based and well integrated with Active Directory – one could not ask for much more. Look for well-maintained and frequently updated password management systems, evaluate, test – you know how
the process works.
Building a secure operating environment
In a recent report, the Australian Department of Defense states that 85% of the targeted breaches
could have been prevented by implementing just 4 controls
(http://www.asd.gov.au/infosec/mitigationstrategies.htm).
Quoting the report:
At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD)
responds to could be prevented by following the Top 4 mitigation strategies listed in our
Strategies to Mitigate Targeted Cyber Intrusions:
- use application whitelisting to help prevent malicious software and unapproved programs
from running
- patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- patch operating system vulnerabilities
- restrict administrative privileges to operating systems and applications based on user
duties.
And that is exactly what this book is focused on, with some additional measures, which should help
you mitigate up to … I will be bold and say 98% of the attacks you might encounter.
It is essential to properly harden the nodes in your network – servers and endpoints. The stricter the
policies on what can be used, how and where, the more difficult it would be to introduce a
malicious element and disrupt your operations security.
Establish some ground rules, the first and foremost of which should be performing everyday tasks on
any OS as a limited account. This applies to all users but especially and primarily for IT
administrators.
Policies should be set to prevent the execution and installation of unknown executables / software
when running with a limited account. And when running as an admin, the administrative user should
be barred from accessing the Internet on the proxy level.
There should be NO EXCEPTIONS to the above rule, no matter how many riots and complaints you
receive – I can confirm from experience that IT admins can get used to working this way and they do
get used to it – after a while, they not only accept it but, if you do your job and explain the reasons
properly, they will enforce it upon their non-compliant and rebellious peers.
The reasoning behind this may seem contradictory, but it is nevertheless real. The users with admin power are
considered knowledgeable and experienced – that is why they got administrative rights in the first
place, right? Wrong. Often administrators are overconfident and browse the internet as admins with
no clue of the risks in the simple act of browsing. Then some of them download applications ‘to make
their life easier’, as a result introducing malicious software into the company. Hence, the need to
restrict internet access for administrative accounts and the need for administrators to work as
limited users. If they need to download and execute something, they can download it as a limited
account and execute as administrator.
Rule number two: no external devices allowed whatsoever, except company-issued ones, encrypted
and allowed by Device ID, mapped to a user ID. Connecting a smartphone or tablet to a corporate
laptop for file transfer should be impossible.
Code execution from external devices should be forbidden by policy. Copying executable files from
an external device to the local drive should be immediately detected, if allowed at all – and an alert
should be sent to the IT administrative team if that happens, followed by the creation of a security
incident. Disabling AutoPlay/AutoRun should be a no-brainer and supposedly implemented a long
time ago.
Rule Number 3: every user’s “My Documents” folder should be located on a network share, if
possible. The purpose of this effort is to enable centralized backup (unless you have other solutions
in place) and prevent the “Sony Disaster”, in case your organization is attacked by destructive /
encrypting malware. If this happens, you should have a backup to quickly restore the encrypted files
to their original versions.
Rule Number 4: backup *everything* you can, as often as you can.
Rule Number 5: This one is more of a recommendation – but if you can, build a clone of a standard
desktop machine, ready to be logged on to and having auto-configuring mail client, etc – based on
the user account logged on. Have that one deployed on Amazon or another cloud vendor – ready to
be cloned to as many copies as you need in the event of a disaster. Do the same for critical servers. If
your organization is hit by a disaster, you will be able to quickly power on and run from the cloud.
Having powered-down copies of virtual machines in the cloud, ready to be cloned and powered on is
extremely cheap compared to maintaining a cold, warm or hot site with physical machines.
Removing perimeter security is safe for a cyber fortress
In December 2014 Google published a paper titled “BeyondCorp: A New Approach to Enterprise
Security”. This paper put in words what the community has been saying for years – namely, that
perimeter security is obsolete.
Endpoints should not depend on an external entity for their protection – nor should enterprise
applications and services. Each one of them should behave and be protected as if connected directly
to the Internet – and their underlying security principles should reflect that.
The paper is located here http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43231.pdf
and it has an accompanying video description (a must:
https://www.usenix.org/conference/lisa13/enterprise-architecture-beyond-perimeter plus
https://www.usenix.org/conference/lisa13/managing-macs-google-scale)
Google, being a pioneer in security, made a huge step forward towards this concept and made their
enterprise applications public. But do not get confused – they made it right. Their act of removing the
perimeter defenses was preceded by carefully planning and turning the infrastructure inside out –
protecting the applications and users from external threats by limiting access to the applications and
services only to authorized users and devices.
An interesting consequence is the lack of a need to use a VPN when accessing corporate resources –
if the request to access a resource can be identified to belong to an active employee and is
performed from a secured, corporate device – the connection established will be encrypted by
default and the need for VPNs disappears.
This is one of the most important and at the same time, the shortest chapter in this book – simply
because all I would like to share with you on this topic is in the link to the Google paper.
Defending against web-based attacks
The most widely used vector of attack against your endpoints is and in the near future will continue
to be the World Wide Web. Attacks might come from a compromised advertisement provider
(malvertising), from a compromised website (as in the case of forbes.com), from a website created
specifically for that purpose (on a fast-flux domain algo or manually) – in any case you will need solid
defense.
It is especially challenging to defend against these attacks as they are in essence generated and
initiated by your own users – an actor located on the web cannot act unless in response to an action
of an internal user (or in other words, there has to be a GET or POST request originating on the inside
of your network for the attack to be successful).
There are 2 objectives to pursue in order to achieve solid defense:
1. Protecting from malicious traffic before it reaches the endpoint
2. Protecting the Endpoint
Objective N1 is achieved by the proper choice of a web filtering (proxy) solution, its proper
configuration and maintenance.
There must be a dashboard (or several rotating ones) displaying the web filter statistics in the IT / IT
Security team room, showing traffic spikes, traffic anomalies, number of blocked sites per host/total,
egress/ingress traffic, etc.
The following chapter will be focused on choosing and setting up a web filter properly, as well as
configuring and maintaining it. Your web filter appliance is a crucial point in the security posture of
the organization and it might become an invaluable tool if used optimally.
The chapter following the web filter will focus on Objective N2 – protecting the endpoint from web-based attacks, specifically choosing and configuring a browser, hardening it and preventing common
exploitation techniques.
These 2 chapters should become the foundation of your defense mechanisms, building upon them
will be essential. For example, you could improve the web filter chapter in your own organization by
adding additional layers of defense – integrating the web filter with an advanced threat intelligence
solution such as FireEye or TrendMicro – especially if the solutions of these companies are placed in
front and block / prevent any malicious traffic before it reaches your proxy and your end users.
When configuring your web proxy remember that a large amount of incidents come from insiders
sending documents to their own mailboxes and web-based file hosting services such as Mega, Google
Drive, Dropbox, Box.net, etc. That is why the option to block POST requests unless pre-approved per
user / website is so important (will be explained later). Setting up and configuring a DLP (data leakage
prevention) solution is outside the scope of this book – but is surely an important point to consider.
Choosing and properly configuring a Web Proxy / Web Filter
The WWW (World Wide Web), or the Internet, is the most widely used vector of attack targeting your
users directly, in a way opening a tunnel from the attacker to your endpoints through all your
defenses.
That is why choosing your web-filter wisely is of utmost importance. The presentations which sales
engineers perform are attractive and interesting but most times they don’t understand the threats
you are facing and rarely can offer a complete solution – very few are the vendors which can cover
most bases in the checklist below.
Whitelisting is no longer the ‘too difficult to achieve’ methodology of keeping your users secure. It is
not even the high target – it has become the minimum norm. Even whitelisted sites get
compromised, and you have to think about how to defend against that; focus on this rather than spreading
your attention on defending your users from millions of potential attack vectors by blacklisting
known bad sites.
Actually it is much tougher to deal with the consequences of constant breaches and exploitation due
to malvertising / exploit packs on hacked sites / phishing sites than to maintain a whitelist. Please
don’t hide your head in the sand: implement a whitelisting policy – it is very difficult initially but it
does pay off tremendously in terms of protection.
A simple ‘statistical run’, building a baseline of the most visited sites in a month, followed by an
assessment which ones are safe and business-focused will give you a good list of sites to whitelist.
Then just move further down the funnel, reviewing requests to add sites as they come in.
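To show how the proxy rules from this and the previous chapter combine, here is an added example (not from the book or any vendor's product) in Python: administrative accounts get no Internet through the proxy, anything outside the whitelist is denied, large POST requests need a pre-approved user/site pair, and two helpers produce the blocked-per-host dashboard count and the most-visited-hosts baseline for whitelist review. Group names, hosts, the size limit and the request log are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# Assumptions: placeholders standing in for the directory groups, the approved
# whitelist, the POST size limit and the pre-approved (user, host) pairs
ADMIN_GROUPS = {"Domain Admins", "Server Admins"}
SITE_WHITELIST = {"intranet.example.com", "crm.example-vendor.com", "www.example-bank.com"}
POST_LIMIT_BYTES = 64 * 1024
POST_APPROVALS = {("jdoe", "www.example-bank.com")}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    method: str
    host: str
    body_size: int = 0


def decide(req):
    """Return (allowed, reason) for one request seen by the proxy."""
    if req.groups & ADMIN_GROUPS:
        return False, "administrative account: no Internet access through the proxy"
    if req.host not in SITE_WHITELIST:
        return False, "host not on the whitelist"
    if (req.method == "POST" and req.body_size > POST_LIMIT_BYTES
            and (req.user, req.host) not in POST_APPROVALS):
        return False, "large POST not pre-approved for this user and site"
    return True, "allowed"


def blocked_per_host(requests):
    """Dashboard figure: number of blocked requests per destination host."""
    return dict(Counter(r.host for r in requests if not decide(r)[0]))


def baseline_candidates(requests, top_n=3):
    """The 'statistical run': most visited hosts, to be reviewed for whitelisting."""
    return [host for host, _ in Counter(r.host for r in requests).most_common(top_n)]


if __name__ == "__main__":
    users = frozenset({"Domain Users"})
    admins = frozenset({"Domain Users", "Domain Admins"})
    # Constructed request log
    log = [
        Request("jdoe", users, "GET", "intranet.example.com"),
        Request("jdoe", users, "POST", "www.example-bank.com", 200_000),
        Request("asmith", users, "POST", "www.example-bank.com", 200_000),
        Request("asmith", users, "GET", "mega.example.net"),
        Request("root-ops", admins, "GET", "intranet.example.com"),
    ]
    for r in log:
        print(r.user, r.method, r.host, "->", decide(r))
    print("blocked per host:", blocked_per_host(log))
    print("baseline candidates:", baseline_candidates(log))
```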
Evaluating a web filter before purchasing the product / service
Out of the hundreds of features / capabilities you could look for in a web filtering appliance you
should focus on the following:
1. Support – when you attend the first technical sales presentation have a list of difficult
questions based on your past experience / needs. Look for the confidence and speed you
receive answers with – if you keep getting the ‘we will get back to you on that’ – expect
worse support in the future. Actually, always expect worse support than what you’ll get
during the technical sales meetings – and base your assessment on that. Support should be
able to modify settings on the fly and when needed, even tweak undocumented features.
When you get promised a feature ‘which is being worked on’ – demand the exact stage at
which the feature development is and demand hard dates for implementation with financial
penalties if the promise is broken – if they were honest when promising it, it would not be a
problem for them.
2. The ability for users to request the unblocking of a web resource right on the page where it
says “blocked”, which would then be entered in a database allowing the admin to quickly and
easily check / uncheck requests. It is very important to avoid e-mail notifications on a
blocked site unblock request and only focus on products which offer seamless integration of
that page with the back-end administrative system.
3. Demand a demonstration of the web filter’s ability to filter malicious pages – with malicious
JavaScript on them, for example. Find new malicious URLs – for example, from
http://www.malwaredomainlist.com/mdl.php – and TEST the newest entries there right
during the sales demonstration, to test the ability of the solution to ‘think on the fly’ without
relying on a database of known bad hosts. This is very, very important.
Page 50 of 112
4. The ability to block executables within archives for certain users / groups
- The reason behind this requirement: only system admins / designated personnel should be
able to download executables or executables within archives. All other users should be
denied this right – and you should have a formal process to allow employees to request a
download of a certain executable, for which a request should be filed and which request
should go through a security review process. No executable should enter your network
without proper authorization and risk assessment.
5. The ability to detect mismatching MIME types and block them (executable with a .jpg
extension, for example).
6. Ability to block downloads from untrusted (non-whitelisted) sites.
7. Ability to block advertisement networks and ads. Very important.
8. Ability to block POST requests larger than X bytes for all sites, except for a list of users
accessing a list (whitelist) of allowed websites.
- This requirement effectively prevents data exfiltration and / or phishing: block ALL POST
requests except those from a list of users to a list of whitelisted sites (a user should request
access to submit POST requests to a specific site, and every request should be pre-approved).
9. Ability to block websites based on reputation and age. You should NOT allow access to
any website younger than 1 month and having no reputation or classification in the web filter
database.
10. Ability to block encrypted sessions to IP addresses and URLs not present on a pre-approved
list.
This is obvious – only pre-approved sites and hosts should be able to establish encrypted
sessions with your endpoints.
11. Ability to block based on regular expressions
12. Ability to integrate 3rd party AV engines
- this requirement allows for the use of multiple AV engines at once, as opposed to a single
AV engine.
13. Ability to integrate with the mobile devices managed by your company.
14. SSL inspection should be on by default. There should be a capability of raising an alert on the
first SSL connection to a host that is not on the SSL whitelist (allowed hosts). SSL whitelisting
should be possible.
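As an added example (not from the book and not any vendor’s code), the following Python models requirements 4, 5, 8 and 9 above as plain decision functions run over constructed sample traffic, which is useful for building the test cases you bring to a sales demonstration. The magic-byte table, the POST size limit, the 30-day age cutoff and the decision to block a site when either the age or the reputation criterion fails are illustrative assumptions.

```python
# Added example, not the book's or any vendor's code: reference checks for
# web-filter requirements 4, 5, 8 and 9, run over constructed sample traffic.
# The magic-byte table, POST size limit and 30-day cutoff are assumptions.
import io
import zipfile
from datetime import date, timedelta

# First bytes of a body -> the Content-Type they imply (small constructed table).
MAGIC = {
    b"MZ": "application/x-msdownload",   # Windows PE executable
    b"%PDF": "application/pdf",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG": "image/png",
    b"PK\x03\x04": "application/zip",
}
# Declared types that promise nothing about the content, so no mismatch is raised.
GENERIC_TYPES = {"", "application/octet-stream"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".vbs")
MAX_POST_BYTES = 4096                 # the assumed "X bytes" of requirement 8
MIN_DOMAIN_AGE = timedelta(days=30)   # requirement 9: nothing younger than a month


def sniff_type(body: bytes) -> str:
    """MIME type implied by the body's first bytes, or 'unknown'."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return "unknown"


def mime_mismatch(declared: str, body: bytes) -> bool:
    """Requirement 5: the declared Content-Type disagrees with the real content
    (an executable served as image/jpeg, for example)."""
    declared = declared.split(";")[0].strip().lower()
    real = sniff_type(body)
    return real != "unknown" and declared not in GENERIC_TYPES and real != declared


def executables_in_archive(body: bytes) -> list:
    """Requirement 4: names of executable members inside a ZIP body.
    An unreadable archive is reported as suspicious rather than ignored."""
    if not body.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def decide_download(declared_type: str, body: bytes, is_admin: bool):
    """Return (allowed, reason); only designated admins may fetch executables."""
    if mime_mismatch(declared_type, body):
        return False, "content-type mismatch: declared %s, real %s" % (declared_type, sniff_type(body))
    is_exe = sniff_type(body) == "application/x-msdownload"
    nested = executables_in_archive(body)
    if (is_exe or nested) and not is_admin:
        return False, "executable download needs authorization: %s" % (nested or ["<body>"])
    return True, "ok"


def decide_post(user: str, host: str, size: int, allowlist) -> bool:
    """Requirement 8: large POSTs only for pre-approved (user, host) pairs."""
    return size <= MAX_POST_BYTES or (user, host) in allowlist


def decide_site(first_seen: str, category, today: str) -> bool:
    """Requirement 9: block unclassified domains and domains younger than a month.
    Dates are ISO strings (YYYY-MM-DD) as a reputation feed would supply them."""
    age = date.fromisoformat(today) - date.fromisoformat(first_seen)
    return category is not None and age >= MIN_DOMAIN_AGE


def make_sample_zip(names) -> bytes:
    """Build a constructed ZIP body with empty members, for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real network.
    print(decide_download("image/jpeg", b"MZ\x90\x00" + b"\0" * 60, is_admin=False))
    print(decide_download("application/zip", make_sample_zip(["readme.txt", "setup.exe"]), is_admin=False))
    print(decide_post("alice", "crm.example", 9000, allowlist={("alice", "crm.example")}))
    print(decide_site("2015-04-15", "education", today="2015-05-01"))
```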
This is a very short list – but a very important one. The final list you go to vendors with should be
several times as long – just remember that many vendors might not have all of the features you
request. But the above are almost mandatory.
Generally no proxy connection should be possible in a ‘transparent’ mode. All devices wanting to
connect through the proxy should have it manually configured, explicitly.
No server or workstation on the internal network should be able to bypass the proxy and connect
directly to the Internet.
One additional note… ask your web proxy vendor if they can prevent data exfiltration over encrypted
channels and how. If their answer is unsatisfactory, you could implement your own box for that
purpose following the guide here:
http://resources.sei.cmu.edu/asset_files/TechnicalNote/2013_004_001_40234.pdf
Protecting the endpoint from web-based attacks
In this chapter we will focus on making it extremely difficult to deliver malicious payloads to your
endpoints (focusing on workstations) from the Web.
Our first priority is to block *all* ads regardless of their source (if the ad network is considered safe
or not) – hopefully you have followed the previous chapter and ads are already blocked to a large
degree on the web proxy level.
Now is the time to block them on the endpoint level, in the browser.
Block exploits and malware by blocking ad networks and ads
Exploits and malware – sometimes even highly advanced ones - are distributed via ad networks and
hacked websites. And while you can't control the latter even if you have a whitelist policy on your
web proxy, you can control which ads are seen in your network.
Malvertising
The term means serving malware via ad networks. Recent news reports have proof of malware being
served even on YouTube via AdSense (Google). If even Google can't control what its ad network is
showing to your employees, isn't it time to do something about it yourself?
From my experience at least 30% of all malware incidents in a company are generated from malicious
ads. If you can decrease the malicious incidents at your company by 30% just via blocking ad
networks you should.
Not to mention an added benefit: better browsing experience, less tracking for your users, better
privacy and last but not least – less bandwidth utilization, by as much as 5-10%!
Blocking ads via browser extensions
Browsers cannot block ads on their own, as they can’t distinguish advertising from non-advertising
elements; in order to block ads in your browser you will need an extension (which should also be
easy to distribute in corporate environments – just follow your browser’s manual).
Many are already using ad blocking extensions on personal devices - it is time to convince
management and IT to start adopting it across the board.
https://adblockplus.org is readily available for most browsers out there. So far it has been the most
widely adopted and the most effective measure against ads and malvertising. AdBlock, however, has
a little ‘issue’ – some people say it has signed contracts with major advertising networks in order to
‘whitelist’ their ads for a certain payment… They don’t advertise this fact on their project’s website,
but for me personally that is a red flag. Even though AdBlock is effective, I would use uBlock.
As an alternative (some say it is much better) you could try out uBlock; a comparison with ABP is here:
https://github.com/gorhill/uBlock/wiki/%C2%B5Block-vs.-ABP:-efficiency-compared
uBlock for Firefox can be found here: https://addons.mozilla.org/firefox/addon/ublock-origin/
uBlock for Chrome can be found here: https://chrome.google.com/webstore/detail/ublockorigin/cjpalhdlnbpafiamejdnhcphjbkeiagm
An un-official port for the Safari browser can be found here: https://chrismatic.io/ublock/
Advertising networks are getting smarter, just as malware writers got smarter with time – and the
blacklist approach really starts to lag behind, but we should continue doing our best. Even though AV
detection rates are diminishing we must use antiviruses at work. The same applies to blocking ads –
even though there might be new and unknown delivery hosts every day, we should and must use ad
blocking techniques all the time to prevent at least the most widely used ad distribution networks
and prevent malicious code distribution in this way.
Blocking ads via a HOSTS file
On Linux and Windows (as well as FreeBSD, Mac OS and other operating systems) you can block ads
by redirecting ad network domains to localhost.
You can read more about this extremely effective technique at
https://github.com/StevenBlack/hosts
Use a different browser?
Many of you have not heard of it, because it is produced by a Chinese company - the 360 Safe
Browser. It has ad blocking built-in, besides having 3 browsing engines inside and full compatibility
with Chrome extensions. One added benefit is the usage of their intelligence network and blocking
known phishing / malicious websites. With 500+ million hosts as their client base the detection rate
is not bad.
Block redirects
Often malicious scripts redirect the user from a legitimate website (hacked or not) to malicious
websites using 302 redirects. This type of redirect is crucial to the operation of the Web, but since it
is not always critical to your users, I would say go ahead and disable them.
I have not yet found a way to block redirects in the Chrome browser, but on my Firefox browser I use
the following extension: https://addons.mozilla.org/en-US/firefox/addon/noredirect/
It works well, I am happy with it and recommend it.
If you must deploy a solution for this across the enterprise, just block 302 redirects on your web
proxy appliance, as that would take care of the problem company-wide.
Talk to your corporate proxy administrator
Your web proxy appliance (or your handy proxy admin) should be able to block ad networks
without you having to modify your own or every computer on the network. This has the added benefit
of centralized management and easy troubleshooting, in case some domain needs to be unblocked.
Block ads at the gateway level
There is a really nice tutorial on http://www.bsdnow.tv/tutorials/dnsmasq on blocking ads using
DNSMasq & Pixelserv. The setup takes less than 30 minutes and can be performed on any gateway
provided they run an OS capable of running these packages. Pixelserv is used to serve 1x1 gif pixels to
prevent 404 errors from the blocked ads and to enhance the user experience – otherwise you will
see all kinds of nasty rendering bugs on your web pages. Note: this method does not block text ads
and it is still recommended that you use some of the browser add-ons mentioned above.
Besides blocking malware there are other benefits to blocking ads - less traffic and faster, safer
browsing experience. After all, why would you want to load a 10 second clip of someone selling you
stuff you don't want, thousands of times per day for every single employee of your company?
Deploying a secure browser in the enterprise
While we are on the topic of WWW, let’s talk about a very important topic – the browser your
employees are using to access the Web (and your own Intranet).
It is a sad fact that many organizations are still using IE (some even avoid updating to the newer
versions of it for ‘compatibility reasons’).
While IE can be kept relatively secure (with ad blocking at the gateway level, EMET, removing Flash,
switching to a different PDF reader, implementing the proper STIG and securing its settings to the
maximum level possible), it is still a good idea to replace it with something modern.
Microsoft Edge is coming out with Windows 10 – but until then I recommend switching to Google
Chrome.
You don’t even have to re-invent the wheel for the deployment phase – NSA has already written the
most comprehensive guide on a secure deployment of Google Chrome here:
https://www.nsa.gov/ia/_files/app/deploying_and_securing_google_chrome_in_a_windows_enterprise.pdf
It is from 2012 and a bit outdated but the basic principles are still valid.
The policy templates for deployment can be found here:
https://www.chromium.org/administrators/policy-templates - specifically,
https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
If you need a detailed description of any policy mentioned in the guide or in Chrome’s about:policy,
the folder above contains a help html file: policy templates\common\html\enUS\chrome_policy_list.html
The ADM policy template can be imported to your domain controller or to a workstation locally.
It is a very good idea to combine the NSA manual with the IASE DISA Google Chrome STIG:
http://www.stigviewer.com/stig/google_chrome_current_windows/
by generating a matrix in Excel or your favorite spreadsheet application where you could map the
matching / overlapping / unique configuration settings per guide and decide which ones to test and
implement. Focus on the red and yellow findings in the STIG.
Implementing a blacklisting/whitelisting policy in Chrome
I’ll show you a very clever trick. It is recommended that you implement a whitelisting policy, which
will greatly improve your security – but if that is not possible a blacklist is an option, too.
Navigate to the Google section in the policy editor, find Google Chrome, and in the right pane you
should see a list of policy settings. Find the following two settings: “Block access to a list of URLs”
and “Allow access to a list of URLs”.
To enable a whitelisting (only specific hosts can be reached) policy, enable both. In the Block access
setting, you will see an option to show the editor box for entering new URLs to block:
For a Whitelist, block ALL websites (careful, settings apply immediately) here by entering an asterisk
character and saving: *
Then in the “Allow access to a list of URLs”, enter the list of URLs you want to allow (up to 1000, the
rest will be ignored):
In the above example, the website and all sub-domains and folders – coursera.org – will be allowed.
about:* and chrome://policy/ need to be whitelisted if you want to be able to display the current
policy settings by typing about:policy in the address bar. If you don’t want your users to see the list
of blocked sites (a good idea), remove the aforementioned entries.
To enable just a list of blocked sites, instead of an asterisk just enter up to 1000 blocked domains.
Any domains after 1000 will be ignored.
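Before pushing such a policy to a domain (the settings apply immediately), it helps to dry-run the planned lists. The following Python is an added example, not from the book and not Google’s code: a simplified model of how the two settings are evaluated, under these assumptions: a filter has the form [scheme://][.]host[/path], a leading dot means the host without its subdomains, the most specific matching filter wins (longer host, then longer path), the allow list wins ties, and “*” has the lowest precedence; ports and query filters are not modelled.

```python
# Added example, not the book's or Google's code: a simplified model of the
# "Block access to a list of URLs" / "Allow access to a list of URLs" policies
# for dry-running a whitelist or blacklist before it is deployed.
# Assumptions: filter form [scheme://][.]host[/path]; most specific match wins
# (longer host, then longer path); the allow list wins ties; "*" ranks lowest;
# ports and query filters are not modelled.
from collections import namedtuple
from urllib.parse import urlsplit

MAX_ENTRIES = 1000   # the book notes that entries beyond 1000 are ignored

Pattern = namedtuple("Pattern", "scheme host exact path")


def parse_pattern(text: str) -> Pattern:
    """Split a filter such as 'https://.mail.example.com/inbox' into its parts.
    A leading dot on the host means that host alone, without subdomains."""
    scheme = None
    if "://" in text:
        scheme, text = text.split("://", 1)
    elif ":" in text and text.split(":", 1)[0].isalpha():
        scheme, text = text.split(":", 1)        # e.g. about:*
    host, _, path = text.partition("/")
    exact = host.startswith(".")
    return Pattern(scheme, host.lstrip(".").lower(), exact, "/" + path if path else "")


def matches(pat: Pattern, url: str) -> bool:
    """Does the filter apply to this URL? Path filters are prefix matches."""
    u = urlsplit(url)
    if pat.scheme and pat.scheme != u.scheme:
        return False
    host = (u.hostname or "").lower()
    if pat.host != "*":
        same = host == pat.host
        sub = not pat.exact and host.endswith("." + pat.host)
        if not (same or sub):
            return False
    return (u.path or "/").startswith(pat.path) if pat.path else True


def specificity(pat: Pattern):
    """'*' ranks below every named host; then longer host, then longer path."""
    return (pat.host != "*", len(pat.host), len(pat.path))


def is_allowed(url: str, allow, block) -> bool:
    """True if, under this model, the URL would be allowed to load."""
    best = None                                   # (specificity, verdict)
    for entries, verdict in ((allow[:MAX_ENTRIES], True), (block[:MAX_ENTRIES], False)):
        for entry in entries:
            pat = parse_pattern(entry)
            if matches(pat, url):
                key = (specificity(pat), verdict)  # True > False: allow wins ties
                if best is None or key > best:
                    best = key
    return True if best is None else best[1]      # nothing matched: not blocked


# The whitelist mode described above: block everything, then allow a few entries.
ALLOW = ["coursera.org", "about:*", "chrome://policy"]
BLOCK = ["*"]

if __name__ == "__main__":
    for url in ("https://www.coursera.org/learn/crypto", "https://example.com/",
                "about:policy", "chrome://policy/"):
        print(url, "->", "allowed" if is_allowed(url, ALLOW, BLOCK) else "blocked")
```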
Another very useful set of settings can be found in the Google Chrome > Content Settings branch.
Specifically “Allow JavaScript on these sites” and the respective “Block JavaScript on these sites”.
Their logic is the same as above.
In “Content Settings”, the “Default plugins setting” should be as in the screen below:
If Chrome is not your favorite, you can and should still refer to the IASE DISA Application Security Browser Guidance: http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx
Hardening Flash: mission (im)possible
Oh, Adobe Flash, why are you so insecure. But in corporate environments we (most of the time) just
can’t get rid of Flash – for backwards compatibility, to prevent complaints (including from higher
management who just will not back away from viewing their favorite flash sites and would be willing
to risk the security of the organization for it)… whatever the reasons, we just have to put up with this
amazing piece of software, for now (and let’s hope HTML5 gains traction faster).
If you are one of the many who need to keep Flash on all user machines, then there is some limited
relief – in the form of the official Adobe Flash 17 (could be newer at the time of you reading this)
Administration Guide: http://www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_17_0_admin_guide.pdf
For some unknown reason there are no STIGs or NSA security guides for configuring Flash, so we are
on our own here.
First of all: are you updating Flash across all your computers every time a new version comes out?
Are you sure – are you checking the version after each update on all computers? Are you disabling it
every time an exploit comes out, until a new, patched version is out?
Second: after the above is done and integrated into the daily processes and procedures at your
workplace it is time to think about hardening it.
If you look at the payload of any flash exploit, you will see, in almost all cases, imports to functions
relating to network and file system access, among others. So our objective will be to limit the access
Flash has to file and network resources – so it would be unable to download 2nd stages of any
payload or store it / modify it / decrypt it on the file system, effectively rendering the exploits
useless.
Ignoring the deployment options from the guide above as they’re not relevant to this book, let’s
focus on the security configuration settings described in it, specifically page 24 and the file
“mms.cfg”.
In general as you go through the settings, you should follow a whitelisting rule, meaning allowing
network connections and file activity (downloads, for example) only for explicitly approved domains
and locations. Pages 28, 33 and 35 of the guide above are most interesting for our purposes.
From all the settings, the following are almost mandatory, bold are the preferred settings (and
remember: test, test, test. Some settings may and will break needed functionality, play at your own
risk!):
LocalFileReadDisable = [ 0, 1 ] (0 = false, 1 = true)
FileDownloadDisable = [ 0, 1 ] (0 = false, 1 = true)
FileUploadDisable = [ 0, 1 ] (0 = false, 1 = true)
SilentAutoUpdateEnable = [ 0, 1 ] (0 = false, 1 = true)
DisableSockets = [ 0, 1 ] (0 = false, 1 = true) (read the manual description, use the next option)
ProtectedMode = [0, 1] (0 = off, 1 = on)
Sandboxed Browsers / Alternatives for the enterprise
Sandboxing is a term coming from the times when guns were tested by firing shots in a box filled
with sand – effectively making the practice safe for the shooter.
In the same way if you protect the browsers of your users and isolate them in a sandbox (treating the
browser and the exploits which might attack it as the bullets which could otherwise kill your
security), you will achieve significant security benefits – some malware even gives up from running if
it detects a sandbox. But… other malware is capable of escaping sandboxes – so keep that in mind
and do not depend just on the sandbox.
Out of all the well marketed and advertised solutions, let me introduce a few of the less popular but
in my opinion, more effective solutions.
Browser in a box
The enterprise-ready version of this gem by Sirrix AG
(https://www.sirrix.com/content/pages/home_en.htm) is capable of delivering incredible sandbox
isolation for your most sensitive machines, where simple sandboxing in the form of
Invincea/Sandboxie and their likes is not enough.
The same company offers full-disk encryption solutions, mobile security solutions – they are
not paying me to advertise them, I am genuinely impressed by the quality of their products
and would like to pass on the respect through my book.
The difference between the commercial, enterprise version
(https://www.sirrix.com/content/pages/BitBox_enterprise_en.htm) and the free version is the
capability to properly integrate with your web filter and to fully separate intranet from internet
browsing. But even the free version is good for personal use.
Bufferzone Pro and Invincea along with Sandboxie are, in my opinion, other, standard commercial
solutions worth evaluating and exploring in comparative tests.
I have done my own tests and could say just this – in your testing always obtain fresh malware
samples and run them on a freshly installed and updated hardware box inside the sandbox and
outside of it, noting the registry / filesystem changes with Process Monitor and / or regshot or your
favorite system monitoring software.
Make sure to do these tests in fully isolated environments, not connected to your enterprise
network, have disk images ready to quickly restore the systems to their original pristine state. A good
free and effective disk imaging solution is AOMEI Backupper.
Comodo offers an AV + Firewall + a Sandbox (very good one, I might add) for free – but please check
their licensing terms and their compatibility with your environment.
Selecting operating systems according to your business needs
Use BSD (FreeBSD/OpenBSD) whenever possible. If you have a Linux device which can be replaced by
*BSD and maintain the same functionality it would be a good idea to go forward with the
replacement. Use Linux whenever possible – including for some desktops in your environment which
do not necessarily need to run Windows – like kiosks, etc. Enable security auto-updates when you
can. Use Windows 8/10 64 bit when you can. And if you really, really care about security – try out
Qubes OS – this could be the first step into considering its use personally or for specific business
needs.
Before getting into the discussion which OS is more or less secure – let me clarify one thing. Even
Windows XP can be configured in such a way that it will become a very, very difficult target to
exploit.
For example: enable SRP application whitelisting and configure SRP properly. Install Browser-in-a-Box,
only browse from that application, install all the latest updates, install EMET (the latest supported
version for XP) and configure it properly. Install a proper AV, such as 360 Total Security (Chinese) (XP
might still benefit from it), set up a Guest user account and a regular user account, set up proper
passwords for all and only use the machine daily as a Guest-level account. When installing, elevate
with Run-As. Regularly update the HOSTS file with blocked malicious domains (this is available from
multiple sources and the task can be automated). Delete CMD.EXE, debug.exe, command.com and
disable powershell. Delete reg.exe and regedit.exe after everything is set up and installed – use them
from an external device if needed. Here you go! One paragraph, and the most “insecure” OS –
Windows XP – has been secured properly.
This only goes to show that no OS is secure unless properly configured by a knowledgeable admin.
Even FreeBSD can become less secure than Windows XP – so please, pay attention to best practices,
SRG/STIGs and you will be fine.
*BSD
The *BSD family of operating systems is currently the least targeted and the most secure, if you
count publicly released exploits / vulnerabilities per OS. Next comes Linux in its various flavors. The
least secure (by default) operating system family is, of course, Microsoft Windows – just because of
its wide use and incredibly large codebase, but also because it is severely under-maintained and
under-configured compared to what it could become after proper tuning.
One benefit of using *BSD systems as servers (especially web servers) is the concept of ‘jails’ they
employ. This is similar to virtualization – but instead of virtualizing a whole OS for the sake of a single
application, you run the application in its own container, called a ‘jail’.
This concept is weaker in Linux (called ‘chroot’) and non-existent in Windows. The closest thing in
Windows to a jail is a sandbox – and it is not at least to my knowledge a practice to run web
applications inside a sandbox on Windows.
*BSD as a Desktop
Contrary to popular opinion, BSD can be used as a desktop OS as well. Even in corporate
environments (check out http://www.desktopbsd.net/ ).
Think about it – how many users in a company do not need specialized software to do their job? Call
center operators, mail room operators, non-skilled workers, developers (some programming jobs do
not require Windows) and many others. You can run your file servers on BSD, your web servers
(which is actually recommended due to the aforementioned ‘jails’), your print servers, - the
possibilities are endless. And since it can easily integrate with Windows Active Directory, what’s
stopping you from experimenting?
Qubes OS
Qubes OS is appropriate for sensitive situations, when there is a high risk of attack against a
workstation in the form of an exploit. It has been created by Joanna Rutkowska with security in mind.
I would put Qubes OS on the desktops of the administrative assistants of the C-level executives
without any hesitation, as they are the ones most frequently compromised due to their low level of
technical skills and security awareness combined with their high value as targets.
In essence the operating system isolates all applications (such as browsers, editors, etc) in their own
VMs. It is very similar in operation to a regular Linux desktop with the exception that the user needs
to get used to the concept of application isolation. Office packages such as Kingsoft Office (described
later on) are perfect for it and if all one needs to do is work with documents, print, scan, read and
write e-mail, just regular office work – Qubes OS and Linux are perfectly appropriate alternatives,
providing security from the most widely spread malware and exploits and making it very difficult for
attackers to propagate in them if your other operating systems are compromised.
This OS cannot be run in a virtual machine – it has to be installed on a physical box – so in order to
test it you will need a spare physical box with the right components inside. A hardware compatibility
list is available on the project’s website – https://www.qubes-os.org/
Linux
The level of maturity of the Linux family of operating systems (distributions) is enough for regular
business use. Tools exist to run Windows applications on Linux too – and there are quite good
alternatives to most frequently used Windows software for Linux.
Office productivity suites for Linux
Libre Office (Open Office) has been dominating the space for quite some time, until the appearance
of KingSoft Office - http://ksosoft.com/product/office-2013-linux.html , but both are good for their
respective audiences. It only boils down to testing and seeing which one fits you most.
Differentiate and decrease your attack surface when using 3rd Party Software
There are many alternatives for PDF readers, audio/video players, even for office packages. For
example, we know how frequently attackers exploit Microsoft Office ® vulnerabilities and use Macro
viruses to attack your endpoints.
So why not use Libre Office or Kingsoft Office? Okay, maybe Libre Office is not really ready for most
commercial environments, but I bet most people have not used Kingsoft Office! There is a fully free,
fully-featured version available and I might say the functionality and UI of this software package are
pretty good for the price. http://www.kingsoftstore.com/software/kingsoft-office-freeware
Image credit: linuxundich.de
I would like to emphasize that Kingsoft® Office is available for both Linux and Windows® operating
systems. The quality of the suite is better than that of Libre Office, in my personal opinion – or at least
I find it better suited to my needs. It is up to you to decide – test both and see for yourself.
For PDF reading make sure to eradicate Adobe© Acrobat Reader© from as many of your endpoints
as possible. It is just ridiculous how many vulnerabilities have been found in a PDF reading package!
Foxit Reader is good enough. There are many other alternatives. But for all that’s holy, stop using
Adobe Acrobat Reader until Adobe fixes the way it writes software – for me, seeing vulnerabilities in
a software package all the time means I should not use this software package. It is not worth the risk.
The point here is, that Foxit with its smaller user base and much smaller code base – and sometimes
better functionality – will always be the smaller attack surface compared to the most popular PDF
reading software. Hackers will always target Acrobat Reader more – just because most people are
using it. And while this might seem as “security through obscurity” – the point of being secure is
sometimes in being invisible or being the less likely target – for me, this is better than using
vulnerable software just to avoid “security by obscurity”.
Some might call this security through obscurity – and yes, you are not solving the problem by
switching your pdf reader. But for me a decrease in attack surface is still a decrease in attack surface.
If 95% of the exploits written for pdf reader are for Adobe® Acrobat™ - and 5% for the other readers,
I am all for using other alternatives.
Just make sure whatever software package you choose you have a plan (tested and working) on
properly automatically updating them to their latest versions, either using SCCM/other internal
software management system or using their official channels.
Flash
Oh, Flash. Need we even discuss… Please remove all Flash plugins / remnants from all your endpoints,
unless there is a dramatically important, business-critical reason to use it – and even then you should
only use Flash in a heavily sandboxed environment. Just get rid of it. The number of exploit packs using
0-days for Flash is … over 9000.
How to properly harden your operating systems
The core of this book, the very essence of what building a cyber fortress is about is in this chapter. It
will probably be the most boring work you will have to do – the most tedious, labor-intensive and
frustrating – but if you follow this chapter properly the security posture of your company is going to
get to the level you need - raising the price of compromise above the levels acceptable to most
attackers.
Building a cyber fortress is not about constructing walls and towers – it is about making the endpoint
as secure as possible. If every endpoint and network connected device in your network is hardened
using the techniques below you will have every reason to feel safe.
Every operating system in mass use today is soft and squishy when its default configuration is
attacked. Hardening guides for the major OSes are abundant – but what makes them dangerous is
lack of standardization and testing. You cannot rely on blog posts and how-to guides for enterprise,
military grade security, this is obvious.
Blog posts and advice found on the web (even on the sites of security experts) cannot be trusted
for multiple reasons – they are not regularly updated, they will for sure miss quite a lot of
settings, and they are personal advice, published by people with different backgrounds and
knowledge levels.
Sources of hardening guides
NSA offers a large list of hardening guides in document format – ones which you can print and go
through page by page, as well as some scripts, configuration files – depending on the situation /
guide.
The page where you can find them at the time of this writing is
https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
The page contains guides even for iOS and Mac OS.
The NSA guides are lacking what the next section has in abundance – relevance for the latest
technologies and comprehensiveness.
What they do have, though, are scripts and ADM templates – which may help a lot during the testing
and automation processes.
SRGs and STIGs
Security Requirement Guides and Security Technical Implementation Guides are at the foundation
of what should be your procedure to secure applications and operating systems, networking devices,
basically everything which is configurable in your environment and which has SRG/STIG for it.
The concept of a STIG is the following: it is a XML file containing all the most secure settings of the
software it was created for, as well as other configuration requirements and advice. The XML file is
accompanied by several PDF files, all in a single ZIP package. Be it Apache, IIS, RDBMS or an
Operating System – IASE DISA has most of them covered with the right STIG/SRG for every single one
of the most recent versions. At the time of this writing there are 474 STIGs, all of them are listed in
alphabetical order on http://iase.disa.mil/stigs/Pages/a-z.aspx
There are specific STIGs (for example the “Google Chrome Browser STIG for Windows - Version 1,
Release 2”, and conceptual STIGs, for example “General Purpose Operating System SRG”)
You can use these files to create Excel spreadsheets, which can then be distributed to various IT
support teams for auditing and configuration change tracking.
The same files can be fed into commercial tools – such as Nessus or Qualys – to audit the
configuration settings of your equipment.
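Turning the XML into a spreadsheet is easy to automate. The following Python is an added example, not from the book and not DISA’s code: it flattens the Group/Rule pairs of a STIG’s XCCDF file into one row per rule, maps the XCCDF severity onto the DISA CAT levels and emits CSV for Excel. The element layout follows the XCCDF 1.1 schema that STIGs use; the embedded benchmark is a constructed two-rule sample with placeholder IDs, not a real STIG.

```python
# Added example, not the book's or DISA's code: flatten the XCCDF XML inside a
# STIG package into spreadsheet rows, one per rule, for support teams to track.
# The sample benchmark below is constructed, with placeholder IDs.
import csv
import io
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}   # namespace used by STIG XCCDF files
# XCCDF severity -> DISA category; CAT I and CAT II are the ones to fix first.
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_Browser_STIG">
  <title>Example Browser STIG (constructed sample)</title>
  <Group id="V-EXAMPLE-1">
    <title>SRG-PLACEHOLDER-1</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="high" weight="10.0">
      <version>EXBR-00-000010</version>
      <title>Extensions must be restricted to an approved allowlist.</title>
      <fixtext fixref="F-EXAMPLE-1">Configure the extension allowlist policy.</fixtext>
      <check system="C-EXAMPLE-1"><check-content>Verify the policy is set.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <title>SRG-PLACEHOLDER-2</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="medium" weight="10.0">
      <version>EXBR-00-000020</version>
      <title>Plugins must be blocked by default.</title>
      <fixtext fixref="F-EXAMPLE-2">Set the default plugins setting to block.</fixtext>
      <check system="C-EXAMPLE-2"><check-content>Verify the default plugins setting.</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""

FIELDS = ["group_id", "rule_id", "stig_id", "category", "severity", "title", "fix", "check", "status"]


def text_of(elem, path: str) -> str:
    """Text of a child element, or '' when absent (real STIG rules omit some fields)."""
    child = elem.find(path, NS)
    return (child.text or "").strip() if child is not None else ""


def stig_rows(xml_text: str) -> list:
    """Flatten every Group/Rule pair of an XCCDF benchmark into dict rows."""
    root = ET.fromstring(xml_text)
    rows = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            sev = rule.get("severity", "")
            rows.append({
                "group_id": group.get("id", ""),
                "rule_id": rule.get("id", ""),
                "stig_id": text_of(rule, "x:version"),
                "category": CATEGORY.get(sev, "unknown"),
                "severity": sev,
                "title": text_of(rule, "x:title"),
                "fix": text_of(rule, "x:fixtext"),
                "check": text_of(rule, "x:check/x:check-content"),
                "status": "",          # left blank for the support team to fill in
            })
    return rows


def to_csv(rows) -> str:
    """Render the rows as CSV text for Excel or any spreadsheet application."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def count_by_category(rows) -> dict:
    """Number of findings per CAT level, to decide where to start."""
    counts = {}
    for row in rows:
        counts[row["category"]] = counts.get(row["category"], 0) + 1
    return counts


if __name__ == "__main__":
    # With a real package, read the *_Manual-xccdf.xml file from the ZIP instead.
    rows = stig_rows(SAMPLE_XCCDF)
    print(to_csv(rows))
    print(count_by_category(rows))
```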
From the official SRG/STIG training:
There are four Core SRGs. These provide general security guidelines for operating systems, network
infrastructure, applications, and non-technical policy controls. These four Core SRGs are the highest
level SRGs and govern specific technology and policy areas. Core SRGs contain all security
requirements for their technology and policy areas. Technology SRGs are subordinate to the Core
SRGs. Technology SRGs do not refer to a specific product or product version, but contain all
requirements that have been flagged as applicable from the parent level Core SRGs. The technology
SRGs provide the basis for product-specific STIGs. In this way, SRGs compile overarching technology-specific security settings to help provide assurance that DoD information systems operate at an
acceptable level of risk. Note that the Core SRGs are not intended for use in assessments. STIGs, or, if
necessary, Technology SRGs will be used for assessments.
STIGs document DoD policies and security requirements for specific technical products, as well as best
practices for configuration. You can find specific STIGs that cover widely used operating systems,
infrastructure services, and support applications. There are also STIGs that cover general topics such
as remote or wireless computing and networking. Note that STIGs have not yet been created for
specific mission applications.
Because STIGs can help you detect, or even avoid intrusions, respond to and recover from security
breaches, and implement specific security policies for technical products incorporated into your
information system, your system is more likely to operate at an acceptable level of risk. A STIG is more
than just a text document. STIGs include detailed guidelines to configure systems for security and
compliance, such as benchmarks, which are specific versions of STIG content with code to perform
automated assessment checks. STIGs also include guidance documents that you can use to configure
your system manually. In order to standardize the automation of compliance reporting, the code in
these benchmarks is compatible with the Security Content Automation Protocol, or SCAP. Note that in
the past, STIGs and their associated checklists were separate documents, but they are now included in
a single document that contains both content you can use to configure systems for security and
compliance and content you can use to check systems for security and compliance. Although
conversion efforts began in 2009, you may still encounter older STIGs with checklists that are
separate documents.
Whether operating a current system or implementing a new system, STIGs and SRGs provide
important security guidelines and configuration resources for both system operators and developers.
The check content presented in STIGs will allow you to assess whether your current systems are in
compliance with the STIGs, while the fix text content in the STIGs will help you configure new and
existing products so they meet compliance requirements. Vendors should use STIG guidelines for both
new and existing products during research and development efforts. But what if an appropriate STIG
does not exist? If there is no product-specific STIG for your product, you should use an appropriate
SRG to guide you in implementing the appropriate security requirements. While FSO primarily uses
SRGs as the basis for writing product-specific STIGs, vendors may use SRGs to build more secure
products that comply with DoD security standards. SRGs, STIGs, benchmarks, and other information
security-related resources are all available at DISA’s Information Assurance Support Environment, or
IASE, website. Each SRG or STIG will provide instructions on how to use and apply the guidance it
contains.
All of the above information is available on the free DoD course –
http://iase.disa.mil/eta/srg_stigs/launchPage.htm – and you get to print out a nice certificate in the
end!
No other organization in the world has put as much work as IASE/DISA into cataloguing and
explaining every single setting in such a large number of software products from a security point of
view. In fact, this topic is so important that I wish I could mark it in red in the book’s Table of
Contents.
I have to give it to them – they’ve done an incredibly precise and labor intensive job to accomplish it
– and it will be a shame if you do not use this freely available resource. This whole book might have
been written on this topic alone and the best I could ask you for is to research into it and start
implementing.
The place to start is at http://iase.disa.mil/stigs/Pages/index.aspx – maybe it is a good idea to
download the whole archive, located at http://iase.disa.mil/stigs/dod-purpose-tool/Pages/index.aspx
before it has been taken down or made available only to U.S. military personnel with a PKI issued by
them.
I sincerely hope it does not happen – but the whole planet is preparing for war and after the release
of this book, one can never know which resources would become unavailable freely.
You can find a really good training on the topic in an online training published by the US DoD –
located at http://iatraining.disa.mil/eta/srg_stigs/launchPage.htm - they even provide a certificate
on completion!
Using SRGs / STIGs
Before using the guides you should at least be able to view them. For that there are several
resources. One is an online viewer located at http://www.stigviewer.com/ - it has been created by a
volunteer who is not related to IASE/DISA – but still did a great job in helping us all use this invaluable
resource.
From that website you can download the guides in Excel / JSON or XML format – without the need to
search and extract from the official source. Also the website can be used as a quick search engine
and reference when you just need to check something quickly.
The structure of the pages on that website reflects the structure of the guides themselves: Finding ID, Severity, Title and Description.
The same website has a list of the DoD 8500 security controls - http://www.stigviewer.com/controls/8500 - as well as all of the NIST 800-53 security controls - http://www.stigviewer.com/controls/800-53
Overall, this is the Swiss army knife of working with SRG/STIGs.
I would suggest you navigate through the site, choose a guide / stig and just explore from there –
click on the controls, see the detailed descriptions, etc – dive in and you will get the idea pretty
quickly.
The Official Way
The official way of viewing STIGs/SRGs is described at http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx - a Java application, allowing you to view/modify/save/track progress, as well as to export the files in
various file formats.
Creating a STIG Checklist
One of the most useful functionalities of the Java-based STIG viewer is creating a checklist from the
XML files.
All you have to do is open the app, load the XML and from the interface choose Checklist -> Create
checklist from current STIG:
A new window pops up, allowing you to save the checklist to the native format, where it could be
useful to other people having the same program, or you could export to Excel (CSV):
Which is even more portable.
Besides using commercial applications and manual labor to check for STIG compatibility, you also
have the option to use a free tool, when it comes to Linux systems. The tool is called LinuxChiro, and
can be found at https://github.com/johnculkin/LinuxChiro
OpenSCAP
Another free tool supporting *nix/Linux operating systems is OpenSCAP, http://www.openscap.org/page/Documentation#Scanning
It is much more powerful than LinuxChiro and has the capability of reading/working with multiple
formats – such as:
- XCCDF: The Extensible Configuration Checklist Description Format (ver. 1.2)
- OVAL®: Open Vulnerability and Assessment Language (ver. 5.10.1)
- Asset Identification (ver. 1.1)
- ARF: Asset Reporting Format (ver. 1.1)
- CCE™: Common Configuration Enumeration (ver. 5.0)
- CPE™: Common Platform Enumeration (ver. 2.3)
- CVE®: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System (ver. 2.0)
Working with STIGs and OpenSCAP is detailed in this link:
http://www.openscap.org/page/Documentation#How_to_Evaluate_Defense_Information_Systems_Agency_.28DISA.29_Security_Technical_Implementation_Guide_.28STIG.29_on_Red_Hat_Enterprise_Linux_5
Nessus and Qualys are also able to scan for STIG compliance – even though they are commercial
products, you can compare them feature-wise and price-wise, maybe one of them will match your
needs perfectly.
Application Whitelisting - SRP and AppLocker
The industry as a whole has a problem – we rely too much on blacklisting, if at all. We blacklist
suspicious applications, domains and functions – but at a rate which is negligible compared to the
speed and capabilities of our adversaries.
An organization or a vendor can only blacklist what they know about – and the dark side of the
Internet is too wide and powerful, one vendor could never be able to cover it all.
Services exist on the black market to generate malicious executables undetectable by any AV – and
their SLA states that as soon as your malicious binary starts being detected, they replace it with a
new one, for free.
There is only one way to win in this situation:
APPLICATION WHITELISTING
As soon as you mention the idea of application whitelisting, your IT team will immediately start
acting in denial – saying that it is not possible, that it will not work, etc. What is happening is just
their lack of experience in that matter and their fear of change – also, their fear of the additional
work which is inevitable in this situation.
Your job will be to handle them smoothly and create a plan of multiple successive steps for the
adoption of SRP (Software Restriction Policies) and AppLocker. That plan will need to include a proof-of-concept test scenario where a small set of computers is configured properly (initially), to see how
the new configuration might impact the work of regular employees. Once this pilot project is
complete and the IT team is comfortable with it, they will accept wider adoption much more
easily than if you try to force a complete migration right from the start.
Note: the following pages will be deeply technical and will rely on understanding of Windows
Client/Server administration basics. If you come from a different background you may need to consult
with your systems administrators / IT team. In the references section you will find all whitepapers on
which this chapter is founded – as well as in the end of the chapter itself, for your convenience. It is
best if you print them out or save them as PDF files and hand them in a discussion meeting to your IT
team.
The number of available exploits for Windows components (remote / local exploitation, privilege
escalation) keeps growing, while servers and desktops are generally patched on a set schedule and
some of them lag months behind – in the best case scenario.
Execution of code on any node should be controlled and impossible without authorization. This
means that all applications and executables present in the environment need to be pre-approved
and on an authorized list (system) before being allowed to execute. This sounds like, and is, a lot of work
initially, but as your organization matures and more and more applications are added to the
authorized list, it gets easier and you will receive fewer requests for new additions. Without
this last rule your defenses will be almost helpless against attacks – even if your nodes are hardened
to the maximum possible in their configuration.
Blocking the execution of unauthorized code in any of its reincarnations is the only way to keep your
network immune and healthy.
It is no longer enough to block the downloads of executables on the proxy / firewalls – malware now
uses encrypted data inside JPG files, unpacks them in memory, decrypts and executes code and you
can’t control or contain that without blocking the execution of the initial malicious payload.
If any malicious payload gets executed and obtains access to a system, the game is over – it can do
whatever it wants and security teams would have a very difficult time stopping it. Your goal is to
prevent this initial infection from happening.
The vectors of attack are known: USB (including smartphones, flash drives, e-cigarettes, basically any
USB device), e-mail attachments, e-mail links, infected web pages, malvertising – all of them rely on
the user opening a file, extracting a file from a zip file (sometimes double zipped), clicking on a link or
simply loading a web page.
Infected web pages usually rely on unpatched versions of Java or Flash – and they usually succeed, as
most companies don’t believe they can update Java and Flash at the same pace at which exploits for
them get released, without breaking legacy applications.
Blocking this specific vector – Java and Flash exploits – is not a part of this chapter, please refer to the
next chapter, where I will talk about browser sandboxes and browser isolation.
The reason you can’t control Java and Flash exploits via SRP / AppLocker is simple – if you allow Flash
and Java, they become whitelisted and any malicious code anywhere on the Internet is free to exploit
your decision at will.
My personal recommendation is to disable Flash completely – I can’t think of a valid reason for having it,
now that most video sharing sites are using HTML5 to deliver content and most modern browsers
use HTML5 (I hope you are not using IE8).
Disabling Java in a corporate environment is not possible – but you can disable the execution of Java
applets on untrusted sites (sites not explicitly defined in a whitelist). Thankfully Oracle developed
Deployment Rule Sets – unfortunately, documentation on that front is lacking. They announced the
new feature here –
https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets - but
according to many people the initial documentation is not clear and easy to follow. Still, their
documentation as well as several blog posts, such as http://kylebubp.com/2013/11/use-java-whitelisting-to-further-secure-your-organization/ , http://ephingadmin.com/administering-java/ ,
and https://isc.sans.edu/diary/How-To%27s+for+the+Holidays++Java+Whitelisting+using+AD+Group+Policy/17267
Java whitelisting is a very complicated topic – nevertheless you will need to put it in a standalone
project and work through its completion if you want to control this very large execution vector in
your environment.
Are you ready to jump right into configuring application whitelisting? Not so fast!
Execution Monitoring
First, you need to make sure you know what is happening in your environment. Since by default
Windows operating systems don’t have any process execution tracking, you would have to either use
SysMon by Microsoft (https://technet.microsoft.com/en-us/sysinternals/dn798348 ) or use a third-party tool such as http://www.nexthink.com/ or https://www.bit9.com/solutions/carbon-black/ (I
only recommend products I’ve used, others might exist but I cannot cover all of them in that book, as
it would be unfair to mention things I have no experience with personally). In any case, it is
imperative that you store all executions of binaries in a central database, away from the endpoint,
for later investigations or for real-time analysis and alerting. SysMon logs can be sent and analyzed in
a SIEM, for example. Having a log like this will help you with the actual application whitelisting
implementation process – without it, you will be working with one eye closed and one hand tied
behind your back.
(Note on Sysmon: the best article I’ve read about it – which tops even Microsoft TechNet – is at
https://jon.glass/discusses-sysmon-v2/ and https://jon.glass/discusses-sysmon-v2-filtering-rules/ )
I will talk more about system monitoring in the SIEM and Logging chapters – this is relevant just for
this chapter.
Now that you’re done with your process monitoring, you can start planning the actual application
whitelisting process.
Your first step is to determine which technique is more suitable for you – using Software Restriction
Policies or AppLocker.
Microsoft has created a good (although not that great) comparison table here:
https://technet.microsoft.com/en-us/library/ee424371%28v=ws.10%29.aspx
This is also the point when you should decide if you are going to use Whitelisting or Blacklisting.
Because you can block execution from specific folders and still be relatively protected from Internet
threats (the folders used by browsers as download and temporary file storage).
I will only do a small deviation from the Whitelisting topic to define the best practice for Application
Blacklisting:
Application Blacklisting with SRP
Not as recommended nor as secure, but some organizations still prefer to go with it as it is less hassle
to maintain (but trust me, much more hassle if you get compromised and your whole business shuts
down for a week, with your job being given to someone else as a result).
For application blacklisting to work correctly, you will need to create 2 separate accounts per user for
your admins – and your regular users should have no admin rights.
Your Admins should never log in to Windows as Administrator – in fact, the “Log on locally” right
should be denied to them. They will only run applications with admin rights using the Run As… function, and
their administrative users should be exempt from most of the SRP rules – all of them except
execution from Temporary Internet Files and Downloads folders.
For Local Group Policy editing when the machine is not part of the domain, you will still be able to set
up two sets of group policies for two groups of users (admins and non-admins(built in)) following this
guide:
https://technet.microsoft.com/en-us/library/cc766291%28v=ws.10%29.aspx
Here are the rules:
Software restriction policies:
-Security Levels:
--Default: Unrestricted
Additional Rules:
Path Rules: (set all to Disallowed)
%Temp%\*
%USERPROFILE%\AppData\Local\Temp\*
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\*
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*
%USERPROFILE%\Local Settings\Temp\*
E:\*
F:\*
Explanation: blocking execution from E: and F: is usually enough to block execution from USB devices.
Blocking execution from temporary internet files prevents many malicious programs from silently
downloading and running executables; the same applies to the Temp folder. The %temp% rule prevents
execution from opened Zip archives (for example, when a user opens a zip file and then runs the
“PDF”.exe from inside the zip file directly).
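Before pushing these rules out with Group Policy, replay them against the process-execution log the Execution Monitoring section told you to collect, so you know in advance what will break. The Python below is an added example (mine, not from the book, Microsoft or Sysinternals): it takes a few constructed Sysmon Event ID 1 records, expands %Temp% and %USERPROFILE% the way they resolve for the logged-on user (assuming the default C:\Users profile root), and reports which executions the Disallowed path rules above would have stopped. The admin exemption follows the text above: administrative accounts remain subject only to the browser temporary-file rules. The "Admin" field stands in for the group-membership lookup you would do against AD.

```python
"""Replay Sysmon process-creation (Event ID 1) records against SRP path rules.

Added example for this chapter, not code from the book or from Microsoft.
"""
import fnmatch
import re

# The Disallowed path rules listed above.
DISALLOWED_PATH_RULES = [
    r"%Temp%\*",
    r"%USERPROFILE%\AppData\Local\Temp\*",
    r"%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\*",
    r"%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*",
    r"%USERPROFILE%\Local Settings\Temp\*",
    r"E:\*",
    r"F:\*",
]

# Per the chapter, administrative accounts stay subject only to the browser
# temporary-file rules; every other rule is exempt for them.
ADMIN_STILL_BLOCKED = {r for r in DISALLOWED_PATH_RULES
                       if "INetCache" in r or "Temporary Internet Files" in r}

# Assumptions: default profile root; built-in service accounts resolve elsewhere.
PROFILE_ROOT = r"C:\Users"
SYSTEM_PROFILE = r"C:\Windows\System32\config\systemprofile"

# Constructed Sysmon Event ID 1 records (only the fields this check needs).
SAMPLE_EVENTS = [
    {"UtcTime": "2015-09-01 08:01:12", "User": r"CORP\alice", "Admin": False,
     "Image": r"C:\Users\alice\AppData\Local\Temp\7zO1234\Invoice.pdf.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"UtcTime": "2015-09-01 08:02:40", "User": r"CORP\alice", "Admin": False,
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2015-09-01 08:05:03", "User": r"CORP\bob", "Admin": False,
     "Image": r"E:\autorun\setup.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2015-09-01 08:07:55", "User": r"CORP\carol", "Admin": False,
     "Image": r"C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\IE\AB12CD34\update[1].exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"UtcTime": "2015-09-01 08:09:10", "User": r"CORP\adm-dave", "Admin": True,
     "Image": r"C:\Users\adm-dave\AppData\Local\Temp\vendor-setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2015-09-01 08:11:00", "User": r"NT AUTHORITY\SYSTEM", "Admin": True,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def user_profile(user: str) -> str:
    """Profile directory for a DOMAIN\\name account (assumed layout)."""
    domain, _, name = user.rpartition("\\")
    if domain.upper() == "NT AUTHORITY":
        return SYSTEM_PROFILE
    return PROFILE_ROOT + "\\" + name


def expand_rule(rule: str, user: str) -> str:
    """Expand %Temp% and %USERPROFILE% as they resolve for the logged-on user."""
    profile = user_profile(user)
    rule = re.sub(r"%USERPROFILE%", lambda _: profile, rule, flags=re.I)
    rule = re.sub(r"%Temp%", lambda _: profile + r"\AppData\Local\Temp", rule, flags=re.I)
    return rule


def matching_rule(event: dict):
    """Return the first Disallowed rule the executed image falls under, else None."""
    image = event["Image"].lower()
    for rule in DISALLOWED_PATH_RULES:
        if event.get("Admin") and rule not in ADMIN_STILL_BLOCKED:
            continue  # admin exemption as described in the chapter
        pattern = expand_rule(rule, event["User"]).lower()
        # SRP's trailing \* covers the whole subtree; fnmatch's * also crosses backslashes.
        if fnmatch.fnmatchcase(image, pattern):
            return rule
    return None


def simulate(events: list) -> list:
    """List what the policy would have blocked, for review before enforcement."""
    return [{"time": e["UtcTime"], "user": e["User"], "image": e["Image"], "rule": r}
            for e in events for r in [matching_rule(e)] if r]


if __name__ == "__main__":
    for hit in simulate(SAMPLE_EVENTS):
        print("%(time)s  %(user)-22s  blocked by %(rule)-45s  %(image)s" % hit)
```

Run it over a week of real Event ID 1 data from your SIEM instead of the constructed list and every line that comes out is either a user you need to talk to or an exception you need to plan for before enforcement is switched on.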
Another way to block USB execution is using Group Policy Editor and using the specific policy setting:
Administrative Templates, System, Removable Storage Access:
Yet another way to block removable storage execute access is using the tool Ariad by Didier Stevens - http://blog.didierstevens.com/programs/ariad/
As already mentioned, only admins will be able to run installations with the rules above. Another
consequence is that some software, which loads and runs executable code to/from temporary
locations, will also fail to run. You will have to make the decision which is more important: having this
software, finding other options or enabling exceptions in order to run the software.
Moving users with this software to groups with other rules applied (specific rules disabled, all the
rest – still on) might work.
Once again: application blacklisting is only recommended for non-critical environments, when you
have very good control over the web traffic (web site whitelisting) and over your firewall, utilizing a
next generation firewall technology with IDS/IPS turned on, protocol whitelisting and so on.
In other words: use with extreme caution, use only if you want your security to be slightly better than
no execution prevention at all.
One more thing which will be a beneficial read for you before starting with Application Whitelisting is
to read the US DoD / NSA leaflets on the topic (just 2 pages each):
https://www.nsa.gov/ia/_files/factsheets/i43v_slick_sheets/slicksheet_applicationwhitelisting_standard.pdf and
https://www.nsa.gov/ia/_files/factsheets/Application_Whitelisting_Trifold_Jan_2013.pdf . The same
can be provided to your team / manager / executives for their understanding before any further
discussions arise (the logos on the paper weigh more than the paper itself).
AppLocker Whitelisting Limitations
Please keep in mind that AppLocker only prevents execution of binaries and scripts from storage
media. It does not prevent direct exploitation where code is loaded and executed only in memory –
for that you will need to have other controls, limiting the amount of foreign code which can touch
your internet-facing applications (such as browsers). Most state-sponsored exploits in 2015 and
onwards operate in memory only – you will have to think about mitigations such as web site
whitelisting, java applet whitelisting, disabling flash completely, browser sandboxing and others, to
mitigate state-sponsored malware.
Also, by default DLL control rules are not enabled and need to be created – without them you will be
missing a significant portion of the benefits, provided by AppLocker. A lot of the malicious code is
distributed and used in the form of DLLs.
Mitigation for common attacks against AppLocker:
- Deploy SMBv2 packet signing to mitigate Man in the Middle style attacks.
- Restrict paths that binaries can be executed from to local non-removable media sources
where possible.
In order not to turn this book into application or protocol specific manual – and because much better
manuals have been written by military organizations already, I will just leave 4 links on the topic
here:
http://www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Applocker-public-v1.0.5.pdf - the New
Zealand guidance on applocker implementation – probably the best guide out there.
The Australian Government Department of Defense has also published a short paper on application
whitelisting, located here: http://www.asd.gov.au/publications/protect/Application_Whitelisting.pdf
- it’s not a stellar one, but nonetheless is useful (in my opinion, the most useful part of that
document are the two links at the bottom of it).
It goes hand in hand with their page for Mitigation Strategies, located at
http://www.asd.gov.au/infosec/mitigationstrategies.htm
The sister page of NSA on mitigation strategies is located at
https://www.nsa.gov/ia/mitigation_guidance/ - and it also includes a guidance on mitigating
targeted malware at
https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf
One question I keep asking myself: if http://support.microsoft.com/kb/2532445 has been out for 4
years, why do none of the papers listed before - NSA, Australian - mention it? Do they want you to
believe AppLocker is safe without this hotfix, just to be able to bypass it? In any case, you have the right
implementation here, with one exception: http://www.wilderssecurity.com/threads/circumventing-srp-and-applocker-by-design-with-sandbox_inert-new-process.291593/page-3 is still not fixed.
I generally recommend free and open source solutions and try to avoid recommending commercial
solutions, due to the many "snake oil" salesmen on that arena. But... in this case I can recommend
Bit9 + CarbonBlack. It's expensive - and effective.
Practical advice
The articles linked above will give you best practices for implementing Applocker.
My practical advice: have 2 users (I mentioned this multiple times throughout the book) for your
admin users and for the users who need exceptions when running specific tasks/software.
You can have different policies applied to 2 or more groups of users, based on their needs.
Sometimes, you may even need 3 users for your admins, if they’re doing installations – especially if
you have different rules for accessing the Internet for users and admins (generally users with admin
rights should not have Internet access).
Other uses of SRP & Applocker include the ability to block the execution of an outdated or a
vulnerable application until a patch is deployed (actually forever – you don’t need that older version
running ever again once it’s blacklisted). For example as soon as a new version of your favorite PDF
reader comes out, block the hashes of all previously known versions.
You should block any scripting interpreters not used on a specific machine / server / subnet for
business purposes – that includes python, perl, cscript, on some machines – even powershell.exe,
AutoIt, etc. One more idea on PowerShell – you should DISABLE it with a policy for all non-administrative users. Administrators should only be able to use it on specific machines. Keep in mind
that powershell is called “a post-exploitation framework” by hackers – they value it more than gold
when available after an initial compromise.
Finally, this document is in the list of references of this book at the end of it – but I know nobody
reads the list of references. But you should read it!
https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_APT_Detection.pdf
2-factor authentication for servers
Using password-based authentication is a call for trouble. Your passwords (and even Kerberos
authentication tickets) can be stolen in so many different ways there is not enough space on one
page to list them. Think software keyloggers, hardware keyloggers (wired and wireless, including
ones planted inside your keyboard), remote micro cameras, exploits, etc.
One of the best solutions to thwart attempts to use a stolen password to authenticate to your critical
servers is 2-factor authentication.
http://blogs.msdn.com/b/rds/archive/2014/04/30/using-rd-gateway-with-azure-multi-factor-authentication.aspx is one suggestion by Microsoft on using Azure services for 2-factor auth.
Besides the commercial applications (which are multiple and not mentioned here) you could even
use open source software:
https://github.com/LastSquirrelIT/MultiOneTimePassword-CredentialProvider and
http://www.multiotp.net/ as well as https://github.com/sbeh/RDP-OTP for Windows-based systems.
For Linux and BSD there are many more options – for Debian-based distros, just apt-cache search 2-factor or OTP and you will find plenty.
Biometrics
Commercial solutions providing biometric matching of typed passwords are very good as well. I’ve
tried several and they work really well – some even lock a desktop as soon as they detect a typing
pattern which is not that of the rightful owner / user of the system. This eliminates the risk of losing a
device and is more user-friendly, potentially deployable not just for your admins and core servers but
for the whole organization.
Caution:
Be careful to prepare for the loss of your 2-factor auth device/key/phone – and have procedures in
place to rollback to password authentication.
Have a procedure in place to deactivate access for stolen/lost 2-factor auth devices.
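To make both cautions concrete, here is an added example (my code, not the book's and not from any of the OTP projects linked above) of the server-side half of a time-based one-time password check in the RFC 6238 style: HMAC-SHA1 over a 30-second counter, a one-step clock-drift window, a record of the highest counter already accepted so that a sniffed code cannot be replayed, and a revocation list that disables a lost or stolen device at once. User names are constructed; the shared secret is the RFC 6238 reference secret, chosen so the codes can be checked against the published test vectors.

```python
"""Server-side TOTP verification with replay protection and device revocation.

Added example for this chapter; not code from the book or from the OTP
projects it links to.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(unix_time) // step, digits)


class OtpVerifier:
    """Tracks enrolled devices, revoked devices and the last counter each user consumed."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window      # accepted clock drift, in steps, either side
        self.secrets = {}         # user -> shared secret (keep encrypted at rest)
        self.revoked = set()      # users whose device was reported lost/stolen
        self.last_counter = {}    # user -> highest counter already accepted

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.revoked.discard(user)

    def revoke(self, user: str) -> None:
        """The lost/stolen device procedure: codes for this user stop working at once."""
        self.revoked.add(user)

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        if user in self.revoked or user not in self.secrets:
            return False
        secret = self.secrets[user]
        now_counter = int(unix_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue  # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                self.last_counter[user] = counter
                return True
        return False


# RFC 6238 reference secret, used here only so the output matches the RFC vectors.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = OtpVerifier()
    verifier.enroll("alice", RFC6238_SECRET)          # constructed user
    print("first use accepted:", verifier.verify("alice", totp(RFC6238_SECRET, 59), 59))
    print("replay accepted:   ", verifier.verify("alice", totp(RFC6238_SECRET, 59), 59))
    verifier.revoke("alice")
    print("after revocation:  ", verifier.verify("alice", totp(RFC6238_SECRET, 90), 90))
```

Two design points worth carrying into whatever product you pick: the replay guard is per user and monotonic, so a second attempt with the same code within the drift window fails even though the code is still "valid"; and revocation is checked before any cryptography, so a stolen device is dead from the moment the help desk flips the flag, with no dependence on the clock window expiring.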
Maintaining the operating systems
I don’t know if patching should even be mentioned. But noticing how many organizations put
patching behind and are sometimes years (!) behind schedule on updating essential components
after an exploit has been published for them, maybe it’s a good idea to repeat a well-known truth.
If your organization does not have an official patch policy, this leads to chaos, and whether your
devices get patched on time or not will depend on the emotional disposition of your system
admins.
That is why I recommend creating a patch policy based on https://www.first.org/cvss/cvss-based-patch-policy.pdf - as it strictly defines the timelines depending on the patch and vulnerability
criticality.
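As an added example (my code, not the book's and not FIRST's), the Python below computes a CVSS v2.0 base score from a vector string using the published v2 equations and turns it into a patch due date from a tiered table, then orders a backlog by due date and flags what is already overdue. The tier boundaries and day counts are constructed placeholders for illustration; substitute the timelines from the FIRST document when you write your own policy. The "exploit public" flag is an assumed policy rule that pulls the deadline in to the strictest tier, in line with the point above about components left unpatched after an exploit is published. The sample backlog is constructed, not real advisories.

```python
"""CVSS v2.0 base score and a severity-tiered patch deadline.

Added example for this chapter; the tier table is a placeholder, not FIRST's.
"""
from datetime import date, timedelta

# CVSS v2.0 base metric weights (from the v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # confidentiality / integrity / availability

# Assumed patch windows: (minimum score, tier, calendar days). Illustrative only;
# replace with the timelines your policy adopts.
PATCH_WINDOWS = [
    (9.0, "critical", 7),
    (7.0, "high", 14),
    (4.0, "medium", 30),
    (0.0, "low", 90),
]


def cvss2_base_score(vector: str) -> float:
    """Compute the v2 base score from e.g. 'AV:N/AC:M/Au:N/C:P/I:P/A:P'."""
    metrics = dict(part.split(":") for part in vector.strip("() ").split("/"))
    impact = 10.41 * (1 - (1 - IMPACT[metrics["C"]])
                          * (1 - IMPACT[metrics["I"]])
                          * (1 - IMPACT[metrics["A"]]))
    exploitability = 20 * (ACCESS_VECTOR[metrics["AV"]]
                           * ACCESS_COMPLEXITY[metrics["AC"]]
                           * AUTHENTICATION[metrics["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all scores 0.0
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


def patch_deadline(vector: str, released, exploit_public: bool = False) -> dict:
    """Map a vector and release date (date or ISO string) to a tier and due date."""
    if isinstance(released, str):
        released = date.fromisoformat(released)
    score = cvss2_base_score(vector)
    tier, days = next((t, d) for minimum, t, d in PATCH_WINDOWS if score >= minimum)
    if exploit_public and days > PATCH_WINDOWS[0][2]:
        # Assumed rule: a public exploit collapses the window to the strictest tier.
        tier, days = "critical (exploit public)", PATCH_WINDOWS[0][2]
    return {"score": score, "tier": tier, "days": days, "due": released + timedelta(days=days)}


def prioritize(advisories: list, today: date) -> list:
    """Order (name, vector, released, exploit_public) tuples by due date; flag overdue ones."""
    rows = []
    for name, vector, released, exploit_public in advisories:
        item = patch_deadline(vector, released, exploit_public)
        item.update(name=name, overdue=item["due"] < today)
        rows.append(item)
    return sorted(rows, key=lambda r: r["due"])


# Constructed backlog for demonstration (typical vector shapes, not real advisories).
SAMPLE_ADVISORIES = [
    ("vendor-appliance-firmware", "AV:N/AC:L/Au:N/C:C/I:C/A:C", date(2015, 5, 20), False),
    ("pdf-reader-update", "AV:N/AC:M/Au:N/C:P/I:P/A:P", date(2015, 6, 1), False),
    ("office-suite-hotfix", "AV:N/AC:M/Au:N/C:P/I:P/A:P", date(2015, 6, 1), True),
    ("local-info-leak", "AV:L/AC:L/Au:N/C:P/I:N/A:N", date(2015, 6, 10), False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ADVISORIES, date(2015, 6, 15)):
        print("%(due)s  %(score)4.1f  %(tier)-26s  %(name)s%(flag)s"
              % dict(row, flag="  OVERDUE" if row["overdue"] else ""))
```

Hooking the due date into a ticket with an owner is what turns this from a spreadsheet into the KPI the text recommends; the overdue flag is the number you report to management.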
Always be careful with devices brought in by external vendors – servers, appliances – everything
which contains an operating system of some sort – as many times vendors are only trying to sell an
appliance and rarely strive to keep it updated.
*Everything* should be patched – everything which is patchable and for which a security patch has
come out must be patched as soon as possible, according to the above or similar policy. Ensure you
have the proper mailing lists and subscriptions to receive notifications on new security patches from
all vendors used in your environment. Make successful on-time patching part of the KPIs of your
system admins and infosec teams.
Raise the cost of malicious code execution in your environment
The economics of malicious software separate into multiple facets, two of which are mass malware
distribution and targeted malware.
Mass malware distribution depends on a network of services itself – groups delivering hacked
websites and compromised hosts for file storage, groups delivering compromised advertising
networks and groups providing services to make malware undetectable.
For the criminals having compromised legitimate websites (at a certain point even Forbes.com was
compromised for several months, delivering targeted malware) means that your automatic malicious
url blacklisting systems would not work and they will be able to pass through your defenses easily.
Having access to compromised (or just willing to deliver anything for the right price) advertising
networks means criminals can deliver malicious software on virtually any website – including
Youtube, for example (there have been multiple occurrences of the same).
Combined, the two above create an unprecedented threat environment where any website can
deliver a malicious payload to your users – one in which even whitelisting, believed to be a draconian
measure, would not help much.
Moving on to MAAS – or Malware As A Service
Malware as a service delivers on two promises – at any point in time your adversaries will have
access to compromised hosts and undetectable malware. If a certain number of vendors start
detecting the malicious sample, their fully automated service will generate a new sample and deliver
it where needed – no interaction needed.
As soon as a compromised host or website gets on any blacklist, the malicious code automatically
moves to a new set of compromised hosts. This is part of their SLA (service level agreement) – and as
mature business people they are well aware of the reliability they need to maintain in order to retain
their customers in a highly competitive underground market.
Their model is solid and proven – and relies on return on investment just as any other business
model. In order to disrupt their operations against your business, you could do only one thing: raise
their costs of attacking you using their automated methods so much as for the attacks to become
unprofitable – at this point they will move to another target.
That is IF you are not targeted specifically – at which point it will be only a matter of time until the
actual compromise occurs – where your incident response and digital forensics capabilities will be put
to the test, but that is a discussion for an entirely different chapter.
Preventing Exploit Execution
If you followed through on the previous chapters and have implemented applocker/software
restriction policies and / or a commercial product to control the execution of unknown applications /
code, if you have full control over powershell and have blocked malvertising to the maximum
possible extent – it is time to move on with prevention of exploit execution.
There are commercial and free solutions for this purpose, but you have to be extra careful when
testing and evaluating them as what is advertised is not always what is in the box.
Years ago a well-known name in the AV industry sent a project for evaluation – and they had a point
where their ‘unique anti-exploit functionality’ had to be tested. They promised protection from a
specific RDP exploit. So I tested the exploit and lo and behold, the protection was working! I was
surprised, but digging deeper it turned out all the product did was use the Firewall to block RDP
connections from outside. Turn off the firewall functionality and the exploit crashed the system
completely. Exploit prevention? Always test and ask tough questions before spending a considerable
amount of money on software licenses. In the end, not even the money spent is at risk – it is the
protection of your assets (or lack of the same).
Malwarebytes Anti-exploit (https://www.malwarebytes.org/antiexploit/) is one product I would
recommend you to try out and compare to its free counterparts.
One suggestion I always give when evaluating a security company: look for signs of non-commercial
community work. For example, releasing useful, non-marketing-targeted tools designed to actually
help users fix their information security problems. Malwarebytes excels in this field – if you look at
their free tools section you might find plenty of good ones: https://www.malwarebytes.org/downloads/#tools
EMET
The operating systems widely deployed at the endpoints are vulnerable. God forbid you’re still using
Windows XP – but I’ve seen even the Space and Naval Warfare Systems Command of the USA visit
my website from an XP box, so I guess everything is possible?
Even Windows 7 is outdated by modern standards, but migrating to a newer operating system is not
always possible, for multiple reasons, especially in larger environments.
Third-party software is also rarely updated, mostly due to a lack of knowledge and experience on the
side of IT staff: they don't see the reason or don't know how to update to the latest PDF reader or
Flash version (why Flash is on the endpoints at all is another question), and they don't apply the
latest security patches to the installed office applications unless specifically forced by an audit
requirement or finding.
For at least three years there has been a 'silver bullet' guarding against application vulnerabilities
and preventing exploitation on Windows systems: it enforces exploit mitigations (DEP, mandatory
ASLR, SEHOP, export address filtering, heap spray and ROP checks) on applications that were never
built to use them. The name of this silver bullet is EMET (Enhanced Mitigation Experience Toolkit).
At the time of this writing the latest version is 5.2 – a very mature application, I would say.
I am constantly amazed by how many IT “experts” have not heard of or are not using EMET. Given its
effectiveness and price – FREE – and given its developer – Microsoft – with the sole purpose to
protect Microsoft Windows operating systems from exploitation, it really is difficult to comprehend
why people ignore this product.
This is likely one of your best and most effective defenses against exploits – even when they are
attacking non-updated plugins like Flash, Java and Silverlight. And let’s be honest, does your
company auto-update all plugins to their latest versions as soon as one is available? Sadly this is
almost always not the case.
For those of you who are not familiar with the concept, you can get yourself acquainted on the
following links:
http://support.microsoft.com/kb/2458544
https://technet.microsoft.com/en-us/security/jj653751
http://blogs.technet.com/b/srd/archive/2014/07/30/announcing-emet-v5.aspx
http://support.microsoft.com/kb/2909257
Please, break the rule and read the manual! After that, go ahead and download and install the tool.
The installation page will offer you to download the manual as well – do it and read it. It’s not the
best manual out there, but that is why my book exists!
Let’s get into the technical details.
The recommended settings (by me and by Microsoft) are not the defaults. On first launch, click the
dropdown menu and choose "Maximum security settings", then reboot your computer.
Note: some AV products might interfere with EMET. If that is the case, you can contact them and ask
for support or uninstall them and get a better AV product. In all cases – EMET should be preferred
over an antivirus product anytime. After all, if you follow the advice in this book, you will never need
to rely primarily on an antivirus for your security, ever again!
Most people don't even get to this point – they install EMET and consider their job done – and it's
not. Next, click on Import, go to C:\Program Files (x86)\EMET 5.2\Deployment\Protection Profiles
(the folder name carries the version you installed) and import Popular Software.xml. You can also
import the other two xml files, but this one is the most important.
This step adds per-application protection settings for widely used applications, which prevents the
nagging crashes and incompatibility issues you would otherwise run into.
If you encounter application compatibility issues – some apps crashing and the EMET window popping
up saying it has blocked something, or events in the event log saying that EMET has closed an
application due to some kind of mitigation – there are two possibilities: either it was a legitimate
threat (an exploit) or you have hit a bug in the application. Sometimes these conditions are caused by
a very long uptime, when EMET confuses memory addresses used by apps and thinks it's an exploit.
Sometimes these crashes are caused by a conflict with other security software. Sometimes you just
need to update the crashing application, and sometimes… you need to re-configure EMET.
Here is how to do it: go to the main screen, click on the Apps icon and locate the application in the
list that opens.
Usually the event log (Application log, source EMET) will tell you which mitigation has been
triggered – most often it is Caller Mitigation. If this happened to you, you can turn off this specific
mitigation for this specific application, fully aware that you are giving up part of your protection.
Never disable a mitigation unless you are absolutely sure the problem cannot be rectified by updating
your application, OS, EMET or AV.
There have been blog posts about certain security consultancy firms bypassing EMET – I can assure
you these were written primarily for marketing purposes. It is still not common for attackers to use
exploits capable of bypassing EMET and it is still advisable that you implement it in your company as
soon as possible.
If you think about it, everything can be bypassed – does that mean that if a protection measure can
be bypassed, you should not install it?
Other malware prevention measures
I wish NIST SP 800-83, "Guide to Malware Incident Prevention and Handling"
(http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf), was made mandatory for
implementation everywhere.
My recommendations on this document: there are action items which you can mark (with a colored
marker) for implementation and add these to a project, something similar to “Malware prevention
measures” – then add all the action items on a timeline and task the IT / IT Security teams for their
implementation.
Simply reading will yield little benefit as the document is a bit high level, not getting into much
technical details, which I think is on purpose, as otherwise they would have to go down to the vendor
level configuration settings, which is not the purpose of the document.
Other server / workstation hardening ideas
I generally recommend getting rid of any binary which is not essential to the business operation of a
workstation or a server.
Deleting non-essential binaries
Does a specific user need cmd.exe, reg.exe, regedit.exe, cscript.exe, at.exe, psexec.exe, nbtstat.exe,
ftp.exe, bitsadmin.exe, makecab.exe, quser.exe, ieexec.exe, schtasks.exe, netstat.exe, sc.exe,
xcopy.exe, nslookup.exe, taskkill.exe, tasklist.exe, route.exe, regsvr32.exe, ping.exe, wmic.exe,
powershell.exe?
There are several ways of dealing with the situation:
1. Delete the binaries – when they are needed, bring them with you to the machine.
2. Restrict execution with a policy (AppLocker / Software Restriction Policies).
3. Rename them – cmd.exe could become dmc.exe, for example (after dealing with Windows File
Protection / Windows Resource Protection, which guard such system files and can restore them to
their original form). Renaming renders useless many automated attack scripts / exploits, just as
deleting or restricting with a policy does.
The same applies to any operating system.
Please use proper change management, testing and implementation for all such changes – some
systems management software uses powershell, some enterprise scripts might need cscript to run –
take this advice with a grain of salt and always test for an extended period of time before rolling out
such drastic hardening measures across the enterprise. Rendering a system unusable is worse than
not implementing a hardening measure.
More on PowerShell:
A security expert (Nikhil SamratAshok) recently posted a series of posts on his blog, named "Week of
PowerShell Shells". If you're not familiar with what a shell is in this context: it is a way to obtain a
remote 'command line shell' over non-standard channels, for example by sending and receiving
ICMP (ping) packets.
So while you are sitting there looking at your clean traffic, showing only ping packets travelling
between system A and system B, someone might actually have full remote control of those
systems.
Well, it would be best to just read the blog posts to get a better picture:
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-4.html
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-3.html
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-2.html
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
The above blog posts prove just one thing: if PowerShell is available on a system, it gives an attacker
almost everything needed to use that system and penetrate deeper into your network.
It is yet another reason to lock it down and make it accessible to administrators only, and only on
specific machines – definitely not on all your endpoints.
The following two posts by Microsoft will help you lock down your PowerShell:
"PowerShell's Security Guiding Principles" – http://blogs.msdn.com/b/powershell/archive/2008/09/30/powershell-s-security-guiding-principles.aspx
"PowerShell Security Best Practices" – http://blogs.msdn.com/b/powershell/archive/2013/12/16/powershell-security-best-practices.aspx
Choosing secure networking components
Hardware-level encryption between nodes via built-in encryption in the network cards / other
networking equipment is desirable, but not necessary – the same can be achieved via software in
budget-oriented organizations.
Network outlets should be properly secured (in an ideal world, with a physical lock of the cable to the
network outlet, making it impossible to unplug or connect something else without changing the lock).
The minimum level of security for said network outlets is a strong NAC (network access control)
based on a whitelist of allowed devices and vendors mapped to specific network outlets.
Before you buy a device you should have some idea of how secure it is, how prone it is to compromise
and how well it integrates with the other secure elements in your organization. As you can imagine,
someone has already done this work for you, at least to some extent:
https://aplits.disa.mil/processAPList.action
On this page you can see all components which have been tested and approved for use in US military
environments (the DISA Approved Products List). I suppose that's good enough for most organizations.
What comes next is for you to secure your core network services.
DNS
DNS is critical to your networking infrastructure. Even so, when setting up the foundation of your
core network you had better not rely solely on the decisions of your trusted sysadmins, as they are
mostly focused on functionality and performance and leave security for last.
The most widely used DNS server is BIND – it is also the most widely exploited one. It has been
plagued with bugs and security holes since its inception. If you are really serious about your security,
I suggest you think twice and only use BIND if you are absolutely sure in what it has to offer and are
ready to accept the risk.
Djbdns
http://cr.yp.to/djbdns.html - this project is not as flexible or as powerful as most other DNS servers in
existence – but it surely is more secure and reliable than most.
If you can afford the time and effort to make the switch – and especially if you are still using BIND –
you should.
The attack surface of djbdns compared to BIND is… incomparable. Perhaps one exploit has been
published for djbdns, compared to hundreds for BIND. If you can, at least start by testing the server
and evaluating its capabilities in a test environment.
Routing
I will not mention vendors in this part of the book, but you might as well guess who they are. Being
the most targeted in the world, you can be certain there are multitudes of 0-day exploits for their
devices in the hands of various actors. They might not be your adversaries – nor your country – but
being vulnerable can still render your network incapacitated as a collateral damage in somebody
else’s battle.
Besides, referring to the all-popular 'leaks', we can be assured with a high level of certainty that
many popular network device vendors have released, and keep releasing, intentionally or
unintentionally backdoored products.
Even if they are not backdoored when leaving the factory, the process for backdooring them on the
way to your premises is documented and practised to perfection. So you cannot rely on their
invincibility from any point of view – and if it were my choice, I would never trust my router to a
popular vendor.
There are non-commercial, open-source alternatives.
The BSD Router project – thanks, Ivan Natchkov, for pointing this project out!
Most environments don’t need the overly complex and incredibly expensive commercial routing
products. Unless there are features which the vendors offer you and you really need them, I suggest
you go with the BSD Router Project, as it is very secure, very effective and, well, very free.
From the project’s features page:
Base OS: Embedded FreeBSD 10-stable using NanoBSD, Easy upgrade process using two system
partitions
Routing features: all routing protocols supported by Quagga: BGP, RIP and RIPng (IPv6), OSPF v2 and
OSPF v3 (IPv6), IS-IS; all routing protocols supported by BIRD: BGP, RIP and RIPng (IPv6), OSPF v2 and
OSPF v3 (IPv6)
Multicast: DVMRP, IPv6 PIM Dense Mode and Sparse Mode
Multiple FIB: 16 Routing Tables available
High availability with CARP (support also load balancing the incoming connections) and VRRP.
Multi-link PPP: PPTP, PPPoE, L2TP, etc… (all features supported by mpd)
VPN: GRE, GIF, IPSec (IKEv1 and IKEv2) and OpenVPN
IPv6: native 6to4 tunnels and Tayga NAT64
Qos: Traffic shaper with IPFW+dummynet supporting: FIFO, WF2Q+, RR (Deficit Round Robin), QFQ,
Alternate queuing with ALTQ supporting: CBQ (Class Based Queuing), RED (Random Early Detection),
RIO (Random Early Drop), HFSC (Hierarchical Packet Scheduler), PRIQ (Priority Queuing), Committed
Access Rate with netgraph: Single rate three color marker (RFC 2697), two rate three color marker
(RFC 2698), RED-like, Traffic shaping with RED
Ethernet features: 802.1q vlan tagging, link aggregation and link failover interface, bridging with
support of Rapid Spanning Tree Protocol (802.1w)
Network services: DHCP Relay, DHCP Server
Management: from CLI only: local console, serial and SSH access, command completion with some
BSDRP tools: config, system, show and upgrade
Monitoring: SNMP v1,v2c and v3, Syslog, Mail, Netflow with native ng_netflow (v5 and v9)
Security: mtree reference files available for system integrity check (sha256)
Building your own router from scratch on OpenBSD
OpenBSD is considered to be more secure than FreeBSD, on which BSDRP is based. You can see a
full tutorial on building such a router at http://www.bsdnow.tv/tutorials/openbsd-router
Firewall alternatives
Commercial firewalls have a disadvantage – that is, it is never known if the vendor has introduced
(willingly or unwillingly) a backdoor or intentional security weakness to allow access for unknown
parties.
It is generally a good rule of thumb to remember that if a vendor is known to have used a backdoor
once, they will place a backdoor a second time – just trying to hide it better the next time.
That is why for smaller organizations it is a good idea to evaluate other options, such as pfSense or
OPNsense – https://www.pfsense.org/ and https://opnsense.org/. Another vendor, who also offers
commercial versions and support, is https://www.untangle.com
It is only logical that for large organizations a small open-source firewall will simply not be enough,
or at least not as their main firewall. But for small environments the aforementioned are more than
enough.
Port Knocking – NSA is using this for the past 10 years, are you?
The concept of port knocking: the firewall presents all ports as closed unless a specific sequence of
ports is 'knocked' first, i.e. connection attempts arrive on those ports in the right order.
For example, if you want to keep port 22 for remote administration purposes but want to close it for
everyone except a list of authorized people/devices, you can set the firewall up in such a way that
when an authorized person sends connection attempts to ports 1888, 25678 and 3456, in that order,
their IP address is temporarily whitelisted and can open a connection to port 22.
NSA has been known to use port knocking for all remote access connections for many years – even
for access to their internal systems, not just remote administration and / or VPN.
A good tutorial on setting up port knocking on open source operating systems can be found at
DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu
Ask your firewall appliance vendor if they support port knocking. If not, you can still place an
open-source box in front of your appliance just for that purpose.
Network Segregation / Isolation
Way too many organizations do not use any form of network isolation / segregation. For example,
they do not control which workstations can access specific servers directly.
Does the administrative assistant of the CEO (or any other user) have a legitimate business need to
be able to access the Domain Controller via RDP?
Do they need to access the database server? On any port?
You get my point. Now is the time to really think about how to isolate specific groups of users (even
inside the IT department!) from specific groups of other users and devices.
No employee should be able to access network shares or anything else in the HR department, for
example – and if you sit with your team and think about it, there are really a lot of rules which can
and should be created for this. A good person to call to the brainstorming session is the risk manager
of your organization, as they will be able to help with identification of sensitive areas you might not
have thought about.
You should assume that at any point in time some endpoint will get infected in one way or another –
when that happens, the attacker should be ‘sandboxed’, isolated in that specific network segment
and should not be allowed to roam freely across the whole network.
Protect people from themselves. You are not isolating them because they might somehow magically
obtain the ability to hack computer systems – you are protecting them from the risk of being
exploited and becoming a bridge between a threat actor and your most sensitive data.
On Web Servers / Externally accessible services and DMZs
Do you have web servers and / or other internet-accessible services in a DMZ? Move them out
immediately. They should not be located even in the same datacenter as your primary devices.
Ideally the only connectivity back should be over a VPN with port knocking set up, so as not to expose
any remote administration capability on open ports. The DMZ is dead (my personal opinion) from a
security perspective. Treat all your devices as internet-accessible: from the moment your user
endpoints became entry points, the DMZ became irrelevant.
Whenever possible, such services should run in a BSD jail or in isolated (per-application) virtualized
environments, never more than one service per jail or virtual machine.
On VPN connections
Always remember that a VPN connection and the target device / network is only as secure as the
source device connecting to it.
That means, that no matter how hardened your network and servers are, if an administrator
connects from home from a compromised machine, whoever has compromised their machine has
also effectively compromised your network.
You can prevent this by providing separate, secured laptops to your administrators with an enforced
policy that they be used ONLY for remote connectivity. These should be encrypted and should have
the same hardening measures applied to them as all your other critical endpoints, including security
software, policies, STIGs, etc.
Think about enforcing two- or even three-factor authentication for VPN connections.
MAC and vendor whitelisting
Only MAC addresses existing on a pre-approved list of devices should be able to connect to the
network, and only to specific network outlets.
Let me give you an example why.
Attackers often plug a rogue device acting as a gateway (in the form of a wirelessly connected flower
pot, for example) into your network. Other times they come in while people are on a break and plug
in rogue devices.
A new device on the network, even if not allowed to connect due to MAC filtering, should raise the
loudest of alarms for your infosec and physical security teams.
Since MAC addresses are extremely easy to fake and duplicate, you should enforce matching of a
MAC to a wall outlet – a device should not be allowed to 'roam'. Can you imagine your
network-connected printer suddenly picking itself up and connecting from another floor?
Another good idea is physically securing specific wires to specific outlets, with a lock – where
applicable. It sounds like an overkill but it is not. Attackers do come into printer rooms, they do copy
MAC addresses – and they can unplug your printer and plug in their rogue device, even putting it
between the printer and the wall outlet. Unplugging the cable in such rooms with limited visibility
should be impossible (and these rooms should always be under video surveillance).
Host-based Network Whitelisting
Most commercial antivirus products come with a host-based firewall; if yours doesn't, it is time to
switch vendors. Windows also ships one of its own (Windows Firewall with Advanced Security), whose
per-program outbound rules can be pushed centrally through Group Policy, so a missing vendor
feature is no excuse for having no rules at all.
Host based firewalls should be granularly, centrally configured to only allow traffic to the internet for
specific applications (your corporate approved browser, for example). If everything else is denied,
hostile binaries will not be able to communicate with C&C (command and control) servers and / or
exfiltrate data.
You should explicitly deny, log and send alerts for all traffic attempts from unauthorized applications.
Rules should be defined in the same way for servers: internet access should only be allowed for the
hosted application and for nothing else. You should NOT allow PowerShell, ftp or anything else
internet access from a server or a workstation. Applications to block from internet access using
host-based firewalls: ftp.exe, powershell.exe, psexec.exe, psexesvc.exe and any other executable
you want to keep off the internet in your environment. Keep in mind that a path-based rule is only as
good as the execution control around it (a copied or renamed binary is a different path), so pair it
with the AppLocker / Software Restriction Policies from the earlier chapters.
If you need an official-looking document to convince the network team that this topic is worth
discussing, you might want to take a look at
https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_SegregatingNetworksAndFunctions_Web.pdf
DoS / DDoS protection
There are some unconventional ways to protect from a Denial of Service attack. In 2015 when this
book is being published these are the most effective attacks in terms of return on investment – the
price to shut down your public service / website is so low that without spending a considerable
amount of money on ‘protection services’ (reminding you of any other business models?), it is very
difficult to stay assured of your survivability.
The famous players on the field of DDoS protection charge ungodly amounts of money on a monthly
basis for something which might never happen – hoping that your fear will keep driving money to
their bank accounts. I agree, they are effective, but they are not the only solution.
Some of the measures suggested below are only applicable to small and medium organizations – of
course, if your size justifies serious (Tb/s-class) attacks, you will need to go with the big vendors.
Luckily there are less common and very effective ways to counter DDoS attack effectiveness.
Use 3rd party services to serve your customers on a constant basis
One very important thing is to learn and start using social media as a communication channel – and
why not the main communication channel? It’s easy to flood your website with traffic – and
extremely difficult to do the same to your Twitter / Facebook accounts.
Devise a plan to still be able to sell your services even if your website is completely down.
Establish a presence on online marketplaces and use Skype or similar VoIP services for
communication in case your phone networks are down. You get the idea – decentralize. Do not
depend on a single point of failure.
You can, even now, setup some of your web presence on services such as Google Sites – I would love
to see an attacker take that down. In the event of an attack you just redirect your visitors there,
while your team is working on mitigating the attack.
Use CloudFlare
I am not a part of their sales team, but considering their prices and effectiveness small organizations
would benefit tremendously from the resulting protection. Besides the DDoS protection they have a
pretty good Web Application Firewall and website optimization as part of their package.
All you need to do in order to place a website behind CloudFlare's protection is point your domain's
nameservers at theirs in your registrar's control panel and make sure all DNS records are properly
replicated during the initial setup (mail, etc.) – that's it. It usually takes less than an hour; I've
managed to get it working in 20 minutes in some cases. One check not to skip: restrict your origin
server so that it accepts web traffic only from CloudFlare's published IP ranges, otherwise anyone
who knows or guesses the origin address simply bypasses the protection.
You should specifically look at the security features they’re offering – even in their free plans – here:
https://www.cloudflare.com/features-security - besides everything else provided for free. In my
opinion it is well worth to pay the $20/month for this service, especially remembering that other
vendors charge more than $1000/month for much less.
Advice for Security Services/Products Vendor Selection
A very good standard for choosing MSS (managed security services) providers is described in the
book “Surviving Security: How to Integrate People, Process, and Technology” by Amanda Andress
(2003).
I will not repeat anything from that book as I recommend you to buy it – but there are other aspects
which are not mentioned there.
Just as described previously on the topic of choosing a penetration testing company – the process to
select a security vendor should be similar.
Try to arrange a pre-sales meeting and ask for the engineers who are supposed to be serving you to
be present – not their best engineer but the ones who are supposed to work with you on a long term
basis. This moment is very important – as what the sales team can describe is often not what you will
get out of the box after paying.
The engineer should be able to answer most of your questions (just as they are supposed to solve
your problems later on) without writing them down for a later follow-up. If they are not able to
answer a question, they should give proper pointers and politely promise a follow-up. Ask for at least
one resume of the people who are supposed to be providing professional services to you – the
process should be as tough as in hiring your own team – as in fact you are doing just that, with the
difference that the legal and financial dealing is with a company and not a person. The IT / infosec
work will be with their engineers and you should assess them properly.
Have a list of requirements specific to your organization in advance.
Do not compromise on attitude and quality – a slight price difference in their favor is acceptable –
but choosing a vendor just based on price is a very bad choice long-term. If the engineers are proud
and / or arrogant on that first meeting you can be sure the situation will be much worse down the
line – at the first sign of arrogance on their side cancel the meeting and move on to the next vendor.
Once again – make sure at least some employees of the vendor are active in the infosec community.
Look at how popular their blog posts are (on Twitter and Google) – if the vendor is not contributing
anything and is only trying to sell, there is a big chance their employees are not capable enough to be
useful to the community, and are probably barely doing their job. Look for a different vendor if that is
the case – there are thousands of small companies packed with qualified individuals, and finding
them is your job. Good teams rarely have proper marketing / sales teams to reach everyone. If you
need security expertise in a specific technology, you can find your vendor in the Reddit / Google
Groups topics on it. Their Twitter feed should be full of helpful advice to people asking them for it,
to give just one example. Finally, feel free to (anonymously) post your need on the same forum /
Reddit / Twitter hashtags – someone might refer you to a good vendor / team. Trust the
community!
Price negotiation
Open competition is the driver to a clean and fair market, where deals under the table are harmful to
all. Be sure to have the approval of a vendor to share the average / not exact number of their offer
with other vendors.
Base price expectations on the compliance % of different vendors to your requirements.
When building my list of requirements I usually used the Gartner detailed vendor comparisons per
sector, adding all functionalities and features of all vendor offerings to an excel spreadsheet. Then I
consolidated all overlapping features, assigned different weights to the features most important and
built a matrix comparing vendors on their compliance with the features my company needed.
This matrix was then compared to the prices offered by all vendors – making the selection process
quite straightforward and easy, especially for justifying the price to higher management.
Security Monitoring and Logging
If you really need to work on this topic, I suggest you read the book of Anton Chuvakin - Logging and
Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging
and Log Management. It has helped me tremendously in several projects and I would like to pass on
the fact that it is an incredibly useful book.
Besides that, I have a few ideas to share which might be useful to you and are not present in the
aforementioned book.
Before even starting to collect logs you need to understand your environment. That is why audits and
assessments are useful. But that is not all – you need to understand how much data your devices are
producing in log format every second, minute, hour, 24 hours – then you need to understand how to
optimize what is logged and what is not.
It is very easy to lose yourself in the amount of logging information generated by each of your
devices, especially if you add them all at once to your SIEM (even if you add only servers, switches
and firewalls and omit the desktops).
The noisiest devices in my experience are Windows systems – especially domain controllers and mail
servers. Second would come your proxy servers and firewalls.
To understand how logging in a Microsoft environment works, I suggest you read these two links:
- Advanced Audit Policy Configuration FAQ: http://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx
- HOWTO: http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx
Once you’ve read the above and understand the difference between basic and advanced audit policy
configuration, move on to the next link:

http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Mon
itoring.pdf
It explains in detail the changes you need to make in order to have a logging environment optimized
for detection. It also explains which Event IDs you should focus on.
In order to clean up your logs and only collect what is needed, you need to know what can be
discarded. To know what is being logged, a good idea would be to export the logs from your noisiest
server for a day to a CSV file, open it in Excel and filter by EventID. It should be easy to distinguish by
percentage which events are happening most frequently and which are not.
In one case I saw thousands of events per second with the word “Filtering engine” in them. Turns out
packet logging was turned on – and every single network packet coming through the internal
Windows firewall was being logged! You can imagine the amount of logs generated by this server per
hour and the usefulness of these logs.
Unfortunately such a level of detail can render your SIEM and your storage incapacitated – you
should be very careful about what you log and what you discard.
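The “export a day of logs, filter by EventID, look at the percentages” step above is easy to automate, and the same numbers feed the storage calculation discussed later in the chapter. The following is an added example, not code from the book: it parses a CSV export in the column layout Event Viewer produces, ranks EventIDs by share of the volume, and projects each one to a per-day byte volume. The sample export, the 800 bytes per event and the 50% “noise” threshold are constructed assumptions; EventID 5156 (Windows Filtering Platform permitted a connection) stands in for the “Filtering engine” flood described above, and the KEEP set is the EventIDs this chapter names.

```python
import csv
import io
from collections import Counter

# EventIDs this chapter tells you to keep; everything else gets reviewed.
KEEP_EVENT_IDS = {"4688", "4663", "4624", "5140"}


def build_sample_export():
    """Constructed one-hour Security log export in Event Viewer's CSV layout.
    Row counts are invented; 5156 is the Windows Filtering Platform
    connection event that packet logging floods the log with."""
    header = "Level,Date and Time,Source,Event ID,Task Category"
    spec = [
        ("5156", "Filtering Platform Connection", 900),
        ("4624", "Logon", 60),
        ("4688", "Process Creation", 30),
        ("4663", "File System", 10),
    ]
    rows = [header]
    for event_id, category, count in spec:
        for i in range(count):
            rows.append(
                f"Information,6/1/2015 8:{i % 60:02d}:{i % 60:02d} AM,"
                f"Microsoft-Windows-Security-Auditing,{event_id},{category}"
            )
    return "\n".join(rows) + "\n"


def summarize_by_event_id(csv_text, id_column="Event ID"):
    """Count rows per EventID; return (event_id, count, share) sorted by
    frequency, descending. This is the Excel filter-and-percentage step."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row[id_column].strip()] += 1
    total = sum(counts.values())
    return [(eid, n, n / total) for eid, n in counts.most_common()]


def projected_daily_bytes(count, window_seconds, avg_event_bytes):
    """Scale a count observed over a capture window to bytes per day,
    the figure a log storage calculation needs per EventID."""
    eps = count / window_seconds
    return eps * 86400 * avg_event_bytes


def review_report(summary, window_seconds, avg_event_bytes=800, noise_share=0.5):
    """Tag each EventID: KEEP if the chapter names it, NOISE if it alone
    exceeds noise_share of the volume, otherwise REVIEW."""
    report = []
    for eid, n, share in summary:
        if eid in KEEP_EVENT_IDS:
            tag = "KEEP"
        elif share >= noise_share:
            tag = "NOISE"
        else:
            tag = "REVIEW"
        daily = projected_daily_bytes(n, window_seconds, avg_event_bytes)
        report.append((eid, tag, round(share * 100, 1), daily))
    return report


if __name__ == "__main__":
    summary = summarize_by_event_id(build_sample_export())
    for eid, tag, pct, daily in review_report(summary, window_seconds=3600):
        print(f"{eid:>5}  {tag:<6} {pct:5.1f}%  ~{daily / 1e6:.1f} MB/day")
```

Point the script at the real export of your noisiest server (the window length is the only parameter to change) and the NOISE rows are the audit subcategories to revisit first; the KEEP rows show what the NSA paper’s EventIDs will cost you per day once the noise is gone.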
If you want a good start with configuring your SIEM, you could configure it to log only the EventIDs in
the aforementioned “Spotting the Adversary with Windows Event Log Monitoring” paper by NSA –
and expand to other systems / events once you are sure you got that one right. Don’t just plug in
your SIEM and all your devices into it in a shotgun manner – all your money spent on storage and
SIEM will go to waste if the system is not optimized and tuned for effectiveness.
You should also focus on the following EventIDs:
- 4688 Process Create (after going to https://technet.microsoft.com/en-us/library/dn535776.aspx?f=255&MSPPError=-2147217396 and enabling logging)
- 4663 File/Registry Auditing
- 4075 Service Created
- 4070 Service Changed
- 4624 User Login Success
- 5140 Share accessed
(List taken from http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist)
The same process can and should be repeated for all your systems / devices. Only plug a device into
your SIEM solution once you fully understand the format of logging it uses, the amount / type of
events and how you could fine-tune the amount of details in these logs.
A really good additional guide on configuring Windows Logging is this one:
https://malwarearchaeology.squarespace.com/s/Windows-Logging-Cheat-Sheet.pdf – the “Windows
Logging Cheatsheet”, if the link breaks and you find the need to Google it.
Tools
These links will be useful during your work on optimizing your logging environment.
http://sourceforge.net/projects/syslogserverwindows/
http://sourceforge.net/projects/nxlog-ce/
https://indihiang.codeplex.com/
https://eventloganalyzer.codeplex.com/
https://logexpert.codeplex.com/ - especially this one!
https://www.mandiant.com/resources/download/highlighter
Using open source tools for centralized logging management
Before even beginning to think about buying anything, think about optimizing your logs and storage –
as storage is utilized very quickly and becomes expensive if not managed properly.
There are multiple log storage calculation options online – what I used back in the day was a set of
spreadsheets with pre-configured EPS (events per second) per device or operating system, or one of
the online tools, such as http://codepen.io/packetinspector/details/vxjbL/
Another way of obtaining proper log storage calculation spreadsheets is asking SIEM vendors for
them in a pre-sales meeting – their engineers have them and are willing to share.
There are a few really good open source solutions for centralized log storage and analysis for smaller
budgets (not a SIEM as such, but with really good searching and filtering capability, which is still
valuable).
One of them – a classic – is Syslog-NG: https://www.balabit.com/network-security/syslog-ng/opensource-logging-system
They offer free and commercial versions.
In my opinion, though, the next 2 projects offer a better user interface (at least I like them more):
Logstash, ElasticSearch and Kibana
ElasticSearch has recently acquired Logstash under its wing – which is a good thing from a
compatibility / support point of view.
Logstash is the engine used to receive, process and then forward your logs for storage.
ElasticSearch has very good performance compared to conventional database log storage – and
Kibana is probably the most beautiful visualization / search engine developed.
Together they form a really nice combination – and if you don’t have the budget for a SIEM (which is
the case with many companies) it is a really good evaluation option.
Just remember to calculate your storage requirements – it might turn out that your storage will cost
as much as a SIEM with good archiving capabilities (archiving, specifically the compression ratio, is
one weakness of the above combination).
A good tutorial from DigitalOcean on setting it up:
https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-ubuntu-14-04
GrayLog2
Another really good open source log management product is GrayLog2 (https://www.graylog.org/) .
It is very similar in operation and performance to the ES/Logstash/Kibana stack – with the difference
that it is a bit simpler to set up and get running, and that the user interface of GrayLog2 does not use
Kibana – which is a weakness, as Kibana is incredibly powerful in terms of what you can do with its
dashboards and custom filtering / reporting capabilities.
I will spare you the screenshots / detailed technical capabilities – and I’m just mentioning the
projects so you could have them in your mind when comparing to commercial solutions.
Security Onion
I cannot possibly write a chapter on security monitoring without mentioning this security Linux
distribution.
It is installable on your own hardware – for a small network (500 endpoints) it would require at least
16 GB of RAM and many TB of storage (as much as you can / want to afford) to store all the network
traffic passing through your gateway.
It operates by running all network traffic through a set of open source intrusion detection systems.
With all of them turned on the machine needs a significant amount of RAM and CPU power as well as
the maximum IO you can give it, so it is not recommended to run it on a VM. It is also recommended
that your storage is built out of high-performance disks.
The distro allows you to look back in time, in a way, and if an incident happens, to extract the exact
packets containing the attack. The longer you can store your network traffic for, the better.
http://blog.securityonion.net/p/securityonion.html
Feeding your SIEM with external threat intelligence data
The value of having threat intelligence data fed into your SIEM can be seen when events from your
IDS/IPS/firewalls/other devices properly correlate with it. When unknown binaries or traffic patterns
enter your network this new data will help make sense of the unknowns and generate alerts when a
pattern matches a known threat indicator.
Since it is humanly impossible to read all the information passing through your SIEM you would
probably rely on its alerting capability whenever it detects anything suspicious. Let us leave aside
anomaly detection and spike detection for a moment and focus on threat intelligence, as that is a
very good source of alerts whenever something in your network matches.
External threat intelligence feeds usually consist of file hashes, IP addresses, hostnames, domain
names, Indicators of Compromise (IOCs), matches to YARA rules, etc.
Companies make a living from dissecting botnets, malware and breach investigations to produce
valuable information on detecting even small portions of malware based on similarity and
functionality rather than hashes (so called fuzzy hashing, for example). Then they convert that data
into actionable form and sell access to it – so you could plug it into your SIEM.
Once your SIEM is fed with one or more threat intelligence feeds it could notice any similar activities,
files, portions of files, accesses to suspicious networks or hosts – and alert you.
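The correlation the previous paragraphs describe (IP, domain and hash indicators from a feed matched against normalized events) is straightforward to see in code. This is an added example, not the book’s or any vendor’s code: the feed format (“type,value” lines), the indicator values (documentation ranges and a hash of a constructed string) and the event records are all constructed for illustration; a real feed comes as CSV, STIX or a plain list, and the loader is the part you adapt per provider.

```python
import hashlib
import ipaddress

# Constructed hash standing in for a feed's file indicator (no real sample).
SAMPLE_HASH = hashlib.sha256(b"constructed sample dropper").hexdigest()

# Constructed feed: one indicator per line as "type,value".
SAMPLE_FEED = f"""# type,value
ip,198.51.100.23
cidr,203.0.113.0/24
domain,bad-updates.example
sha256,{SAMPLE_HASH}
"""

# Constructed events as a SIEM normalizer would emit them (flat dicts).
SAMPLE_EVENTS = [
    {"id": 1, "type": "proxy", "src_ip": "10.0.0.5", "dst_ip": "93.184.216.34",
     "host": "www.example.com"},
    {"id": 2, "type": "proxy", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.77",
     "host": "cdn.bad-updates.example"},
    {"id": 3, "type": "firewall", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.23"},
    {"id": 4, "type": "av", "src_ip": "10.0.0.5", "sha256": SAMPLE_HASH.upper()},
    {"id": 5, "type": "proxy", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
     "host": "notbad-updates.example"},   # must NOT match: not a subdomain
]


def load_feed(text):
    """Parse the feed into typed indicator sets; CIDRs stay as networks."""
    ind = {"ip": set(), "cidr": [], "domain": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (p.strip() for p in line.split(",", 1))
        if kind == "ip":
            ind["ip"].add(str(ipaddress.ip_address(value)))
        elif kind == "cidr":
            ind["cidr"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            ind["domain"].add(value.lower().rstrip("."))
        elif kind == "sha256":
            ind["sha256"].add(value.lower())
    return ind


def ip_matches(ip_text, ind):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return str(ip) in ind["ip"] or any(ip in net for net in ind["cidr"])


def domain_matches(host, bad_domains):
    """Exact match or a subdomain of a listed domain; never a substring."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def match_event(event, ind):
    """Return the indicator hits for one event (empty list if clean)."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if field in event and ip_matches(event[field], ind):
            hits.append(f"{field}={event[field]}")
    if "host" in event and domain_matches(event["host"], ind["domain"]):
        hits.append(f"host={event['host']}")
    if "sha256" in event and event["sha256"].lower() in ind["sha256"]:
        hits.append(f"sha256={event['sha256'][:12].lower()}...")
    return hits


def scan_events(events, ind):
    """Correlate a batch of events; returns (event id, hits) for each alert."""
    alerts = []
    for event in events:
        hits = match_event(event, ind)
        if hits:
            alerts.append((event["id"], hits))
    return alerts


if __name__ == "__main__":
    for event_id, hits in scan_events(SAMPLE_EVENTS, load_feed(SAMPLE_FEED)):
        print(f"ALERT event {event_id}: {', '.join(hits)}")
```

Two details matter in practice and are handled above: domain indicators must match subdomains but not look-alike substrings (event 5 stays silent), and hashes from different tools differ in case, so normalize before comparing.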
Below I will list some free and commercial threat intelligence feeds. It is your choice which ones to
use, but I would put my focus on the commercial ones (after reading reviews from their customers
and comparing them).
Commercial threat intelligence providers:
Kaspersky Security Intelligence Services:
http://www.kaspersky.com/enterprise-it-security/security-intelligence-services/
TrendMicro Security Threats Connect: http://www.trendmicro.com/us/security-intelligence/current-threat-activity/threat-connect/
Norse Intelligence Service: http://www.norse-corp.com/products/norse-intelligence-service/index.html (they also have a pretty cool (funny to look at) map of ongoing attack traffic here:
http://map.ipviking.com/ )
iSightPartners ThreatScape®: http://www.isightpartners.com/products/threatscape/
VeriSign Security Intelligence: http://www.verisigninc.com/en_US/cyber-security/security-intelligence/threat-intelligence/index.xhtml
CrowdStrike Falcon Intelligence: http://www.crowdstrike.com/falcon-intelligence/
And finally, one service by Microsoft, which is focused on internal data analytics rather than external:
http://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/
Open Source / Free Threat Intelligence providers:
AlienVault Open Threat Exchange (OTX): https://www.alienvault.com/open-threat-exchange
Thanks to http://cyberwarzone.com/30-malicious-ip-list-and-block-lists-providers-2015/, we have a
list of 31 (30 active) malicious IP/domain list providers:
1. CriticalStack - https://intel.criticalstack.com/
2. ATLAS - https://atlas.arbor.net/
3. BLADE Malicious (outdated)
4. CLEAN-MX Realtime Database http://support.clean-mx.de/clean-mx/viruses
5. CYMRU Bogon List http://www.cymru.com/Documents/bogon-dd.html
6. DShield Blocklist http://www.dshield.org/ipsascii.html
7. EmergingThreats Lists http://www.emergingthreats.net/index.php/rules-mainmenu-38.html
8. Google Safe Browsing API http://code.google.com/apis/safebrowsing/
9. hpHosts File http://hosts-file.net/
10. Malc0de Database http://malc0de.com/database/
11. Malware Domain Blocklist http://www.malwaredomains.com/wordpress/?page_id=66
12. Malware Patrol’s Malware Block Lists
13. Malware-Control Blacklist http://www.malware-control.com/
14. Malwared http://malwared.ru/database.php?page=1
15. MalwareDomainList.com http://www.malwaredomainlist.com/hostslist/hosts.txt
16. MalwareURL List http://www.malware.com.br/lists.shtml
17. Malwr https://malwr.com/
18. Nictatech http://www.nictasoft.com/viruslib/
19. Norse Darklist http://www.norse-corp.com/darklist.html
20. OpenPhish http://openphish.com/
21. ParetoLogic URL Clearing House http://mdl.paretologic.com/
22. PhishTank Phish Archive http://www.phishtank.com/phish_archive.php
23. Project Honey Pot’s Directory of Malicious IPs
http://www.projecthoneypot.org/list_of_ips.php
24. Scumware.org http://www.scumware.org/
25. Shadowserver http://www.shadowserver.org/wiki/pmwiki.php?n=Services/Reports
26. Sourcefire Vulnerability Research http://labs.snort.org/iplists/
27. SRI Threat Intelligence Lists http://mtc.sri.com/
28. Sucuri Blacklists http://sucuri.net/?page=tools&title=blacklist
29. ThreatStop http://www.threatstop.com/
30. URL Blacklist http://urlblacklist.com/
31. ZeuS Tracker Blocklist https://zeustracker.abuse.ch/blocklist.php ,
https://zeustracker.abuse.ch/monitor.php?browse=binaries
You can also use these to plug into your Web Filter appliance / proxy server blacklist.
Control the Insider Threat
There is a sea of products and services on the market offering the same thing under different names –
essentially you want to detect intrusions shortly after they occur (and they will occur), no matter
whether they are external or internal.
Please remember the statistics – the majority of incidents happen with the help of insiders, not from
external sources. It only makes sense to focus on the most likely risk and move further from there,
once you have a pretty good grip on it.
It would be overkill to try and beat the best paper written on the matter, by CMU staff –
“Common Sense Guide to Mitigating Insider Threats”: http://resources.sei.cmu.edu/asset_files/TechnicalReport/2012_005_001_34033.pdf
Controlling what people copy to their personal devices via any medium (Bluetooth, USB, WiFi) or
personal mailboxes or what and how much they can upload to external sources is essential. Blocking
HTTP(S) POST requests larger than X KB unless specifically whitelisted is a very good idea I’ve seen at
one of the places I worked at.
Even then – there is a way to establish an encrypted session with the outside world and push
(stream) data slowly over time – which is what many advanced intruders do. Whitelisting is essential
in this case.
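The two controls just described, a size limit on POST requests with an allowlist of approved destinations, and something that still catches data pushed out slowly in small pieces, can be expressed as detection logic over a proxy log. The following is an added example, not the book’s code or any product’s: the 100 KB threshold (the text’s “X KB”), the allowlisted host crm.corp.example, the one-hour window with a 1 MB budget, and the proxy records are all constructed assumptions. The second control is the part the per-request rule cannot do on its own: it sums outbound bytes per source and destination over a sliding window, so forty 40 KB uploads trip an alert even though each one passes the size check.

```python
from collections import defaultdict, deque

# Assumed policy values; the text leaves "X KB" to you.
MAX_POST_BYTES = 100 * 1024
UPLOAD_ALLOWLIST = {"crm.corp.example"}   # hypothetical approved upload target

# Constructed proxy records: (seconds since start, source IP, method, host, bytes sent).
SAMPLE_PROXY_LOG = [
    (0, "10.0.0.5", "POST", "crm.corp.example", 250_000),    # big, but allowlisted
    (5, "10.0.0.5", "POST", "paste.example.net", 900_000),   # big, not allowlisted
    (10, "10.0.0.8", "GET", "www.example.com", 512),
] + [
    # forty 40 KB uploads, one every 30 s: each passes the size rule on its own
    (60 + i * 30, "10.0.0.8", "POST", "sync.example.org", 40_000) for i in range(40)
]


def post_decision(method, host, bytes_out):
    """Per-request rule: POSTs above the threshold are blocked unless the
    destination is explicitly allowlisted."""
    if method != "POST" or bytes_out <= MAX_POST_BYTES:
        return "allow"
    return "allow" if host in UPLOAD_ALLOWLIST else "block"


class SlowDripDetector:
    """Sliding-window sum of outbound bytes per (source, host). Catches the
    'push data slowly over time' pattern that the per-request rule never sees."""

    def __init__(self, window_seconds, budget_bytes):
        self.window = window_seconds
        self.budget = budget_bytes
        self.history = defaultdict(deque)   # key -> deque of (ts, bytes)
        self.totals = defaultdict(int)
        self.alerted = set()

    def observe(self, ts, src, host, bytes_out):
        key = (src, host)
        q = self.history[key]
        q.append((ts, bytes_out))
        self.totals[key] += bytes_out
        # Expire records that have fallen out of the window.
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.totals[key] -= old
        if self.totals[key] > self.budget and key not in self.alerted:
            self.alerted.add(key)   # alert once per pair, not on every request
            return key
        return None


def evaluate_log(records, window_seconds=3600, budget_bytes=1_000_000):
    """Apply both controls to a proxy log in time order.
    Returns (blocked requests, slow-drip alerts)."""
    blocked, drips = [], []
    det = SlowDripDetector(window_seconds, budget_bytes)
    for ts, src, method, host, n in sorted(records):
        if post_decision(method, host, n) == "block":
            blocked.append((src, host, n))
            continue
        if host in UPLOAD_ALLOWLIST:
            continue   # approved destinations are not budgeted
        hit = det.observe(ts, src, host, n)
        if hit:
            drips.append(hit)
    return blocked, drips


if __name__ == "__main__":
    blocked, drips = evaluate_log(SAMPLE_PROXY_LOG)
    for src, host, n in blocked:
        print(f"BLOCKED  {src} -> {host} ({n} bytes)")
    for src, host in drips:
        print(f"SLOW DRIP {src} -> {host} exceeded the hourly budget")
```

The budget and window are the tuning knobs: set them from what your own proxy logs show as normal per-user upload volume, then whitelist the legitimate bulk destinations you discover rather than raising the budget for everyone.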
People associate the insider threat with an individual with malicious intentions – which is not always
the case.
Most times when an incident occurs where the cause is an insider this is due to someone with
privileges deciding to slightly bend the rules to ease their life.
Think of a user with admin privileges on a machine, who decides to install a non-approved application
because they “know” it’s “clean”.
Or someone bringing in a portable app, to make their life easier – and bypass installation policies.
Or someone being logged in the whole day with their admin account, ‘just because it’s easier to do
my job this way’.
You might be surprised at the LOW level of information security awareness of people with an
extensive IT background. The ones who are the pillars of your IT environment are often either
oblivious or not aware at all – or don’t care, which is worse – about cyber security risks.
So you have two ways to deal with that.
One is total control of admin accounts and their allowed use. For example, you could completely
restrict interactive logons for admin accounts, only allowing them to execute the “Run As” or “sudo”
functionality, but not being able to login. You could also completely restrict Internet access for admin
users – thus even further reducing the motivation to work all day logged in as an admin.
You could define it as a violation of policy – and impose punishment for violating it, with strong
monitoring and detection rules in place, which would alert you when someone is abusing their admin
rights.
The other way is education. You could provide your system admins with the proper training for them
to understand the risks of not following the official policies and guidelines, as they should understand
them first before agreeing to follow them (IT people in particular, though not only them, tend to need that).
In the Information Security Awareness chapter I referenced some materials which might be helpful in
that task.
There is also another aspect of controlling the insider threat, which is rarely mentioned in
professional literature (at least not in infosec literature) – and that is the emotional and psychological
environment people work in.
If people are stressed and pressured, if they live in a bitter environment of gossip and dirty games
they will naturally be less motivated to follow the rules and maintain the security of your data.
If people are happy with their job and their colleagues, they will naturally try to protect this
environment from internal and external threats – as this essentially protects their well-being.
Cyber Incident Response
If your company is like most, you consider a cyber security incident to be one only if ‘you get hacked’
– whatever this magic term means – or if a major mass infection occurs in your network. But if you
really look into what is going on in your IT environment you might find one or more intruders
roaming freely, collecting information, leaking it out and deleting their traces, then another intruder
coming in, doing what they intended to do and leaving, and this repeating on and on. Some intruders
don’t want to advertise their presence and never show up publicly with a report that they hacked
you. They would not trigger your AV, either.
By implementing proper security monitoring (which usually costs a lot of money on
SIEM/IDS/IPS/DLP/storage/analysts/threat intelligence subscriptions) you will suddenly start
receiving a lot of alerts – and some of them will be of actual incidents.
Employees break security policies and procedures on a regular basis, code gets executed without
authorization – and in the cases when this code is malicious, external parties might gain access to
your internal network.
People browse non-work related sites, download things they are not supposed to, execute things
they are not supposed to, send home documents they are not supposed to, bring devices they are
not supposed to bring, etc.
And if a few years ago it was appropriate to let the IT Administration / CISO handle such situations,
now this is impossible due to the number and complexity of incidents – if your organization counts in
more than 1000 people, you need a separate DFIR (digital forensics and incident response) team.
Building such a team is a complicated effort and if you are just starting to consider this option, start
by reading the following resources:
NIST Computer Security Incident Handling Guide http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
http://www.dtic.mil/cjcs_directives/cdata/unlimit/m651001.pdf - CYBER INCIDENT HANDLING
PROGRAM (U.S. Military guideline)
Then move on to https://www.enisa.europa.eu/activities/cert/training - this resource could become
the single point of training for the whole DFIR team, as it offers practical exercises as well as
theoretical material in the form of templates, guidelines, text books, etc.
It is neither possible nor desirable to cover such a complex topic in a single chapter – as with many of
the chapters of this book (which I call a reference for a reason), its main objective is to point you in
a helpful direction.
Your CSIRT is the immune system of your organization – detecting internal and external breaches
and isolating any perpetrator before it has done major harm. In the case of an ‘infection’, your
CSIRT will raise the ‘temperature’ of the whole organization and with the collective intelligence of
the whole organism will drive the intruder out.
Here is the best possible material / source you could learn from:
https://www.enisa.europa.eu/activities/cert/support/guide
A handy list (frequently updated) of useful resources your CSIRT (cyber security incident response
team) will need to get to know and use:
https://github.com/rshipp/awesome-malware-analysis
The best blog on incident response you could start reading is http://journeyintoir.blogspot.com – as
it details a lot of the processes which are not described in books on the topic.
Another similar blog is http://windowsir.blogspot.com – as its name implies, focused primarily on
Windows.
Smoke and Mirrors
Or the art of active defense and enemy disorientation
“You can ensure the safety of your defense if you only hold positions that cannot be attacked. Hence
that general is skillful in attack whose opponent does not know what to defend; and he is skillful in
defense whose opponent does not know what to attack.” – Sun Tzu
It is impractical to cover everything on this topic in a single chapter – but what could help you in
building good active defenses is reading the following book – “Aggressive Network Self-Defense”.
What I am going to cover here is just some basic ideas of making the life of an attacker more difficult
and the usefulness of their automated tools less effective.
For example, you could open certain ports on purpose and redirect all input from them to /dev/null –
an effective measure which would keep an adversary entertained for quite some time trying to
exploit that open port.
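A listener of the kind just described is a few lines of Python. This is an added example, not the book’s code: it binds to a port you deliberately expose, never replies, and discards whatever arrives, but instead of a pure /dev/null it keeps the intelligence a defender wants from each probe (source, time, byte count and the first 64 bytes) so you learn what tools are hitting you. The port number 2323, the 64-byte sample size and the 15-second idle timeout are arbitrary choices for the demo.

```python
import socketserver
import threading
import time

MAX_SAMPLE = 64   # bytes of each probe kept for analysis; the rest is discarded


def drain(recv, max_sample=MAX_SAMPLE):
    """Read until the peer closes or times out. Counts everything, keeps only
    the first max_sample bytes, and never sends anything back."""
    total, sample = 0, b""
    while True:
        try:
            chunk = recv(4096)
        except OSError:          # timeout or reset: the probe is over
            break
        if not chunk:
            break
        total += len(chunk)
        if len(sample) < max_sample:
            sample += chunk[: max_sample - len(sample)]
    return total, sample


def record_probe(peer, total, sample, ts):
    """The record the sink keeps per connection (peer is a (host, port) tuple)."""
    return {
        "peer": f"{peer[0]}:{peer[1]}",
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)),
        "bytes": total,
        "sample_hex": sample.hex(),
    }


class SinkHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(15)          # idle probes are dropped, not answered
        total, sample = drain(self.request.recv)
        rec = record_probe(self.client_address, total, sample, time.time())
        with self.server.lock:
            self.server.records.append(rec)
        print(rec)


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, SinkHandler)
        self.records = []                    # in-memory; ship these to your SIEM
        self.lock = threading.Lock()


if __name__ == "__main__":
    # Bind to an unused port you choose to expose; route no real service through it.
    with SinkServer(("0.0.0.0", 2323)) as srv:
        srv.serve_forever()
```

Run it as an unprivileged user on a host that has nothing else listening, and forward the printed records to the SIEM: any internal source that shows up here is worth an immediate look, since nothing legitimate has a reason to talk to that port.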
Honeypots and honeynets
Building a good honeynet is useful in 2 ways:
1. It gives you intelligence on what the attackers are doing before they have a chance of doing
the same on your production systems
2. It wastes the adversary’s time and resources while costing comparatively few resources on
your side to run the honeynets/honeypots.
Having several honeynets and honeypots is not enough. Attackers look not only for ports and
services, but for the story behind them – you will need to build a whole story around the
honeynet/honeypot – fake personas, fake business applications, fake presentations indexed by
Google, fake profiles on social networks, etc.
A lot of malware will simply stop running if VMware Tools are present (or specific registry entries
which are present on VMware/VirtualBox virtual machines). You could simply install VMware Tools
(check the license terms first) on a non-virtualized machine.
User agent spoofing
In one of my favorite Chrome plugins – uMatrix – in the Privacy tab, you can see a very handy option:
Spoof user agent every X minutes.
This is one additional measure against exploit kits targeting specific browsers, as user agent is what
most of them rely upon in order to deliver the right exploit.
User agent string rotation has one additional benefit. When a targeted attack is planned, the
attackers will usually send a series of links to various employees, recording the user-agent strings in
order to better plan their exploitation. With the tool above (and especially if you add more
user-agent strings besides the default) you will significantly increase the complexity of preparing a
targeted attack against the browsers/plugins employed in your organization.
Adding confusion everywhere you can will slow down adversaries and will completely thwart
automated attack tools in some cases – spoof web server signatures, DNS server signatures, mail
server welcome banners, SSH banners, etc.
Mobile Device Security
You should not forget that mobile devices are swiftly replacing desktops as targets – I have seen a full
compromise of a fully updated Android phone via a simple, ‘empty’ SMS message – granting full
control of that device to a third party at all times (remember, phones are rarely shut down and you
have much less performance / network monitoring tools for your phone than for your desktop).
Isolating mobile device usage in a proper manner is important. That includes having separate devices
for corporate and personal usage, separate network providers, separate applications / credentials,
separate mobile device management systems, etc.
Compromising your mobile device means someone gaining access to all information on that device. If
you can’t afford losing that information’s confidentiality or availability, think twice before storing
information on that device.
At the time of this writing Samsung Knox (now open to everyone with a strong enough Samsung
device - http://www.engadget.com/2013/09/04/samsung-opens-up-knox-security-platform-to-all-consumers/ ) and Apple iOS are the two effective ways you could choose for your mobile device
security.
The latest (at the time of this writing) iOS security guide by Apple is located at
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Delivering exploits to mobile browsers is no different from the way it’s done on desktop systems –
the problem is that we don’t have well sandboxed browsers for smart devices yet – at least not on
the level of “Browser-in-a-box” by Sirrix.
Delivering all mobile content after it has been filtered already by your web filtering appliance is one
solution to the problem as that will block a lot of malicious domains / advertising (malvertising)
networks, for devices which are under your control.
Mobile devices you control should be subject to the same hardening efforts you spent on your
other endpoints – and there are plenty of STIGs for all the major mobile operating systems.
In general it is advisable to use alternative browsers whenever possible to avoid easy compromise via
exploit kits (Webroot, Maxthon and Opera come to mind as appropriate alternatives).
If your device has 3GB of RAM or more and a quad-core CPU then full encryption will not harm its
performance much – and is recommended.
So far I’ve found Webroot AV to be the most effective in blocking web-based attacks against Android,
followed in quality and performance by 360 Security. The first has a paid version while the second is
100% free and has a thousand times bigger user base (China + the rest of the world).
Not using a lock screen password mechanism is a call for trouble. Note that a 4-digit PIN is broken in
seconds, simple passwords in hours – the most secure Android protection now is the pattern lock
with as complex a pattern as you’re comfortable with.
Biometric protection is much better – and I am glad Apple and other vendors have started embracing
it.
Creating a personal cyber fortress
Protecting your own digital life and that of your family is of paramount importance and even we as
security veterans may sometimes forget to take care of our own with the long hours we spend doing
the same at work.
Protecting a personal computer / mobile device / anything personal with some form of connectivity
to other devices is becoming an interesting objective – just as complex cyber-attacks from 2006-8
were discovered only in 2014/2015, we will most likely realize what kind of threats were lingering in
our smartphones only after 2018-2020.
Keeping that in mind, we should assume our personal and mobile devices as vulnerable now as our
computers were vulnerable to APTs in 2008.
The chapters above – on Software Restriction Policies / AppLocker and EMET – apply to personal
computers just as they apply to business devices. You should at the minimum install and configure
EMET as otherwise you will be prone to a lot more exploits. That is if you’re using the Windows
operating system, of course. Hopefully when you read this Windows 10 will be out – which is much
more secure than Windows 7 by default, but even then you should still install EMET on it.
For my family (especially for its older members) I have a rule: when setting up a computer and fully
configuring it, I enable the Guest account, change its picture and name and only show that as a login
option. For a regular user this is more than enough – all their applications are working, but I would
not want to be in the place of a malware author trying to exploit a Windows 8.1/10 box fully
configured as per the rules above and running with a Guest account…
However for highly sensitive situations I recommend you switch your operating system to Qubes OS
or DesktopBSD - http://www.desktopbsd.net/. Or at least use something like Kubuntu or Xubuntu
(Sorry Ubuntu, but your user interface is just… ugh!)
Starting from a clean install is also very important, always using licensed software and avoiding
cracks/keygens like the plague. Seeing such applications without any malicious code in them is like
seeing a unicorn.
Knowing that most people will ignore the advice to use an alternative OS and will continue using the
most popular one – the advice from now on will be focused on solutions and ideas for Microsoft
Windows.
Full Disk Encryption
With the demise of TrueCrypt the alternative I would recommend for Windows 7 devices is
VeraCrypt.
Unfortunately Windows 8 has changed the way it boots and VeraCrypt does not fully support full disk
encryption for system (boot) partitions yet for Windows 8/10.
For such situations BitLocker is more than enough protection for a home computer – as we can
consider what you’re keeping safe is the privacy of a home computer in the case of a loss / theft, not
in the case you’re being chased by an intelligence agency.
Store your passwords in a secure way
Always use a password manager for your online accounts (this implies you use different passwords
for all websites which require authentication and are sensitive in nature).
I recommend KeePass Password Safe - http://keepass.info
Browse the web safely
Using a regular browser simply is not good enough anymore. Being exposed to sophisticated exploit
packs on potentially any website we access, we need to re-learn how we use the web on a day-to-day
basis.
Using a non-standard browser will put you in the small percentage of users that exploit pack writers
ignore because of the cost of covering 100% of all browsers – it is 10 times cheaper to cover 80% than
90% of them, and probably 100% more expensive to cover 100% than 80%. So it’s simple math – be
part of that last 10% and be as safe as possible.
Browser-in-a-box
This is a unique concept. In essence it is a virtual machine (Linux) which exports a Firefox browser to
your Windows desktop, making it almost transparent to the user and at the same time very, very
difficult to exploit.
You can download the ‘application’ at http://download.sirrix.com/content/pages/bbdl-en.htm or
read more about it at https://www.sirrix.com/content/pages/BitBox_en.htm
Comodo “Dragon” browser
Based on Chromium (most people would recognize that as Google Chrome), with enhanced privacy
and, as per their website:
- Has privacy enhancements that surpass those in Chromium's technology
- Has Domain Validation technology that identifies and segregates superior SSL certificates from inferior ones
- Stops cookies and other Web spies
- Prevents all Browser download tracking to ensure your privacy
Not as secure as “Browser-in-a-box”, but much lighter. Would work best with the whole Comodo
suite of applications, which they are offering for free – AV, Firewall and a sandbox. Just be careful not
to install anything else when installing – de-select any additional offers.
For secure banking, I recommend the usage of Bitdefender Safepay™ Browser:
http://www.bitdefender.com/solutions/safepay.html
Another cool solution is the combination of the 360 browser + 360 total security suite.
The 360 browser is built by Qihoo 360 and is, just like the Dragon Browser by Comodo, based on the
Chromium engine, which makes it compatible with all your favorite Chrome extensions – it can also
import all your bookmarks and passwords (if you can trust it) from Chrome and / or Firefox.
The additional security features of this browser can be seen from the screenshot on the right.
With sandbox protection, process isolation and the 360 cloud security you will be protected from
phishing as well as malicious websites – and it comes with adblocking turned on.
The browser is developed by Qihoo http://en.wikipedia.org/wiki/Qihoo - a company with more
than 640 million users of its security products – it is Chinese but I personally trust them more than I
trust certain famous companies – simply because certain government agencies have absolutely no
power over them.
One really good reason why choosing 360 as your AV is a smart choice: they have no benefit in
signing agreements with the Five Eyes Alliance to keep their malware undetected, as some other
vendors do.
Browser Add-ons
NoRedirect
https://addons.mozilla.org/en-US/firefox/addon/noredirect/
For the Firefox users out there I recommend this add-on, which prevents 302 redirects in your
browser, effectively blocking a lot of malicious redirect scripts, pointing to hacked / malware infested
pages.
NoScript
https://noscript.net/
This extension is a must-have for security-conscious people with a bit of technical skill. It will
probably not be appropriate for regular users, who will have no idea why certain pages and page
features are not working and will be constantly complaining to tech support about it.
By blocking all unknown scripts and active elements it implements script whitelisting in the browser,
a very effective measure even when visiting hacked websites.
uMatrix
uMatrix is appropriate for the more technical users who know how to configure it for each website
visited, as it often breaks desired functionality in its eagerness to protect you. But as you can see
from the image below – loading one comic site drags along scripts and content from so many other
tracking and advertising sites that the list can’t even fit and needs to be scrolled down!
By clicking the right box the elements get loaded (after you press the reload button), or their
allowed/denied state is saved when you click the save button, so you won’t have to reconfigure
everything again next time you visit that website.
Page 103 of 112
This extension is an ad-blocker on steroids (or something stronger) – I combine it with uBlock for
ultimate peace of mind.
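To make the whitelisting idea behind NoScript and the per-site matrix of uMatrix concrete, here is an added example (not from the book and not code from either project): it takes the HTML of a page and the site you actually typed in, lists every host the page would pull scripts, frames and images from, and applies the same decision a matrix-style blocker makes: the first-party site (and its subdomains) is allowed, every other host is blocked unless you saved a rule for that host and resource type. The page and host names are constructed for the demo.

```powershell
# Added example, not from the book or from NoScript/uMatrix. Given page HTML and the
# first-party host, classify each external resource and decide allow/block the way a
# matrix-style blocker does. The sample page below is constructed for the demo.

function Get-PageResourceMatrix {
    param(
        [Parameter(Mandatory)] [string]$Html,
        [Parameter(Mandatory)] [string]$FirstPartyHost,
        # Saved rules: host -> allowed resource types (what the "save" button persists).
        [hashtable]$SavedRules = @{}
    )
    $tagToType = @{ script = 'script'; iframe = 'frame'; img = 'image' }
    # Good enough for the constructed sample; a real blocker hooks the browser, not a regex.
    $rx = '<(?<tag>script|iframe|img)\b[^>]*?\bsrc\s*=\s*["'']?(?<src>[^"''\s>]+)'

    $rows = foreach ($m in [regex]::Matches($Html, $rx, 'IgnoreCase')) {
        $src = $m.Groups['src'].Value
        if ($src.StartsWith('//'))           { $src = 'https:' + $src }                              # protocol-relative
        elseif ($src -notmatch '^https?://') { $src = "https://$FirstPartyHost/" + $src.TrimStart('/') } # relative URL
        $hostName = ([uri]$src).Host.ToLower()
        $type     = $tagToType[$m.Groups['tag'].Value.ToLower()]
        $isFirstParty = ($hostName -eq $FirstPartyHost) -or $hostName.EndsWith(".$FirstPartyHost")

        $decision = if ($isFirstParty)                          { 'allow (first party)' }
                    elseif ($SavedRules[$hostName] -contains $type) { 'allow (saved rule)' }
                    else                                        { 'block' }

        [pscustomobject]@{ Host = $hostName; Type = $type; FirstParty = $isFirstParty; Decision = $decision }
    }
    $rows | Sort-Object Host, Type -Unique
}

# Constructed page: one comic site that drags along content from several other hosts.
$sampleHtml = @'
<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.examplecomic.net/app.js"></script>
<img src="https://img.examplecomic.net/strip-001.png">
<script src="//stats.tracker-example.com/t.js"></script>
<script src="https://ads.adnetwork-example.com/show.js"></script>
<iframe src="https://ads.adnetwork-example.com/frame"></iframe>
<img src="https://pixel.tracker-example.com/p.gif">
</body></html>
'@

# Default state: only the site itself (and its subdomains) loads; every third party is blocked.
Get-PageResourceMatrix -Html $sampleHtml -FirstPartyHost 'examplecomic.net' | Format-Table -AutoSize

# After saving a rule that allows only the ad network's frame (its script stays blocked):
Get-PageResourceMatrix -Html $sampleHtml -FirstPartyHost 'examplecomic.net' `
    -SavedRules @{ 'ads.adnetwork-example.com' = @('frame') } | Format-Table -AutoSize
```

The second run shows why these tools "break" pages: a saved rule is per host and per resource type, so allowing a frame from an ad host does not allow its script, and anything you never explicitly saved stays blocked on the next visit.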
Antivirus protection for the home computer
Personal computers (and tablets on the Windows OS) will need antivirus protection for a few more
years, whether we want it or not. AV protection is necessary to defend against 40% of the threats
which are active and detectable by them. The rest you will have to defend against using common
sense and proper device hardening, as mentioned elsewhere in this book.
There are two products I can wholeheartedly recommend:
360 Total Security and Webroot.
360 Total Security
As can be seen on the image above, I have highlighted 2 of the very important features of this
product.
Arrow 1 points to the Tool Box, which contains functionality to optimize your computer and patch it
with any missing updates, even if the update functionality of your PC is broken for some reason.
The second arrow points to the 5 AV engines it uses (2 of them, BitDefender and Avira, must be
manually disabled right there by clicking their icons).
The product also protects your web browsing and enables phishing protection for certain websites.
There are a few default settings you need to enable to ensure maximum protection:
- uncheck this box if it is checked.
In Active Protection > System, in the section Files to be monitored, select All files.
In Virus Scan, set the following options:
And the best part… IT IS FREE
Webroot
This product was my favorite before I discovered 360 because of its excellent behavioral malware
detection, sandbox and web browsing protection – as well as its detection of abnormal system
modifications (once a Java update tried to replace a system file in c:\windows\system32 and
it caught and prevented it on my machine).
Unfortunately they do not offer a free version (except for their mobile version) – but I was using it for
2 years and recommend it to anyone who does not trust 360 Total Security for some reason or
another.
The web browsing protection from malicious websites is very good.
Comodo AV + Firewall
If you’re careful when installing and deselect any additional options, software or offers they try to
push on you, the product is amazing.
https://www.comodo.com/home/internet-security/free-internet-security.php
The bundle is especially useful to technically adept users as the amount of features and settings
under the hood is just mind boggling. The sandbox and the firewall alone are worth the effort of
installing.
The Comodo Firewall is really useful when it comes to notifying and preventing unknown / new
processes from connecting to the Internet without your approval.
Security monitoring for your home computer
GlassWire (https://www.glasswire.com/) is a must.
This application allows you to monitor your internet usage in a way no free or commercial home
firewall does – via usable and informative graphs and notifications.
It is not a firewall in the pure sense – but is a really good monitoring solution to detect anomalies in
your network traffic.
As can be seen on the screenshot above, this is probably the best user interface in a consumer grade
security monitoring product ever developed.
One example of a potential detection, which turned out to be a false positive:
As you can see (hopefully) from the image above, an application tried to connect to the Internet for
the first time. The location: c:\users\username\appdata\local\temp\isgvmkv.tmp\countinstallation.exe – looks exactly like malicious software, as legitimate software
would not run its components from that location. Luckily, this is a binary signed by Foxit Software
Incorporated – and I noticed this executable right after the installation of Foxit Reader in a VM.
In another situation I would have been alerted to malicious activity at the time it happened,
not during an investigation later on.
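The alert described above boils down to three questions a defender can ask about every process that opens an outbound connection: have we seen this executable connect before, is it running from an unusual place such as a temp directory, and is it signed, and by whom. The following is an added example (not from the book and not GlassWire's code) that answers those questions on a Windows machine with built-in cmdlets. The baseline file location, the list of "unusual" launch directories and the Review rule are assumptions of this example.

```powershell
# Added example, not from the book or from GlassWire. Lists every process with an
# established outbound TCP connection, remembers which executables connected on
# earlier runs (baseline file, assumed location), flags executables running from a
# temp directory and checks their Authenticode signature, so a signed installer
# helper (like the Foxit case) can be told apart from an unsigned binary.
# Needs Windows 8 / Server 2012 or later (Get-NetTCPConnection); run elevated so the
# paths of other users' and system processes are visible.

function Get-OutboundProcessReport {
    param(
        # Assumed location of the "seen before" baseline; any writable path works.
        [string]$BaselineFile = (Join-Path $env:LOCALAPPDATA 'outbound-baseline.json')
    )

    # Launch locations installed software rarely connects from (assumption of this example).
    $tempPattern = @(
        [regex]::Escape("$env:LOCALAPPDATA\Temp"),
        [regex]::Escape("$env:TEMP"),
        [regex]::Escape("$env:SystemRoot\Temp")
    ) -join '|'

    # Baseline: executable path -> timestamp of the first run that saw it connect.
    $seen = @{}
    if (Test-Path $BaselineFile) {
        $saved = Get-Content $BaselineFile -Raw | ConvertFrom-Json
        foreach ($p in $saved.PSObject.Properties) { $seen[$p.Name] = $p.Value }
    }

    $signatureCache = @{}   # avoid re-checking the same binary for every connection it holds
    $report = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if (-not $proc -or -not $proc.Path) { return }   # process exited, or path hidden without elevation
            $path = $proc.Path

            $firstSeen = -not $seen.ContainsKey($path)
            if ($firstSeen) { $seen[$path] = (Get-Date).ToString('o') }

            if (-not $signatureCache.ContainsKey($path)) {
                $signatureCache[$path] = Get-AuthenticodeSignature -FilePath $path
            }
            $sig    = $signatureCache[$path]
            $inTemp = $path -match $tempPattern

            [pscustomobject]@{
                Process   = $proc.ProcessName
                Path      = $path
                Remote    = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                FirstSeen = $firstSeen
                InTempDir = $inTemp
                Signature = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
                # Worth a human look: never seen before AND (runs from temp OR not validly signed).
                Review    = $firstSeen -and ($inTemp -or $sig.Status -ne 'Valid')
            }
        }

    # Persist the baseline so the next run only reports genuinely new executables.
    $seen | ConvertTo-Json | Set-Content -Path $BaselineFile
    $report | Sort-Object Review, FirstSeen -Descending
}

Get-OutboundProcessReport |
    Format-Table Process, Remote, FirstSeen, InTempDir, Signature, Signer, Review -AutoSize
```

On the Foxit case from the text, the row would come out with FirstSeen and InTempDir both true and Review set, exactly as GlassWire alerted; the Signature and Signer columns are what let you close it as a false positive. A valid signature from a signer you do not recognise still deserves the same look, which is why the signer subject is printed rather than reduced to a yes/no.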
Censorship avoidance
There are countries which limit freedom of speech and access to information. There are situations
when you might need to avoid being tracked – even just for principle’s sake, if you want to make a
point that your browsing is your own business and should not be in anyone’s statistics.
I will list a few ‘free’ censorship bridges – they vary in form and effectiveness, but they are
worth trying.
Google Compression Proxy
https://chrome.google.com/webstore/detail/data-compressionproxy/ajfiodhbiellfpcjjedhmmmpeeaebmep
The way it works is, you add it as an extension to Google Chrome and it passes all your web browsing
traffic through Google’s servers – compressing data and saving your traffic as well as privacy. Of
course, if you are worried about Google inserting data (think NSA exploits) or monitoring you, avoid
this service.
SoftEther VPN
This is a serious privacy project trying to provide a secure and private browsing experience to
everyone, for free.
https://www.softether.org/
Any paid VPN with a good reputation is also a good alternative.
Protecting a personal mobile device
To protect your personal smartphone or tablet you can rely on technologies such as Samsung Knox™
- but if your device is not of that brand, you still have multiple other options.
Apple devices remain relatively secure – the operating system is maintained very well and their
security team is doing a great job. As long as you do not jailbreak your device and you properly
configure your account and device, you can have peace of mind.
Jailbreaking an iOS device is akin to asking a random ‘keymaker’ on the street to install a lock of their
choice on your door and allow them to keep a key, just in case – and distribute it to their friends.
Does not sound safe to me. It is in this sense better to allow the vendor access (which they will
always have anyway) and deny it to everyone else, rather than giving access to unknown adversaries.
Yes, you can install additional security software after jailbreaking – but yet again, you have no control
over the source code nor the vulnerabilities present there.
Doing the same to an Android device (called “rooting”) results in the same weaknesses – you gain
more control but you lose security features, opening more holes in your mobile device than were
present before.
The few benefits I see in rooting an Android phone are that you can install security patches and newer
versions of the OS more rapidly and you can give security applications deeper access to the OS – that
is a fact, the choice is yours.
Installing the proper protection applications on your Android phone can help a lot. Just be careful
what you install – not every vendor out there is benign and not every security app is effective – many
are there just to maintain marketing presence.
Recommended Android security apps
VirusTotal - https://play.google.com/store/apps/details?id=com.virustotal – generates hashes of the
applications and services on your phone and uploads unknown apps to VirusTotal – and is the best
way to detect malicious files which are undetectable by your current Android security app. Their
system also has a sandbox where such unknown apps show their behavior – another added benefit.
360 Security - https://play.google.com/store/apps/details?id=com.qihoo.security – yes, I know, a
Chinese security vendor. Yes, I know you’ve been scared by the media about how evil the Chinese
are. But please evaluate the app and its capabilities. I have used many security apps and so far
personally find this one the most effective and feature-rich.
An alternative to 360 is
Webroot - https://play.google.com/store/apps/details?id=com.webroot.security
Besides offering an excellent and effective mobile security suite, Webroot also offers a premium one
(with as many features as the above, but at a price) – which I find very effective against malicious websites.
They also offer a very good, secure browser – overall the company is security-oriented and offers
excellent products.
Another company seriously focused on security for many years with excellent research and excellent
products is Kaspersky. Yes, Russian. No, they are not evil communists.
https://play.google.com/store/apps/details?id=com.kms.free
Google Authenticator – a must have. If you are not using 2-factor authentication, you should start
NOW! I will mention it a bit further – but for now, install the app.
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Secure Mobile Browsing
You should not access banking websites with a regular browser – especially if clicking (tapping) on
links in e-mails, supposedly leading to your mobile e-banking.
Webroot SecureWeb Browser https://play.google.com/store/apps/details?id=com.webroot.secureweb
Trusteer, just as Webroot above, offers a secure browser https://play.google.com/store/apps/details?id=com.trusteer.securebrowser.trusteer
Secure Messaging
You should only trust encrypted communication for confidential conversations – and even if you simply
want to keep your conversations as they should be: between you and your conversation partner.
Threema - https://play.google.com/store/apps/details?id=ch.threema.app – so far, the leader in
security and user interface usability. Not free, but well worth the price.
TextSecure Private Messenger - https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms
This one is free, but I personally prefer the UI of Threema. The same developer also offers a secure
calling app, RedPhone, which is very effective in keeping your voice conversations private:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
Encryption
Encrypting your device is recommended if it has more than 2GB (3 or more) of RAM and a high-speed
CPU (quad core). You can encrypt weaker devices, but you will pay a high price in performance issues
and lag. But encrypting your phone and SD card is the only protection you have in case your phone is
stolen or confiscated at an unfriendly border (some countries may well jail you for a single photo or
e-mail they consider inappropriate).
Choosing your encryption key is as important as choosing your banking passwords – phrases
containing spaces and symbols are best.
Securing your personal finances against confiscation / inflation / financial crisis / others
I will only leave a single link here – as there is a blog out there which goes to great lengths about
protecting yourself and your finances against abuse – it is the International Man website http://www.internationalman.com/
As the author points out on their website:
“The problem — your problem — is that any country can turn into a 1970s Rhodesia. Or a Russia in
the ‘20s, Germany in the ‘30s, China in the ‘40s, Cuba in the ‘50s, the Congo in the ‘60s, Vietnam in
the ‘70s, Afghanistan in the ‘80s, Bosnia in the ‘90s. These are just examples off the top of my head.
Only a fool tries to survive by acting like a vegetable, staying rooted to one place, when the political
and economic climate changes for the worse."
– Doug Casey
But that is not the only way you could go. Look into Bitcoin – really look into it – as it is the only
technology in existence which protects your money from being taken away if you properly secure it
digitally (or in print, yes, you can print bitcoin).
Various tools
Finally, if you are curious, here are some miscellaneous links to tools related to information security
you might want to check out:
http://sourceforge.net/directory/security-utilities/os:windows/freshness:recently-updated/ - a
collection of open source / free tools related to information security. Many are regularly updated; I
would specifically highlight ProcessHacker as one useful example you should look at.
Another useful open source repository is https://github.com/showcases/security