Reset the KRBTGT Account
Reset the KRBTGT account twice within a limited time-frame, followed by changing all administrative credentials. These resets limit a threat's ability to maintain access after credential changes.
Perform a sensitive items review
Perform frequent search and discovery activities for critical items stored across organizational assets (Passwords, Configs, Privacy of Information Act (PIA) data, Intellectual Property, etc.).
Block and disable non-required ports, protocols, and services (PPS)
Both internal and external systems and network devices should disable and block PPS that aren't required for the network. Limit PPS to only what is required for each specific system.
Implement separation of accounts and privileges
Users should be limited to only what is required to perform daily tasks.
Standard users often do not require elevated privileges on a daily basis.
In rare scenarios where a user needs elevation often, require the use of a secondary account with only the access required and no external communications ability.
Ensure group permissions are appropriately identified and mapped
This recommendation has multiple applications; however, the main focus is nested groups and permissions.
Implement Microsoft Local Administrator Password Solution (LAPS)
No two local accounts have the same password. A client-side component generates a random password, updates the LAPS password on the Active Directory computer account, and sets the password locally.
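The following PowerShell audit is an added example, not part of the original document, covering the KRBTGT reset and LAPS recommendations above: it reads the krbtgt password age from every domain controller (so a first reset that has not yet replicated is visible before the second one is performed) and reports which computer objects have never received a LAPS-managed password. It assumes the ActiveDirectory module, read access to the domain, and the legacy LAPS attribute name; the age threshold is an assumed policy value.

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory module
# and a domain-joined workstation with read access. $Config values are assumptions.
Import-Module ActiveDirectory

$Config = @{
    KrbtgtMaxAgeDays = 180  # assumed policy: krbtgt password should be newer than this
    LapsAttribute    = 'ms-Mcs-AdmPwdExpirationTime'  # legacy LAPS; Windows LAPS uses msLAPS-PasswordExpirationTime
}

function Test-KrbtgtResetState {
    # Query every DC directly so a reset that has not replicated yet is visible.
    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        $krb = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{
            DC              = $dc.HostName
            PasswordLastSet = $krb.PasswordLastSet
            AgeDays         = [int]((Get-Date) - $krb.PasswordLastSet).TotalDays
        }
    }
    # Differing timestamps mean replication is incomplete; do not perform the second reset yet.
    $distinct = ($results.PasswordLastSet | Sort-Object -Unique).Count
    if ($distinct -gt 1) {
        Write-Warning 'krbtgt PasswordLastSet differs across DCs; wait for replication before the second reset.'
    }
    $results | Where-Object AgeDays -gt $Config.KrbtgtMaxAgeDays |
        ForEach-Object { Write-Warning "$($_.DC): krbtgt password is $($_.AgeDays) days old" }
    return $results
}

function Get-LapsCoverage {
    # A computer with no LAPS expiration timestamp has never had a LAPS-managed local admin password.
    $attr = $Config.LapsAttribute
    $computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' -Properties $attr
    $missing = @($computers | Where-Object { -not $_.$attr })
    [pscustomobject]@{
        Total     = @($computers).Count
        Managed   = @($computers).Count - $missing.Count
        Unmanaged = $missing.Name
    }
}

Test-KrbtgtResetState | Format-Table -AutoSize
Get-LapsCoverage
```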
Multi-Factor Authentication
Additional security control and protection that requires more than one authenticator or authentication factor for successful authentication.
Application Whitelisting
Implement Application Whitelisting only after all of the prior recommendations have been implemented.
This list comprises preventive controls (Mitigation Strategies Part 1 [25] and Part ) and is a useful set of starter techniques a Red Team can apply to directly measure a security operations team's ability to detect and respond to threat techniques.