Development and operations a practical guide
Joe Vest, James Tubberville, Red Team Development and Operations
| Defensive Action | Description |
| --- | --- |
| Prevent client-to-client communication | Preventing these communications limits a threat's ability to move freely throughout the network, reduces the likelihood of privileged account discovery, and forces an increase in time and effort (more activities and artifacts), which in turn can increase the defender's ability to detect. |
| Prevent server-to-client communication | Assuming the network has prevented client-to-client communications, the only option left to a threat is to attempt access to a server; blocking server-to-client communication means the threat cannot then communicate from that server back to clients. |
| Block outbound server communications | There are very few instances where a server needs to communicate with a system external to the network. These are exceptions and should be managed to allow only connections to the required external asset or IP, and only over the required ports and protocols. |
| Clear cached administrative credentials | Cached credential discovery is a common and primary method by which threats escalate privileges. |
| Reset the KRBTGT account | Reset the KRBTGT account twice within a limited time frame, followed by changing all administrative credentials. These resets limit a threat's ability to maintain access after credential changes. |
| Perform a sensitive items review | Perform frequent search and discovery activities for critical items stored across organizational assets (passwords, configs, Privacy of Information Act (PIA) data, intellectual property, etc.). |
| Block and disable non-required ports, protocols, and services (PPS) | Both internal and external systems and network devices should disable and block PPS that aren't required for the network. Limit PPS to only what is required for each specific system. |
| Implement separation of accounts and privileges | Users should be limited to only what is required to perform daily tasks. Standard users often do not require elevated privileges on a daily basis. In rare scenarios where a user needs elevation often, require the use of a secondary account with only the access required and no external communications ability. |
| Ensure group permissions are appropriately identified and mapped | This recommendation has multiple applications; however, the main focus is nested groups and permissions. |
| Implement Microsoft Local Administrator Password Solution (LAPS) | No two local administrator accounts share the same password. A client-side component generates a random password, updates the LAPS password attribute on the Active Directory computer account, and sets the password locally. |
| Multi-Factor Authentication | An additional security control and protection that requires more than one authenticator or authentication factor for successful authentication. |
| Application Whitelisting | Implement Application Whitelisting only after all of the prior recommendations have been implemented. |
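The "sensitive items review" row above calls for frequent search and discovery of passwords, configs and similar material across organizational assets. The following scanner is an added example written for this page, not code from the book or its authors: it walks a directory tree (or a set of in-memory documents) and reports lines matching a small, conservative set of credential-shaped patterns. The pattern set, the sample files and their contents are constructed for illustration and would need tuning for a real environment.

```python
"""Sensitive-items review: locate credential-like material in files.

Added example, not from the book. Assumes plain-text files; the pattern set
is an assumption chosen to keep false positives low, not to be exhaustive.
"""
import os
import re
from dataclasses import dataclass

# Each entry names one class of sensitive item (assumed, illustrative patterns).
PATTERNS = {
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "connection_string": re.compile(r"(?i)\b[a-z]+://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str


def scan_text(path, text):
    """Return one Finding per (line, pattern) hit in a single document."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                # Keep only a short excerpt so the report does not become
                # a fresh copy of the secret it found.
                findings.append(Finding(path, line_no, kind, line.strip()[:40]))
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory tree and scan every readable text file under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > max_bytes:
                    continue  # skip large binaries and archives
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(full, fh.read()))
            except OSError:
                continue
    return findings


# Constructed sample documents (not real credentials or real hosts).
SAMPLE_FILES = {
    "app/config.ini": "[db]\nhost=db01\nuser=app\npassword = Winter2023!\n",
    "notes/readme.txt": "Deployment notes. Contact the helpdesk for access.\n",
    "ops/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
    "ops/deploy.sh": "export DB_URL=postgres://svc:S3cret@db01/app\n",
}


def scan_samples():
    """Scan the constructed sample set in memory, in insertion order."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    """Count findings per item class, the shape a periodic review report needs."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
    print(summarize(scan_samples()))
```

Run against a real share with `scan_tree("/path/to/share")`; the per-class summary is what makes repeated reviews comparable over time, and the truncated excerpt keeps the report itself from being the next item the review would need to find.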
This list comprises preventive controls (Mitigation Strategies Part 1 [25] and Part) and is a good set of starter techniques a Red Team can use to apply Red Team techniques that directly measure a security operations team's ability to detect and respond to threat techniques.