Active Defense Part 2, The Endpoint
The problem of securing endpoints in today's threat environment is arguably the least addressed and the most exploited. In dozens of recent high profile cyber attacks, the point of initial incursion into the network was an innocent-looking file or link in an email, or a piece of script on a web page, followed by quiet and malicious exploitation, spread and further compromise.
In case after case after case, the use of advanced or not so advanced malware as a means to an end is a recurring theme that needs to be addressed seriously by any organization.
The Adversary
Cyber criminals - forgive me if I don't use the word hackers - learn faster than IT and Security departments. They don't really care what they are supposed to do but instead focus on what works. Attacking user machines and infiltrating networks through them works because user machines are weak.
The fact of the matter is that the attacker's job is unnecessarily easy. The defenses in place today in the typical business environment are defeated using simple mechanisms well within the reach, understanding and capability of a child, and the attackers that you should be worried about are definitely not children.
To the adversary, the initial point of infection is only the beginning; once you are effectively at the soft underbelly of the target's information system then why not capitalize? Financial gain, fame, political advantage, and massive damage are within easy reach. Who cares about one machine when you can have thousands, one user's data when you can have it all, or destroy it all, or divulge it all, or leverage it all?
This creates a reality that defenders are ill-equipped to deal with. They simply don't know what to do about it; they can only implement the controls that they understand and know how to manage, and when they look to the industry for answers they don't know what to ask.
The Defender
In most organizations today, we are defending against the threats of 5 and 10 years ago. The reactive measures mandated to overcome threats take so long to propagate that by the time they are common practice the opportunist attackers have necessarily moved on to whatever isn't covered.
At almost any organization, the endpoints are:
- Windows machines added to an Active Directory domain, with
- Automatic screen lock,
- Managed Windows OS updates and
- Managed Antivirus. There is a
- Renamed built-in administrator account, with
- User password complexity and expiry set by policy and, hopefully,
- Limited user privileges.
That's it. That's all. Because that's what auditors flag and ask about, and that's what technology departments think that they are supposed to do. There are many gaps that technology departments do not address:
- Laptop users take their machines elsewhere, nay even unto public IP addresses outside the company network, where they are a second away from every cybercriminal on the internet with their running services completely exposed. This is of course bad enough, but it's exacerbated by the fact that
- Antivirus definitions do not get updated, and Windows patches and configuration settings are not delivered, for extended periods, and
- Host firewalls are disabled completely. Moreover,
- Third party patching is usually not addressed at all, or addressed reactively through software deployment, typically for Java, Acrobat and Flash, and
- The built-in admin password is the same for all machines and known at the very least to the entire IT department. It is bound to leak and not be changed, and if it is changed by a script or a policy, a savvy user can recover it from wherever that script or policy stored it.
- All your similarly configured, similarly vulnerable systems are networked and can reach each other freely. Any infected machine can spread the infection to all the others in minutes.
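Most of the gaps above can be confirmed in a minute from the machine itself. The following read-only audit script is an added example, not part of the original article, for a domain-joined Windows 8.1/10 or Server 2012+ machine; the day thresholds are assumptions, and the antivirus check only knows how to query Windows Defender.

```powershell
# Added example (not from the article): quick read-only audit of the endpoint gaps listed above.
# Run as a local administrator. $MaxPatchAgeDays and $MaxSigAgeDays are assumed thresholds.
param(
    [int]$MaxPatchAgeDays = 30,
    [int]$MaxSigAgeDays   = 3
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Patch staleness: Get-HotFix reads the same data as "View installed updates".
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or ((Get-Date) - $lastPatch.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings.Add("Patching: newest hotfix installed $($lastPatch.InstalledOn), older than $MaxPatchAgeDays days")
}

# 2. Antivirus signature age and real-time protection (Windows Defender only; other
#    products need their own console or WMI query).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("AV: real-time protection is off") }
    if ($mp.AntivirusSignatureAge -gt $MaxSigAgeDays) {
        $findings.Add("AV: signatures are $($mp.AntivirusSignatureAge) days old")
    }
} catch {
    $findings.Add("AV: Windows Defender not queryable on this machine; check your third-party AV console")
}

# 3. Host firewall: every profile should be enabled with inbound blocked by default.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings.Add("Firewall: $($p.Name) profile is disabled") }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall: $($p.Name) profile does not block inbound by default")
    }
}

# 4. The built-in Administrator is the local account with RID 500, whatever it was renamed to.
$builtin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin -and -not $builtin.Disabled) {
    $findings.Add("Admin: built-in administrator account '$($builtin.Name)' is enabled")
}

# 5. AutoRun: a NoDriveTypeAutoRun value of 0xFF disables AutoRun for every drive type.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) { $findings.Add("AutoRun: NoDriveTypeAutoRun is '$autorun', expected 255 (0xFF)") }

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a laptop that has been off the network for a fortnight and compare the output with what your systems management console claims about the same machine; the difference between the two is the gap the next section is about.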
This is familiar ground to all of us in Information Technology. Accepting this as a reality prevents us from doing what needs to be done to actually prevent damage.
What We Should be Doing
Simply from first principles and without resorting to the opinions of an industry analyst or research firm, or expecting the answer to come from legislative mandate or be supplied by the service provider, we can determine that the endpoint, the initial incursion point of multiple high profile attacks, has to be better guarded.
What do I mean by active defense? I mean the prioritization of protection mechanisms and the maximization of their benefit.
There are four major attack vectors to worry about regarding malware, advanced or otherwise. Three of them, in increasing order of difficulty to exploit, are:
- Malware infection via drive-by download, targeted email, removable storage or your own file server, through a browser or application exploit or by tricking the user into running a program,
- Network-based exploitation of running services, and
- Physical attacks against user machines.
I will treat the fourth, privilege misuse by an authorized system administrator, as out of scope for the purposes of this article and come back to it later. For now: your applications are vulnerable, and your antivirus can't fix that. The gaps in your patching and control infrastructure need to be addressed first, followed by your software control, followed by your network, followed by your physical machines. Nothing needs to wait for anything else, but in case you need to prioritize I'd use the order below:
- Configure your AV and system update mechanisms to patch machines both on-network and over the internet. No, you most likely do not need to invest more or change solutions in order to do that: read the documentation, consult your vendor, be wary that they may want to up-sell, and push to get it done.
- Speaking of which, study the gaps in your systems management and endpoint protection capabilities. Conduct an improvement program and run it like a project. Recommendations to wait for the next spending decision or the next upgrade are usually cop-outs; don't let them stall the work.
- Patch third party software. Companies today patch Windows because they are expected to but leave Office alone - not acceptable. Patch everything you can - there are ways for you to patch third party known-flaky software with ease. Use them.
- Don't use scripts or Group Policy Preferences to set the local admin password; the Group Policy Preferences method stored it in SYSVOL, encrypted with a key Microsoft had published, so any domain user could recover it. More likely than not, you don't need a built-in Admin account. Read MS14-025, sigh, then disable the account by policy, or use Microsoft's recommended tool, the Local Administrator Password Solution (LAPS), which gives every machine its own random password and rotates it, if you think local admin accounts might come in handy.
- Use DEP, ASLR and any other security feature you can get your hands on to protect known-flaky client applications (won't name them, you know who I mean) through something like Microsoft EMET. It isn't perfect, you'll need to test and develop profiles, but once you get it working it's free and it's much better than nothing. Yes, there have been demonstrated bypasses, but it defeats a whole lot of exploits and it's worth the investment of one admin's time. Patch the programs AND use EMET if you can, and use it as a compensating mitigation when you can't.
- Disable autorun, autoplay and execution from removable devices. If you can, disable removable devices completely, and if you can't limit their use to known devices on known systems.
- You may have a Mac or two, or hundreds. They're not secure by default, they can hurt you, and they need to be a party to all of the protections that you subject your Windows machines to. Linux too - sorry, just because Microsoft has been notoriously bad at security doesn't mean your other operating systems get a pass. Patch it, update it, AV it, take away admin, lock it down, by hand if you have to - don't complain if you let an OS on your network without a way to manage it, develop one instead. Prioritize Windows if you must but don't take your eye off the ball.
- Configure 802.1X authentication to only allow authorized machines onto your corporate network. MAC addresses are trivially spoofed and aren't enough, but they are a start until you have automated certificate enrolment in place and can authenticate your machines with their certificates (EAP-TLS). Do this first and only eventually set up NAC, since much of the work will already have been done, and done for free.
- Deploy and configure application control. I can't emphasize this enough. I've said before that it isn't a silver bullet but it comes as close as anything. The concept is sound and implementations are solid. Use it to inventory your applications, identify applications that should be authorized, and block all that aren't - this includes all but the most sneakily tailored malware out there. If a user really needs an app they can come and ask, and if your help desk can't be bothered, then I have news for you all - you're slipping.
- Configure and use your client firewalls to only allow authorized incoming connections from your client control and automation servers. Your client machines have no business talking to each other, and really have no business accepting connections from unknown IP addresses. For exceptions, if you for example use a soft-phone, you will have peer-to-peer connections that you can tie down to a binary and restrict to trusted IP ranges and servers. When you have your NAC up and running, test for this before letting them on.
- Back your user machines up, automatically. Yeah you have a share and ideally your users will save their files there but guess what? Ideally usually means not really. There's expense here too, but consider using (free Windows Server) de-duplicated storage and a relatively cheap NAS or disk array, and another one with replication. It's more than worth it when you can shrink your support burden, reduce your user's downtime, and bail them out predictably. This also helps your users accept the fact that you're going to wipe their machines, which brings us to ..
- Build a standard image with your authorized applications on it and latest security patches. Apply a security baseline configuration. Test this, make sure it works with all of the above protections, and schedule deploying it on your machines. All of them, no matter how the users take it.
- Invest in automated deployment. Your systems management probably sorta maybe can do it but isn't configured, DHCP, PXE, letters you don't want to hear about. If your vendor can do it, great, it's worth the money.
- DVD based installation media works faster than the network if you're doing it en masse, because it's cheap to make twice as many DVDs as you have support staff - make sure it works. Take your time, but a staff member should be able to get it done in two weeks if it's on the front burner and a month if it's on the back, and that's better than deferring it indefinitely.
- Ideally, you want to roll it out to every machine on the network. Some user machines may be difficult to re-image; let the difficult machines and users be the last and not the first 10%. Figure out what you will do about them later. Refresh your images often, rebuild all of your machines on a schedule.
- Encrypt your machines, password-protect your BIOS, enable secure-boot if you have it, prevent booting from removable devices. Consider physically disabling USB ports with epoxy. Your users don't need optical drives, it's 2015.
- Put your clients, and only your clients, on a supernet, and use that supernet to define client and infrastructure policies instead of "any". If your firewall doesn't understand zones, or you're still using the words DMZ and ACL, then it's time to pause and reflect.
- Filter outgoing traffic both on the client firewall and at the perimeter firewall. Protocols that you don't expect, destined for the general internet, have no business being allowed out. Monitor and investigate persistent blocked connections, they are either due to a misconfiguration that you can correct or due to funny business that you should weed out.
- Inspect your out-bound traffic. This is typically out-bound HTTP/HTTPS via a proxy.
- Have a proxy. Since you already set up a PKI to issue the machine certificates for 802.1X, use it to inspect HTTPS traffic as well; that means deploying your proxy's issuing CA to every client trust store, and applications that pin their certificates will need explicit exceptions. Make an effort to block tunneling techniques and VPN protocols - these have no business existing on your LAN, and are easy to conceal in HTTPS.
- Watch the user network like a hawk. Only after you've implemented the above successfully, have your bases covered, your systems patched, your endpoints and software inventoried, data flows accounted for, deviations investigated, controls in place, machines authenticated, non-compliant machines blocked, and your client machines all shiny clean and well maintained, only then do you have any business talking about anything advanced or space age.
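The client firewall, built-in admin and removable media items above are all plain Windows settings. The following script is an added example, not code from the original article, that applies them to one Windows 8.1/10 or Server 2012+ machine; in a domain you would push the same settings by Group Policy. The management server addresses, the WinRM port, the soft-phone binary path and the voice VLAN range are assumptions.

```powershell
# Added example (not from the article): endpoint baseline for the client firewall,
# built-in administrator and removable media items. Run elevated; values marked
# "assumed" are placeholders for your own environment.
$MgmtServers = @('10.0.10.5', '10.0.10.6')   # assumed: systems management / AV / WSUS servers
$WinRMPort   = 5985                          # assumed: WinRM over HTTP for remote management

# 1. Every profile on, inbound blocked by default, outbound allowed for now
#    (outbound filtering is a later step in the list above).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Disable the vendor's permissive inbound rules (file sharing, remote assistance, ...)
# but keep the Core Networking group, which carries DHCP and IPv6 plumbing.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -notlike 'Core Networking*' } |
    Disable-NetFirewallRule

# 2. The only inbound traffic a client needs is management from known servers.
New-NetFirewallRule -DisplayName 'Mgmt: WinRM from management servers' -Direction Inbound `
    -Protocol TCP -LocalPort $WinRMPort -RemoteAddress $MgmtServers -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Mgmt: ICMP echo from management servers' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $MgmtServers -Action Allow -Profile Domain

# The soft-phone style exception: peer-to-peer media tied to one binary and one trusted range.
# Both the path and the range are assumed; use the product's real binary and your voice VLAN.
New-NetFirewallRule -DisplayName 'Softphone media from voice VLAN' -Direction Inbound `
    -Program 'C:\Program Files\Softphone\softphone.exe' -Protocol UDP `
    -RemoteAddress '10.0.20.0/24' -Action Allow -Profile Domain

# 3. Built-in Administrator: the local account with RID 500, whatever it was renamed to.
#    Disable it; if you need a local admin, let LAPS manage a per-machine password instead.
$builtin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin) { net user $builtin.Name /active:no | Out-Null }

# 4. AutoRun off for all drive types, and no execution from removable disks.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPol -Force | Out-Null
Set-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Set-ItemProperty -Path $explorerPol -Name NoAutorun -Value 1 -Type DWord

# The GUID is the removable-disk device class used by the "Removable Disks: Deny execute access"
# policy; Deny_Execute = 1 is what that policy sets.
$removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $removable -Force | Out-Null
Set-ItemProperty -Path $removable -Name Deny_Execute -Value 1 -Type DWord

# Verify: what can still reach this machine?
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

Note that the management rules are bound to the Domain profile on purpose: a laptop on a coffee-shop network lands in the Public profile and accepts nothing at all, so patching and AV updates off-network have to be client-initiated (outbound), which is exactly the configuration the first item in the list asks for.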
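For the application control item, the built-in tool on Windows Enterprise editions is AppLocker, and its inventory-then-whitelist workflow is the one described above. The script below is an added example, not part of the original article: it inventories a clean reference build, generates publisher and hash rules from it, deploys them in audit mode, and checks how the policy treats a file in a user-writable folder. The directories, the policy file path and the test file are assumptions.

```powershell
# Added example (not from the article): build an AppLocker whitelist from a reference machine,
# deploy it in audit mode first, then test a file against it. Paths are assumed placeholders.
Import-Module AppLocker

# 1. Inventory what is actually installed on the reference image. Scanning C:\Windows takes a
#    while, but it is what lets signed OS binaries be allowed by publisher rather than by path.
$refDirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($d in $refDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe,Script,WindowsInstaller
}

# 2. Turn the inventory into rules: publisher rules where files are signed, hash rules otherwise.
#    No path rules, so a user-writable folder inside C:\Windows (Tasks, Temp) earns nothing.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher,Hash `
    -RuleNamePrefix 'Baseline' -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Put every rule collection in audit mode before anyone is blocked. Flip to 'Enabled'
#    once the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) has gone quiet.
$xml = [xml]$policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
New-Item -ItemType Directory -Path 'C:\Policies' -Force | Out-Null
$policyFile = 'C:\Policies\applocker-audit.xml'
$xml.Save($policyFile)

# 4. What would the policy do to something dropped in Downloads? (assumed test file; it must exist
#    so the hash can be computed). PolicyDecision 'DeniedByDefault' is the answer you want for
#    anything that was not in the inventory.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path "$env:USERPROFILE\Downloads\installer.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply locally. AppLocker does nothing unless the Application Identity service runs;
#    for a domain, add -Ldap 'LDAP://<GPO distinguished name>' instead of applying per machine.
sc.exe config AppIDSvc start= auto | Out-Null
sc.exe start AppIDSvc | Out-Null
Set-AppLockerPolicy -XmlPolicy $policyFile
```

The inventory of C:\Windows will include script hosts such as cmd.exe and powershell.exe; once the audit log shows who actually runs them, restricting those rules to the IT group is the usual next refinement, and it is the one that turns "all but the most sneakily tailored malware" into a fair description.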
All of this can be done for little expense. There's a learning curve, but so what? If you or your team don't want to learn you have bigger problems. I'm sure I missed something in the above; I missed many things and made many assumptions that professionals will challenge me on, but I intend to demonstrate that many things need to be adopted today that aren't, and that security is a matter of work.
You know what needs to be done. Your team knows what needs to be done. You don't need me to tell you any of the above, although I hope you find it useful. You have massive capabilities at your disposal that you are not using. Don't get distracted and frustrated by the latest innovations; they don't cover the fundamentals, that's your job.
Comments
Technical Manager (10 years ago): Very informative. Nothing but net!
Microsoft Success Manager (10 years ago): Good article. Though I have come to realize that educating users should be the first line of defense! It takes only one click from a user to open a gate to your network and make it vulnerable. Again, very useful article!
IT Executive (10 years ago): Very good standards that everyone can follow easily...
Technology Sales (10 years ago): With the outsourcing spree going on, who is drawing the rules of engagement? Great article, Sultan.