How to Mitigate Against Targeted Cyber Intrusion
Published: January 21, 2013
Author: James Kavanagh, Chief Security Advisor, Microsoft Australia
Your Organization is a Target
Sensitive government information, corporate intellectual property, financial information and private personal data are being lost to cyber intrusions targeted at government agencies and private enterprises. Hacking, defacement and denial-of-service attacks can severely disrupt your organization’s online presence, damage your customers’ confidence and even lead to loss of extensive customer information.
More persistent threats, incorporating spear phishing and remote access technologies, selectively target individuals to gain a foothold in your network and then proceed to remove sensitive data or intellectual property. And it’s not just the largest government and enterprise organizations at risk. Globally, small and medium businesses along with state and local governments have suffered losses due to these types of attack. Microsoft documented this alarming trend in a supplement to the Microsoft Security Intelligence Report v12.
But there are very effective protections that you can put in place, and they need not require new investment in technology or personnel. The Australian Defence Signals Directorate (DSD) has published guidance on the top 35 strategies to mitigate against targeted cyber intrusion and concluded that at least 85% of the intrusions they responded to in 2011 and 2012 would have been prevented if only the top four of these mitigations had been in place.
These top four mitigations only require organizations to employ application whitelisting technology, maintain current, patched applications and operating systems and effectively restrict the use of administrative accounts. In this paper, we provide a brief overview of how a targeted cyber intrusion typically plays out and highlight how the DSD top four can be the foundation for your organization building greater resilience to targeted cyber intrusions on your network.
Targeted cyber intrusions can take advantage of a variety of technical and human weaknesses, such as web servers susceptible to injection of code, unpatched browsers that inadvertently enable malware downloads or users who succumb to opening malware laden email attachments. There is no single pattern of attack, nor is there an entirely predictable sequence of events. An attack might be a single event that lasts for minutes or a sustained progression of intrusions that last for months or even years. However, it is useful to conceptualize a targeted cyber intrusion in terms of three stages:
1. Code execution
An adversary performs reconnaissance to select a target user, and sends this user a malicious email containing a malware-laden attachment or link to a web site. When the user opens the attachment or visits the web site, malicious code is executed on the user’s workstation and is typically configured to persist by automatically executing every time the user restarts their computer and/or logs on. The malicious code is remotely controlled by the adversary, enabling them to access any information that is accessible to the user.
2. Network propagation
The adversary moves through the network to access information on other workstations and servers. This might include Microsoft® Office files, PDF files as well as information stored in databases. Adversaries also typically access system information such as network topology, as well as details about users including usernames and passphrases. Although passphrases might be stored as cryptographic hashes, cracking such passphrase hashes to derive the passphrases may be fast, cheap and easy unless all users have selected very strong passphrases.
3. Data exfiltration
The adversary extracts information from the network using network protocols and ports allowed by the organisation, such as HTTPS, HTTP, or in some cases DNS and email. The adversary typically leaves behind several compromised computers as a backdoor to facilitate further exfiltration of information in the future.
The DSD Top Four
The Australian Defence Signals Directorate is the premier organization in Australia charged with responding to cyber security incidents that affect national security. Based on lessons learned from responding to numerous incidents through 2010 and 2011, DSD published a set of 35 mitigations that they found most effective at countering targeted intrusion. The full list can be found at http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm, but of fundamental importance in particular are the top four:
Application Whitelisting
Application whitelisting is about identifying specific executables and software libraries that should be permitted to execute on a given system, then enforcing a policy so that only those identified components can operate. A system protected by explicit whitelisting of allowed applications will typically block malware such as a remote access tool from executing, providing an effective mitigation against the first stage of a targeted attack.
Microsoft AppLocker is a set of policy settings and software components within Windows 7, Windows 8 and Windows Server 2012 that effectively allows multiple levels of enforcement as well as several methods of recognising whitelisted executables.
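The following PowerShell is an added example, not code from the paper or from Microsoft: it builds an AppLocker whitelist from the software already installed in the trusted install locations, applies it in audit-only mode so that nothing is blocked before the policy has been reviewed, and then checks how a file dropped in a user profile would be treated. The output path, the directories inventoried and the test file name are assumptions; the cmdlets, event log name and event ID are the standard AppLocker ones. Run it as an administrator on a Windows 7 or later workstation.

```powershell
# Added example: stand up an AppLocker whitelist in audit mode and test it.
Import-Module AppLocker

$policyPath = 'C:\Temp\AppLocker-Audit.xml'   # assumed output location

# 1. Inventory the executables and DLLs that are legitimately installed.
#    Recursing through C:\Windows is slow but gives the OS its own rules.
$fileInfo = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll }

# 2. Generate rules: signed files get Publisher rules (they survive vendor
#    updates), unsigned files fall back to Hash rules. -Optimize merges
#    rules that would otherwise be duplicated per file.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Start in AuditOnly: nothing is blocked yet, but every file that *would*
#    be blocked once enforcement is enabled is logged as event 8003.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. AppLocker only enforces while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Apply locally. In a domain, publish the same XML through a GPO
#    (Set-AppLockerPolicy -Ldap) instead of per machine.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 6. Dry-run: an executable saved from an email attachment lands in the user
#    profile, which has no rules, so the decision should be Denied.
#    (The file must exist; 'invoice.exe' is an assumed sample.)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:USERPROFILE\Downloads\invoice.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 7. Review what the audit log caught over a pilot period before switching
#    EnforcementMode to 'Enabled' and re-applying the policy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Leave the policy in audit mode long enough to cover a normal business cycle (month-end tools, rarely used line-of-business applications) so that the 8003 events reveal legitimate software that still needs a rule.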
Maintain Patched, Modern Applications
Unpatched applications have become the most common vector for exploitation primarily due to significant vulnerabilities discovered in versions of Microsoft Office, Adobe Acrobat, Oracle Java, and all common internet browsers. Frequently, the vulnerabilities exploited by attackers have been public for some time with protective updates already available from vendors but not yet deployed within the targeted organisation. This time delay between availability of an upgrade and its deployment within an enterprise must be minimised, especially for critical updates. Unfortunately, many applications have unique patching methods and requirements that can be challenging to integrate into a single, managed process.
Microsoft provides update tools for the enterprise called Windows Server Update Services and guidance for the patching process in the Microsoft Security Update Guide. This guide was designed to help IT administrators develop a repeatable, effective deployment mechanism for testing and releasing security updates. Furthermore, Microsoft System Center Configuration Manager 2012 can provide an integrated update mechanism for all software applications from any vendor.
Maintain Patched, Modern Operating Systems
Effective system hardening begins with the deployment of current, fully updated operating systems, and it is important to recognise that modern operating systems are far more secure than legacy platforms. Against a determined attacker, a fully patched Windows XP operating system does not provide anywhere near the equivalent security protections of a fully patched Windows 7 or Windows 8 operating system.
This reduction in security risk in modern operating systems is primarily due to features such as user account control, feature lockdown by default and memory protections along with support for security controls like data encryption (Microsoft BitLocker) and application whitelisting (AppLocker). To help with assessing a migration to current operating systems, Microsoft provides a free tool called the Microsoft Assessment and Planning Toolkit. This toolkit can be used for agentless inventory of an IT environment, assessment of hardware and software readiness for migration, and custom reports detailing hardware, device and operating system readiness.
Restrict administrative privileges
Administrative privileges need to be tightly controlled and restricted to a small number of known users who must abide by strong authentication policies. Attackers will typically work towards obtaining the credentials of an administrator as this enables them to extend their network access, gain higher levels of access to resources and even cover their tracks. Minimising administrative privileges makes it more difficult for the adversary to extend their intrusion or hide their existence on a system. Microsoft recently published a white paper on the Pass-the-Hash exploitation technique used by many attackers which details effective steps in reducing administrative privileges.
Microsoft Forefront Identity Manager 2010 provides a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments. It can help with restricting administrative privileges and enabling stronger authentication.
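As an added example (not from the paper or from any Microsoft product), the following PowerShell turns the "small number of known users" requirement into a check that can be run on a schedule: it expands the built-in high-privilege Active Directory groups, including nested membership, and reports any account that is not on the approved list or that has been excused from normal password policy. The approved account names and the 90-day threshold are assumptions; the group names are the Windows defaults. It requires the ActiveDirectory module (RSAT).

```powershell
# Added example: audit privileged AD group membership against an approved list.
Import-Module ActiveDirectory

# Assumed: the short list of accounts the organisation has approved for admin use.
$approvedAdmins = @('Administrator', 'adm.jsmith', 'adm.akumar')
$maxPasswordAgeDays = 90   # assumed policy threshold

# Default Windows groups whose members effectively own the forest or domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups; that is where unexpected admins usually hide.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties Enabled, PasswordNeverExpires, PasswordLastSet
            $ageDays = if ($u.PasswordLastSet) {
                [int]((Get-Date) - $u.PasswordLastSet).TotalDays
            } else { $null }   # never set: treat as a finding below

            [pscustomobject]@{
                Group                = $group
                Account              = $u.SamAccountName
                Enabled              = $u.Enabled
                Approved             = $approvedAdmins -contains $u.SamAccountName
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordAgeDays      = $ageDays
            }
        }
}

# Anything not on the approved list, or outside the password policy, is a finding.
$findings |
    Where-Object {
        -not $_.Approved -or
        $_.PasswordNeverExpires -or
        $null -eq $_.PasswordAgeDays -or
        $_.PasswordAgeDays -gt $maxPasswordAgeDays
    } |
    Sort-Object Group, Account |
    Format-Table Group, Account, Enabled, Approved, PasswordNeverExpires, PasswordAgeDays -AutoSize
```

Disabled accounts still appear in the report on purpose: a dormant account left in Domain Admins is exactly the kind of membership that should be removed rather than ignored.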
About the Author
James Kavanagh is the Chief Security Advisor for Microsoft Australia. He works with Australian federal and state cyber policy makers, law enforcement, government agencies and enterprises, along with the international Microsoft teams focused on secure platform deployment, information security assurance, digital crime disruption and information sharing.