Brilliance in the Basics

Introduction


Tired of watching you and your friends get compromised, do exactly what's in this blog and start beating adversaries. Avoiding the memes adversaries win because of simple mistakes and neglect and we all already know what they are so I'm going to list them for you. Its all for free too.





Enumerate

To put it simply, there shouldn't be anything you don't know about your environment, you should know who all your users are, where all your electronic devices are and what they do, what applications you have and what versions they are. Enumeration is the jet fuel for making good defensive decisions. I wrote about how to enumerate your environment here Securing your estate: The First Step (goblinloot.net). Follow these steps and become the arbitrator of your own environment 

Your perimeter is a bridge, not a wall

Monitor your perimeter as best as you can but always assume it has already been defeated. Monitor endpoint system and process telemetry and southwest traffic for threats. Use your understanding of your environment to identify network activity that should not exist like domain controllers connecting to random domain names and build detections for them.

As much as possible segment your assets using ACLs on your switches so desktops cant communicate with MRI machines and other very much unrelated assets.

Take control of what is allowed on your assets

Most adversaries use binaries that need to execute regardless of their sophistication so take a whitelist approach and prevent items from running unless they are approved. This will defeat most malware. Controls like "Block at first site" and "Windows Defender Application control" are incredible at this. Projects like this will save your life https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig

With that said build robust channels between your IT department  and users so that they are confident the IT department is there to support them and provide them with what they need otherwise you will be plagued with shadow IT. You can read more about Shadow IT here Shadow IT: Your Bible (goblinloot.net).

Beyond WDAC Microsoft offers the two following ASR rules that will save you from new files that reveal themself to be malware.

  • "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
  • "Block executable content from email client and webmail"
These rules will cover the vast majority of initial access vectors.


Disable anything your organization isn't using

This is generally the premise of CIS controls and id highly recommend implementing them and if their configurable items in your operating system not in use just simple eliminating the vector can go a longway. A really fascinating example is RPC firewall which you can read about here zeronetworks/rpcfirewall (github.com).

ASR from Defender Antivirus is also a fantastic example of just eliminating vectors with 16 options you can just prevent from being abused.


Take control of internet browsing

Most users get compromised because they click and navigate to the internet, there are a multitude of controls available to reduce this risk. On servers or assets, you wouldn't expect users to browse to the internet enable all available zones security to the highest level.



Where users are permitted to browse the Internet implement a control like Defender SmartScreen to prevent access to websites with malicious or suspicious attributes, implement content type filtering to cut down the number of ADs accidentally clicked and enforce an ad blocker like unblock origin 



Plug and play does not exist

If you purchase a security technology and are told its all ready to go you have been lied too. Any control needs regular review, tuning and validation regardless of how much lobster the salesperson buys you. You need to ensure your new control is covering new and emerging threats and behaves as expected when tested.


If it's not for a human don't give it to a human

Too often people rely on "service accounts" for humans to execute services, this exposes what could of been a relatively low-risk activity into one full of human-related errors and vectors. If you are making use of Active Directory ensure you are using MSA and GMSAs at every opportunity. This also extends to highly privileged accounts, with the use of technology like Privileged access management and privileged identity management solutions the integrity of a highly privileged account can be increased tenfold as opposed to Jeff writing the password on a post-it note.


Set expectations for authentication

Your data is why your business exists and you should not allow people to access it whenever and however they like. Utilize controls like conditional access policies to limit authentication attempts to:

  • Geo locations
  • Managed Devices
  • Strong authentication methods
  • Risk-based scoring
At a minimum, these criteria will stop an adversary from just getting lucky.

Summary

Think about the adversary and not what's convenient for you, you are responsible for data that belongs to humans that could jeopardize their lives. Try harder.







Popular

Endpoint on Adrenaline : One

Investigate

Endpoint on Adrenaline 3

Writing detections when stuck with EDR

Endpoint on Adrenaline Two

Why you need to be purple!

Standardized Note Taking Format For Analysts

Investigate Two

Securing your estate: The First Step