Network Forensics
William Stevenson
October 2, 2020
Lab 6
CMIT 460-6380
Professor Bill Wary
Mitigation
Without knowing the specifics about what caused the vulnerability on the asset 10.10.5.69 and left it open to be attacked and exploited, it is difficult to tailor mitigation techniques to this specific instance. However, several catch-all approaches can be broadly applied that will likely patch out most avenues of attack.
The easiest and most important step is to keep any and all software and operating systems up to date with the latest patches and firmware. As exploits are discovered by or brought to the attention of vendors, security patches are rolled out to resolve the issues. Not installing these updates in a timely manner leaves any system using the software open to attack. While not all of these patches will resolve issues specific to avenues of attack that are likely to affect every organization, the best practice is to either automatically install updates, or to have a nightly patch period where services are shut down for a short amount of time to install patches. Making these patch windows nightly will ensure that the organization is never behind on critical patches when they are rolled out.
Installing and maintaining up-to-date antivirus and antimalware software on all systems is also a cost-effective and easily implemented mitigation solution. These software packages usually auto-update to include all known virus signatures as they become available and can be configured to automatically act in the event of detecting malware. The ability to automatically quarantine the malware without relying on external actions is extremely useful and helps eliminate human error in the response process. Human review of all automated actions would be highly recommended to catch and rectify false positives.
Maintaining regular backups for critical infrastructure and services is highly recommended. Full software backups of all assets would be best if economically practical, as would redundant hardware backups for critical systems. Last known working images, or clean images, stored on a server that is isolated from the main network would be useful to maintain in the event that an asset is fully compromised and no backup exists, or in the event that backups are corrupted as well, and would be very cost effective to implement.
Implementing multi-factor authentication for access to all assets and strictly enforcing the principle of least privilege would be extremely cost-effective mitigation solutions, as well as basic input validation and checking for passwords. In the case of this attack, the malicious actor attempting multiple SQL injection attacks on the admin account. Backend input checking and validation would immediately discard these SQL statements from the input and render the attack useless. Additionally, multifactor authentication would mean that even if the attacker is successful in obtaining the admin credentials, they still will not be able to log in without a second layer of authentication such as a physical token or biometric validation. Finally, the principle of least privilege will ensure that the attacker is limited in the number of accounts that have access to admin rights, meaning focus can be given to these specific accounts for tighter security policies and monitoring. Narrowing the target pool that the attacker would reasonably be interested in and limiting who has valid access to these accounts makes it easier to identify attacks and to defend against them.
Network segregation and active monitoring are more expensive but much more effective mitigation techniques. Utilizing a network DMZ for public-facing assets, such as web and application servers, and segregating critical internal infrastructure to the extent reasonably possible behind strict ACLs and inbound firewall policies are industry best practice. This would mean that the most vulnerable assets would be separated from internal assets by increasingly strict security policies for inbound traffic, making it more difficult for a malicious actor to laterally hop from a less-secure web server to an internal host and beyond. Active network monitoring in the form of intrusion prevention and detection systems will enable automatic blocking and reporting of anomalous traffic, as well as giving network administrators the tools to monitor system performance and user behavior for anything out of the ordinary. It is essential to incorporate human review of traffic analysis reports as malicious actors become better and better at hiding malicious traffic within legitimate traffic, which can fool automated detection and prevention systems.
Organizational Changes
The first organizational change I would recommend would be a full review and revision of the firewall policies, particularly the inbound traffic rules on the asset that was compromised. The attack was able to happen because port scanning on the asset revealed open and vulnerable ports. Several open ports were found and at least one was able to be exploited, meaning that the firewall rules are not configured correctly for at least that one port. To be safe, I would recommend a full review of the inbound and outbound firewall rules for the asset, as well as any internal network firewalls should the asset be in a DMZ. It is more likely that there are lax firewall policies among all firewalls if the external firewall is misconfigured.
After plugging any holes in the firewalls, a system-wide review of all software and operating systems should be conducted to ensure that all relevant security patches and firmware updates are in place, as well as ensuring proper enterprise antimalware is installed and configured correctly on all devices. Once everything is verified to be up to date, an organizational policy should be established to institute a nightly maintenance window during which network or system admins can install vendor patches. If the network is sufficiently redundant, this can be accomplished without taking services offline. It is key to install patches as soon as possible because malicious actors will take advantage of patch notes from vendors that detail the vulnerabilities that the patch fixes, which describes exactly how to attack organizations that do not install these patches in a timely fashion.
Creating a unified organizational policy regarding the creation, storage, and administration of backups can greatly assist in recovery efforts for little overhead investment. A unified policy is essential to ensure compliance and a predictable action plan should a security event occur. The most robust solution would be inline hardware redundancy for all critical infrastructure and full backups of all infrastructure. A more economical solution would be full backups of critical infrastructure only. Either way, clean images of all devices on the network should be maintained for reimaging.
The most expensive organizational changes would be related to network segregation and monitoring. Network monitoring solutions are a significant investment, but prove extremely valuable. Automated monitoring for anomalous network activity, traffic reports and analysis, and active threat monitoring can pick up the slack for any other mitigation techniques not implemented fully or correctly, or that are subject to human error. Virtualized or physical intrusion prevention systems can stop attacks dead in their tracks before damage can be done, well before even the most diligent human would be able to identify it. If the organization has not implemented a robust active network monitoring solution, one should immediately be procured and implemented with input from technical leadership in shaping the network traffic rules.
Implementing a DMZ if one does not exist should be the next step after active monitoring, as this would prevent malicious actors from reaching internal network resources. The asset that was attacked is likely a web or application server, making it more vulnerable to attack. Segregating this asset would contain the intrusion if another were to happen. Similar to the least privilege policy, critical infrastructure should be segregated behind the most restrictive firewall possible without disrupting service. Limiting the number of individuals and devices that can access this infrastructure limits the ability of an attack to successfully reach them and disrupt critical services.
Finally, the organization should immediately roll out a multifactor authentication policy. Multifactor authentication is the single most effective tool against access-based attacks both internal and external. This includes phishing and other social engineering attacks, which are shown to be highly successful, even in high-security environments. Biometrics are recommended above physical tokens as the second authentication method, as they are significantly harder to spoof/steal and are nearly impossible to lose, but this is the more expensive solution. Should the organization opt for a physical token authentication solution, they would need to implement a parallel policy regarding the administration, tracking, and replacement of physical tokens to prevent misuse and abuse. Multifactor authentication should be used to access any and all organizational resources but are of particular importance for critical infrastructure and high-level privileged accounts. While this may not have mitigated this specific attack, it is a simple and very cost-effective way to harden a network against its most vulnerable components being compromised: users.