Monday, February 12, 2024

Perception is Deception - Beware your Normalcy Bias...



“...All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near...”
Sun Tzu, The Art of War

Monitoring Active Directory OUs and Group membership changes is a Category One [HIGHEST] risk mitigation strategy, absolutely... however...

Are you monitoring [and using REAL TIME ALERTING?] for all of the Domain Admin "...equivalent..." OUs and Groups?

...PROBABLY NOT...
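As an added example (not part of the original post and not a ThreatSTOP or ADSECURITY.ORG tool), the script below does the two things the question above asks for: it baselines every group that AdminSDHolder protects (the "Domain Admin equivalent" set, selected with adminCount=1) and then pulls the group membership change events from a domain controller's Security log so they can be alerted on. It assumes the RSAT ActiveDirectory module, read access to the DC's Security log, that the "Audit Security Group Management" subcategory is enabled, and that $DomainController and $LookbackHours are the caller's own parameter names; the extra group names are this example's assumption of what a given domain may not flag.

```powershell
# Added example: baseline AdminSDHolder-protected groups and surface recent
# membership changes from a DC Security log. Assumed parameter names.
param(
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory

# 1. Baseline: every group AdminSDHolder protects (adminCount=1), plus two
#    well-known privileged groups that are not always flagged (assumed list).
$protected = Get-ADGroup -LDAPFilter '(adminCount=1)' |
    Select-Object -ExpandProperty Name
$extra = 'DnsAdmins', 'Group Policy Creator Owners'
$watch = (@($protected) + $extra) | Sort-Object -Unique

$baseline = foreach ($g in $watch) {
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{ Group = $g; Count = @($members).Count; Members = ($members -join ';') }
    } catch {
        Write-Warning "Could not enumerate '$g': $_"
    }
}
# Keep the baseline so the next run (or an auditor) can diff against it.
$baseline | Export-Csv -Path '.\privileged-groups-baseline.csv' -NoTypeInformation

# 2. Detection: a membership change is logged on the DC that processed it.
#    4728/4732/4756 = member added to a global/local/universal security group,
#    4729/4733/4757 = member removed (documented Windows Security event IDs).
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757
$filter = @{
    LogName   = 'Security'
    Id        = $addIds + $removeIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$changes = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named EventData fields from the event XML rather than relying on
        # positional Properties[] indexes, which differ between the event IDs.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = if ($_.Id -in $addIds) { 'ADDED' } else { 'REMOVED' }
            Group   = $data['TargetUserName']
            Member  = $data['MemberName']
            Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } |
    Where-Object { $_.Group -in $watch }

# 3. Alert: any change to a watched group is a highest-priority event.
if ($changes) {
    $changes | Sort-Object Time | Format-Table -AutoSize
    # Replace this line with the call into your SIEM, paging or ticketing system.
    Write-Warning "$(@($changes).Count) privileged group membership change(s) on $DomainController in the last $LookbackHours hour(s)"
} else {
    Write-Host "No privileged group membership changes on $DomainController in the last $LookbackHours hour(s)."
}
```

Run it on a schedule (or wire a task to the event IDs above) rather than once: the baseline CSV turns the next run into a diff of who holds these rights, and the event query is what gives you the real time half of the question. Changes made on another DC appear in that DC's log, so query every writable DC or centralize the logs.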

If you're looking for a spot near and dear to your CISO's heart, couple this with the one-two punch of implementing some top-shelf DNS Security Monitoring like "Digital Defense Cloud" from the great folks at ThreatSTOP in Carlsbad, California. You can thank me later...

As Will Smith would say, "...get jiggy wit it!..." and REALLY minimize your attack surface and risk posture by getting this set up today!

A brief musical interlude...

See the attached articles and, if you really want the inside scoop, check out the excellent companion article at ADSECURITY.ORG for more on this topic.

SOME EXCELLENT REFERENCES on AD GROUP and OU monitoring, not for the faint of heart...

Microsoft Guidance

From the pros @ ADSECURITY.org

Tuesday, January 9, 2024

Part Two: Effortless Credential Harvesting


"...One popular means of credential access is the use of Mimikatz, described as the “AK47 of cyber” . The OverWatch team regularly sees Mimikatz used by both targeted adversaries and pen testers..."

Quote from CrowdStrike Co-Founder, Dmitri Alperovitch.

BOTTOM LINE UP FRONT:

Risk Awareness... it's got to be a cornerstone of your Attack Prevention Strategy... so where can you get a "...Cyber Security Early Warning System?..."

Since I am not attempting to sell you anything, I'll tell you the truth... you need a stellar DNS Security Tool as the Crown Jewel of your Attack Prevention Strategy. There are many players, mostly Johnny-come-latelies on the far side of the Technology Adoption Curve, fighting over the crumbs in the marketplace.

One of the only companies we recommend to our customers is "ThreatSTOP" from Carlsbad, CA. They have the de facto competitive advantage: the creator of DNS, Dr. Paul Mockapetris, is their Chief Scientist and has been on their team for over seventeen years. Hard to beat that!

SOME EXCELLENT REFERENCES on MIMIKATZ BASED CREDENTIAL HARVESTING

the BEST explanation ever!

 Also great analysis..

 Great walk thru of a Mimikatz Credential Harvesting Attack

 Great non-technical backgrounder...


Tuesday, December 12, 2023

Part One: Effortless Credential Harvesting



"...Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) group—basically the country’s chief hacker—gave a rare public talk at a conference in January. In essence, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks: “A lot of people think that nation states are running their operations on zero days, but it’s not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive..."

Quote from Bruce Schneier, https://www.schneier.com/blog/archives/2016/05/credential_stea.html

BOTTOM LINE UP FRONT

An effective Cyber Security Program is all about risk mitigation, and resources are a factor: budget and labor dollars are always being scrutinized by the Business.

Sadly, these same Business folks read... they read Cyber Security FUD [Fear, Uncertainty and Doubt] and they love to give you advice!

Ensure that your Enterprise Risk Register is a well discussed topic at your Steering Committee Meetings!

Here are a few excellent references on "Credential Harvesting". Add this as a high priority on your Cyber Security Project Roadmap for next quarter.

SOME EXCELLENT REFERENCES:

Credential Harvesting

Windows Credential Manager Mitigations

Windows Credential Harvesting Quick Guide

Adventures in Windows Credential Harvesting



Tuesday, January 24, 2023

Cyber Security ROI for the CEO- Part Six - People, Process & Technology


"...be truly honest with yourself. Are all of your people the right ones for their jobs? The reality is that some are probably hurting your cause more than helping. Your greatest performers must get it, want it, and have the capacity to do it..."
Gino Wickman, Traction


BOTTOM LINE UP FRONT

The Cyber Security business is first and foremost a People Business [it is only about the People and the Business, period]. If this surprises you, you should honestly think about stepping aside and hiring a different type of person as your CISO, one who holds these beliefs as non-negotiable core values, as nothing else will do.

A CISO who hides (overtly or inadvertently) behind techno-babble is not a value add to the business. A CISO who can analyze risk, and allocate resources accordingly in lock step with the Strategic Goals of your business, is both a value add and a force multiplier.

Be truly and harshly honest with yourself: is this the type of person who is your current CISO? If not, you owe it to your business, your BoD, your shareholders, and your employees to be both the sheep dog and the wolf and drive tactical decisions in support of your long-term strategy.

Get yourself a CISO who almost never says the word Security, who always discusses Strategic Business Goals in the context of Cyber Security goals, principles, strategies and operational processes.

Each Leader in your organization is given personnel and capital resources to support Strategic Business Goals. If they are not delivering, and they have not asked for the resources needed to deliver satisfactory results, they are not a good fit for the role of CISO. Act accordingly.

THE PEOPLE COMPONENT

Let me say it early so the outrage can get out of the way...

There is no Cyber Security Talent shortage.

There are only weak managers (certainly not leaders) who use weak excuses for why:

  • Their Cyber Security Roadmap is not delivering business results
  • Their Risk Management Program is not delivering business results
  • Their investment in Tools is not delivering business results

The list goes on...

To solve your Cyber Security Talent Shortage problems, look no further than your current IT Department.

Let me say it early so we can get the outrage out of the way...

IT services are a commodity now; we've had them for half a century.

Your CIO knows this, so let's just face up to it. If you want great Cyber Security Talent:

  • Look no further than your current IT Department(s)
  • Actively encourage and incentivize your IT Department personnel to transfer into your Cyber Security Department(s)
  • Your investment in training will be a trivial cost when compared to the value to the Business.
  • It's a fact that IT skills are easy to replace. They are a commodity.

Your IT Department people already work for you. They are a known commodity: they know your business, they know your processes, they know your networks, they know your Strategic Business Goals (hopefully), so they are resources that need to be actively managed for the good of Strategic Business Goals. Period.

KEY TAKE AWAY: Aggressively source Cyber Security talent from your existing IT Department staff members.

ANECDOTE: ...I used to have the Service Desk Manager send me reports on which IT staff were the most productive in closing tickets... this was a key indicator over time of their troubleshooting ability... these folks were very successful Cyber Security Practitioners at the end of training...

THE PROCESS COMPONENT

Let me say it early so we can get the outrage out of the way...

Documentation in both the IT and Cyber Security organizations isn't just important, it's critical. How this documentation is maintained and continuously validated is also important.

If your CIO and CISO have to be told this, they are not the right team members to support your business. Period.

As a Business Leader, what do you get for your investment in documentation (Process and Procedure Documentation in particular)?

  • Repeatable Business Outcomes: Business Service disruptions and those "...oops..." moments become a thing of the past (mostly).
  • Better Audit Results: Auditors will ask an employee to generate an audit artifact or tell them (the auditor) how they do a process. The employee's first action must be to go to the Process Library online, open the germane process (or procedure) document and follow it to the letter. If your employees are following written process or procedure as required by Policy, auditors will likely be satisfied.
  • Better Employees: Your documentation becomes your new employee training program. No more new employee frustration at shoddy on-boarding. Map Process and Procedure documentation to their position in the org chart. When on-boarding, have them read, then practice, then be observed by their supervisor following the documentation. Give them ownership of the documentation that is critical to their job and make them responsible for maintaining and updating it. This will drive a "...no negative business outcomes..." mindset that can only benefit the business and gain alignment with Strategic Business Goals. What's not to like?
  • Continuous Improvement: By assigning a Manager as the Process Owner and a team member as the Process Manager, and making this a key component of the annual review process, your employee KPIs are both measurable and in lock step with Strategic Business Goals.

KEY TAKE AWAY: Well-designed and well-documented processes and procedures are the key to meeting Strategic Business Goals, including retaining skilled and knowledgeable employees.

ANECDOTE: When I was a lowly telephone tech support person at Microsoft, it was mandatory to document two hours a day; it was a firing offense not to do so...

THE TECHNOLOGY COMPONENT

In both the IT and Cyber Security Department(s), "...tools..." are a significant capital expense. Not only that, each tool carries with it an annual maintenance contract equal to, on average, 20% of the purchase price. Over the next five years you will pay 200% of the acquisition cost just to have that tool.

Ask your CIO and/or CISO:

  • To establish and demonstrate a tool evaluation matrix that addresses tool costs, benefits, features, and ROI, including mappings to:
    • Strategic Business Goals
    • Business processes
    • Skill sets
    • Audit controls and artifacts
    • Automation capabilities
  • That the tool is not duplicating the capabilities of other tools.
  • That the capabilities of the current tools have not been "...overcome by events..." such that a newer tool would provide significantly greater capabilities at a better cost point.
  • That the capabilities of the tools have been mapped to business, audit and/or compliance requirements.
  • That the required Audit Artifacts mapped to each tool have been automated to the greatest extent possible (and practical), such that labor dollars have been returned to the Departments.
  • If this is not automated, ask for proof that it cannot be automated.

When you ask, "...show me where each tool that the Business is currently paying for is mapped to Critical Business Process support and/or Compliance requirements or Risk Mitigation...", be on the lookout for blank stares from your CIO and/or CISO... if you see them, your next stop should be a chat with the VP of HR...

Don't accept vague answers. It is natural for people to become complacent over time; if you hear the lament "...that's the way we've always done it...", this should be your key indicator that the tool has become a sacred cow and is ripe for justification, or replacement.

KEY TAKE AWAY: The tools in the IT and Cyber Security Department(s) are owned by the business. Period. There must be an agreed-upon master plan for all tools, regardless of who manages them, that clearly shows how each supports the Strategic Business Goals of the Business. This is a non-negotiable condition of further employment.

ANECDOTE: If your tools investments are not currently mapped to Strategic Business Goals, Compliance and Risk targets, find Leaders and Managers who understand this key requirement to replace the ones that you currently have. They are not aligned with your Strategic Business Goals.

Resources, where can you get help?

Gino Wickman, and his world changing book, "Traction"

Traits of Great Leaders


Friday, December 17, 2021

Cyber Security ROI for the CEO - Part Five - Incident Response Realities



"...If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle..."
Sun Tzu, The Art of War

Bottom Line Up Front

The bedrock of a mature Incident Response Capability is a brutally honest understanding of where your preventative and detective controls are strong and where they are weak, and your personnel's confidence in a "...no fear..." incident reporting policy.

Incident response is a "...people thing...", not a technology thing. The ease of use of the process spells either the success or failure of the program - and maybe the same for your business.

What we will discuss in this section:

  • Why your Communication Plan IS the Incident Response Program [IRP]
  • Insurance and Corporate Risk
  • Types of "incidents"
  • What works re: triage "incidents"
  • Your Incident Response Process
  • Why tools cannot save you...
  • Why your Risk Register is the backbone of your Incident Response Program
  • Why your Risk Committee must own the Incident Response Program
  • Resources, where can you get some help?

Why your Communication Plan IS the Incident Response Program

An "incident" can and should be reportable by anyone... the ease of and familiarity with the process by all personnel will define the effectiveness of the program. An easy-to-use, "...no fear..." (of blow-back) based process will give you timely results you can use, right now, to protect your business.

Since we're talking people here, communication is the key:

  • Who is the point of contact [POC] for the IRP? Are they available 7x24x365? Here's a hint, your "Service Desk" staff should be extremely well trained and "own" the possible incident until handed off to the Leadership Team. You must empower them (really) to expend resources to protect your business until someone more knowledgeable arrives on the scene.
  • How well is the POC trained to calm down the person reporting and gather information?
  • How quickly can the POC contact a business decision maker to take action?
  • Who "owns" the incident, cradle to grave?

The quality of your Service Desk staff's Incident Response training will be 90% of the success of your IR Program, bank on it.

Insurance and Corporate Risk

Cyber Security insurance has become a significant component of an organization's cyber risk mitigation planning. Cyber Security insurance primarily covers the often excessive and normally under-budgeted expense of responding to a major cyber incident. Unfortunately, most cyber insurance policies are purchased in conjunction with Workers Comp, E&O, D&O, etc., and without direct input from the cyber security group.

If this is the case, take action now to ensure that your Legal, Compliance, Risk and Cyber Security Leaders sit down, review your Cyber Security Insurance Policy and, if necessary, develop a punch list of "issues" and facilitate a negotiation with your Insurer to tailor your coverage to exceed the needs of your business, protecting your market share and competitive advantages.

Cyber insurance policies are contracts that establish expectations between the insurer(s) and the insured. If these expectations are not satisfied, the insurance policy may not deliver on its promise.

More importantly, these policies will provide your incident response team with a plethora of tools to move swiftly and decisively to reassure customers, investors and to protect your business.

Types of "incidents"

From a policy perspective, document your types or phases of incidents, so that in the event of legal action, you can adequately justify your actions.

There are normally three types of incidents:

Potential Cyber Incidents: these are "incidents" where so little is known that they are not actionable. As a matter of policy, until a "potential incident" is handed off to the Incident Response Team, it should only be referred to as a "potential incident".

Cyber Incidents: these are identified "Cyber Security Related Incidents"; we believe they are Cyber Incidents, however, we are still collecting information and performing triage.

Reportable Cyber Incidents: these are the real deal; they meet all the legislative, legal, regulatory or policy requirements as "reportable". You may still be collecting information and performing triage, but you have legitimate business risk involved. You are required to notify, at a minimum, your insurer, legal, any regulatory oversight bodies, etc... Before you do, find your Corporate Communications Policies and Officer and take a few minutes to assign tasks and set expectations. This is where people are navigating uncharted territory and may get emotional. Work hard to keep things low key and level headed.

What works re: triage "incidents"

How do you get real time visualization of your enterprise, so that your IR Team can function rapidly? How will you contact the correct key personnel in a timely manner for decision making and consensus building? Better to work that out now.

The neat thing about this is that the requirements here are functional, as opposed to the nonfunctional ones in prevention and detection. So, the good will beat out the mediocre. We need to build good things and bring people and technology together to mirror less of IT and more of generic risk management. We can learn a lot from other domains that have been doing this for decades.

Your Incident Response Process

The classic approach to Incident Response is made up of four phases: (1.) Preparation; (2.) Detection & Analysis; (3.) Recovery; (4.) Post Incident Activities. Let's look at each in a little depth:

Preparation Phase: This is your training and "risk register" phase. Creation, care and feeding of your "risk register", attention at the Risk Committee meetings, grooming, validation, allocation of resources to mitigate, etc... Training of your Service Desk team in their role as "Incident Response - First Responders" is your key performance indicator in this phase.

Detection & Analysis Phase: This is where your training pays off; your "first responders" are appropriately trained and resourced to act swiftly and decisively to protect your business. Bringing the right people together at the right time to ACT!

Recovery Phase: The worst is over and now it's time to manage resources to get back to customer focused resource allocation. Hold the Champagne until your customers are happy again...

Post Incident Activities: This is where most businesses scrimp, but in reality where most businesses should lavish resources. What did we learn? How can we, proactively, work to ensure that that never happens again? What training, policies, processes, procedures, people, etc... need to be modified to better support the business continuity plan should we find ourselves in another emergency situation? Do yourself a big favor: spend most of your IR time here...

Ensure, if you can, that your Cyber Security Insurance covers these post incident activity costs. If it does not, see if you can negotiate a "rider" to cover these costs; it will be money well spent.

Why tools cannot save you...

As technologists, most people, when facing a challenge, look for a tool to "...do the work...". Like it or not, the Incident Response world is the people world: a tool cannot interview an employee about what happened, it cannot talk to the press, it cannot brief the Board of Directors, the Audit Committee, the CEO, etc...

Give a lot of thought to the folks who will make up your IR team and, specifically, who will lead that team. Do yourself a favor and don't make it an emotional appointment; make it a solidly merit-based appointment: a cool-headed person who can clearly see the guard rails and understands that a "policy" is just guidance, not stone tablets from on high...

Why your Risk Register is the backbone of your Incident Response Program

In a perfect world, your "risk register" contains the "...indicators of compromise..." of your next incident and may very well be your roadmap for that next "incident". If your next incident, in the final analysis, was not related to an item on your risk register, there is something wrong with your risk identification and analysis process.

Is your "risk register" open to anyone to comment on it? For example, during a new customer assessment we were pleased to find that one of the Service Desk staff had been keeping notes on root cause analysis of problems for years... apparently, no one had been willing to listen...

Why your Risk Committee must own the Incident Response Program

Hopefully, we've made the case that the effectiveness of your Incident Response Program is easily within your grasp, that it can be managed in a cost-effective manner without major expenditures and deliver significant risk mitigation benefits. That your "risk register", if properly managed, can be your early warning system for potential incidents. That the training and sweat you spend, now, with your "first responders" will pay major benefits when that day comes (and it will). That your Cyber Security Insurance investment must be proactively managed by your key stakeholders to address unforeseen costs and drive meaningful benefits during and after your incident.

Resources, where can you get some help?

Cyber Security Insurance - primer

Bruce Schneier on Incident Response

NIST Incident Response Guidance

NIST - Computer Security Incident Handling Guide