Increasing Your Security Posture

by David Evenden

Increasing your security posture in an enterprise environment begins with identifying and closing visibility gaps. The following steps will help your team understand adversary techniques and methods to defend against them.

Increasing your Security Posture requires understanding the Attack & Exploitation Lifecycle adversaries use to attack your network.

The descriptions below are based on Pentesting Methodologies, which have been created by practicing adversary emulation based on the Exploitation Lifecycle.

RECON

Often referred to as OSINT (Open Source Intelligence) or reconnaissance, this is simply using publicly available resources to learn as much as possible about your target.

This consists of researching the following non-exclusive list:

• Employees ranging from the boardroom to the basement
• Externally accessible resources
• Programming or developer languages used in production
• Internally & Externally used applications

TARGET(ing)

Targeting or Vulnerability Discovery is the act of pairing identified infrastructure with corresponding open source exploits.

BREACH

A Breach is the act of exploiting infrastructure to gain access to a target.

PERSISTENCE

This is the act of installing a backdoor [malware|callbacks|etc] so that exploitation isn’t necessary over and over again to operate in the target network.

MIGRATION

Often the machine of initial access isn’t the primary target. The art of migration is moving throughout the network to expand persistence and locate the primary target.

EXFILTRATION

This is the act of moving data from the target to an external C2 or the attacker machine.

The lifecycle pictured above is based off of the Pentesting Methodologies shown below.

In order to properly secure an environment, we must first identify the boundary that, once breached, will have the maximum negative impact.

What level of data breach can your organization not recover from?

Identify your worst case scenario, then start working backwards.

The phases below will help you identify the gaps in your network. Once the gaps are identified using these phases and techniques, locate the mitigation recommendations and create a checklist.

Once the checklist is developed, start walking your way through the checklist until all items have been mitigated.

Then start again.

Developing an Asset List & Tagging Critical Data

Asset Management is the process of taking inventory of all internal and external assets spread throughout the network, including hardware, software, and network assets. By developing an effective asset management program, you are able to increase your efficiency, effectiveness, and security by making it easier to identify visibility gaps, stolen equipment, apply patches and software upgrades , as well as budget for future security solutions.

We recommend you start by developing an enterprise level asset list that consists of physical devices, software, and data. Then tag critical data on the list. This comprehensive Asset List should consist of network devices, software installed/used on devices throughout the network, and the owners of those devices.

Understanding asset ownership is an important aspect of the asset list creation process. Asset ownership is critical when it comes time to perform enterprise level heuristic analytics on change point detection, anomalies, and vulnerability identification.

Intelligence Mitigation Technique: Once you identify your critical data and have correlated which actor is targeting your sector, you can use the intel you’ve uncovered to research what data your actors might be targeting from your organization.

Close the Network Visibility Gap

Network visibility gaps in enterprise environments allow attackers to migrate, or move, around a victim’s network. Once you identify that network segment, work on network visibility to and from that space.

Network migration is also called pivoting. This is the act of using an existing foothold to move throughout a network accessing critical infrastructure.

Pivoting can be prevented by increasing and sharpening SIEM network logging, and implementing stronger internal security controls.

Side note (log aggregation): The following image outlines common concepts about methodologies associated with event log aggregation.

Increasing Host Visibility

Host AntiVirus is where many enterprise level security engineers start.

Increasing host visibility using the following methodologies is the next phase of this lifecycle:

• Locking down host firewall
• Proper configuration for host AV
• Remote connections to & from hosts
• Child processes and orphaned processes
• Utilization of legitimate process slack space
• DLL hallowing and process injection

Increasing Perimeter Visibility

Perimeter Visibility identifies the types of threats being thrown at your enterprise network from the outside. This is an important aspect of network defense.

However, for this stage we are simply focusing on what is entering and exiting the network.

Common protocols and traffic to look for are:

• Anomalies or significant changes in bandwidth
• Outbound DNS traffic not originating from your internal DNS servers
• Encrypted traffic on ephemeral (high numbered or uncommon) ports
• Inbound emails with known malicious or otherwise suspicious activity
• Traffic destined to known malicious domains

Increase OSINT & Targeting Visibility

Open source intelligence research is nearly always the first step to the attack/targeting/exploitation lifecycle. Knowing what your exposed organizational footprint looks like will increase your ability to combat attackers when they target your organization.

Since the attack vector pictured above is twofold (technological and social engineering) educating yourself on attack methodologies surrounding both attack surfaces will help you develop a target scope for the organization.

Research Mitigation Technique: Mitigation of this process consists of you doing your homework. You can either attempt to identify the exposed attributes of your organization, or hire a penetration testing team like TrustedSec, StandardUser, or SocialEngineer to perform OSINT research for your organization.

Once you have all this data aggregated, have implemented applicable mitigation methodologies where possible, and know your enterprise security visibility gaps, you’ll be prepared to make enterprise & organizational level risk determinations.

This kind of risk determination will provide a vehicle to develop manpower management needs, budgetary and compliance roadmaps, and begin to close additional visibility gaps throughout your network and allow you to sleep a little better at night.

About the Author

Author

Bartek Adach

Latest Articles

• Blog2022.12.28Cybersecurity in Education: What Parents, Teachers, and Students Should Know in 2023
• Blog2022.12.15Remembering Leonard Jacobs
• Blog2022.09.30VPN Security: A Pentester's Guide to VPN Vulnerabilities
• Blog2022.08.09AppSec Tales II | Sign-in