Implementing Best Practices

Basic Hygiene

Visibility
  1. Send system logs to a centralized logging server.

  2. Alert on:

    1. Added, changed, or removed software packages.

    2. Administrative logins from unknown source locations.

    3. Interactive administrative logins.

    4. Users added or removed.

    5. Changes to users’ group membership.

    6. Changes to operating system configuration.

    7. Changes to network configurations.

Default Deny
  1. Utilize system firewalls to deny access to system services unless required.

  2. Restrict access to administrative functions except through approved, secured communication channels.

Least Privilege
  1. Limit privileged access to the operating system to authorized personnel.

  2. Do not allow shared superuser accounts to log into systems remotely.

  3. Disable default accounts.

Segmentation
  1. Create a segmented network for user workstations, separate from the networks used by other types of systems.

Configuration
  1. Ensure endpoints are up to date with the latest patches from the vendor.

  2. Install Anti-Malware defenses and keep them updated.

  3. Implement 2FA for access to high-value systems.

Advanced Hygiene

Visibility
  1. Deploy EDR or similar functionality (https://github.com/SwiftOnSecurity/sysmon-config) to gain greater visibility.

  2. Expand logging to include audit trails of privileged users’ access and activities.

  3. Improve alerting by adding detections for:

    1. Privilege escalation attempts.

    2. Failed logins.

    3. Log clearing events.

    4. Security policy changes in host-based defenses.

    5. Changes in users’ authorizations.

    6. Account lockouts.

    7. Systems connected simultaneously to both wired and wireless LANs.

    8. Direct connections between two user workstations.

Default Deny
  1. Implement application control by preventing installation or execution of software from:

    1. Unapproved sources.

    2. Browser downloads, including those to temporary folders.

  2. Prevent wireless and wired workstations from directly accessing each other.

  3. Prevent wireless clients from directly accessing other wireless devices.

  4. Prevent or limit direct internet access wherever possible. Servers, for example, rarely need to browse any website.

Least Privilege
  1. Ensure users utilize separate accounts for administrative functions.

  2. Discontinue the use of shared superuser accounts.

  3. Restrict use of living-off-the-land binaries (https://threatpost.com/living-off-the-land-malicious-use-legitimate-utilities/177762/) using application control.

Segmentation
  1. Segment user workstations by job role.

  2. Segment servers by logical grouping such as physical location, use-case sensitivity, or workload.

  3. Separate any mission-critical system from all other network endpoints, especially those that are older or difficult, if not impossible, to patch.

Configuration
  1. Utilize CIS benchmarks to harden systems.

  2. Remove default accounts if possible.

  3. Use random passwords to secure default accounts that must remain active.

Resilient Operations

Visibility
  1. Implement behavior analysis and alert on:

    1. “Superman” rules that flag impossible travel: a user accessing systems from source IP geographies whose distance could not have been covered in the time between the logins.

    2. Geography, source IP, destination IP, session duration, and transfer sizes, tracked per device and per user with anomaly alerting.

    3. Patterns of administrator access and actions taken, tracked with alerts for abnormal behaviors.

    4. Abnormal network connections based on network (https://en.wikipedia.org/wiki/Network_layer) and transport (https://en.wikipedia.org/wiki/Transport_layer) layer session details.

    5. Abnormally large transfer sizes per user, source address, and destination address.

    6. Abnormal process execution.

    7. Abnormal command-line arguments for any process.
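
One way to implement the “Superman” (impossible travel) rule above, as an added example that is not part of the original checklist: consecutive logins by the same user are compared by great-circle distance and elapsed time, and any pair implying a speed above a threshold is raised as an alert. The login events, IP addresses and coordinates are constructed sample data; in practice the coordinates come from a GeoIP lookup of the source IP, and the speed threshold is an assumption to tune per environment.

```python
import math
from datetime import datetime, timezone

# Constructed sample login events: (user, UTC timestamp, source IP, lat, lon).
# Lat/lon would normally come from a GeoIP lookup of the source IP; they are
# embedded here so the example runs offline.
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T08:00:00Z", "203.0.113.10", 40.7128, -74.0060),   # New York
    ("alice", "2024-05-01T09:30:00Z", "198.51.100.7", 51.5074, -0.1278),    # London
    ("bob",   "2024-05-01T08:00:00Z", "203.0.113.20", 37.7749, -122.4194),  # San Francisco
    ("bob",   "2024-05-01T20:00:00Z", "198.51.100.9", 47.6062, -122.3321),  # Seattle
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner speed; tune per environment

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel_alerts(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins by the same user
    whose implied travel speed exceeds max_kmh."""
    alerts = []
    last_seen = {}  # user -> (time, ip, lat, lon) of the previous login
    for user, ts, ip, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        prev = last_seen.get(user)
        if prev is not None:
            p_t, p_ip, p_lat, p_lon = prev
            hours = (t - p_t).total_seconds() / 3600.0
            dist = haversine_km(p_lat, p_lon, lat, lon)
            # Same location needs no speed; different locations with zero
            # elapsed time are impossible by definition.
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                alerts.append({"user": user, "from_ip": p_ip, "to_ip": ip,
                               "km": round(dist, 1), "hours": round(hours, 2)})
        last_seen[user] = (t, ip, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel_alerts(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Only alice’s New York to London pair (about 5,570 km in 1.5 hours) is flagged; bob’s San Francisco to Seattle pair over 12 hours is within the threshold.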

Default Deny
  1. Deny users from utilizing simple passwords by enforcing a password policy that requires a complex password of at least ten (10) characters and enforces password history.

  2. Use application control to prevent process execution except for specifically approved applications.

Least Privilege
  1. Instead of using privileged accounts for operating system administration, use software that enables authorized users to execute a minimal set of functions.

Segmentation
  1. Work to achieve microsegmentation as much as possible. Separate computers based on workload with security controls enforcing access between all segments.

Configuration
  1. Harden configurations using guidance from a government (https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF), third-party (https://www.cisecurity.org/cis-benchmarks/), or vendor source as much as possible.

  2. Remove all unnecessary applications from each system install.

Operating Systems Resources