Architecture and Implementation Best Practices

Edit online

There is no perfect security state, but there are resilient systems that survive attacks. Randori’s goal is to help defenders improve their resilience by viewing their environment through the eyes of professional attackers. Specific guidance for improving defenses is at least as varied as the number of software packages in existence. Despite nearly infinite tactical options, five best-practice philosophies strategically apply when architecting and implementing defenses. Continually applying these best practices over time will frustrate adversaries and improve resilience.

Visibility and Monitoring

No control will withstand an adversary forever, so the ability to know that failures have occurred is necessary to be resilient -- that is, to prevent an adversary from advancing further, you must take action, which requires knowledge. Reviewing logs builds a better understanding of normal and abnormal events, which leads to better alerting. And, higher-quality alerts spot threats faster. Good visibility also removes operational risk from Least Privilege and Default Deny implementations. It is easier to gain support for disabling software features and blocking network traffic with proof that neither impacts business functions.

Expect attackers to manipulate logs and network traffic data. It is best to securely transmit events to central storage systems as quickly as possible after generation. Central log analysis and storage systems are mission-critical. Treat any systems processing or storing events as highly sensitive. All the best practices described should be applied to those systems as well.

While planning visibility and monitoring strategies, consider where compromise might occur and how that will impact visibility. Architecting multiple monitoring points that should tell similar stories creates the ability to detect compromise even if some of your monitoring data gets affected by a threat. Numerous monitoring points also offer higher fidelity logs and better analytic results.

Actionable questions

  1. Are you gathering application and system logs from all systems?

  2. Do you have visibility at all security boundaries?

  3. Do your events include or attribute activity to users wherever possible?

  4. Are events reviewed regularly? Identifying event patterns to generate alerts is critical. Most SIEM/UBA solutions have sound initial logic to build upon with your organizational intelligence.

  5. Does your monitoring system offer the ability to do the following?

    1. Selectively retain logs based on source or content after analysis?

    2. Deduplicate events after analysis?

  6. Is your monitoring system also monitored?

Least Privilege

The principle of Least Privilege restricts users’ access to the smallest set of capabilities required for normal operation. Ideally, apply Least Privilege to all users across all applications and services. Whenever possible, limit access based on identity, job role, location, time, and any other criteria that make sense for the organization. Do not forget user identities that aren’t associated with human beings. Service accounts used to run applications should also carry the minimum necessary permissions. Implementing Least Privilege makes it more difficult for adversaries to gain privilege and access credentials.

Implementing Least Privilege often generates anxiety among teams. Expect fear that restrictive policies generate some lost productivity for users. Not all these fears will be unfounded. Use log analysis to guide policy creation and measure risks associated with Least Privilege implementation. Good visibility and monitoring strategies lead to successful deployments. Least Privilege will sometimes introduce momentary delays to some users’ work, but this loss is often trivial compared to delays caused by a compromise or breach.

Actionable questions

  1. Who needs access?

  2. What level of access is required? Limit the ability to change data for users who only consume, rather than create, information.

  3. Are users’ typical geographic locations or times of access known? Write policies limiting access based on these behaviors.

  4. Are roles defined and granular role-based access control configured where possible?

Default Deny

Default Deny is a type of Least Privilege associated with access control policies. Found in networking equipment, security gateways, and application control systems, access control policies will have a default rule applied when no other logic is matched. For resilient defense, security policies should deny activity by default.

As with Least Privilege, analyzing events observed through visibility and monitoring strategies makes implementing Default Deny easier. Do not rely only on the network filtering options offered by applications and systems. Layering security gateways with built-in filtering options forces attackers to compromise multiple systems to gain full access. Security gateways may also offer access to higher-layer enforcement. When applications are compromised, so are any controls they enforce. Application layer policies at a security gateway can maintain enforcement when applications are compromised, further hindering attackers. Default Deny slows attackers’ lateral movement, buying time for defenders to catch and remove threats. Default Deny also offers additional visibility options and the opportunity to create high-value alerts.

Actionable questions

  1. Is inbound access needed for a solution to operate?

    1. What IP sources should initiate sessions to a system?

    2. Sessions should initiate on what ports?

    3. What types of sessions should the application or system begin? On which ports?

  2. What are the addresses and ports for supporting services like authentication, DNS, time synchronization, etc.?

  3. Is it possible to block traffic from specific geographic regions or cloud service providers?

  4. Is network access authenticated? Are policies written to limit network access based on associated identities?

Segmentation

There are many ways to design a network. It is tempting to create open networks where all hosts can communicate freely with any other. The broad accessibility of open, permissive networks is convenient, but this convenience extends to attackers making these networks easy to maneuver. Dividing networks into logical or physical subnets creates more points of visibility and hampers attackers. To achieve goals in segmented networks, attackers must spend time compromising additional defenses after gaining initial access. Segmentation increases the time required to turn a compromise into a breach giving defenders more opportunities to stop attacks before they are completely successful.

Actionable questions

  1. How much of the network can a host access without passing through a security gateway or router?

  2. If traffic were sniffed from a host, how

    many other hosts’ communications would be exposed?

Configuration

Software manufacturers tend not to ship products applied with the best possible security configuration. There is no malicious intent in this reality. Making flexible, feature-rich applications for a wide range of users makes it impossible to craft one perfect configuration for all possible use cases. It is important to review and harden configurations based on the specific workloads performed. Governments, third parties, and vendors produce hardened configuration options for several solutions. All offer potential starting points to harden a configuration but are not a substitute for understanding configuration options and features of the applications themselves. Hardening configurations is ultimately a balancing act between usability and resilience. Having a greater understanding of how an application works leads to better configurations. When all else fails, develop configurations that improve implementations of default-deny, Least Privilege, segmentation, and visibility.

Actionable questions

  1. Are unused application or product features disabled?

  2. What features exist to enforce Default Deny and Least Privilege principles?

  3. What features exist for secure, centralized logging of events?

  4. Have you minimized enumerability by removing banners, headers and other identifiable information?

Perfect: The enemy of good, and defenders

There is no perfect application of these best practices. Attackers will constantly develop new threats and improve their capabilities. Money, politics, and time will work to complicate defensive operations. Creating resilient systems capable of withstanding compromise and preventing a breach takes continual effort. Every incremental improvement is an opportunity to thwart some failure, even if it doesn't thwart all failures.

At times best practices will appear difficult or impossible to achieve. In these moments, ask, do we need this? “This” can be substituted for almost anything.

  • Do we need to let all users access firewall administration?

  • Do we need to let our servers open connections to any client workstations?

  • Do we need to turn on every feature on our UTM device?

Where the answer is no, respond accordingly. For the examples above:

  • Restrict access to non-administrative users.

  • Block servers from connecting to workstations.

  • Disable any feature on the UTM device that is not necessary.

Doing so implements Least Privilege, Default Deny and hardens the configuration. These may not be perfect applications of the practices, but every action to improve resilience, however small, makes the attacker’s work harder.