Fortifying the Fort: System Hardening Against LOTL Threats
Hardening strategies are aimed at reducing the attack surface and enhancing the security posture of organizations and their critical infrastructure.
- Vendor and Industry Hardening Guidance: Organizations should strengthen software and system configurations based on vendor-provided or industry, sector, or government hardening guidance, such as those from NIST, to reduce the attack surface.
- Windows: Apply security updates and patches from Microsoft, follow the Windows Security Baselines Guide or CIS Benchmarks, harden commonly exploited services like SMB and RDP, and disable unnecessary services and features.
- Linux: Check binary permissions and adhere to CIS's Red Hat Enterprise Linux Benchmarks.
- macOS: Regularly update and patch the system, use built-in security features like Gatekeeper, XProtect, and FileVault, and follow the macOS Security Compliance Project's guidelines.
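The Linux item above says to "check binary permissions" without saying what to look for. The script below is an added example, not part of the guidance: it scans executable directories for the permission findings a CIS Benchmark review calls out (setuid/setgid bits and world-writable executables). It builds a constructed sample directory so it runs offline; the directory names, file names and modes in that sample are assumptions, and the live-audit call at the bottom shows how to point it at the real PATH.

```python
"""Audit executable directories for risky permission bits.

Added example (not from the original guidance). Flags setuid, setgid and
world-writable regular files; symlinks, directories and devices are skipped.
"""
import os
import stat
import tempfile


def classify(path):
    """Return the risk tags that apply to one filesystem entry."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return []  # only regular files carry meaningful exec permission bits
    tags = []
    if st.st_mode & stat.S_ISUID:
        tags.append("setuid")
    if st.st_mode & stat.S_ISGID:
        tags.append("setgid")
    if st.st_mode & stat.S_IWOTH:
        tags.append("world-writable")
    return tags


def audit_dirs(dirs):
    """Scan each directory (non-recursively); return {path: [tags]} for findings."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue  # PATH often names directories that do not exist
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            tags = classify(p)
            if tags:
                findings[p] = tags
    return findings


def build_sample_tree():
    """Constructed sample (assumption): one clean tool, one legacy setuid
    binary and one world-writable script in a fresh temp directory."""
    d = tempfile.mkdtemp(prefix="hardening-audit-")

    def touch(name, mode):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)

    touch("clean-tool", 0o755)
    touch("legacy-setuid", 0o4755)
    touch("deploy.sh", 0o777)
    return d


def audit_sample():
    """Run the audit over the constructed sample, keyed by file name."""
    d = build_sample_tree()
    return {os.path.basename(p): tags for p, tags in audit_dirs([d]).items()}


if __name__ == "__main__":
    for name, tags in audit_sample().items():
        print(f"{name}: {', '.join(tags)}")
    # Live audit of the real search path:
    # audit_dirs(os.environ["PATH"].split(os.pathsep))
```

Findings from the sample are the setuid binary and the world-writable script; the clean tool does not appear. In a real review, each setuid finding is compared against the benchmark's expected list and everything else is either stripped (chmod u-s) or documented as an accepted exception.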
Cloud Infrastructure Hardening:
- Microsoft Cloud: Refer to CISA's Microsoft 365 security configuration baseline guides for secure configuration baselines across various Microsoft cloud services.
- Google Cloud: Consult CISA's Google Workspace security configuration baseline guides for secure configuration baselines across Google cloud services.
- Universal Hardening Measures: Minimize running services, apply the principle of least privilege, and secure network communications.
- Critical Asset Security: Apply vendor hardening measures for critical assets like ADFS and ADCS and limit the applications and services that can be used or accessed by them.
- Administrative Tools: Use tools that do not cache credentials on the remote host to prevent threat actors from reusing compromised credentials.
- Constrain Execution Environment: Implement application allowlisting to channel user and administrative activity through a narrow path, enhancing monitoring and reducing alert volume.
Platform-Specific Allowlisting:
- macOS: Configure Gatekeeper settings to prevent execution of unsigned or unauthorized applications.
- Windows: Use AppLocker and Windows Defender Application Control to regulate executable files, scripts, MSI files, DLLs, and packaged app formats.
Network Segmentation and Monitoring:
- Limit Lateral Movement: Implement network segmentation to limit the access of users to the minimum necessary applications and services, reducing the impact of compromised credentials.
- Network Traffic Analysis: Use tools to monitor traffic between segments and place network sensors at critical points for comprehensive traffic analysis.
- Network Traffic Metadata Parsing: Utilize parsers like Zeek and integrate NIDS like Snort or Suricata to detect LOTL activities.
- Phishing-Resistant MFA: Enforce MFA across all systems, especially for privileged accounts.
- Privileged Access Management (PAM): Deploy robust PAM solutions with just-in-time access and time-based controls, complemented by role-based access control (RBAC).
- Cloud Identity and Credential Access Management (ICAM): Enforce strict ICAM policies, audit configurations, and rotate access keys.
- Sudoers File Review: For macOS and Unix, regularly review the sudoers file for misconfigurations and adhere to the principle of least privilege.
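The three segmentation items above come together in one detection: Zeek's conn.log records every connection between segments, and a segmentation policy says which of them should never happen. The script below is an added example, not from the guidance or the Zeek project. It parses the tab-separated conn.log layout using the file's own #fields header, then flags administrative-protocol connections (SSH, SMB, RDP, WinRM) between two workstation hosts unless the source is an approved jump host; workstation-to-server traffic on the same ports is left alone, because that is what file and terminal servers exist for. The log lines, segment ranges and port-to-service mapping are constructed assumptions.

```python
"""Flag peer-to-peer administrative traffic in Zeek conn.log records.

Added example (not from the original guidance). The segmentation policy and
the sample log are constructed for illustration.
"""
import ipaddress

# Assumed segmentation policy (constructed): user workstations live in
# 10.10.0.0/16, and the admin jump hosts are carved out of that range.
WORKSTATION_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]
JUMP_HOSTS = [ipaddress.ip_network("10.10.250.0/24")]
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

# Constructed sample in Zeek's conn.log TSV layout (a subset of the real fields).
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1700000001.1\tCx1\t10.10.4.21\t51000\t10.10.7.9\t445\ttcp\tsmb\tSF
1700000002.2\tCx2\t10.10.4.21\t51001\t10.10.7.9\t3389\ttcp\t-\tS0
1700000003.3\tCx3\t10.10.250.5\t52000\t10.10.7.9\t3389\ttcp\t-\tSF
1700000004.4\tCx4\t10.10.4.21\t51002\t10.20.1.1\t445\ttcp\tsmb\tSF
1700000005.5\tCx5\t10.10.4.21\t51003\t10.10.7.9\t443\ttcp\tssl\tSF
#close\t2023-11-14-00-00-00
"""


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close and other metadata lines
        if fields is None:
            raise ValueError("conn.log record seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def in_any(ip, networks):
    """True when the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def flag_east_west_admin(records):
    """Return alerts for admin-protocol connections between two workstation
    hosts whose source is not an approved jump host."""
    alerts = []
    for r in records:
        port = int(r["id.resp_p"])
        if port not in ADMIN_PORTS:
            continue
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if not (in_any(src, WORKSTATION_SEGMENTS) and in_any(dst, WORKSTATION_SEGMENTS)):
            continue  # workstation-to-server admin traffic is expected
        if in_any(src, JUMP_HOSTS):
            continue  # sanctioned admin path
        alerts.append({"uid": r["uid"], "src": src, "dst": dst,
                       "service": ADMIN_PORTS[port], "state": r["conn_state"]})
    return alerts


def run_sample():
    """Apply the policy to the constructed log."""
    return flag_east_west_admin(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['uid']}: {a['src']} -> {a['dst']} {a['service']} ({a['state']})")
```

Two of the five records are flagged: the SMB session and the RDP attempt from 10.10.4.21 to a neighbouring workstation. The jump-host RDP session, the SMB session to the server segment and the HTTPS connection pass. The conn_state field is kept in the alert because a run of S0 (no reply) records against many peers on an admin port is worth treating differently from an established SF session.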
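A sudoers review needs a concrete list of what counts as a misconfiguration. The script below is an added example, not part of the guidance: it parses user specification lines of the sudoers syntax and reports rules that grant ALL commands, skip authentication (NOPASSWD), pass wildcard arguments, or allow a shell interpreter, each of which leaves the rule equivalent to unrestricted root. The sample file is constructed, the shell list is an assumption, root's own rule is skipped because it is standard, and command aliases are reported by name rather than resolved.

```python
"""Review sudoers user specifications against least privilege.

Added example (not from the original guidance). Handles the common
`who host=(runas) [TAG:] cmd, cmd` form; Defaults, alias definitions,
comments and #include lines are skipped.
"""
import re

# Assumption: interpreters whose sudo access is effectively "ALL".
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample sudoers content.
SAMPLE_SUDOERS = """
# Defaults and alias definitions are not user specifications
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup   ALL=(root) NOPASSWD: /usr/bin/rsync *
helpdesk ALL=(ALL) /bin/bash
ops      ALL=(root) SERVICES
"""

USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_rule(line):
    """Split one user specification into who, tags and the command list."""
    m = USER_SPEC.match(line)
    if not m:
        return None
    tokens = m.group("cmds").split()
    tags = []
    while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
        tags.append(tokens.pop(0)[:-1])  # NOPASSWD:, NOEXEC:, SETENV: ...
    cmds = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
    return {"who": m.group("who"), "tags": tags, "cmds": cmds}


def review_sudoers(text):
    """Return one finding per risky rule: {"who", "line", "issues"}."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root":
            continue  # root's own ALL rule is present on every system
        issues = []
        if any(c == "ALL" for c in rule["cmds"]):
            issues.append("unrestricted-commands")
        if "NOPASSWD" in rule["tags"]:
            issues.append("no-authentication")
        if any("*" in c for c in rule["cmds"]):
            issues.append("wildcard-argument")
        if any(c.split()[0] in SHELLS for c in rule["cmds"]):
            issues.append("shell-access")
        if issues:
            findings.append({"who": rule["who"], "line": line, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in review_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']}: {', '.join(f['issues'])}\n    {f['line']}")
```

On the sample, the %admin group is reported for unrestricted commands, deploy for NOPASSWD on an otherwise scoped command, backup for NOPASSWD plus a wildcard, and helpdesk for shell access; ops, whose rule only names an alias, produces no finding. Run it against the live file with `sudo cat /etc/sudoers /etc/sudoers.d/*` piped in, and resolve Cmnd_Alias entries by hand when deciding whether an alias really is narrow.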
As a long-term strategy, the guidance recommends implementing zero trust architectures to ensure that binaries and accounts are not automatically trusted and their use is restricted and examined for trustworthy behavior.
- Due Diligence in Vendor Selection: Choose vendors with secure by design principles and hold them accountable for their software's default configurations.
- Audit Remote Access Software: Identify authorized remote access software and apply best practices for securing remote access.
- Restrict Outbound Internet Connectivity: Limit internet access for back-end servers and monitor outbound connectivity for essential services.