Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details

Download Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details (1Mb PDF), updated February 2014

Introduction

This document provides further information regarding the Australian Signals Directorate's (ASD) list of Strategies to Mitigate Targeted Cyber Intrusions, including references to controls in the Australian Government Information Security Manual (ISM). Annex A contains a summary of the key changes made to this documentation suite since the previous release in 2012.

Readers are strongly encouraged to visit the ASD website for the latest version of this document and additional information about implementing the mitigation strategies.

This document focuses primarily on defending user workstations and servers. The underpinning principles highlighted by the guidance in this document are applicable to broader ICT security activities. ASD’s guidance to securely use mobile devices, such as tablets and smartphones, is available at Risk Management of Enterprise Mobility including BYOD in addition to ASD’s device-specific hardening guides.

Stages of a Targeted Cyber Intrusion

No single strategy can prevent a targeted cyber intrusion, and organisations should ensure that the strategies they select address all three high level stages of a cyber intrusion:

Stage  Action               Methodology
1      Code execution       Reconnaissance to select the target user, then execution of malicious software (malware) through the selected intrusion technique: creation of a malicious website, compromise of a legitimate website (‘watering hole’ or ‘drive by download’), or a ‘spear-phishing’ email with a malicious hyperlink or content.
2      Network propagation  Use of compromised account credentials or exploitable vulnerabilities.
3      Data exfiltration    Extraction of data in RAR/ZIP archive files, potentially exfiltrated via a Virtual Private Network (VPN) or other remote access connection.

Stage 1 – Code Execution

Cyber adversaries perform reconnaissance to select a target user, and either create a malicious website or compromise a legitimate website that the user visits, referred to as a targeted ‘drive by download’ or ‘watering hole’ technique. Alternatively, cyber adversaries send the user a malicious ‘spear phishing’ email containing either a hyperlink to a website with malicious content, or a malicious email attachment such as a PDF file or Microsoft Office document which might be in a RAR/ZIP archive file.

This reconnaissance is made easier for cyber adversaries if the user’s name and email address are readily available via their employer’s website, social networking websites, or if the user uses their work email address for purposes unrelated to work.

Malware is then executed on the user’s workstation and is often configured to persist by automatically executing every time the user restarts their workstation and/or logs on. The malware communicates with the network infrastructure controlled by cyber adversaries, usually downloading additional malware, enabling cyber adversaries to remotely control the user’s workstation and perform any action or access any information that the user can.

Stage 2 – Network Propagation

Cyber adversaries commonly use compromised account credentials or exploitable vulnerabilities in an organisation’s other workstations and servers to propagate (laterally move) throughout the network in order to locate and access sensitive information. Such network propagation can occur rapidly on networks with inadequate segmentation and segregation, especially when multiple workstations or servers share the same local administrator passphrase. Information accessed frequently includes Microsoft Office files, Outlook email PST files, PDF files as well as information stored in databases. Cyber adversaries typically access:

Although passphrases might be stored as cryptographic hashes to frustrate cyber adversaries, freely available software running on a single workstation or a publicly available cloud computing service can often crack these hashes quickly and cheaply to derive the passphrases, unless all users have selected very strong passphrases and those passphrases are hashed with a salted, deliberately slow algorithm designed for the purpose. The NT hashes held by Windows are neither salted nor slow, so a captured NT hash of an ordinary passphrase is cracked far faster than a purpose-built passphrase hash would be.

Alternatively, cyber adversaries might use the ‘pass the hash’ technique, avoiding the need to crack passphrase hashes; see Microsoft Security Blog: New Guidance to Mitigate Determined Adversaries’ Favorite Attack, Pass-the-Hash.

The use of single sign-on authentication in an organisation might significantly benefit cyber adversaries, since a single compromised credential or session then grants access to every system that trusts it. In contrast, the appropriate use of multi-factor authentication helps to hinder cyber adversaries, especially if implemented for remote access or for when a user is about to perform a privileged action such as administering a workstation or server, or accessing a sensitive information repository.

Stage 3 – Data Exfiltration

Cyber adversaries usually use RAR/ZIP archive files to compress and encrypt a copy of an organisation’s sensitive information.

Cyber adversaries exfiltrate this information from the network, sometimes from a single ‘staging’ workstation or server on the organisation’s network. Cyber adversaries use available network protocols and ports allowed by an organisation’s gateway firewall, such as encrypted HTTPS/SSL, HTTP, or in some cases DNS or email.

Cyber adversaries might obtain VPN or other remote access account credentials and use this encrypted network connection for exfiltrating information, with the aim of defeating network based monitoring.

Cyber adversaries typically have several compromised workstations or servers on the organisation’s network, as well as compromised VPN or other remote access accounts, maintained as backdoors to facilitate further collection and exfiltration of information in the future.

Sensitive Information

As part of a risk assessment performed by business representatives and security staff, organisations need to identify the type and location of their sensitive information stored electronically. For the purpose of this document, sensitive information refers to either unclassified or classified information identified as requiring protection.

Such information takes many forms, including government ministerial submissions and other documents detailing government intentions, strategic planning documents, business proposals, tenders, meeting minutes, financial and accounting reports, legal documents, and intellectual property holdings.

Contemplating the intelligence goals of cyber adversaries can provide insight into which of an organisation’s users, based on their access to specific information, are likely to be targeted as part of a cyber intrusion. In some cases, targeting will coincide with a significant upcoming meeting or other business event of relevance to cyber adversaries.

Most Likely Targets

The phrase ‘Most Likely Targets’ describes users in an organisation who are most likely to be targeted as part of the first stage of a targeted cyber intrusion, and includes:

Rationale for Implementing the Mitigation Strategies

Australian organisations with access to sensitive information, including all Australian federal government agencies, have a high likelihood of being compromised by cyber intrusions of low sophistication if the organisation’s security posture is inadequate. In addition to the damage caused to Australia’s economic wellbeing and thereby to all Australian citizens, such compromises damage the reputation of affected organisations, undermine public confidence in the Australian Government, and unnecessarily consume scarce monetary and staff resources to continually clean-up cyber intrusions of low sophistication.

Most organisations have finite monetary and staff resources, requiring their senior management to commit to the importance of protecting the organisation’s sensitive information. The Top 4 mitigation strategies, when implemented as a package, address all three high level stages of a cyber intrusion and are the ‘sweet spot’ of providing a large increase in security posture for a relatively small investment of time, effort and money.

Once organisations have effectively implemented the Top 4 mitigation strategies, firstly on workstations of users who are most likely to be targeted by cyber intrusions and then on all workstations and servers, additional mitigation strategies can then be selected to address security gaps until an acceptable level of residual risk is reached.

In addition to implementing mitigation strategies, organisations require an incident response plan and associated operational capabilities, including regularly performed and tested offline backups to recover from cyber intrusions. Developing and implementing these capabilities requires support from technical staff and business representatives, including data owners, corporate communications, public relations and legal staff.

When a cyber intrusion is identified, it needs to be understood to a reasonable extent prior to remediation. Otherwise, the organisation plays ‘whack a mole’, cleaning compromised workstations and servers, as well as blocking network access to Internet infrastructure known to be controlled by cyber adversaries, while the same adversaries simply compromise additional workstations and servers using different malware and different Internet infrastructure to avoid detection.

For cyber intrusions of higher sophistication, ASD can assist Australian government agencies to develop a strategic plan to contain and eradicate the cyber intrusion, and improve the agency’s security posture in preparation for the likelihood that cyber adversaries will immediately attempt to regain access to the agency’s workstations and servers.

Organisations need to regularly test and update their incident response plan and capabilities, focusing on decreasing the duration of time needed to detect and respond to the next cyber intrusion.

Organisations should perform continuous monitoring and mitigation, using automated techniques to test and measure the effectiveness of the mitigation strategies implemented, and implement additional mitigation strategies as required to protect the information, workstations and servers that the organisation has identified as critical assets. Organisations that have implemented Data Loss Prevention solutions have usually already identified the location of their most sensitive information. Missing patches, other known weaknesses in workstations and servers, and detected cyber intrusion attempts should be regularly and systematically reported so that senior managers understand the threat and can make appropriate risk treatment decisions.

Proactive organisations invest in discovering new cyber intrusions instead of simply waiting for and relying on security products to detect cyber intrusions. Leveraging access to information about cyber adversary tradecraft and indicators of compromise, as provided to Australian government agencies via the OnSecure web portal, can assist organisations with identifying cyber intrusions.

Details of Mitigation Strategies

The concept of whitelisting is a key theme of the mitigation strategies, whereby activity such as network communication or program execution is denied by default, and only activity explicitly permitted by the system and network administrators to meet business requirements is allowed to occur. The traditional blacklisting approach only blocks a small amount of activity known to be undesirable, and this approach is reactive, time-consuming and provides weak security.

Mitigation Strategy #1 – Application whitelisting

Mitigation

Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers, implemented at least on workstations used by Most Likely Targets.

Rationale

An appropriately configured implementation of application whitelisting helps to prevent the undesired execution of software regardless of whether the software was downloaded from a website, clicked on as an email attachment, or introduced via a USB memory stick or CD/DVD.

Implementing application whitelisting on important servers such as Active Directory and other authentication servers can help prevent cyber adversaries from running malware that obtains passphrase hashes or otherwise provides cyber adversaries with additional privileges.

Implementation Guidance

The ability of application whitelisting to provide a reasonable barrier for low to moderately sophisticated cyber intrusions depends on the vendor product chosen to implement application whitelisting, combined with its configuration settings, as well as the file permissions controlling which directories a user (and therefore malware) can write to and execute from.

Configure the application whitelisting mechanism to prevent the running of unapproved programs regardless of their file extension.

Where possible, prevent users (and therefore malware running on the user’s behalf) from running system executables commonly used for reconnaissance as listed in mitigation strategy #15 ‘Centralised and time-synchronised logging of successful and failed computer events’.

Simply preventing a user from installing new applications to their workstation’s hard disk is not application whitelisting.

It is advisable to deploy application whitelisting in phases, instead of trying to deploy it to an entire organisation at once. For example, after fully testing and understanding the application whitelisting mechanism to avoid false positives, one approach is to deploy application whitelisting to the workstations used by senior executives and their assistants. Such users are Most Likely Targets who usually run a limited number of software applications such as Microsoft Office, an email program and a web browser. An additional benefit is that, when these users are made aware that they clicked on a malicious email attachment or visited a malicious website and application whitelisting mitigated the compromise, they might provide additional support for the deployment of application whitelisting to more user workstations in the organisation.

Deploying application whitelisting is easier if the organisation has a good change management process and therefore understands what software is installed on workstations and servers. Initially testing application whitelisting in ‘audit’/’logging only’ mode helps organisations to develop an inventory of installed software. Once an inventory has been established, application whitelisting can be properly configured in ‘enforce’ mode to prevent unapproved programs from running.

When installing new software, avoid creating hashes for added files that aren’t of an executable nature. Otherwise if every new file is whitelisted, the whitelist is likely to become too large and if distributed via group policy, might unacceptably slow down users logging into their workstations.

Installers, or installation packages, can install, modify or remove programs. Common installer frameworks include Windows Installer and InstallShield. Installers often contain installation information as well as files to be installed all within one package. Windows Installer package files have an MSI filename extension and are commonly referred to as MSI files. MSI files are commonly used for unattended installation or modification of programs in Microsoft Windows environments.

Endpoint protection or anti-malware software from some vendors includes application whitelisting functionality.
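The phased deployment described above (inventory on a reference build, audit mode, review of what would have been blocked, then enforcement), together with the check on which directories users can write to, as an added PowerShell example that is not part of the ASD document. It assumes Windows 8 / Server 2012 or later with the AppLocker module and the Application Identity service (AppIDSvc) running; the policy file paths and the downloaded-file path are placeholders.

```powershell
# Added example, not from the ASD document. Builds an AppLocker policy from a clean
# reference workstation, deploys it in audit mode, shows what it would have blocked,
# and switches it to enforcement only after the audit events have been reviewed.
# Assumes Windows 8 / Server 2012 or later with the AppLocker module and the
# Application Identity service (AppIDSvc) running; file paths are placeholders.
Import-Module AppLocker

# A directory under the trusted program trees that standard users can write to.
# A path rule allowing everything under C:\Windows or Program Files would also allow
# whatever a user (or malware running as the user) drops there, so each such directory
# needs a deny rule or a tightened ACL before the policy is enforced.
function Test-UserWritableDirectory {
    param([string]$Path)
    $writeBits = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Write, Modify, FullControl'
    $userSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'    # Everyone, Authenticated Users, BUILTIN\Users
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($userSids -contains $sid) { return $true }
    }
    return $false
}

function Get-UserWritableDirectory {
    param([string[]]$Root = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}))
    Get-ChildItem -Path ($Root | Where-Object { $_ }) -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-UserWritableDirectory -Path $_.FullName } |
        Select-Object -ExpandProperty FullName
}

# Inventory executables, DLLs, scripts and installers on the reference build and generate
# publisher rules for signed files, falling back to hash rules for unsigned ones. Only the
# file types AppLocker controls are enumerated, so data files never bloat the policy.
function New-ReferenceAppLockerPolicy {
    param([string[]]$Directory = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
          [string]$OutFile = 'C:\Policies\AppLocker-Audit.xml')    # placeholder
    $files = foreach ($d in ($Directory | Where-Object { $_ })) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll, Script, WindowsInstaller
    }
    [xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    # Every collection starts in audit mode: events 8003/8006 record what enforcement would block.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) { $collection.EnforcementMode = 'AuditOnly' }
    New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null
    $policy.Save($OutFile)
    $OutFile
}

# Apply locally (add -Ldap with the GPO path to deploy by Group Policy), and check how the
# policy treats a file a user might download (placeholder path).
function Start-AppLockerAuditPilot {
    param([string]$PolicyFile)
    Set-AppLockerPolicy -XmlPolicy $PolicyFile
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path "$env:USERPROFILE\Downloads\setup.exe" -User Everyone
}

# 8003 (EXE/DLL) and 8006 (MSI/script) are the 'would have been blocked' events written in audit mode.
function Get-AppLockerAuditEvent {
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8006 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUser; File = $data.FilePath; Rule = $data.RuleName }
        }
}

function ConvertTo-EnforcedAppLockerPolicy {
    param([string]$AuditFile, [string]$EnforcedFile = 'C:\Policies\AppLocker-Enforce.xml')    # placeholder
    [xml]$policy = Get-Content -LiteralPath $AuditFile -Raw
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) { $collection.EnforcementMode = 'Enabled' }
    $policy.Save($EnforcedFile)
    $EnforcedFile
}

# Pilot: fix the writable directories, deploy in audit mode to the Most Likely Targets,
# review the 8003/8006 events for a few weeks, then enforce.
Get-UserWritableDirectory
$audit = New-ReferenceAppLockerPolicy
Start-AppLockerAuditPilot -PolicyFile $audit
Get-AppLockerAuditEvent | Format-Table -AutoSize
# ConvertTo-EnforcedAppLockerPolicy -AuditFile $audit | ForEach-Object { Set-AppLockerPolicy -XmlPolicy $_ }
```

If the generated policy is large because the reference build carries many unsigned DLLs, the usual remedy is the one the guidance implies: path rules for the protected trees (once the user-writable directories found above have been fixed or explicitly denied) with hash rules reserved for unsigned software installed elsewhere, which keeps the Group Policy object small enough not to slow logon.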

Further Information

Detailed guidance on the Top 4 mitigation strategies is available at Strategies to Mitigate Targeted Cyber Intrusions.

ISM controls: 0843, 0845, 0846, 0848, 0849, 0851, 0955, 0956-0957.

Mitigation Strategy #2 – Patch applications

Mitigation

Patch applications, especially Java, PDF viewers, Flash Player, Microsoft Office, web browsers and web browser plugins including ActiveX controls. Also patch server applications such as databases that store sensitive information as well as web server software that is Internet accessible. Patch or mitigate systems exposed to ‘extreme risk’ vulnerabilities within two days.

Use the latest version of applications since they typically incorporate additional security technologies such as sandboxing and other anti-exploitation capabilities. For some vendor software, upgrading to the latest version is the only way to patch a vulnerability.

Rationale

‘Extreme risk’ vulnerabilities in software used by an organisation can enable unauthorised code execution by cyber adversaries using the Internet, which can result in significant consequences for the organisation. The level of risk might also be affected by whether exploit code for a vulnerability is available commercially or publicly, for example, in an open source tool like the Metasploit Framework or in a cybercrime exploit kit.

Implementation Guidance

Approaches to patching

There are a variety of approaches to deploying patches to applications and operating systems running on workstations, based on an organisation’s risk tolerance, as well as how many applications an organisation uses where the applications are legacy, unsupported, developed in-house or poorly designed.

Patch management

To obtain visibility of what software requires patching, maintain an inventory of software installed on every workstation and server, especially laptops that might only occasionally connect to the organisation’s network, and include details about software version and patching history.

Use an automated mechanism to confirm and record that deployed patches have been installed and applied successfully and remain in place.

Using the latest version

Avoid using software which no longer receives vendor security patches for vulnerabilities. This is especially important for software that interacts with untrusted and potentially malicious data.

Avoid continuing to use versions of Adobe Reader prior to Adobe Reader X (version 10), as well as versions of Internet Explorer prior to version 8, for accessing Internet websites.
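The inventory, patch verification and unsupported-version checks described in this section, as an added PowerShell example that is not part of the ASD document. It runs on Windows 7 / Server 2008 R2 or later without extra modules. The central share path is a placeholder, and the minimum-version table is an assumption seeded with the two products named above; extend it from your vendors' lifecycle pages.

```powershell
# Added example, not from the ASD document. Builds the per-host software and patch
# inventory the guidance asks for, confirms that specific patches are actually present,
# and flags products below the versions that still receive vendor patches. The share path
# is a placeholder; the minimum-version table holds the two versions named in the guidance.

function Get-InstalledSoftware {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    $apps = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
            }
        })
    # Internet Explorer is not listed under Uninstall; svcVersion holds the real version on IE 10+.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie) {
        $apps += [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            DisplayName = 'Internet Explorer'
            Version     = $(if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version })
            Publisher   = 'Microsoft Corporation'
            InstallDate = $null
        }
    }
    $apps
}

function Get-PatchHistory {
    Get-HotFix | ForEach-Object {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; HotFixID = $_.HotFixID; Description = $_.Description; InstalledOn = $_.InstalledOn }
    }
}

# Confirms a deployed patch is actually present on the host, rather than trusting the
# deployment tool's own success report.
function Test-PatchInstalled {
    param([Parameter(Mandatory)][string[]]$KB)    # Knowledge Base article IDs, e.g. 'KB1234567' (placeholder)
    $installed = (Get-HotFix).HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; KB = $id; Installed = ($installed -contains $id) }
    }
}

# Products below these versions no longer receive vendor security patches (from the guidance above).
$MinimumSupportedVersion = @{
    'Adobe Reader'      = [version]'10.0'   # Adobe Reader X
    'Internet Explorer' = [version]'8.0'
}

function Find-UnsupportedSoftware {
    param([object[]]$Inventory = (Get-InstalledSoftware))
    foreach ($app in $Inventory) {
        foreach ($product in $MinimumSupportedVersion.Keys) {
            if ($app.DisplayName -notlike "$product*") { continue }
            $v = $null
            if ([version]::TryParse([string]$app.Version, [ref]$v) -and $v -lt $MinimumSupportedVersion[$product]) {
                [pscustomobject]@{ Computer = $app.Computer; Product = $app.DisplayName; Version = $v; Minimum = $MinimumSupportedVersion[$product] }
            }
        }
    }
}

# Collect everything to a central share (placeholder path) so laptops that connect only
# occasionally still contribute to the patching picture.
$share = '\\inventory.example.internal\software$'
Get-InstalledSoftware    | Export-Csv -NoTypeInformation -Path "$share\$env:COMPUTERNAME-software.csv"
Get-PatchHistory         | Export-Csv -NoTypeInformation -Path "$share\$env:COMPUTERNAME-patches.csv"
Find-UnsupportedSoftware | Format-Table -AutoSize
```

Get-HotFix only reports updates recorded as Windows hotfixes; third-party application patches show up as a changed DisplayVersion in the software inventory, which is why both outputs are collected and compared over time.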

Further Information

Detailed guidance on the Top 4 mitigation strategies is available at Strategies to Mitigate Targeted Cyber Intrusions.

ISM controls: 0790, 0297, 0298, 0300, 0303, 0304, 0940, 0941, 1143, 1144, 1244, 1298, 1348-1349, 1350-1351, 1362, 1365-1366.

Mitigation Strategy #3 – Patch operating system vulnerabilities

Mitigation

Patch operating system vulnerabilities. Patch or mitigate systems exposed to ‘extreme risk’ vulnerabilities within two days.

Use the latest operating system version that meets your organisation’s business requirements, since newer operating systems typically incorporate additional security technologies including anti-exploitation capabilities.

Rationale

‘Extreme risk’ vulnerabilities in software used by an organisation can enable unauthorised code execution by cyber adversaries using the Internet, which can result in significant consequences for the organisation. The level of risk might also be affected by whether exploit code for a vulnerability is available commercially or publicly, for example in an open source tool like the Metasploit Framework or in a cybercrime exploit kit.

Implementation Guidance

Refer to the implementation guidance provided for mitigation strategy #2 ‘Patch applications’.

Apply firmware patches to networking devices such as routers and switches, especially those devices that are Internet accessible.

Avoid using Microsoft Windows XP and earlier versions of Microsoft Windows.

Preferably use a 64-bit version of Microsoft Windows instead of a 32-bit version, since the 64-bit version contains additional security technologies, including kernel patch protection, mandatory kernel-mode driver signing and a larger address space that gives ASLR more entropy.

Further Information

Detailed guidance on the Top 4 mitigation strategies is available at Strategies to Mitigate Targeted Cyber Intrusions.

Further information on additional security technologies contained in 64-bit versions of Microsoft Windows is available at Microsoft Support: A Description of the Differences between 32-bit versions of Windows Vista and 64-bit versions of Windows Vista.

ISM controls: 0790, 0297, 0298, 0300, 0303, 0304, 0940, 0941, 1143, 1144, 1244, 1298, 1348, 1365–1366.

Mitigation Strategy #4 – Restrict administrative privileges

Mitigation

Restrict administrative privileges to operating systems and applications based on user duties. Users who hold administrative privileges should use a separate unprivileged account, and preferably a separate physical workstation, for activities that are non-administrative or risky such as reading email, web browsing and obtaining files via Internet services such as instant messaging.

Such users should perform administrative activities using a workstation that implements at least the Top 4 mitigation strategies.

Rationale

The consequences of a compromise are reduced if malware runs as a low privileged user instead of a user with administrative privileges.

Implementation Guidance

This mitigation strategy applies to:

Further Information

Detailed guidance on the Top 4 mitigation strategies is available at Strategies to Mitigate Targeted Cyber Intrusions.

ISM controls: 0405, 0434, 0445-0448, 0985, 0709, 1175, 0582-0583, 0987, 1380-1383, 1385-1388.

Mitigation Strategy #5 – User application configuration hardening

Mitigation

User application configuration hardening, disabling: running Internet-based Java code, untrusted Microsoft Office macros, and unneeded/undesired web browser and PDF viewer features.

Rationale

This mitigation strategy significantly helps to reduce the attack surface. Specifically, it helps mitigate cyber intrusions that involve malicious content attempting to evade application whitelisting by either exploiting an application’s legitimate functionality, or exploiting a vulnerability for which a vendor patch is unavailable.

Implementation Guidance

Focus on hardening the configuration of applications used to interact with content from the Internet. For web browsers, disallow ActiveX, Java and Flash except for whitelisted websites that require this specific functionality for business purposes (e.g. if Flash is required to use a website for business purposes, allow only Flash but not ActiveX or Java). Disallowing HTML inline frames and JavaScript, except for whitelisted websites, is ideal though challenging due to the large number of websites that require such functionality for business purposes.
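The browser, Office and PDF viewer hardening described above, expressed as registry policy values, as an added PowerShell example that is not part of the ASD document. The Office and Adobe Reader version keys and the whitelisted site name are assumptions; the same values written through Group Policy enforce the settings rather than merely setting them.

```powershell
# Added example, not from the ASD document. Restricts Office macros to digitally signed
# ones (or disables them), disables Java and ActiveX/Flash in Internet Explorer's Internet
# zone while leaving them available to whitelisted sites placed in the Trusted sites zone,
# and disables JavaScript and locks Protected Mode and Enhanced Security on in Adobe Reader.
# Office/Reader version keys and the example site are assumptions.

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = only digitally signed, 4 = disable all.
function Set-OfficeMacroPolicy {
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3,
          [string[]]$OfficeVersion = @('14.0', '15.0', '16.0'))   # Office 2010, 2013, 2016 and later
    foreach ($ver in $OfficeVersion) {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            Set-RegistryDword -Path $key -Name 'VBAWarnings' -Value $VBAWarnings
            # Office 2016 and later: block macros outright in files marked as downloaded from the Internet.
            Set-RegistryDword -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1
        }
    }
}

# Internet Explorer zone actions (zone 3 = Internet, zone 2 = Trusted sites):
#   1C00 Java permissions (0 = disable), 1200 run ActiveX controls and plug-ins (3 = disable),
#   1400 active scripting (3 = disable).
function Set-IeInternetZoneHardening {
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    Set-RegistryDword -Path $zone -Name '1C00' -Value 0     # no Java from Internet sites
    Set-RegistryDword -Path $zone -Name '1200' -Value 3     # no ActiveX controls, which includes Flash
    # '1400' = 3 would disable JavaScript for the Internet zone: the ideal noted above, but it
    # breaks most sites, so it is left as a deliberate per-organisation decision.
}

# Whitelisted business sites go into the Trusted sites zone, where Java/ActiveX stay enabled.
function Add-TrustedSite {
    param([string]$Domain, [ValidateSet('http', 'https')][string]$Scheme = 'https')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    Set-RegistryDword -Path $key -Name $Scheme -Value 2      # 2 = Trusted sites zone
}

# Adobe Reader FeatureLockDown values: bEnableJS 0 disables JavaScript, bProtectedMode 1 keeps
# the sandbox on, bEnhancedSecurityStandalone/InBrowser 1 keep enhanced security on. Values
# under HKLM\...\Policies cannot be changed by the user from the Preferences dialog.
function Set-AdobeReaderHardening {
    param([string]$ReaderVersion = 'DC')   # '11.0' for Reader XI
    $key = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"
    Set-RegistryDword -Path $key -Name 'bEnableJS' -Value 0
    Set-RegistryDword -Path $key -Name 'bProtectedMode' -Value 1
    Set-RegistryDword -Path $key -Name 'bEnhancedSecurityStandalone' -Value 1
    Set-RegistryDword -Path $key -Name 'bEnhancedSecurityInBrowser' -Value 1
}

Set-OfficeMacroPolicy -VBAWarnings 3
Set-IeInternetZoneHardening
Add-TrustedSite -Domain 'intranet.example.gov.au'    # placeholder for a whitelisted business site
Set-AdobeReaderHardening
```

Because the Trusted sites zone keeps Java and ActiveX enabled, every site added to it is a site whose compromise would bypass the hardening, so the list should be short, reviewed and limited to HTTPS hosts the organisation controls or has a business need for.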

A variety of approaches can be used to mitigate running malicious Java code located on the Internet, including:

Further Information

ISM controls: 0380, 0961.

Mitigation Strategy #6 – Automated dynamic analysis

Mitigation

Perform automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or other configuration changes.

Rationale

Dynamic analysis uses behaviour-based detection capabilities instead of relying on the use of signatures, enabling organisations to detect malware that has yet to be identified by vendors.

Implementation Guidance

Analysis could be performed in an instrumented sandbox located either in an organisation’s gateway, on a user’s workstation, or in the cloud subject to concerns about data sensitivity, privacy, and security of the communications channel.

Preferably use an implementation that:

Use an implementation that is regularly updated by the vendor to mitigate evolving evasion techniques that challenge the effectiveness of this mitigation strategy. Avoid using implementations that are easily circumvented by cyber adversaries using evasion techniques such as:

Further Information

ISM control: 1389.

Mitigation Strategy #7 – Operating system generic exploit mitigation

Mitigation

Apply operating system generic exploit mitigation technologies e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Note that EMET reached end of support in July 2018 and its mitigations are now built into Windows 10 and later as Exploit Protection. Security-Enhanced Linux (SELinux) and grsecurity are examples of exploit mitigation mechanisms for Linux operating systems.

Rationale

These technologies provide system-wide measures to help mitigate techniques used to exploit vulnerabilities, including for applications which EMET is specifically configured to protect, even in cases where the existence and details of vulnerabilities are not publicly known.

Implementation Guidance

Configure DEP hardware and software mechanisms to apply to all operating system programs and other software applications that support DEP.

Configure ASLR to apply to all operating system programs and other software applications that support ASLR.
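The DEP and ASLR configuration described above, as an added PowerShell example that is not part of the ASD document. Get-ProcessMitigation and Set-ProcessMitigation belong to Exploit Protection in Windows 10 1709, Windows Server 2019 and later, Microsoft's replacement for EMET; on earlier systems bcdedit controls DEP and EMET_Conf the per-application settings. The program list is an assumption: it should hold the applications that open Internet content.

```powershell
# Added example, not from the ASD document. Reads the DEP boot setting, then applies
# system-wide and per-application mitigations with Exploit Protection (Windows 10 1709,
# Server 2019 and later). The program list is an assumption.

# nx values: OptIn (DEP for Windows binaries only, the default), OptOut (everything except
# an exclusion list), AlwaysOn, AlwaysOff. OptOut is the practical system-wide setting.
function Get-DepBootSetting {
    $line = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'OptIn (default, not explicitly set)' }
}

function Set-DepBootSetting {
    param([ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')][string]$Mode = 'OptOut')
    bcdedit /set '{current}' nx $Mode | Out-Null    # takes effect after a reboot
}

# System defaults: hardware DEP, SEHOP and ASLR (mandatory image relocation, bottom-up and
# high-entropy randomisation). ForceRelocateImages also randomises images built without
# /DYNAMICBASE, which a few legacy programs cannot tolerate, so pilot it before broad use.
$SystemMitigations = @('DEP', 'SEHOP', 'ForceRelocateImages', 'BottomUp', 'HighEntropy')

function Set-SystemExploitMitigation {
    Set-ProcessMitigation -System -Enable $SystemMitigations
}

# Per-application settings for the programs that open untrusted content: the EMET-style
# export address filter and ROP checks, plus blocking of legacy extension-point DLL injection.
$ProgramMitigations = $SystemMitigations + @('DisableExtensionPoints', 'EnableExportAddressFilter',
                                             'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec')

function Set-ProgramExploitMitigation {
    param([string[]]$Program = @('AcroRd32.exe', 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'iexplore.exe', 'java.exe'))
    foreach ($exe in $Program) {
        Set-ProcessMitigation -Name $exe -Enable $ProgramMitigations
    }
}

Get-DepBootSetting
Set-DepBootSetting -Mode OptOut
Set-SystemExploitMitigation
Set-ProgramExploitMitigation
Get-ProcessMitigation -System    # effective system policy; keep the output as evidence
```

The per-application mitigations are the ones most likely to break software, so apply them first to the Most Likely Targets' workstations in the same phased way as application whitelisting, and keep the exported policy (Get-ProcessMitigation -System) with the change record.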

Further Information

Further information about EMET is available at:

Information on DEP, ASLR and other generic mitigation technologies such as SEHOP is available at Microsoft: Mitigating Software Vulnerabilities.

ISM control: 0380.

Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System

Mitigation

Implement a Host-based Intrusion Detection/Prevention System (HIDS/HIPS) to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and call hooking. Suspicious behaviour also includes software attempting to persist after the workstation or server is rebooted, for example by modifying or adding registry settings and files such as computer services.

Rationale

HIDS/HIPS uses behaviour-based detection capabilities instead of relying on the use of signatures, enabling organisations to detect malware that has yet to be identified by vendors.

Implementation Guidance

Configure the HIDS/HIPS capability to achieve an acceptable balance between identifying malware, while avoiding negatively impacting users and your organisation’s incident response team due to false positives.

Endpoint protection or anti-malware software from some vendors includes HIDS/HIPS functionality.

Further Information

ISM controls: 0576, 1034, 1341, 1184-1185.

Mitigation Strategy #9 – Disable local administrator accounts

Mitigation

Disable local administrator accounts to prevent cyber adversaries from easily propagating throughout an organisation’s network using compromised local administrator credentials that are shared by several workstations.

Rationale

Disabling local administrator accounts helps to prevent cyber adversaries from propagating throughout an organisation’s network as part of the second stage of a cyber intrusion.

Implementation Guidance

In cases where it is not feasible to disable the built-in administrator account, for example on domain controllers, where it is the domain’s built-in Administrator account, ensure that the account has a passphrase that meets ISM requirements and is not shared with any other workstation or server. Appropriately protect records of the passphrases used for such servers.
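Auditing who holds local administrator rights on a workstation (mitigation strategy #4) and disabling the built-in local Administrator account (this strategy), as an added PowerShell example that is not part of the ASD document. It uses the WinNT ADSI provider so that it runs on any supported Windows version; on Windows 10 / Server 2016 and later Get-LocalGroupMember and Disable-LocalUser do the same. The approved-member list and the domain name are assumptions.

```powershell
# Added example, not from the ASD document. Lists the members of the local Administrators
# group, reports any not on an approved list, and disables the built-in Administrator
# account, found by its RID 500 so a renamed account is still identified.
# The approved list and domain name are assumptions.

function Get-LocalAdministratorMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = (($path -replace '^WinNT://', '') -replace '/', '\')   # DOMAIN\name or COMPUTER\name
            Type     = $class                                                 # User or Group
        }
    }
}

# A user account with standing local admin rights on a workstation is exactly what the
# second stage of an intrusion reuses, so anything off the approved list is a finding.
function Find-UnapprovedLocalAdministrator {
    param([string]$ComputerName = $env:COMPUTERNAME,
          [string[]]$Approved = @("$ComputerName\Administrator", 'EXAMPLE\Workstation Admins'))   # placeholders
    Get-LocalAdministratorMember -ComputerName $ComputerName |
        Where-Object { $Approved -notcontains $_.Member }
}

function Disable-BuiltinAdministrator {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The built-in account keeps RID 500 whatever it has been renamed to.
    $builtin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw "Built-in Administrator account not found on $ComputerName" }
    $account = [ADSI]"WinNT://$ComputerName/$($builtin.Name),user"
    $account.psbase.InvokeSet('AccountDisabled', $true)
    $account.psbase.CommitChanges()
    [pscustomobject]@{ Computer = $ComputerName; Account = $builtin.Name; Disabled = $true }
}

Find-UnapprovedLocalAdministrator | Format-Table -AutoSize
Disable-BuiltinAdministrator
```

Do not run the disable step against domain controllers, where the RID 500 account is the domain's built-in Administrator, and make sure a break-glass path (a unique per-host passphrase held in a protected record, as the guidance above requires) exists before disabling. Where the account must stay enabled, the Windows 8.1 / Server 2012 R2 and later well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group) can be placed in the ‘Deny access to this computer from the network’ and ‘Deny log on through Remote Desktop Services’ rights, which stops a shared local administrator passphrase from being used for network propagation even though the account itself still works at the console.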

Further Information

ISM controls: 0383, 0445.

Mitigation Strategy #10 – Network segmentation and segregation

Mitigation

Segment and segregate networks into security zones to protect sensitive information and critical services, such as user authentication by the Microsoft Active Directory service.

Network segmentation involves partitioning the network into smaller networks. Network segregation involves developing and enforcing a ruleset controlling which workstations and servers are permitted to communicate with which other workstations and servers. For example, on most corporate networks, direct network communication between user workstations should not be required or permitted.

Rationale

Network segmentation and segregation helps to prevent cyber adversaries from propagating throughout an organisation’s network as part of the second stage of a cyber intrusion.

If implemented correctly, it can make it significantly more difficult for cyber adversaries to locate and gain access to an organisation’s most sensitive information.

Implementation Guidance

Network segmentation and segregation should be based on the connectivity required, user job role, business function, trust boundaries and sensitivity of information stored.

Network controls that can assist with implementing network segmentation and segregation include switches, virtual LANs, enclaves, data diodes, firewalls, routers and Network Access Control.

Constrain VPN and other remote access, wireless connections, as well as user-owned laptops, smartphones and tablets which are part of a ‘Bring Your Own Device’ implementation.

Organisations using operating system virtualisation, cloud computing infrastructure (especially third party), or providing users with ‘Bring Your Own Device’ or remote access to the organisation’s network, might require controls that are less dependent on the physical architecture of the network. Such controls include personal firewalls and ‘IPsec Server and Domain Isolation’.

The use of IPsec provides flexible network segmentation and segregation. For example, IPsec authentication can ensure that a specific network port or ports on a sensitive server can only be accessed by specific workstations such as those workstations belonging to administrators.

Sensitive servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers referred to as ‘jump servers’. Jump servers should be closely monitored, be well secured, limit which users and network devices are able to connect to them, and typically have no Internet access. Some jump servers might require limited Internet access if they are used to administer defined workstations or servers located outside of the organisation’s local network.

Organisations with critically sensitive information might choose to store and access it using air-gapped workstations and servers that are not accessible from the Internet. Security patches and other data can be transferred to and from such air-gapped workstations and servers in accordance with a robust media transfer policy and process.

Further Information

Further guidance on network segmentation and segregation is available at Network Segmentation and Segregation

Information specifically pertaining to mobility solutions is available at Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD)

ISM controls: 1346, 1181, 1182, 1385.

Mitigation Strategy #11 – Multi-factor authentication

Mitigation

Implement multi-factor authentication, especially for Most Likely Targets, remote access, and when the user is about to perform a privileged action (including system administration) or access a sensitive information repository.

Multi-factor authentication involves users verifying their identity by using at least any two of the following three mechanisms:

Rationale

Multi-factor authentication helps to prevent cyber adversaries from propagating throughout an organisation’s network as part of the second stage of a cyber intrusion.

If implemented correctly, multi-factor authentication can make it significantly more difficult for cyber adversaries to steal legitimate credentials to facilitate further malicious activities on the network.

Implementation Guidance

Different multi-factor authentication mechanisms provide varying levels of security.

Secure servers that store user authentication data and perform user authentication since such servers are frequently targeted by cyber adversaries.

The use of multi-factor authentication for remote access does not fully mitigate users entering their passphrase on a compromised computing device. Cyber adversaries might obtain a user’s passphrase when it is entered into a compromised computing device used for remote access. This passphrase might then be used as part of a subsequent cyber intrusion, for example by cyber adversaries either gaining physical access to a corporate workstation and simply logging in as the user, or by using this passphrase to access sensitive corporate resources as part of a remote cyber intrusion against the corporate network. Mitigations for this include using multi-factor authentication for all user logins including corporate workstations in the office, or ensuring that user passphrases for remote access are different to passphrases used for corporate workstations in the office.

Ensure that administrative service accounts, and other accounts that are unable to use multi-factor authentication, use a passphrase that meets ISM requirements.

Further Information

Further guidance on multi-factor authentication is available at Multi-factor Authentication

ISM controls: 1039, 1265, 1173, 0974, 1384, 1357.

Mitigation Strategy #12 – Software-based application firewall, blocking incoming network traffic

Mitigation

Implement a software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default.

Rationale

Blocking unnecessary network connections reduces the potential attack surface by limiting exposure to network services running on workstations and servers, as well as reducing the ability of cyber adversaries to propagate throughout an organisation’s network as part of the second stage of a cyber intrusion.

Implementation Guidance

Endpoint protection or anti-malware software from some vendors includes software-based application firewall functionality.

Further Information

ISM controls: 0380, 0941, 1017.

Mitigation Strategy #13 – Software-based application firewall, blocking outgoing network traffic

Mitigation

Implement a software-based application firewall, blocking outgoing network traffic that is not generated by a whitelisted application, and denying network traffic by default.

Rationale

Blocking outgoing network traffic that is not generated by a whitelisted application helps to prevent cyber adversaries from propagating throughout an organisation’s network as part of the second stage of a cyber intrusion, and from exfiltrating the organisation’s data as part of the third stage of a cyber intrusion.

Implementation Guidance

Endpoint protection or anti-malware software from some vendors includes software-based application firewall functionality.

Further Information

ISM controls: 0380, 0941, 1017.

Mitigation Strategy #14 – Non-persistent virtualised sandboxed trusted operating environment

Mitigation

Implement a non-persistent virtualised sandboxed trusted operating environment, hosted outside of your organisation’s internal network, for risky activities such as web browsing.

Rationale

Cyber adversaries who compromise a user’s non-persistent virtualised workstation, which is located outside of an organisation’s internal network, will have a significantly reduced ability to persist as part of the first stage of a cyber intrusion, and to propagate throughout the organisation’s network as part of the second stage of a cyber intrusion.

Implementation Guidance

Network segmentation and segregation should be implemented to mitigate the risk of a compromised virtualised operating environment accessing an organisation’s sensitive information.

The non-persistent nature of this mitigation strategy helps to automatically restore a compromised system to a known good state. However, it will also remove some forensic evidence related to the cyber intrusion, highlighting the importance of organisations performing centralised logging as discussed in mitigation strategies #15 and #16.

A robust policy and process should be used to enable data to be transferred from the virtualised operating environment to the user’s local environment.

Further Information

Implementation options are included in ASD’s guidance on network segmentation and segregation, available at Network Segmentation and Segregation

ISM controls: 1181, 1345, 1346.

Mitigation Strategy #15 – Centralised and time-synchronised logging of successful and failed computer events

Mitigation

Perform centralised and time-synchronised logging of successful and failed computer events, with automated immediate real-time log analysis, storing logs for at least 18 months. Important logs include logs generated by security products, as well as Active Directory event logs and other logs associated with user authentication including VPN and other remote access connections.

Rationale

Centralised and time-synchronised logging and timely log analysis will increase an organisation’s ability to rapidly identify patterns of suspicious behaviour and correlate logged events across multiple workstations and servers, as well as enabling easier and more effective investigation and auditing if a cyber intrusion occurs.

Implementation Guidance

Use a Security Information and Event Management solution to aggregate and correlate logs from multiple sources to identify patterns of suspicious behaviour, including behaviour that deviates from the baseline of typical patterns of system usage by users.

Perform regular log analysis focusing on:

When performing log analysis of user authentication and use of account credentials, especially focus on:

Further Information

ISM controls: 0120, 0670, 0790, 0380, 0957, 0261, 0109, 0580, 0582-0583, 0584, 0585, 0586, 0587, 0859, 0987, 0988, 0991, 1032, 0631, 0634, 1176, 1305.
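As an added illustration of the authentication log analysis described in the Implementation Guidance above (example code written for this page, not ASD tooling), the following Python runs three checks over a constructed extract of centralised logon events: use of a honeytoken account, a burst of failed logons for one account, and one account successfully logging on to many hosts within a short window. The log line format, host and account names, thresholds and the honeytoken name are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralised, time-synchronised authentication events.
# Line format is invented for this example:
#   "<ISO 8601 time> <host> <event id> <account> <source ip>"
# 4624 and 4625 are the Windows Security log IDs for a successful and a failed logon.
SAMPLE_EVENTS = """\
2014-02-03T08:55:00 WS-0210 4624 akhan 10.1.7.33
2014-02-03T09:00:01 WS-0412 4624 jsmith 10.1.4.12
2014-02-03T09:02:15 FS-01 4624 jsmith 10.1.4.12
2014-02-03T09:02:40 FS-02 4624 jsmith 10.1.4.12
2014-02-03T09:03:02 SQL-01 4624 jsmith 10.1.4.12
2014-02-03T09:03:30 DC-01 4624 jsmith 10.1.4.12
2014-02-03T09:04:10 WS-0099 4625 svc_backup 10.1.4.12
2014-02-03T09:04:12 WS-0099 4625 svc_backup 10.1.4.12
2014-02-03T09:04:15 WS-0099 4625 svc_backup 10.1.4.12
2014-02-03T09:04:18 WS-0099 4625 svc_backup 10.1.4.12
2014-02-03T09:04:21 WS-0099 4625 svc_backup 10.1.4.12
2014-02-03T09:05:00 FS-01 4625 hr_archive_svc 10.1.4.12
"""

# A honeytoken account exists only to be tripped over; it is never used legitimately (constructed name).
HONEYTOKENS = frozenset({"hr_archive_svc"})


def parse_events(text):
    """Parse the constructed log format into dicts sorted by time (time-synchronised sources assumed)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, account, src_ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), "account": account, "src_ip": src_ip})
    return sorted(events, key=lambda e: e["time"])


def detect_honeytoken_use(events, honeytokens=HONEYTOKENS):
    """Any logon attempt, successful or not, against a honeytoken account is suspicious by definition."""
    return [e for e in events if e["account"] in honeytokens]


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failed logons inside any `window` (passphrase guessing)."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["account"]].append(e["time"])
    alerts = []
    for account, times in failures.items():
        best, best_start, start = 0, None, 0
        for end in range(len(times)):          # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            alerts.append((account, best_start, best))
    return alerts


def detect_lateral_spread(events, host_threshold=4, window=timedelta(minutes=15)):
    """Accounts that successfully logged on to many distinct hosts in a short time (network propagation)."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            logons[e["account"]].append((e["time"], e["host"]))
    alerts = []
    for account, items in logons.items():
        best, start = set(), 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {h for _, h in items[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= host_threshold:
            alerts.append((account, sorted(best)))
    return alerts


def analyse(text):
    """Run the three detections over a log extract and return the alerts grouped by type."""
    events = parse_events(text)
    return {"honeytoken": detect_honeytoken_use(events),
            "failed_bursts": detect_failed_logon_bursts(events),
            "lateral_spread": detect_lateral_spread(events)}


if __name__ == "__main__":
    for kind, alerts in analyse(SAMPLE_EVENTS).items():
        print(kind, alerts)
```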

Mitigation Strategy #16 – Centralised and time-synchronised logging of allowed and blocked network activity

Mitigation

Perform centralised and time-synchronised logging of allowed and blocked network activity, with automated immediate real-time log analysis, storing logs for at least 18 months. Important logs include DNS server, web proxy logs containing connection details including user-agent values, DHCP leases, firewall logs detailing traffic entering and leaving an organisation’s network, and metadata such as Network Flow data.

Rationale

Centralised and time-synchronised logging and timely log analysis will increase an organisation’s ability to rapidly identify patterns of suspicious behaviour and correlate logged events across multiple workstations and servers, as well as enabling easier and more effective investigation and auditing if a cyber intrusion occurs.

Implementation Guidance

Perform regular log analysis focusing on connections and the amount of data transferred by Most Likely Targets to highlight abnormal internal network traffic such as suspicious reconnaissance enumeration of network shares and user information including honeytoken accounts. Also focus on abnormal external network traffic crossing perimeter boundaries such as:

Maintain a network map and an inventory of devices connected to the network to help baseline normal behaviour on the network and highlight anomalous network activity.
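The proxy log analysis described above, as added example code written for this page (not ASD tooling): it compares each Most Likely Target's outbound byte volume with a baseline, lists user-agent values seen from only one source address, and lists connections made to an IP address rather than a domain name (the behaviour mitigation strategy #32 blocks). The log line format, user names, baseline figures and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed web proxy log extract. The line format is invented for this example:
#   "<time> <user> <source ip> <destination host> <bytes sent by client> <user-agent ...>"
# The user-agent is the final field and may contain spaces.
SAMPLE_PROXY_LOG = """\
2014-02-03T10:01:02 jsmith 10.1.4.12 intranet.example.com 1834 Mozilla/5.0 (Windows NT 6.1) Firefox/26.0
2014-02-03T10:03:44 jsmith 10.1.4.12 203.0.113.77 4820011 Mozilla/4.0 (compatible; MSIE 6.0)
2014-02-03T10:04:10 jsmith 10.1.4.12 updates.example.net 91000 Mozilla/4.0 (compatible; MSIE 6.0)
2014-02-03T10:05:00 akhan 10.1.7.33 www.example.com 2200 Mozilla/5.0 (Windows NT 6.1) Firefox/26.0
2014-02-03T10:06:20 akhan 10.1.7.33 mail.example.com 15300 Mozilla/5.0 (Windows NT 6.1) Firefox/26.0
2014-02-03T10:07:05 mlee 10.1.9.8 www.example.com 980 Mozilla/5.0 (Windows NT 6.1) Firefox/26.0
"""

# Constructed baseline: typical bytes sent to the Internet per day by each Most Likely Target.
# In a real deployment this comes from earlier log history.
UPLOAD_BASELINE = {"jsmith": 250_000, "mlee": 120_000}


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, src_ip, dest, sent, user_agent = line.split(maxsplit=5)
        records.append({"time": time, "user": user, "src_ip": src_ip, "dest": dest,
                        "bytes_sent": int(sent), "user_agent": user_agent})
    return records


def outbound_volume_anomalies(records, baseline=UPLOAD_BASELINE, factor=5):
    """Most Likely Targets whose outbound volume exceeds `factor` times their baseline (possible exfiltration)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["bytes_sent"]
    return [(user, totals[user], base) for user, base in baseline.items()
            if totals[user] > factor * base]


def rare_user_agents(records, min_hosts=2):
    """User-agent strings seen from fewer than `min_hosts` source addresses; malware often carries its own."""
    hosts_by_agent = defaultdict(set)
    for r in records:
        hosts_by_agent[r["user_agent"]].add(r["src_ip"])
    return [(agent, sorted(hosts)) for agent, hosts in hosts_by_agent.items()
            if len(hosts) < min_hosts]


def ip_literal_destinations(records):
    """Connections made to an IP address rather than a domain name (see mitigation strategy #32)."""
    found = []
    for r in records:
        try:
            ipaddress.ip_address(r["dest"])
        except ValueError:
            continue                    # a host name, not an IP literal
        found.append((r["user"], r["dest"]))
    return found


def analyse_proxy_log(text):
    records = parse_proxy_log(text)
    return {"volume": outbound_volume_anomalies(records),
            "rare_user_agents": rare_user_agents(records),
            "ip_literal": ip_literal_destinations(records)}


if __name__ == "__main__":
    for kind, hits in analyse_proxy_log(SAMPLE_PROXY_LOG).items():
        print(kind, hits)
```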

Further Information

ISM controls: 0120, 0670, 0790, 0380, 0957, 0261, 0109, 0580, 0582-0583, 0584, 0585, 0586, 0587, 0859, 0987, 0988, 0991, 1032, 0631, 0634, 1176, 1305.

Mitigation Strategy #17 – Email content filtering

Mitigation

Implement email content filtering, allowing only whitelisted attachments with a file type and file extension that are required for business functionality.

Rationale

Email content filtering helps to prevent the compromise of user workstations via cyber adversaries using malicious emails.

Implementation Guidance

Preferably analyse/convert/sanitise hyperlinks, PDF and Microsoft Office attachments to disable malicious content.

Disallow or quarantine content that cannot be inspected such as passphrase protected ZIP archive files.

Reject emails from the Internet that have your organisation’s domain as the email sender.

Preferably archive PDF and Microsoft Office attachments, and virus scan them again every month for several months.

Preferably quarantine attachments and disable hyperlinks in emails from webmail providers that provide free email addresses to anonymous Internet users, since cyber intrusions commonly involve the use of such email addresses due to the lack of attribution.
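The attachment checks described above, as added example code written for this page (not the Exchange plugin referred to below or any ASD code): whitelist by file extension, confirm the content's real type from its leading bytes rather than its name, inspect ZIP members, and quarantine passphrase-protected ZIP archives because they cannot be inspected. The whitelist policy, the sample files and the hand-assembled ZIP helper are constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls) container
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP archives and OOXML (.docx/.xlsx)

# Constructed whitelist policy: extension -> content type the file must actually have.
WHITELIST = {".pdf": "pdf", ".doc": "ole", ".xls": "ole",
             ".docx": "ooxml", ".xlsx": "ooxml", ".zip": "zip"}


def detect_type(data):
    """Identify content by its leading bytes, never by the name the sender chose."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "unknown"


def classify_attachment(filename, data, depth=0):
    """Return ("allow" | "quarantine" | "reject", reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in WHITELIST:
        return "reject", f"extension {ext or '(none)'} is not whitelisted"
    kind = detect_type(data)
    if kind != WHITELIST[ext]:
        return "reject", f"content is {kind}, which does not match {ext}"
    if kind != "zip":
        return "allow", f"{ext} with matching {kind} content"
    if depth >= 1:
        return "quarantine", "nested archive cannot be inspected in full"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if any(m.flag_bits & 0x1 for m in members):      # bit 0 = traditional ZIP encryption
            return "quarantine", "passphrase protected ZIP cannot be inspected"
        verdicts = [classify_attachment(m.filename, zf.read(m), depth + 1) for m in members]
    for decision in ("reject", "quarantine"):              # the worst member decides the archive
        for verdict, reason in verdicts:
            if verdict == decision:
                return decision, f"archive member: {reason}"
    return "allow", "all archive members are whitelisted and inspectable"


def build_zip(entries, encrypted=False):
    """Hand-assemble a stored ZIP so a sample can carry the encryption flag, which zipfile
    cannot write. Data stays in the clear; only the header flag matters to the check above."""
    flags = 0x1 if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, data in entries:
        name_b, crc, offset = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21, crc,
                             len(data), len(data), len(name_b), 0) + name_b + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed samples: a harmless PDF, an executable (MZ header) and a minimal OOXML document.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_DOCX = build_zip([("[Content_Types].xml", b"<Types/>"), ("word/document.xml", b"<w:document/>")])

if __name__ == "__main__":
    for name, data in [("report.pdf", SAMPLE_PDF), ("invoice.pdf", SAMPLE_EXE), ("memo.docx", SAMPLE_DOCX),
                       ("secret.zip", build_zip([("q1.pdf", SAMPLE_PDF)], encrypted=True))]:
        print(name, classify_attachment(name, data))
```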

Further Information

Refer to mitigation strategy #6 ‘Automated dynamic analysis of email and web content run in a sandbox’ for details about detecting email content exhibiting suspicious behaviour such as network traffic or changes to the file system or registry.

An example plugin for Microsoft Exchange that sanitises PDF files is available at Strategies to Mitigate Targeted Cyber Intrusions

Further guidance on malicious email mitigation strategies is available at Malicious Email Mitigation Guide

ISM controls: 0561, 1057, 1234, 1284-1285, 1288, 0649-0650, 0651-0652, 1389.

Mitigation Strategy #18 – Web content filtering

Mitigation

Implement web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, Internet-based reputation ratings, heuristics and signatures.

Rationale

An effective web content filter reduces the risk of malware infection and of other inappropriate content being accessed, as well as making it more difficult for cyber adversaries to communicate with their malware. Defining a whitelist will assist in removing one of the most common data delivery and exfiltration techniques used by malware.

Implementation Guidance

Preferably block all executable content by default and use a process to enable individual selected access if a business justification exists.

Preferably block access to websites that the web content filter considers to be ‘uncategorised’ or in a category that is not required for business purposes.

Disallow ActiveX, Java and Flash except for whitelisted websites that require this specific functionality for business purposes (e.g. if Flash is required to use a website for business purposes, allow only Flash but not ActiveX or Java).

Disallowing HTML inline frames and JavaScript, except for whitelisted websites, is ideal though challenging due to the large number of websites that require such functionality for business purposes.

Implement a solution that inspects SSL traffic for malicious content, especially SSL communications with unfamiliar websites.

Further Information

Refer to mitigation strategy #6 ‘Automated dynamic analysis of email and web content run in a sandbox’ for details about detecting web content exhibiting suspicious behaviour such as network traffic or changes to the file system or registry.

ISM controls: 0963, 0961, 1237, 1389, 1390.

Mitigation Strategy #19 – Web domain whitelisting for all domains

Mitigation

Implement web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.

Rationale

Defining a whitelist will assist in removing one of the most common data delivery and exfiltration techniques used by malware.

Implementation Guidance

To minimise the user resistance and the administrative overhead potentially associated with this mitigation strategy, implement a streamlined process for users to easily and quickly add domains to the whitelist.

Further Information

An example implementation is available at SourceForge: Example Implementation of Web Domain Whitelisting

ISM controls: 0263, 0995, 0958.

Mitigation Strategy #20 – Block spoofed emails

Mitigation

Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a ‘hard fail’ SPF record to help prevent spoofing of your organisation’s domain.

Rationale

SPF, or alternative implementations such as Sender ID, aid in the detection of spoofed emails and therefore reduce the success rate of such cyber intrusion methods.

Implementation Guidance

Configure SPF records for your organisation’s domains and subdomains, and configure a wildcard SPF record to match non-existent subdomains.

Sender ID is an alternative version of SPF that checks the legitimacy of the sender’s email address that is displayed to the email recipient. Additional implementations include DomainKeys Identified Mail (DKIM).

Domain-based Message Authentication, Reporting and Conformance (DMARC) standardises how email receivers perform email authentication using the SPF and DKIM mechanisms.

Reject emails from the Internet that have your organisation’s domain as the email sender.
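As an added worked example of the guidance above (example code written for this page, not ASD code), a simplified SPF evaluator in Python over constructed TXT records: a hard-fail record for the organisation's domain, a record for its mail subdomain, and a wildcard record so that non-existent subdomains fail as well; inbound_policy additionally rejects mail arriving from the Internet that claims the organisation's own domain as sender. The zone contents, domain names and the mapping of SPF results to gateway actions are assumptions, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed TXT records standing in for DNS. The organisation's domain publishes a hard-fail
# ("-all") record, as do its mail subdomain and a wildcard covering non-existent subdomains.
# example.com/.net/.org and the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32
# ranges are the reserved documentation names and addresses.
ZONE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.32/27 include:_spf.example.net -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.10 -all",
    "*.example.com": "v=spf1 -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softfail.example.org": "v=spf1 ip4:203.0.113.5 ~all",
}
OUR_DOMAINS = {"example.com"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=ZONE_TXT):
    """Exact TXT lookup, then the nearest wildcard (simplified DNS wildcard behaviour)."""
    if domain in zone:
        return zone[domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def evaluate_spf(domain, client_ip, zone=ZONE_TXT, depth=0):
    """Simplified SPF check supporting ip4, ip6, include and all (a/mx/exists are not implemented)."""
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False across IP versions
        elif mech == "include":
            sub = evaluate_spf(arg, client_ip, zone, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"      # unsupported mechanism or modifier in this simplified evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"               # RFC 7208 default when no mechanism matches


def inbound_policy(mail_from_domain, client_ip, our_domains=OUR_DOMAINS, zone=ZONE_TXT):
    """Gateway decision for a message arriving from the Internet: ('accept'|'quarantine'|'reject', detail)."""
    domain = mail_from_domain.lower()
    if any(domain == d or domain.endswith("." + d) for d in our_domains):
        return "reject", "internal domain used as sender from the Internet"
    result = evaluate_spf(domain, client_ip, zone)
    if result == "fail":
        return "reject", result
    if result in ("softfail", "permerror"):
        return "quarantine", result
    return "accept", result


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.40"), ("nosuch.example.com", "192.0.2.10"),
                       ("example.net", "203.0.113.9")]:
        print(domain, ip, evaluate_spf(domain, ip), inbound_policy(domain, ip))
```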

Further Information

Further guidance on spoofed email mitigation strategies is available at Mitigating Spoofed Emails – Sender Policy Framework (SPF) Explained

ISM controls: 0574, 1151-1152, 0861, 1025-1027, 0561, 1183.

Mitigation Strategy #21 – Workstation and server configuration management

Mitigation

Perform workstation and server configuration management based on a hardened Standard Operating Environment, disabling unneeded/undesired functionality e.g. IPv6, autorun and LanMan.

Rationale

Benefits of workstations and servers having a consistent managed configuration include:

Implementation Guidance

Harden file and registry permissions; for example, where possible, prevent users (and therefore malware running on the user’s behalf) from running the system executables commonly used for reconnaissance, as listed in mitigation strategy #15 ‘Centralised and time-synchronised logging of successful and failed computer events’.

Configure the Windows Task Scheduler service to prevent user workstations from creating scheduled tasks (especially on servers) to execute malicious programs.

Configure the DLL search path algorithm to help mitigate malicious DLL files being loaded; see Microsoft Support: A new CWDIllegalInDllSearch Registry Entry is Available to Control the DLL Search Path Algorithm

Further Information

Australian government agencies can access a Microsoft Windows 7 SP1 Standard Operating Environment build guideline as part of the Australian Government Common Operating Environment.

ISM controls: 0380, 0382, 0383, 0341, 1055.

Mitigation Strategy #22 – Antivirus software using heuristics and automated Internet-based reputation ratings

Mitigation

Implement antivirus software using heuristics and automated Internet-based reputation ratings to check a program’s prevalence and its digital signature’s trustworthiness prior to execution. Specifically, this includes checking the prevalence of a questionable file among the Internet user base, and checking whether a digitally signed file uses a reputable vendor certificate that hasn’t expired or been revoked.

Rationale

Antivirus software helps to prevent, detect and remove malware that includes computer viruses, worms, Trojans, spyware and adware.

Implementation Guidance

Configure the heuristic behaviour analysis capability to achieve an acceptable balance between identifying malware and avoiding false positives that negatively impact users and your organisation’s incident response team.

Scan files when they are accessed and on a scheduled basis.

Endpoint protection or anti-malware software from some vendors includes heuristics and automated Internet-based reputation rating functionality.

Further Information

ISM controls: 0380, 1033, 1288, 1390.

Mitigation Strategy #23 – Deny direct Internet access from workstations

Mitigation

Deny direct Internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server, or an authenticated web proxy server.

Rationale

Malware used in cyber intrusions of low sophistication can fail to exfiltrate data and operate correctly if it expects direct Internet connectivity and is therefore unable to traverse an organisation’s Internet gateway; the Internet gateway can then detect and block such unauthorised attempts to access the Internet directly.

Implementation Guidance

The firewall should only allow approved networking ports and protocols required for business functionality.

Implement a web proxy that inspects SSL traffic for malicious content, especially SSL communications with unfamiliar websites.

Preferably configure workstations with a non-routing network capture device as the default route to help detect malware attempting to directly communicate with the Internet, noting that some legitimate applications or operating system functionality might generate false positives.

Further Information

ISM controls: 0569, 0260-0261, 0996, 0263, 0841-0842, 0385, 0953, 0628, 0631, 0639.

Mitigation Strategy #24 – Server application configuration hardening

Mitigation

Perform server application configuration hardening e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.

Rationale

Server application configuration hardening helps an organisation to conduct its business with a reduced risk of malicious data access, theft, exposure, corruption and loss.

Implementation Guidance

OWASP guidelines help mitigate web application vulnerabilities such as SQL injection. These guidelines cover code review, data validation and sanitisation, user and session management, protection of data in transit and storage, error handling, user authentication, logging and auditing.

Further Information

Further guidance on protecting web applications is available at Protecting Web Applications and Users – Technical guidance for improving web application security through implementing web browser based mitigations

ISM controls: 0401, 0971, 0393, 1244-1253, 1254-1278.

Mitigation Strategy #25 – Enforce a strong passphrase policy

Mitigation

Enforce a strong passphrase policy covering complexity, length, expiry, and avoiding both passphrase reuse and the use of a single dictionary word.

This is especially important for service accounts and all other accounts with administrative privileges.

Rationale

It is more challenging for cyber adversaries to crack passphrase hashes and propagate throughout an organisation’s network as part of the second stage of a cyber intrusion if passphrases are complex, long and hashed with a cryptographically strong algorithm.

Implementation Guidance

The use of an appropriately configured and secured passphrase vault can assist with storing and managing many complex passphrases.

Further Information

ISM controls: 0417, 0421-0422, 0423-0426.

Mitigation Strategy #26 – Removable and portable media control

Mitigation

Control removable and portable media as part of a Data Loss Prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.

Rationale

Using media in a controlled and accountable manner reduces the risk of malware execution and unauthorised data exposure. USB flash storage devices infected with malware have been inadvertently distributed by major vendors at several Australian IT security conferences. Additionally, penetration testers have been known to scatter malicious USB flash storage devices, CDs and DVDs in the car park of targeted users.

Implementation Guidance

Follow a robust media transfer policy and process when using portable media to transfer data between workstations or servers, especially if they are located on different networks or in different security domains.

Further Information

ISM controls: 0161-0162, 0322-0323, 0325, 0330-0335, 0336, 0337-0338, 0341-0345, 0346, 0347, 0348, 0831-0832, 1059, 0350, 0351-0353, 0354, 0356-0357, 0358-0360, 0835, 0836, 0947, 1065-1068, 0361, 0362, 0363-0364, 0366, 0368, 0370-0373, 0838, 0839-0840, 1160, 1360, 1361, 1069, 0329, 0374, 0375, 0378, 0159, 1169, 1347, 1359.

Mitigation Strategy #27 – Restrict access to Server Message Block (SMB) and NetBIOS

Mitigation

Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.

Rationale

This mitigation strategy primarily helps to mitigate internal reconnaissance and network propagation as part of the second stage of a cyber intrusion.

Implementation Guidance

Access to these services can be restricted by using a firewall or by disabling unneeded services.

Further Information

ISM controls: 0520, 1182.

Mitigation Strategy #28 – User education

Mitigation

Educate users, especially Most Likely Targets, about Internet threats such as identifying socially engineered spear phishing emails or unexpected duplicate emails, and reporting such emails to the IT security team. Users should also report suspicious phone calls, such as unidentified callers attempting to solicit details about the organisation’s IT environment. Such education should focus on influencing user behaviour.

Rationale

User education can complement technical mitigation strategies. Users can notice and report unexpected behaviour such as a suspicious email, or a blank document or irrelevant document content being displayed when an email attachment is opened. This can assist in detecting spear phishing emails as an intrusion vector. However, to prevent and automatically detect a cyber intrusion, implementing a technical mitigation strategy (such as application whitelisting configured to log and report violations) is preferable to relying on user education.

Putting users in the position of making a security-related decision and hoping that they are all educated to always choose correctly is likely to result in some users choosing incorrectly, resulting in compromise.

ASD is aware of some spear phishing emails that use clever tradecraft and are believable such that no amount of user education would help to prevent or detect the cyber intrusion attempt.

User education won’t prevent a user from visiting a legitimate website that has been temporarily compromised to serve malicious content as part of a ‘watering hole’ or ‘drive by download’. Visiting such a website might compromise the user’s workstation without any obvious indications of compromise for the user to detect.

Implementation Guidance

Educate users to avoid:

Educate users as to why following IT security policies helps them to protect and appropriately handle the sensitive information they have been entrusted to handle. Share with users the anecdotal details of previous cyber intrusion attempts targeting the organisation and similar organisations, highlighting the impact that cyber intrusions have to the organisation and to the user. Such education might reduce the level of user resistance to the implementation of mitigation strategies. For example, users might be less likely to resist the removal of their unnecessary administrative privileges if they understand why the mitigation strategy is required.

User education needs to be tailored to the job role of the user. Additional specialised education is useful for users with specific roles, for example:

The success of educating users needs to be measured using evidence such as whether user education contributed to:

Further Information

Further guidance for users on detecting socially-engineered emails is available at Detecting Socially-Engineered Emails

ISM controls: 0058, 0251-0253, 0255-0256, 0266, 0413, 0817-0820, 0821, 0922, 0576, 0609-0610, 1340, 1083, 1147, 1298.

Mitigation Strategy #29 – Workstation inspection of Microsoft Office files

Mitigation

Perform workstation inspection of Microsoft Office files for potentially malicious abnormalities.

Rationale

Inspection and validation of Microsoft Office files can assist with identifying malformed content, thereby enabling potentially malicious content to be blocked.

Implementation Guidance

Inspection and validation of Microsoft Office files can be performed using the Microsoft Office File Validation or Protected View feature; see Carnegie Mellon CERT: Effectiveness of Microsoft Office File Validation, Microsoft Office: What is Protected View? and Microsoft Office: Plan Office File Validation Settings for Office 2013.

Further Information

ISM controls: 1284-1285.

Mitigation Strategy #30 – Signature-based antivirus software

Mitigation

Use signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.

Rationale

Antivirus software helps prevent, detect and remove malware that includes computer viruses, worms, Trojans, spyware and adware.

However, signature-based antivirus software is a reactive approach that has difficulty protecting against targeted malware that is not yet known to the antivirus vendor.

Implementation Guidance

Scan files when they are accessed and on a scheduled basis.

Further Information

ISM controls: 0380, 1033, 1288.

Mitigation Strategy #31 – TLS encryption between email servers

Mitigation

Use TLS encryption between email servers.

Rationale

Enabling TLS encryption on both the originating and accepting email servers helps to prevent legitimate emails being intercepted in transit and subsequently being used for social engineering.

Implementation Guidance

Perform content scanning after email traffic is decrypted.

Further Information

ISM controls: 0572, 0263.

Mitigation Strategy #32 – Block attempts to access websites by their IP address

Mitigation

Block attempts to access websites by their IP address instead of by their domain name.

Rationale

This mitigation strategy forces cyber adversaries to obtain a domain name, resulting in an audit trail that can assist with identifying related cyber intrusions.

Implementation Guidance

A web proxy server can be used to implement this mitigation strategy.

Further Information

ISM control: 1171.

Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System

Mitigation

Implement a network-based Intrusion Detection/Prevention System (IDS/IPS) using signatures and heuristics to identify anomalies listed in mitigation strategy #16 ‘Centralised and time-synchronised logging of allowed and blocked network activity’.

Rationale

A network-based IDS/IPS, when configured correctly, kept up to date with signatures, and supported by appropriate processes, assists with identifying and responding to known cyber intrusion profiles.

Implementation Guidance

Inspect traffic crossing perimeter boundaries for keywords such as classification markings that indicate sensitive information, noting that cyber adversaries usually compress and/or encrypt exfiltrated data in an attempt to defeat such inspection.

Further Information

ISM controls: 0576, 0577, 0578, 1028-1029, 1030, 1031, 1184-1185.

Mitigation Strategy #34 – Gateway blacklisting

Mitigation

Implement gateway blacklisting to block access to known malicious domains and IP addresses.

Rationale

Gateway blacklisting reduces the risk of users connecting to domains and IP addresses known to be controlled by cyber adversaries.

Implementation Guidance

Cyber intrusions commonly involve the use of dynamic domains and other domains provided free to anonymous Internet users, due to the lack of attribution. Block access to such domains after checking that your organisation does not access any legitimate websites using these domains.

Further Information

An example implementation is available at SANS Institute: Windows DNS Server Blackhole Blacklist

An example list of dynamic domains (for which ASD accepts no liability) is available at Malware Domains (ZIP)

ISM controls: 0959-0960, 1236.

Mitigation Strategy #35 – Capture network traffic

Mitigation

Capture network traffic to/from internal critical asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis.

Rationale

Capturing network traffic can assist an organisation to determine the techniques used by cyber adversaries, and to assess the extent of damage if a cyber intrusion occurs. Analysis after a successful cyber intrusion helps to ensure that the compromise has been remediated.

Implementation Guidance

Focus on capturing traffic from workstations and servers on internal networks that store or access sensitive information. Preferably also capture traffic from the network perimeter, noting that its usefulness is diminished by exfiltrated data typically being encrypted and sent to a computer that probably can’t be attributed to cyber adversaries.

Ensure that users are aware that network traffic on the organisation’s network is monitored for security purposes.

When a successful cyber intrusion occurs, retain a copy of network traffic for several days prior to remediation, as well as for several days following remediation during which time cyber adversaries are likely to attempt to regain access to the organisation’s network.

Metadata relating to network connections can complement logging, and consumes less storage space than network packets.

Further Information

ISM control: 1213.

Further Reading

Additional information about implementing the Strategies to Mitigate Targeted Cyber Intrusions, and the Top 4 in particular, is available on the ASD internet site.

Alternative computer security guidance is available at Council on Cyber Security: Critical Security Controls.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.