From 512717f0b638126eabe5e5efc434946702dd9413 Mon Sep 17 00:00:00 2001 From: Tony Phipps Date: Tue, 7 Jan 2025 15:23:19 -0700 Subject: [PATCH] updates --- hardening/general-security.md | 5 ++ hardening/network.md | 79 +++++++++++++++-------------- hardening/software-manufacturers.md | 6 +++ 3 files changed, 53 insertions(+), 37 deletions(-) create mode 100644 hardening/general-security.md create mode 100644 hardening/software-manufacturers.md diff --git a/hardening/general-security.md b/hardening/general-security.md new file mode 100644 index 0000000..29df56c --- /dev/null +++ b/hardening/general-security.md @@ -0,0 +1,5 @@ +# Apply defense-in-depth principles +- by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions. + +# Resources +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID \ No newline at end of file diff --git a/hardening/network.md b/hardening/network.md index 8bf53d9..c3a5989 100644 --- a/hardening/network.md +++ b/hardening/network.md 
@@ -1,37 +1,42 @@ -- [Endpoint Segmentation](#endpoint-segmentation) -- [Threat Intelligence-Based Blocking](#threat-intelligence-based-blocking) -- [Services](#services) - - [Remote Desktop Protocol](#remote-desktop-protocol) -- [Maintain Network Documentation](#maintain-network-documentation) -- [Resources](#resources) - -# Endpoint Segmentation -Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks. - - Endpoints should NOT be allowed to communicate with each other unless absolutely necessary. This peer-level communication can be controlled via [Private VLANs](https://en.wikipedia.org/wiki/Private_VLAN) (AKA port isolation) on switches. - - Generally, it is best to limit the following scenarios - - Workstation-to-workstation communication - - Server-to-server communication - - Server-to-workstation communication - - At a minimum, consider restrict the following ports where possible - - Server Message Block (SMB) (TCP/445, TCP/135, TCP/139) - - Remote Desktop Protocol (RDP) (TCP/3389) - - Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986) - - Windows Management Instrumentation (WMI) (Dynamic/DCOM) - -# Threat Intelligence-Based Blocking -Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. -- Ideally performed automatically with a curated threat intelligence feed, but also allowing for management of a manual block/allowlist. - -# Services -## Remote Desktop Protocol -- RDP was designed to be used internally and should never be exposed to the Internet. Instead, expose VPN to the Internet and make RDP accessible internally only. - - After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication. 
- -# Maintain Network Documentation -Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. - - Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. - - -# Resources -- Mandiant Whitepaper: Ransomware Protection and Containment Strategies - - https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf \ No newline at end of file +- [Endpoint Segmentation](#endpoint-segmentation) +- [Threat Intelligence-Based Blocking](#threat-intelligence-based-blocking) +- [Services](#services) + - [Remote Desktop Protocol](#remote-desktop-protocol) +- [Maintain Network Documentation](#maintain-network-documentation) +- [](#) +- [Resources](#resources) + +# Endpoint Segmentation +Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks. + - Endpoints should NOT be allowed to communicate with each other unless absolutely necessary. This peer-level communication can be controlled via [Private VLANs](https://en.wikipedia.org/wiki/Private_VLAN) (AKA port isolation) on switches. + - Generally, it is best to limit the following scenarios + - Workstation-to-workstation communication + - Server-to-server communication + - Server-to-workstation communication + - At a minimum, consider restrict the following ports where possible + - Server Message Block (SMB) (TCP/445, TCP/135, TCP/139) + - Remote Desktop Protocol (RDP) (TCP/3389) + - Windows Remote Management (WinRM) (TCP/80, TCP/5985, TCP/5986) + - Windows Management Instrumentation (WMI) (Dynamic/DCOM) + +# Threat Intelligence-Based Blocking +Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. 
+- Ideally performed automatically with a curated threat intelligence feed, but also allowing for management of a manual block/allowlist. + +# Services +## Remote Desktop Protocol +- RDP was designed to be used internally and should never be exposed to the Internet. Instead, expose VPN to the Internet and make RDP accessible internally only. + - After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication. + +# Maintain Network Documentation +Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. + - Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. + +# +Establish baselines of network traffic, application execution, and account authentication. +Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric. + +# Resources +- Mandiant Whitepaper: Ransomware Protection and Containment Strategies + - https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID \ No newline at end of file diff --git a/hardening/software-manufacturers.md b/hardening/software-manufacturers.md new file mode 100644 index 0000000..39c5fa0 --- /dev/null +++ b/hardening/software-manufacturers.md 
@@ -0,0 +1,6 @@ +# Eliminate default passwords +# Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers + - in conjunction with customers - to understand how response teams use logs to investigate incidents. + +# Resources +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a?mc_cid=78cd2ac95a&mc_eid=UNIQID \ No newline at end of file
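Review bot: In the new hardening/general-security.md, the heading and its only bullet form one sentence split in two (`+# Apply defense-in-depth principles` / `+- by using multiple layers of security ...`), so the bullet does not stand on its own; make the bullet a complete sentence, e.g. `- Use multiple layers of security so that possible intrusions are analyzed and detected at more than one point.` The Resources link also carries Mailchimp tracking parameters (`?mc_cid=78cd2ac95a&mc_eid=UNIQID`) that should be stripped to `https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a`, and the file should end with a newline (`\ No newline at end of file`).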
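Review bot: In the hardening/network.md hunk, the new section is added with an empty title: the table of contents gains `+- [](#)` and the body gains a bare `+#` above `+Establish baselines of network traffic, application execution, and account authentication.`; give the section a real heading (for example `# Behavior-Based Baselines` with the matching `- [Behavior-Based Baselines](#behavior-based-baselines)` entry) so the anchor resolves. The hunk also removes and re-adds every existing line of the file although only the new section and one Resources link change, which usually means a line-ending (CRLF/LF) or trailing-whitespace change; normalizing line endings in a separate commit would keep the real change reviewable. While touching these lines, `consider restrict the following ports` should read `consider restricting the following ports`, and the added CISA link should drop the `?mc_cid=...&mc_eid=UNIQID` tracking parameters.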
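Review bot: In the new hardening/software-manufacturers.md, `+# Eliminate default passwords` has no body text, and the second heading is again split across the heading and a fragment bullet (`+# Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers` / `+ - in conjunction with customers - to understand how response teams use logs to investigate incidents.`); add at least one complete sentence under the first heading and rewrite the second bullet as a full sentence (e.g. `- Work with SIEM/SOAR providers and customers to understand how response teams use logs to investigate incidents, and ensure the needed events are logged by default.`). As in the other new file, strip the `?mc_cid=78cd2ac95a&mc_eid=UNIQID` tracking parameters from the CISA link and add the missing trailing newline.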