Search This Blog
Showing posts with label host protection. Show all posts
Showing posts with label host protection. Show all posts

Wednesday, 11 June 2014

What if Target had followed a Zero Trust model?

Yes, I agree that I'm late to the table on yet another Target Breach Blog, but I want to throw a twist on the story..   

A fantastic "WHAT IF?"

I want to transport you momentarily, to a utopian world where Large Corporations understand that firewalls and segmentation do not provide complete security anymore (probably never did), and that to truly protect your Infrastructure, Applications, and Customer Data, you need to do so at the host!   
First, lets spend a minute reviewing what we know... 

Brian Krebs, of Krebs On Security has meticulously documented and unraveled the timeline and events that led up to the actual Breach.   I will not reiterate all the gory details here, but will refer to his findings along this journey...

Of specific note:   As of this date (June 13rd, 2014)  We still do not *know* for certain how the attackers got into Target's internal network, nor how they escalated privileges to install their malware. 

Krebs, Dell SecureWorks, and Malcovery have collected strong evidence to support a hypothesis. We do not need to fully understand the mechanics of the breach to conjecture a remediation strategy for those who have not identified their breaches as of yet.


In a nutshell, the attackers launched a phishing attack some time in October 2013, and managed to compromise one of Targets vendors.  The credentials for this vendor most likely gave the attackers access to Target's Online Billing system.    Coupled with a large amount of publicly available documentation intended to assist vendors in accessing the system, the attackers were able to capture enough detail of the Target network and Active Directory Infrastructure to launch a SQL injection attack.  It is believed that they used this SQL injection attack to install tools used in the remainder of their exercise.  

From the Dell SecureWorks documentation:

They were able to install three different sets of malware to enact their scheme:  First, they added a variant of a previously known   Point Of Sale memory Scraper.  This application would monitor the active processes memory on the Embedded Windows POS endpoints, and capture anything resembling Credit Card information.  The application would then periodically ftp that information to another server that was compromised through a privilege escalation in Active Directory.  Yet another compromised system would pick the data from that ftp service, and deliver it to several external ftp sites.



 
(trust me... you want to read that link!)


The immediate questions being:
  1. How did they compromise a public facing application to get "inside" the Corporate Network?
  2. Why were 3rd party credentials on an external facing application associated within an Internal Directory?
  3. Where was Intrusion Prevention between their DMZ and the Corporate Network?  
  4. How did an Admin Account on a single server get privilege escalated to the Active Directory? 
  5. Once in the Production Environment, how did they get to the POS network?  I mean they are PCI compliant, aren't they?  There should be no direct path between the two...
  6. Where was Intrusion Prevention between the corporate network and the POS network? 
  7. How was an FTP service allowed to communicate from the Data Center out to the Internet?
  8. Where was Intrusion Prevention between the Corporate Network and the Internet?  
  9. If IPS was in fact in place (I have to believe it was...)  was it detuned or ignored?
Target isn't talking, so.... 



Lets assume for the sake of the remainder of this posting, that they had put a Zero Trust security model in place.  How would this scenario have played out?  What are the points of contact that would have raised alerts/sounded alarms?



In a true Zero Trust model, there would not only be network segmentation between zones of trust (production, dev, test), but between the tiers of an application stack (presentation, application, data). Applications, and Lines of Business would be segregated from one another as well. 

 Where there were zones containing or processing sensitive data, the demarcation between such segments would be augmented with addition controls such as Intrusion Prevention, Data Loss Prevention, Network AntiMalwarePrivilege Password Vaults would be used to manage any level of administrative access required across the board - Windows/UNIX/Mainframe/Network...

Seems like an impossible task?  Too late to retrofit into an existing production infrastructure!  It will never work!!!  Or... Can it?

The cost, both financially and in time, would be extremely prohibitive to retrofit an existing corporate network.  VLAN segmentation, layer 2 and layer 3 firewalls, as well as a myriad of network security appliances are needed to inspect and enforce traffic moving between hosts...

But what if you could make the the servers themselves complicit in the overall security 


By having a properly configured and managed host based security suite in place, applications residing on those hosts would only allow traffic communications from known sources, on known ports, using known protocols.  Attempts to brute force passwords, scan ports, or escalate privileges would not only be immediately blocked at the server being attacked, but all other systems within the management policy.  Alerts would be sent to the Corporate SIEM, and multiple layers of alarms would be generated.  If a server were actually compromised, the incident could be contained to that one host.

You could gradually integrate the Zero Trust model into your environment, one host at a time, by creating Virtual Zones of Trust.  Start with low hanging fruit, by grouping systems belonging to a common application, and applying a policy that rejects traffic from other applications, essentially "sandboxing" the application.  


From my previous article:
A Host Protection Service must:

Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware
Protect against Zero-Day malware and malicious actor attacks.
Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.
Enable demonstrable change control on mission-critical systems.
Centralize configuration protection across the enterprise, reducing administrative burden.
Support a library of pre-defined rules that recognize common security events.
Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.
Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.
Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.
Record the event in a centralized corporate SEIM.

How could Host Based Protection have helped Target?

With Host Protection installed on the Point of Sale Embedded Windows OS terminals, a policy would restrict the system from accepting patches/updates, or installing software/executables from anywhere other than the official SECURED software distribution infrastructure.  This would have eliminated the potential of an attacker installing anything, unless they had already compromised your software distribution infrastructure.  The POS application would run in a "sandbox", basically a separate secured process that does not expose it's memory or connectivity to other processes on the host. This would have eliminated the potential for memory scrapers.  Essentially, phase1 of the attack would not have been achieved.

 With Host protection running in the core data center servers (both physical and virtual), there would be no way to install the data transfer software... even if you had the credentials to an administrative service account on the server. The Host Protection would only allow software updates, patches, or executables to be pushed from 
the official SECURED software distribution infrastructure.  If the data transfer software were already installed, then any change to the configuration of this software, even with a compromised administrative service account, would raise an alert, and log all activity to the console.   If the alert was not responded to within a period of time, the configuration could be rolled back automatically. Essentially, phase2 of the attack would not have been achieved.






With no Phase1, and no Phase2... Exfiltration of the customer data through this methodology would not have happened, and CEO Gregg Steinhafel and CIO Beth Jacob would still have their jobs...







Additional controls to consider, beyond those provided by Host Based Server Protection:
  • Segment POS network from the corporately accessed network
  • Segment Database network from the corporately accessed network 
  • Encrypt all transactions between POS network and servers outside POS network
  • Employ a Privilege Access Management Strategy
  • Enforce scheduled maintenance windows for software updates/installations
  • Enforce specific hosts/accounts allowed to deploy software updates/installations
  • Patch Applications as well as Operating System as patches become available
  • Use Heuristic Analysis as well as Signature based AntiMalware. 
  • Subscribe to and USE live Threat Analysis Feeds
  • Do not log locally, but rather stream log events to a SIEM 
  • Remove - not just disable - all not pertinent applications/executables
  • Run AntiMalware at your Internet Egress point, as well as on your hosts
  • Run Data Loss Protection on your hosts as well as at ALL egress points






References:





Posted by at No comments:
Labels: , , , , , , , , , ,

Wednesday, 9 October 2013

Host Protection - Standards and Reference Controls


The Concept of Zero-Trust

To allow for near-future work models, where employees can bring their own mobile devices into the workplace,  where “work from home” is standard practice, and where the Data Center is being virtualized and services abstracted to external third party providers,  the Security Industry is rethinking the traditional concepts of  boundaries and perimeters.

The concept of Zero-Trust is an approach to network and device security that places security at the core of the network and makes it central to all network transactions

This security centric approach advocates a number of principles to design a secure and flexible network that can protect against modern malware and threats.  

Key to this design is the transformation from classical security overlay which simply inspects packets destined to and from the Internet, to ensuring every packet is securely delivered to its destination.

TheZero Trust model provides an innovative data-centric approach to security that protects against sophisticated and targeted attacks. 

 Regardless of the reason, your data center is expanding beyond your bricks and mortar controls.  Many call this the Shrinking Perimeter. (Here, and Here, and Here,)   Firewalls at the edge of your network are no longer adequate, and provide for a false sense of comfort.

Empowered users are accessing the network from a variety of devices (e.g., laptops, tablets, and smart phones) and from a variety of locations. 


The expectation of anytime anywhere “workspaces” for these users enable new gains in productivity, but also leads to new security challenges in differentiating access based on user, application, device-type or access type (wired, wireless, VPN).
 

A typical "Data Center" is constantly under threat, both from 
external sources as well as internal entities.
 
What is "Host Protection"?
 
A “Host Protection” service must ensure the integrity of all resources within the system it is protecting.  This would include monitoring of and prevention against unwanted or malicious Network traffic coming in and out of the host, monitoring and management of file integrity, memory integrity, and in the case of Windows Servers, registry integrity


Host protection will employ centrally managed rules and profiles to ensure that applications on the host behave appropriately and that user and service accounts only have appropriate access to files and applications through whitelisting and blacklisting


A Host Protection Service must:

Operate on the significant majority of our Host Operating Systems, and support all of our existing Database and Middleware
Protect against Zero-Day malware and malicious actor attacks.
Prevent unauthorized changes or actions, even if the perpetrator has administrative rights.
Enable demonstrable change control on mission-critical systems.
Centralize configuration protection across the enterprise, reducing administrative burden.
Support a library of pre-defined rules that recognize common security events.
Support policies across logical groups of hosts, helping to ensure the appropriate level of security and ease administrative burden.
Run pre-defined and customized reports on policies and security events enterprise-wide across heterogeneous systems.
Automatically trigger alerts and actions, based on pre-defined thresholds, when an event matches a rule.
Record the event in a centralized corporate SEIM.


What is considered a Host?




In the simplest terms, a  Host” is just a network connected server that provides services to other systems.  These services may include database, mail, web, file share, print, etc…


  • A host can be physical or virtual, and may run any of a dozen operating systems. 
  • A host typically will have additional software added to provide it’s specific functionality. This may include various commercial database and/or application server packages from a multitude of vendors.
  • A host will generally have a specific purpose or “role” within the data center which would be defined by it’s configuration and/or applications/services running on it. 
    • Similar hosts may be “clustered” together to provide a single service for performance or availability reasons.
    • Hosts may be grouped together by similar role
    • Hosts that work together to provide a specific service may be grouped together
    • Hosts that belong to a specific Business Unit may be grouped together



A managed host may reside anywhere that connectivity and general network security is provided.  This includes data center, branch/campus, telco service provider, 3rd party business partner, hosting provider or cloud service provider.

 
Regardless of Operating System, Almost all Servers are 
comprised of the above layers.

All layers above the Operating System kernel are potential places for vulnerabilities, and exploitation.  A complete Host Protection Service must take all of these into account.


Protecting a Heterogeneous Environment



Any system or service devised to protect a typical data center environment must be all-encompassing. 


Broad Spectrum of Host Operating System coverage:
  • Any Host protection system deployed must operate and protect the majority of Operating Systems that can be found within the environment. This includes but is not limited to Microsoft Windows Server, IBM AIX , HPUX, Solaris, Linux, VMware, Xen, Microsoft HyperV
Broad Spectrum of Database Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Database Systems that can be found within the environment. This includes but is not limited to Microsoft SQL Server, Oracle SQL, Sybase, IBM DB2, Ingres, PosGreSQL, MySQL,

Broad Spectrum of Application Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Application Servers and Frameworks that can be found within the environment.  This includes but is not limited to Microsoft Active Directory, Exchange, SharePoint, and ISA, WebLogic, Oracle, WebSphere, Jboss,  IBM Domino,  Java, ASP.Net, PHP


Broad Spectrum of Web Server coverage:
  • Any Host protection system deployed must operate and protect the majority of Web Servers that can be found within the environment.  This includes but is not limited to Microsoft IIS, Apache, Tomcat, Weblogic, Oracle

 

Host Protection - Operating System Layer

  • File Integrity Monitoring and Prevention:
    • Identify changes to files in real-time, including who made the change and what changed within the file.
  • Memory Integrity Monitoring and Prevention: 
    • Identify in real-time, any attempt to modify or corrupt memory outside of the boundaries of that owned or managed by a specific application or service.
  • Registry Integrity Monitoring and Prevention: 
    • Identify changes to Windows Registry settings in real-time, including who made the change and what changed within the registry.
  • Device Control: 
    • Identify, prevent and alert on attempts to access system devices which are outside of a particular security profile.
  • Configuration Monitoring: 
    • Identify policy violations, suspicious administrators or intruder activity in real-time.
  • Targeted Prevention Policy: 
    • Respond to server incursion or compromise immediately with quickly customizable hardening policies.
  • Granular Intrusion Prevention Policies: 
    • Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
  • File, system and admin lock down: 
    • Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.

Host Protection - Network Layer
A Host Protection Service must be able to provide a means to identify and control network traffic into and out of the host in  question.


Centralized management, reporting, alerting of standard Layer 3 firewall functionality is mandatory

Source / Destination / Port / Service   for each packet must be validated

Stateful inspection is “nice to have” but not a requirement 

Centralized management, reporting, alerting of  Layer 4 through 7 “Application Firewall” functionality is mandatory for systems not protected by Network based WAFs. Depending on the purpose of the host, the WAF profile will differ:


At minimum recognize and protect against OWASP top 10 application vulnerabilities

Intrusion Prevention through any of signature / whitelist / blacklist or heuristics, identify malicious or malformed traffic, and based on policy settings: prevent, log, and alert.



Host Protection - Application Layer

A Host Protection Service must be able to provide a means to identify and control appropriate access within and  between applications…..



A host protection service must be able to monitor/collect/report on all resources that an application uses over a period of time to define a “baseline” for appropriate behavior or functionality.  These resources include, but are not limited to:

  • Files
  • Folders
  • registry settings
  • device drivers
  • Libraries
  • network connections
  • service accounts

Once the baseline has been set, any deviation from that must get escalated for review and/or remediation.

This baseline can them be used as a template for other hosts running this same application.

A profile or role can be made, based on this baseline, and a centralized policy defined to manage all hosts that use this template.

 

Host Protection - Database Layer

A Host Protection Service must be able to proactively prevent or provide remediation for security risks to database systems.



These risks include, but are not limited to:
  • Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers.
  • Unauthorized or unintended activity or misuse by or by unauthorized users
  • Unauthorized or unintended privilege escalation
  • Malware infections causing unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems
  • Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities

 

Host Protection - Web Layer

According to OWASP (http://www.owasp.org) and SANS ( http://www.sans.org) The top Web Server vulnerabilities include:


  • Cross Site Scripting,
  • SQL Injection,
  • PHP Injection,
  • Javascript Injection,
  • Path Disclosure,
  • Denial of Service,
  • Code Execution,
  • Memory Corruption,
  • Cross Site Request Forgery,
  • Information Disclosure,
  • Arbitrary File,
  • Local File Include,
  • Remote File Include,
  • Overflow,
  • Other,









OWASP is the emerging standards body for Web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database[8] and also produced open source best practice documents on Web application security.

 

Host Protection - Managing Profiles



A Host Protection Service must be able to centrally manage security profiles and templates, proactively alert on deviations, accept real-time updates from external threat intelligence providers, and feed a centralized SIEM or SOC.

Management of security profiles will allow for granular nesting of roles/profiles

For example:
  • Nested security profiles, akin to Active Directory’s “Group Policy” management will enable quick access and visibility to host assets by Owner, Role, or Location
  • A high level role would be assigned to “Operating System Platform”
    • A nested role would be assigned to SPECIFIC Operating Systems (Windows Server 2003, Windows Server 2007, AIX 5.3, AIX 6.0, HPUX 11…) to refine control
  • A high level role would be assigned to each Database System Platform
    • A nested role would be assigned to SPECIFIC Database Systems to refine control
    • A nested role would be assigned to Critical Database Systems to refine control
  • A high level role would be assigned to each Application Type
    • A nested role would be assigned to SPECIFIC Application Instances to refine control
  • A high level role would be assigned to each Web Server Platform
    • A nested role would be assigned to SPECIFIC Web Server types to refine control
    • A nested role would be assigned to Critical Web Servers to refine control

Security profiles can be nested and grouped by role, owner, or location.

 
To be effective, a Host Protection Service must be managed centrally, receive
 live threat and signature updates, and report into a SEIM or SOC in real-time.

 

 So?  Who are the players in this field? 
Symantec Critical System Protection   - To date, Symantec CSP provides the widest coverage for server roles across the most Operating Systems - Both Physical and Virtual.  Their System Protection Console cleanly integrates their Security and Malware product suites into a single pane of glass.
TripWire Enterprise File Integrity Monitor - TripWire has been the industry leader in this space for over a decade, and is perfect for small to medium enterprises.
McAfee File Integrity Monitor - McAfee provides a suite of tools that are well integrated for protecting Windows Based Servers and Databases..
IBM Tivoli Virtual Server Protection - VMware ESX protection suite.

SafeNet Data Protection Suite
NewNetTechnologies NNT
Splunk Change Monitor

Further Reading:
http://www.infosecurity-magazine.com/view/30067/51-of-uk-networks-compromised-by-byod
http://www.novell.com/docrep/2010/03/Log_Event_Mgmt_WP_DrAntonChuvakin_March2010_Single_en.pdf
http://www.acunetix.com/websitesecurity/webserver-security/
http://www.symantec.com/page.jsp?id=protection-center
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx
http://eval.veritas.com/mktginfo/enterprise/white_papers/ent-whitepaper_protecting_active_directory.pdf
 http://www.sans.org/reading_room/analysts_program/mcafee-server-protection-june-2010.pdf
http://www.newnettechnologies.com/tripwire-alternative.html?gclid=CO3A8cn1uLUCFShgMgodLloAtw
McAfee Total Protection for Endpoint Datasheet
McAfee Total Protection for Virtualization Solution Breif Datasheet

3rd party List of System Integrity Tools:
https://mosaicsecurity.com/categories/83-system-integrity-tools?direction=desc&sort=products.name


Posted by at No comments:
Labels: , , , ,
Subscribe to: Posts (Atom)