This is the second in a series of two blogs. Check out yesterday’s blog for the first set of best practice recommendations for keeping the NSA out of your environment!
Rob Joyce, chief of the NSA's Tailored Access Operations (TAO) group, recently gave a talk on what you can do to disrupt nation-state intruders trying to gain access to your network. Joyce summarized his advice as a list of 10 best practices. In yesterday's blog we discussed the first 5, all about limiting access to privileged accounts and enforcing good network, system and password hygiene.
We continue our examination of Joyce’s recommendations today.
6. Remove legacy protocols
This is a simple problem to state but a hard one to solve, and it usually requires knowledge that the IT department does not have in-house. Regardless, as Rob Joyce said, you need to know your network. That may mean bringing in a company that performs penetration testing to inventory the protocols actually in use and identify the broken or legacy ones (cleartext authentication, obsolete cipher suites, old file-sharing and remote-management protocols) that an intruder could use to get in. Once identified, disable them where you can; where a dependency prevents that, restrict and monitor them until they can be retired.
7. Establish a secure host baseline
Knowing the difference between what is on a system and what should be on it is a critical part of your security plan. When a system differs from the approved baseline configuration plus approved changes, it should be isolated so the differences can be analyzed, and it should be rebuilt or destroyed if you cannot account for them. That only works if you have a baseline you can actually check against: a recorded inventory of installed software, configuration and file hashes taken from the golden image and kept current through change control.
8. Leverage reputation services for applications and URLs
External data such as an application's digital signature details and certificate chain is valuable when deciding whether to let it run. Checking the application's hash against a reputation database such as NIST's National Software Reference Library (NSRL) adds confidence that the app attempting to launch is known, catalogued software rather than something unique to your environment. The caveat is that "known" is not the same as "approved": a valid signature or a catalogued hash tells you what a file is, not whether it belongs on that host.
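Items 7 and 8 come together in the comparison a baseline check has to make, so here is one added example of that logic (example code written for this post, not code from the original article or from BeyondTrust). The baseline manifest, the approved-change list, the host files and the reputation hash set are all constructed inline; the names BASELINE, APPROVED_CHANGES and KNOWN_HASHES are this example's own, and KNOWN_HASHES stands in for a real NSRL lookup.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "approved baseline" manifest: relative path -> SHA-256 of approved content.
# In practice this comes from the golden image build, never from the host being checked.
BASELINE = {
    "bin/app": sha256_bytes(b"approved app v1"),
    "etc/app.conf": sha256_bytes(b"loglevel=info\n"),
    "lib/helper.so": sha256_bytes(b"helper v1"),
}

# Changes approved through change control since the baseline was cut (path -> new hash).
APPROVED_CHANGES = {
    "etc/app.conf": sha256_bytes(b"loglevel=warn\n"),
}

# Constructed stand-in for a reputation hash set such as the NSRL: hashes of known,
# catalogued software. Membership means "known", not "approved for this host".
KNOWN_HASHES = {
    sha256_bytes(b"vendor updater v2"),
}


def hash_tree(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def classify_drift(observed, baseline, approved_changes, known_hashes):
    """Compare observed files against baseline + approved changes.

    unknown_modified: baselined file whose hash matches neither the baseline nor an approved change
    unknown_added:    file outside the baseline whose hash is not in the reputation set
    known_added:      file outside the baseline but catalogued (lower priority, still needs a reason)
    removed:          expected file missing from the host
    """
    expected = {**baseline, **approved_changes}
    report = {"unknown_modified": [], "unknown_added": [], "known_added": [], "removed": []}
    for path, digest in observed.items():
        if path in expected:
            if digest != expected[path]:
                report["unknown_modified"].append(path)
        elif digest in known_hashes:
            report["known_added"].append(path)
        else:
            report["unknown_added"].append(path)
    report["removed"] = [p for p in expected if p not in observed]
    return report


def should_isolate(report):
    """Isolate the host when any difference cannot be accounted for."""
    return bool(report["unknown_modified"] or report["unknown_added"] or report["removed"])


def build_sample_host():
    """Write a constructed host tree to a temp directory (sample data, not a real system)."""
    root = Path(tempfile.mkdtemp(prefix="host-"))
    for d in ("bin", "etc", "opt"):
        (root / d).mkdir()
    (root / "bin/app").write_bytes(b"approved app v1 + backdoor")  # tampered binary
    (root / "etc/app.conf").write_bytes(b"loglevel=warn\n")        # approved change
    (root / "opt/updater").write_bytes(b"vendor updater v2")       # known, not baselined
    (root / "opt/dropper").write_bytes(b"unknown payload")         # unknown, not baselined
    # lib/helper.so is deliberately absent -> removed
    return root


def run_sample():
    root = build_sample_host()
    return classify_drift(hash_tree(root), BASELINE, APPROVED_CHANGES, KNOWN_HASHES)


if __name__ == "__main__":
    report = run_sample()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("isolate:", should_isolate(report))
```

The point of the three-way split is triage: the tampered binary and the unknown file are what get the host isolated, while the catalogued vendor file is a lower-priority question for the change process, not a reason to ignore it.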
9. Two Factor Authentication
Token-based two-factor authentication, usually implemented with one-time passwords (OTPs), adds a second level of identity assurance. By requiring something the user has (a hardware or software token that generates a code) in addition to something they know (their password), an attacker who has only stolen or guessed the password still cannot log in. It raises the assurance that the user really is who they claim to be; it does not prove it, so the verifier still has to reject replayed codes and limit guesses.
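As an added example (not code from the original post or from any vendor mentioned here), this is the time-based OTP scheme most software tokens use, RFC 4226 HOTP under RFC 6238 TOTP, with the verifier-side checks the paragraph above calls for: a small clock-skew window, constant-time comparison, and rejection of any code at or before the last accepted counter so a captured code cannot be replayed. The secret is the RFC test-vector key; the function names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
# deployment provisions a random per-user secret and stores it like a password hash.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, now=None, step: int = 30, digits: int = 6,
                window: int = 1, last_counter=None):
    """Verify a submitted code.

    - accepts counters now-window .. now+window to tolerate clock skew,
    - compares in constant time,
    - refuses any counter <= last_counter, so a code that already logged in
      (or was captured during its 30 s of validity) cannot be replayed.
    Returns the accepted counter, which the caller must persist as the new
    last_counter, or None on rejection.
    """
    now = int(time.time()) if now is None else now
    if not (isinstance(code, str) and len(code) == digits and code.isdigit()):
        return None
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1, 8 digits: time 59 -> 94287082
    print(totp(TEST_SECRET, 59, digits=8))
    print(verify_totp(TEST_SECRET, "287082", now=59))                  # accepted, counter 1
    print(verify_totp(TEST_SECRET, "287082", now=59, last_counter=1))  # replay -> None
```

Rate limiting is the other half: a 6-digit code with a ±1 step window gives an online guesser roughly 3 in a million per attempt, which is only safe if attempts are counted and throttled per account.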
10. Review logs
Manually reviewing the volume of logs generated by your network infrastructure is untenable. Some type of third-party log management system that automates the process should be introduced.
This log management system should consolidate logs and perform threat analytics, anomaly detection, behavior analysis and so on. Your logs contain the details of every attempt to breach your network that your systems record, so staying vigilant lets you catch intrusion attempts in your logs rather than discovering successful intrusions during an incident review. The corollary is that the logs must be complete, time-synchronized and shipped off the host promptly, since an intruder with privileged access will otherwise edit them before anyone looks.
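To make "anomaly detection" concrete, here is an added example (not code from the original post or from BeyondTrust) of two detection rules run over constructed sshd-style log lines: a burst of failed logins from one source inside a sliding window, and a successful login from a source that still has recent failures, which is the signature of a guessed password. The log lines, host name and addresses are made up for the example, and the function names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog shape (not real data).
# 203.0.113.7 brute-forces root and then gets in; 192.0.2.10 is a user who
# mistyped once; 198.51.100.5 guesses slowly, one attempt every 20 minutes.
SAMPLE_LOG = """\
2016-02-01T10:00:01 host1 sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2016-02-01T10:00:03 host1 sshd[201]: Failed password for root from 203.0.113.7 port 51002 ssh2
2016-02-01T10:00:05 host1 sshd[201]: Failed password for root from 203.0.113.7 port 51003 ssh2
2016-02-01T10:00:07 host1 sshd[201]: Failed password for root from 203.0.113.7 port 51004 ssh2
2016-02-01T10:00:09 host1 sshd[201]: Failed password for root from 203.0.113.7 port 51005 ssh2
2016-02-01T10:00:12 host1 sshd[201]: Accepted password for root from 203.0.113.7 port 51006 ssh2
2016-02-01T10:05:00 host1 sshd[202]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2016-02-01T10:05:30 host1 sshd[202]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
2016-02-01T11:00:00 host1 sshd[203]: Failed password for bob from 198.51.100.5 port 40010 ssh2
2016-02-01T11:20:00 host1 sshd[203]: Failed password for bob from 198.51.100.5 port 40011 ssh2
2016-02-01T11:40:00 host1 sshd[203]: Failed password for bob from 198.51.100.5 port 40012 ssh2
2016-02-01T12:00:00 host1 sshd[203]: Failed password for bob from 198.51.100.5 port 40013 ssh2
2016-02-01T12:20:00 host1 sshd[203]: Failed password for bob from 198.51.100.5 port 40014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(lines):
    """Yield structured events; lines that do not match are skipped here
    (a real pipeline counts them, since a parser gap is itself a blind spot)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                   "user": m["user"], "src": m["src"]}


def detect(events, threshold=5, window=timedelta(minutes=1), success_failures=3):
    """Sliding-window rules keyed on source address.

    ("brute_force", src, ts)                 : >= threshold failures inside window
    ("success_after_failures", src, user, ts): a login succeeds while the source still
                                               has >= success_failures failures in window
    A source that stays under the threshold per window (low and slow) is only caught
    by running the same rule with a longer window, which is why the window is a parameter.
    """
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                alerts.append(("brute_force", ev["src"], ev["ts"]))
                flagged.add(ev["src"])
        elif len(q) >= success_failures:
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
    return alerts


def analyze(log_text, **rule_args):
    return detect(parse(log_text.splitlines()), **rule_args)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    print("with a 2-hour window:")
    for alert in analyze(SAMPLE_LOG, window=timedelta(hours=2)):
        print(alert)
```

The second rule is the one worth paging on: a burst of failures is noise on any Internet-facing host, but a success that follows one means the password was guessed and the review has turned into an incident.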
Where to start?
So how do we cost-effectively implement these defense techniques outlined by Rob Joyce without bringing business to a standstill? The first part is making the cultural shift to a security first mindset. The second part is determining where you need the most help based on risk tolerance.
BeyondTrust recommends a programmatic approach to implementing privileged access management starting with password and session management, then progressing to higher levels of security maturity.
To help guide you through the process, download our white paper that covers a 7-step strategy to achieving complete privileged access management. The paper uncovers how this process helps you unify control and establish accountability over accounts, users, assets, systems and activity.
Rod Simmons, Director Product Management, BeyondTrust
Rod Simmons brings more than 15 years of system security experience to BeyondTrust, designing solutions for the company’s portfolio of Privileged Account Management solutions for enterprise environments. Prior to his role at BeyondTrust, Rod spent more than four years with Dell/Quest software, where he served as the director of technical strategy. Earlier in his career, Rod was the director of product management at Netpro Computing, where he managed the technical and business direction of all products for the Microsoft Platform.