Preview Mode Links will not work in preview mode

Nov 21, 2021

In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of Incident Response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks as well as how Blumira can help organizations in light of these common business challenges.


ADDITIONAL RESOURCES

 


OUR REDDIT AMA

https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/ 

 


MFA

https://attack.mitre.org/mitigations/M1032/ 

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 

https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/ 

 


INCIDENT RESPONSE

https://www.nist.gov/cyberframework/respond 

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf 

 


POWERSHELL BEST PRACTICES

https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/ 

https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security 

https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/ 

https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/ 

 


RISK: A lack of MFA where available or using SMS based MFA for critical applications.
Please do not use SMS based MFA for critical applications. [6] [7]
This is an easy layer of defense that has historically been very effective [5]
One-Time Passwords (OTP) good but [8] FIDO U2F better
Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key).
MITIGATION: 
Blumira requires use of MFA
MFA related detections (e.g. AWS, Duo)
BLUMIRA HELPS:

 


Incident Response Procedures

 


RISK: A lack of Incident Response Procedures or the decision to postpone incident response procedures because they would result in a disruption in service typically results in unfavorable outcomes.
A written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared. 
If this is overwhelming to conceptualize, know there are a good amount of free and openly available resources already in existence to help with creations of new IR plans >> I highly recommend looking at NIST documentation to get an idea of what is possible and then scale to what is appropriate for your organization [4]
The plan should be reviewed at a minimum once annually with everyone who is responsible for responding to incidents present. If anybody is unclear with their role, responsibilities or procedures then the Incident Response lead should work with them to get them there. 
Incident Response procedures should be like a fire drill so that when there is a real fire, the team can work together to quickly put that fire out and minimize impact to the company and their customers. (Shoutout to the BDS podcast on drawing connections from fire fighting to Incident Response procedures with Dr. Catherine J. Ullman (@investigatorchi))
MITIGATION:
Workflows
Blumira helps with this by providing built-in guidance with workflows.
Workflows ask direct questions and provide specific options to record responses to security findings to guide practitioners towards a conclusion.
provides additional details to help operators make informed decisions in response to new findings.
Finding analysis 
BLUMIRA HELPS:

 


Recent or Frequent IT Staff Turnover

 


RISK: impedes troubleshooting logflow and/or investigations due the a lack of familiarity with the network environment
Prevention might be the best solution? Giving your workers time during the work week to improve a work related skill can help identify when a team is reaching or exceeding their resource capacity. If your team is overworked they are more likely to make mistakes, will be less prepared to go the extra mile when it is needed because they’ll already be tapped out of energy, and may be more likely to consider opportunities elsewhere.
You want to limit keystone employees, meaning that if an employee leaves for whatever reason you do not want that employee’s absence to cause a breakdown in processes for others. Redundancy is best here in most cases IMO.
MITIGATION:
Blumira works hard to create fewer, more actionable findings. 
We strive to keep our alerts simple to provide the information that operators need to make informed decisions.
We try to focus on findings that require action and provide workflows to provide additional guidance to help share recommendations on what to investigate next to evaluate the impact of a security event
BLUMIRA HELPS: 

 


PowerShell Scripting Best Practices

 


RISK:
Detections will be less helpful if staff are frequently dismissing events in response to approved administrative behavior like maintenance scripts.
Follow the PowerShell recommendations shared by Microsoft [1] including:
Sign your scripts (lol Microsoft has this bolded by the way hint hint wink wink) “another method for keeping scripts security is vetting and signing your scripts
Do not store secrets in PoSH scripts; if you are doing this you’re gonna want to google “secrets management” [2] and learn more about how to secure store and access secrets across an enterprise environment 
Briefly, there is a powershell module for vault secret extensions [3] some vault extensions include KeePass, LastPass, Hashicorp Vault, Azure KeyVault, KeyChain, and CredMan
Use a recent version of Powershell (we are on version 7, but this article recommends 5+)
Enable and collect powershell logs
MITIGATION:
Blumira detects on malicious powershell usage.
BLUMIRA HELPS:

 

 

ADDITIONAL LINKS AND SOURCES: 

[1] https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security 

[2] https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/ 

[3] https://github.com/PowerShell/SecretManagement 

[3] https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/ 

[4] https://www.nist.gov/cyberframework/respond 

[5] https://attack.mitre.org/mitigations/M1032/ 

[6] https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 

[7] https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/

[8] https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/ 


https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/