Make them fight YOUR fight

Bejtlich over at Tao Security has a good post today about making the bad guys fight your fight, or as he puts it, fight your strengths.

At the end he asks how others force the fight, so I figure I’ll chime in.

IPS/IDS

While IPS/IDS is certainly evadable by a skilled attacker, it adds to the difficulty of his attack. It also gives you situational awareness, because the tuning process brings you to a more intimate level with your network. Not to mention the number of automated attacks IPS units can defend against.

Surprisingly, our IPS and UTM units stop more desktop-bound malware, pound for pound, than they do targeted attacks against critical servers/services.

Least Privilege

When George Washington had to retreat from New York during the Revolutionary War, he wanted to burn the city to the ground so that the enemy couldn’t use anything to further their aggression (it was later badly burned, but the cause is unknown; I think GW ordered it burned). Giving your users least privilege does much the same. When a machine gets compromised in the context of the user, as long as the user has minimal privileges, the attacker also has minimal privileges and is forced to escalate them, so you’ve added to the difficulty of the attack.

Control Attack Vectors

In the Battle of Jericho, spies were sent into the city to report on the status of the city’s defenses. These spies then secretly put a rope over the wall of the city, and while the Israeli army marched circles around the city blasting trumpets as a diversion, special forces troops were climbing the rope into the city. They did this for several days until there were enough troops already inside the city to fight their way to the gates and open them for the invading Israelis. Had the Canaan wall been defended as well from the inside as it was from the outside, the Israeli special forces wouldn’t have been able to open the front gates to let the attackers inside the walls of the city.

Egress filtering on your firewalls goes a long way. Blocking the default IRC ports out of your network and also having your IPS units snipe the “/join” and “/nick” commands at the gateway effectively blocks *most* bot C&C channels (and blocks on these rules will alert you to possibly compromised hosts).

While you’re at it, block IM attachments and filter email attachments by name as well as with AV tech. These actions reduce the routes into your network for malware.
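The egress rule above, as an added example that is not part of the original post: a small detector run over constructed outbound flow records, flagging internal hosts that talk to the default IRC ports and, since an attacker can simply move the channel off those ports, also flagging the “JOIN”/“NICK” commands on any port. The log format, the 10.0.0.0/8 internal range and the port list are assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example.
INTERNAL = ip_network("10.0.0.0/8")
# Default IRC ports the post suggests blocking outbound (assumed list).
IRC_PORTS = set(range(6660, 6670)) | {7000}
# The IRC commands the post's IPS rules snipe, at the start of a line.
IRC_CMD = re.compile(r"^(?:JOIN|NICK)\s+\S+", re.IGNORECASE | re.MULTILINE)
# Constructed flow record format: src=... dst=... dport=... payload="..."
FLOW_RE = re.compile(
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) payload="(?P<payload>[^"]*)"'
)

def classify(line):
    """Return (host, reason) if an outbound flow trips the egress policy, else None."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    dport, payload = int(m["dport"]), m["payload"]
    # Only flows leaving the internal network are in scope for egress filtering.
    if src not in INTERNAL or dst in INTERNAL:
        return None
    if dport in IRC_PORTS:
        return (str(src), f"outbound to default IRC port {dport}")
    # Catch C&C channels that were moved off the default ports.
    if IRC_CMD.search(payload):
        return (str(src), f"IRC command on non-standard port {dport}")
    return None

def suspicious_hosts(lines):
    """Group policy hits by internal host so each one can be checked for compromise."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits

# Constructed sample flows (RFC 5737 documentation addresses for the outside hosts).
SAMPLE_FLOWS = [
    'src=10.1.2.3 dst=203.0.113.9 dport=6667 payload="NICK bot1337"',
    'src=10.1.2.3 dst=203.0.113.9 dport=6667 payload="JOIN #cmd"',
    'src=10.4.5.6 dst=198.51.100.20 dport=8080 payload="JOIN #cmd key"',
    'src=10.7.8.9 dst=198.51.100.80 dport=80 payload="GET / HTTP/1.1"',
    'src=203.0.113.5 dst=10.1.2.3 dport=6667 payload="NICK foo"',  # inbound, out of scope
]

if __name__ == "__main__":
    for host, reasons in suspicious_hosts(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```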

These are all pretty basic best practices that, when done properly, free up a lot of time for your incident handlers to focus on bigger, more focused attacks.


Very good post Michael. I am trying to roll out least privilege in my XP world, but it really is hard. Between Palm devices that need admin access, and some other mission critical software that “likes” it…it is hard to get them downgraded. I need to check to see if my CRAPPY SonicWall firewall does egress filtering. I am trying to get a Cisco device in to replace it…maybe next year.

I worked with SonicWall years ago. A friend of mine referred to them as the ‘my first firewall’ firewall and for me it indeed was.

If you have it deployed in a small office, you might consider a Fortinet or ISS UTM device to get more bang for your buck. That way you can get AV, firewall, and IPS (and possibly more) at your gateway.

If it boils down to price, SonicWall also offers a UTM device and anything is better than nothing.

I know the Palm fight all too well. Sometimes you just have to make the exception and do your best to work around it. When security interferes with business you’ve shot yourself in the foot.

It has taken us a couple of years to sell least privilege to our help desks and then get it implemented. It does increase calls when people are used to doing certain things and they suddenly can’t now. But in the long run we’ve benefitted with fewer virus outbreaks and fewer hosed machines due to stupid screen savers, animated cursors, etc.