Security’s focus has always been on protecting against complicated, advanced attacks. The battle between advanced attackers and awesome defenders makes for a great story. You know, good vs. evil.
Many of you have likely been preparing for a cyber-attack from Russia, given their war with Ukraine. The US Government has told us to expect an attack. I’m not sure if Russia will launch significant cyber attacks against the West, but if they do, what kind of attacks will they launch? I’d posit that the answer is the simplest attack that will get the job done. Every nation-state with significant cyber capabilities is sitting on dozens (if not more) of zero-day attacks. But why would they burn a sophisticated attack unless they are forced?
Logical attackers look for the path of least resistance to gain a foothold in your environment. That means taking advantage of the weakest link, and that’s usually simple stuff like misconfigurations and other basic security errors. When someone asks what the best way to protect themselves against these attacks is, I typically respond by telling them to do the simple stuff well. You know, blocking and tackling, to use a football analogy.
My partner (and DisruptOps co-founder) Rich Mogull has always said that “simple doesn’t scale,” and he’s right. Making a firewall change on two devices isn’t difficult. Enforcing firewall policies on hundreds of devices across the globe is very, very difficult. And doing it right every single time makes it even more challenging.
So let’s talk about solutions to doing the simple stuff well and consistently. Surprisingly enough, it involves a combination of people, process, and technology. And we focus heavily on the process because that’s the best way to achieve consistency. If everyone knows what they are supposed to do and you have the means to track their activities, you tend to get consistent results.
These five tips should provide you with a map to improve security hygiene, as well as your overall security posture.
Tip 1: Get Alignment on Policy
If you don’t know where you are going, you have no idea when you will get there—or even where “there” is. So the first tip is to set your hygiene policy so you know what success looks like. Whether setting a goal to patch within a week or blocking outbound connectivity to specific geographies, having defined and documented policies will ensure everyone is on the same page — before you start blocking stuff.
Tip 2: Expand Visibility
I suspect you’ve heard the adage that if you can’t see it, you can’t manage it. It happens to be true. Once everyone is aligned on the policies, you’ll need to figure out what’s in the environment. To be clear, you should know a bit already. Like your locations and the infrastructure already installed. Maybe you even have a CMDB that (allegedly) has asset information. That’s a start.
Whatever asset list and posture information you have is likely out of date, especially with cloud and SaaS proliferating. So you need a defined process and tooling to ensure you understand the entire technology estate, both on-prem and in the cloud.
Tip 3: Manage Changes
Another critical process to get implemented is change control. Who makes what changes when? This process should be thought through before you learn about Log4j (or the next widespread vulnerability). The key to consistent and successful operations is ensuring that everyone knows their job. In an all-hands-on-deck situation, the last thing you need is uncertainty about roles and responsibilities.
Are there approvals required to make changes? Do the approvers have an RTO (response time objective)? Are there situations where it’s urgent enough to make the change without approval? How much downtime is acceptable? These are the kinds of situations the change control process needs to handle.
Also, be sure to audit who is making changes as part of the process. You’ll want to know who screwed up in the event of a faulty change (I’m only half kidding on that one). And in the event an admin device is compromised, any changes made by the attacker will be logged so you can roll them back quickly.
Tip 4: Continuous Monitoring
At this point, you’ve probably had enough of processes: now you need to do things. That’s the fun part, right? The key to hygiene is monitoring. Just as you want to go to the dentist twice a year to check for cavities, you want to watch your infrastructure to make sure everything complies with the policies.
That means checking the devices for configuration changes. As mentioned above, a misconfiguration tends to be the path of least resistance for attackers, so you’ll want to make sure you know if/when a config is changed.
You’ll also want to monitor for available patches. You may wait until the next patch window to apply the patches, but you want to know which devices need to be updated and the relative urgency of the patch so you can effectively plan the work.
Notice that I said “continuous” above, but that is a relative term. Should you be checking configurations every minute? Or every hour? Or every day? It depends, but in general more monitoring is better than less. The best option is actually to look for changes in your log streams. For example, you can set an alert when a change is made to a security group in AWS or a firewall rule in Panorama (if you use Palo Alto firewalls). That trigger can ensure you know about a change as soon as it happens, and if a malicious actor made the change, you can bet that every minute counts.
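Here is what the AWS security group alert looks like as detection logic, and how it connects back to Tip 3's change-control audit. This is an added example, not code from the original post or from DisruptOps: it reads CloudTrail-style records from a log stream, keeps only the EC2 calls that alter security groups, matches each one against an approved-change list (the `APPROVED_CHANGES` records and the `CHG-0001` ticket are a constructed, hypothetical export from a change-control system), and raises the severity when a rule is opened to the world. The event names and the `requestParameters` layout follow the real CloudTrail format; the sample records themselves are constructed.

```python
import json
from datetime import datetime, timezone

# EC2 API calls that alter security group rules or lifecycle (real CloudTrail eventName values).
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules",
}

# Constructed approved-change records (hypothetical change-control export):
# who may make which calls during which window.
APPROVED_CHANGES = [
    {
        "ticket": "CHG-0001",
        "principal": "arn:aws:iam::111122223333:user/netops-alice",
        "events": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"},
        "start": "2022-03-10T14:00:00Z",
        "end": "2022-03-10T16:00:00Z",
    }
]

# Constructed CloudTrail records, trimmed to the fields this check uses.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {   # approved change inside its window, internal source range
        "eventTime": "2022-03-10T14:30:12Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/netops-alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}},
    },
    {   # no ticket, 03:12 in the morning, SSH opened to the whole internet
        "eventTime": "2022-03-11T03:12:45Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # read-only call: not a change, must not alert
        "eventTime": "2022-03-11T03:13:02Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
        "requestParameters": {},
    },
]]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def world_open_ranges(event):
    """Return the any-address CIDRs (0.0.0.0/0, ::/0) present in the request, if any."""
    found = []
    perms = (event.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for r in perm.get("ipRanges", {}).get("items", []):
            if r.get("cidrIp") == "0.0.0.0/0":
                found.append("0.0.0.0/0")
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            if r.get("cidrIpv6") == "::/0":
                found.append("::/0")
    return found


def find_approval(event):
    """Return the ticket covering this principal, call and time, or None (Tip 3's audit trail)."""
    when = parse_time(event["eventTime"])
    for change in APPROVED_CHANGES:
        if (change["principal"] == principal_of(event)
                and event["eventName"] in change["events"]
                and parse_time(change["start"]) <= when <= parse_time(change["end"])):
            return change["ticket"]
    return None


def evaluate_event(raw_line):
    """Turn one log line into an alert dict, or None if it is not a security group change."""
    event = json.loads(raw_line)
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") not in SECURITY_GROUP_EVENTS:
        return None
    ticket, open_ranges = find_approval(event), world_open_ranges(event)
    if ticket is None:
        severity = "critical" if open_ranges else "high"   # unauthorized change
    else:
        severity = "medium" if open_ranges else "info"     # approved, but world-open deserves a look
    return {"time": event["eventTime"], "principal": principal_of(event), "event": event["eventName"],
            "group": (event.get("requestParameters") or {}).get("groupId"),
            "ticket": ticket, "world_open": open_ranges, "severity": severity}


def evaluate_events(raw_lines):
    return [a for a in (evaluate_event(line) for line in raw_lines) if a is not None]


if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

In practice the same function sits behind an EventBridge rule or a SIEM correlation search; the point is that the approval list is the change-control record from Tip 3, so the alert already tells you whether the change was expected and by whom, rather than just that something moved.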
Tip 5: Automate (almost) Everything
We are big fans of automation. In fact, it’s a core aspect of all our products. Remember that “simple doesn’t scale,” so as your environment gets bigger and more complicated, embracing automation is absolutely critical. Given the security skills gap and challenge of finding and retaining security staff, the more the machines can do, the better.
You can automate applying fixes to your devices, and you can automate rolling back unauthorized changes. You can let the machines monitor information sources that tell you about patches, and those same machines can gather a bunch of information about changes to pinpoint out-of-cycle or unauthorized changes.
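Rolling back unauthorized changes automatically comes down to comparing what is deployed against the policy baseline from Tip 1 and turning the difference into corrective actions. The following is an added example, not code from the original post or from DisruptOps. It takes a constructed baseline of allowed ingress rules per security group and a constructed snapshot in the shape EC2 describe calls return, and produces a remediation plan: revokes for rules that should not exist and authorizes for rules that have gone missing. Which action types the machines may apply on their own is a single setting (`AUTO_APPLY`, a name chosen here), so you can widen it as trust in the automation grows. Actually applying the plan against the API is left to the caller.

```python
# Policy baseline: the only ingress rules each group is allowed to carry.
# Rules are (protocol, from_port, to_port, cidr). Constructed example values.
BASELINE = {
    "sg-0123456789abcdef0": {
        ("tcp", 443, 443, "10.0.0.0/8"),
        ("tcp", 22, 22, "10.10.0.0/16"),
    }
}

# Observed state, in the shape an EC2 describe call returns (constructed, trimmed).
# Drift: SSH and RDP opened to the world, and the approved 443 rule has been removed.
OBSERVED = {
    "sg-0123456789abcdef0": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]
}

# Start conservative: machines remove rules that violate policy; a human approves additions.
# Widen this set as confidence in the automation grows.
AUTO_APPLY = {"revoke"}


def flatten(permissions):
    """Expand describe-style permissions into a set of (protocol, from, to, cidr) rules."""
    rules = set()
    for perm in permissions:
        for r in perm.get("IpRanges", []):
            rules.add((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), r["CidrIp"]))
    return rules


def to_permission(rule):
    """Rebuild one rule into the IpPermissions shape the EC2 authorize/revoke calls accept."""
    proto, from_port, to_port, cidr = rule
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}


def plan_remediation(baseline, observed):
    """Diff observed rules against the baseline and return ordered corrective actions."""
    actions = []
    for group_id, allowed in baseline.items():
        current = flatten(observed.get(group_id, []))
        for rule in sorted(current - allowed, key=str):   # present but not allowed
            actions.append({"group": group_id, "action": "revoke",
                            "rule": to_permission(rule), "apply": "revoke" in AUTO_APPLY})
        for rule in sorted(allowed - current, key=str):   # allowed but missing
            actions.append({"group": group_id, "action": "authorize",
                            "rule": to_permission(rule), "apply": "authorize" in AUTO_APPLY})
    return actions


def summarize(plan):
    """Count actions by (action, apply) so the run can be reported in one line."""
    counts = {}
    for a in plan:
        key = (a["action"], "auto" if a["apply"] else "review")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    plan = plan_remediation(BASELINE, OBSERVED)
    for action in plan:
        print(("APPLY " if action["apply"] else "REVIEW") , action["action"], action["group"], action["rule"])
    print(summarize(plan))
```

Run on a schedule or triggered by the change alert from Tip 4, this is the loop the post describes: detect drift, undo what nobody approved, and queue the rest for a person. Keeping the baseline in version control means the policy itself goes through change control too.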
Our friends at AWS believe that any time a human changes their infrastructure, it’s a failure to automate. That’s aspirational for a vast majority of companies, but it’s a good vision. As you burn in your processes and see what rote tasks your people are doing over and over again: automate them. There is (in some cases, understandable) hesitation to automate too much. Don’t automate faster than you’re comfortable with, but by the same token don’t let a fear of change hamstring your organization.
To wrap up, you *don’t* want to be the path of least resistance for the attackers. Your security posture will be significantly stronger if you can consistently ensure security hygiene from an operational standpoint. We aren’t saying you’ll be impervious to attack, but you’ll make the attackers work for it.