Podcast Not one administrator to rule them all, but a few: that's the advice offered by seasoned penetration testers Aaron Beuhring and Kyle Salous to enterprises wanting to be less attractive to hackers.
In a presentation at the MIRCon 2014 conference in Washington the duo listed a series of low cost changes to access controls, whitelisting, and group policies that could harden the enterprise enough to make targeted malware attacks quite expensive, hopefully prohibitively so.
"You can train users all you want, but unless they are reverse-engineers, they aren't going to stop clicking things," Beuhring said.
"We're not saying whitelisting is easy ... you need to create an inventory of programs you run and you need to understand the protocols they run on."
The cost of implementing a whitelist could be next to nothing, Beuhring said, with cost determined by the time required to determine an organisation's requirements rather than the need to buy kit.
Whitelists are the new black, he said, and enterprises should place their application control systems into listening mode to understand what is being used.
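One way to put that "listening mode" advice into practice on a Windows estate, as an added example that is not from the article or from the presenters: build an AppLocker policy from an inventory of what is actually installed, deploy it in audit-only mode so nothing is blocked yet, and then read back the audit events to see what would have been blocked. The program folders, the GPO LDAP path and the `Inventory` rule-name prefix are assumed placeholder values; the cmdlets are the standard AppLocker module cmdlets.

```powershell
# Added example, not the presenters' own tooling. Requires an elevated session on a
# Windows host with the AppLocker module and the Application Identity service
# (AppIDSvc) running; paths and the LDAP target below are placeholders.

# 1. Inventory: collect publisher and hash information for the programs actually
#    present in the standard install folders (assumed locations).
$programDirs = 'C:\Program Files', 'C:\Program Files (x86)'
$inventory = foreach ($dir in $programDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate allow rules from the inventory: publisher rules where files are signed,
#    hash rules as the fallback. -Optimize collapses rules that share a publisher.
$policyXml = New-AppLockerPolicy -FileInformation $inventory `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Inventory -Optimize -Xml

# 3. Switch every rule collection to audit-only ("listening") mode: violations are
#    logged to the AppLocker event log but nothing is blocked.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyPath = 'C:\Temp\applocker-audit.xml'   # placeholder path
$policy.Save($policyPath)

# 4. Sanity-check the policy against a sample binary before deploying it
#    (placeholder path; the output says whether it would be Allowed or Denied).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\sample.exe' -User Everyone

# 5. Deploy: locally for a pilot machine, or into a GPO for a whole OU.
Set-AppLockerPolicy -XmlPolicy $policyPath
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://DC=example,DC=local,CN={GPO-GUID}'  # placeholder

# 6. After a listening period, summarise what audit mode would have blocked; these
#    are the gaps in the inventory to resolve before switching to enforcement.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics
```

The `-Statistics` output in the last step is the practical deliverable of listening mode: each line is a program users actually ran that the inventory missed, and it needs either a rule or a conversation before `EnforcementMode` is flipped to `Enabled`.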
Another tip offered was that users should never be allowed to operate as admins. Godmode should not even be granted to all tech staff.
"None of your users should ever log in as administrator," Salous said. "Create a separate admin account for everyone in your tech department."
"Every time we make them (attackers) work [harder], it's an opportunity to detect their activity."
This approach not only made pivoting within the network harder for attackers and all but eliminated successful malware phishing of non-IT staff; thanks to the logging it produced, it could also greatly cut the number of hours paid to expensive breach forensics experts.
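A simple check for the "none of your users should log in as administrator" rule, added here as an example that is not from the article: enumerate the local Administrators group on a set of workstations and flag ordinary user accounts that hold membership. The host names are placeholders, and the `-adm` suffix used to recognise dedicated admin accounts is an assumed naming convention, not something the article specifies.

```powershell
# Added example, not the presenters' own tooling. Assumes PowerShell 5.1 or later
# (Get-LocalGroupMember), WinRM enabled on the targets, and a convention where
# separate tech-staff admin accounts end in '-adm' (assumed, adjust to taste).
$targets = 'WS01', 'WS02'   # placeholder workstation names

# Collect Administrators membership from each host as flat records.
$report = Invoke-Command -ComputerName $targets -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Member = $_.Name
            Class  = $_.ObjectClass      # User or Group
            Source = $_.PrincipalSource  # Local or ActiveDirectory
        }
    }
}

# Flag user accounts that are neither the built-in local Administrator nor a
# dedicated '-adm' account: these are the everyday logins that should not be admins.
$findings = $report | Where-Object {
    $_.Class -eq 'User' -and
    $_.Member -notmatch '\\Administrator$' -and
    $_.Member -notmatch '-adm$'
}

$findings | Sort-Object Host, Member | Format-Table -AutoSize
"Hosts checked: $($targets.Count); everyday accounts with local admin: $($findings.Count)"
```

Group memberships (for example a domain group nested into local Administrators) are listed but not expanded here; resolving those against the directory is the natural next step before concluding a workstation is clean.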
With these structures in place, an organisation could reduce the noise of regular malware threats to focus only on advanced persistent threats.
The advice offered by the pair is best practice, yet is rarely adopted. A passing glance at the Australian Signals Directorate's lauded top four defence strategies, for example, reveals whitelisting as the first priority of security teams. Item 22 in the sigint agency's list is deploying anti-virus software - and even then it is not regarded as essential.
The pair also said organisations should where possible block Shockwave, scripting such as AutoIt, Python, and Perl, and "anything made by Apple". ®
Listen to or download this podcast on the researchers' presentation.
Darren Pauli travelled to Washington DC as a guest of FireEye.