Fortifying the Fort: System Hardening Against LOTL Threats
Hardening strategies are aimed at reducing the attack surface and enhancing the security posture of organizations and their critical infrastructure.
Hardening Guidance
📌 Vendor and Industry Hardening Guidance: Organizations should strengthen software and system configurations based on vendor-provided or industry, sector, or government hardening guidance, such as those from NIST, to reduce the attack surface.
Platform-Specific Hardening:
📌 Windows: Apply security updates and patches from Microsoft, follow Windows Security Baselines Guide or CIS Benchmarks, harden commonly exploited services like SMB and RDP, and disable unnecessary services and features.
📌 Linux: Check binary permissions and adhere to CIS’s Red Hat Enterprise Linux Benchmarks.
📌 macOS: Regularly update and patch the system, use built-in security features like Gatekeeper, XProtect, and FileVault, and follow the macOS Security Compliance Project's guidelines.
Cloud Infrastructure Hardening:
📌 Microsoft Cloud: Refer to CISA’s Microsoft 365 security configuration baseline guides for secure configuration baselines across various Microsoft cloud services.
📌 Google Cloud: Consult CISA’s Google Workspace security configuration baseline guides for secure configuration baselines across Google cloud services.
📌 Universal Hardening Measures: Minimize running services, apply the principle of least privilege, and secure network communications.
📌 Critical Asset Security: Apply vendor hardening measures for critical assets like ADFS and ADCS and limit the applications and services that can be used or accessed by them.
📌 Administrative Tools: Use tools that do not cache credentials on the remote host to prevent threat actors from reusing compromised credentials.
Application Allowlisting
📌 Constrain Execution Environment: Implement application allowlisting to channel user and administrative activity through a narrow path, enhancing monitoring and reducing alert volume.
Platform-Specific Allowlisting:
📌 macOS: Configure Gatekeeper settings to prevent execution of unsigned or unauthorized applications.
📌 Windows: Use AppLocker and Windows Defender Application Control to regulate executable files, scripts, MSI files, DLLs, and packaged app formats.
Network Segmentation and Monitoring
📌 Limit Lateral Movement: Implement network segmentation to limit the access of users to the minimum necessary applications and services, reducing the impact of compromised credentials.
📌 Network Traffic Analysis: Use tools to monitor traffic between segments and place network sensors at critical points for comprehensive traffic analysis.
📌 Network Traffic Metadata Parsing: Utilize parsers like Zeek and integrate NIDS like Snort or Suricata to detect LOTL activities.
Authentication Controls
📌 Phishing-Resistant MFA: Enforce phishing-resistant MFA across all systems, especially for privileged accounts.
📌 Privileged Access Management (PAM): Deploy robust PAM solutions with just-in-time access and time-based controls, complemented by role-based access control (RBAC).
📌 Cloud Identity and Credential Access Management (ICAM): Enforce strict ICAM policies, audit configurations, and rotate access keys.
📌 Sudoers File Review: For macOS and Unix, regularly review the sudoers file for misconfigurations and adhere to the principle of least privilege.
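The sudoers review above can be scripted. The following is an added example, not part of the guidance or any vendor tool: a POSIX sh audit that flags the misconfigurations a reviewer looks for first (NOPASSWD rules, non-root principals granted ALL, wildcards in command specs, and Defaults that weaken environment sanitising). The SAMPLE_SUDOERS content is constructed for illustration and the tag names are my own.

```shell
#!/bin/sh
# Added example (not from the guidance): flag common sudoers misconfigurations.
# SAMPLE_SUDOERS is constructed for illustration; it is not any real host's file.
SAMPLE_SUDOERS='# constructed sample
Defaults    env_reset
Defaults    env_keep += "LD_PRELOAD"
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
ops         ALL=(ALL) /bin/systemctl restart nginx
dev         ALL=(ALL) /usr/bin/vim /etc/*
'

# audit_sudoers FILE: print "tag: rule" for each risky rule; status 1 if any found.
audit_sudoers() {
    # drop comments and blank lines so the patterns only see live rules
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    findings=$(
        # privilege granted without an authentication step
        printf '%s\n' "$rules" | grep -E 'NOPASSWD' | sed 's/^/nopasswd: /'
        # any principal other than root allowed to run ALL commands (review each one)
        printf '%s\n' "$rules" \
            | grep -E '^[^[:space:]]+[[:space:]]+ALL=\([^)]*\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' \
            | grep -Ev '^root[[:space:]]' | sed 's/^/unrestricted: /'
        # wildcards in a command spec also match arguments, widening the rule
        printf '%s\n' "$rules" | grep -E '^[^[:space:]]+[[:space:]]+ALL=.*\*' | sed 's/^/wildcard: /'
        # preserved environment variables or disabled env_reset weaken sudo's cleanup
        printf '%s\n' "$rules" | grep -E '^Defaults.*(env_keep|!env_reset)' | sed 's/^/environment: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# count_findings FILE: number of flagged rules, for scripting and tests
count_findings() {
    audit_sudoers "$1" | grep -c . || true
}

# run against the constructed sample (a real review covers /etc/sudoers and /etc/sudoers.d/*)
tmp=$(mktemp)
printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
audit_sudoers "$tmp" || true
rm -f "$tmp"
```

Treat each flagged line as a review item rather than an automatic failure: a group such as %admin with ALL may be intended, but every member of it now carries root-equivalent access.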
Zero Trust Architecture
As a long-term strategy, the guidance recommends implementing zero trust architectures to ensure that binaries and accounts are not automatically trusted and their use is restricted and examined for trustworthy behavior.
Additional Recommendations
📌 Due Diligence in Vendor Selection: Choose vendors with secure by design principles and hold them accountable for their software’s default configurations.
📌 Audit Remote Access Software: Identify authorized remote access software and apply best practices for securing remote access.
📌 Restrict Outbound Internet Connectivity: Limit internet access for back-end servers and monitor outbound connectivity for essential services.