Thinking like an attacker
CyberArk's Brandon Traffanstedt began his presentation at Security Week's ICS Cyber Security Conference by noting that organizations now need to assume not only that they'll be attacked, but that they'll be re-attacked, and "complacent assumptions lead to us being re-attacked successfully." Too often, he said, the reasons enterprises give for their security investments come down to meeting audit and compliance requirements. Our security decisions tend to be compliance-driven. This is no longer sufficient. When high-end cyber criminals now have capabilities approaching those of advanced nation states, defending your systems requires thinking like an attacker. And what attackers are interested in above all is privilege.
Defend what's valuable.
The beginning of effective defense is clarity about what's important. With industrial control systems, Traffanstedt argued, "the crown jewels are availability and safety." And once this is recognized, when one looks at the typical attack lifecycle, one sees that the most important part of any breach is escalation. The attacker's goal is to "get in, move around, elevate, and profit." Thus the importance phishing and spearphishing have assumed in cyber attacks.
Seven steps to better security.
Traffanstedt outlined seven steps infrastructure operators can take to better defend their systems.
First, focus on eliminating irreversible network takeover attacks. The attacker's goal is to establish persistence, so an enterprise's defenders should put privileged access under multifactor authentication. Stop creation of tier 0 accounts.
Second, control and secure infrastructure and endpoints. Move toward one-hundred-percent managed accounts. Manage all well-known infrastructure accounts, and rotate passwords after use.
Third, limit lateral movement. Completely remove all endpoint users from the local admin group on Windows workstations. Leverage a least privilege approach to enable removal of local administrative rights.
Fourth, protect third-party privileged application accounts.
Fifth, manage SSH key on critical Unix servers: "Too often, SSH key management is the wild, wild West." Bring them under management.
Sixth, defend cloud and DevOps processes and accounts. In this respect, remember that agility and ease-of-use can be (and usually are) in tension with security. Take care that the security measures put in place don't drive users toward insecure workarounds.
Seventh, secure shared IDs for business users. All access to shared IDs should be isolated from the end user, and their use should require multifactor authentication.
To manage risk (and better ensure compliance) Traffanstedt recommends developing a better understanding of attack vectors. This will help enable an enterprise to close doors to hackers, achieve early warning about compromised assets, and develop capability for swift and targeted mitigation. Locking down credentials, isolating and controlling sessions, and continuously monitoring the network will help maintain safety and availability.