Critical Security Control 8 and Your SIEM Solution

Tuesday, December 15, 2009 by Pam Casale


Critical Control 8: Controlled Use of Administrative Privileges

A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that “offense must inform defense.” This means that actual attacks that have compromised systems provide the essential foundation on which to construct effective defenses. The US ICE Act of 2009 (the new FISMA) makes this tenet central to its cyber defense initiative. Because federal agencies don’t have unlimited money, they hope to meet the ICE requirements by establishing a baseline of information security measures and controls that can be continuously monitored through automated mechanisms. This is where an effective implementation of a SIEM solution makes all the difference.

The reporting function of the Intellitactics SIEM solutions provides a report tree that is aligned to best practice controls, just like the ones suggested by the US ICE Act 2009. Effective and efficient security requires automated monitoring of critical controls. High-speed searching of billions of logs may be an entertaining way to browse everything you've collected, but a SIEM solution also offers actionable reports and supports real-time management of security events.

How do attackers exploit the lack of this control?

According to some Blue Team personnel as well as investigators of large-scale Personally Identifiable Information (PII) breaches, the misuse of administrator privileges is the number one method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges:


In the first, a workstation user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious web site, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim’s machine either automatically or by tricking the user into executing the attacker’s content. If the victim user’s account has administrative privileges, the attacker can take over the victim’s machine completely and install keystroke loggers, sniffers, and remote control software to find administrator passwords and other sensitive data.
The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges. One of the most common of these attacks involves domain administrator privileges in large Windows environments, giving the attacker significant control over large numbers of machines and access to the data they contain.
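The kind of automated monitoring this control calls for can be expressed as two simple detection rules over authentication events, one per technique above: a burst of failed logons to a privileged account followed by a success (guessing or cracking), and an interactive logon with a privileged account on an ordinary workstation (an admin-privileged desktop session that a phishing payload would inherit). The code below is an added example, not the Intellitactics product's logic or anything from the original post; the log line format, the account and host names, the "ws-" workstation naming convention and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp host user outcome logon_type"
# form (not a real SIEM export). Accounts and hosts are hypothetical.
SAMPLE_LOG = """\
2009-12-15T09:00:01 ws-042 jsmith success interactive
2009-12-15T09:05:10 srv-db1 dadmin failure network
2009-12-15T09:05:12 srv-db1 dadmin failure network
2009-12-15T09:05:15 srv-db1 dadmin failure network
2009-12-15T09:05:17 srv-db1 dadmin failure network
2009-12-15T09:05:20 srv-db1 dadmin failure network
2009-12-15T09:05:25 srv-db1 dadmin success network
2009-12-15T09:30:00 ws-017 dadmin success interactive
2009-12-15T10:00:00 srv-db1 backupsvc failure network
"""

ADMIN_ACCOUNTS = {"dadmin", "administrator"}  # assumed inventory of privileged accounts
FAILURE_THRESHOLD = 5                         # assumed: failures before a success = guessing
WINDOW = timedelta(minutes=10)                 # assumed: how far back failures still count

def parse(log):
    """Turn the constructed log text into (timestamp, host, user, outcome, logon_type) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, user, outcome, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), host, user, outcome, logon_type))
    return events

def detect(events):
    """Return alerts as (rule, host, user, timestamp); only privileged accounts are examined."""
    alerts = []
    failures = defaultdict(list)  # (host, user) -> timestamps of failures inside WINDOW
    for ts, host, user, outcome, logon_type in sorted(events):
        if user not in ADMIN_ACCOUNTS:
            continue
        key = (host, user)
        if outcome == "failure":
            # keep only failures that are still inside the sliding window
            failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            continue
        # a success: was it preceded by a burst of failures (technique 2)?
        recent = [t for t in failures[key] if ts - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("admin_password_guessing", host, user, ts))
        failures[key].clear()
        # privileged account in an interactive desktop session (exposure behind technique 1)
        if logon_type == "interactive" and host.startswith("ws-"):
            alerts.append(("admin_interactive_on_workstation", host, user, ts))
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` on the constructed data raises one alert for each technique; the non-privileged accounts are skipped entirely, which is why the privileged-account inventory is the first thing this kind of rule depends on.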


Right here, tomorrow, we'll look at recommendations for implementing and automating this control and tell you how the Intellitactics SIEM solutions can work for you!
