Federal Friday - 9.5.14 - Keeping 3rd Parties Honest

Blog Post created by jschim Employee on Sep 5, 2014

Happy Friday, Federal friends! I hope all of you enjoyed the nice long Labor Day weekend, and the short week to follow. I happily took last week off as well, maximizing the effect of the "long" weekend effect. Additionally, a group of 25 Rapid7 Moose took on the "Great Northeast" Tough Mudder event back on 8/23. I'm happy to say all of the "Dirty Moose" made it through the mud and obstacles, for the 2nd year in a row, and we helped generate funds for the Wounded Warrior Project.


While I was off last week, I stumbled upon a great article in Forbes detailing some of the coming changes government contractors are going to face. The DOD is going to release new regulations, laws and updated standards primarily focusing on taking broad security measures in a push to better protect data. This signifies a big change from what has typically been the norm. The changes are specifically geared toward ensuring data, but most importantly the sensitive data many contractors have access to, is locked down. As we have seen over the last few years 3rd party breaches are getting to be more common, and can be devastating to the organizations that these contractors are working for. Whether it's the Pentagon or Target, a 3rd party breach can be devastating to an organization. The Intel side of the house is going to follow suit sometime in the FY15 time-frame as well. To some this step may be drastic as it could effectively shut an organization down for failure to report an incident. However, regulation around sharing threat and breach information is long overdue.

There was another article that caught my attention, in the spirit of 3rd party breaches, around the steps the Target attackers took to breach the retail giant. In a post on CIO the author lays out 11 steps that have been pointed out by a security researcher in a post-mortem on the breach. I fully recommend reading the article for the research, but given my place in the community, I found the 7 additional steps they slipped in at the end more relevant. Aside from the 11 steps the attackers took, the auther goes on to highlight 7 steps you can take to better protect your organization, which I've listed below. These steps, while not the holy grail for network defense, will give you a solid foundation to work with.

  1. Harden access controls. Monitor and profile access patterns to systems to identify abnormal and rogue access patterns. Where possible, use multi-factor authentication to sensitive systems to reduce risks associated with theft of credentials. Segregate networks, limit allowed protocols usage and limit users' excessive privileges.
  2. Monitor users' lists for the addition of new users, especially privileged ones.
  3. Monitor for signs of reconnaissance and information gathering. Pay special attention to excessive and abnormal LDAP queries.
  4. For sensitive, single-purpose servers, consider whitelisting of allowed programs.
  5. Don't rely on anti-malware solutions as a primary mitigation measure since attackers mostly leverage legitimate IT tools.
  6. Place security and monitoring controls around Active Directory as it is involved in nearly all stages of the attack.
  7. Participate in Information Sharing and Analysis Center (ISAC) and Cyber Intelligence Sharing Center (CISC) groups to gain valuable intelligence on attackers' Tactics, Techniques and Procedures (TTPs).

Football is back, as a NY sports fan I fully expect my G-Men to go 9-7 and do this....

David Tyree Catch