“You Want Me to Do What?” A Guide to Interpreting Cybersecurity Recommendations

December 01, 2015

| jweissert | From The Front Lines

Congratulations! You’ve reached the end of yet another proactive engagement with a security services provider. Now that the engagement is over, what does that mean for you and your business? It usually means that you now

have a list of recommendations to improve the security posture of your organization. This is important information for you and your team that will

help you identify the security

gaps that, if exploited, could

contribute to significant financial costs and reputational losses. The question now is, what should you do next? Perhaps you start working on each and every recommendation the same day you receive the list. More likely, you may wrap these recommendations into another project or initiative, schedule them for completion in the next 6-12 months, or simply throw them by the wayside. I would venture to guess that most vendors believe their recommendations to be your highest priority. So how do you, as a company’s security decision-maker, determine how to allocate your finite funding to maximize your return? In this article, I argue why cybersecurity demands a place at the top of your list. Horseshoes, Hand Grenades, and Cybersecurity? They say that close only counts in horseshoes and hand grenades. But could cybersecurity be another area where “close” is equivalent to “good enough”? Let’s consider this for a minute. If CrowdStrike provides you with a recommendation to disable local administrator rights for all of your employees and you respond by removing this access for all but 5% of your employee base, that’s pretty close right? In this situation, close simply isn’t good enough. More on that later. Let’s look at it another way though. Let’s assume CrowdStrike provides you with a list of recommendations with associated criticality ratings, including eight that are “critical”, four that are “high”, and two that are “medium”. In this instance, if you implement all of the critical and high recommendations, but skip the remaining two, again you have achieved “close” to completion. This time, however, we would praise you for your ability to accomplish the 12 more critical tasks. So when is “close” good enough within the view of cybersecurity? Let’s examine this more closely. Same Bat Issues, Same Bat Recommendations Our goal at CrowdStrike is to help you secure your business against the latest cybersecurity and advanced adversary threats. Our team of cybersecurity consultants and incident responders work with companies who find themselves in many different situations:

Companies who have experienced data loss of high value assets in the past
Companies who are currently suffering from an attack where adversaries are stealing data
Companies who are concerned they have or will be in one of the first two categories.

With each of these groups, we take a bit of a different approach to prioritize our recommendations, but the ultimate outcome is the same – plug the gaps and stop the bleeding. What could be more important than keeping your name out of the headlines or minimizing the impact once it’s already there? Depending on your scenario, the time to implement the recommendations may change slightly, but the items themselves hardly alter. Timing does make a difference though, as does the completeness of your implementation of those recommendations. Let’s discuss the timing component first. Active Adversary in Your Environment? Time is Not on Your Side During an incident investigation, CrowdStrike provides recommendations across three timelines – Posturing, Coordinated Remediation Event (CRE), and Post-Remediation. The Posturing phase includes all of the recommendations that you must implement to solidify your defenses against the attacker. These are your basic blocking and tackling recommendations that either lock down your “house” or get you set for the CRE. The CRE is the essential component of our remediation plan. It is during this time period, typically a long weekend, that we assist you in removing the adversary from your network and putting the finishing touches on your new defenses. Not only are you eliminating the threat in the present attack scenario, but you’re wiping out all of the other areas that would allow the attacker back in. Further, during the CRE you should be implementing or upgrading your tools to allow for better monitoring and defense, so that if an attacker finds a way in, you’re quickly able to identify the access and mitigate it accordingly. The final phase is Post-Remediation and it consists of recommendations for the next 6 months to a year, depending on your allocated budget and security plan. The “nice to haves” likely fall into this bucket. Organizations that successfully complete these recommendations typically embrace the long term view of cybersecurity and recognize that it’s not a battle to be won with just one remediation plan. Outside of an incident investigation, our other CrowdStrike services also include recommendations as part of our standard deliverable. The timing associated with the implementation of these recommendations is highly dependent upon the organization’s current maturity and the associated vulnerabilities and risks identified. To this end, CrowdStrike prioritizes these recommendations based on a combination of criticality, cost, and difficulty ratings. These ratings and prioritizations help an organization plan its cybersecurity roadmap. Stay tuned to my next blog post on how to successfully create and maintain a roadmap. The Swiss Cheese Implementation Approach – I Smell a Rat Once you understand the importance of timing, the second requirement for successfully implementing cybersecurity recommendations is completeness. Let’s go back to the tiered remediation approach. An organization will not be successful in eliminating a targeted adversary if it picks and chooses recommendations from the Posturing and CRE phases to implement. More importantly, perhaps, is the completeness of an individual recommendation. If you secure 90% of the windows and doors on your house, but leave 10% unlocked, a burglar will find the unrestricted access points. Using the example from earlier, if you remove 95% of local administrator rights, an adversary will eventually find some of the remaining 5% of users and leverage their administrative access to regain their foothold. The following case study really drives home the completeness requirement – not just upon initial implementation, but continued maintenance over time. Case Study: Implementing 95% is Still Not Good Enough This year, CrowdStrike worked with an organization that was in the midst of a security breach. The attacker had established several footholds within the network that prevented our customer from effectively ejecting them from their environment. Following a forensic investigation that revealed information about the attacker including their initial attack vector, the tools they utilized, and their path throughout the network, CrowdStrike assisted our customer with developing and implementing a full remediation plan. Over the course of 3-4 days, we worked to eject the adversary from their environment while simultaneously locking down the gaps that would allow them back in after the CRE. Fast forward a few months and we received a call from the customer indicating that they were re-compromised. We had to wonder – how did this happen? Within a few days of our secondary investigation, the answer became clear. One of the key defensive measures we helped them implement had failed because the customer’s administrative team was no longer following the established process. During the initial remediation, we assisted the customer in locking down Windows access via newly established Active Directory groups and associated access controls. Upon review of these groups after the re-compromise, we noted that there were users who were intentionally side stepping the access controls. Because these users were not restricted by the controls in place for the various groups, the adversary was able to compromise one of these accounts and move freely through the environment. 95% adherence is not the same as 100%. Unfortunately, in today’s age of ever-increasing adversary persistence, knowledge, and creativity, only 100% adherence to these types of cybersecurity recommendations will provide continued confidence in your security posture. What’s the Most Important for Me? You may be wondering how to determine which recommendations are mandatory and which are “nice to haves”. Certainly, your security provider should help you understand the importance of each recommendation, but part of the challenge comes from your corporate culture and conflicting priorities. You know that it’s important to maintain a roadmap, but how do you get started? At times, sorting through the endless recommendations and projects can feel like counting sand. I offer our view on building a cybersecurity roadmap and associated framework in my next blog post titled “The Security Roadmap – Planning for Job Security”.