First things first: you have to decide whether you care about the security of your company or not. If not, and you like gambling, then go on and don’t “waste” money on cybersecurity, but when you get ransomed don’t blame everybody else. Everybody can make a mistake, visit an infected website or download an attachment with malware, and everybody can be tricked. As a CEO your word is the last one when we are talking about the budget, so the responsibility is yours if your systems are not prepared for cyberattacks.

Let’s imagine that after an incident our CEO decides to promote us to CISO and asks us to make the network secure. What can we do? First, gather a team, some pizza and drinks, and get to work.

Finding solutions always has to start with a piece of paper, writing down what we have (assets, resources, money), what we want to achieve (goals, objectives) and by when. Securing a system is a PROJECT; keeping it secure is a PROCESS. The only difference is that projects have deadlines while processes repeat.

So we have a small company with a router, a server running Active Directory, Samba and a web server, some Windows PCs and 2-3 departments.

So in our example the adversary has already been kicked out of the network by an external incident response company. Now the first thing we have to do is analyze the data we have, starting with the report the external company gave us, looking for the entry points the attacker used.

The second thing is to patch these systems as soon as possible, update the antivirus on the endpoints (or install one if they don’t have it), enable the host firewall on every endpoint, and collect logs and some network traffic for further analysis. All of this can be done for free (except for paying our resources, which is the staff), but imagine that you have to walk up to every PC to analyze its events and logs; that would be a lot of work.

Instead, we can set up a SIEM solution! SIEM stands for Security Information and Event Management. A SIEM gathers log data from all infrastructure components in an organization: routers, switches, firewalls, servers, personal computers and devices, applications, cloud environments, and more. We can think about it as a centralized management system: we don’t have to go to each endpoint to collect and analyze data, we just run queries in the SIEM.

There are agent-based and agentless SIEM solutions. In agent-based solutions you have to install an agent on every device to collect data, and the agent parses and filters this data before sending it to the SIEM. If you choose the agentless option, the SIEM server itself collects, parses and filters the logs and events (typically over syslog or by polling the hosts). Popular SIEM solutions are ELK and Splunk; the problem with them is the licensing and the training of your staff to use them properly, which costs a lot for a small company. There are a ton of awesome free products you can set up in your company like Wazuh, Suricata, Snort and my favourite, Security Onion. Note that Suricata and Snort are network IDS engines rather than SIEMs: they produce the alerts that you feed into the SIEM. Security Onion bundles Suricata, Zeek, Wazuh and the Elastic Stack together, which is why it is such a good fit for a small team.

Services log inbound and outbound connections, modifications, executed commands, etc. Events can be anything that happens in an OS, like deleting a file, creating a new user, downloading something or executing a command. The value of the SIEM is not the single event but the correlation: five failed logons followed by a successful one, or a new user created by an account that never creates users, is the kind of pattern you want to be alerted on.
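To make the correlation idea concrete, here is an added example (my own Python, not code from the original post or from any SIEM product) that applies two stateful rules to a stream of endpoint events. The event lines are constructed to look like Windows Security events that an agent such as Wazuh or Winlogbeat would forward as JSON; the field names (`event_id`, `src_ip`, `target_user`) and the allow-list of accounts permitted to create users are assumptions for the example, not a real product’s schema.

```python
"""SIEM-style correlation over endpoint events.

Added example for this article; it is not code from the original post or from
any SIEM product. The event lines below are constructed to look like Windows
Security events that an agent (Wazuh, Winlogbeat, ...) would ship to the SIEM
as JSON. Field names ("event_id", "src_ip", "target_user") are assumptions for
the example, not a real product's schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events, already forwarded to the central SIEM.
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created.
SAMPLE_EVENTS = """\
{"ts": "2024-03-01T09:00:01", "host": "PC-07", "event_id": 4625, "user": "carl", "src_ip": "10.0.5.23"}
{"ts": "2024-03-01T09:00:03", "host": "PC-07", "event_id": 4625, "user": "carl", "src_ip": "10.0.5.23"}
{"ts": "2024-03-01T09:00:05", "host": "PC-07", "event_id": 4625, "user": "carl", "src_ip": "10.0.5.23"}
{"ts": "2024-03-01T09:00:07", "host": "PC-07", "event_id": 4625, "user": "carl", "src_ip": "10.0.5.23"}
{"ts": "2024-03-01T09:00:09", "host": "PC-07", "event_id": 4625, "user": "carl", "src_ip": "10.0.5.23"}
{"ts": "2024-03-01T09:00:12", "host": "PC-07", "event_id": 4624, "user": "carl", "src_ip": "10.0.5.23"}
{"ts": "2024-03-01T09:05:00", "host": "DC-01", "event_id": 4720, "user": "svc_backup", "target_user": "helpdesk2"}
{"ts": "2024-03-01T09:30:00", "host": "PC-12", "event_id": 4625, "user": "anna", "src_ip": "10.0.5.40"}
{"ts": "2024-03-01T09:30:30", "host": "PC-12", "event_id": 4624, "user": "anna", "src_ip": "10.0.5.40"}
"""

FAILED_LOGON, SUCCESS_LOGON, USER_CREATED = 4625, 4624, 4720
BRUTE_FORCE_THRESHOLD = 5   # this many failures ...
BRUTE_FORCE_WINDOW_S = 60   # ... within this many seconds, then a success
# Accounts expected to create users (assumption for the example).
ALLOWED_USER_CREATORS = {"administrator"}


def parse_events(text):
    """Turn one JSON object per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Apply two stateful rules to a time-ordered event stream; return alerts.

    Rule 1: >= BRUTE_FORCE_THRESHOLD failed logons for the same (source IP,
            account) inside BRUTE_FORCE_WINDOW_S, followed by a success.
    Rule 2: a user account created by an account not on the allow-list.
    """
    alerts = []
    failures = defaultdict(deque)   # (src_ip, user) -> recent failure times
    for ev in events:
        key = (ev.get("src_ip"), ev["user"])
        if ev["event_id"] == FAILED_LOGON:
            window = failures[key]
            window.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while (ev["ts"] - window[0]).total_seconds() > BRUTE_FORCE_WINDOW_S:
                window.popleft()
        elif ev["event_id"] == SUCCESS_LOGON:
            window = failures.pop(key, deque())
            recent = [t for t in window
                      if (ev["ts"] - t).total_seconds() <= BRUTE_FORCE_WINDOW_S]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "host": ev["host"], "user": ev["user"],
                    "src_ip": ev.get("src_ip"), "failures": len(recent),
                    "ts": ev["ts"].isoformat(),
                })
        elif ev["event_id"] == USER_CREATED and ev["user"].lower() not in ALLOWED_USER_CREATORS:
            alerts.append({
                "rule": "user_created_by_unexpected_account",
                "host": ev["host"], "user": ev["user"],
                "target_user": ev.get("target_user"),
                "ts": ev["ts"].isoformat(),
            })
    return alerts


def run(text=SAMPLE_EVENTS):
    """Parse and correlate; returns the list of alerts for the sample."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, carl’s five failures within twelve seconds followed by a success fire rule 1, svc_backup creating helpdesk2 fires rule 2, and anna’s single typo before a good logon produces nothing. This is exactly the kind of logic you would write as a rule in Wazuh or a query in ELK instead of opening Event Viewer on every PC.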

For a smaller company, having the network properly segmented, a firewall with good rules, some free SIEM solution on the server, a software firewall on the endpoints and up-to-date antivirus on every system should be enough. Also, assigning 1-2 people to keep everything up to date, harden the systems and services and run threat hunts every 2-3 months would be a great idea.
And something that has no cost and can mitigate social engineering attacks is doing internal security awareness training every half year, explaining to employees the latest social media, email and message phishing techniques.

Tools that can be used for collecting network traffic: tcpdump, tshark and Wireshark.
Tools that can be used for analyzing network traffic: Wireshark, Zeek and RITA (which hunts for beaconing and long connections in Zeek logs); Nagios is really an infrastructure and availability monitor rather than a traffic analyzer, but it will tell you when a host or service goes down.
Tools that can be used on endpoints for analysis: the Sysinternals suite, the Windows event logs and Sysmon.
Tools for incident response: Volatility (memory forensics) and Autopsy (disk forensics), but RedLine (host triage) can also be a great choice.
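As an added example of the kind of threat hunt the list above enables (my own Python, not code from Zeek, RITA or the original post): a beacon hunt over a Zeek `conn.log`, which is what RITA automates. The log excerpt is constructed and whitespace-separated for readability (a real `conn.log` is tab-separated, and its fields never contain spaces, so the same `split()` works on both); the column names follow Zeek’s `#fields` header, and the thresholds are assumptions you would tune for your own network.

```python
"""Beacon hunt over a Zeek conn.log, in the spirit of what RITA automates.

Added example for this article; it is not code from Zeek, RITA or the original
post. The log lines are constructed (whitespace-separated here for readability;
a real conn.log is tab-separated and its fields never contain spaces, so
split() works for both). MIN_CONNECTIONS and MAX_JITTER_CV are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed conn.log excerpt. 10.0.5.23 talks to 203.0.113.10:443 roughly
# every 60 seconds (a C2 beacon pattern); 10.0.5.40 browses at irregular times.
SAMPLE_CONN_LOG = """\
#separator \\x09
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
1709283600.000 C01 10.0.5.23 51012 203.0.113.10 443 tcp ssl 0.21 612 1044 SF
1709283610.000 C02 10.0.5.40 49301 198.51.100.5 443 tcp ssl 3.10 5120 88211 SF
1709283660.400 C03 10.0.5.23 51020 203.0.113.10 443 tcp ssl 0.19 610 1044 SF
1709283719.800 C04 10.0.5.23 51031 203.0.113.10 443 tcp ssl 0.22 611 1044 SF
1709283747.000 C05 10.0.5.40 49355 198.51.100.5 443 tcp ssl 1.40 2210 40121 SF
1709283780.600 C06 10.0.5.23 51044 203.0.113.10 443 tcp ssl 0.20 612 1044 SF
1709283840.100 C07 10.0.5.23 51052 203.0.113.10 443 tcp ssl 0.21 612 1044 SF
1709283899.700 C08 10.0.5.23 51060 203.0.113.10 443 tcp ssl 0.18 610 1044 SF
1709283960.300 C09 10.0.5.23 51071 203.0.113.10 443 tcp ssl 0.23 611 1044 SF
1709284020.900 C10 10.0.5.23 51083 203.0.113.10 443 tcp ssl 0.20 612 1044 SF
1709284080.200 C11 10.0.5.23 51090 203.0.113.10 443 tcp ssl 0.19 612 1044 SF
1709284140.500 C12 10.0.5.23 51102 203.0.113.10 443 tcp ssl 0.21 610 1044 SF
1709284647.000 C13 10.0.5.40 49402 198.51.100.5 443 tcp ssl 0.90 1800 20033 SF
1709284659.000 C14 10.0.5.40 49410 198.51.100.5 443 tcp ssl 0.70 1500 15002 SF
1709287959.000 C15 10.0.5.40 49587 198.51.100.5 443 tcp ssl 2.00 3300 60100 SF
#close 2024-03-01-10-00-00
"""

MIN_CONNECTIONS = 5    # fewer than this and the interval statistics mean little
MAX_JITTER_CV = 0.2    # stdev/mean of the intervals; lower means more regular


def parse_conn_log(text):
    """Parse a Zeek conn.log into dicts keyed by the names in its #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue   # other Zeek metadata lines (#separator, #path, #close)
        if fields is None:
            raise ValueError("conn.log has no #fields header before data")
        rows.append(dict(zip(fields, line.split())))
    return rows


def find_beacons(rows, min_connections=MIN_CONNECTIONS, max_cv=MAX_JITTER_CV):
    """Group connections by (source, destination, port) and flag pairs whose
    inter-connection intervals are suspiciously regular."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    results = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean   # coefficient of variation
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "dport": dport,
                            "connections": len(stamps),
                            "mean_interval_s": round(mean, 1),
                            "jitter_cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

On the sample the 10.0.5.23 to 203.0.113.10:443 pair is reported with a mean interval of about 60 seconds and a jitter coefficient near 0.01, while the browsing host, which also has five connections, fails the regularity check. Real malware adds jitter on purpose, so in practice you also look at the byte-size consistency and the total duration of the pattern, which is what RITA scores on top of the timing.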


So if we are the CISO of a smaller company that doesn’t want to give too much budget to security solutions and our CEO asks us whether we are secure, we can say with confidence that we are not 100% secure, but we did everything we could with the low budget to prevent being hacked.

If we work for a medium-sized company, one with 50-250 employees, and we get the task of making their systems secure, the first thing we need is a budget. With this size usually comes a small staff, like 3-5 people in IT and that’s all, so we have to automate everything.

What does a medium-sized company have? A lot of PCs, laptops, phones, racks, switches and machinery; for the machinery you need PLCs (Programmable Logic Controllers) and an ICS (Industrial Control System).

First things first, we research the company looking for threat intel: what it produces, what APTs (Advanced Persistent Threats) may target the company, whether it is governmental or not, etc. After gaining some threat intel we can decide where to focus. For example, if we are a manufacturer we can be a target of various groups like FIN6, Cobalt Group or APT29. These groups have used spearphishing, malicious links and email attachments to exploit people, so we are going to focus more on our endpoints.

The basic security which every network must have is a firewall, a DMZ that keeps the externally reachable services separate from the internal network, a segmented network (subnets, VLANs), a good password policy and some SIEM solution.

For this size we have to work with a lot of assets, so implementing a zero-trust network solution is a must in order to know which devices and users are connected to the network. We can use Fortinet’s Zero Trust Network Access (ZTNA) solution. Whenever a device wants to reach our network, the access proxy challenges it; the user is authenticated (FortiAuthenticator handles the authentication and MFA) and the device has to present a valid identity and pass its posture checks, and only then does it get access and a session token assigned, a bit like a Kerberos ticket.

IMPORTANT: We talk about zero trust when we verify both the user and the device; the basic idea behind it is “never trust, always verify”. Nowadays it’s a popular concept because we have people working from home, assets in the cloud, people working on the internal network with their own devices (BYOD), etc.

Installing a sandbox solution would be beneficial. Sandboxes create isolated virtual environments in which suspicious files are detonated and observed; when a file starts to delete or edit the registry, or tries to encrypt something, it is flagged as malware and blocked or removed from the system. Because the verdict is based on behaviour rather than on a known signature, sandboxes also give some level of protection against zero-day attacks (exploits that have never been seen before). Bear in mind that sandbox-aware malware can delay or hide its behaviour when it detects it is running in a virtual machine, so a sandbox is one layer, not the last word.

Another solution to fight against phishing attacks is UEBA. User and Entity Behaviour Analytics is a cybersecurity solution that uses statistical baselines and machine learning to detect anomalies in the behaviour not only of the users in a corporate network but also of the routers, servers and endpoints in that network. So you will be alerted when Carl from Marketing starts executing commands like Get-NetIPAddress or the printer starts sending HTTP requests to the web server.
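The following is an added example (my own Python, not code from a UEBA product or from the original post) of the baseline idea behind UEBA: learn what each user and device normally does, group entities into peer groups by role, and score new actions by whether the entity, its peers, or nobody has done them before. The entities, roles, “learning period” events and live events are all constructed; real products build the baseline from weeks of SIEM data and use much richer models.

```python
"""UEBA-style anomaly scoring: learn what each user and device normally does,
then flag actions outside that baseline and outside its peer group's baseline.

Added example for this article; it is not code from a UEBA product or from the
original post. Entities, roles, the "learning" period and the live events are
constructed; a real product baselines weeks of SIEM data with richer models.
"""
from collections import defaultdict, Counter

# Who is what. Peer groups let us judge "a marketing user running a PowerShell
# network-enumeration cmdlet" differently from an IT admin doing the same.
ENTITY_ROLE = {
    "carl": "marketing", "dora": "marketing", "anna": "it", "bob": "it",
    "printer-03": "printer", "printer-04": "printer", "web-01": "server",
}

# Constructed learning period: (entity, action, target).
BASELINE_EVENTS = [
    ("carl", "open_document", "share-01"), ("carl", "http_request", "intranet"),
    ("carl", "send_email", "mail-01"),
    ("dora", "open_document", "share-01"), ("dora", "http_request", "intranet"),
    ("dora", "send_email", "mail-01"), ("dora", "print_job", "printer-03"),
    ("anna", "powershell:Get-NetIPAddress", "PC-12"), ("anna", "rdp_login", "DC-01"),
    ("bob", "powershell:Get-NetIPAddress", "PC-02"), ("bob", "ssh_login", "web-01"),
    ("printer-03", "smb_write", "share-01"), ("printer-03", "snmp_reply", "monitor-01"),
    ("printer-04", "smb_write", "share-01"), ("printer-04", "snmp_reply", "monitor-01"),
    ("web-01", "dns_query", "dns-01"), ("web-01", "http_response", "intranet"),
]

# Constructed live events to score against the baseline.
NEW_EVENTS = [
    ("anna", "powershell:Get-NetIPAddress", "PC-12"),   # routine for an admin
    ("dora", "send_email", "mail-01"),                  # routine
    ("carl", "print_job", "printer-03"),                # new for carl, normal for marketing
    ("carl", "powershell:Get-NetIPAddress", "PC-07"),   # new for carl AND for marketing
    ("printer-03", "http_request", "web-01"),           # a printer browsing the web server
]

SEVERITY_RANK = {"normal": 0, "medium": 1, "high": 2}


def build_baseline(events, roles=ENTITY_ROLE):
    """Count actions per entity and per role (peer group)."""
    per_entity, per_role = defaultdict(Counter), defaultdict(Counter)
    for entity, action, _target in events:
        per_entity[entity][action] += 1
        per_role[roles.get(entity, "unknown")][action] += 1
    return per_entity, per_role


def score_event(event, per_entity, per_role, roles=ENTITY_ROLE):
    """normal: the entity has done this before.
    medium: new for the entity, but its peer group does it.
    high:   unseen for the entity and for its whole peer group."""
    entity, action, _target = event
    if per_entity[entity][action] > 0:
        return "normal"
    if per_role[roles.get(entity, "unknown")][action] > 0:
        return "medium"
    return "high"


def score_events(events=NEW_EVENTS, baseline_events=BASELINE_EVENTS):
    """Return (entity, action, target, severity) for every live event."""
    per_entity, per_role = build_baseline(baseline_events)
    return [(e[0], e[1], e[2], score_event(e, per_entity, per_role)) for e in events]


def alerts(events=NEW_EVENTS, baseline_events=BASELINE_EVENTS, min_severity="medium"):
    """Only the scored events at or above min_severity, worst first."""
    hits = [s for s in score_events(events, baseline_events)
            if SEVERITY_RANK[s[3]] >= SEVERITY_RANK[min_severity]]
    return sorted(hits, key=lambda s: -SEVERITY_RANK[s[3]])


if __name__ == "__main__":
    for hit in alerts():
        print(hit)
```

Carl running Get-NetIPAddress and the printer talking HTTP to web-01 come out as high because nobody in their peer groups does that; Carl sending a print job is only medium because another marketing user does it routinely. The peer-group step is what keeps the alert volume sane: without it every first-time action by anyone would look like an anomaly.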

To enhance our security we can put an IDS/IPS solution in between our firewall and our router, or just buy a real next-generation firewall (NGFW) that includes this functionality, so you are not spending that much money. However, not all firewalls are next-generation firewalls. Also, a classic firewall filters network traffic based on addresses, ports and protocols, while an IDS or IPS inspects the content of the traffic for exploit attempts and then alerts or blocks, depending on the configuration. IDS and IPS act on the traffic after the firewall has filtered it, according to the configured policy.


Here I would like to mention that an IDS (Intrusion Detection System) is responsible for identifying attacks and techniques and is often deployed out of band (on a SPAN/mirror port or a network TAP) in listen-only mode, so that it can analyze all traffic and generate intrusion events from suspect or malicious traffic. It does not block an IP and does not prevent an attack; it DETECTS and reports.

An IPS (Intrusion Prevention System) is deployed inline, in the path of the traffic, so that all traffic must pass through the appliance to continue to its destination. Upon detection of malicious traffic, the IPS breaks the connection and drops the session or the traffic. So it not only detects but prevents the exploitation. The flip side of being inline is that a false positive blocks legitimate traffic and the appliance itself becomes a single point of failure, so decide deliberately whether it should fail open or fail closed.

These last two technologies are the watchful eyes of our network, logging and preventing malicious traffic; our firewall filters the traffic, and our SIEM collects all the logs and events so we know what happens on our endpoints. Our UEBA solution analyzes and learns the behaviour of our users and looks for anomalies, which it can report to us. And at the end, our sandbox solution is watching and searching for polymorphic malware, which can slip through some of our defensive layers, or zero-day attacks, which we have no idea exist in our network.

There are a lot of other solutions like SASE (Secure Access Service Edge), SOAR (Security Orchestration, Automation and Response), or, if we are talking about web apps, web application firewalls, and we didn’t even touch cyber deception with decoys and honeypots, or cloud security. I could be here all day listing solutions, but the most important part is learning the theory and the methods and acting accordingly. Every case is different and we have to study it to propose a good solution. Also, I recommend you do your own research on what more can fit in a blue teamer’s tool case; the more you know, the more you can propose and the better decisions you make!