NIST Launches Cybersecurity Framework (CSF) 2.0

By: Shannon Murphy, Greg Young
March 20, 2024
Read time: 2 min (589 words)

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the official 2.0 version of the Cyber Security Framework (CSF).

What is the NIST CSF?

The NIST CSF is a series of guidelines and best practices to reduce cyber risk and improve security posture. The framework is divided into pillars or “functions” and each function is subdivided into “categories” which outline specific outcomes.

As titled, it is a framework. Although it was published by a standards body, it is not a technical standard.

https://www.nist.gov/cyberframework

What Is the CSF Really Used For?

Unlike some very prescriptive NIST standards (for example, crypto standards like FIPS-140-2), the CSF framework is similar to the ISO 27001 certification guidance. It aims to set out general requirements to inventory security risk, design and implement compensating controls, and adopt an overarching process to ensure continuous improvement to meet shifting security needs.

It’s a high-level map for security leaders to identify categories of protection that are not being serviced well. Think of the CSF as a series of buckets with labels. You metaphorically put all the actions, technology deployments, and processes you do in cybersecurity into these buckets, and then look for buckets with too little activity in them or have too much activity — or repetitive activity — and not enough of other requirements in them.

The CSF hierarchy is that Functions contain many Categories — or in other words, there are big buckets that contain smaller buckets.

What Is New in CSF 2.0?

The most noteworthy change is the introduction of Governance as a sixth pillar in the CSF Framework. This shift sees governance being given significantly more importance from just a mention within the previous five Categories to now being its owna separate Function.

According to NIST the Govern function refers to how an organization’s, “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.”  This is a positive and needed evolution, as when governance is weak, it often isn’t restricted to a single function (e.g. IAM) and can be systemic.

Governance aligns to a broader paradigm shift where we see cybersecurity becoming highly relevant within the business context as an operational risk. The Govern expectation is cybersecurity is integrated into the broader enterprise risk management strategy and requires dedicated accountability and oversight.

There are some other reassignments and minor changes in the remaining five Categories. CSF version 1.0 was published in 2014, and 1.1 in 2018. A lot has changed in security since then. The 2.0 update acknowledges that a review has been conducted.

As a framework, the CISO domain has not radically changed. Yes, the technology has radically evolved, but the greatest evolution in the CISO role really has been around governance: greater interaction with C-suite and board, while some activities have been handed off to operations.

NIST Cybersecurity Framework

So How Will This Impact Me in the Short Term?

The update to the NIST CSF provides a fresh opportunity to security leaders to start or reopen conversations with business leaders on evolving needs.

  • The greatest impact will be to auditors and consultants who will need to make formatting changes to their templates and work products to align with version 2.0.
  • CISOs and security leaders will have to make some similar changes to how they track and report compliance.
  • But overall, the greatest impact (aside from some extra billable cybersecurity consulting fees) will be a boost of relevance to the CSF that could attract new adherents both through security leaders choosing to look at themselves through the CSF lens and management asking the same of CISOs.
Category

Source :
https://www.trendmicro.com/it_it/research/24/c/nist-cybersecurity-framework-2024.html

The Ultimate Guide to Password Best Practices: Guarding Your Digital Identity

Dirk Schrader
Published: November 14, 2023
Updated: November 24, 2023

In the wake of escalating cyber-attacks and data breaches, the ubiquitous advice of “don’t share your password” is no longer enough. Passwords remain the primary keys to our most important digital assets, so following password security best practices is more critical than ever. Whether you’re securing email, networks, or individual user accounts, following password best practices can help protect your sensitive information from cyber threats.

Read this guide to explore password best practices that should be implemented in every organization — and learn how to protect vulnerable information while adhering to better security strategies.

The Secrets of Strong Passwords

A strong password is your first line of defense when it comes to protecting your accounts and networks. Implement these standard password creation best practices when thinking about a new password:

  • Complexity: Ensure your passwords contain a mix of uppercase and lowercase letters, numbers, and special characters. It should be noted that composition rules, such as lowercase, symbols, etc. are no longer recommended by NIST — so use at your own discretion.
  • Length: Longer passwords are generally stronger — and usually, length trumps complexity. Aim for at least 6-8 characters.
  • Unpredictability: Avoid using common phrases or patterns. Avoid using easily guessable information like birthdays or names. Instead, create unique strings that are difficult for hackers to guess.

Handpicked related content:

Combining these factors makes passwords harder to guess. For instance, if a password is 8 characters long and includes uppercase letters, lowercase letters, numbers and special characters, the total possible combinations would be (26 + 26 + 10 + 30)^8. This astronomical number of possibilities makes it exceedingly difficult for an attacker to guess the password.

Of course, given NIST’s updated guidance on passwords, the best approach to effective password security is using a password manager — this solution will not only help create and store your passwords, but it will automatically reject common, easy-to-guess passwords (those included in password dumps). Password managers greatly increase security against the following attack types.

Password-Guessing Attacks

Understanding the techniques that adversaries use to guess user passwords is essential for password security. Here are some of the key attacks to know about:

Brute-Force Attack

In a brute-force attack, an attacker systematically tries every possible combination of characters until the correct password is found. This method is time-consuming but can be effective if the password is weak.

Strong passwords help thwart brute force attacks because they increase the number of possible combinations an attacker must try, making it unlikely they can guess the password within a reasonable timeframe.

Dictionary Attack

A dictionary attack is a type of brute-force attack in which an adversary uses a list of common words, phrases and commonly used passwords to try to gain access.

Unique passwords are essential to thwarting dictionary attacks because attackers rely on common words and phrases. Using a password that isn’t a dictionary word or a known pattern significantly reduces the likelihood of being guessed. For example, the string “Xc78dW34aa12!” is not in the dictionary or on the list of commonly used passwords, making it much more secure than something generic like “password.”

Dictionary Attack with Character Variations

In some dictionary attacks, adversaries also use standard words but also try common character substitutions, such as replacing ‘a’ with ‘@’ or ‘e’ with ‘3’. For example, in addition to trying to log on using the word “password”, they might also try the variant “p@ssw0rd”.

Choosing complex and unpredictable passwords is necessary to thwart these attacks. By using unique combinations and avoiding easily guessable patterns, you make it challenging for attackers to guess your password.

How Password Managers Enhance Security

Password managers are indispensable for securely storing and organizing your passwords. These tools offer several key benefits:

  • Security: Password managers store passwords and enter them for you, eliminating the need for users to remember them all. All users need to remember is the master password for their password manager tool. Therefore, users can use long, complex passwords as recommended by best practices without worrying about forgetting their passwords or resorting to insecure practices like writing passwords down or reusing the same password for multiple sites or applications.
  • Password generation: Password managers can generate a strong and unique password for user accounts, eliminating the need for individuals to come up with them.
  • Encryption: Password managers encrypt password vaults, ensuring the safety of data — even if it is compromised.
  • Convenience: Password managers enable users to easily access passwords across multiple devices.

When selecting a password manager, it’s important to consider your organization’s specific needs, such as support for the platforms you use, price, ease of use and vendor breach history. Conduct research and read reviews to identify the one that best aligns with your organization’s requirements. Some noteworthy options include Netwrix Password Secure, LastPass, Dashlane, 1Password and Bitwarden.

How Multifactor Authentication (MFA) Adds an Extra Layer of Security

Multifactor authentication strengthens security by requiring two or more forms of verification before granting access. Specifically, you need to provide at least two of the following authentication factors:

  • Something you know: The classic example is your password.
  • Something you have: Usually this is a physical device like a smartphone or security token.
  • Something you are: This is biometric data like a fingerprint or facial recognition.

MFA renders a stolen password worthless, so implement it wherever possible.

Password Expiration Management

Password expiration policies play a crucial role in maintaining strong password security. Using a password manager that creates strong passwords also has an influence on password expiration. If you do not use a password manager yet, implement a strategy to check all passwords within your organization; with a rise in data breaches, password lists (like the known rockyou.txt and its variations) used in brute-force attacks are constantly growing. The website haveibeenpawned.com offers a service to check whether a certain password has been exposed. Here’s what users should know about password security best practices related to password expiration:

  • Follow policy guidelines: Adhere to your organization’s password expiration policy. This includes changing your password when prompted and selecting a new, strong password that meets the policy’s requirements.
  • Set reminders: If your organization doesn’t enforce password expiration via notifications, set your own reminders to change your password when it’s due. Regularly check your email or system notifications for prompts.
  • Avoid obvious patterns: When changing your password, refrain from using variations of the previous one or predictable patterns like “Password1,” “Password2” and so on.
  • Report suspicious activity: If you notice any suspicious account activity or unauthorized password change requests, report them immediately to your organization’s IT support service or helpdesk.
  • Be cautious with password reset emails: Best practice for good password security means being aware of scams. If you receive an unexpected email prompting you to reset your password, verify its authenticity. Phishing emails often impersonate legitimate organizations to steal your login credentials.

Password Security and Compliance

Compliance standards require password security and password management best practices as a means to safeguard data, maintain privacy and prevent unauthorized access. Here are a few of the laws that require password security:

  • HIPAA (Health Insurance Portability and Accountability Act): HIPAA mandates that healthcare organizations implement safeguards to protect electronic protected health information (ePHI), which includes secure password practices.
  • PCI DSS (Payment Card Industry Data Security Standard): PCI DSS requires organizations that handle payment card data on their website to implement strong access controls, including password security, to protect cardholder data.
  • GDPR (General Data Protection Regulation): GDPR requires organizations that store or process the data of EU residents to implement appropriate security measures to protect personal data. Password security is a fundamental aspect of data protection under GDPR.
  • FERPA (Family Educational Rights and Privacy Act): FERPA governs the privacy of student education records. It includes requirements for securing access to these records, which involves password security.

Organizations subject to these compliance standards need to implement robust password policies and password security best practices. Failure to do so can result in steep fines and other penalties.

There are also voluntary frameworks that help organizations establish strong password policies. Two of the most well known are the following:

  • NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) provides guidelines and recommendations, including password best practices, to enhance cybersecurity.
  • ISO 27001: ISO 27001 is an international standard for information security management systems (ISMSs). It includes requirements related to password management as part of its broader security framework.

Password Best Practices in Action

Now, let’s put these password security best practices into action with an example:

Suppose your name is John Doe and your birthday is December 10, 1985. Instead of using “JohnDoe121085” as your password (which is easily guessable), follow these good password practices:

  • Create a long, unique (and unguessable) password, such as: “M3an85DJ121!”
  • Store it in a trusted password manager.
  • Enable multi-factor authentication whenever available.

10 Password Best Practices

If you are looking to strengthen your security, follow these password best practices:

  • Remove hints or knowledge-based authentication: NIST recommends not using knowledge-based authentication (KBA), such as questions like “What town were you born in?” but instead, using something more secure, like two-factor authentication.
  • Encrypt passwords: Protect passwords with encryption both when they are stored and when they are transmitted over networks. This makes them useless to any hacker who manages to steal them.
  • Avoid clear text and reversible forms: Users and applications should never store passwords in clear text or any form that could easily be transformed into clear text. Ensure your password management routine does not use clear text (like in an XLS file).
  • Choose unique passwords for different accounts: Don’t use the same, or even variations, of the same passwords for different accounts. Try to come up with unique passwords for different accounts.
  • Use a password management: This can help select new passwords that meet security requirements, send reminders of upcoming password expiration, and help update passwords through a user-friendly interface.
  • Enforce strong password policies: Implement and enforce strong password policies that include minimum length and complexity requirements, along with a password history rule to prevent the reuse of previous passwords.
  • Update passwords when needed: You should be checking and – if the results indicate so – updating your passwords to minimize the risk of unauthorized access, especially after data breaches.
  • Monitor for suspicious activity: Continuously monitor your accounts for suspicious activity, including multiple failed login attempts, and implement account lockouts and alerts to mitigate threats.
  • Educate users: Conduct or partake in regular security awareness training to learn about password best practices, phishing threats, and the importance of maintaining strong, unique passwords for each account.
  • Implement password expiration policies: Enforce password expiration policies that require password changes at defined circumstances to enhance security.

How Netwrix Can Help

Adhering to password best practices is vital to safeguarding sensitive information and preventing unauthorized access.

Netwrix Password Secure provides advanced capabilities for monitoring password policies, detecting and responding to suspicious activity and ensuring compliance with industry regulations. With features such as real-time alerts, comprehensive reporting and a user-friendly interface, it empowers organizations to proactively identify and address password-related risks, enforce strong password policies, and maintain strong security across their IT environment.

Conclusion

In a world where cyber threats are constantly evolving, adhering to password management best practices is essential to safeguard your digital presence. First and foremost, create a strong and unique password for each system or application — remember that using a password manager makes it much easier to adhere to this critical best practice. In addition, implement multifactor authentication whenever possible to thwart any attacker who manages to steal your password. By following the guidelines, you can enjoy a safer online experience and protect your valuable digital assets.

Dirk Schrader

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.

Source :
https://blog.netwrix.com/2023/11/15/password-best-practices/

How to Set Up a VLAN

Diego Asturias UPDATED: July 11, 2023


If you want to improve your network security and performance, learning how to set up a VLAN properly is all you need. Virtual LANs are powerful networking tools that allow you to segment your network into logical groups and isolate traffic between them.

In this post, we will go through the steps required to set up a VLAN in your network. We will configure two switches along with their interfaces and VLANs, respectively.

So, let’s dive in and learn how to set up VLANs and take your network to the next level.

Table of Contents

  • What is a VLAN?
  • Preparing for VLAN configuration
    • Our Lab
    • Network Diagram
  • How to set up a VLAN on a Switch?
    • Let’s connect to the Switch
    • Configure VLANs
    • Assign switch ports to VLANs
    • Configure trunk ports
  • Extra Configuration to Consider

What is a VLAN?

Before we go deep into learning how to set up a VLAN and provide examples, let’s understand the foundations of VLANs (or Virtual Local Area Networks).

In a nutshell, VLANs are logical groupings of devices that rely on Layer 2 addresses (MAC) for communication. VLANs are implemented to segment a physical network (or large Layer two broadcast domains) into multiple smaller logical networks (isolated broadcast domains).

Each VLAN behaves as a separate network with its own broadcast domain. VLANs help prevent broadcast storms (extreme amounts of broadcast traffic). They also help control traffic and overall improve network security and performance.

Preparing for VLAN configuration

Although VLANs are usually left for Layer 2 switches, in reality, any device (including routers and L3 switches) with switching capabilities and support of VLAN configuration should be an excellent fit for VLANs. In addition, VLANs are supported by different vendors, and since each vendor has a different OS and code, the way the VLANs are configured may slightly change.

Furthermore, you can also use specific software such as network diagramming and simulation to help you create network diagrams and test your configuration.

Our Lab

We will configure a popular Cisco (IOS-based) switch for demonstration purposes. We will use Boson NetSim (a network simulator for Cisco networking hardware and software) to run Cisco IOS simulated commands. This simulation is like you were configuring an actual Cisco switch or router.

Network Diagram

To further illustrate how to set up a VLAN, we will work on the following network diagram. We will configure two VLANs in two different switches. We will then configure each port on the switches connected to a PC. We will then proceed to configure the trunk port, which is vital for VLAN traffic.

Network Diagram

Network diagram details

  • S2 and S3 (Switch 2 and Switch 3) – Two Cisco L2 Switches connecting PCs at different VLANs (VLAN 10 and VLAN 20) via Fast Ethernet interfaces.
  • VLANs 10 and VLAN20. These VLANs configured in L2 switches (S2 and S3) create a logical grouping of PCs within the network. In addition, each VLAN gets a name, VLAN 10 (Engineering) and VLAN 20 (Sales).
  • PCs. PC1, PC2, PC3, and PC4 are each connected to a specific L2 switch.

How to set up a VLAN on a Switch?

So now that you know the VLAN configuration we will be using, including the number of switches, VLAN ID, VLAN name, and the devices or ports that will be part of the configuration, let’s start setting up the VLANs.

Note: VLAN configuration is just a piece of the puzzle. Switches also need proper interface configuration, authentication, access, etc. To learn how to correctly connect and configure everything else, follow the step-by-step guide on how to configure a Cisco Switch. 

a. Let’s connect to the switch

Inspect your hardware and find the console port. This port is usually located on the back of your Cisco switch. You can connect to the switch’s “console port” using a console cable (or rollover). Connect one end of the console cable to the switch’s console port and the other to your computer’s serial port.

Note: Obviously, not all modern computers have serial ports. Some modern switches come with a Mini USB port or AUX port to help with this. But if your hardware doesn’t have these ports, you can also connect to the switch port using special cables like an RJ-45 rollover cable, a Serial DB9-to-RJ-45 console cable, or a serial-to-USB adapter. 

  • Depending on your switch’s model, you can configure it via Command Line Interface (CLI) or Graphical User Interface (GUI). We will connect to the most popular user interface: The IOS-based CLI. 
  • To connect to your switch’s IOS-based CLI, you must use a terminal emulator on your computer, such as PuTTY or SecureCRT.
  • You’ll need to configure the terminal emulator to use the correct serial port and set the baud rate to 9600. Learn how to properly set these parameters in the Cisco switching configuration guide.
  • In the terminal emulator, press Enter to activate the console session. The Cisco switch should display a prompt asking for a username and password.
  • Enter your username and password to log in to the switch.
connect to the switch

b. Configure VLANs

According to our previously shown network diagram, we will need two VLANs; VLAN 10 and VLAN 20.

  • To configure Layer 2 switches, you need to enter the privileged EXEC mode by typing “enable” and entering the password (if necessary).
  • Enter the configuration mode by typing “configure terminal.”
  • Create the VLAN with “vlan <vlan ID>” (e.g., “vlan 10”).
  • Name the VLAN by typing “name <vlan name>” (e.g., “name Sales”).
  • Repeat these two steps for each VLAN you want to create.

Configuration on Switch 2 (S2)

S2# configure terminal

S2(config)# vlan 10

S2(config-vlan)# name Engineering

S2(config-vlan)# end

S2# configure terminal

S2(config)# vlan 20

S2(config-vlan)# name Sales

S2(config-vlan)# end

Use the “show vlan” command to see the configured VLANs. From the output below, you’ll notice that the two new VLANs 10 (Engineering) and 20 (Sales) are indeed configured and active but not yet assigned to any port.

Configure VLANs

Configuration on Switch 3 (S3)

S3# configure terminal

S3(config)# vlan 10

S3(config-vlan)# name Engineering

S3(config-vlan)# end

S3# configure terminal

S3(config)# vlan 20

S3(config-vlan)# name Sales

S3(config-vlan)# end

Configuration on Switch 3 (S3)

Note: From the output above, you might have noticed VLAN 1 (default), which is currently active and is assigned to all the ports in the switch. This VLAN, also known as native VLAN, is the default VLAN on most Cisco switches. It is used for untagged traffic on a trunk port. This means that all traffic that is not explicitly tagged with VLAN information will be sent to this default VLAN. 

Now, let’s remove those VLAN 1 tags from interfaces Fa0/2 and Fa0/3. Or in simple words let’s assign the ports to our newly created VLANs.

c. Assign switch ports to VLANs

In the previous section, we created our VLANs; now, we must assign the appropriate switch ports to the correct VLANs. The proper steps to assign switch ports to VLANs are as follows:

  • Enter configuration mode. Remember to run these commands under the configuration mode (configure terminal).
  • Assign ports to the VLANs by typing “interface <interface ID>” (e.g., “interface GigabitEthernet0/1”).
  • Configure the port as an access port by typing “switchport mode access”
  • Assign the port to a VLAN by typing “switchport access vlan <vlan ID>” (e.g., “switchport access vlan 10”).
  • Repeat these steps for each port you want to assign to a VLAN.

Let’s refer to a section of our network diagram

network diagram

Configuration on Switch 2 (S2)

S2(config)# interface fastethernet 0/2

S2(config-if)# switchport mode access

S2(config-if)# switchport access vlan 10

S2(config)# interface fastethernet 0/3

S2(config-if)# switchport mode access

S2(config-if)# switchport access vlan 20

Configuration on Switch 2 (S2)

Use the “show running-configuration” to see the new configuration taking effect on the interfaces.

Configuration on Switch 3 (S3)

S3(config)# interface fastethernet 0/2

S3(config-if)# switchport mode access

S3(config-if)# switchport access vlan 10

S3(config)# interface fastethernet 0/3

S3(config-if)# switchport mode access

S3(config-if)# switchport access vlan 20

Configuration on Switch 3 (S3)

A “show running-configuration” can show you our configuration results.

show running-configuration

d. Configure trunk ports

Trunk ports are a type of switch port mode (just like access) that perform essential tasks like carrying traffic for multiple VLANs between switches, tagging VLAN traffic, supporting VLAN management, increasing bandwidth efficiency, and allowing inter-VLAN routing.

If we didn’t configure trunk ports between our switches, the PCs couldn’t talk to each other on different switches, even if they were on the same VLAN.

Here’s a step by step to configuring trunk ports

  • Configure a trunk port to carry traffic between VLANs by typing “interface <interface ID>” (e.g., “interface FastEthernet0/12”).
  • Set the trunk encapsulation method (dot1q). The IEEE 802.1Q (dot1q) trunk encapsulation method is the standard tagging Ethernet frames with VLAN information.
  • Configure the port as a trunk port by typing “switchport mode trunk”.
  • Repeat the steps for each trunk port you want to configure.

Note (on redundant trunk links): To keep our article simple, we will configure one trunk link. However, keep in mind that any good network design (including trunk links) would need redundancy. One trunk link between switches is not an optimal redundant solution for networks on production. To add redundancy, we recommend using EtherChannel to bundle physical links together and configure the logical link as a trunk port. You can also use Spanning Tree Protocol (STP) by using the “spanning-tree portfast trunk” command.

Let’s refer to our network diagram

network diagram

Configuration on Switch 2 (S2)

S2(config)# interface fastethernet 0/12

S2(config-if)# switchport trunk encapsulation dot1q

S2(config-if)# switchport mode trunk

S2(config-if)# exit

Configuration on Switch 2 (S2)

Configuration on Switch 3 (S3)

S3(config)# interface fastethernet 0/24

S3(config-if)# switchport trunk encapsulation dot1q

S3(config-if)# switchport mode trunk

S3(config-if)# exit

Configuration on Switch 3 (S3)

Note: You can use different types of trunk encapsulation such as dot1q and ISL, just make sure both ends match the type of encapsulation.

Extra Configuration to Consider

Once you finish with VLAN and trunk configuration, remember to test VLAN connectivity between PCs, you can do this by configuring the proper IP addressing and doing a simple ping. Below are other key configurations related to your new VLANs that you might want to consider.

a. Ensure all your interfaces are up and running

To ensure that your interfaces are not administratively down, issue a “no shutdown” (or ‘no shut’) command on all those newly configured interfaces. Additionally, you can also use the “show interfaces” to see the status of all the interfaces.

no shutdown command

b. (Optional) enable inter-VLAN

VLANs, as discussed earlier, separate broadcast domains (Layer 2) — they do not know how to route IP traffic because Layer 2 devices like switches can’t accept IP address configuration on their interfaces. To allow inter-VLAN communication (PCs on one VLAN communicate with PCs on another VLAN), you would need to use a Layer 3 device (a router or L3 switch) to route traffic.

There are three ways to implement inter-VLAN routing: an L3 router with multiple Ethernet interfaces, an L3 router with one router interface using subinterfaces (known as Router-On-a-Stick), and an L3 switch with SVI.

We will show a step-by-step on how to configure Router-On-a-Stick for inter-VLAN communications. 

  • Connect the router to one switch via a trunk port.
  • Configure subinterfaces on the router for each VLAN (10 and 20 in our example). To configure subinterfaces, use the “interface” command followed by the VLAN number with a period and a subinterface number (e.g., “interface FastEthernet0/0.10” for VLAN 10). For example, to configure subinterfaces for VLANs 10 and 20, you would use the following commands:

> router(config)# interface FastEthernet 0/0

> router(config-if)# no shutdown

> router(config-if)# interface FastEthernet 0/0.10

> router(config-subif)# encapsulation dot1Q 10

> router(config-subif)# ip address 192.168.10.1 255.255.255.0

> router(config-subif)# interface FastEthernet 0/0.20

> router(config-subif)# encapsulation dot1Q 20

> router(config-subif)# ip address 192.168.20.1 255.255.255.0

  • Configure a default route on the router using the “ip route” command. This is a default route to the Internet through a gateway at IP address 192.168.1.1. For example:

> router(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

c. Configure DHCP Server

To automatically assign IP addresses to devices inside the VLANs, you will need to configure a DHCP server. Follow these steps:

  1. The DHCP server should also be connected to the VLAN.
  2. Configure the DHCP server to provide IP addresses to devices in the VLAN.
  3. Configure the router to forward DHCP requests to the DHCP server by typing “ip helper-address <ip address>” (e.g., “ip helper-address 192.168.10.2”).

Final Words

By following the steps outlined in this post, you can easily set up a VLAN on your switch and effectively segment your network. Keep in mind to thoroughly test your VLAN configuration and consider additional configuration options to optimize your network for your specific needs.

With proper setup and configuration, VLANs can greatly enhance your network’s capabilities and 10x increase its performance and security.

Source :
https://www.pcwdld.com/how-to-set-up-a-vlan/

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

Release Date October 05, 2023
Alert CodeAA23-278A

A plea for network defenders and software manufacturers to fix common problems.

EXECUTIVE SUMMARY

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:

  • Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
  • Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.[1]

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.

  • Remove default credentials and harden configurations.
  • Disable unused services and implement access controls.
  • Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.[2]
  • Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:

  • Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
  • Eliminating default passwords.
  • Providing high-quality audit logs to customers at no extra charge.
  • Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.[3]

Download the PDF version of this report: PDF, 660 KB

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13, and the MITRE D3FEND™ cybersecurity countermeasures framework.[4],[5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures.

For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.[6],[7]

Overview

Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD); Federal Civilian Executive Branch (FCEB); state, local, tribal, and territorial (SLTT) governments; and the private sector:

  • Depending on the needs of the assessment, NSA Defensive Network Operations (DNO) teams feature capabilities from Red Team (adversary emulation), Blue Team (strategic vulnerability assessment), Hunt (targeted hunt), and/or Tailored Mitigations (defensive countermeasure development).
  • CISA Vulnerability Management (VM) teams have assessed the security posture of over 1,000 network enclaves. CISA VM teams include Risk and Vulnerability Assessment (RVA) and CISA Red Team Assessments (RTA).[8] The RVA team conducts remote and onsite assessment services, including penetration testing and configuration review. RTA emulates cyber threat actors in coordination with an organization to assess the organization’s cyber detection and response capabilities.
  • CISA Hunt and Incident Response teams conduct proactive and reactive engagements, respectively, on organization networks to identify and detect cyber threats to U.S. infrastructure.

During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.

Many of the assessments were of Microsoft® Windows® and Active Directory® environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.

1. Default Configurations of Software and Applications

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

  • Default credentials
  • Default service permissions and configurations settings
Default Credentials

Many software manufacturers release commercial off-the-shelf (COTS) network devices —which provide user access via applications or web portals—containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by:

  • Finding credentials with a simple web search [T1589.001] and using them [T1078.001] to gain authenticated access to a device.
  • Resetting built-in administrative accounts [T1098] via predictable forgotten passwords questions.
  • Leveraging default virtual private network (VPN) credentials for internal network access [T1133].
  • Leveraging publicly available setup information to identify built-in administrative credentials for web applications and gaining access to the application and its underlying database.
  • Leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement.

In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].

Default Service Permissions and Configuration Settings

Certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.

Assessment teams regularly find the following:

  • Insecure Active Directory Certificate Services
  • Insecure legacy protocols/services
  • Insecure Server Message Block (SMB) service
Insecure Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.

Assessment teams have observed organizations with the following misconfigurations:

  • ADCS servers running with web-enrollment enabled. If web-enrollment is enabled, unauthenticated actors can coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web-enrollment service and obtain a certificate [T1649] for the server’s account. These fraudulent, trusted certificates enable actors to use adversary-in-the-middle techniques [T1557] to masquerade as trusted entities on the network. The actors can also use the certificate for AD authentication to obtain a Kerberos Ticket Granting Ticket (TGT) [T1558.001], which they can use to compromise the server and usually the entire domain.
  • ADCS templates where low-privileged users have enrollment rights, and the enrollee supplies a subject alternative name. Misconfiguring various elements of ADCS templates can result in domain escalation by unauthorized users (e.g., granting low-privileged users certificate enrollment rights, allowing requesters to specify a subjectAltName in the certificate signing request [CSR], not requiring authorized signatures for CSRs, granting FullControl or WriteDacl permissions to users). Malicious actors can use a low-privileged user account to request a certificate with a particular Subject Alternative Name (SAN) and gain a certificate where the SAN matches the User Principal Name (UPN) of a privileged account.

Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned, Active Directory Certificate Services.[10],[11],[12]

Insecure legacy protocols/services

Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows’ environments.

Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user’s username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].

Insecure Server Message Block (SMB) service

The Server Message Block service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.

2. Improper Separation of User/Administrator Privilege

Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.

Assessment teams have observed the following common account separation misconfigurations:

  • Excessive account privileges
  • Elevated service account permissions
  • Non-essential use of elevated accounts
Excessive Account Privileges

Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.

Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep—the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account [T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.

Elevated Service Account Permissions

Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.

Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting—a form of credential access achieved by cracking service account credentials—is a common technique used to gain control over service account targets [T1558.003].

Non-Essential Use of Elevated Accounts

IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account’s credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account’s exposure and, therefore, its risk of compromise and its risk to the network.

Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087].

Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.

After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.

3. Insufficient Internal Network Monitoring

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:

  • An assessment team observed an organization with host-based monitoring, but no network monitoring. Host-based monitoring informs defensive teams about adverse activities on singular hosts and network monitoring informs about adverse activities traversing hosts [TA0008]. In this example, the organization could identify infected hosts but could not identify where the infection was coming from, and thus could not stop future lateral movement and infections.
  • An assessment team gained persistent deep access to a large organization with a mature cyber posture. The organization did not detect the assessment team’s lateral movement, persistence, and command and control (C2) activity, including when the team attempted noisy activities to trigger a security response. For more information on this activity, see CSA CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks.[13]

4. Lack of Network Segmentation

Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.

Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks—despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network—by finding special purpose, forgotten, or even accidental network connections [T1199].

5. Poor Patch Management

Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

  • Lack of regular patching
  • Use of unsupported operating systems (OSs) and outdated firmware
Lack of Regular Patching

Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery—via vulnerability scanning [T1595.002] and open source research [T1592]—and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2]

Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:

  • CVE-2019-18935 in an unpatched instance of Telerik® UI for ASP.NET running on a Microsoft IIS server.[14]
  • CVE-2021-44228 (Log4Shell) in an unpatched VMware® Horizon server.[15]
  • CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925 chained with CVE-2022-37042, or CVE-2022-30333 in an unpatched Zimbra® Collaboration Suite.[16]
Use of Unsupported OSs and Outdated Firmware

Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].

Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-67. These updates, released years ago, address critical remote code execution vulnerabilities.[17],[18]

6. Bypass of System Access Controls

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network.

7. Weak or Misconfigured MFA Methods

Misconfigured Smart Cards or Tokens

Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account’s password hash [T1111], the actor can use it indefinitely, via the PtH technique for as long as that account exists.

Lack of Phishing-Resistant MFA

Some forms of MFA are vulnerable to phishing, “push bombing” [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. (See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.)[3]

For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user’s main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user’s email and other organizational resources.

8. Insufficient ACLs on Network Shares and Services

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.

Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].

  • In one compromise, a team observed actors use the net share command—which displays information about shared resources on the local computer—and the ntfsinfo command to search network shares on compromised computers. In the same compromise, the actors used a custom tool, CovalentStealer, which is designed to identify file shares on a system, categorize the files [T1083], and upload the files to a remote server [TA0010].[19],[20]
  • Ransomware actors have used the SoftPerfect® Network Scanner, netscan.exe—which can ping computers [T1018], scan ports [T1046], and discover shared folders—and SharpShares to enumerate accessible network shares in a domain.[21],[22]

Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.

Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.

9. Poor Credential Hygiene

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:

  • Easily crackable passwords
  • Cleartext password disclosure
Easily Crackable Passwords

Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.

Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user’s plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].

One of the primary ways to crack passwords is with the open source tool, Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account’s permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.

Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users’ passwords in an Active Directory, resulting in hundreds of valid credentials.

Cleartext Password Disclosure

Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation as any system logs would record valid user accounts accessing applications or systems.

Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool, Snaffler.[23]

10. Unrestricted Code Execution

If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.

Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting—where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].

MITIGATIONS

Network Defenders

NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.[24]

Mitigate Default Configurations of Software and Applications
MisconfigurationRecommendations for Network Defenders
Default configurations of software and applicationsModify the default configuration of applications and appliances before deployment in a production environment [M1013],[D3-ACH]. Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA’s Security Technical Implementation Guides (STIGs) and configuration guides).[25],[26],[27]
Default configurations of software and applications: Default CredentialsChange or disable vendor-supplied default usernames and passwords of services, software, and equipment when installing or commissioning [CPG 2.A]. When resetting passwords, enforce the use of “strong” passwords (i.e., passwords that are more than 15 characters and random [CPG 2.B]) and follow hardening guidelines provided by the vendor, STIGsNSA, and/or NIST [M1027],[D3-SPP].[25],[26],[28],[29]
Default service permissions and configuration settings: Insecure Active Directory Certificate ServicesEnsure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure.If not needed, disable web-enrollment in ADCS servers. See Microsoft: Uninstall-AdcsWebEnrollment (ADCSDeployment) for guidance.[30]If web enrollment is needed on ADCS servers:Enable Extended Protection for Authentication (EPA) for Client Authority Web Enrollment. This is done by choosing the “Required” option. For guidance, see Microsoft: KB5021989: Extended Protection for Authentication.[31]Enable “Require SSL” on the ADCS server.Disable NTLM on all ADCS servers. For guidance, see Microsoft: Network security Restrict NTLM in this domain – Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic – Windows Security.[32],[33]Disable SAN for UPN Mapping. For guidance see, Microsoft: How to disable the SAN for UPN mapping – Windows Server. Instead, smart card authentication can use the altSecurityIdentities attribute for explicit mapping of certificates to accounts more securely.[34]Review all permissions on the ADCS templates on applicable servers. Restrict enrollment rights to only those users or groups that require it. Disable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag from templates to prevent users from supplying and editing sensitive security settings within these templates. Enforce manager approval for requested certificates. Remove FullControlWriteDacl, and Write property permissions from low-privileged groups, such as domain users, to certificate template objects.
Default service permissions and configuration settings: Insecure legacy protocols/servicesDetermine if LLMNR and NetBIOS are required for essential business operations.If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy.
Default service permissions and configuration settings: Insecure SMB serviceRequire SMB signing for both SMB client and server on all systems.[25] This should prevent certain adversary-in-the-middle and pass-the-hash techniques. For more information on SMB signing, see Microsoft: Overview of Server Message Block Signing. [35] Note: Beginning in Microsoft Windows 11 Insider Preview Build 25381, Windows requires SMB signing for all communications.[36]
Mitigate Improper Separation of User/Administrator Privilege
MisconfigurationRecommendations for Network Defenders
Improper separation of user/administrator privilege:Excessive account privileges,Elevated service account permissions, andNon-essential use of elevated accountsImplement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform, and review logs of user actions to detect unauthorized use and abuse. Apply least privilege principles to user accounts and groups allowing only the performance of authorized actions.Audit user accounts and remove those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.Restrict use of privileged accounts to perform general tasks, such as accessing emails and browsing the Internet [CPG 2.E],[D3-UAP]. See NSA Cybersecurity Information Sheet (CSI) Defend Privileges and Accounts for more information.[37]Limit the number of users within the organization with an identity and access management (IAM) role that has administrator privileges. Strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools.Restrict domain users from being in the local administrator group on multiple systems.Run daemonized applications (services) with non-administrator accounts when possible.Only configure service accounts with the permissions necessary for the services they control to operate.Disable unused services and implement ACLs to protect services.
Mitigate Insufficient Internal Network Monitoring
MisconfigurationRecommendations for Network Defenders
Insufficient internal network monitoringEstablish a baseline of applications and services, and routinely audit their access and use, especially for administrative activity [D3-ANAA]. For instance, administrators should routinely audit the access lists and permissions for of all web applications and services [CPG 2.O],[M1047]. Look for suspicious accounts, investigate them, and remove accounts and credentials, as appropriate, such as accounts of former staff.[39]Establish a baseline that represents an organization’s normal traffic activity, network performance, host application activity, and user behavior; investigate any deviations from that baseline [D3-NTCD],[D3-CSPP],[D3-UBA].[40]Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them [M1047].Implement a security information and event management (SIEM) system to provide log aggregation, correlation, querying, visualization, and alerting from network endpoints, logging systems, endpoint and detection response (EDR) systems and intrusion detection systems (IDS) [CPG 2.T],[D3-NTA].
Mitigate Lack of Network Segmentation
MisconfigurationRecommendations for Network Defenders
Lack of network segmentationImplement next-generation firewalls to perform deep packet filtering, stateful inspection, and application-level packet inspection [D3-NTF]. Deny or drop improperly formatted traffic that is incongruent with application-specific traffic permitted on the network. This practice limits an actor’s ability to abuse allowed application protocols. The practice of allowlisting network applications does not rely on generic ports as filtering criteria, enhancing filtering fidelity. For more information on application-aware defenses, see NSA CSI Segment Networks and Deploy Application-Aware Defenses.[41]Engineer network segments to isolate critical systems, functions, and resources [CPG 2.F],[D3-NI]. Establish physical and logical segmentation controls, such as virtual local area network (VLAN) configurations and properly configured access control lists (ACLs) on infrastructure devices [M1030]. These devices should be baselined and audited to prevent access to potentially sensitive systems and information. Leverage properly configured Demilitarized Zones (DMZs) to reduce service exposure to the Internet.[42],[43],[44]Implement separate Virtual Private Cloud (VPC) instances to isolate essential cloud systems. Where possible, implement Virtual Machines (VM) and Network Function Virtualization (NFV) to enable micro-segmentation of networks in virtualized environments and cloud data centers. Employ secure VM firewall configurations in tandem with macro segmentation.
Mitigate Poor Patch Management
MisconfigurationRecommendations for Network Defenders
Poor patch management: Lack of regular patchingEnsure organizations implement and maintain an efficient patch management process that enforces the use of up-to-date, stable versions of OSs, browsers, and software [M1051],[D3-SU].[45]Update software regularly by employing patch management for externally exposed applications, internal enterprise endpoints, and servers. Prioritize patching known exploited vulnerabilities.[2]Automate the update process as much as possible and use vendor-provided updates. Consider using automated patch management tools and software update tools.Where patching is not possible due to limitations, segment networks to limit exposure of the vulnerable system or host.
Poor patch management: Use of unsupported OSs and outdated firmwareEvaluate the use of unsupported hardware and software and discontinue use as soon as possible. If discontinuing is not possible, implement additional network protections to mitigate the risk.[45]Patch the Basic Input/Output System (BIOS) and other firmware to prevent exploitation of known vulnerabilities.
Mitigate Bypass of System Access Controls
MisconfigurationRecommendations for Network Defenders
Bypass of system access controlsLimit credential overlap across systems to prevent credential compromise and reduce a malicious actor’s ability to move laterally between systems [M1026],[D3-CH]. Implement a method for monitoring non-standard logon events through host log monitoring [CPG 2.G].Implement an effective and routine patch management process. Mitigate PtH techniques by applying patch KB2871997 to Windows 7 and newer versions to limit default access of accounts in the local administrator group [M1051],[D3-SU].[46]Enable the PtH mitigations to apply User Account Control (UAC) restrictions to local accounts upon network logon [M1052],[D3-UAP].Deny domain users the ability to be in the local administrator group on multiple systems [M1018],[D3-UAP].Limit workstation-to-workstation communications. All workstation communications should occur through a server to prevent lateral movement [M1018],[D3-UAP].Use privileged accounts only on systems requiring those privileges [M1018],[D3-UAP]. Consider using dedicated Privileged Access Workstations for privileged accounts to better isolate and protect them.[37]
Mitigate Weak or Misconfigured MFA Methods
MisconfigurationRecommendations for Network Defenders
Weak or misconfigured MFA methods: Misconfigured smart cards or tokens In Windows environments:Disable the use of New Technology LAN Manager (NTLM) and other legacy authentication protocols that are susceptible to PtH due to their use of password hashes [M1032],[D3-MFA]. For guidance, see Microsoft: Network security Restrict NTLM in this domain – Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic – Windows Security.[32],[33]Use built-in functionality via Windows Hello for Business or Group Policy Objects (GPOs) to regularly re-randomize password hashes associated with smartcard-required accounts. Ensure that the hashes are changed at least as often as organizational policy requires passwords to be changed [M1027],[D3-CRO]. Prioritize upgrading any environments that cannot utilize this built-in functionality.As a longer-term effort, implement cloud-primary authentication solution using modern open standards. See CISA’s Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture for more information.[47] Note: this document is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies to secure their cloud business application environments and to protect federal information that is created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project’s guidance is applicable to all organizations.[48]
Weak or misconfigured MFA methods: Lack of phishing-resistant MFAEnforce phishing-resistant MFA universally for access to sensitive data and on as many other resources and services as possible [CPG 2.H].[3],[49]
Mitigate Insufficient ACLs on Network Shares and Services
MisconfigurationRecommendations for Network Defenders
Insufficient ACLs on network shares and servicesImplement secure configurations for all storage devices and network shares that grant access to authorized users only.Apply the principal of least privilege to important information resources to reduce risk of unauthorized data access and manipulation.Apply restrictive permissions to files and directories, and prevent adversaries from modifying ACLs [M1022],[D3-LFP].Set restrictive permissions on files and folders containing sensitive private keys to prevent unintended access [M1022],[D3-LFP].Enable the Windows Group Policy security setting, “Do Not Allow Anonymous Enumeration of Security Account Manager (SAM) Accounts and Shares,” to limit users who can enumerate network shares.
Mitigate Poor Credential Hygiene
MisconfigurationRecommendations for Network Defenders
Poor credential hygiene: easily crackable passwords Follow National Institute of Standards and Technologies (NIST) guidelines when creating password policies to enforce use of “strong” passwords that cannot be cracked [M1027],[D3-SPP].[29] Consider using password managers to generate and store passwords.Do not reuse local administrator account passwords across systems. Ensure that passwords are “strong” and unique [CPG 2.B],[M1027],[D3-SPP].Use “strong” passphrases for private keys to make cracking resource intensive. Do not store credentials within the registry in Windows systems. Establish an organizational policy that prohibits password storage in files.Ensure adequate password length (ideally 25+ characters) and complexity requirements for Windows service accounts and implement passwords with periodic expiration on these accounts [CPG 2.B],[M1027],[D3-SPP]. Use Managed Service Accounts, when possible, to manage service account passwords automatically.
Poor credential hygiene: cleartext password disclosure Implement a review process for files and systems to look for cleartext account credentials. When credentials are found, remove, change, or encrypt them [D3-FE]. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, protected health information) or credentials are stored. Weigh the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is of significant concern, technical controls, policy, and user training may prevent storage of credentials in improper locations.Store hashed passwords using Committee on National Security Systems Policy (CNSSP)-15 and Commercial National Security Algorithm Suite (CNSA) approved algorithms.[50],[51]Consider using group Managed Service Accounts (gMSAs) or third-party software to implement secure password-storage applications.
Mitigate Unrestricted Code Execution
MisconfigurationRecommendations for Network Defenders
Unrestricted code executionEnable system settings that prevent the ability to run applications downloaded from untrusted sources.[52]Use application control tools that restrict program execution by default, also known as allowlisting [D3-EAL]. Ensure that the tools examine digital signatures and other key attributes, rather than just relying on filenames, especially since malware often attempts to masquerade as common Operating System (OS) utilities [M1038]. Explicitly allow certain .exe files to run, while blocking all others by default.Block or prevent the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment [D3-OSM].Constrain scripting languages to prevent malicious activities, audit script logs, and restrict scripting languages that are not used in the environment [D3-SEA]. See joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.[53]Use read-only containers and minimal images, when possible, to prevent the running of commands.Regularly analyze border and host-level protections, including spam-filtering capabilities, to ensure their continued effectiveness in blocking the delivery and execution of malware [D3-MA]. Assess whether HTML Application (HTA) files are used for business purposes in your environment; if HTAs are not used, remap the default program for opening them from mshta.exe to notepad.exe.

Software Manufacturers

NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to ensure their products are secure “out of the box” and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1]

MisconfigurationRecommendations for Software Manufacturers
Default configurations of software and applicationsEmbed security controls into product architecture from the start of development and throughout the entire SDLC by following best practices in NIST’s Secure Software Development Framework (SSDF), SP 800-218.[54]Provide software with security features enabled “out of the box” and accompanied with “loosening” guides instead of hardening guides. “Loosening” guides should explain the business risk of decisions in plain, understandable language.
Default configurations of software and applications: Default credentialsEliminate default passwords: Do not provide software with default passwords that are universally shared. To eliminate default passwords, require administrators to set a “strong” password [CPG 2.B] during installation and configuration.
Default configurations of software and applications: Default service permissions and configuration settingsConsider the user experience consequences of security settings: Each new setting increases the cognitive burden on end users and should be assessed in conjunction with the business benefit it derives. Ideally, a setting should not exist; instead, the most secure setting should be integrated into the product by default. When configuration is necessary, the default option should be broadly secure against common threats.
Improper separation of user/administrator privilege:Excessive account privileges,Elevated service account permissions, andNon-essential use of elevated accountsDesign products so that the compromise of a single security control does not result in compromise of the entire system. For example, ensuring that user privileges are narrowly provisioned by default and ACLs are employed can reduce the impact of a compromised account. Also, software sandboxing techniques can quarantine a vulnerability to limit compromise of an entire application.Automatically generate reports for:Administrators of inactive accounts. Prompt administrators to set a maximum inactive time and automatically suspend accounts that exceed that threshold.Administrators of accounts with administrator privileges and suggest ways to reduce privilege sprawl.Automatically alert administrators of infrequently used services and provide recommendations for disabling them or implementing ACLs.
Insufficient internal network monitoring Provide high-quality audit logs to customers at no extra charge. Audit logs are crucial for detecting and escalating potential security incidents. They are also crucial during an investigation of a suspected or confirmed security incident. Consider best practices such as providing easy integration with a security information and event management (SIEM) system with application programming interface (API) access that uses coordinated universal time (UTC), standard time zone formatting, and robust documentation techniques.
Lack of network segmentationEnsure products are compatible with and tested in segmented network environments.
Poor patch management: Lack of regular patchingTake steps to eliminate entire classes of vulnerabilities by embedding security controls into product architecture from the start of development and throughout the SDLC by following best practices in NIST’s SSDFSP 800-218.[54] Pay special attention to:Following secure coding practices [SSDF PW 5.1]. Use memory-safe programming languages where possible, parametrized queries, and web template languages.Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, and logic flaws.Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2].Ensure that published CVEs include root cause or common weakness enumeration (CWE) to enable industry-wide analysis of software security design flaws.
Poor patch management: Use of unsupported operating OSs and outdated firmwareCommunicate the business risk of using unsupported OSs and firmware in plain, understandable language.
Bypass of system access controlsProvide sufficient detail in audit records to detect bypass of system controls and queries to monitor audit logs for traces of such suspicious activity (e.g., for when an essential step of an authentication or authorization flow is missing).
Weak or Misconfigured MFA Methods: Misconfigured Smart Cards or Tokens Fully support MFA for all users, making MFA the default rather than an opt-in feature. Utilize threat modeling for authentication assertions and alternate credentials to examine how they could be abused to bypass MFA requirements.
Weak or Misconfigured MFA Methods: Lack of phishing-resistant MFAMandate MFA, ideally phishing-resistant, for privileged users and make MFA a default rather than an opt-in feature.[3]
Insufficient ACL on network shares and servicesEnforce use of ACLs with default ACLs only allowing the minimum access needed, along with easy-to-use tools to regularly audit and adjust ACLs to the minimum access needed.
Poor credential hygiene: easily crackable passwords Allow administrators to configure a password policy consistent with NIST’s guidelines—do not require counterproductive restrictions such as enforcing character types or the periodic rotation of passwords.[29]Allow users to use password managers to effortlessly generate and use secure, random passwords within products.
Poor credential hygiene: cleartext password disclosureSalt and hash passwords using a secure hashing algorithm with high computational cost to make brute force cracking more difficult.
Unrestricted code executionSupport execution controls within operating systems and applications “out of the box” by default at no extra charge for all customers, to limit malicious actors’ ability to abuse functionality or launch unusual applications without administrator or informed user approval.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 12–Table 21).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

LEARN FROM HISTORY

The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.

WORKS CITED

[1]   Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023), https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
[2]   CISA, Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3]   CISA, Implementing Phishing-Resistant MFA, https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[4]   MITRE, ATT&CK for Enterprise, https://attack.mitre.org/versions/v13/matrices/enterprise/
[5]   MITRE, D3FEND, https://d3fend.mitre.org/
[6]   CISA, Best Practices for MITRE ATT&CK Mapping, https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
[7]   CISA, Decider Tool, https://github.com/cisagov/Decider/
[8]   CISA, Cyber Assessment Fact Sheet, https://www.cisa.gov/sites/default/files/publications/VM_Assessments_Fact_Sheet_RVA_508C.pdf
[9]   Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access, https://media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF
[10]  Microsoft KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
[11]  Raj Chandel, Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints, https://www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/
[12]  SpecterOps – Will Schroeder, Certified Pre-Owned, https://posts.specterops.io/certified-pre-owned-d95910965cd2
[13]  CISA, CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
[14]  Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
[15]  Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
[16]  Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a
[17]  Microsoft, How to verify that MS17-010 is installed, https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
[18]  Microsoft, Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644), https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
[19]  Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
[20]  CISA, Malware Analysis Report: 10365227.r1.v1, https://www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf
[21]  Joint CSA: #StopRansomware: BianLian Ransomware Group, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
[22]  CISA Analysis Report: FiveHands Ransomware, https://www.cisa.gov/news-events/analysis-reports/ar21-126a
[23]  Snaffler, https://github.com/SnaffCon/Snaffler
[24]  CISA, Cross-Sector Cybersecurity Performance Goals, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
[25]  Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), https://public.cyber.mil/stigs/
[26]  NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[27]  NSA, Actively Manage Systems and Configurations, https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf
[28]  NSA, Cybersecurity Advisories & Guidance, https://www.nsa.gov/cybersecurity-guidance
[29]  National Institute of Standards and Technologies (NIST), NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final
[30]  Microsoft, Uninstall-AdcsWebEnrollment, https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment
[31]  Microsoft, KB5021989: Extended Protection for Authentication, https://support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f
[32]  Microsoft, Network security: Restrict NTLM: NTLM authentication in this domain, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
[33]  Microsoft, Network security: Restrict NTLM: Incoming NTLM traffic, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
[34]  Microsoft, How to disable the Subject Alternative Name for UPN mapping, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping
[35]  Microsoft, Overview of Server Message Block signing, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
[36]  Microsoft, SMB signing required by default in Windows Insider, https://aka.ms/SmbSigningRequired
[37]  NSA, Defend Privileges and Accounts, https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf
[38]  NSA, Advancing Zero Trust Maturity Throughout the User Pillar, https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF
[39]  NSA, Continuously Hunt for Network Intrusions, https://media.defense.gov/2019/Sep/09/2002180360/-1/-1/0/Continuously%20Hunt%20for%20Network%20Intrusions%20-%20Copy.pdf
[40]  Joint CSI: Detect and Prevent Web Shell Malware, https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
[41]  NSA, Segment Networks and Deploy Application-aware Defenses, https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
[42]  Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
[43]  NSA, Stop Malicious Cyber Activity Against Connected Operational Technology, https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
[44]  NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
[45]  NSA, Update and Upgrade Software Immediately, https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf
[46]  Microsoft, Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management, https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997
[47]  CISA, Secure Cloud Business Applications Hybrid Identity Solutions Architecture, https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf
[48]  CISA, Secure Cloud Business Applications (SCuBA) Project, https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
[49]  NSA, Transition to Multi-factor Authentication, https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-factor%20Authentication%20-%20Copy.pdf
[50]  Committee on National Security Systems (CNSS), CNSS Policy 15, https://www.cnss.gov/CNSS/issuances/Policies.cfm
[51]  NSA, NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
[52]  NSA, Enforce Signed Software Execution Policies, https://media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
[53]  Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace, https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
[54]  NIST, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, https://csrc.nist.gov/publications/detail/sp/800-218/final

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademarks

Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMWare, Inc.
Zimbra is a registered trademark of Synacor, Inc.

Purpose

This document was developed in furtherance of the authoring cybersecurity organizations’ missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
General Cybersecurity Inquiries: Cybersecurity_Requests@nsa.gov 
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov 

To report suspicious activity contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Appendix: MITRE ATT&CK Tactics and Techniques

See Table 12–Table 21 for all referenced threat actor tactics and techniques in this advisory.

Technique TitleIDUse
Active Scanning: Vulnerability ScanningT1595.002Malicious actors scan victims for vulnerabilities that be exploited for initial access.
Gather Victim Host InformationT1592Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerabilities scans and searching the web.
Gather Victim Identity Information: CredentialsT1589.001Malicious actors find default credentials through searching the web.
Phishing for InformationT1598Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources.
Technique TitleIDUse
External Remote ServicesT1133Malicious actors use default credentials for VPN access to internal networks.
Valid Accounts: Default AccountsT1078.001Malicious actors gain authenticated access to devices by finding default credentials through searching the web.Malicious actors use default credentials for VPN access to internal networks, and default administrative credentials to gain access to web applications and databases.
Exploit Public-Facing ApplicationT1190Malicious actors exploit CVEs in Telerik UI, VM Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations.
PhishingT1566Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads.
Trust RelationshipT1199Malicious actors gain access to OT networks despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections.
Technique TitleIDUse
Software Deployment ToolsT1072Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally.
User ExecutionT1204Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations.
Command and Scripting InterpreterT1059Malicious actors use scripting languages to obscure their actions and bypass allowlisting.
Command and Scripting Interpreter: Visual BasicT1059.005Malicious actors use macros for initial access, persistence, and lateral movement.
Technique TitleIDUse
Account ManipulationT1098Malicious actors reset built-in administrative accounts via predictable, forgotten password questions.
Technique TitleIDUse
Valid AccountsT1078Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target.
Valid Accounts: Domain AccountsT1078.002Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device.
Exploitation for Privilege EscalationT1068Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device.
Technique TitleIDUse
Obfuscated Files or Information: Command ObfuscationT1027.010Malicious actors often use scripting languages to obscure their actions.
Technique TitleIDUse
Adversary-in-the-MiddleT1557Malicious actors force a device to communicate through actor-controlled systems, so they can collect information or perform additional actions.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB RelayT1557.001Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network.
Brute Force: Password CrackingT1110.002Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords.
Credentials from Password StoresT1555Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks.
Multi-Factor Authentication InterceptionT1111Malicious actors can obtain password hashes for accounts enabled for MFA with smart codes or tokens and use the hash via PtH techniques.
Multi-Factor Authentication Request GenerationT1621Malicious actors use “push bombing” against non-phishing resistant MFA to induce “MFA fatigue” in victims, gaining access to MFA authentication credentials or bypassing MFA, and accessing the MFA-protected system.
Steal Application Access TokenT1528Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host.
Steal or Forge Authentication CertificatesT1649Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server, and then relay that authentication to the web certificate enrollment application to obtain a trusted illegitimate certificate.
Steal or Forge Kerberos Tickets: Golden TicketT1558.001Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT.
Steal or Forge Kerberos Tickets: KerberoastingT1558.003Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization’s network.
Unsecured Credentials: Credentials in FilesT1552.001Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents.
Technique TitleIDUse
Account DiscoveryT1087Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used.
File and Directory DiscoveryT1083Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer to discover and categorize files.Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords.
Network Share DiscoveryT1135Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to look for shared folders and drives.
Technique TitleIDUse
Exploitation of Remote ServicesT1210Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations.
Remote Services: SMB/Windows Admin SharesT1021.002If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems.
Use Alternate Authentication Material: Application Access TokenT1550.001Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain.
Use Alternate Authentication Material: Pass the HashT1550.002Malicious actors collect hashes in a network and authenticate as a user without having access to the user’s cleartext password.
Technique TitleIDUse
Data from Network Shared DriveT1039Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion.

Source :
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a

Top 5 Security Misconfigurations Causing Data Breaches in 2023

Edward Kost
updated May 15, 2023

Security misconfigurations are a common and significant cybersecurity issue that can leave businesses vulnerable to data breaches. According to the latest data breach investigation report by IBM and the Ponemon Institute, the average cost of a breach has peaked at US$4.35 million. Many data breaches are caused by avoidable errors like security misconfiguration. By following the tips in this article, you could identify and address a security error that could save you millions of dollars in damages.

Learn how UpGuard can help you detect data breach risks >

What is a Security Misconfiguration?

A security misconfiguration occurs when a system, application, or network device’s settings are not correctly configured, leaving it exposed to potential cyber threats. This could be due to default configurations left unchanged, unnecessary features enabled, or permissions set too broadly. Hackers often exploit these misconfigurations to gain unauthorized access to sensitive data, launch malware attacks, or carry out phishing attacks, among other malicious activities.

What Causes Security Misconfigurations?

Security misconfigurations can result from various factors, including human error, lack of awareness, and insufficient security measures. For instance, employees might configure systems without a thorough understanding of security best practices, security teams might overlook crucial security updates due to the growing complexity of cloud services and infrastructures.

Additionally, the rapid shift to remote work during the pandemic has increased the attack surface for cybercriminals, making it more challenging for security teams to manage and monitor potential vulnerabilities.

List of Common Types of Security Configurations Facilitating Data Breaches

Some common types of security misconfigurations include:

1. Default Settings

With the rise of cloud solutions such as Amazon Web Services (AWS) and Microsoft Azure, companies increasingly rely on these platforms to store and manage their data. However, using cloud services also introduces new security risks, such as the potential for misconfigured settings or unauthorized access.

A prominent example of insecure default software settings that could have facilitated a significant breach is the Microsoft Power Apps data leak incident of 2021. By default, Power Apps portal data feeds were set to be accessible to the public.

Unless developers specified for OData feeds to be set to private, virtually anyone could access the backend databases of applications built with Power Apps. UpGuard researchers located the exposure and notified Microsoft, who promptly addressed the leak. UpGuard’s detection helped Microsoft avoid a large-scale breach that could have potentially compromised 38 million records.

Read this whitepaper to learn how to prevent data breaches >

2. Unnecessary Features

Enabling features or services not required for a system’s operation can increase its attack surface, making it more vulnerable to threats. Some examples of unnecessary product features include remote administration tools, file-sharing services, and unused network ports. To mitigate data breach risks, organizations should conduct regular reviews of their systems and applications to identify and disable or remove features that are not necessary for their operations.

Additionally, organizations should practice the principle of least functionality, ensuring that systems are deployed with only the minimal set of features and services required for their specific use case.

3. Insecure Permissions

Overly permissive access controls can allow unauthorized users to access sensitive data or perform malicious actions. To address this issue, organizations should implement the principle of least privilege, granting users the minimum level of access necessary to perform their job functions. This can be achieved through proper role-based access control (RBAC) configurations and regular audits of user privileges. Additionally, organizations should ensure that sensitive data is appropriately encrypted both in transit and at rest, further reducing the risk of unauthorized access.

4. Outdated Software

Failing to apply security patches and updates can expose systems to known vulnerabilities. To protect against data breaches resulting from outdated software, organizations should have a robust patch management program in place. This includes regularly monitoring for available patches and updates, prioritizing their deployment based on the severity of the vulnerabilities being addressed, and verifying the successful installation of these patches.

Additionally, organizations should consider implementing automated patch management solutions and vulnerability scanning tools to streamline the patching process and minimize the risk of human error.

5. Insecure API Configurations

APIs that are not adequately secured can allow threat actors to access sensitive information or manipulate systems. API misconfigurations – like the one that led to T-Mobile’s 2023 data breach, are becoming more common. As more companies move their services to the cloud, securing these APIs and preventing the data leaks they facilitate is becoming a bigger challenge.

To mitigate the risks associated with insecure API configurations, organizations should implement strong authentication and authorization mechanisms, such as OAuth 2.0 or API keys, to ensure only authorized clients can access their APIs. Additionally, organizations should conduct regular security assessments and penetration testing to identify and remediate potential vulnerabilities in their API configurations.

Finally, adopting a secure software development lifecycle (SSDLC) and employing API security best practices, such as rate limiting and input validation, can help prevent data breaches stemming from insecure APIs.

Learn how UpGuard protects against third-party breaches >

How to Avoid Security Misconfigurations Impacting Your Data Breach Resilience

To protect against security misconfigurations, organizations should:

1. Implement a Comprehensive Security Policy

Implement a cybersecurity policy covering all system and application configuration aspects, including guidelines for setting permissions, enabling features, and updating software.

2. Implement a Cyber Threat Awareness Program

An essential security measure that should accompany the remediation of security misconfigurations is employee threat awareness training. Of those who recently suffered cloud security breaches, 55% of respondents identified human error as the primary cause.

With your employees equipped to correctly respond to common cybercrime tactics that preceded data breaches, such as social engineering attacks and social media phishing attacks, your business could avoid a security incident should threat actors find and exploit an overlooked security misconfiguration.

Phishing attacks involve tricking individuals into revealing sensitive information that could be used to compromise an account or facilitate a data breach. During these attacks, threat actors target account login credentials, credit card numbers, and even phone numbers to exploit Multi-Factor authentication.

Learn the common ways MFA can be exploited >

Phishing attacks are becoming increasingly sophisticated, with cybercriminals using automation and other tools to target large numbers of individuals. 

Here’s an example of a phishing campaign where a hacker has built a fake login page to steal a customer’s banking credentials. As you can see, the fake login page looks almost identical to the actual page, and an unsuspecting eye will not notice anything suspicious.

Real Commonwealth Bank Login Page
Real Commonwealth Bank Login Page.
Fake Commonwealth Bank Login Page
Fake Commonwealth Bank Login Page

Because this poor cybersecurity habit is common amongst the general population, phishing campaigns could involve fake login pages for social media websites, such as LinkedIn, popular websites like Amazon, and even SaaS products. Hackers implementing such tactics hope the same credentials are used for logging into banking websites.

Cyber threat awareness training is the best defense against phishing, the most common attack vector leading to data breaches and ransomware attacks.

Because small businesses often lack the resources and expertise of larger companies, they usually don’t have the budget for additional security programs like awareness training. This is why, according to a recent report, 61% of small and medium-sized businesses experienced at least one cyber attack in the past year, and 40% experienced eight or more attacks.

Luckily, with the help of ChatGPT, small businesses can implement an internal threat awareness program at a fraction of the cost. Industries at a heightened risk of suffering a data breach, such as healthcare, should especially prioritize awareness of the cyber threat landscape.

Learn how to implement an internal cyber threat awareness campaign >

3. Use Multi-Factor Authentication

MFA and strong access management control to limit unauthorized access to sensitive systems and data.

Previously compromised passwords are often used to hack into accounts. MFA adds additional authentication protocols to the login process, making it difficult to compromise an account, even if hackers get their hands on a stolen password

4. Use Strong Access Management Controls

Identity and Access Management (IAM) systems ensure users only have access to the data and applications they need to do their jobs and that permissions are revoked when an employee leaves the company or changes roles.

The 2023 Thales Dara Threat Report found that 28% of respondents found IAM to be the most effective data security control preventing personal data compromise.

5. Keep All Software Patched and Updated

Keep all environments up-to-date by promptly applying patches and updates. Consider patching a “golden image” and deploying it across your environment. Perform regular scans and audits to identify potential security misconfigurations and missing patches.

An attack surface monitoring solution, such as UpGuard, can detect vulnerable software versions that have been impacted by zero-days and other known security flaws.

6. Deploy Security Tools

Security tools, such as intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) solutions, to monitor and respond to potential threats.

It’s essential also to implement tools to defend against tactics often used to complement data breach attempts, for example. DDoS attacks – a type of attack where a server is flooded with fake traffic to force it offline, allowing hackers to exploit security misconfigurations during the chaos of excessive downtime.

Another important security tool is a data leak detection solution for discovering compromised account credentials published on the dark web. These credentials, if exploited, allow hackers to compress the data breach lifecycle, making these events harder to detect and intercept.

Dara leaks compressing the data breach lifecycle.

Learn how to detect and prevent data leaks >

7. Implement a Zero-Trust Architecture

One of the main ways that companies can protect themselves from cloud-related security threats is by implementing a Zero Trust security architecture. This approach assumes all requests for access to resources are potentially malicious and, therefore, require additional verification before granting access.

Learn how to implement a Zero-Trust Architecture >

A Zero-Trust approach to security assumes that all users, devices, and networks are untrustworthy until proven otherwise.

8. Develop a Repeatable Hardening Process

Establish a process that can be easily replicated to ensure consistent, secure configurations across production, development, and QA environments. Use different passwords for each environment and automate the process for efficient deployment. Be sure to address IoT devices in the hardening process. 

These devices tend to be secured with their default factory passwords, making them highly vulnerable to DDoS attacks.

9. Implement a Secure Application Architecture

Design your application architecture to obfuscate general access to sensitive resources using the principle of network segmentation.

Learn more about network segmentation >

Cloud infrastructure has become a significant cybersecurity issue in the last decade. Barely a month goes by without a major security breach at a cloud service provider or a large corporation using cloud services.

10. Maintain a Structured Development Cycle

Facilitate security testing during development by adhering to a well-organized development process. Following cybersecurity best practices this early in the development process sets the foundation for a resilient security posture that will protect your data even as your company scales.

Implement a secure software development lifecycle (SSDLC) that incorporates security checkpoints at each stage of development, including requirements gathering, design, implementation, testing, and deployment. Additionally, train your development team in secure coding practices and encourage a culture of security awareness to help identify and remediate potential vulnerabilities before they make their way into production environments.

11. Review Custom Code

If using custom code, employ a static code security scanner before integrating it into the production environment. These scanners can automatically analyze code for potential vulnerabilities and compliance issues, reducing the risk of security misconfigurations.

Additionally, have security professionals conduct manual reviews and dynamic testing to identify issues that may not be detected by automated tools. This combination of automated and manual testing ensures that custom code is thoroughly vetted for security risks before deployment.

12. Utilize a Minimal Platform

Remove unused features, insecure frameworks, and unnecessary documentation, samples, or components from your platform. Adopt a “lean” approach to your software stack by only including components that are essential for your application’s functionality.

This reduces the attack surface and minimizes the chances of security misconfigurations. Furthermore, keep an inventory of all components and their associated security risks to better manage and mitigate potential vulnerabilities.

13. Review Cloud Storage Permissions

Regularly examine permissions for cloud storage, such as S3 buckets, and incorporate security configuration updates and reviews into your patch management process. This process should be a standard inclusion across all cloud security measures. Ensure that access controls are properly configured to follow the principle of least privilege, and encrypt sensitive data both in transit and at rest.

Implement monitoring and alerting mechanisms to detect unauthorized access or changes to your cloud storage configurations. By regularly reviewing and updating your cloud storage permissions, you can proactively identify and address potential security misconfigurations, thereby enhancing your organization’s data breach resilience.

How UpGuard Can Help

UpGuard’s IP monitoring feature monitors all IP addresses associated with your attack surface for security issues, misconfigurations, and vulnerabilities. UpGuard’s attack surface monitoring solution can also identify common misconfigurations and security issues shared across your organization and its subsidiaries, including the exposure of WordPress user names, vulnerable server versions, and a range of attack vectors facilitating first and third data breaches.

UpGuard's Risk Profile feature displays security vulnerabilities associated with end-of-life software.
UpGuard’s Risk Profile feature displays security vulnerabilities associated with end-of-life software.

To further expand its mitigation of data breach threat categories, UpGuard offersa data leak detection solution that scans ransomware blogs on the dark web for compromised credentials, and any leaked data could help hackers breach your network and sensitive resources.

UpGuard's ransomware blog detection feature.
UpGuard’s ransomware blog detection feature.

Source :
https://www.upguard.com/blog/security-misconfigurations-causing-data-breaches

How to Build Network Security for Your Business in 2023

28.06.2023

Network security is paramount for businesses of all sizes. With the ever-evolving threat landscape and increasing cyber-attacks, it is crucial to implement robust network security measures to safeguard sensitive data, protect customer information, and ensure uninterrupted operations.

Read on to discover the concept of network security for businesses in 2023. We will also discuss various strategies, tools, and best practices to build secure network infrastructure.

What is Network Security for Businesses?

Network security for businesses refers to a set of measures and practices implemented to protect a company’s computer network from unauthorized access, data breaches, and other cyber threats.

It involves safeguarding the network infrastructure, including hardware, software, and data, by implementing layers of security controls.

Network security also aims to maintain the confidentiality, integrity, and availability of the network, ensuring that only authorized users can access resources and sensitive information while preventing malicious actors from compromising the system. 

The following points cover what you need to know about network security:

How Does Network Security Work? 

Network security operates on multiple layers and employs numerous technologies and protocols to safeguard the network infrastructure. 

For example:

  • Firewalls act as a barrier between an internal network and external networks, monitoring and controlling incoming and outgoing network traffic based on predefined security rules. They examine data packets, filter out potential threats, and prevent unauthorized access to the network. 
  • Virtual Private Networks (VPNs) establish secure, encrypted connections over public networks, such as the Internet, allowing remote users to access the company’s network resources securely. By encrypting data transmitted between the user and the network, business VPNs protect sensitive information from interception and unauthorized access. 
  • Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) tools monitor network traffic in real-time, identifying, and alerting administrators about potential security breaches, anomalies, or malicious activities. IDS identifies threats, while IPS actively blocks or mitigates attacks. 
  • Secure Web Gateways (SWGs) provide secure web browsing by filtering internet traffic, blocking malicious websites, preventing malware downloads, and enforcing acceptable use policies. They protect users from web-based threats and help maintain a secure browsing environment.
  • Zero Trust assumes that no user or device within or outside the network is inherently trustworthy. It enforces strict access controls, verifies identities, and continuously evaluates trustworthiness, even for users and devices inside the network perimeter. Zero Trust architecture reduces the attack surface and enhances overall network security. 

These are just a few examples of the mechanisms employed in network security. Businesses often implement a combination of technologies and strategies tailored to their specific needs and risk profiles.

The key is to establish multiple layers of security controls that work together to detect, prevent, and mitigate threats to the network infrastructure.

Benefits of Network Security For Businesses

Implementing robust network security measures, as outlined in the provided sources, offers several benefits to businesses as follows:

  • Protection of sensitive data: As mentioned above, network security measures, such as firewalls, VPNs, and encryption, play a vital role in safeguarding sensitive data. They help protect customer information, financial records, and proprietary data from unauthorized access, data breaches, and theft. By implementing these measures, businesses can ensure the confidentiality and integrity of their data, preserving customer trust and complying with data protection regulations.
  • Continuity of operations: Network security measures contribute to the smooth functioning of business operations. By detecting and mitigating potential risks and threats, businesses can prevent disruptions caused by malware, DDoS attacks, or unauthorized access attempts. This leads to improved productivity, reduced downtime, and minimized financial losses associated with network outages or data breaches. Network security solutions, such as SIEM systems and intrusion detection/prevention systems, enable businesses to proactively monitor and respond to security incidents, maintaining operational continuity 
  • Meeting regulatory requirements: compliance with industry-specific standards, such as HIPAA for healthcare or GDPR for data privacy, is crucial for avoiding penalties and maintaining the trust of customers and partners. Implementing robust network security measures, including vulnerability scanning and regular software updates, helps businesses adhere to these standards and protect sensitive information.

In summary, the implementation of strong network security measures, as recommended by the provided sources, ensures the protection of sensitive data, maintains operational continuity, and facilitates regulatory compliance for businesses. These benefits contribute to the overall security posture of the organization and help build trust with customers and partners.

Potential Dangers to Business Network Security

Business network security faces numerous potential dangers today. Cyber-attacks pose a significant threat, with attackers employing techniques such as phishing, malware, and ransomware to gain unauthorized access, compromise data, and disrupt operations.

Insider threats from internal employees or contractors can also jeopardize network security, ranging from accidental data breaches to intentional malicious activities. Weak passwords and authentication practices create vulnerabilities, allowing attackers to exploit credentials.

Additionally, the explosion of Bring Your Own Device (BYOD) policies and mobile devices introduces new risks, including device loss or theft. Cloud security is another concern, as misconfigurations or vulnerabilities in cloud platforms can lead to data breaches.

Understanding and addressing these potential dangers is vital for businesses to protect their assets, maintain operational continuity, and safeguard their reputation. Lastly, implementing robust cloud security measures such as encryption, access controls, and regular security assessments helps safeguard data and applications in the cloud.

By understanding and proactively addressing these potential dangers, businesses can fortify their network security defenses and mitigate risks effectively.

Some of the main threats to consider are:

Viruses

Viruses are malicious software programs designed to replicate themselves and infect other files or systems. They can spread via email attachments, infected websites, or removable storage devices.

Once a virus infects a business network, it can cause major damage, including data corruption, system crashes, and unauthorized access.

Viruses often exploit software vulnerabilities or user actions, such as clicking on infected links or downloading malicious files.

To protect against viruses, businesses should deploy up-to-date antivirus software that can detect and remove known viruses. Regular software updates, employee training on safe browsing habits, and caution when opening email attachments or downloading files are essential preventive measures.

Spyware

Spyware is software that secretly gathers information about a user’s activities, usually without their knowledge or consent. Spyware can monitor keystrokes, capture login credentials, track web browsing habits, and collect sensitive data.

It can be installed through malicious downloads, infected websites, and even bundled with legitimate software. Once installed, spyware operates in the background, compromising user privacy and potentially exposing sensitive business information.

Preventive measures against spyware include using reputable antivirus and anti-spyware software, regularly scanning systems for malware, and educating employees about safe online practices. Firewalls and web filters can also help block access to malicious websites known for distributing spyware.

Worms

Worms are self-replicating malware that spread through computer networks without requiring user intervention. They work by exploiting vulnerabilities in network protocols or software to gain unauthorized access and propagate rapidly.

Worms can consume network bandwidth, disrupt system performance, and deliver payloads such as additional malware or remote-control functionality. To defend against worms, businesses should regularly update operating systems and software to patch known vulnerabilities.

Network segmentation and strong access controls limit the spread of worms within the network. Intrusion detection and prevention systems (IDS/IPS) help detect and block worm-related activities, and firewalls can be configured to filter incoming and outgoing traffic to prevent worm propagation.

Adware

Adware is software that displays unwanted advertisements, often in the form of pop-ups, on a user’s device. Today, adware is commonly bundled with free software or downloaded unknowingly from malicious websites.

It can slow down system performance, consume network bandwidth, and compromise user privacy. In some cases, adware may even track user behavior and collect personal information for targeted advertising purposes.

Preventing adware requires implementing robust security measures such as using reputable antivirus software, exercising caution when downloading software from unfamiliar sources, and regularly scanning devices for malware.

Browser extensions or plugins that block or filter unwanted advertisements can also help mitigate the risks associated with adware.

Trojans

Trojans (taken from the concept of Trojan horses) are deceptive programs that masquerade as legitimate software or files to fool users into executing them. Once activated, these Trojans can grant unauthorized access to attackers, enabling them to steal sensitive data, install additional malware, or control the infected system remotely.

Trojans are often spread through email attachments, malicious downloads, or compromised websites. To protect against Trojans, businesses need to implement strong email security measures, including spam filters and email authentication protocols.

Regularly updating software, using reputable antivirus software, and educating employees about safe browsing habits and email hygiene are crucial in preventing Trojan infections.

Ransomware

Ransomware is a type of malware that encrypts a user’s files or entire systems, rendering them inaccessible until a ransom is paid to the attacker. Ransomware attacks can have severe consequences, including financial loss, operational disruption, and reputational damage.

Attackers often exploit vulnerabilities in software or use social engineering techniques to trick users into downloading or executing the malware.

Preventing ransomware requires a multi-layered approach, including regular backups of critical data, implementing strong email security measures, keeping systems and software up to date, and educating employees about phishing techniques and safe computing practices.

Network segmentation and robust access controls help limit the spread of ransomware within the network, and security solutions such as advanced endpoint protection and behavior-based detection can aid in early detection and mitigation.

By understanding the potential dangers posed by viruses, spyware, worms, adware, Trojans, and ransomware, businesses can implement comprehensive security measures to mitigate these risks.

Regular software updates, employee training, strong access controls, and deploying reputable security solutions are essential in maintaining a secure network environment and protecting sensitive business data.

Types of Network Security Solutions

As you have already read, protecting your business network from cyber threats is of paramount importance. Various types of network security solutions have emerged to safeguard organizations’ sensitive data and critical systems. From access control to cloud network security, these solutions form the foundation of a robust network defense strategy.

Below, we explore the most commonly available network security solutions, each addressing specific vulnerabilities and providing unique protective measures.

Access Control

Access control is the foundation of network security, ensuring that only authorized individuals can access sensitive resources and information. By implementing user authentication mechanisms such as strong passwords, multi-factor authentication, and access privilege management, businesses can enforce strict control over network access and reduce the risk of unauthorized entry.

Application Security

Application security focuses on protecting software and web applications from vulnerabilities and exploitation. This involves implementing secure coding practices, regularly updating applications, and utilizing web application firewalls (WAFs) to detect and block potential threats. By securing applications, businesses can prevent breaches that exploit application weaknesses.

Anti-Virus and Anti-Malware

To combat the evolving landscape of malware and viruses, businesses should deploy robust anti-virus and anti-malware solutions. These software applications scan files, emails, and websites for malicious code and remove or quarantine any detected threats. Regular updates and real-time scanning help ensure protection against the latest malware strains.

Firewalls

Firewalls are the most common first line of defense for network security. They monitor and control both incoming and outgoing network traffic based on predefined security rules. They also establish a barrier between trusted internal networks and external networks, effectively blocking unauthorized access and potentially malicious connections.

Intrusion Prevention Systems (IPS)

IPS solutions detect and prevent unauthorized access attempts and network attacks in real time. By monitoring network traffic for known attack signatures or anomalous behavior, IPS systems can take immediate action to block and mitigate potential threats, enhancing network security.

Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments, creating barriers that limit unauthorized access and the lateral movement of threats. By implementing network segmentation, businesses can contain breaches, reduce the impact of successful attacks, and protect critical resources.

Mobile Security

Mobile security measures include implementing mobile device management (MDM) solutions, enforcing strong passwords, encrypting data, and deploying remote wipe capabilities to protect sensitive information if a device is lost or stolen.

VPN (Virtual Private Network)

VPN creates a secure, encrypted connection over a public network, enabling users to access the company’s network resources remotely. By utilizing a VPN, businesses can ensure that data transmitted between remote users and the network remains secure, protecting sensitive information from interception.

Web Security

Web security solutions protect businesses from web-based threats, such as malicious websites, phishing attempts, and drive-by downloads. These solutions include web filtering, content scanning, and URL categorization, effectively preventing employees from accessing dangerous websites and reducing the risk of infection.

Data Loss Prevention

Data loss prevention (DLP) solutions help businesses protect sensitive information from unauthorized access, accidental exposure, or intentional data theft. By implementing DLP measures, such as encryption, access controls, and content monitoring, organizations can identify, monitor, and prevent the unauthorized transmission or storage of sensitive data. This can help dramatically reduce the risk of data breaches and compliance violations.

Behavioral Analytics

Behavioral analytics utilizes machine learning (ML) and artificial intelligence (AI) algorithms to detect anomalous user behavior within a network. By establishing baselines of normal behavior, these solutions can identify deviations that may indicate insider threats or compromised accounts.

Behavioral analytics enhances network security by providing real-time threat detection and response capabilities.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a security model that assumes no trust, even for users and devices within the network perimeter. It verifies each user and device, granting access only to authorized resources based on granular policies. ZTNA enhances network security by reducing the attack surface and providing secure access control, regardless of the user’s location or network connection.

Sandboxing

Sandboxing involves isolating potentially malicious files, programs, or activities in a controlled environment to analyze their behavior without risking harm to the network. By executing files within a sandbox, businesses can detect and mitigate threats such as zero-day exploits, malware, and ransomware before they can cause damage.

Hyperscale Network Security

Hypersecale network security refers to security measures designed to protect highly scalable and distributed network architectures, such as those found in cloud environments. It involves implementing security measures that can scale dynamically to accommodate the ever-changing demands of large-scale networks, ensuring robust protection against cyber threats.

Cloud Network Security

Cloud network security involves implementing security controls and solutions specifically designed for cloud environments. It includes measures such as encryption, access controls, data loss prevention, and security monitoring to safeguard data and applications hosted in the cloud.

Email Security

Email remains a common entry point for cyber-attacks. Email security solutions include spam filters, anti-phishing measures, attachment scanning, and encryption. By implementing robust email security measures, businesses can prevent malicious emails from reaching users’ inboxes and protect against email-based threats such as phishing and malware.

In conclusion: by considering and implementing a comprehensive range of network security solutions, businesses can significantly enhance their defenses against modern cyber threats. However, it is essential to tailor these solutions to your organization’s specific needs and regularly update and test them to ensure their effectiveness in safeguarding your network, data, and sensitive assets.

With a proactive and layered approach to network security, businesses can mitigate risks and maintain a secure digital environment.

How to Build Your Network Security

Building a strong network security infrastructure is crucial in order to establish comprehensive security measures that address potential vulnerabilities and safeguard against cyber threats.  

Here are 12 best practices for how to go about it:

Monitor Traffic

  • Implement network monitoring tools to gain visibility into network traffic.
  • Analyze and identify abnormal and/or suspicious activities indicative of potential security breaches.
  • Monitor both inbound and outbound traffic to detect and respond to threats promptly.

Run Network Audits Regularly

  • Conduct regular network audits to assess the overall security posture of your network.
  • Identify and address any vulnerabilities, misconfigurations, or outdated security protocols.
  • Review access controls, firewall rules, and network segmentation to ensure they align with your security requirements.

Stay Informed on New Threats

  • Stay updated with the latest security trends, vulnerabilities, and attack techniques.
  • Subscribe to security bulletins, follow reputable security blogs, and participate in industry forums to stay informed.
  • Regularly assess your network security measures against emerging threats and adapt your defenses accordingly.

Build and Update Your Firewall and Antivirus

  • Deploy a robust firewall solution to monitor and control network traffic based on predefined security policies.
  • Regularly update firewall rules to incorporate new security requirements and address emerging threats.
  • Utilize reputable anti-virus software and keep it up to date to protect against malware, viruses, and other malicious software.

Use MFA (Multi-Factor Authentication)

  • Implement multi-factor authentication to add an extra layer of security to user login processes.
  • Require users to provide additional verification factors, such as a unique code or biometric information, along with their credentials.
  • MFA significantly reduces the risk of unauthorized access even if passwords are compromised.

Implement Single Sign-On (SSO)

  • Deploy a single sign-on solution to streamline user authentication across multiple applications and services.
  • SSO reduces the number of passwords users need to remember, simplifies access management, and enhances security by enforcing strong authentication practices.

Train Employees Regularly

  • Provide regular security awareness training to employees to educate them about common security threats and best practices.
  • Train employees on identifying phishing emails, handling sensitive information, and practicing secure browsing habits.
  • Encourage employees to report any security incidents or suspicious activities promptly.

Create Secure Passwords

  • Educate employees about the importance of strong passwords and enforce password policies.
  • Encourage the use of complex passwords with a mix of uppercase and lowercase letters, numbers, and special characters.
  • Implement password management tools to securely store and manage passwords.

Disable File Sharing Outside of File Servers

  • Restrict file sharing to designated file servers or secure collaboration platforms.
  • Disable or restrict file-sharing features on endpoints to prevent unauthorized access or accidental exposure of sensitive data.

Backup Your Data

  • Regularly back up your critical data to a secure, offsite location.
  • Implement automated backup solutions to ensure data availability in the event of a system failure, natural disaster, or cyber-attack.
  • Test data restoration processes periodically to ensure the integrity and reliability of backups.

Update Router Firmware

  • Keep your router’s firmware up to date to address security vulnerabilities and take advantage of the latest security features.
  • Enable automatic firmware updates or establish a regular schedule to ensure timely updates.

Create Data Recovery Plans

  • Develop comprehensive data recovery plans to outline procedures for restoring data and resuming operations after a security incident or system failure.
  • Test and refine these plans regularly to ensure they are effective

Make Your Business a Fortress Against Cyber Threats

Businesses today absolutely must prioritize network security. By implementing a multi-layered approach, embracing emerging technologies, educating employees, and maintaining regular security practices, organizations can build a strong fortress against cyber threats.

This ongoing commitment to network security not only protects sensitive data and ensures operational continuity but also fosters trust with customers and partners. Need a hand? Book a demo today!

FAQs

How is network security used in business? 

Network security involves implementing a range of security measures, such as firewalls, intrusion detection systems, encryption, access controls, and user authentication, to safeguard networks from unauthorized access, data breaches, malware, and other cyber threats. Network security also plays a vital role in regulatory compliance and maintaining the trust of customers and partners.

How do I secure my business network?

Securing a business network involves implementing a combination of technical and organizational measures. Here are some essential steps to secure your business network:

– Use strong network security solutions, such as firewalls, antivirus software, and intrusion detection systems.
– Implement strong access controls, including strong passwords, multi-factor authentication (MFA), and role-based access controls.
– Regularly update software and firmware to patch vulnerabilities and address security flaws.
– Train employees on security best practices, such as identifying phishing emails, practicing safe browsing habits, and protecting sensitive data.
– Segment your network to isolate critical systems and limit the impact of a potential breach.
– Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
– Conduct regular network assessments and audits to identify vulnerabilities and address them promptly.
– Develop an incident response plan to effectively respond to and mitigate security incidents.
– Regularly back up critical data and test data restoration procedures to ensure data availability and quick recovery in case of a breach or system failure.
– Stay informed about the latest security threats and trends and adapt your security measures accordingly.

What are the 5 types of network security?

The five types of network security are:

1. Perimeter Security: This includes measures such as firewalls, intrusion detection systems, and virtual private networks (VPNs) to protect the network’s perimeter from unauthorized access and external threats.

2. Endpoint Security: Endpoint security focuses on securing individual devices connected to the network, such as laptops, smartphones, and IoT devices. It involves implementing antivirus software, patch management, and encryption to protect endpoints from malware and unauthorized access.

3. Network Access Control (NAC): NAC ensures that only authorized devices and users can connect to the network. It verifies the identity and security posture of devices before granting network access, enforcing security policies, and minimizing the risk of unauthorized or compromised devices accessing the network.

4. Data Security: Data security involves protecting sensitive information from unauthorized access, alteration, or theft. It includes encryption, access controls, data loss prevention (DLP), and backup and recovery strategies to safeguard critical data.

5. Security Monitoring and Incident Response: This type of security focuses on detecting and responding to security incidents. It includes security monitoring tools, intrusion detection and prevention systems (IDPS), security information and event management (SIEM), and incident response plans to identify, mitigate, and recover from security breaches.

What are the 3 elements of network security?

The three elements of network security are commonly referred to as the CIA triad, which stands for:

1. Confidentiality: Confidentiality ensures that sensitive data is protected from unauthorized access and disclosure. Encryption, access controls, and secure transmission protocols are used to maintain the confidentiality of information.

2. Integrity: Integrity ensures that data remains unaltered and trustworthy throughout its lifecycle. Data integrity measures, such as digital signatures, checksums, and access controls, prevent unauthorized modifications or tampering of data.

3. Availability: Availability ensures that network resources and services are accessible and operational when needed. Network security measures, such as redundancy, load balancing, and disaster recovery plans, are implemented to minimize downtime and ensure continuous availability.

Source :
https://www.perimeter81.com/blog/network/network-security-for-business

What is Firewall Design?

27.07.2023

firewall is a network security device designed to monitor and control network traffic flow based on predetermined security rules. It acts as a barrier, selectively allowing or blocking incoming and outgoing network connections to protect the internal network from external threats. Essentially, a firewall ensures that only authorized and secure connections are made by filtering network traffic based on defined criteria.

Firewalls operate using a combination of rule-based filtering and packet inspection techniques. When network traffic passes through a firewall, it undergoes scrutiny based on various parameters, including source and destination IP addresses, ports, protocols, and the state of connections.

The Importance of Firewall Design for Network Security

So how does firewall design impact your network security? Here are the top reasons.

Protecting Against Unauthorized Access

One of the primary functions of firewall design is to prevent unauthorized access to an organization’s network resources. Firewalls act as gatekeepers, examining incoming and outgoing network traffic and enforcing access control policies based on predefined rules.

Identifying and configuring firewalls carefully will help organizations prevent unauthorized access by ensuring that only legitimate connections are allowed.

Mitigating Cyber Threats

Firewalls employ packet filtering, deep packet inspection, and stateful inspection to analyze network traffic and identify potential threats. They can detect and block suspicious or malicious traffic. Organizations can reduce the risk of successful attacks and protect their networks and sensitive information.

Preventing Data Breaches

Data breaches can severely affect organizations, resulting in financial losses, reputational damage, and legal liabilities. Firewall design prevents data breaches by monitoring and controlling network traffic. Also, firewall design principles advocate for network segmentation, which helps contain potential breaches and limit the impact on critical assets.

Enforcing Security Policies

Firewall design allows organizations to enforce and manage their security policies effectively. Organizations can align firewall configurations with security objectives and compliance requirements by defining rules and access controls.

Firewall policies can be customized based on traffic, user roles, and data sensitivity. Regular review and updates of firewall policies can ensure the effectiveness of their security measures.

Compliance with Regulations

Compliance with industry regulations and data protection laws is crucial for organizations across various sectors. Firewall design plays a significant role in achieving compliance by implementing security controls and access restrictions mandated by regulatory frameworks.

Organizations can demonstrate their commitment to protecting sensitive data by enforcing policies in line with GDPR, HIPAA, or PCI DSS regulations.

Characteristics of a Firewall

1. Physical Barrier

A firewall is a physical barrier between an internal network and the external world. It inspects incoming and outgoing network traffic, allowing or blocking connections based on predetermined security rules. By serving as a protective boundary, a firewall helps safeguard the internal network from unauthorized access and potential threats.

2. Multi-Purpose

A firewall is a versatile security tool that performs various functions beyond basic network traffic filtering. It can support additional security features, such as intrusion detection/prevention systems, VPN connectivity, antivirus scanning, content filtering, and more. This multi-purpose nature enables firewalls to provide comprehensive security measures tailored to an organization’s needs.

3. Security Platform

Firewalls serve as a security platform by integrating different security mechanisms into a unified system. They combine packet filtering, stateful inspection, application-level gateways, and other security technologies to protect against cyber threats. By functioning as a consolidated security platform, firewalls offer a layered defense strategy against potential attacks.

4. Flexible Security Policies

Firewalls offer flexible security policy implementation, allowing organizations to define and enforce customized rules and access controls. These policies can be based on various factors, including source/destination IP addresses, ports, protocols, user identities, and time of day.

With the ability to tailor security policies to specific requirements, organizations can effectively manage network traffic and adapt to evolving security needs.

5. Access Handler

A firewall acts as an access handler by controlling and managing network access permissions. It determines what connections are allowed or denied using predefined rules and policies. By regulating access to network resources, a firewall ensures that only authorized users and devices can establish connections, reducing the risk of unauthorized access and potential data breaches.

Firewall Design Principles

It is important to remember certain principles when designing a firewall to ensure its effectiveness in safeguarding network security. These principles serve as guidelines for architects and administrators, helping them design robust firewall architectures that protect against unauthorized access and potential threats.

  • Defense-in-Depth Approach: A fundamental principle in firewall design is adopting a defense-in-depth strategy. Rather than relying solely on a single firewall, organizations should deploy multiple firewalls, intrusion detection/prevention systems, and other security measures to create a layered defense architecture. 
  • Least Privilege Principle: The principle of least privilege is crucial in firewall design to minimize the potential attack surface. It advocates granting the minimum level of privileges and access necessary for users and systems to perform their required functions. This minimizes exposure to potential threats and reduces the risk of unauthorized access or malicious activities.
  • Rule Set Optimization: Firewall rule set optimization is another important design principle. As firewalls employ rule-based filtering mechanisms, regularly reviewing and optimizing the rule sets is essential. This involves removing unnecessary or redundant rules, consolidating overlapping rules, and organizing rules logically and efficiently. 
  • Secure Default Configurations: Firewall design should prioritize secure default configurations to ensure a strong foundation for network security. Default settings often allow all traffic, leaving the network vulnerable to attacks. Secure defaults are a starting point for designing effective firewall policies and help prevent misconfigurations that may lead to security gaps.
  • Regular Monitoring and Updates: Monitoring and updating firewalls are critical principles in firewall design. Regular monitoring allows organizations to promptly detect and respond to security incidents, identify unauthorized access attempts, and analyze network traffic patterns. 

7 Steps to Designing the Perfect Firewall For Your Business

Designing an effective firewall for your business requires careful planning and consideration of specific requirements. This section presents a step-by-step approach to creating the perfect firewall. 

1. Identify Requirements

The first step in designing a firewall is to identify the specific requirements of your business. This involves understanding the network topology, the types of applications and services in use, the security objectives, and any regulatory or compliance requirements.

2. Outline Policies

The next step is to outline the firewall policies based on the requirements. You can decide which traffic is allowed or denied for each source and destination address, port, protocol, and role using rules and access controls.

3. Set Restrictions

Setting restrictions involves configuring the firewall to enforce the outlined policies. This may include blocking certain types of traffic, implementing intrusion prevention mechanisms, enabling VPN connectivity, or configuring content filtering rules.

4. Identify the Deployment Location

This involves determining whether the firewall will be placed at the network perimeter, between internal segments, or within a demilitarized zone (DMZ), depending on the network architecture and security requirements.

5. Identify Firewall Enforcement Points

Identifying firewall enforcement points involves determining where the firewall will be implemented within the network topology. This includes considering factors such as the location of critical assets, the flow of network traffic, and the points where the firewall can effectively inspect and control the traffic.

6. Identify Permitted Communications

As part of the design process, it is important to identify the permitted communications the firewall will allow. This includes identifying the necessary communication channels for business-critical applications, remote access requirements, and any specific exceptions to the firewall policies.

7. Launch

Lastly, launch the firewall and ensure all configurations are correct. This includes testing the firewall’s functionality, monitoring its performance, and conducting regular audits to ensure compliance with security policies and industry best practices.

Safeguarding Networks with Strong Firewall Design – Protect Your Business Today

Take charge of your network security today and safeguard your business from cyber threats. Don’t wait for a security breach to occur—proactively design and deploy a powerful firewall that acts as a shield, protecting your network and ensuring the continuity of your operations.

Take the first step towards a secure network—consult with experts, assess your requirements, and design a robust firewall solution that suits your business needs. Protect your valuable assets, preserve customer trust, and stay one step ahead of potential threats with a well-designed firewall architecture. Safeguard your network and fortify your business with Perimeter 81’s Firewall as a Service.

FAQs

What are 3 common firewall designs?

– Packet Filtering Firewalls: They inspect packets based on rules, operating at Layer 3 of the OSI model.
– Stateful Inspection Firewalls: These track network connections and analyze entire network packets.
– Next-Generation Firewalls (NGFW): NGFWs combine traditional firewall features with intrusion prevention, application awareness, and deep packet inspection.

What are the four basic types of firewall rules?

1. Allow: This rule permits specific traffic to pass through the firewall based on defined criteria, such as source/destination IP addresses, ports, and protocols.
2. Deny: This rule blocks specific traffic from passing through the firewall based on defined criteria. Denied traffic is typically dropped or rejected.
3. NAT (Network Address Translation): NAT rules modify network packets’ source or destination IP addresses.
4. Session Control: These rules define how the firewall handles and manages sessions.

What are the 4 common architectural implementations of firewalls?

1. Network-based Firewalls: Positioned at the network’s edge, they offer centralized security, filtering and monitoring all inbound and outbound traffic.
2. Host-based Firewalls: These are installed directly on devices like servers or workstations, providing tailored protection and control over device-specific traffic.
3. Virtual Firewalls: They ensure security within virtualized environments. Apart from protecting virtual machines, they control and isolate network traffic between VMs.
4. Cloud-based Firewalls: Positioned within cloud environments, they ensure robust security for cloud-based applications and infrastructure, balancing scalability and centralized control.

Source :
https://www.perimeter81.com/blog/network/firewall-design

Exploring Firewall Design Principles for Secure Networks

27.07.2023

Firewall design principles are the bedrock of network security, providing a robust defense mechanism against both internal and external threats. These principles help in developing a security policy that can enforce stringent rulesets and offer layered protection for your private network.

Firewall design principles are crucial for maintaining a secure network. There are different types of firewalls like packet filter firewalls, stateful inspection firewalls, and proxy firewalls along with their unique features.

If you want to be able to design your firewall the right way you need to master the different key components in firewall design such as policies, rulesets, and interfaces, and learn the advanced features like Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI) and be aware of best practices to implement these designs effectively. 

This comprehensive understanding of firewall design principles will empower you to make informed decisions about your organization’s network security infrastructure.

What are Firewall Design Principles?

The realm of network security is complex and vast, with firewalls serving as the critical line of defense against cyber threats. They’re like the bouncers of the internet, keeping the bad guys out and letting the good guys in.

The basic concept behind firewall design principles

A firewall’s primary role is to be the gatekeeper of your network, deciding who gets in and who stays out. It’s like having a very selective doorman at an exclusive venue, only allowing those with the right credentials to enter.

The fundamental principle behind firewall design is simple: filter, filter, filter. The firewall looks at things like IP addresses, domain names, and protocols to decide if a data packet is worthy of entering your network.

Why understanding firewall design principles is essential for network security

In today’s digital age, where cyber threats are increasingly common, having a solid firewall is a must. 

Understanding firewall design principles is like having a secret weapon in your security arsenal. It’s like knowing all the tricks of the trade, so you can configure your firewall to be a fortress against cyber attacks. 

Staying ahead of malicious actors is possible if you understand their strategies and configure your firewall in a way that best protects against cyber threats.

No single approach will suffice when it comes to firewalls; you need to tailor yours to suit your individual needs. Take the time to understand the core firewall design principles and make your firewall the ultimate defender of your network.

Five Principles of Firewall Design

Firewall design principles are critical to protect your private network and to maximize your network security. Here are five principles you can use when establishing your firewall and implementing security policies.

1. Develop a Solid Security Policy

Having a proper security policy is an essential part of designing your firewall. Without it in place, it’s a headache to allow users to navigate the company network and restrict intruders. This proper security policy will also help you know the proper protocol if there is a security breach.

A properly developed security policy can protect you. A solid security policy includes guidance on proper internet protocol, preventing users from using devices on public networks, and recognizing external threats.

Don’t overlook a properly developed security policy! Also, remember that simply having a security policy is only the first step. In addition to establishing security policies, you should have frequent training and refreshers for all employees. Have policies in place for reporting security threats and hold everyone in the organization accountable. 

2. Use a Simple Design

Keep it simple. If you have a complex design, you’ll need to find complex solutions anytime a problem arises. A simple design helps alleviate some of the pain you may feel when a problem comes up (and it inevitably will at some point). Also, complex designs are more prone to configuration errors that can open paths for external attacks.

3. Choose the Right Device

You need to have the right tools to do the job. If you use the wrong device, you have the wrong tools and are at a disadvantage from the start. Using the right part that fits your design will help you create the best firewall for your network.

4. Build a Layered Defense

Firewalls should have layers to properly protect your network. A multi-layered defense creates a complicated protection system that hackers can’t easily break through. Creating layers builds an effective defense and will keep your network safe.

5. Build Protection Against Internal Threats

Don’t just focus on attacks from external sources. A large percentage of data breaches are the result of internal threats and carelessness. Mistakes made by those internally can open your network to attacks from outside sources. Implementing proper security solutions for your internal network can help prevent this from happening.

Something as simple as accessing a web server can expose your network if you aren’t protected internally as well as you are externally.

As you design your firewall, remember these firewall design principles: have a properly developed security policy, keep it simple, use the right tools, build a layered defense, and protect yourself from internal threats.

Types of Firewalls

Different firewalls have varying characteristics and applications, so it’s essential to understand them in order to select the most suitable firewall for your network. Knowing these differences is crucial for picking the right firewall for your network’s needs.

Packet-Filtering Firewalls: Basic but Effective

A packet-filtering or packet-filter firewall does what it says—filters data packets based on predetermined rules. It checks packet headers to see what’s allowed in. 

Simple, but not enough against fancy cyber threats.

Circuit-level Gateways

A circuit-level gateway can be a stand-alone system or it can be a function performed as a gateway for certain applications. A circuit-level gateway does not allow for end-to-end connection but rather sets up two connections with an inner host and a user with an outer host. 

Stateful Inspection Firewalls

Stateful inspection firewalls go beyond packet headers. They keep track of active connections and use that info to validate packets. It remembers who and what is allowed – efficient and effective.

Application-level Gateways (a.k.a. Proxy Firewalls)

Proxy firewalls (also known as application-level gateways) act as intermediaries between internal networks and the Internet. They hide internal IP addresses and offer content filtering. 

The choice among these types depends on your network’s needs relating to size, complexity, and sensitivity. Remember, they often work together in layers; just make sure they’re properly configured and regularly updated. 

Next-Gen Firewalls

Next-gen firewalls are the next step in firewall security. These can protect against advanced malware and application-layer attacks. They typically include:

  • Firewall capabilities like stateful inspection.
  • Integrated intrusion prevention.
  • Application awareness and control to see risky apps.
  • Threat intelligence sources.
  • Upgrade paths to include future information feeds.
  • Techniques to continue evolving.

Now, we’ll explore constructing an efficient firewall.

Key Components in Firewall Design

When it comes to designing a firewall, there are certain key components that should be taken into account. Let’s break it down:

Importance of Policies

Security policies are like the rulebook for your firewall. They decide what traffic gets in and what gets blocked. You want to make sure only the right traffic makes it through.

A proper security policy will help you in both the short term and long term. Make sure to enforce security policies to keep yourself protected.

Rulesets – Defining What Gets Through

Rulesets are like the enforcers of the policies. They make sure the regulations are met. Visualize a vigilant sentry, patrolling your network for any untoward activity and taking swift action when needed. Rulesets often include elements like source address, source port, destination address, and destination port.

Interfaces – Connecting Networks Securely

Interfaces are the gateways between networks. They’re like the bridges that connect different parts of your network. Make sure these bridges are secure, so no unwanted guests can sneak in.

To recap, when it comes to firewall design, policies, rulesets, and interfaces are the key players. They work together to keep your network safe and sound.

Advanced Features in Modern Firewall Designs

In the ever-evolving world of cybersecurity, firewalls have leveled up to tackle sophisticated threats. 

Let’s dive into two cool advancements: Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI).

Intrusion Prevention Systems (IPS): Proactive Defense Mechanism

An Intrusion Prevention System (IPS) is like a superhero embedded in modern firewalls. It doesn’t just detect and block known threats; it goes the extra mile.

IPS keeps a watchful eye on network traffic, sniffing out any suspicious activity or weird anomalies. When it spots trouble, it swiftly shuts it down.

Deep Packet Inspection (DPI): Detailed Threat Analysis

Deep Packet Inspection (DPI) adds an extra layer of security by giving data packets a thorough check-up.

  • DPI looks at both the header info and the payload content of each packet.
  • It’s like a detective, figuring out the nature of incoming traffic.
  • If it finds anything fishy, like malware or protocol non-compliance, it sounds the alarm so you can take action.

These advanced features make modern firewalls tougher than traditional ones. But remember, no single solution can guarantee complete security. 

They’re advanced elements of your security squad, but they need backup from a solid information security policy management strategy.

Four Types of Access Control

There are four techniques that firewalls generally use to control access and security policy. 

  • User Control: Control access to a service according to which user is attempting to access the service.
  • Service Control: Determines what services can be accessed to keep your network secure.
  • Direction Control: Determines in which direction a service can be accessed, both inbound and outbound.
  • Behavior Control: Controls how services are accessed and used.

Advantages of Firewalls

There are several advantages of implementing a firewall to protect your network. Here are some of the biggest benefits you’ll see:

Block Infected Files

You come across threats when you browse the internet, or you might even have them delivered to your mailbox. Firewalls help block those files from breaking through your system.

Stop Unwanted Visitors

You don’t want anyone snooping through your system. This can lead to long-term security problems. Your firewall will detect unwanted visitors and keep them out.

Accessing public networks can put you at a higher risk of security breaches, but having a firewall can block access to your sensitive data.

Safeguards Your IP Address

This will protect your network as you browse the internet on a web server so you aren’t exposed to those who want to cause problems for your network. This can be set up with a virtual private network (or VPN) which acts as a network security device to keep your network secure.

Prevents Email Spamming

Security policies should help protect the employees on your network from malware or phishing attempts, but in case a mistake is made, a proper firewall can help prevent spam emails from getting through your system.

Stops Spyware

When using a web server, you can come across files that will install spyware on your system. A firewall will easily block access so you don’t have to worry about being exposed to outside threats.

Limitations of Firewalls

For as many advantages as you gain from having a firewall, there are still some limitations it will create on your server.

Internal Loose Ends

As a firewall can easily block access to external threats, it can struggle to prevent internal attacks. If you have an employee who accidentally cooperates with an attacker, you may still be exposed internally.

Infected Files

Because of the sheer number of files your network may come across, it’s impossible for every file to be reviewed by your network security device. 

Cost

It can be expensive to set up a firewall that protects your system, and the bigger your network gets, the more expensive it can become. That said, even a single large data breach could cost your company dearly, so having the proper protection in place is an investment worth making.

User Restriction

Sometimes firewalls can make it more difficult for users to access the systems they need to do their work. This can impact productivity when certain users need to access multiple applications.

System Performance

Implementing a firewall takes up a lot of bandwidth and using the RAM and power supply that may need to go to other devices can impact your system’s performance.

Firewall Delivery Methods

There are several different delivery methods for a firewall. Here are some of the most common delivery methods that are used:

  • Software firewalls: A software firewall is a type of software that runs on your computer. It is mainly used to protect your specific device.
  • Hardware firewalls: This is a device that is specifically used to implement a firewall. This can protect your entire network.
  • Cloud firewalls: These firewalls are hosted in the cloud and are also called firewall-as-a-service (FWaaS).

Boost Your Firewall Design with Perimeter 81

Understanding firewall design principles is crucial for network security. Different types of firewalls and their key components help create a strong defense against cyber threats. 

Packet filtering firewalls provide a basic yet effective approach, while stateful inspection firewalls consider the context of network traffic. Proxy firewalls bridge the gap between internal and external networks.

When implementing firewall designs, follow best practices like applying the least privilege principle and regularly updating configurations. Advanced features like intrusion prevention systems (IPS) and deep packet inspection (DPI) enhance your proactive defense mechanism. 

Incorporating these firewall design principles protects networks from unauthorized access and potential security breaches. Learn more about Perimeter 81’s Firewall as a Service.

FAQs

What are the four characteristics used by firewalls?

The four basic types of firewall rules include – allow all (permissive), block all (restrictive), specific permission-based access controls, and content filters

What are the 5 steps of firewall protection?

The five steps of firewall protection include – securing your firewall, building firewall zones & IP addresses, configuring access, configuring firewall services, testing the configuration.

What is the architecture of a firewall?

The four most commonly implemented architectures in firewall design principles include packet-filtering routers, application gateways, circuit-level gateways, and multilayer inspection firewalls. 

How do you design firewall architecture?

The principles of firewall design include clear policies, traffic control rulesets, secure network connections, and advanced features like Intrusion Prevention Systems (IPS) and Deep Packet Inspection (DPI). 

How many layers do firewalls have?

It’s common to see 3-layer or 7-layer firewalls. A 3-layer firewall is used for a network while a 7-layer firewall is used for applications.

Source :
https://www.perimeter81.com/blog/network/firewall-design-principles

What is a Cloud Firewall?

27.07.2023

In the past when fires were fought, people used traditional means like fire extinguishers and water hoses.

Translating this to the virtual world of computing — a cloud firewall is akin to the digital ‘fire extinguisher’ and ‘hose.’ It is a tool designed to stopslow, or prevent unauthorized access to or from a private network.

It inspects incoming and outgoing traffic, based on predetermined security rules. They can be a standalone system or incorporated into other network components.

In technical words, it acts as a barrier between on-premises networks and external networks.

Cloud firewalls are often deployed in a ‘perimeter’ security model — where they act as the first line of defense against cyber threats. This includes protection against DDoS attacks, SQL injections, and cross-site scripting.

The Benefits of Using a Cloud Firewall

In this section, we’ll discuss the benefits of using a cloud firewall over traditional ones.

Scalability

Traditional firewalls can’t keep pace as your network grows — their hardware limitations bound them.

On the other hand, a cloud firewall can easily adapt and expand in line with your business needs. Because it’s cloud-based, scaling does not require any additional hardware investment or complex configurations.

Be it on-site installation, maintenance, or upgrading, cloud firewalls wipe out all those physical processes, saving you time and resources.

Availability

Unlike traditional firewalls that rely on singular hardware systems and can fail, cloud firewalls are designed for high availability. Their decentralization means that even if one part fails, the rest continue to operate, ensuring constant protection.

Being cloud-based, they can also balance the load during peak traffic times to prevent slowdowns or outages.

For instance — during an attack like DDoS when the traffic dramatically increases, a cloud firewall can distribute the traffic across multiple servers. This ensures that your systems remain accessible and functional.

Extensibility

Cloud-based firewalls are not just scalable and highly available — they are also highly extensible.

This means that you can easily integrate them with other security features or services — such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Secure Web Gateways (SWG) — to create a solid security system.

Release updates and patches can be applied automatically, ensuring that the security is always up-to-date.

Identity Protection

When it comes to identity protection, cloud firewalls reign supreme.

They can identify and control application access on a per-user basis. This means that if unauthorized access is attempted, it can be immediately identified and blocked, providing extra security to your sensitive information.

Along with that, they can also provide an audit trail so that attempted breaches can be traced back to their origins. This info is beneficial for investigating cyber crimes and strengthening your cybersecurity strategy in the long run.

Performance Management

Sometimes, it’s not just about blocking harmful traffic, but also about prioritizing useful traffic.

Cloud firewalls enable performance management by prioritizing network traffic and providing quality of service (QoS) capabilities.

This can be handy during peak usage times or when certain services require higher bandwidth.

For instance, a cloud firewall can prioritize the traffic for certain high-demand resources, ensuring uninterrupted access and excellent performance. As a result, end users experience less lag and appreciate better service.

Moreover, the firewall can be programmed to give a higher priority to certain types of workloads or specific applications, like Voice over Internet Protocol (VoIP) or video streaming services.

Secure Access Parity

Remote work is another area where cloud firewalls shine.

Cloud firewalls enable a consistent security policy across all locations and users, no matter where they’re accessing from. This ensures that remote workers are just as protected as on-site ones.

Also, you get comprehensive visibility and control over all network traffic, and thanks to their cloud nature — updates can be pushed globally.

Migration Security

Migration — in particular to the cloud — can be a risky process in terms of security. The necessity to move data from one place to another can expose it to potential threats. Cloud firewalls eliminate these concerns.

Due to their inherent design, they provide end-to-end security during data migration. The data is protected at the source, during transit, and at the destination. This ensures a secure and seamless cloud migration process.

It’s like having a secure convoy for your data as it travels.

Types of Cloud Firewalls

There are four major types of cloud firewalls which can be broadly categorized as — SaaS Firewalls/Firewall as a service (FWaaS), Next-generation Firewall (NGFW), Public Cloud Firewall, and Web Application Firewall (WAF).

SaaS Firewalls/Firewall as a Service (FWaaS)

SaaS Firewalls, or Firewall as a Service, operate directly in the cloud. Offering security as a service — they are a scalable, flexible, and cost-effective solution.

  • Flexibility: Being cloud-based, these firewalls can rapidly adapt to changes in network traffic and configuration.
  • Scalability: FWaaS can comfortably scale up or down based on the needs without harming performance.
  • Cost-effective: As a subscription-based service, FWaaS can be adjusted to fit any budget and eliminates the need for expensive hardware and software maintenance.
  • Integrated approach: FWaaS offers a comprehensive, integrated approach to security, so you have complete visibility and control over network traffic and user activity.
  • Ease of deployment: Require less administrative effort and minimize human error.

Next-Generation Firewall (NGFW)

Next-Generation Firewalls represent the evolution in firewall technology, designed to go beyond traditional firewall functions.

  • Deep packet inspection: NGFWs are capable of examining the payload of a packet, crucial for detecting advanced threats within seemingly legitimate traffic.
  • Application awareness: NGFWs offer application-level control, significantly enhancing the granularity of security policies.
  • Threat detection: Their advanced threat detection capabilities protect organizations from a broad range of attacks, including zero-day vulnerabilities.
  • Integrated IPS: They feature an integrated Intrusion Prevention System that can identify and block potential security breaches, adding a layer of protection.
  • User identification: Unlike traditional firewalls, NGFWs can identify users and devices, not just IP addresses. This helps in creating more targeted, effective security policies.

Public Cloud Firewall

Public cloud firewalls are built within public cloud infrastructures like AWS, Google Cloud, and Azure to provide a layer of security control.

  • Seamless integration: These firewalls integrate seamlessly with other cloud services, infrastructure, and applications.
  • Autoscaling: Being cloud-native, they can scale dynamically with the workload, managing a substantial increase in network traffic without compromising performance.
  • Cloud-specific rulesets: These firewalls enable cloud-specific packet filtering, applying rules to cloud-native as well as hybrid and multi-cloud environments.
  • Compatibility: Public Cloud Firewalls are compatible with the automatic deployment mechanisms of their respective cloud platforms. This compatibility reduces the overhead of manual configurations.
  • Resilience: With a distributed, highly available architecture, they provide resilience — ensuring that the firewall is operational even if individual components fail.

Web Application Firewall (WAF)

A Web Application Firewall specifically protects web applications by filtering, monitoring, and blocking HTTP traffic that could exploit vulnerabilities in these applications.

  • Web app protection: WAFs stop attacks targeting web applications, including SQL injection, cross-site scripting (XSS), and others.
  • Custom policies: Customizable Policies in WAFs allow for tailored protection suited to the individual needs of every web application.
  • Inspection: They offer a thorough inspection of HTTP/S traffic, ensuring no harmful requests reach the web applications.
  • Bot control: WAFs can discern harmful bots from legitimate traffic, granting access only to authorized users and services.
  • API security: Security for APIs against attacks such as DDoS, improving overall protection.

Using Cloud Firewall vs Other Network Security Approaches

How do cloud firewalls compare to other network security approaches? See how they compare to virtual firewall appliances, IP-based network security policies, and security groups.

Virtual Firewall Appliances

Despite brands like Cisco, Juniper, and Fortinet making a strong push for them, virtual firewall appliances don’t fit in a work environment that is heavily cloud-based.

  • Not scalable: Virtual appliances have limitations in scaling. When traffic increases, they struggle to keep pace, affecting performance.
  • Operational inefficiency: They require manual configurations and adjustments, which can lead to operational inefficiencies and potential mistakes.
  • Limited visibility: They usually provide limited visibility into network traffic and, in some cases, can’t even offer granular control at the application level.
  • Architectural complexity: These appliances often introduce architectural complexity, as they need to intercept and secure network traffic at different points.
  • High cost: Acquiring, maintaining, and upgrading a virtual firewall appliance can be expensive, especially when compared to subscription-based cloud firewalls.
  • Limited extensibility: Be it AWS transit gateways, Gateway Load Balancers, or VPC/VNet peering — virtual appliances usually struggle to integrate with these advanced cloud-native services.

IP-Based Network Security Policy

IP-based network security policies have traditionally been used in many organizations. However, they also have shortcomings when compared to cloud firewalls.

  • Dynamic IP difficulties: These policies are primarily based on static IP addresses, triggering issues when dealing with dynamic IPs — such as those used in today’s highly scalable, distributed infrastructures.
  • Granularity problems: IP-based policies offer less granular control over access to applications and data, compared to cloud firewalls.
  • Security loopholes: Because they rely heavily on IP addresses for identification, they can be vulnerable to IP spoofing, creating potential security loopholes.
  • Inefficient management: IP-based policies can be tedious to manage, especially when dealing with larger, more complex network infrastructures.
  • Limited scalability: Like virtual appliances, IP-based policies struggle when it comes to handling a significant increase in network traffic.
  • Dependency on IP reputation: These policies depend on the reputation of IP addresses, which can be unreliable and manipulated. Also, legitimate IP addresses can be compromised, creating a potential avenue for attacks.

Security Groups

Lastly, security groups, while being a crucial part of network security in a cloud-based environment, fall short compared to cloud firewalls on several fronts.

  • Scope limitation: Security groups usually have a limited scope — often only applicable within a single instance or VPC. This might not be adequate for enterprises with large-scale or diverse cloud deployments.
  • Manual administration: This can lead to potential errors and security risks, more so in large and complex environments.
  • Lack of visibility: Security groups don’t provide comprehensive visibility into network traffic or robust logging and audit capabilities — both of which are fundamental for troubleshooting and regulatory compliance.
  • Limited flexibility: Security groups lack the flexibility to adapt quickly to changes in network configuration or traffic patterns. This can hinder performance and affect user experience.
  • Dependencies: Security groups are dependent on the underlying cloud service. This means that they can be impacted by any disruptions or changes to that service. So, the level of independence and control tends to be on the lower end.

It’s evident, compared to the other network security approaches, cloud firewalls provide superior flexibility, scalability, visibility, and control.

How does a Cloud-Based Firewall Fit into a SASE Framework?

SASE is a concept introduced by Gartner that stands for Secure Access Service Edge. It combines network security and wide area networking (WAN) capabilities in a single cloud-based service.

Cloud-based firewalls fit wonderfully into this framework as they provide network security enforcement. Below’s how.

  • Unified security and networking: By integrating with other SASE components, cloud-based firewalls facilitate unified security and networking. They ensure that security controls and networking capabilities are not siloed but work together seamlessly.
  • Location-agnostic: Being cloud-based, these firewalls offer location-agnostic security. This is important in a SASE framework which is designed to support securely connected, geographically-dispersed endpoints.
  • Dynamic scaling: The dynamism of cloud-based firewalls aligns with the scalable nature of SASE. So, the security scales with network requirements.
  • Policy enforcement: They provide efficient enforcement of security policies across a distributed network, aiding in consistent security compliance.
  • Visibility and control: In a SASE framework, cloud-based firewalls offer enriched visibility and control over network traffic and user activity. This aids in improved threat detection and response times.
  • Data protection: They provide encryption and decryption, protecting sensitive data transmitted across the network. This capability is pivotal for data protection in a SASE architecture.
  • Fast deployment: Enjoy operational simplicity as they can be seamlessly deployed across multiple locations.
  • Easier management: Management becomes easier as there is a single point of control allowing for unified threat management.
  • Lower costs: Reduced capital expenditure as the need for on-premise hardware decreases significantly.
  • Highly available: These firewalls offer high availability and resilience, adhering to the SASE principle of continual access and service regardless of location. Thus, enhancing the overall security posture in an ever-increasing remote work landscape.

Secure your network with firewall-as-a-service today!

Organizations across the globe are transitioning to a cloud-first strategy. Perimeter 81 can assist you in this journey. Our Firewall-as-a-Service model provides security, scalability, and simplicity that is unmatched in the industry. Learn more here!

FAQs

What is the disadvantage of cloud firewall?

Reliance on the availability of the FaaS provider is a potential disadvantage of cloud firewalls.

Why do you need a cloud firewall?

Just like you need a security gate to prevent unauthorized entry into your house, a cloud firewall acts as a barrier to block malicious traffic from entering your network. It provides real-time protection and security monitoring — making it crucial in today’s world where cyber threats are rampant.

What is the main reason to operate a public cloud firewall?

Application visibility and control is the primary reason to operate a public cloud firewall. And unlike traditional firewalls, cloud firewalls allow for extensive network traffic logging and reporting, providing a thorough overview of your application’s security status.

What is cloud vs hardware firewall?

A cloud firewall, also known as a Firewall-as-a-Service (FaaS), is a firewall hosted in the cloud, providing scalability, cost efficiency, and real-time updates. Hardware firewalls, on the other hand, are physical devices installed in the infrastructure of a network. While cloud firewall is software-based, traditional ones can be both software and hardware-based.

Is a cloud-based firewall more secure?

Cloud-based firewall comes with the same level of security as a traditional or on-premises firewall but with advanced access policy, encryption, connection management, and filtering between servers.

What is the difference between a next-generation firewall and a cloud firewall?

While next-generation firewalls (NGFWs) offer advanced security capabilities such as intrusion prevention systems (IPS), deep packet inspection, and application awareness— they can be limiting when it comes to scalability and flexibility, especially in a dynamic, cloud-based environment. That’s where cloud firewalls excel.

Source :
https://www.perimeter81.com/blog/network/cloud-based-firewall

The five-day job: A BlackByte ransomware intrusion case study

July 6, 2023

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

  • Exploitation of unpatched internet-exposed Microsoft Exchange Servers
  • Web shell deployment facilitating remote access
  • Use of living-off-the-land tools for persistence and reconnaissance
  • Deployment of Cobalt Strike beacons for command and control (C2)
  • Process hollowing and the use of vulnerable drivers for defense evasion
  • Deployment of custom-developed backdoors to facilitate persistence
  • Deployment of a custom-developed data collection and exfiltration tool
BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact.
Figure 1. BlackByte 2.0 ransomware attack chain

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.  

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

  • Attain system-level privileges on the compromised Exchange host
  • Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
  • Construct a valid authentication token and use it against the Exchange PowerShell backend
  • Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
  • Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

  • 185.225.73[.]244

Persistence

Backdoor

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

Registry keyValue nameValue data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\Users\user\Downloads\api-msvc.dll,Default  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\temp\api-msvc.dll,Default  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\systemtest\api-system.png,Default

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

  • hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

  • hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

  • 109.206.243[.]59:443

AnyDesk

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

  • netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
  • netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

  • C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_
Figure 2. Binary analysis showing file extensions enumerated by explorer.exe

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

  • hxxps://g.api.mega.co[.]nz
Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ

We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

  • If this check fails, ShellExecuteW is invoked with the IpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

  • If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:
C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q
  • If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:
{    “a”:”us0”,    “user”:”<CONTENT FROM data.txt>”}

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

  • hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

  • wEFT.exe
  • schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

  • When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
  • When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

  • C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
  • C:\SystemData\wEFT.exe (Additional BlackByte binary)
  • C:\SystemData\MsExchangeLog1.log (Log file)
  • C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
  • C:\SystemData\iHu6c4.ico (Random name – BlackBytes icon)
  • C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
  • C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

  • Antivirus bypass
    • The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory
    • The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
  • Process hollowing
    • Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command:
      • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del “PATH_TO_BLACKBYTE” /F /Q
  • Modification / disabling of Windows Firewall
    • The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
      • cmd /c netsh advfirewall set allprofiles state off
      • cmd /c netsh advfirewall firewall set rule group=”File and Printer Sharing” new enable=Yes
      • cmd /c netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes
  • Modification of volume shadow copies
    • The following commands are executed to destroy volume shadow copies on the machine:
      • cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
      • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
  • Modification of registry keys/values
    • The following commands are executed to modify the registry, facilitating elevated execution on the device:
      • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
      • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      • cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
  • Additional functionality
    • Ability to terminate running services and processes
    • Ability to enumerate and mount volumes and network shares for encryption
    • Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)
    • Ability to perform anti-debugging techniques

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

  • Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
  • Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
  • Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
  • Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
  • Block inbound traffic from IPs specified in the indicators of compromise section of this report
  • Block inbound traffic from TOR exit nodes
  • Block inbound access from unauthorized public VPN services
  • Restrict administrative privileges to prevent authorized system changes

Conclusion

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities.  As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Win32/Kovter!MSR
  • Trojan:Win64/WinGoObfusc.LK!MT
  • Trojan:Win64/BlackByte!MSR
  • HackTool:Win32/AdFind!MSR
  • Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • ‘CVE-2021-31207’ exploit malware was detected
  • An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
  • Suspicious registry modification.
  • ‘Rtcore64’ hacktool was detected
  • Possible ongoing hands-on-keyboard activity (Cobalt Strike)
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Suspicious sequence of exploration activities
  • A process was injected with potentially malicious code
  • Suspicious behavior by cmd.exe was observed
  • ‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  • CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ProxyShell web shell creation events

DeviceProcessEvents| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious vssadmin events

DeviceProcessEvents| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")

Detection for persistence creation using Registry Run keys

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE")      or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE")    or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")| where RegistryValueData startswith @"rundll32"| where RegistryValueData endswith @".dll,Default"| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

IndicatorTypeDescription
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3eSHA-256api-msvc.dll (Backdoor installed through RunKeys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103SHA-256sys.exe (Cobalt Strike Beacon)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fdSHA-256rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098fSHA-256[RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738eSHA-256“netscan.exe”, “netapp.exe (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455eSHA-256AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/tURLC2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exeURLDownload URL for sys.exe
109.206.243[.]59IP AddressC2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244IP AddressOriginating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

Appendix

File extensions targeted by BlackByte binary for encryption:

.4dd.4dl.accdb.accdc.accde.accdr.accdt.accft
.adb.ade.adf.adp.arc.ora.alf.ask
.btr.bdf.cat.cdb.ckp.cma.cpd.dacpac
.dad.dadiagrams.daschema.db.db-shm.db-wal.db3.dbc
.dbf.dbs.dbt.dbv. dbx. dcb. dct. dcx
. ddl. dlis. dp1. dqy. dsk. dsn. dtsx. dxl
. eco. ecx. edb. epim. exb. fcd. fdb. fic
. fmp. fmp12. fmpsl. fol.fp3. fp4. fp5. fp7
. fpt. frm. gdb. grdb. gwi. hdb. his. ib
. idb. ihx. itdb. itw. jet. jtx. kdb. kexi
. kexic. kexis. lgc. lwx. maf. maq. mar. masmav
. mdb. mpd. mrg. mud. mwb. myd. ndf. nnt
. nrmlib. ns2. ns3. ns4. nsf. nv. nv2. nwdb
. nyf. odb. ogy. orx. owc. p96. p97. pan
. pdb. pdm. pnz. qry. qvd. rbf. rctd. rod
. rodx. rpd. rsd. sas7bdat. sbf. scx. sdb. sdc
. sdf. sis. spg. sql. sqlite. sqlite3. sqlitedb. te
. temx. tmd. tps. trc. trm. udb. udl. usr
. v12. vis. vpd. vvv. wdb. wmdb. wrk. xdb
. xld. xmlff. abcddb. abs. abx. accdw. and. db2
. fm5. hjt. icg. icr. kdb. lut. maw. mdn
. mdt       

Shared folders targeted for encryption (Example: \\[IP address]\Downloads):

UsersBackupVeeamhomeshome
mediacommonStorage ServerPublicWeb
ImagesDownloadsBackupDataActiveBackupForBusinessBackups
NAS-DCDCBACKUPDirectorFilesshare 

File extensions ignored:

.ini.url.msilog.log.ldf.lock.theme.msi
.sys.wpx.cpl.adv.msc.scr.key.ico
.dll.hta.deskthemepack.nomedia.msu.rtp.msp.idx
.ani.386.diagcfg.bin.mod.ics.com.hlp
 .spl.nls.cab.exe.diagpkg.icl.ocx.rom
.prf.thempack.msstyles.icns.mpa.drv.cur.diagcab
.cmd.shs      

Folders ignored:

windowsbootprogram files (x86)windows.oldprogramdata
intelbitdefendertrend microwindowsappsappdata
application datasystem volume informationperflogsmsocache 

Files ignored:

bootnxtntldrbootmgrthumbs.db
ntuser.datbootsect.bakautoexec.baticoncache.db
bootfont.bin   

Processes terminated:

teracopyteamviewernsservicensctrluranium
processhackerprocmonpestudioprocmon64x32dbg
x64dbgcff explorerprocexppslisttcpview
tcpvcondbgviewrammaprammap64vmmap
ollydbgautorunsautorunsscfilemonregmon
idaqidaq64immunitydebuggerwiresharkdumpcap
hookexplorerimportrecpetoolslordpesysinspector
proc_analyzersysanalyzersniff_hitwindbgjoeboxcontrol
joeboxserverresourcehackerfiddlerhttpdebuggerdumpit
rammaprammap64vmmapagntsvccntaosmgr
dbeng50dbsnmpencsvcinfopathisqlplussvc
mbamtraymsaccessmsftesqlmspubmydesktopqos
mydesktopservicemysqldmysqld-ntmysqld-optNtrtscan
ocautoupdsocommocssdonenoteoracle
outlookPccNTMonpowerpntsqbcoreservicesql
sqlagentsqlbrowsersqlservrsqlwritersteam
synctimetbirdconfigthebatthebat64thunderbird
tmlistenvisiowinwordwordpadxfssvccon
zoolz    

Services terminated:

CybereasonRansomFreevnetdbpcdSamSsTeraCopyService
msftesqlnsServiceklvssbridge64vapiendpointShMonitor
SmcinstSmcServiceSntpServicesvcGenericHostSwi_
TmCCSFtmlistenTrueKeyTrueKeySchedulerTrueKeyServiceHelper
WRSVCMcTaskManagerOracleClientCache80mfefirewbengine
mfemmsRESvcmfevtpsacsvrSAVAdminService
SepMasterServicePDVFSServiceESHASRVSDRSVCFA_Scheduler
KAVFSKAVFS_KAVFSGTkavfsslpklnagentmacmnsvc
masvcMBAMServiceMBEndpointAgentMcShieldaudioendpointbuilder
AntivirusAVPDCAgentbedbgEhttpSrv
MMSekrnEPSecurityServiceEPUpdateServicentrtscan
EsgShKernelmsexchangeadtopologyAcrSch2SvcMSOLAP$TPSAMAIntel(R) PROSet Monitoring
msexchangeimap4ARSMunistoresvc_1af40aReportServer$TPSMSOLAP$SYSTEM_BGC
W3SvcMSExchangeSRSReportServer$TPSAMAZoolz 2 ServiceMSOLAP$TPS
aphidmonitorserviceSstpSvcMSExchangeMTAReportServer$SYSTEM_BGCSymantec System Recovery
UI0DetectMSExchangeSAMSExchangeISReportServerMsDtsServer110
POP3SvcMSExchangeMGMTSMTPSvcMsDtsServerIisAdmin
MSExchangeESEraserSvc11710Enterprise Client ServiceMsDtsServer100NetMsmqActivator
stc_raw_agentVSNAPVSSPDVFSServiceAcrSch2SvcAcronis
CASAD2DWebSvcCAARCUpdateSvcMcAfeeavpsusDLPAgentService
mfewcBMR Boot ServiceDefWatchccEvtMgrccSetMgr
SavRoamRTVsc screenconnectransomsqltelemetrymsexch
vncteamviewermsolapveeambackup
sqlmemtasvsssophossvc$
mepocswuauserv   

Drivers that Blackbyte can bypass:

360avflt.sys360box.sys360fsflt.sys360qpesv.sys5nine.cbt.sys
a2acc.sysa2acc64.sysa2ertpx64.sysa2ertpx86.sysa2gffi64.sys
a2gffx64.sysa2gffx86.sysaaf.sysaalprotect.sysabrpmon.sys
accessvalidator.sysacdriver.sysacdrv.sysadaptivaclientcache32.sysadaptivaclientcache64.sys
adcvcsnt.sysadspiderdoc.sysaefilter.sysagentrtm64.sysagfsmon.sys
agseclock.sysagsyslock.sysahkamflt.sysahksvpro.sysahkusbfw.sys
ahnrghlh.sysaictracedrv_am.sysairship-filter.sysajfsprot.sysalcapture.sys
alfaff.sysaltcbt.sysamfd.sysamfsm.sysamm6460.sys
amm8660.sysamsfilter.sysamznmon.sysantileakfilter.sysantispyfilter.sys
anvfsm.sysapexsqlfilterdriver.sysappcheckd.sysappguard.sysappvmon.sys
arfmonnt.sysarta.sysarwflt.sysasgard.sysashavscan.sys
asiofms.sysaswfsblk.sysaswmonflt.sysaswsnx.sysaswsp.sys
aszfltnt.sysatamptnt.sysatc.sysatdragent.sysatdragent64.sys
aternityregistryhook.sysatflt.sysatrsdfw.sysauditflt.sysaupdrv.sys
avapsfd.sysavc3.sysavckf.sysavfsmn.sysavgmfi64.sys
avgmfrs.sysavgmfx64.sysavgmfx86.sysavgntflt.sysavgtpx64.sys
avgtpx86.sysavipbb.sysavkmgr.sysavmf.sysawarecore.sys
axfltdrv.sysaxfsysmon.sysayfilter.sysb9kernel.sysbackupreader.sys
bamfltr.sysbapfecpt.sysbbfilter.sysbd0003.sysbddevflt.sys
bdfiledefend.sysbdfilespy.sysbdfm.sysbdfsfltr.sysbdprivmon.sys
bdrdfolder.sysbdsdkit.sysbdsfilter.sysbdsflt.sysbdsvm.sys
bdsysmon.sysbedaisy.sysbemk.sysbfaccess.sysbfilter.sys
bfmon.sysbhdrvx64.sysbhdrvx86.sysbhkavka.sysbhkavki.sys
bkavautoflt.sysbkavsdflt.sysblackbirdfsa.sysblackcat.sysbmfsdrv.sys
bmregdrv.sysboscmflt.sysbosfsfltr.sysbouncer.sysboxifier.sys
brcow_x_x_x_x.sysbrfilter.sysbrnfilelock.sysbrnseclock.sysbrowsermon.sys
bsrfsflt.sysbssaudit.sysbsyaed.sysbsyar.sysbsydf.sys
bsyirmf.sysbsyrtm.sysbsysp.sysbsywl.sysbwfsdrv.sys
bzsenspdrv.sysbzsenth.sysbzsenyaradrv.syscaadflt.syscaavfltr.sys
cancelsafe.syscarbonblackk.syscatflt.syscatmf.syscbelam.sys
cbfilter20.syscbfltfs4.syscbfsfilter2017.syscbfsfilter2020.syscbsampledrv.sys
cdo.syscdrrsflt.syscdsgfsfilter.syscentrifyfsf.syscfrmd.sys
cfsfdrvcgwmf.syschange.syschangelog.syschemometecfilter.sys
ciscoampcefwdriver.sysciscoampheurdriver.sysciscosam.sysclumiochangeblockmf.syscmdccav.sys
cmdcwagt.syscmdguard.syscmdmnefs.syscmflt.syscode42filter.sys
codex.sysconduantfsfltr.syscontainermonitor.syscpavfilter.syscpavkernel.sys
cpepmon.syscrexecprev.syscrncache32.syscrncache64.syscrnsysm.sys
cruncopy.syscsaam.syscsaav.syscsacentr.syscsaenh.sys
csagent.syscsareg.syscsascr.syscsbfilter.syscsdevicecontrol.sys
csfirmwareanalysis.syscsflt.syscsmon.syscssdlp.sysctamflt.sys
ctifile.sysctinet.sysctrpamon.sysctx.syscvcbt.sys
cvofflineflt32.syscvofflineflt64.syscvsflt.syscwdriver.syscwmem2k64.sys
cybkerneltracker.syscylancedrv64.syscyoptics.syscyprotectdrv32.syscyprotectdrv64.sys
cytmon.syscyverak.syscyvrfsfd.syscyvrlpc.syscyvrmtgn.sys
datanow_driver.sysdattofsf.sysda_ctl.sysdcfafilter.sysdcfsgrd.sys
dcsnaprestore.sysdeepinsfs.sysdelete_flt.sysdevmonminifilter.sysdfmfilter.sys
dgedriver.sysdgfilter.sysdgsafe.sysdhwatchdog.sysdiflt.sys
diskactmon.sysdkdrv.sysdkrtwrt.sysdktlfsmf.sysdnafsmonitor.sys
docvmonk.sysdocvmonk64.sysdpmfilter.sysdrbdlock.sysdrivesentryfilterdriver2lite.sys
drsfile.sysdrvhookcsmf.sysdrvhookcsmf_amd64.sysdrwebfwflt.sysdrwebfwft.sys
dsark.sysdsdriver.sysdsfemon.sysdsflt.sysdsfltfs.sys
dskmn.sysdtdsel.sysdtpl.sysdwprot.sysdwshield.sys
dwshield64.syseamonm.syseaseflt.syseasyanticheat.syseaw.sys
ecatdriver.sysedevmon.sysednemfsfilter.sysedrdrv.sysedrsensor.sys
edsigk.syseectrl.syseetd32.syseetd64.syseeyehv.sys
eeyehv64.sysegambit.sysegfilterk.sysegminflt.sysegnfsflt.sys
ehdrv.syselock2fsctldriver.sysemxdrv2.sysenigmafilemondriver.sysenmon.sys
epdrv.sysepfw.sysepfwwfp.sysepicfilter.sysepklib.sys
epp64.sysepregflt.syseps.sysepsmn.sysequ8_helper.sys
eraser.sysesensor.sysesprobe.sysestprmon.sysestprp.sys
estregmon.sysestregp.sysestrkmon.sysestrkr.syseventmon.sys
evmf.sysevscase.sysexcfs.sysexprevdriver.sysfailattach.sys
failmount.sysfam.sysfangcloud_autolock_driver.sysfapmonitor.sysfarflt.sys
farwflt.sysfasdriverfcnotify.sysfcontrol.sysfdrtrace.sys
fekern.sysfencry.sysffcfilt.sysffdriver.sysfildds.sys
filefilter.sysfileflt.sysfileguard.sysfilehubagent.sysfilemon.sys
filemonitor.sysfilenamevalidator.sysfilescan.sysfilesharemon.sysfilesightmf.sys
filesystemcbt.sysfiletrace.sysfile_monitor.sysfile_protector.sysfile_tracker.sys
filrdriver.sysfim.sysfiometer.sysfiopolicyfilter.sysfjgsdis2.sys
fjseparettifilterredirect.sysflashaccelfs.sysflightrecorder.sysfltrs329.sysflyfs.sys
fmdrive.sysfmkkc.sysfmm.sysfortiaptfilter.sysfortimon2.sys
fortirmon.sysfortishield.sysfpav_rtp.sysfpepflt.sysfsafilter.sys
fsatp.sysfsfilter.sysfsgk.sysfshs.sysfsmon.sys
fsmonitor.sysfsnk.sysfsrfilter.sysfstrace.sysfsulgk.sys
fsw31rj1.sysgagsecurity.sysgbpkm.sysgcffilter.sysgddcv.sys
gefcmp.sysgemma.sysgeprotection.sysggc.sysgibepcore.sys
gkff.sysgkff64.sysgkpfcb.sysgkpfcb64.sysgofsmf.sys
gpminifilter.sysgroundling32.sysgroundling64.sysgtkdrv.sysgumhfilter.sys
gzflt.syshafsnk.syshbflt.syshbfsfltr.syshcp_kernel_acq.sys
hdcorrelatefdrv.syshdfilemon.syshdransomoffdrv.syshdrfs.sysheimdall.sys
hexisfsmonitor.syshfileflt.syshiofs.syshmpalert.syshookcentre.sys
hooksys.syshpreg.syshsmltmon.syshsmltwhl.syshssfwhl.sys
hvlminifilter.sysibr2fsk.sysiccfileioad.sysiccfilteraudit.sysiccfiltersc.sys
icfclientflt.sysicrlmonitor.sysiderafilterdriver.sysielcp.sysieslp.sys
ifs64.sysignis.sysiguard.sysiiscache.sysikfilesec.sys
im.sysimffilter.sysimfilter.sysimgguard.sysimmflex.sys
immunetprotect.sysimmunetselfprotect.sysinisbdrv64.sysino_fltr.sysintelcas.sys
intmfs.sysinuse.sysinvprotectdrv.sysinvprotectdrv64.sysionmonwdrv.sys
iothorfs.sysipcomfltr.sysipfilter.sysiprotect.sysiridiumswitch.sys
irongatefd.sysisafekrnl.sysisafekrnlmon.sysisafermonisecureflt.sys
isedrv.sysisfpdrv.sysisirmfmon.sysisregflt.sysisregflt64.sys
issfltr.sysissregistry.sysit2drv.sysit2reg.sysivappmon.sys
iwdmfs.sysiwhlp.sysiwhlp2.sysiwhlpxp.sysjdppsf.sys
jdppwf.sysjkppob.sysjkppok.sysjkpppf.sysjkppxk.sys
k7sentry.syskavnsi.syskawachfsminifilter.syskc3.syskconv.sys
kernelagent32.syskewf.syskfac.syskfileflt.syskisknl.sys
klam.sysklbg.sysklboot.syskldback.syskldlinf.sys
kldtool.sysklfdefsf.sysklflt.sysklgse.sysklhk.sys
klif.sysklifaa.sysklifks.sysklifsm.sysklrsps.sys
klsnsr.sysklupd_klif_arkmon.syskmkuflt.syskmnwch.syskmxagent.sys
kmxfile.syskmxsbx.sysksfsflt.sysktfsfilter.sysktsyncfsflt.sys
kubwksp.syslafs.syslbd.syslbprotect.syslcgadmon.sys
lcgfile.syslcgfilemon.syslcmadmon.syslcmfile.syslcmfilemon.sys
lcmprintmon.sysldsecdrv.syslibwamf.syslivedrivefilter.sysllfilter.sys
lmdriver.syslnvscenter.syslocksmith.syslragentmf.syslrtp.sys
magicbackupmonitor.sysmagicprotect.sysmajoradvapi.sysmarspy.sysmaxcryptmon.sys
maxproc64.sysmaxprotector.sysmbae64.sysmbam.sysmbamchameleon.sys
mbamshuriken.sysmbamswissarmy.sysmbamwatchdog.sysmblmon.sysmcfilemon32.sys
mcfilemon64.sysmcstrg.sysmearwfltdriver.sysmessage.sysmfdriver.sys
mfeaack.sysmfeaskm.sysmfeavfk.sysmfeclnrk.sysmfeelamk.sys
mfefirek.sysmfehidk.sysmfencbdc.sysmfencfilter.sysmfencoas.sys
mfencrk.sysmfeplk.sysmfewfpk.sysminiicpt.sysminispy.sys
minitrc.sysmlsaff.sysmmpsy32.sysmmpsy64.sysmonsterk.sys
mozycorpfilter.sysmozyenterprisefilter.sysmozyentfilter.sysmozyhomefilter.sysmozynextfilter.sys
mozyoemfilter.sysmozyprofilter.sysmpfilter.sysmpkernel.sysmpksldrv.sys
mpxmon.sysmracdrv.sysmrxgoogle.sysmscan-rt.sysmsiodrv4.sys
msixpackagingtoolmonitor.sysmsnfsflt.sysmspy.sysmssecflt.sysmtsvcdf.sys
mumdi.sysmwac.sysmwatcher.sysmwfsmfltr.sysmydlpmf.sys
namechanger.sysnanoavmf.sysnaswsp.sysndgdmk.sysneokerbyfilter
netaccctrl.sysnetaccctrl64.sysnetguard.sysnetpeeker.sysngscan.sys
nlcbhelpi64.sysnlcbhelpx64.sysnlcbhelpx86.sysnlxff.sysnmlhssrv01.sys
nmpfilter.sysnntinfo.sysnovashield.sysnowonmf.sysnpetw.sys
nprosec.sysnpxgd.sysnpxgd64.sysnravwka.sysnrcomgrdka.sys
nrcomgrdki.sysnregsec.sysnrpmonka.sysnrpmonki.sysnsminflt.sys
nsminflt64.sysntest.sysntfsf.sysntguard.sysntps_fa.sys
nullfilter.sysnvcmflt.sysnvmon.sysnwedriver.sysnxfsmon.sys
nxrmflt.sysoadevice.sysoavfm.sysoczminifilter.sysodfsfilter.sys
odfsfimfilter.sysodfstokenfilter.sysoffsm.sysomfltlh.sysosiris.sys
ospfile_mini.sysospmon.sysparity.syspassthrough.syspath8flt.sys
pavdrv.syspcpifd.syspctcore.syspctcore64.syspdgenfam.sys
pecfilter.sysperfectworldanticheatsys.syspervac.syspfkrnl.syspfracdrv.sys
pgpfs.syspgpwdefs.sysphantomd.sysphdcbtdrv.syspkgfilter.sys
pkticpt.sysplgfltr.sysplpoffdrv.syspointguardvista64f.syspointguardvistaf.sys
pointguardvistar32.syspointguardvistar64.sysprocmon11.sysproggerdriver.syspsacfileaccessfilter.sys
pscff.syspsgdflt.syspsgfoctrl.syspsinfile.syspsinproc.sys
psisolator.syspwipf6.syspwprotect.syspzdrvxp.sysqdocumentref.sys
qfapflt.sysqfilter.sysqfimdvr.sysqfmon.sysqminspec.sys
qmon.sysqqprotect.sysqqprotectx64.sysqqsysmon.sysqqsysmonx64.sys
qutmdrv.sysranpodfs.sysransomdefensexxx.sysransomdetect.sysreaqtor.sys
redlight.sysregguard.sysreghook.sysregmonex.sysrepdrv.sys
repmon.sysrevefltmgr.sysreveprocprotection.sysrevonetdriver.sysrflog.sys
rgnt.sysrmdiskmon.sysrmphvmonitor.sysrpwatcher.sysrrmon32.sys
rrmon64.sysrsfdrv.sysrsflt.sysrspcrtw.sysrsrtw.sys
rswctrl.sysrswmon.sysrtologon.sysrtw.sysruaff.sys
rubrikfileaudit.sysruidiskfs.sysruieye.sysruifileaccess.sysruimachine.sys
ruiminispy.sysrvsavd.sysrvsmon.sysrw7fsflt.sysrwchangedrv.sys
ryfilter.sysryguard.syssafe-agent.syssafsfilter.syssagntflt.sys
sahara.syssakfile.syssakmfile.syssamflt.syssamsungrapidfsfltr.sys
sanddriver.syssanta.syssascan.syssavant.syssavonaccess.sys
scaegis.sysscauthfsflt.sysscauthiodrv.sysscensemon.sysscfltr.sys
scifsflt.syssciptflt.syssconnect.sysscred.syssdactmon.sys
sddrvldr.syssdvfilter.sysse46filter.syssecdodriver.syssecone_filemon10.sys
secone_proc10.syssecone_reg10.syssecone_usb.syssecrmm.syssecufile.sys
secure_os.syssecure_os_mf.syssecurofsd_x64.syssefo.syssegf.sys
segiraflt.syssegmd.syssegmp.syssentinelmonitor.sysserdr.sys
serfs.syssfac.syssfavflt.syssfdfilter.syssfpmonitor.sys
sgresflt.sysshdlpmedia.sysshdlpsf.syssheedantivirusfilterdriver.syssheedselfprotection.sys
shldflt.syssi32_file.syssi64_file.syssieflt.syssimrep.sys
sisipsfilefiltersk.sysskyamdrv.sysskyrgdrv.sysskywpdrv.sys
slb_guard.syssld.syssmbresilfilter.syssmdrvnt.syssndacs.sys
snexequota.syssnilog.syssnimg.syssnscore.syssnsrflt.sys
sodatpfl.syssoftfilterxxx.syssoidriver.syssolitkm.syssonar.sys
sophosdt2.syssophosed.syssophosntplwf.syssophossupport.sysspbbcdrv.sys
spellmon.sysspider3g.sysspiderg3.sysspiminifilter.sysspotlight.sys
sprtdrv.syssqlsafefilterdriver.syssrminifilterdrv.syssrtsp.syssrtsp64.sys
srtspit.sysssfmonm.sysssrfsf.sysssvhook.sysstcvsm.sys
stegoprotect.sysstest.sysstflt.sysstkrnl64.sysstoragedrv.sys
strapvista.sysstrapvista64.syssvcbt.sysswcommfltr.sysswfsfltr.sys
swfsfltrv2.sysswin.syssymafr.syssymefa.syssymefa64.sys
symefasi.syssymevent.syssymevent64x86.syssymevnt.syssymevnt32.sys
symhsm.syssymrg.syssysdiag.syssysmon.syssysmondrv.sys
sysplant.sysszardrv.sysszdfmdrv.sysszdfmdrv_usb.sysszedrdrv.sys
szpcmdrv.systaniumrecorderdrv.systaobserveflt.systbfsfilt.systbmninifilter.sys
tbrdrv.systdevflt.systedrdrv.systenrsafe2.systesmon.sys
tesxnginx.systesxporter.systffregnt.systfsflt.systgfsmf.sys
thetta.systhfilter.systhreatstackfim.systkdac2k.systkdacxp.sys
tkdacxp64.systkfsavxp.systkfsavxp64.systkfsft.systkfsft64.sys
tkpcftcb.systkpcftcb64.systkpl2k.systkpl2k64.systksp2k.sys
tkspxp.systkspxp64.systmactmon.systmcomm.systmesflt.sys
tmevtmgr.systmeyes.systmfsdrv2.systmkmsnsr.systmnciesc.sys
tmpreflt.systmumh.systmums.systmusa.systmxpflt.sys
topdogfsfilt.systrace.systrfsfilter.systritiumfltr.systrpmnflt.sys
trufos.systrustededgeffd.systsifilemon.systss.syststfilter.sys
tstfsredir.syststregredir.systsyscare.systvdriver.systvfiltr.sys
tvmfltr.systvptfile.systvspfltr.systwbdcfilter.systxfilefilter.sys
txregmon.sysuamflt.sysucafltdriver.sysufdfilter.sysuncheater.sys
upguardrealtime.sysusbl_ifsfltr.sysusbpdh.sysusbtest.sysuvmcifsf.sys
uwfreg.sysuwfs.sysv3flt2k.sysv3flu2k.sysv3ift2k.sys
v3iftmnt.sysv3mifint.sysvarpffmon.sysvast.sysvcdriv.sys
vchle.sysvcmfilter.sysvcreg.sysveeamfct.sysvfdrv.sys
vfilefilter.sysvfpd.sysvfsenc.sysvhddelta.sysvhdtrack.sys
vidderfs.sysvintmfs.sysvirtfile.sysvirtualagent.sysvk_fsf.sys
vlflt.sysvmwvvpfsd.sysvollock.sysvpdrvnt.sysvradfil2.sys
vraptdef.sysvraptflt.sysvrarnflt.sysvrbbdflt.sysvrexpdrv.sys
vrfsftm.sysvrfsftmx.sysvrnsfilter.sysvrsdam.sysvrsdcore.sys
vrsdetri.sysvrsdetrix.sysvrsdfmx.sysvrvbrfsfilter.sysvsepflt.sys
vsscanner.sysvtsysflt.sysvxfsrep.syswats_se.syswbfilter.sys
wcsdriver.syswdcfilter.syswdfilter.syswdocsafe.syswfp_mrt.sys
wgfile.syswhiteshield.syswindbdrv.syswindd.syswinfladrv.sys
winflahdrv.syswinfldrv.syswinfpdrv.syswinload.syswinteonminifilter.sys
wiper.syswlminisecmod.syswntgpdrv.syswraekernel.syswrcore.sys
wrcore.x64.syswrdwizfileprot.syswrdwizregprot.syswrdwizscanner.syswrdwizsecure64.sys
wrkrn.syswrpfv.syswsafefilter.syswscm.sysxcpl.sys
xendowflt.sysxfsgk.sysxhunter1.sysxhunter64.sysxiaobaifs.sys
xiaobaifsr.sysxkfsfd.sysxoiv8x64.sysxomfcbt8x64.sysyahoostorage.sys
yfsd.sysyfsd2.sysyfsdr.sysyfsrd.syszampit_ml.sys
zesfsmf.syszqfilter.syszsfprt.syszwasatom.syszwpxesvr.sys
zxfsfilt.syszyfm.syszzpensys.sys  

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

Source :
https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/