
Top 12 Tips to Enforce Firewall & Proxy Internal Controls

by Deodatta Wandhekar, Eleanor Barlow • Jan 2023

In most cases, attackers find ways inside your network via unknown IOCs. There are numerous ways to infiltrate through a weak link, but among the most used are phishing attacks and infiltration through exposed, unpatched services. Once inside, there are several default Windows tools, features and services which help attackers, and their lateral movements, go undetected without the need for malicious tools.

Below is a list of actions to take to enhance your internal controls.


1. Restrict Misuse of Powerful MS Signed Utilities

Sophisticated attacks perform advanced payload drops and lateral movement using default Windows utilities that were meant to provide additional features. Most of these utilities are only useful to IT admins; on most general users' machines they simply sit available for attackers to use.

It is recommended to restrict access to the following utilities:

2. Disable Cached Credentials

This feature is often leveraged by attackers to easily grab information. It must be disabled, in line with the best practices recommended by Microsoft. Most attackers may re-enable the WDigest credential by accessing the registry, so it must be ensured that this stays disabled. Learn how to do this, here.

3. Patching / Updating Applications

Patching applications is as important as applying system security updates, because attackers rely on unpatched applications on the systems to escalate privileges.

4. Block Remote Use of Local Accounts

This configuration can essentially pave the way for the “pass the hash” technique and lateral movement. It should be disabled as good security practice. View more on this, here.

5. Strictly No Default Accounts Across Entire Estate

Guessing default accounts and launching an attack on them is easy for a bad actor, and it creates the least noise by which an anomaly could be detected.

6. No Service Accounts Should be Allowed Interactive Logons

These accounts are targeted and noisy in general, which means that they must not be used for general admin activities. Keeping them out of such use helps catch anomalies and detect attacks early.

7. Prepare for the Worst – Backups are Extremely Important

Sophisticated attacks can target backups, and even restore capabilities, by going after Volume Shadow Copy services. Offline backups for critical infrastructure and the recovery plan should be updated regularly.

8. User Roles and Network Segregation

Network segregation and access segregation are equally important, both to make lateral movement difficult for an attacker and to reduce the attack surface.

Some quick tips:

  • Ensure no user has a flat network or application access. If needed, define a local application level or system level allow list.
  • Segregate all traffic through VLAN management and ACLs based on user role/department.

9. Define Every Single Expected Traffic Flow (Inbound and Outbound)

Outbound traffic is often neglected, and no network can be marked as a trusted network by default. Ensure that the most neglected protocols, such as DNS, NTP and HTTP, follow a standard path.

All this noisy traffic should follow a defined central path, using an internal forwarder/proxy, with the firewall as the final gateway. No endpoint should directly bypass this path unless it runs a legacy application that is not proxy-aware.

These simple-sounding controls help curb some of the methods attackers may use to bypass security controls and carry out the final escalation of an attack, whether by exfiltrating data or by establishing control with the C2.
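One way to check firewall logs against the defined flows described in tip 9, as an added example that is not part of the original article. The addresses, the five-field log format and the names `EGRESS_HOSTS`, `EXCEPTIONS`, `classify` and `find_violations` are assumptions made for illustration.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range
# Defined outbound flows (constructed): (protocol, port) -> hosts allowed to send it out.
EGRESS_HOSTS = {
    ("udp", 53): {"10.0.0.53"},    # internal DNS forwarder
    ("udp", 123): {"10.0.0.123"},  # internal NTP server
    ("tcp", 80): {"10.0.0.80"},    # web proxy
    ("tcp", 443): {"10.0.0.80"},
}
EXCEPTIONS = {("10.1.5.20", "203.0.113.10", "tcp", 443)}  # documented legacy app

# Constructed firewall log, one flow per line: src dst proto dport action
SAMPLE_LOG = """\
10.1.2.3 10.0.0.53 udp 53 allow
10.0.0.53 198.51.100.1 udp 53 allow
10.1.2.3 198.51.100.1 udp 53 allow
10.1.2.9 203.0.113.7 tcp 443 deny
10.1.5.20 203.0.113.10 tcp 443 allow
10.1.2.9 192.0.2.44 tcp 8443 allow
10.1.7.7 192.0.2.123 udp 123 allow
"""

def classify(src, dst, proto, dport):
    """Label one flow: internal, exception, defined, bypass or undefined."""
    if ipaddress.ip_address(dst) in INTERNAL:
        return "internal"      # east-west traffic, not an egress flow
    if (src, dst, proto, dport) in EXCEPTIONS:
        return "exception"
    allowed = EGRESS_HOSTS.get((proto, dport))
    if allowed is None:
        return "undefined"     # nobody defined this outbound protocol/port
    return "defined" if src in allowed else "bypass"

def find_violations(log_text):
    """Return allowed outbound flows that skipped the defined central path."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue           # skip blank or malformed lines
        src, dst, proto, dport, action = parts
        verdict = classify(src, dst, proto.lower(), int(dport))
        if action == "allow" and verdict in ("bypass", "undefined"):
            findings.append((verdict, src, dst, proto.lower(), int(dport)))
    return findings

if __name__ == "__main__":
    print(*find_violations(SAMPLE_LOG), sep="\n")
```

A `bypass` finding means the firewall let an endpoint reach the internet directly for a protocol that has a defined forwarder or proxy; an `undefined` finding means the firewall allowed an outbound flow that nobody documented.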

10. Disable Anonymous Logons

By default, this must be disabled, and no anonymous logons should be allowed. The only exception can be some printer services which still do not support authentication.

11. Disable SMBv1

Any obsolete protocol feature is bound to be leveraged by attackers, and SMBv1 is one of the most targeted features.

12. Disable all Unrequired Services, Especially on Servers

Most servers run with default services which are rarely or never used. All such non-essential services should be disabled to provide that extra layer of security, especially on servers. Examples include Bluetooth services on servers and Xbox Game Bar related services on endpoints.

Additionally, if there is no internal network firewall control, try to whitelist specific IP addresses which are allowed to access the server or application on a local level.
