Security Control Matrix

This matrix is a map that correlates attacker methodology with NIST 800-53 security controls. Each entry is listed as ATTACK METHODOLOGY / CONTROL:

  • Recon
    • General/Google
      • RA-3 RISK ASSESSMENT – you can only reduce exposure and can never “stop” general reconnaissance, but you damn well better know what you’re defending before the attacker starts to find out
    • Network scanning
      • CM-7 LEAST FUNCTIONALITY – show the attacker the smallest profile you can by turning off every service and port you don’t absolutely need
    • Sniffing
      • PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS – know where physical entry points might allow access to your network or equipment
      • IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION – don’t allow unauthorized devices on your network
      • AC-18 WIRELESS ACCESS – know what information is on your wireless network and make sure it is configured securely
  • Penetration
    • Perimeter
      • SC-7 BOUNDARY PROTECTION – use firewalls, routers, proxies, gateways, etc. to limit access and protect the perimeter
      • SI-2 FLAW REMEDIATION – patch known flaws
      • SI-4 INFORMATION SYSTEM MONITORING – use IDS/IPS to monitor traffic going across the perimeter
    • Wireless
      • AC-18 WIRELESS ACCESS – secure wireless configuration is essential
      • IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION – “port control” is needed to protect against rogue devices on your network
      • SI-4 INFORMATION SYSTEM MONITORING – monitor wireless activity, keeping an eye out for spoofing and rogue devices
    • Client side
      • SI-2 FLAW REMEDIATION – most conventional patching is aimed at operating systems – make sure your client-side tools are up to date also
      • SI-3 MALICIOUS CODE PROTECTION – anti-virus signatures won’t stop everything, but they help; keep them up to date
      • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – check system event logs on a regular basis, looking for evidence of abnormal activity
      • SI-4 INFORMATION SYSTEM MONITORING – keep an eye on your network at all times
    • Application
      • SI-2 FLAW REMEDIATION – in addition to operating systems and client tools, applications may need to be patched also
      • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – check system event logs on a regular basis, looking for evidence of abnormal activity
      • SI-4 INFORMATION SYSTEM MONITORING – keep an eye on your network at all times
    • Physical
      • PE-3 PHYSICAL ACCESS CONTROL – if an attacker gets physical access to systems, you must assume they own them
      • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY – it is imperative to know what is on your network
      • IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION – this protects against rogue devices being added to the network
      • AC-11 SESSION LOCK – don’t make it easy for an attacker who is inside your building to sit down at a workstation that is logged in and start taking over your network
      • PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS – know where the key stuff is so you can add extra protection
  • Entrench
    • Whoami
      • AC-6 LEAST PRIVILEGE – this control forces the attacker to proceed to an attempt to escalate privileges
    • Escalate privileges
      • SI-2 FLAW REMEDIATION – most privilege escalation techniques (but not all) are exploits that can be prevented by patching
    • Pull password hashes and crack them
      • IA-5 AUTHENTICATOR MANAGEMENT – password strength requirements increase the amount of time it takes to crack hashes
      • CM-6 CONFIGURATION SETTINGS – make sure weak hash formats are not being used (LM hashes are not safe)
    • Add an admin user
      • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – keep watching those event logs and make sure you can identify events that should send up a red flag
    • Ensure future access
      • CM-7 LEAST FUNCTIONALITY – don’t grant local admin rights unless they are really needed, and when you must, think carefully about how best to do it
    • Exfiltrate data
      • CM-7 LEAST FUNCTIONALITY – make it as difficult as possible for the successful attacker to do anything at all; don’t just hand over access rights easily
      • AU-13 MONITORING FOR INFORMATION DISCLOSURE – in addition to internal monitoring, watch external sources for any indication of information leakage
      • SI-4 INFORMATION SYSTEM MONITORING – keep an eye on your network at all times
  • Pivot: recon, relay, agents, meterpreter
    • CA-7 CONTINUOUS MONITORING – this takes many forms:
      • SI-4 INFORMATION SYSTEM MONITORING
      • RA-5 VULNERABILITY SCANNING
      • SI-7 SOFTWARE AND INFORMATION INTEGRITY
      • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
  • Disrupt
    • Alter data
      • SI-7 SOFTWARE AND INFORMATION INTEGRITY – use integrity checking to ensure files have not been altered without authorization
    • Alter configurations
      • CM-5 ACCESS RESTRICTIONS FOR CHANGE – define special restrictions to limit the ability to make configuration changes to system components
    • Denial of service
      • SC-5 DENIAL OF SERVICE PROTECTION – employ techniques to limit or prevent the effects of these attacks
    • Extortion
      • AT-2 SECURITY AWARENESS – make sure your users are aware of social engineering, have some clue about how to handle it, and know whom to report incidents to
      • IR-4 INCIDENT HANDLING – does your incident response plan need to cover extortion or blackmail?
  • Counter Defense
    • Stealth
      • SC-31 COVERT CHANNEL ANALYSIS – analyze your system communications to identify potential for covert timing and storage channels
    • Situational awareness
      • CM-7 LEAST FUNCTIONALITY – don’t make it easy for the attacker to know what’s going on inside your network; shut down everything you don’t need, make it hard, slow them down
    • OODA loops
      • IR-3 INCIDENT RESPONSE TESTING AND EXERCISES – OODA loop tactics involve getting “inside” the response time of an opponent; practicing incident response operations can shorten response times
      • RA-3 RISK ASSESSMENT – you must know what you are defending BEFORE the attacker does or you have lost the battle of OODA tactics
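As an added example for the AU-6 entry under “Add an admin user” (not part of the original matrix), here is the kind of red-flag check the log review should be able to make: correlate a Windows Security event 4720 (user account created) with a following 4732 (member added to a security-enabled local group) that targets the Administrators group. The event IDs and the Administrators SID are the real ones; the record layout, field names and sample events are constructed for this example.

```python
"""Flag accounts that are created and then promoted to Administrators shortly after."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=30)       # creation-to-promotion gap that counts as a red flag

# Constructed sample records (not real logs). Each record carries the timestamp,
# the event ID, who performed the action, the account affected and, for 4732,
# the SID of the group the account was added to.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:11:05", "id": 4720, "subject": "WS07\\helpdesk", "target": "svc_backup2", "group": None},
    {"time": "2024-03-01T02:11:09", "id": 4732, "subject": "WS07\\helpdesk", "target": "svc_backup2", "group": "S-1-5-32-544"},
    {"time": "2024-03-01T09:30:00", "id": 4720, "subject": "CORP\\itadmin", "target": "jsmith", "group": None},
    {"time": "2024-03-01T09:31:12", "id": 4732, "subject": "CORP\\itadmin", "target": "jsmith", "group": "S-1-5-32-545"},  # Users group: normal
    {"time": "2024-03-02T14:00:00", "id": 4732, "subject": "CORP\\itadmin", "target": "jdoe", "group": "S-1-5-32-544"},  # no matching 4720
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_new_admin_accounts(events, window=WINDOW):
    """Return one alert per account that was created (4720) and added to
    Administrators (4732) within `window`. Events may arrive in any order."""
    created = {}  # target account -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (when, ev["subject"])
        elif ev["id"] == 4732 and ev["group"] == ADMINISTRATORS_SID:
            hit = created.get(ev["target"])
            if hit and when - hit[0] <= window:
                alerts.append({
                    "account": ev["target"],
                    "created_by": hit[1],
                    "promoted_by": ev["subject"],
                    "seconds_between": int((when - hit[0]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_new_admin_accounts(SAMPLE_EVENTS):
        print(f"RED FLAG: {a['account']} created by {a['created_by']} and made admin "
              f"by {a['promoted_by']} {a['seconds_between']}s later")
```

The unmatched 4732 for `jdoe` is deliberately not flagged here; a production rule would usually still report any addition to Administrators, just at a lower severity.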

NOTE – all NIST 800-53 controls are designed to be “general guidance” so that they can be applied to a wide range of systems and situations and may need to have tailoring and supplementing processes applied to them to make them most effective in a particular environment.

SEE ALSO:
Security Control Implementation
Attack Methodology
