Let’s Break the Cyber Kill Chain: Break to Pieces! |EN

Alican Kiraz
6 min read · Apr 10, 2022

Endpoint Shield

Let’s review endpoint protection across the Exploitation, Installation, C2, and Actions phases, and try to block, at every step, the attacker strategies we learned in the previous article.
From the 4th link of the chain to the 7th, we can think of the processes as slices of a triangle, running from its base up to the apex at the endpoint.


4) Exploitation

Let’s examine Exploitation first. There are four controls we can monitor and enforce during the exploitation phase: Patching, Network Scanning, Anti-Exploitation, and Inventory. Let’s see what we will do at each of these checkpoints:

a. Patching and Inventory

We must constantly check the versions of every asset in our institution’s inventory and the vulnerabilities known in those versions. This flow can be evaluated within the framework of Continuous Vulnerability Management: we must track the security vulnerabilities published for the systems, services, operating systems, and program versions in our inventory.

https://www.dnsstuff.com/patch-management-best-practices

b. Network Scanning

One of the critical points is to know instantly what is happening on our endpoints: which services are running and which ports are open. It is also critical to know what an outsider would see when enumerating or banner grabbing our endpoints. In this way, we can improve the points that attract our attention.

c. Anti-Exploitation

Whatever we do, if an attacker finds a way to get a malicious file executed, we should not ignore the means of preventing it. The first thing that comes to mind is to configure the USB policy on clients; we can’t miss this. With programs such as Microsoft’s EMET and Exploit Guard, we can immediately interfere with the installation or execution of malicious files.

Network Protection blocking phishing test via Chrome browser — Microsoft

We can collect specific Event IDs from the system logs on clients with WEF (Windows Event Forwarding) and forward them to a central system such as a SIEM. Then we can correlate the logs, develop alarms, and stop the exploitation phase.
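As an added illustration of the correlation step (this is not code from the article), here is a SIEM-style rule over process-creation events (Security log event 4688) as they would arrive through WEF: it alerts when an Office application starts a script host, which is the behaviour the ASR rule “Block Office applications from creating child processes” is meant to stop, and escalates when one host repeats it within ten minutes. The events, host names and user names are constructed sample data.

```python
# Added example (not from the article): a SIEM-style correlation rule over
# process-creation events (Security log 4688) forwarded with WEF. All events
# and host/user names below are constructed sample data.
from datetime import datetime, timedelta

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"POWERSHELL.EXE", "CMD.EXE", "WSCRIPT.EXE", "CSCRIPT.EXE", "MSHTA.EXE"}
REPEAT_WINDOW = timedelta(minutes=10)  # two hits on one host inside this = high

# Constructed events as the collector would hand them to the rule engine.
EVENTS = [
    {"ts": "2022-04-10T09:00:05", "host": "WS-07", "id": 4688, "user": "CORP\\j.doe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2022-04-10T09:01:10", "host": "WS-02", "id": 4688, "user": "CORP\\a.roe",
     "parent": r"C:\Windows\explorer.exe", "new_process": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2022-04-10T09:02:00", "host": "WS-07", "id": 4624, "user": "CORP\\j.doe"},
    {"ts": "2022-04-10T09:04:30", "host": "WS-07", "id": 4688, "user": "CORP\\j.doe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "new_process": r"C:\Windows\System32\mshta.exe"},
]

def image_name(path):
    """Upper-cased file name from a Windows-style path."""
    return path.rsplit("\\", 1)[-1].upper()

def correlate(events):
    """Alert when an Office application starts a script host; escalate to 'high'
    when the same host already produced a hit inside REPEAT_WINDOW."""
    last_hit = {}  # host -> timestamp of the previous hit
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] != 4688:
            continue  # only process-creation events feed this rule
        parent, child = image_name(e["parent"]), image_name(e["new_process"])
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        ts = datetime.fromisoformat(e["ts"])
        prev = last_hit.get(e["host"])
        severity = "high" if prev and ts - prev <= REPEAT_WINDOW else "medium"
        last_hit[e["host"]] = ts
        alerts.append({"host": e["host"], "user": e["user"], "parent": parent,
                       "child": child, "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']}: {a['parent']} -> {a['child']}")
```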

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Source: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

5) Installation

Here are the steps by which we can prevent malicious content from being installed during the Installation phase. We will review EDR and EPP tools, Hardening, and Whitelisting.

a. EDR, EPP Tools

Antiviruses are the first tools that come to mind for blocking malicious files. They can catch malicious files before they run because they work from signatures. For the same reason, they are highly ineffective against unidentified or polymorphic malware that is not in the signature lists. Also, an AV may not analyze a program unless the malicious file is written to disk, which is why attackers favour techniques that keep their payload in RAM. Here, tools such as EDR come into play.

b. Hardening

First, we have to determine the users’ job profiles. Then we have to harden the user endpoints for each profile. For example, an employee working in the fashion department should not have PowerShell usage rights. And people working in critical roles or with critical data should have DLP agents installed and USB usage disabled. Correctly applied hardening techniques will protect us against harmful methods of operation.

c. Whitelisting

There are audit modes and blocking modes here. Audit mode is a preferable method: since auditing provides logging, the relevant SOC units will have direct oversight and can examine and monitor the event. Some of the tools that provide this capability are Linux AppArmor, Windows AppLocker, and macOS Gatekeeper.


6) C&C

“Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.” — MITRE ATT&CK (https://attack.mitre.org/tactics/TA0011/)

We will use our three most important weapons to prevent C&C activity: HIDS, NIDS, and host firewalls.

a. HIDS

The most critical aspect of a Host-Based IDS is collecting more detailed logs. This is the basis of systems such as Wazuh.

Wazuh Agent Basics

Rootcheck: This process performs multiple tasks to detect rootkits, malware, and system anomalies. It also performs certain basic security checks against system configuration files.

Log Collector: This component reads operating system and application log messages, including log files, standard Windows event logs, and even Windows Event Channels. It can also be configured to run specific commands periodically and capture their output.

Syscheck: This process performs file integrity monitoring (FIM) and can also monitor the registry on Windows systems. It can note the creation and deletion of files and detect changes in a file’s content, ownership, and other attributes. While it performs periodic FIM scans by default, it can also be configured to hook into the operating system kernel to detect file changes in real time and to produce a detailed change report for text files.
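To make the Syscheck idea concrete, here is an added minimal file integrity monitor (my own illustration, not Wazuh’s code): it baselines hash, size, permissions and owner of every file under a directory and, on the next scan, classifies files as added, deleted or modified, naming the attributes that changed. It builds and tampers with a temporary directory inline, so the tree, file names and contents are constructed.

```python
# Added example (not Wazuh's code): a minimal Syscheck-style file integrity monitor.
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map relative path -> (hash, size, mode, owner) for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            result[os.path.relpath(full, root)] = {"sha256": digest, "size": st.st_size,
                                                   "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return result

def diff(baseline, current):
    """Classify changes between two snapshots: added, deleted, modified (which attrs)."""
    report = {"added": [], "deleted": [], "modified": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["deleted"].append(path)
        else:
            changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
            if changed:
                report["modified"][path] = changed
    return report

def write(root, rel, data, mode="wb"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(data)

def demo():
    # Constructed tree: take a baseline, simulate four kinds of change, then diff.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "etc/motd", b"welcome\n")
        baseline = snapshot(root)
        write(root, "etc/passwd", b"svc:x:0:0::/:/bin/sh\n", "ab")  # content appended
        os.chmod(os.path.join(root, "etc/hosts"), 0o700)            # permissions changed
        write(root, "etc/new.conf", b"# constructed\n")              # file created
        os.remove(os.path.join(root, "etc/motd"))                    # file deleted
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```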

OpenSCAP: This module uses the published OVAL (Open Vulnerability Assessment Language) and XCCDF (Extensible Configuration Checklist Description Format) core security profiles. By periodically scanning a system, it can find vulnerable applications or configurations that do not follow well-known standards, such as those identified in CIS (Center for Internet Security) benchmarks.

Agent Daemon: This process receives the data created or collected by all the other agent components. It compresses, encrypts, and transmits the data to the server over an authenticated channel. The process runs in an isolated “chroot” environment with limited access to the monitored system, which improves the overall security of the agent, as it is the only process that connects to the network.


b. Host firewalls

It will be very effective to log the most commonly used ports (HTTP/HTTPS, SMB, SSH) and to control the dedicated ports of special tools. In addition, it will be very effective to whitelist various tools and to have a control in place whenever a new port is opened.
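An added example (not from the article) that serves both the Network Scanning point above, knowing which services listen on an endpoint, and the host-firewall control on newly opened ports: it parses two ss -ltnp-style snapshots, checks every listener against an allowlist of expected port/program pairs, and reports listeners that are new, unexpected, vanished, or that widened their bind address from loopback. The snapshots, the allowlist and the program names are constructed for the demo.

```python
# Added example (not from the article): audit an endpoint's listening ports
# against an allowlist of expected (port, program) pairs and against the
# previous snapshot. Both "ss -ltnp"-style snapshots are constructed text.
import re

BASELINE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
"""
CURRENT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      4096   0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      50     0.0.0.0:8081       0.0.0.0:*         users:(("python3",pid=2231,fd=3))
"""
# Expected listeners for this host's role (port -> program); assumed for the demo.
ALLOWLIST = {22: "sshd", 443: "nginx", 5432: "postgres"}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
def parse_listeners(text):
    """Return {(port, program): bind_address} for every LISTEN line."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[(int(m.group(2)), m.group(3))] = m.group(1)
    return listeners

def audit(baseline_text, current_text, allowlist):
    """Findings: listeners not in the allowlist, listeners new since the last
    snapshot, services that widened their bind from loopback, and vanished ones."""
    base, cur = parse_listeners(baseline_text), parse_listeners(current_text)
    findings = []
    for (port, prog), addr in sorted(cur.items()):
        if allowlist.get(port) != prog:
            findings.append(f"unexpected listener {prog} on {port}")
        if (port, prog) not in base:
            findings.append(f"new listener {prog} on {port} since last snapshot")
        elif base[(port, prog)].startswith("127.") and not addr.startswith("127."):
            findings.append(f"{prog} on {port} now bound to {addr} (was loopback)")
    for port, prog in sorted(set(base) - set(cur)):
        findings.append(f"listener {prog} on {port} disappeared")
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, ALLOWLIST):
        print("ALERT:", finding)
```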


c. NIDS

It will be beneficial to follow the network traffic with Network-based IDS. Zeek, Suricata, and Snort excel at this.

https://www.researchgate.net/figure/Working-of-NIDS-module_fig6_271614598

7) Action

In the case of Actions, detection is like a handbrake applied at the last moment. At this point, central logging and detection will be our most important assets, so logging policies and the correlation of logs should be the target.

We have come to the end of this article. Thank you for reading. I hope you like it.

Alican Kiraz

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...