Application Approved Lists

Antivirus, firewall, and endpoint security management systems generally have application approved lists, sometimes called application whitelists. If you are currently using a block list, you might consider also implementing an application approved list, one that is centrally managed, which gives you more granular control. Application approved lists are where you spend the time up front building the allow list of approved applications. Then with your central management or endpoint security solution, you roll out the allow list enterprisewide. After an incident, you should spend the time building or updating an application approved list and then enable and enforce it. It will keep users from installing unauthorized applications that could lead to breaches. Figure 29-1 shows a typical approved list in Windows. Each application that is loaded or installed shows up on the list, and you can also import applications. Selecting the box to the left of the application allows you to deny or approve the application.

Application Block List/Deny List

An application block list or deny list is a basic access control mechanism that denies specific applications or code on the list from being installed or run. After an incident, part of the mitigation strategies should be to review all rogue and unauthorized applications that were installed by the attacker. You can start with these reports to help build your block list/deny list; there are also public block lists you can use to add to your own list. The problem with block lists is the upkeep and maintenance. It’s a simple process for attackers to use renamed or rehashed applications to bypass these lists.

Quarantine

The quarantine function is to safely store reported objects such as malware, infected files, or potentially unwanted applications. If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, it quarantines suspicious files. By default, the Microsoft Defender Antivirus virus quarantine storage is located under the following path: C:ProgramDataMicrosoftWindows DefenderQuarantine. Defender creates a threat log during an investigation. This should be one of the places investigators check first for evidence and history of suspect files.

Reverse-engineering these quarantined files can provide insight into the attacker who created, modified, or used the files. After the investigation has wrapped up, the security team should review all files that were quarantined and all those that were missed but eventually were found; reviewing them provides an opportunity to increase the efficacy of the suspect files and increase quarantine. Each antivirus program quarantines its files in different locations. You need to research the antivirus application to locate the files but should be careful when interacting with files in this location.

Figure 29-2 shows the Microsoft Defender Antivirus interface for virus and threat protection, currently running a scan. With managed settings, you can configure multiple items and view logs.

Firewall Rules

The firewall was introduced back in 1988, and currently, there are many brands and types of firewalls on the market. These firewalls differ not only in cost but also their functionalities. The firewall at the perimeter of a network is the first line of defense against external attacks. To mitigate the attacks, the firewall divides the network into two zones:

• Trusted Zone: Authorized users are in a private network or access a private network.

• Least-Trusted Zone: Users from the Internet are trying to access the private network.

The job of the firewall is to either permit or deny the traffic based on the firewall rules. Firewalls filter packets and mitigate attacks; by utilizing best practices and consistent audits before and after attacks, you can reduce exposure and risk. First, you should utilize the National Institute of Standards and Technology (NIST) SP 800-41 guidelines on firewalls. Firewall policies are addressed in Chapter 4 of that document: Chapter 4.1 describes policies based on IP addresses and protocols; Chapter 4.2 addresses policies based on applications; and Chapter 4.3 addresses policies based on user identity. Adherence to the rule of zero trust and least privilege should always be the goal.

MDM

Mobile device management (MDM) provides functionality and control over enterprise devices by enabling the enrollment of enterprise devices for management functions, such as provisioning devices, tracking inventory, changing configurations, updating, managing applications, and enforcing policies. Unified endpoint management (UEM) expands on MDM by providing unified capabilities and also including content and threat management, identity and access management, and application containerization.

Many organizations administer devices and applications using MDM products/services. MDM primarily deals with segregating corporate data, securing emails, securing corporate documents on devices, enforcing corporate policies, and integrating and managing mobile devices, including laptops and handhelds of various categories. MDM implementations may be either on-premises or cloud-based.

Following are some of the core functions of MDM:

• Ensuring that diverse user equipment is configured to a consistent standard/supported set of applications, functions, or corporate policies

• Updating equipment, applications, functions, or policies in a scalable manner

• Ensuring that users use applications in a consistent and supportable manner

• Ensuring that equipment performs consistently

• Monitoring and tracking equipment (such as location, status, ownership, activity)

• Being able to efficiently diagnose and troubleshoot equipment remotely

MDM functionality can include over-the-air distribution of applications, data, and configuration settings for all types of mobile devices. Most recently, laptops and desktops have been added to the list of systems supported as mobile device management becomes more about basic device management and less about the mobile platform itself. MDM tools are leveraged for both company-owned and employee-owned devices across the enterprise or mobile devices owned by consumers. Consumer demand for bring your own device (BYOD) is now requiring a greater effort for MDM and increased security for both the devices and the enterprise they connect to, especially because employers and employees have different expectations concerning the types of restrictions that should be applied to mobile devices.

Mobile devices are essentially general-purpose computing platforms. They are not restricted to performing one operation and can instead be used in many different fields including medical, industrial, and entertainment. Commercially available mobile devices lack a unified set of features. Each new feature or capability has the potential to introduce new threats to security and privacy. It is important to establish a baseline understanding of the changes that are common to mobile devices. Mobile platforms have several attack vectors that need to be considered: hardware, firmware, mobile OS, applications, and the device combination. Figure 29-3 highlights the various attack vectors on a mobile device.

Data Loss Prevention

Data loss prevention (DLP) is an end-to-end goal to make sure that users do not send sensitive or critical information outside the corporate network. The term routinely describes software products that help a network administrator control the data that users can view or transfer. Intellectual property, corporate data, and customer data are some of the types of data you would use a DLP system or software to help protect against exfiltration. These systems, if configured correctly, can also alert you to an unauthorized person (attacker) attempting to transfer data that is classified as sensitive. After an incident, if it is determined that the DLP system not only missed the removal of sensitive documents but did not alert you, you will need to review the policies, restrictions, and alerts that are currently configured and review the attack account to determine what was removed and then document, reconfigure, and test. Your data is not only in your data center but also likely in one or more cloud services. Therefore, you must make sure your DLP system extends to your cloud assets and is enforced. All cloud systems should be considered base components of your data repositories. Because most DLP systems are centrally managed and contain central policies, a routine process should include reviewing and testing each rule. DLP policies can reach down into the endpoint to ensure unauthorized USB thumb drives and other types of unapproved media are disallowed and alerted on. If your DLP solution has these or other capabilities, you should review each item and enforce where corporate policy allows.

Content Filter/URL Filter

Web content filtering is the practice of blocking access to web content that may be deemed offensive or inappropriate, or even contain dangerous items. Often after an investigation you will find that the attacker used a URL or keyword that was not properly blocked, sanitized, or removed from the email or web page; that may have led to the exposure or compromise. Numerous no-cost external third-party lists can help start your base list. Most modern content filter systems should have a subscribe to list that consistently updates the system automatically for questionable URLs and content. On top of that you should add/update the lists to ensure you are blocking sites involved in the compromise. Figure 29-4 shows how a content filter works.

Update or Revoke Certificates

Certificates are among the most important methods for authorizing device access to your network. When one of these systems or hosts has been compromised, lost, stolen, or taken over, it is important to act quickly to remove or revoke the certificate authorizing access. Certificate revocation is the act of invalidating TLS/SSL certificate access before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised. To revoke a certificate from a certificate authority (CA), each system has specific tasks/requirements; in Microsoft, the MMC snap-in allows you to right-click on it in the Issued list, go to All Tasks, and then choose Revoke Certificate. The interface then asks you for a reason code and a timestamp. You enter the data as required and then select OK.

Figure 29-5 shows how a client’s web browser checks the status of the certificate by checking a certificate revocation list (CRL) of the CA.

Runbooks

A runbook consists of a series of conditional steps to perform actions such as enriching data, containing threats, and sending notifications automatically as part of the incident response or security operations process. This automation helps accelerate the assessment, investigation, and containment of threats to speed up the overall incident response process. Runbooks can also include human decision-making elements as required, depending on the particular steps needed within the process and the amount of automation the organization is comfortable using. Like playbooks (described in the next section), runbooks can also be used to automatically assign tasks that will be carried out by a human analyst; however, most runbooks are primarily action-based. Figure 29-7 shows a typical automated runbook process flow. When building runbooks, you select components and tie them together to create the desired process flow. Here you can assume a file will be checked as a virus, so you start with the “Start” process. Next, the DNS service does a reverse lookup, potentially obtaining the validity of the file. After that, two processes run: a hash is taken and compared, and the file is submitted to Virus Total to see whether it has previously been reported as a virus. Runbooks can also provide step-by-step processes that a person should follow.

Playbooks

A SOAR playbook is a linear-style electronic checklist of required steps and actions needed to successfully respond to specific incident types or threats. Incident response playbooks provide a simple top-down step-by-step approach to orchestration. They help establish formalized incident response processes and procedures within investigations by identifying required steps systematically followed, which can help meet and comply with regulatory requirements. Playbooks support both human and automated actions. An effective use of SOAR playbooks is to document processes and procedures that rely heavily on tasks that humans carry out manually, such as breach notification or highly technical processes such as adding IP addresses to firewalls.

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.