------------------------------------------------------------------------------------- / _ \ \_\(_)/_/ _//"\\_ JOHLEM.net / \ https://johlem.net/V1/topics/cheatsheet.php ------------------------------------------------------------------------------------- --- CHEATSHEET CYBERARK ========================= 1- USER ACCOUNTS ========================= ---WHAT IS AN USER ACCOUNTS: User Accounts = (username + acount + privileges) used by employees that need to use a computer for their daily work an SSH key is an access credential in the SSH protocol its fonction is similar to that of user name and passwords. ---WHAT IS AN SUPER USER ACCOUNTS use for system adminstration / can install everything Super User Accounts = account administrator (ex: root, administrator, admin, supervisor, Sys (for oracle), Enable(for cisco_) linux id is 0 -- APPLICATION ACCOUNTS Special User Accounts for: A computer or group of application. more and more applications need to automatically connect to various systems, databases, networksm and others applications. password often stored within the application or an external configuration files. -- SERVICE ACCOUNTS A special user account that an application or service uses to interact with the operating system. Services use the Service Account to log on and make changes to the operating system of the configuration. example: the OS use Service Account to start services ####PRIVILEGED ACCOUNTS it4s any accounts who can access important or sensitive data (ex:protected health information, credit card numbers, social security numbers, intellectual property PRIVILEGED ACCOUNTS are: - Elevated personal user accounts It administrator / Executive Operational access Unrestricted access - Shared privileged accounts Windows administrator / UNIX root Business critical application sensitive data social media (can cause brand damage) - Application accounts Application Accounts / Service Accounts Communicate and share data Each of these Privilege account type should be garded and protected because powerfull. Bad use of theses account can cause discountinued business availability or compromise the compagny. Elevated personal user accounts TYPE: IT personnel accounts, executive accounts, SaaS administrators, local admin account. USED BY: IT staff, Executives, any employee. USED FOR: Privileged operations, access to sensitive data, managing web-based apps. Shared privileged accounts TYPE: Administrator, Root, Cisco Enable, Oracle SYS, Local Administrators USED BY: Application/scripts, windows services, scheduled tasks, batch jobs, scripts, other, developpers. USED FOR: privileged operationsm disaster recoverym emergency, administration, access to sensitive data. Application accounts TYPE: Service accounts, hard coded/embedded App IDs USED BY:Applications/scripts, Windows servicesm scheduled tasks, batch jobs, scripts, other, developers USED FOR: Online database access, batch processing, app-2-app communication. -- Privileged Accounts must be protected and monitored. 100% of breaches involved stolen credentials. APT intruders..prefer to leverage priviledged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts. ============================== 2- BUSINESS RISK - Insider Threat ============================== Unintentional Insiders: have no malicious intent but they can unintentionally put data and systems at risk. Malicious Insider: most difficult to detect, most costly, knowledge of, and access to sensitive information, can often legitimately bypass securoty measures. Exploited Insiders: mostly value compagny employee fishing. External Insiders: contractor, tier party vendor. user not managed by your organisation. process must be in place to regulate network access #Why Do insiders turn rogue ? - outside influence: their actions are coerced by crime ring or nation-state. - Anger: they feel as if their employer or manager has done something wrong. - Hacktivism: they are motivated by political or religious beliefs. - financial: they have a large debt. #How Malicious Insiders cause damage ? internal or external threat -> escalate priviledges -> perform reconnaissance -> move laterally -> disrupt business or exfitrate data. #How to Reducing Risk&Quickly Detecting insider threats. - Practice least privilege: reduce the attack surface to limit insider threat by restricting standard user privileges based on role. - Secure Privileged accounts: store privileged account credentials in a secure, central repository that supports strong access control, multi-factor authentication and full availability. Rotate credentials on a regular basis. - Appply Segregation of duties: segregate administrative duties based on privileged user specific roles. - Educate Users: train users to be aware of phishiing threats and how to identify fraudulent emails. - monitor and Audit Usage: monitor and analyze privileged user and account behavior to learn what's normal so you can more easily identify abnormalities that may indicate an attack or breach is in process. ============================== 3 - Business Risk – Targeted Attacks and the "attack life-cycle" ============================== What are targeted attacks: - specific target one compagny or one employee - persistence - considerable effort 1 - EXTERNAL RECONNAISSANCE: Collect enough intelligence to successfully attack an organization. Attack surface = total sum of vulnerabilities in a given computing network that are accessible to the hackers - unpatched systems - IP address ranges - open ports - target endpoints, list of servers.. 2 - BREACH Attacker tent to gain access by specific methods - spear-phishing attacks: electronic communications scam intended to steal data fro malicious purposes or to install malware on targeted user's computer. - zero-days exploits: a security hole that is exploited by hacker before the vendor becomes aware and hurries to fix it. - customized malware: Malicious software that avoids the detection capabilities of traditional security technologies. - drive-by-download: infect the computer simply by visiting a website that is running malicious code. - social engineering: the art of manipulating people so they give up confidential information. 3 - INTERNAL RECONNAISSANCE Purpose: Identify accounts that can get the attackers closer to their goal. - what Privileges do i have ? - which assets I can access ? - who are the privileged users ? 4 - LATERAL MOVEMENT Goal is to take control of other clients, servers, and Active Directory Domain Controllers. user of host discovering scan / tentative to mount network shared. the hacker now look like a legitimate user. 5 - DOMAIN CONTROLLER As soon as aattacker gain controle of a domain controller, they will try to elevate priviledge. to look for valuable data, or install ransomeware, etc 6 - EXFILTRATION - get bank account, or personal info, all valuable data - disrupt business ACTION AN COMPAGNY CAN TAKE TO STOP AN ATTACK endpoint protection - remove local admin rights from standard users - user multifactor authentification - control application to minimize malware and infection risks. - change administrative passwords frequently - patch systems to remediate known vulnerablities. - encourage users to be suspicious of unexprected emails. - require unique local admin passwords on each system. - proactively secure and monitor the use of high-value accounts. monitor and detect privileged threat - examine privileged session activity to detect insider threats. - analyse user and account behavious to detect anomalous activity. - segment the network to limit access to sensitive IT systems. - isolate and restrict access to critical systems. ============================== 4 - Business Risk – Ransomware ============================== infection -> retreive encryption key -> build file inventory -> attempt to propagate -> spread through the network -> encrypt, notify, repeat. polymorphic malware helps attacker evade detection. privileges most of ransomware need only Read, Write and Modify right to access and encrypt files. Almost all standard user have theses permission because this is same permission to things like edit excel files. HOW TO PROTECT AGAINST RANSOMWARE ? - protect the perimeter, but du to polymorphic design its very hard to do. - block the key server call out (but damage still possible) 20% success to stop. - Protection at file level (which proved to be most effective in lab test. GREYLIST 99.97% effective Unknow applications - > restricted mode: - no internet access - no access to network shares, server, etc - restrict read, write and modify permissions. RECOMMENDATIONS - whitelist applications on servers (servers are typically static, you already know waht applications and application version is running. You can build a Whitelist using this information. Once its done, your trusted "Whitelisted" application will be able to run as normal, and everything else will be blocked. - restrict permissions for unknow "Greylisted" application: On your endpoint, which are often dynamic and need to run a wide variety of applications, consider taking a Greylisting approach to application control. - remove local administrator rights form standard users (by simply removing these rightsm organizations can block most malware from running, and cause 10% of ransomware to fail immediately. - follow general best practices for anti-virus( traditional AV typically won't catch ransomware or targeted malware, but it can help prevent against more basic opportunistic malware. - be sure to stay up to date with data backup. ============================== 5 - CyberArk Blueprint for PAM (Privileged Access Management) Success ============================== - Prevent Credential Theft. - Stop Lateral & Vertical Movement. - Limit Privilege Escalation & Abuse. The CyberArk Blueprint provides geenral security best practives as wall as recommendations for organizations undergoig digital transformation: - Migrating to the cloud - Adopting DevOps - Leveraging SaaS-based critical business applications. CyberArk Blueprint => 3 Guiding principles: - Prevent credential Theft (prevent theft of critical credentials surch as IaaS admin, domain admins, or API keys Via: - session isolation. - hard coded credential removal. - theft detection and blocking. - Stop lateral & vertical movement (stop the pivoting from non-trusted devices to high-values cloud consoles or domain controllers through enforcement of credential boundaries, non-persistent access, and credential randomization. - Limit Privilege Escalation & Abuse (limit the ability to gain and/or misuse administrator privileges through strong least privilege, behavioral analytics and adaptive response. Always ask yourself: Will this use case help prevent credential theftm stop lateral & vertical movement, or limit privileged escalation & abuse ?" If the answer is no, then it may not be worth your time. --- PRINCIPLE 1: PREVENT CREDENTIAL THEFT: To steal data or damage internal systems, attackers first need to gain access to that data and those systems. (source code git repo, config files tomcat, fishing, keystroke..) - To prevent credential theft for humain session: leverage session isolation to allow users fill control of the privileged account as they would normally expect, but without ever showing or transmitting the actual secret value back to the end-user or their device. - To prevent credential theft for non-humain session: remove hard coded credentials by implementing a dynamic application access management control, which allows for on-demand, authenticated retrieval of application secrets at runtime. - At the OS level it is recommended to implement credential theft blocking controls directly. monitor common credential repository (LSASS process, browser caches, WinSCP, VNC, Service accounts, SML key repositories). Block access to any unapproved processes. By cutting off adversaries from their traditional sources of credentials, it becomes much more difficult to make headway in their attack. PRINCIPLE 2: STOPPING LATERAL AND VERTICAL MOVEMENT: - Access should be split up so separate accounts used for administering data center as opposed to servers. - randomize credentials and enforce Just-in-Time access. PRINCIPLE 3: LIMIT PRIVILEGE ESCALATION & ABUSE: (80%+ of breaches involve privileged accounts, escalating privileges is key). PROBLEM: - every sytem, application database, or cloud platform having its own built-in administrative credentials. - organization tend to over-privilege end-users and application processes by granting them full admin rights on a systems, without taking time to assess what specific privileges they truly need. TO SOLVE IT: its recommended to enforce least privilege to reduce the attack surface and control elevation. idea is Users are deployed as standard users and elevate access for specific, approved tasks on demand. its recommenced to analyses and monitoring credential session. apply adaptive response controls based on user activity to stop threats early. CYBERARK BLUEPRINT STAGES OVERVIEW Stage 1 - Rapid risk mitigation Secure privileged Ids that have the potential to control an entire environment. /// prevent credential theft Stage 2 - Core security Focus on locking down the most universal technology platforms. /// prevent credential theft Stage 3 - Enterprise Program Build PAS into the fabric of enterprise security strategy and paplication pipelines. ///stop lateral and vertical movement. Stage 4 - Mature the Program Mature existing controls and expand into advanced privileged access security. Stage 5 - advanced security look for new opportunities to shore up privileged access across the enterprise. SUMMARY The CyberArk Blueprint was designed to help organizations create strategic PAM Progran roadmaps to maximize success. for more details look for the CyberArk Blueprint for PAM Succuess whitepaper: www.cyberark.com/blueprint ============================== 6 - Introduction to DevOps and Secrets Management ============================== CI/CD Continuous Integration/ Continuous Delivery CI Server - Continuous Integration Server (ex: Jenkins, circleci, bamboo) these tools automate testing before new code is pushed into the source repository. CI server also alert the developper team if issue with code tests. |developper| -> | CI Server| -> |Production Server| Configuration Management - Enable the configuration fo infrastructure to be done "as code". The reason why we want everything "as code" is because: - code is exportable - code can have version - code is reproducible - code is scalable This is done using tool like: Ansible, Chef, puppet. this can configure any number of infrastructure items by using code. with same configuration on almost unlimited infra. this assure also predicability. SCM - Source Code Management (ex: bitbucket, github) - Store projects and to keep track of any and all changes - design new featues without the need to destroy working code They use Banche who take copy of your master branche, this enable developper to made change and to add it on the master branche. revision control, this keep old version and can contains credential if developper didn't removed it. => Best practise is to avoid putting hardcoded secrets in source code. PaaS - Platform as a Service (ex: Pivotal CF, OpenShift) Paas enables enterprises to easily move apps to different computer environments. CONTAINERS: make application development more efficient and faster compared to using VMs. container are throwaway - nothing should be stored in a container. A container is only the service or the application it runs. All data is stored somewhere else. DOCKER - The Docker image or file you've created will run on every Cloud provider or PaaS platform that supports a Docker engine. (can be on AWS, Azure, cloud foundry,etc) It's highly portable. If you need to make change it just update the docker file , delete the container, and spin up CONTAINER ORCHESTRATION PLATFORMS (ex:Mesos, docker swarm, rancher, nomad, kubernetes) Orchestration platforms start and stop containers and coordinate the process that compose an application. PaaS solution often include both a container and container orchestration platform. EPHEMERAL ENVIRONMENTS: Dynamic environment: rapidly changing / short lived Immutable infrastructure consists of immutable components that are replaced for every deployment. MICROSERVICES: are a suite of small service that are independently deployable Secret allows one entity to authenticate to another. secret can be anything ssh key, api keys, etc SUMMARY Devops is great but can take also serious security issues. to mitigate it: THis Solution should take secrets out fo source code, change secrets based on policy, rotates them, encrypt secret in transit and when stored, and provides tamper-proof audit records,. Organization should get a fully automated privileged access security and secrets management solution. ============================== 7 - [OPTIONAL] - CyberArk and the CyberArk solution ============================== ======================================================================================================================== PERSONAL NOTES: (source wikipedia: https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service) Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.[1] It also writes to the Windows Security Log. Forcible termination of lsass.exe will result in the system losing access to any account, including NT AUTHORITY, prompting a restart of the machine. Because lsass.exe is a crucial system file, its name is often faked by malware. The lsass.exe file used by Windows is located in the directory %WINDIR%\System32. If it is running from any other location, that lsass.exe is most likely a virus, spyware, trojan or worm. Due to the way some systems display fonts, malicious developers may name the file something like Isass.exe (capital "i" instead of a lowercase "L") in efforts to trick users into installing or executing a malicious file instead of the trusted system file.[2] Sasser (computer worm) spreads by exploiting a buffer overflow in the LSASS on Windows XP and Windows 2000 operating systems.