I have recently started taking SEC566 with James Tarala via SANS on the CSC 20 Critical Controls and decided it would be a great blog series to do a quick overview of each of the controls, and how you could start implementing them on your network. This is by no means an in-depth breakdown of each control, but more of a quick read to get you thinking about what you are currently doing, or what you can start doing to shore up your defences.
CSC #1 Inventory and Control of Hardware Assets
Even though it seems a simple enough question, many organizations struggle with knowing what devices are on their network. But, if you think about it, how can you possibly begin to think about defending your network if you don’t know what to defend in the first place? This should probably be where a security team starts if they want to begin down the path of defending their network. Even if you are a highly mature security team but aren’t doing this, START NOW, because it can be hard. Let’s break down some great ways to do this.
A good place to start is by setting up an active discovery tool. Don’t feel bad about using a vulnerability scanner here like Nessus, Qualys, or Nexpose to help create an inventory. They do the job quite well, and if you are already using one you don’t have to worry about forking out the extra money to buy an active discovery tool that does this exclusively. Although there are some great tools like Tanium that can do this very well… at a cost. Even Nmap with Ndiff can do this for you, and they are completely free. In conjunction with an active discovery tool you also want to implement a passive discovery tool. IPAM is a great place to start and there are several to look into. With these two you now have:
1) A way to go around your network intentionally looking for devices connecting to your network.
2) Another that monitors broadcast traffic on your network. Think Bro with user agent strings.
[Screenshot: Bro capturing IP addresses and services]
[Screenshot: Bro capturing User Agent strings]
The above two screenshots highlight how Bro can passively capture information about systems on your network.
Next, you may want to enable DHCP logging on your network. The average attacker generally sits on a network for several months (around 270 days according to Mandiant) before they get discovered. Without DHCP logging, it can be incredibly difficult to go back and look at the information on a particular IP address from a potential incident several months ago. So what are you supposed to do with this inventory and logging?
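To show what DHCP logging buys you in that "several months ago" scenario, here is an added example (my own, not from the course or the post) that parses a few constructed ISC dhcpd syslog lines and answers "which MAC held this IP at this time?", honouring releases in between. It assumes the stock dhcpd DHCPACK/DHCPRELEASE message format and that the caller supplies the year, since syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed ISC dhcpd syslog lines (not from a real server); syslog omits the year.
DHCP_LOG = """\
Mar  3 08:02:11 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.21 to aa:bb:cc:dd:ee:01 (ws01) via eth0
Mar  3 09:40:55 dhcp1 dhcpd[812]: DHCPRELEASE of 10.0.0.21 from aa:bb:cc:dd:ee:01 (ws01) via eth0 (found)
Mar  3 09:41:30 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.21 to aa:bb:cc:dd:ee:09 (guest-nb) via eth0
Mar  3 10:15:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.22 to aa:bb:cc:dd:ee:03 via eth0
"""

_STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
ACK = re.compile(_STAMP + r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?")
REL = re.compile(_STAMP + r"DHCPRELEASE of (\S+) from ([0-9a-f:]{17})")

def _ts(text, year):
    """Parse a syslog timestamp; the year is supplied by the caller (assumption)."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def parse_leases(log_text, year):
    """Return time-ordered (timestamp, ip, mac, hostname) events; mac None means a release."""
    events = []
    for line in log_text.splitlines():
        if m := ACK.match(line):
            events.append((_ts(m.group(1), year), m.group(2), m.group(3), m.group(4)))
        elif m := REL.match(line):
            events.append((_ts(m.group(1), year), m.group(2), None, None))
    return sorted(events, key=lambda e: e[0])

def who_had_ip(log_text, ip, when, year):
    """Return (mac, hostname) that held `ip` at syslog-style time `when`, or None."""
    target, holder = _ts(when, year), None
    for ts, ev_ip, mac, host in parse_leases(log_text, year):
        if ev_ip == ip and ts <= target:
            holder = (mac, host) if mac else None  # a release clears the holder
    return holder
```

Note that between the release at 09:40:55 and the next ACK the address has no holder, which is exactly the ambiguity you cannot resolve without the log.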
Simply having this information sitting in a log or file somewhere isn’t going to be much help. Knowing what devices are on your network is cool and all, but information ABOUT those devices is much, much cooler, and can save a ton of time.
Each device on your network should also have accompanying information linked to it like:
- The name of the device
- Data asset owner (who commissioned that machine)
- Hardware address
- Network address
- If that device has even been approved to be on the network in the first place
- Any other information you and your team find valuable
It should go without saying, but when information like this is put together and a device accesses your network that isn’t authorized, make sure there is a plan in place to either remove that device within a time frame agreed upon by your team or to authorize it. It also helps answer the question: what is this?
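Here is an added example (mine, not from the course or the post) that ties the active discovery step and the inventory fields above together: it parses a constructed `nmap -sn -oX` sweep, keys each live host on its hardware address, and reconciles it against a constructed inventory CSV with the name/owner/MAC/IP/approved fields, bucketing devices into never inventoried, inventoried but not approved, moved IP, and inventoried but not seen. The inventory columns and the "unknown"/"unapproved" bucket names are my own choices.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX` output (ARP/ping sweep), not a real scan.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 10.0.0.0/28">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/><address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
<hostnames><hostname name="ws01.corp.example" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.8" addrtype="ipv4"/><address addr="AA:BB:CC:DD:EE:03" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.9" addrtype="ipv4"/><address addr="AA:BB:CC:DD:EE:09" addrtype="mac"/></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed inventory with the post's fields: name, owner, hardware/network address, approved.
INVENTORY_CSV = """name,owner,mac,ip,approved
ws01,jsmith,aa:bb:cc:dd:ee:01,10.0.0.5,yes
printer01,facilities,aa:bb:cc:dd:ee:02,10.0.0.6,yes
contractor-nb,unassigned,aa:bb:cc:dd:ee:03,10.0.0.8,no
"""

def parse_nmap_hosts(xml_text):
    """Map MAC -> {ip, hostname} for every host nmap reported as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        mac = addrs.get("mac", "").lower()
        if not mac:
            continue  # no ARP reply (host on another subnet): nothing to key on
        hn = host.find("hostnames/hostname")
        hosts[mac] = {"ip": addrs.get("ipv4"), "hostname": None if hn is None else hn.get("name")}
    return hosts

def load_inventory(csv_text):
    """Map MAC -> inventory row, keyed on the hardware address."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(nmap_xml, inventory_csv):
    """Bucket MACs: never inventoried, inventoried but not approved, moved IP, or not seen."""
    seen, inv = parse_nmap_hosts(nmap_xml), load_inventory(inventory_csv)
    return {"unknown": sorted(m for m in seen if m not in inv),
            "unapproved": sorted(m for m in seen if m in inv and inv[m]["approved"] != "yes"),
            "ip_changed": sorted(m for m in seen if m in inv and inv[m]["ip"] != seen[m]["ip"]),
            "missing": sorted(m for m in inv if m not in seen)}
```

Run the sweep on a schedule and feed each result through `reconcile`; the "unknown" and "unapproved" buckets are the devices your removal-or-authorization plan should act on, and "missing" is your cue to chase the asset owner.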
Now that we have captured this information, let’s look at a more preventative approach to devices trying to get on your network, and how to secure that. Two great practices for your organization are to require 802.1X with NAC, and client-side certificates, to authenticate anything connecting to your network. This doesn’t just mean endpoint laptops and desktops, but servers and phones as well.
You most likely will be looking into a commercial solution like Cisco ISE or ForeScout for this. But, remember, implementing the controls is about finding the quick, easy wins and working your way up to more complicated solutions. Just consider a commercial NAC solution a future point on your security roadmap.
Now, at this point I know some readers might feel a little overwhelmed with where to even begin with this, or feel like this just isn’t possible.
I have had several conversations with individuals who are the only security personnel for their company. Tackling this first step alone can be daunting, and it might seem like you will have to break the budget to get started. Or, you might be thinking that you’ve got this locked down and completely figured out. Either way, I wanted to provide some free or open source tools that are available for you to get a better handle on this task. Automation is optimal here, but if money is an issue, then check out these free tools below:
On a final note, there is no need to rush this. Don’t give up nights, weekends, or holidays with family, just because you can’t convince management to throw down some money to help automate this or get a tool to help you. This shouldn’t be something you worry about getting perfect by next week. Security isn’t a destination, it’s a process, and this is just the first step for what you can do to get a handle on it.