4.4 Mitigation Techniques or Controls Flashcards
Endpoint Security Configuration -
a remote computing device that communicates back and forth with a network to which it is connected.
• The end user device
– Desktop PC, laptop, tablet, phone, etc.
• Many ways to exploit a system
– OS vulnerability, malware, user intervention
• Security team has to cover all of the bases
– Recognize and react to any malicious activity
The endpoint
Endpoint Security Configuration -
• Any application can be dangerous
– Vulnerabilities, trojan horses, malware
– Security policy can control app execution
• Approved list
– Nothing runs unless it’s approved
– Very restrictive
• Blocklist / deny list
– Nothing on the “bad list” can be executed
– Anti-virus, anti-malware
• Quarantine
– Anything suspicious can be moved to a safe area
Application approved/deny lists
Endpoint Security Configuration -
• Decisions are made in the operating system
– Often built in to the operating system management
– Application hash
• Only allows applications with this unique identifier
• Certificate
– Allow digitally signed apps from certain publishers
• Path
– Only run applications in these folders
• Network zone
– The apps can only run from this network zone
Examples of application approval lists
Security Configuration -
• Firewall rules
– Manage application flows
– Block dangerous applications
• Mobile Device Manager (MDM)
– Enable or disable phone and tablet functionality
– Regardless of physical location
• Data Loss Prevention (DLP)
– Block transfer of personally identifiable information (PII) or sensitive data
– Credit card numbers, social security numbers, etc.
• Content filter/URL filter
– Limit access to untrusted websites
– Block known malicious sites
– Large blocklists are used to share suspicious site URLs
• Updating or revoking certificates
– Manage device certificates to verify trust
– Revoking a certificate effectively removes access
Configuration changes
Security Configuration -
• Administratively isolate a compromised device from everything else
– Prevent the spread of malicious software
– Prevent remote access or C2 (Command and Control)
• Network isolation - the segmenting of a computer network into separate zones with distinct trust levels, for the purpose of containing hazards or reducing damage caused by a threat actor, is a hallmark of nearly every security-minded network design.
– Isolate to a remediation VLAN
– No communication to other devices
• Process isolation - a set of different hardware and software technologies designed to protect each process from other processes on the operating system. It does so by preventing process A from writing to process B.
– Limit application execution
– Prevent malicious activity but allow device management
Isolation
Security Configuration -
• Application containment
– Run each application in its own sandbox
– Limit interaction with the host operating system and other applications
– Ransomware would have no method of infection
• Contain the spread of a multi-device security event, i.e., ransomware
– Disable administrative shares
– Disable remote management
– Disable local account access and change local administrator password
Containment
Security Configuration -
a virtual process that creates variable-sized address spaces in computer storage for related data, called segments.
• Separate the network
– Prevent unauthorized movement
– Limit the scope of a breach
Segmentation
Security Configuration -
a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events without human assistance.
• [this]
– Integrate third-party tools and data sources
– Make security teams more effective
• Runbooks - a set of standardized written procedures for completing repetitive information technology (IT) processes within a company. A series of conditional steps required to automatically perform actions, such as data enrichment, threat containment, and more, as part of incident response or security operations processes.
– Linear checklist of steps to perform
– Step-by-step approach to automation
– Reset a password, create a website certificate, back up application data
• Playbooks - a list of required steps and actions needed to successfully respond to any incident or threat. They provide a step-by-step approach to orchestration, helping security teams to establish standardized incident response processes and ensuring the steps are followed in compliance with regulatory frameworks. They allow security teams to leverage the power of automation to detect, analyze, enrich, and respond to threats at machine speed. SOAR playbooks can also be used to block threat indicators (IOCs) on firewall, EDR, SIEM, and other tools… They can identify and automate responses to frequent threats, including phishing, malware, and so on.
– Conditional steps to follow; a broad process
– Investigate a data breach, recover from ransomware
SOAR (Security Orchestration, Automation, and Response)