The various elements you have implemented from the previous chapters have allowed you to improve the overall security level of your information system. However, this security level is not frozen in time; it changes just as vulnerabilities do. It would be unrealistic to believe that you are protected from all attacks, which is why it’s crucial to understand how to monitor your information system in order to maintain the highest level of security while also identifying and containing potential attacks.
Monitor the Status of Your IT Infrastructure
You’ve updated your systems and applications, thus preventing an attacker from exploiting a vulnerability in an obsolete component. That’s a good start! But you also need to closely monitor your machines and the whole infrastructure.
To do this, you can use tools that continuously analyze the following elements in real time:
Operating system versions
List of applications installed on the systems and their version
Presence and status of the antivirus protection or EDR
The firewall configuration
This information will allow you to identify unusual actions if they occur. For example, if the antivirus protection on one of the workstations is suddenly disabled, this behavior is unusual and needs to be investigated. Similarly, if you see that port 4444 (the default port in many attacks) has been opened for outgoing traffic on one of your servers, this is most likely malicious behavior.
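The checks described above (a disabled antivirus, a new outbound rule for port 4444, changed OS or application versions) reduce to comparing each host's current inventory against a recorded baseline. The script below is an added example written for this chapter, not a tool from the course; the host names, version strings and inventory layout are constructed, and a real deployment would feed it from whatever inventory agent or CMDB you already run.

```python
# Added example: per-host inventory drift detection against a recorded baseline.
# Host names, versions and port lists below are constructed sample data.
from dataclasses import dataclass


@dataclass
class HostState:
    os_version: str        # reported OS version/build string
    apps: dict             # installed application name -> version
    av_enabled: bool       # antivirus / EDR real-time protection status
    outbound_allow: set    # TCP ports with an explicit outbound allow rule


# Ports that are rarely legitimate as a *new* outbound allow rule (4444 from the text).
SUSPICIOUS_OUTBOUND_PORTS = {4444}


def compare_host(name, baseline, current):
    """Return (host, severity, message) findings for one host."""
    findings = []
    if baseline.av_enabled and not current.av_enabled:
        findings.append((name, "HIGH", "antivirus/EDR protection disabled"))
    for port in sorted(current.outbound_allow - baseline.outbound_allow):
        sev = "HIGH" if port in SUSPICIOUS_OUTBOUND_PORTS else "MEDIUM"
        findings.append((name, sev, f"new outbound allow rule for port {port}"))
    if current.os_version != baseline.os_version:
        findings.append((name, "INFO",
                         f"OS version changed {baseline.os_version} -> {current.os_version}"))
    for app, ver in current.apps.items():
        if app not in baseline.apps:
            findings.append((name, "MEDIUM", f"new application installed: {app} {ver}"))
        elif ver != baseline.apps[app]:
            findings.append((name, "INFO",
                             f"{app} version changed {baseline.apps[app]} -> {ver}"))
    for app in sorted(baseline.apps.keys() - current.apps.keys()):
        findings.append((name, "INFO", f"application removed: {app}"))
    return findings


def compare_fleet(baseline, current):
    """Compare two inventory snapshots (host name -> HostState) for the whole fleet."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "MEDIUM", "host missing from current inventory"))
        elif name not in baseline:
            findings.append((name, "MEDIUM", "host not present in baseline"))
        else:
            findings.extend(compare_host(name, baseline[name], current[name]))
    return findings


# Constructed snapshots: WS01 has had its AV disabled, SRV01 gained an outbound 4444 rule.
BASELINE = {
    "WS01": HostState("10.0.19045", {"7-Zip": "22.01", "Chrome": "120.0"}, True, {80, 443}),
    "SRV01": HostState("10.0.20348", {"OpenSSH": "9.5"}, True, {80, 443}),
}
CURRENT = {
    "WS01": HostState("10.0.19045", {"7-Zip": "22.01", "Chrome": "120.0"}, False, {80, 443}),
    "SRV01": HostState("10.0.20348", {"OpenSSH": "9.5"}, True, {80, 443, 4444}),
}

if __name__ == "__main__":
    for host, sev, msg in compare_fleet(BASELINE, CURRENT):
        print(f"[{sev}] {host}: {msg}")
```

Run it on the constructed snapshots and it reports exactly two findings: the disabled protection on WS01 and the new outbound port 4444 rule on SRV01. Keeping the baseline under version control gives you a reviewable history of every approved change, so that anything the script flags is by definition unapproved.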
In addition to monitoring what is installed and configured on workstations, being able to detect abnormal activity is also a valuable tool for preempting attacks. A properly configured EDR can perform this role very efficiently. For example, if an attacker launches a ransomware attack, they will try to encrypt a large number of files on the workstation. The attacker will then demand that users pay a ransom to decrypt them. An EDR is capable of detecting this type of activity: it’s unusual for a single process to modify hundreds of files in a short amount of time. Therefore, you can decide on a limit beyond which this behavior should be reported and potentially block the process responsible for these modifications.
Monitor the Control Paths
Now that your machines are being monitored, the same logic must be applied to your Active Directory environment. You’ve removed all redundant users, groups, machines, and privileges, and now you need to monitor your new environment to make sure it remains clean.
You’ll want to identify any changes you’ve made to Active Directory that could have security implications. Here are a few examples:
Adding a new domain administrator
Adding unconstrained delegation to a workstation
Adding privileges for a user
Changing the permissions on a GPO
Using a break-glass (emergency access) account
etc.
You can regularly run a BloodHound data collection and compare the results, but this is not the best long-term solution. However, BloodHound Enterprise provides a real-time, continuous analysis of changes and identifies new compromise paths introduced by these changes.
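Comparing two collections, as the paragraph above suggests, is straightforward if you keep the comparison focused on the changes listed earlier in this section. The script below is an added example for this chapter (not BloodHound's or PingCastle's code): it diffs two simplified Active Directory snapshots and flags the new Domain Admins member, the newly enabled unconstrained delegation, the changed GPO permission and the use of the break-glass account. Object names and values are constructed; the 0x80000 (TRUSTED_FOR_DELEGATION) and 0x1000 (WORKSTATION_TRUST_ACCOUNT) bits are Microsoft's documented userAccountControl flags, and the snapshot layout is an assumption of this example.

```python
# Added example: diff two Active Directory snapshots for changes that create
# new control paths. Names, SIDs-free identifiers and ACEs are constructed.

# Documented userAccountControl bits (not on the course page, but Microsoft-defined).
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation

TIER0_GROUPS = ("Domain Admins", "Enterprise Admins")


def effective_members(groups, group, seen=None):
    """Flatten nested group membership into the set of non-group principals.

    groups maps a group name to the set of its direct members; a member whose
    name is itself a key of `groups` is treated as a nested group.
    """
    if seen is None:
        seen = set()
    result = set()
    for member in groups.get(group, ()):
        if member in groups:                # nested group
            if member not in seen:
                seen.add(member)
                result |= effective_members(groups, member, seen)
        else:
            result.add(member)
    return result


def diff_snapshots(before, after):
    """Return (severity, message) findings for security-relevant changes."""
    findings = []
    # 1. Tier-0 group membership, including members inherited through nesting
    for grp in TIER0_GROUPS:
        old = effective_members(before["groups"], grp)
        new = effective_members(after["groups"], grp)
        for principal in sorted(new - old):
            findings.append(("HIGH", f"{principal} gained effective membership of {grp}"))
    # 2. Unconstrained delegation newly enabled on a user or computer object
    for obj, uac in sorted(after["uac"].items()):
        was = before["uac"].get(obj, 0)
        if uac & TRUSTED_FOR_DELEGATION and not was & TRUSTED_FOR_DELEGATION:
            findings.append(("HIGH", f"unconstrained delegation enabled on {obj}"))
    # 3. New access control entries on a GPO
    for gpo, aces in sorted(after["gpo_acl"].items()):
        for trustee, right in sorted(aces - before["gpo_acl"].get(gpo, set())):
            findings.append(("HIGH", f"new ACE on GPO '{gpo}': {trustee} has {right}"))
    # 4. Break-glass account used (logon count increased between snapshots)
    for acct, logons in after["breakglass_logons"].items():
        if logons > before["breakglass_logons"].get(acct, 0):
            findings.append(("MEDIUM", f"break-glass account {acct} was used"))
    return findings


# Constructed snapshots. Between BEFORE and AFTER: the Helpdesk group was nested
# into Tier0-Ops (so carol is now transitively a Domain Admin), WS01$ received
# unconstrained delegation, Helpdesk got write access on a GPO, and the
# break-glass account logged on once.
BEFORE = {
    "groups": {"Domain Admins": {"admin.alice", "Tier0-Ops"},
               "Tier0-Ops": {"admin.bob"},
               "Helpdesk": {"carol"}},
    "uac": {"WS01$": WORKSTATION_TRUST_ACCOUNT, "SRV01$": WORKSTATION_TRUST_ACCOUNT},
    "gpo_acl": {"Default Domain Policy": {("Domain Admins", "WriteDacl")}},
    "breakglass_logons": {"breakglass": 0},
}
AFTER = {
    "groups": {"Domain Admins": {"admin.alice", "Tier0-Ops"},
               "Tier0-Ops": {"admin.bob", "Helpdesk"},
               "Helpdesk": {"carol"}},
    "uac": {"WS01$": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
            "SRV01$": WORKSTATION_TRUST_ACCOUNT},
    "gpo_acl": {"Default Domain Policy": {("Domain Admins", "WriteDacl"),
                                          ("Helpdesk", "WriteProperty")}},
    "breakglass_logons": {"breakglass": 1},
}

if __name__ == "__main__":
    for sev, msg in diff_snapshots(BEFORE, AFTER):
        print(f"[{sev}] {msg}")
```

The nested-group resolution is the part worth copying: a direct comparison of the Domain Admins member list would show no change between these two snapshots, because the new path to the group runs through Tier0-Ops. That is precisely the kind of indirect control path the graph-based tools mentioned above are built to surface.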
There are other tools that can provide you with monitoring information. I’ve already mentioned PingCastle, which is an excellent tool to measure the health of your Active Directory environment. PingCastle will check a large number of items by following the assessment checklist published by ANSSI. It will then assign a score to the Active Directory security level. Running this tool on a regular basis will allow you to keep track of failing checks and any irregularities that appear so that you can address them as quickly as possible. An example report is available on PingCastle’s website.
You can also use ANSSI’s ORADAD tool to collect the necessary Active Directory information and to verify the items on the published checklist.
You can also use Tenable.AD, which provides real-time visibility over the security level of your Active Directory environment, as well as suggestions to continuously improve it.
Before we move on, Vincent would like to share what is most often seen in a cyberattack:
Identify Events of Interest
The Windows event log is a great source of information for anyone wanting to monitor one or more Windows workstations. Almost anything can be collected and analyzed to identify malicious behavior. This list of event logs has been compiled by Microsoft.
I’ve looked at the Windows event logs, and there are thousands of events! What do I do?
Yes, as with the reconnaissance phase, you could be overwhelmed by the number of events logged by the operating system and the various applications. What you need to do is to sort the data and start analyzing essential logs and event categories. This will enhance your detection skills.
The critical events to look for are listed by Microsoft in an appendix, which can be used to detect all the examples of changes I listed in the previous section. This is also useful for monitoring logon attempts in order to detect attacks such as password spraying, or the creation or modification of services and scheduled tasks. Doing this will help you to identify lateral movement or persistence attempts.
If there are events that you don’t recognize, you can check the Ultimate Windows Security website, which describes them in detail. For example, this page describes event 4624, relating to an account that has successfully logged on. Sysmon can also be used to collect Windows events.
ANSSI has also produced a 100-page guide called Recommandations de sécurité pour la journalisation des systèmes Microsoft Windows en environnement Active Directory (Security Recommendations for Logging Microsoft Windows Systems in Active Directory Environments), which will help you to enhance and fine-tune your Windows event auditing strategy.
Windows is not the only system that can log events. The equipment and applications deployed in the IT infrastructure generally collect information on what’s happening. Whether you have firewalls, network probes, an EDR, or other security equipment, all of the generated events can be used to improve system intrusion detection.
How can I process and analyze all these events? Surely, I don’t need to log on to every machine and server to collect events and manually search for them?
Of course not, and this is a crucial aspect of any company’s defense strategy. It’s essential to identify the events that interest you, but that’s not enough. You must be able to assign value to them so you can act accordingly.
Identifying events is not an easy task. Let’s take a look at Clément’s best practices:
Assign Value to Events
All the events you have identified must now be centralized for analysis. This can be achieved by using SIEM (Security Information and Event Management). SIEM is a tool that allows defense teams to collect and aggregate event log data. In practice, you ensure that the SIEM collects all relevant logs. It then analyzes them, and through the correlation of these logs and the implementation of detection rules, the SIEM can generate security alerts that the detection teams will respond to.
There are lots of paid solutions on the market, but you can use the open-source solution ELK (Elasticsearch, Logstash, Kibana), which can act as a SIEM.
There are other available solutions for centralizing logs, such as Microsoft’s Windows Event Forwarding and Windows Event Collector, which centralize all Windows events. You can find more information in Microsoft’s documentation.
It’s helpful having all the events in one place, but this doesn’t change the fact that there are thousands of events. How can I detect an attacker?
This is where the detection rules come into play. These rules are written to detect potential threats. Now that you’re aware of the techniques an attacker uses to enumerate, exploit, and move through an information system, you can create rules that detect these techniques for identifying threat actors within your network.
For example, a password spraying detection rule may be triggered when you see more than 10 “An account failed to log on” (event 4625) events in less than 10 seconds, on multiple accounts.
Because many programs on the market offer SIEM functionality, an open-source, generic signature format has been developed for creating rules in a SIEM: SIGMA rules. These rules make it easy to share detection techniques because they follow a common syntax that is known and understood by anyone who implements rules. You can find sample rules in the SIGMA-Detection-Rules GitHub repository.
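To make the two ideas above concrete, the script below is an added example for this chapter, not code from the course or from the Sigma project: it first triages a batch of Windows security events down to the "events of interest" discussed in the previous section (group membership additions, service installation, scheduled task creation), then implements the password spraying rule exactly as stated, more than 10 event 4625 failures from one source in under 10 seconds against more than one account. The event records are constructed, with field names modelled on the Windows security log (TargetUserName, IpAddress, SubjectUserName); event IDs other than 4624 and 4625 come from Microsoft's security auditing documentation rather than from the page. A Sigma rule with a count aggregation over a 10-second timeframe expresses the same logic declaratively; here it is written out so that the windowing is visible.

```python
# Added example: triage Windows security events of interest and detect
# password spraying (>10 x event 4625 from one source in <10 s, several accounts).
# All event records below are constructed sample data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs from Microsoft's security auditing documentation (4625 is on the page).
EVENTS_OF_INTEREST = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4697: "service installed",
    4698: "scheduled task created",
    4702: "scheduled task updated",
}


def triage(events):
    """Keep only events of interest, ordered by time: (id, description, actor, detail)."""
    hits = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        desc = EVENTS_OF_INTEREST.get(e["EventID"])
        if desc is None:
            continue
        detail = e.get("TargetUserName") or e.get("TaskName") or e.get("ServiceName") or "?"
        hits.append((e["EventID"], desc, e.get("SubjectUserName", "?"), detail))
    return hits


def detect_password_spray(events, threshold=10, window=timedelta(seconds=10)):
    """Sliding-window rule over 4625 events, keyed by source address.

    Alerts when more than `threshold` failures fall inside `window` and they
    target more than one account (a single user mistyping is not spraying).
    """
    alerts = []
    recent = defaultdict(deque)   # source IP -> deque of (time, target user)
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] != 4625:
            continue
        q = recent[e["IpAddress"]]
        q.append((e["TimeCreated"], e["TargetUserName"]))
        while q and e["TimeCreated"] - q[0][0] >= window:   # drop events outside the window
            q.popleft()
        accounts = {user for _, user in q}
        if len(q) > threshold and len(accounts) > 1:
            alerts.append({"source": e["IpAddress"], "attempts": len(q),
                           "accounts": sorted(accounts),
                           "first": q[0][0], "last": e["TimeCreated"]})
            q.clear()   # report one burst once; a new burst must rebuild the window
    return alerts


def ev(event_id, seconds, **fields):
    """Build a constructed event record `seconds` after a fixed start time."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    return {"EventID": event_id, "TimeCreated": t0 + timedelta(seconds=seconds), **fields}


# Constructed sample log: a 12-account spray from 192.0.2.10 over 5.5 seconds,
# one user failing three times over a minute (benign), then two events of interest.
SAMPLE_EVENTS = (
    [ev(4625, i * 0.5, TargetUserName=f"user{i:02d}", IpAddress="192.0.2.10") for i in range(12)]
    + [ev(4625, 30 + 20 * i, TargetUserName="dave", IpAddress="192.0.2.20") for i in range(3)]
    + [ev(4728, 60, SubjectUserName="admin.alice", TargetUserName="Domain Admins",
          MemberName="CN=carol,OU=Users,DC=example,DC=local"),
       ev(4698, 75, SubjectUserName="svc_backup", TaskName="\\Microsoft\\Windows\\Updater")]
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("EVENT OF INTEREST:", hit)
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print("PASSWORD SPRAY:", alert)
```

On the sample data the rule fires once, at the eleventh failure from 192.0.2.10, while dave's three slow failures never exceed the threshold. The two knobs to tune in production are the threshold and the window; both depend on your own baseline of legitimate failed logons, which is exactly why centralizing the events first matters.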
Occasionally, some elements needed to complete an investigation are missing. Vincent shares some tips and reveals the most sophisticated attack he has encountered:
All of these tools, processes, and defense teams can be grouped together in what’s known as a SOC (Security Operations Center). Check out the video for more!
Let’s Recap!
In this last chapter, you learned how to monitor your environment from different perspectives.
Monitor the status of your IT infrastructure, including updates, security tool configurations, and firewall rules.
Continuously analyze existing control paths within Active Directory.
Identify and use Windows events and application logs by centralizing them in a SIEM in order to automatically draw some initial findings, in conjunction with the implementation of detection rules.
Understand the relevance of a SOC, how it works, and why it’s the foundation of information system defense.
This course has taught you how to detect and exploit vulnerabilities in an Active Directory environment by applying a method and using tools to help maintain an efficient approach.
Correcting these vulnerabilities and the security improvements you can implement on your servers, workstations, architecture, and administration methods enables you to increase the overall security level of your environment.
Finally, you now have all you need to maintain control of your information system by monitoring it from every angle in order to anticipate risks.
All that’s left is to wish you the best of luck! I’ll see you soon in a future course!