In an era where cyber threats have become increasingly pervasive and sophisticated, the need for a robust understanding of cybersecurity has never been more critical.
At GBB, we believe that sharing knowledge and experience is key to building a safer digital world. In this blog, we’ll be sharing our real-world experiences and learnings from the trenches of cybersecurity incidents & implementations.
Our goal is to provide valuable insights and practical tips that can help you enhance your cybersecurity posture and stay ahead of potential threats. One of the key learnings we aim to emphasize is the fact that in most cases, adversaries were present within the client’s network for extended periods, sometimes months, before launching the actual attack. Understanding this dwell time is crucial for developing proactive security measures and threat detection capabilities.
Here is the list of crucial learning/s along with “must implement” steps or solutions to safeguard from incidents.
- Configuring User VLANs at Perimeter Firewalls (instead of Network Switches) for Enhanced Security:-Configuring VLAN gateways at the perimeter firewall (NGFW) rather than on the core switch provides stronger security, more efficient traffic management, and greater control over inter-VLAN communications, let’s understand this in simple steps….
-
-
- Enhanced Security:- The perimeter firewall provides a more robust security layer compared to the core switch. It is specifically designed to inspect and filter traffic, offering advanced security features like intrusion prevention and threat detection. Traffic between VLANs passes through the firewall, ensuring thorough scrutiny and filtering, which is not as comprehensive when handled by a core switch.
- Centralized Traffic Management:-By placing the gateway at the perimeter firewall, all inter-VLAN traffic is routed through a single, secure point. This centralization simplifies traffic management and monitoring, making it easier to enforce security policies and detect anomalies.
- Isolated Network Segments:- With VLANs managed at the perimeter firewall, network segments remain isolated at Layer 2 within the core, distribution, and access layers. This isolation reduces the risk of internal threats and lateral movement of potential attackers within the network.
- Device-Specific Access Control:- Segregating devices like printers, biometric devices, and CCTV into separate VLANs and managing their access through the perimeter firewall enhances security. For instance, while the printers can be accessed by end-users, other way round firewall should not allow a printer to initiate communication with an end-user machine.
- Embracing Micro-Segmentation for Server Security:- Micro-segmentation is crucial in contemporary network security for several compelling reasons:
-
-
- Enhanced Security Within the Network: Unlike traditional security methods that focus on defending the network perimeter, micro-segmentation secures traffic moving internally between servers, addressing the lateral movement of threats within the network.
- Granular Control and Policy Enforcement: Micro-segmentation allows for the precise application of security policies. Each segment or server can have its own set of rules, ensuring that security measures are tailored and more effective.
- Reduced Attack Surface: By isolating servers and network segments, micro-segmentation significantly reduces the overall attack surface. An intruder breaching one segment faces additional barriers to accessing other parts of the network.
- Compliance and Data Protection: For businesses handling sensitive data, micro-segmentation helps in maintaining compliance with data protection regulations. It effectively segregates and secures data, preventing unauthorized access.
- Agility and Scalability: In dynamic network environments, micro-segmentation offers flexibility. It adapts to changes in the network topology without disrupting the underlying security infrastructure.
- Limiting Damage from Breaches: In case of a breach, micro-segmentation confines the impact to a small segment, preventing the spread of the threat across the entire network.
- Fine-Tuning Perimeter Firewalls for Impeccable Network Security:- Here are the key steps to significantly enhance your network’s security through effective firewall and NGFW configuration
-
-
- Perimeter Firewall Configuration:-Implement a perimeter firewall to block non-work-related URLs and enable security features like Antivirus (AV), Intrusion Prevention System (IPS), Anti-spam, and file analysis. We must do SSL interception with a custom CA deployed at the firewall, distributing this CA via Active Directory to all endpoint devices.
- Internet Access Control:-Restrict LAN-to-WAN rules to essential ports and applications only, for example:- most remote access applications should not work. We should not have option to query public DNS such as 4.2.2.2, 8.8.8.8 from all end stations, ideally consider using 1.0.0.3, 1.1.1.3 etc. cloud flare family DNS wherever possible.
- LAN to DMZ Access Management:-Enforce stringent rules for server access, grant access only to specific users for necessary server ports or applications. We should even avoid open ports for any server accessible by all users, or having specific ports open for all users.
- DMZ-to-LAN Restrictions:-Prohibit server access from the DMZ to the LAN to maintain network segmentation and security.
- Securing Firewall Public Access:- Firewall public access should be very secure, ideally we should change the default admin username or create a admin user with non-obvious username and disable default admin. Having a strong password is a must and enabling Multi-Factor Authentication (MFA) for firewall admin access will further enhance the overall security.
- VPN Access Control:-Limit VPN access on a per-user basis. Ensure each VPN user has access only to the specific resources they need, such as a particular server and port.
- Inter-Branch Connectivity:-Strictly regulate access between branches, locations, or units via IPSec severely limited as per requirements. Avoid having open IPSec tunnels that allow entire subnets at one location to access subnets at another without firewall protection.
- Strategies for a Secure Wireless Setup:-To achieve a secure wireless network environment that complements the established security protocols of our wired networks, consider the following essential steps:
-
-
- Unified Wired and Wireless Network Policy:-Instead of a single wireless network for all users, establish multiple SSIDs (wireless networks) mirroring the segmentation of your wired networks. This ensures a 1:1 correspondence, maintaining VLAN separation and consistent security policies across both wired and wireless connections.
- Go for a Wireless Controller (Cloud/On-Prem):- Implementing a Controller-based Wi-Fi system (Cloud/On-Prem) will be worth the investment since this setup allows for the creation of multiple SSIDs, centralized management of WPA2 passwords, and efficient monitoring of potential security threats like rogue access points (APs) and unauthorized devices. The system should also offer channel allocation to enhance network efficiency and security.
- Fortifying your Backup Infra & Comprehensive Strategies for Resilient Data Protection:- Securing backup infrastructure demands a meticulous approach. Explore these comprehensive strategies to bolster the security of your backups:
-
-
- Backup as separate zone in firewall:-Designate a separate zone for backups in the firewall, avoid combining the backup server/s (including the BMC-iDRAC, iLO, etc. of backup server) with other servers in the DMZ. Only backup servers should be able to initiate communication with a few servers (ESXi/vCenter for VM level backup, Agent port and machine IP where there is backup agent installed for agent based backup, etc.) & not the other way round, this safeguards backups even if other Server/s are compromised, restricting servers’ ability to initiate communication with the backup infrastructure.
- Eliminate Remote Access for Backup Servers:-Enforce a strict no-remote-access policy for backup servers, compelling IT teams to physically relocate to a protected data center for any backup-related tasks. This ensures an additional layer of security, preventing remote access to critical backup systems.
- Embrace immutable backups:- All backups should be immutable. It should be impossible (Compliance) even for administrators with all usernames, passwords, OTP, tokens, etc. to delete existing backups before they expire & should not even be remotely modifiable by anyone, at the most an administrator should only be able to change future backup goals and retention period. Existing backups. If immutable backup is not possible then at least backup should be on a separate storage, ideally in near-DR / far-DR and not in the same DC.Avoid opting for backup solutions that involve multiple OEMs else you will end up managing multiple components(Server, storage, software, etc.) instead consider investing in “Purpose built backup appliance” that support MFA(Multi factor authentication), Possibly tape drive/Library & cloud sync to OEM specific cloud storage (with immutable support function), etc.
- Diversify Backup Locations:- Adhere to the 3-2-1 backup strategy, encompassing on-disk, offline (tape), and offsite (Cloud) backups ) Immutable / air-gapped if possible.
- Extended Backup Durations:- Extend backup durations to avoid dependence on recent backups only(8 days of backup with 1 full and rest incremental for example). Aim for at least one full backup spanning 3-4 weeks and another full monthly backup over 2-3 months, tailoring durations based on organizational needs, budget, compliance / security requirements, etc. Having only a few days backup may not be enough typically as by the time we realize something has gone wrong 6-7 days might have already been passed & also, just one full backup and rest incremental may not be enough in case there is some corruption issue with that single full backup
- Backup tool internal database backup:- We should do backup of backup tool internal database or configuration at all the backup sites (3–2–1). Each site should be independently enough for any kind of restoration & the configuration backup should also be automated, this automated configuration backup must be immutable as well.
- Backup restoration steps and validation:- Establish clear, tested procedures for validating backup restoration. Conduct manual restoration tests every six months for all applications and automated validations monthly for all the backups. Test restorations using only offline/offsite resources, ensuring independence from on-premises infrastructure.
For example, if backups are going to cloud then only using cloud data should be restored on some external site and validated, so that cloud backup alone should be sufficient for restoration without requiring even a single file from the organization DC & not even current backup server in case if a disaster or a data loss situation, similarly if backups are happening to tape, then restoration only using tapes must be done.
- Enhancing Data Resilience: Leveraging Replication to DR Site:- When evaluating High Availability (HA) or replication to a Disaster Recovery (DR) site, assess the backup tool’s capability to maintain multiple point-in-time snapshots at the DR site alongside the latest production copy. While this setup can offer an additional layer of data protection through replication, it’s crucial to acknowledge that it lacks immutability. Consequently, it doesn’t provide robust protection against targeted attacks.
- Empowering Cyber Defense with Dynamic XDR Strategies
-
-
- In the realm of malware protection, embracing XDR (Extended Detection and Response) emerges as a proactive shift from traditional, signature-based antivirus solutions. Unlike static databases, XDR employs behavioural analysis during application execution, providing a more adaptive and effective defense against evolving cyber threats.
- For optimal protection, consider leveraging additional features within XDR, such as firewall and USB blocking capabilities. This ensures a granular control over USB access, preventing unauthorized connections to devices like printers. By restricting access, organizations can fortify their defenses and mitigate potential security risks.
- Furthermore, harness the power of XDR’s insights into vulnerable applications. Take proactive measures by updating or uninstalling these applications, or exploring alternative solutions. This not only strengthens the overall security posture but also safeguards against potential vulnerabilities that could be exploited by malicious entities.
- In summary, the adoption of XDR, coupled with strategic utilization of its supplementary features, marks a robust defense strategy against malware, providing adaptive protection and reducing the attack surface for a more resilient cybersecurity framework.
- Access Control Reinforced with OS Hardening:-
-
-
- In the realm of access security, the practice of OS hardening, as advocated by CIS Benchmarks, is pivotal. This approach entails fortifying not only physical servers but also virtual machines, golden images, and templates. The objective is to establish a default environment where end-user privileges are inherently limited, strictly aligned with business purposes.
- Adhering to these principles means users should only possess necessary privileges, avoiding any superfluous access rights. Actions such as creating scheduled tasks, administrative access, or PowerShell capabilities should be restricted unless explicitly required for designated business functions. This stringent control over privileges ensures a robust defense against unauthorized actions, reducing the risk of potential security breaches.
- In essence, OS hardening serves as the frontline defense, creating a fortified digital environment where access is a carefully regulated mechanism, aligning precisely with business needs while minimizing vulnerabilities.
- Strengthening Security Across your Infrastructure with Multi-Factor Authentication (MFA)
-
-
- In the age of evolving cyber threats, adopting a comprehensive Multi-Factor Authentication (MFA) strategy is paramount. This proactive approach extends beyond conventional boundaries, encompassing critical components like immutable storage appliances, firewalls, Windows/Linux OS servers, backup applications, public cloud accounts, and email systems.
- The mandate is clear: MFA should be ingrained into the fabric of each crucial element that supports it. From fortifying server operating systems to safeguarding public cloud accounts, MFA acts as a unified shield, adding an extra layer of defense against unauthorized access.
- This holistic implementation of MFA not only aligns with best security practices but also creates a robust, interwoven security posture that stands resilient against diverse cyber threats. It’s not just about securing individual components; it’s about fortifying the entire digital ecosystem against potential breaches.
- Improve your awareness about email security with the use of a simple Email Banner
-
-
- In the ongoing battle against phishing attacks, implementing a simple “Email Banner” in a way that every external email that comes from external servers should be marked with a prominent banner clearly indicating its origin. It’s not just a static warning; it’s an ongoing campaign of user education.
- Users are to be continually educated/trained to recognize the absence of banners in internal emails(legitimate) & presence of a banner for emails from external servers (not legitimate) , thereby reinforcing the distinction. This proactive approach ensures that when critical requests, like financial transactions from high-profile individuals (MD or CFO to finance asking for some bank transfer) created by the malicious/threat actors could be flagged off by the employees to the designated IT Team thereby avoiding potential phishing attempts on a daily basis.
- Safeguarding Intellectual Assets with DLP and VDI:-In the digital age, where safeguarding intellectual property is paramount, organizations must explore advanced measures like Data Leak Prevention (DLP) and Virtual Desktop Infrastructure (VDI).
-
-
- DLP, when meticulously implemented, becomes a guardian of sensitive assets, requiring a thorough categorization of each element—devices, users, files, and applications—assigning security levels like Low, Medium, High. This precision ensures that only authorized users with the appropriate security clearance can access, modify, or interact with sensitive information, providing an unparalleled defense against data leaks.
- Simultaneously, VDI stands as a sentinel in the realm of remote work. By configuring VDI settings to restrict functionalities like copy/paste and file migration, organizations fortify their intellectual assets from potential leaks. Users can seamlessly work on remote VDI desktops without compromising data integrity, establishing a secure environment that shields against unauthorized data transfer.
- Elevating Security with MDM and Disk Encryption:- In the dynamic landscape of digital security, instituting robust measures is imperative. Mobilizing the defense, all office assets should fall under the protective umbrella of Mobile Device Management (MDM). Specifically, office laptops must be fortified with disk encryption, offering the added capabilities of remote-wipe and remote disabling. This proactive approach ensures that even in the event of a device being lost or compromised, sensitive data remains shielded.
- Revolutionizing Security with Advanced Password and Privilege Management :- In the realm of access security, the paradigm has shifted towards sophisticated Password and Privilege Management tools. It’s not just about securing passwords; it’s about redefining how access is managed and safeguarded.
-
-
- Embrace the transition from shared files to the secure enclave of Password Management tools. Say goodbye to the vulnerability of shared text files or password-protected Excel sheets. Modern tools go beyond simple password storage; they can perform logins on behalf of users without exposing the actual password, adding an extra layer of security.
- The era of static passwords is giving way to dynamic security measures. Some tools rotate passwords daily, rendering even stored passwords in files or physical notepads obsolete the next day. This proactive rotation minimizes the risk of unauthorized access and ensures a constantly changing defense against potential threats.
- Privilege Management tools further elevate the access control game. With dual-approval mechanisms, authorized individuals must obtain approval from another before accessing specific resources. This additional layer of authorization ensures that access to critical resources is not only restricted to authorized personnel but also scrutinized for added security.
- Network design becomes a strategic component in this security architecture. Privilege Management tools may be configured to allow administrators access only from specific desks or networks. Authentication and Multi-Factor Authentication (MFA) become gatekeepers, ensuring that privileged access is granted only to authorized personnel through the secure conduit of the management tool.
- Elevating Security with Automated Monitoring and Asset Tracking:- In the realm of cybersecurity, vigilance is paramount, and Automated Monitoring and Asset Tracking emerge as the silent sentinels. These tools are not just about oversight; they are the guardians of operational health and security.
-
-
- Imagine a landscape where the health of servers, switches, applications, and every digital asset is under constant surveillance. It’s not just about knowing when a service is up/down; it’s about proactive identification and resolution before it impacts operations. Asset tracking transcends the mere record-keeping of hardware and software; it’s about understanding precisely which assets are assigned to individuals, creating an indispensable map for security and accountability.
- Automated patch management, especially for operating systems, is the unsung hero in this narrative. It ensures that critical security updates are applied promptly, safeguarding official assets from potential vulnerabilities. In the digital realm, a missed patch could be the chink in the armor that threat actors exploit.
- Simple yet crucial metrics like free disk space, CPU usage, and RAM usage are not overlooked in this comprehensive monitoring approach. While these metrics might not lead directly to security issues, the absence of monitoring, especially for backup storage or backup servers, can pose serious security concerns. In the absence of such oversight, downtime becomes more than an inconvenience; it becomes a potential vulnerability waiting to be exploited.
- Unleashing the Power of SIEM for Proactive Security:- Security Information and Event Management (SIEM) is more than just a log repository; it’s a proactive guardian that deciphers the language of logs, turning them into actionable insights. SIEM is also critical for doing BAS (Breach Attack and Simulation) and also for forensic analysis post-incident.
- Elevating Security with Comprehensive Hardware Health Monitoring:-
-
-
- In the intricate dance of cybersecurity, where every component plays a vital role, don’t overlook “Hardware Monitoring”. Imagine a scenario where hardware failures are not just events but triggers for proactive response. Having a mechanism that not only detects these failures but also orchestrates emails or calls back to the OEM for swift part replacement can defend you against potential disruptions caused by hardware malfunctions.
- Periodic manual validation of the hardware health either by visiting the data center or accessing Baseboard Management Controllers (BMC) like iDRAC or iLO, is a must to ensure that the hardware is healthy.
- Proactive Health checks and security validation measures for Robust Cybersecurity Posture:- In the ever-evolving landscape of cybersecurity, fortifying defenses requires proactive measures that validate and enhance the organization’s security posture.
-
-
- Vulnerability Assessment and Penetration Testing (VA-PT):- Will help in uncovering known vulnerabilities in services, applications, or servers, organizations gain insights to patch and fortify their digital fortresses.
- Breach Attack and Simulation (BAS):- As the organization invests in cutting-edge technologies like XDR, SIEM, and 24×7 monitoring, BAS becomes the litmus test for cybersecurity readiness. It’s not just about having the tools; it’s about validating their efficacy during an actual attack. These periodic exercises (both VA/PT & BAS) are crucial, demanding validation at least once every quarter or more frequently for automated setups.
- Auditing:- All critical infrastructure such as backups, firewall policies, administrative accounts for firewall / AD / Email / OS etc. should get periodically audited. We should also look for potential back doors (Public keys, Sudo access for example) that might have been left by an application, past employee, attacker, etc.
Creation of administrative users, firewall security policies, etc. should be tracked via ticketing and change management system, all the actions done on critical infrastructure during audit should be traceable back to a change request / related approval.
- Empowering Vigilance through Security Awareness Programs & Initiatives:- In the digital age, where threats are ever-evolving, security awareness isn’t just a training—it’s a dynamic initiative that empowers employees to become vigilant guardians of organizational integrity.
-
-
- Official Security Awareness Training: It’s not just about imparting knowledge; it’s about ingraining a security mind-set. Formal training sessions, conducted by reputed external trainers, covering the essentials like resisting phishing emails, refraining from downloading unlicensed software, avoiding clicks on suspicious links, and steering clear of enticing promises. This is not a routine; it’s a call to action for every employee to be a proactive defender.
- Two-Factor Validation Channel: Beyond awareness, validation becomes the second line of defense. Establishing an alternate channel for authenticating critical messages adds a layer of assurance. Whether it’s a bank transfer request or a sensitive directive, employees are empowered to verify authenticity via a secure second channel—be it a landline call or an in-person confirmation.
- Beyond Surface Trust: Understanding the nuances of email security is imperative. The training emphasizes that appearances can be deceiving; anyone can manipulate email parameters. A holistic approach teaches employees not to trust emails solely based on a few visible parameters.
- Adapting to Emerging Threats: The training doesn’t just stop at conventional threats. It evolves with the times, addressing the latest threats posed by technologies like GPT and Deep fake. The landscape has changed, and so should the awareness. The training prepares employees for threats that didn’t exist a decade ago, ensuring they stay ahead of the curve.
- Fortifying Collaboration with Secured file sharing Practices:- In the collaborative landscape of digital workflows, secure file sharing is not just a convenience—it’s a strategic practice that demands a meticulous approach to fortify against potential threats.
-
-
- Restructuring Access: The era of world-writable shared folders is a vulnerability waiting to be exploited. The strategic move is to restructure access, with Password-protected shares & ensuring that only authorized individuals with specific business requirements have read/write(limited) access.
- Empowering Control: Secure file system should support have the versioning capabilities, ensuring that the evolution of documents is tracked seamlessly. The synchronization to the cloud becomes the conduit for seamless collaboration across diverse environments. An audit trail must be embraced to record every interaction with shared files, providing transparency and accountability.
- Safeguarding Digital Frontiers with 24×7 Cyber Sentinel Teams:-In the realm of cybersecurity, tools like XDR, monitoring, SIEM, and backup are the sentinels, but their efficacy hinges on continuous vigilance. Dedicated teams, operating around the clock, transform these tools from passive observers to active guardians.
-
-
- Continuous Vigilance: The strategic move isn’t just deploying state-of-the-art tools; it’s about ensuring that the alerts and dashboards they generate are under constant scrutiny. The 24×7 monitoring teams become the unsleeping guardians, intercepting potential threats and critical information during or even before a severe attack.
- Beyond Alerts and Dashboards: It’s not just about responding to alerts; it’s about interpreting the subtle nuances that dashboards reveal. Continuous monitoring isn’t just a task; it’s a dynamic strategy that ensures the organization stays ahead of potential threats. The teams become the linchpin in turning data into actionable insights, making the cybersecurity landscape not just monitored but actively defended.
It’s time to take proactive steps to safeguard your digital assets, join us in our mission to strengthen your cybersecurity and stay ahead of potential threats. Reach out to us to explore tailored solutions and expert guidance.
Together, we can build a more secure digital future….