Cyber Intrusion Mitigation Strategies Part Five: Longer Term Security Recommendations
ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.
It is not intended to be a detailed examination of all actions involved in incident response but is an attempt to provide high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.
The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.
The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.
After executing the essential mitigation and eradication steps, organizations should then focus on processes and procedures that will improve security over the long term.
STRICT ROLE-BASED ACCESS CONTROL:
Role-based user access control grants or denies access to resources based on job function. Active Directory (AD) implements role-based user access control via group policies. Groups provide logical network segmentation and prevent users from accessing machines that are not necessary for job performance.
Organizations should define the roles and permissions needed for each group to perform its duties. Using strict role-based access control allows for better auditing and reduces risk by minimizing the privileges associated with each group. In addition, this logical network segmentation makes it harder for adversaries to move laterally through the network after an initial intrusion.
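The following is an added example, not part of the ICS-CERT guidance, showing how the "define the roles and permissions each group needs" step can be checked in code. Roles stand in for AD groups, each mapped to the permissions that job function requires; the audit flags accounts holding permissions outside any assigned role and lists who holds privileged roles. Every role, permission and account name is constructed for illustration.

```python
"""Role-based access model audit (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed role definitions: what each job function needs, nothing more.
ROLES = {
    "hmi_operator": {"hmi:view", "hmi:acknowledge_alarm"},
    "control_engineer": {"hmi:view", "plc:program", "historian:read"},
    "helpdesk": {"workstation:reset_password", "workstation:unlock"},
    "domain_admin": {"ad:manage", "workstation:admin", "server:admin"},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    # Permissions granted directly to the account, outside any role.
    direct_permissions: set = field(default_factory=set)


def effective_permissions(account):
    """Union of role-derived and directly granted permissions."""
    perms = set(account.direct_permissions)
    for role in account.roles:
        perms |= ROLES[role]
    return perms


def find_excess_permissions(accounts):
    """Return {account name: permissions not justified by any assigned role}."""
    excess = {}
    for acct in accounts:
        role_perms = set()
        for role in acct.roles:
            role_perms |= ROLES[role]
        extra = acct.direct_permissions - role_perms
        if extra:
            excess[acct.name] = extra
    return excess


def find_privileged_members(accounts, privileged_roles=("domain_admin",)):
    """Accounts holding a privileged role; this list should stay short and reviewed."""
    return sorted(a.name for a in accounts if set(a.roles) & set(privileged_roles))


SAMPLE_ACCOUNTS = [  # constructed
    Account("op1", {"hmi_operator"}),
    Account("eng1", {"control_engineer"}, {"server:admin"}),  # stray direct grant
    Account("hd1", {"helpdesk"}),
    Account("adm1", {"domain_admin"}),
]

if __name__ == "__main__":
    print("excess:", find_excess_permissions(SAMPLE_ACCOUNTS))
    print("privileged:", find_privileged_members(SAMPLE_ACCOUNTS))
```

Run periodically against an export of group memberships and direct ACL grants; any account appearing in the excess report is a candidate for moving the grant into a role or removing it.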
NETWORK SEGMENTATION:
Network segmentation involves separating one large network into smaller functional networks using firewalls, switches, and other similar devices. Effective segmentation restricts communication between networks and can lessen the extent to which a threat can move laterally through a network.
Organizations must decide which departments, applications, services, and assets should reside on each segment. Implementation of network segmentation can be a long-term project and should include careful planning, implementation, and regular maintenance.
In an ideal world, the business and control systems networks would be physically separated; however, this is not practical in most situations. In practice, firewalls and data diodes are good options for segmenting networks.
Data diodes allow only one-way communication between network segments and could be used to ensure that network data only flows out of the control systems network. Firewalls allow two-way communication between networks but risk exposure if the firewall is not well configured.
The network should also include one or more demilitarized zone (DMZ) segments. They should be grouped by function such that the attack surface at each segment is minimized. DMZs should include an organization’s external services that are exposed to the Internet or critical systems that are accessed from multiple internal network segments. Firewalls should control communication between DMZs and internal/external hosts.
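As an added example (not from the ICS-CERT guidance), the checks below express the segmentation properties described above as rules a firewall policy can be audited against: nothing originating outside the control segment may be allowed into it (the one-way flow a data diode enforces), Internet-facing rules terminate in the DMZ rather than in internal segments, and no allow rule uses "any" for source, destination or port between segments. Segment names and the sample rule set are constructed.

```python
"""Firewall policy audit for a segmented network (added example, constructed data)."""
from dataclasses import dataclass

SEGMENTS = {"internet", "dmz", "business", "control"}  # constructed segment names
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str     # segment name or "any"
    dst: str     # segment name or "any"
    port: str    # e.g. "443" or "any"
    action: str  # "allow" or "deny"


def inbound_to_control(rules):
    """Allow rules that let traffic originating outside control reach it."""
    return [r for r in rules
            if r.action == "allow" and r.dst in ("control", ANY) and r.src != "control"]


def overly_broad(rules):
    """Allow rules between different segments that use 'any' for src, dst or port."""
    return [r for r in rules
            if r.action == "allow"
            and (r.src == ANY or r.dst == ANY or r.port == ANY)
            and r.src != r.dst]


def internet_reaches_internal(rules):
    """Allow rules letting the Internet reach a non-DMZ internal segment directly."""
    return [r for r in rules
            if r.action == "allow" and r.src == "internet"
            and r.dst in ("business", "control", ANY)]


def audit(rules):
    """Collect (finding type, rule) pairs for everything that violates the policy."""
    findings = [("inbound_to_control", r) for r in inbound_to_control(rules)]
    findings += [("overly_broad", r) for r in overly_broad(rules)]
    findings += [("internet_to_internal", r) for r in internet_reaches_internal(rules)]
    return findings


SAMPLE_RULES = [  # constructed
    Rule("internet", "dmz", "443", "allow"),       # public service in the DMZ: fine
    Rule("control", "dmz", "5432", "allow"),       # historian data out of control: fine
    Rule("business", "control", "3389", "allow"),  # remote desktop into control: violates one-way flow
    Rule("business", "dmz", "any", "allow"),       # all ports: overly broad
    Rule("any", "any", "any", "deny"),             # default deny
]

if __name__ == "__main__":
    for kind, rule in audit(SAMPLE_RULES):
        print(f"{kind}: {rule}")
```

The same checks can be fed from an exported rule base; a rule that appears in the inbound_to_control list is exactly the kind of path a firewall permits but a data diode would not.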
APPLICATION WHITELISTING:
Application whitelisting permits the execution of explicitly allowed (whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown executables, including malware.
One challenge in using application whitelisting in business networks is managing the constantly changing list of allowed applications. This burden is significantly reduced in control systems environments because the set of applications that run in these systems is very static.
ICS-CERT recommends deploying application whitelisting on the control systems and business networks wherever applicable. In particular, this may be appropriate for business servers such as mail servers and domain controllers.
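To make the default-deny behaviour concrete, here is an added example (not ICS-CERT's code or any vendor's product) of a minimal hash-based allowlist. Binaries are identified by SHA-256 rather than by name, so a file that keeps a trusted path but has changed contents is still treated as unknown, and the list is built once from known-good files and then frozen, which is what makes the static application set of a control system easy to manage. File paths and contents are constructed.

```python
"""Hash-based application allowlist (added example, constructed data)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "installed" binaries: path -> file contents.
INSTALLED = {
    "C:/HMI/hmi_runtime.exe": b"HMI RUNTIME v4.2 constructed sample",
    "C:/Historian/historian.exe": b"HISTORIAN constructed sample",
}


def build_allowlist(files):
    """Hash every known-good file once; the result is the frozen policy."""
    return frozenset(sha256_hex(contents) for contents in files.values())


ALLOWLIST = build_allowlist(INSTALLED)


def decide(path, contents, allowlist):
    """Return ('allow' | 'deny', reason). Anything not on the list is denied."""
    digest = sha256_hex(contents)
    if digest in allowlist:
        return "allow", f"{path} matches allowlisted hash"
    return "deny", f"{path} hash {digest[:12]}... not on allowlist"


def evaluate(events, allowlist):
    """Apply the policy to a sequence of (path, contents) execution attempts."""
    return [(path, decide(path, contents, allowlist)[0]) for path, contents in events]


SAMPLE_EVENTS = [  # constructed execution attempts
    ("C:/HMI/hmi_runtime.exe", INSTALLED["C:/HMI/hmi_runtime.exe"]),
    ("C:/Users/op1/Downloads/update.exe", b"unknown installer"),
    # Trusted filename, changed contents: the hash no longer matches, so deny.
    ("C:/HMI/hmi_runtime.exe", b"HMI RUNTIME v4.2 constructed sample" + b" patched"),
]

if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{verdict:5} {path}")
```

Updating a whitelisted application means hashing the new version and rebuilding the list through change control; on a business network, where the application set changes often, that step is the maintenance burden the text refers to.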