Full Report
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_AttackTactics6ReturnofBlueTeam.pdf In this webcast we walk through the step-by-step defenses to stop the attackers in every step of the way we showed […] The post Webcast: Attack Tactics 6! Return of the Blue Team appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Best Practices: Defending Against Common Attack Tactics (Blue Team Perspective)
## Overview
These practices focus on implementing specific, actionable defenses against common post-initial access and lateral movement techniques often employed by adversaries, drawing from webcasts that detail attack methodologies. The goal is to establish robust Blue Team defenses across authentication, network reconnaissance, and endpoint security.
## Key Recommendations
### Immediate Actions
1. **Implement Strong Multi-Factor Authentication (MFA):** Enforce Two-Factor Authorization (2FA) widely, especially for remote access vectors (VPN, OWA) and highly privileged accounts.
2. **Deploy Account Lockout Policies:** Configure strict account lockout policies to mitigate password spray attacks.
3. **Deploy Canary Tokens:** Place high-value, strategically visible files (Canary Tokens) containing unique identifiers across file shares and critical systems to gain early warning of unauthorized access or enumeration attempts.
4. **Disable LLMNR:** Immediately disable Link-Local Multicast Name Resolution (LLMNR) where possible to block common poisoning and credential harvesting techniques.
### Short-term Improvements (1-3 months)
1. **Establish Honey Accounts:** Create and monitor non-production or highly privileged "honey accounts" whose credentials should never be used. Monitor authentication logs against these accounts as a high-fidelity alert source.
2. **Audit and Secure Remote Access Gates:** Review and secure configurations for OWA, VPN endpoints, and SSH access points, ensuring robust logging and monitoring are in place for all logins.
3. **Integrate Detection Tools:** Begin deployment and tuning of network traffic analysis tools like RITA (Real Intelligence Traffic Analysis) to baseline and detect anomalies related to internal scanning and beaconing.
4. **Harden SSH:** Remove default or simple SSH configurations and enforce key-based or strong multi-factor authentication for all SSH access points.
### Long-term Strategy (3+ months)
1. **Automated Remediation for LLMNR:** Implement Group Policy or configuration management to continuously monitor and automatically re-enable the disabling of LLMNR, preventing adversaries from re-enabling it post-initial access.
2. **Develop Cobalt Strike C2 Detection Signatures:** Develop specific detection logic (e.g., YARA rules, network signatures) tailored to the organization's environment to detect the artifacts, network patterns, or indicators associated with advanced implant/C2 frameworks like Cobalt Strike.
3. **Comprehensive Credential Hunting and Dumping Defense:** Implement controls to monitor for and alert on activities related to credential dumping (e.g., memory scraping attempts) and ensure Least Privilege across all user roles to limit the impact of dumped credentials.
4. **Comprehensive Global Address List (GAL) Protection:** Review the ability of attackers to dump the GAL via accessible services (like OWA) and restrict this access, or actively monitor outbound communication that appears to be mass mail/phishing preparation (MailSniper adjacent activity).
## Implementation Guidance
### For Small Organizations
* **Focus on Foundations:** Prioritize immediate MFA deployment and strong password policies/account lockouts.
* **Low-Cost/Free Monitoring:** Leverage built-in Windows security logging and basic network monitoring. Deploy Canary Tokens manually on critical shared documents.
* **LLMNR:** Test turning off LLMNR via local configuration or GPO as feasible.
### For Medium Organizations
* **Centralized Policy Enforcement:** Use Group Policy Objects (GPO) to centrally enforce the disabling of LLMNR across the domain environment.
* **Tool Evaluation:** Begin piloting detection tools like RITA or equivalent capabilities within existing tooling (e.g., SIEM/NDR).
* **Credential Hygiene:** Implement a formal process for creating and monitoring Honey Accounts.
### For Large Enterprises
* **Automated Defense Loops:** Implement automated, high-fidelity response playbooks triggered by Canary Token alerts or Honey Account logins (e.g., immediately isolating the source machine).
* **Defense in Depth for Lateral Movement:** Focus on mitigating techniques like `crackmapexec` usage by rigorously applying firewall rules between network segments and enforcing security configurations on administrative workstations.
* **Endpoint Detection and Response (EDR) Tuning:** Configure EDR solutions to specifically detect the behavioral indicators of credential access tools and lateral movement attempts (e.g., WMI execution, SMB connections initiated by unusual parent processes).
## Configuration Examples
*Note: Specific command-line tools are noted based on the context, but configuration guidance here is conceptual.*
| Technique/Tool | Best Practice Configuration Focus |
| :--- | :--- |
| **LLMNR/NBT-NS** | Disable via GPO: Path: `Computer Configuration\Administrative Templates\Network\DNS Client` (Consider settings related to DNS and LLMNR interaction). |
| **SSH Brute Force** | Enforce authentication via public key pairs; Rate-limit connection attempts at the firewall or host level. |
| **Honey Accounts** | Create the account with necessary permissions (if testing privilege escalation) but never join it to any regular users group, and monitor its Activity/Logon events religiously. |
| **Internal Recon** | Monitor outbound traffic for high volumes of standard port scans (Nmap-like behavior) indicative of internal network discovery. |
## Compliance Alignment
* **NIST CSF:** Identify (ID.RA - Risk Assessment), Protect (PR.AC - Access Control), Detect (DE.AE - Anomalies and Events).
* **CIS Controls:** Control 4 (Secure Configuration of Enterprise Assets), Control 5 (Account Management), Control 18 (SANS Monitoring and Detection).
* **PCI DSS (§/Ref):** Requirements around multi-factor authentication for remote access and restricting the use of administrative/privileged accounts (if applicable to the environment).
## Common Pitfalls to Avoid
* **Assuming LLMNR is disabled permanently:** Attackers often re-enable network protocols if the remediation is not actively monitored or enforced via continuous configuration management.
* **Placing Canary Tokens improperly:** Placing tokens where only automated backups or obvious service accounts would access them—place them where a human attacker *thinks* valuable data resides.
* **Ignoring Lateral Movement Vectors:** Focusing only on initial access; LLMNR poisoning and WMI/SMB abuse are primary persistence and escalation vectors requiring dedicated detection.
* **Over-relying on one defense:** A layered approach is critical; MFA protects the perimeter, while Canary Tokens and RITA monitor the internal network space.
## Resources
* **Canary Token Deployment:** Consult the official site for documentation on generating and deploying various token types (e.g., DNS, HTTP, File). (Search term: "Canary Tokens")
* **Network Traffic Analysis:** Investigate capabilities for network security monitoring tools that can detect anomalies in name resolution traffic (like LLMNR/NBT-NS broadcasts) (Tool reference: RITA).
* **Configuration Hardening Documentation:** Refer directly to Microsoft documentation for securely disabling protocols like LLMNR via Group Policy.