CWN #13 2023 - Week 40
CISA and NSA release a top 10 of misconfigurations
CISA and NSA red and blue teams identified the top 10 most common network misconfigurations seen across their engagements and are sharing their findings. None of these are new problems; legacy systems, a lack of resources, and prioritising features over security allow them to persist.
The list (unfortunately) holds no new findings, and most of these issues still plague even mature organisations:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
Many of these misconfigurations have been highlighted before by CISA itself:
- Default credentials/settings have long been warned against (CISA aa22-137a).
- Insufficient logging/monitoring has been a common finding (CISA aa23-129a & CISA aa23-059a).
- Lack of network segmentation and poor access controls enable lateral movement, a consistent red team finding (CISA aa23-270a & CISA aa23-213a).
- The need to limit privileges and to watch for exposed services/ports is not new either (CISA aa23-278a & CISA aa23-074a).
The recommendations aren’t new either: remove default accounts, implement least privilege, automate patching, enforce MFA, and train staff. Segmenting networks, disabling unnecessary services, and monitoring for anomalies are just as critical and should be boilerplate for every organisation. The advisory also takes a jab at Microsoft paywalling specific logs behind licence tiers, with its recommendation to software manufacturers of “Providing high-quality audit logs to customers at no extra charge.”
A zero trust approach could also help mitigate these issues, but it’s not a silver bullet: organisations still need comprehensive security programmes and an accurate inventory of what’s in their information systems. Some possible mitigations:
- Improper privilege separation is avoided by implementing least privilege access and just-in-time, temporary credentials.
- Insufficient monitoring is improved with continuous validation of device health, user identity, and network traffic.
- Lack of segmentation matters less when trust isn’t based on network location; microsegmentation and software-defined perimeters further limit lateral movement.
- Bypassing access controls is harder with granular per-request access policies. Multifactor authentication also helps prevent stolen credential use.
- Weak system access controls are avoided by verifying user identity and device health before granting access; just-in-time provisioning also reduces standing privileges.
- Exposed services are reduced by only allowing connectivity to validated users and devices.
- Vulnerable remote access is secured by verifying identities and device health before allowing any external connections.
This CISA advisory reinforces that organisations routinely overlook security basics like proper access controls, network segmentation, and logging. Addressing these systemic weaknesses through least-privilege access, better network monitoring, and regular red team exercises is a priority to stop preventable attacks.
The advisory also provides tables of TTPs alongside mitigations, which can serve as a baseline for detection and hardening.
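As an added illustration of what such a detection baseline looks like in practice (this is example code written for this newsletter, not something from the advisory), the script below hunts exported Windows Security 4624 logon events for three of the listed misconfigurations showing up in telemetry: privileged accounts caching credentials outside their tier (improper privilege separation), built-in Administrator/Guest accounts still authenticating (default configurations, poor credential hygiene), and workstation-to-workstation network logons that segmentation should have blocked. The event shape mirrors the 4624 fields a SIEM exports to JSON; the tiering model, the `WS-*` host naming convention, and the sample events are all constructed for the demo.

```python
"""Hunt exported Windows Security 4624 events for three common misconfigurations.

Added example, not code from the CISA/NSA advisory or the newsletter. The
event shape mirrors the 4624 fields a SIEM exports to JSON; the tiering model,
host naming convention (WS-* = workstation) and sample events are constructed.
"""
import json
from dataclasses import dataclass

# Constructed tiering model: in production this comes from AD groups / the CMDB.
PRIVILEGED_ACCOUNTS = {"CORP\\da-alice", "CORP\\svc-backup"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-01"}
# Logon types that leave reusable credential material on the target host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
CRED_CACHING_LOGON_TYPES = {2, 10, 11}
NETWORK_LOGON = 3
# Well-known RIDs of the built-in Administrator (500) and Guest (501) accounts.
DEFAULT_ACCOUNT_RIDS = {"500", "501"}


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    host: str


def _short(hostname: str) -> str:
    """'ws-042.corp.local' -> 'WS-042' so names compare regardless of FQDN/case."""
    return hostname.split(".")[0].upper()


def is_workstation(hostname: str) -> bool:
    return _short(hostname).startswith("WS-")  # naming convention assumed


def hunt(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:  # only successful logons
            continue
        account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        host = _short(ev["Computer"])
        logon_type = int(ev["LogonType"])

        # Improper privilege separation: a tier-0 account typing its password
        # into a non-tier-0 host exposes it to whoever already owns that host.
        if (account in PRIVILEGED_ACCOUNTS
                and logon_type in CRED_CACHING_LOGON_TYPES
                and host not in TIER0_HOSTS):
            findings.append(Finding("privilege-separation", account, host))

        # Default configuration / credential hygiene: the built-in Administrator
        # and Guest accounts should be disabled or renamed, not authenticating.
        rid = ev.get("TargetUserSid", "").rsplit("-", 1)[-1]
        if rid in DEFAULT_ACCOUNT_RIDS:
            findings.append(Finding("default-account", account, host))

        # Lack of segmentation: workstations have no business reaching each
        # other over SMB/RPC; a network logon between two of them is a lateral
        # movement signal that host firewalls or VLAN ACLs should have stopped.
        if (logon_type == NETWORK_LOGON
                and is_workstation(ev["Computer"])
                and is_workstation(ev.get("WorkstationName", ""))):
            findings.append(Finding("workstation-lateral", account, host))
    return findings


# Constructed sample export (one JSON object per line), not real telemetry.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "ws-042.corp.local", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "TargetUserSid": "S-1-5-21-1-2-3-1105", "LogonType": 10, "WorkstationName": "PAW-01", "IpAddress": "10.0.0.5"}
{"EventID": 4624, "Computer": "dc01.corp.local", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "TargetUserSid": "S-1-5-21-1-2-3-1105", "LogonType": 2, "WorkstationName": "DC01", "IpAddress": "-"}
{"EventID": 4624, "Computer": "fs01.corp.local", "TargetDomainName": "FS01", "TargetUserName": "Guest", "TargetUserSid": "S-1-5-21-9-8-7-501", "LogonType": 3, "WorkstationName": "WS-017", "IpAddress": "10.0.1.17"}
{"EventID": 4624, "Computer": "ws-042.corp.local", "TargetDomainName": "CORP", "TargetUserName": "bob", "TargetUserSid": "S-1-5-21-1-2-3-2001", "LogonType": 3, "WorkstationName": "WS-017", "IpAddress": "10.0.1.17"}
{"EventID": 4624, "Computer": "ws-017.corp.local", "TargetDomainName": "CORP", "TargetUserName": "bob", "TargetUserSid": "S-1-5-21-1-2-3-2001", "LogonType": 2, "WorkstationName": "WS-017", "IpAddress": "-"}
{"EventID": 4625, "Computer": "ws-017.corp.local", "TargetDomainName": "CORP", "TargetUserName": "bob", "TargetUserSid": "S-1-5-21-1-2-3-2001", "LogonType": 3, "WorkstationName": "WS-099", "IpAddress": "10.0.1.99"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample() -> list[Finding]:
    return hunt(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:22} {f.account:18} on {f.host}")
```

Run against the sample, the hunt flags the Domain Admin RDP session on a workstation, the Guest logon on the file server, and bob's network logon from one workstation to another; the admin's console logon on the DC and bob's own interactive logon are left alone. Each rule maps to one row of the advisory's list, which is the point: the "basics" are cheap to detect once the tiering model and host inventory the advisory keeps asking for actually exist.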
📰 The full advisory https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a