Zero Networks Labs

NSA and CISA Top 10 Cybersecurity Misconfigurations – Solved!

Published October 17, 2023 by Sagie Dulce

Recently, NSA and CISA published a report dubbed “NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." As the name implies, it contains the 10 most common misconfigurations they found in various red and blue team assessments, as well as through their incident response efforts. The paper is a call to action for various vendors, as well as network defenders, on how to better secure their environments.

In this post, we examine each misconfiguration and discuss how Zero Networks solutions and features mitigate such misconfigurations; let's summarize our findings:

Misconfiguration Name | Zero Networks Mitigation
--- | ---
Default configuration of software and applications | MFA for any application or software protects against default credentials, while also protecting against numerous RPC attacks
Improper separation of user/administrator privilege | Identity Segmentation ensures privileged accounts are protected and not misused
Insufficient internal network monitoring | Zero Networks Segment collects all internal and external network traffic
Lack of network segmentation | Zero Networks makes microsegmentation feasible at scale in weeks, not months or years
Poor patch management | By protecting privileged ports, even “un-patchable” OSs can be protected
Bypass of system access controls | Even when access controls fail, you can still stop attacks using Just-in-Time MFA
Weak or misconfigured MFA methods | MFA is used everywhere, not just for initial login, making it significantly harder to bypass
Insufficient ACLs on network shares and services | MFA can be applied to network shares, and stolen credentials are useless to attackers since the shares are protected via MFA
Poor credential hygiene | MFA anywhere, along with identity segmentation, means that even a text file containing all passwords can be rendered useless to attackers
Unrestricted code execution | Zero Networks won’t prevent code from executing, but it will prevent lateral movement to other network resources

If It’s Not Practical, It’s Not a Good Mitigation

While the report is a valuable resource for understanding where the most common soft spots of organizations are, and how to mitigate them, there is often a disconnect between the recommended mitigations and their practicality. If a mitigation requires significant work, cost, and/or maintenance, it is not very likely to be implemented. Quoting our CEO: “What is complex to secure is usually not secure.”

Let’s look at patching, for example. One of the report’s patching recommendations for unsupported OSs is to “Evaluate the use of unsupported hardware and software and discontinue use as soon as possible.” Anyone who has worked in a large enterprise knows that simply “discontinuing” such software is often unimaginable. Some organizations may have dozens, if not hundreds, of legacy applications, written perhaps 15 years ago by a 3rd party, which are critical to their business, and they are not going anywhere anytime soon.

Another example of mitigation for system access control bypass is to “Limit credential overlap across systems to prevent credential compromise and reduce a malicious actor's ability to move laterally between systems.” Now, who is the poor sap who is going to go over potentially hundreds of systems, making sure that credentials on one system do not work on another?

These are just a couple of examples, but the reality is that 99% of teams can’t implement such mitigations: they are too complex, too costly and just not practical.

One by One: How Zero Networks Mitigates NSA and CISA Top 10 Cybersecurity Misconfigurations

Let’s dive into the details and go through each of the 10 misconfigurations, explaining each in short and examining how Zero Networks helps mitigate it.

1. Default Configuration of Software and Applications

Explanation: This section covers 2 types of default configurations. The first relates to credentials, while the second concerns insecure default configurations of services.

When it comes to credentials, many applications, after they are initially installed, operate with a set of default (and very well-known) credentials, predictable forgotten password questions, and even default VPN credentials. This happens for IT, applications and for OT devices. Once applications or devices are taken over, threat actors can dump domain credentials for lateral movement and spread across the network.

The other part relates to insecure default configurations of services. This usually boils down to certificate services, SMB configuration and legacy protocols. Misconfigured ADCS (Active Directory Certificate Services) could allow relay attacks, or simply enable low-privileged users to request certificates with higher privileges. Legacy protocols across the network, such as LLMNR & NBT-NS, are continuously used for spoofing. Finally, an insecure SMB configuration allows NTLM relay, which enables MITM attacks.

Zero Networks Mitigation: Zero Networks makes it possible to enable MFA for any application or software. This added layer of protection ensures that any application that suffers from default credentials can instantly gain this added layer of security, using domain credentials along with the MFA provider of choice.

The other misconfigured services mentioned by the report are normally used for MITM attacks and privilege escalation attacks in the domain. While microsegmentation still significantly helps against such attacks, other tools such as the RPC Firewall and LDAP Firewall can be used to stop many forms of NTLM relay attacks and protect against misconfigured DCs.

2. Improper Separation of User/Administrator Privilege

Explanation: Managing account access is a complicated job. This means that accounts are often configured with way too many privileges for ease of use. This also simplifies the attacker’s job, as compromising one account enables them to move laterally to a large number of other assets. Service accounts are also a prime target as they have privileged access in the domain. Such accounts are also widely misused by IT admins because of their high privileges, making them even more exposed across the network.

Zero Networks Mitigation: Zero Networks ensures privileged accounts are not used beyond a predefined scope. This has 2 benefits: first, it ensures that such accounts are not misused to log in to assets they are not supposed to. Second, even if such accounts are compromised via Kerberoasting or any other attack, they cannot be used to log on to other assets.

3. Insufficient Internal Network Monitoring

Explanation: Network traffic is normally not logged, which makes adversarial actions difficult to detect. Even when host-based detections are enabled, IR teams can’t identify which additional hosts were compromised.

Zero Networks Mitigation: Network traffic flows are continuously logged from each monitored and protected device. The Zero Networks platform also adds a lot of insight into network traffic, including: source and destination processes, the user account performing the connection, and even a risk score for inbound/outbound external connections.
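As an added illustration of what flow logs with process and user context make possible (this is example code written for this post, not Zero Networks code, and the flow records, field layout, port list and thresholds are all assumptions), the script below flags a single host/user pair that reaches many distinct hosts on remote-administration ports within a few minutes, the fan-out pattern an IR team would want to pull from such logs when deciding which additional hosts to examine:

```python
"""Lateral-movement fan-out detection over network flow records (added example).

Assumes flow records with the fields the post describes: timestamp, source
host, user, source process, destination host and destination port.  Flags a
(source host, user) pair that touches at least `threshold` distinct hosts on
admin ports inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports typically used for remote administration (RPC, SMB, RDP, WinRM).
# A workstation fanning out on these to many hosts is a classic pivot signal.
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}

# Constructed sample flows: ts,src_host,src_user,src_process,dst_host,dst_port
SAMPLE_FLOWS = """\
2023-10-17T09:00:01,WS-17,corp\\alice,outlook.exe,MAIL-01,443
2023-10-17T09:00:05,WS-17,corp\\alice,wmic.exe,SRV-01,135
2023-10-17T09:00:06,WS-17,corp\\alice,wmic.exe,SRV-02,135
2023-10-17T09:00:07,WS-17,corp\\alice,cmd.exe,SRV-03,445
2023-10-17T09:00:08,WS-17,corp\\alice,cmd.exe,SRV-04,445
2023-10-17T09:00:09,WS-17,corp\\alice,cmd.exe,SRV-05,445
2023-10-17T09:00:10,WS-17,corp\\alice,mstsc.exe,SRV-06,3389
2023-10-17T09:30:00,WS-22,corp\\bob,explorer.exe,FS-01,445
2023-10-17T09:31:00,WS-22,corp\\bob,explorer.exe,FS-02,445
2023-10-17T09:32:00,WS-22,corp\\bob,chrome.exe,WEB-01,443
"""


def parse_flows(text):
    """Parse comma-separated flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, src, user, proc, dst, port = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "user": user,
                      "proc": proc, "dst": dst, "port": int(port)})
    return flows


def detect_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Return one alert per (src host, user) that reaches >= threshold distinct
    destination hosts on admin ports within any `window`-long interval."""
    by_actor = defaultdict(list)
    for f in flows:
        if f["port"] in ADMIN_PORTS:
            by_actor[(f["src"], f["user"])].append(f)

    alerts = []
    for (src, user), events in by_actor.items():
        events.sort(key=lambda f: f["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            hosts = {e["dst"] for e in in_window}
            if len(hosts) >= threshold:
                alerts.append({"src": src, "user": user,
                               "hosts": sorted(hosts),
                               "processes": sorted({e["proc"] for e in in_window})})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['src']} as {alert['user']} reached {len(alert['hosts'])} hosts "
              f"via {', '.join(alert['processes'])}: {', '.join(alert['hosts'])}")
```

The process field is what turns a noisy volume signal into a useful one: `explorer.exe` touching two file servers over SMB is a user browsing shares, while `wmic.exe` and `cmd.exe` touching five servers in five seconds is not.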

4. Lack of Network Segmentation

Explanation: Network segmentation is the practice of dividing a network into smaller, isolated segments to enhance security and control traffic flow, preventing unauthorized access and limiting the potential impact of security breaches. The ideal segmentation method is microsegmentation, where every machine and device is in its own private segment with a default inbound block. Unsegmented networks enable actors to move laterally across resources. Organizations struggle especially with segmenting IT and OT resources, leaving OT networks exposed to IT networks.

Zero Networks Mitigation: Zero Networks Segment is a product which, for the first time, makes network segmentation a reality for organizations of all sizes. The segmentation process is fully automated, which allows organizations to scale the solution easily, while privileged access can be allowed only after MFA. Additionally, Zero Networks Segment can extend MFA to OT, making it possible to finally secure those assets from the IT environment.
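To make the "default inbound block" point concrete, here is an added example (written for this post, not Zero Networks code; the host inventory, rule set and port list are constructed assumptions) that models a flat network and a microsegmented one as allow-lists of flows and computes the blast radius of a single compromised workstation by breadth-first search over admin-port flows. Rules marked as requiring JIT MFA are treated as closed to an attacker who cannot pass the MFA challenge:

```python
"""Blast-radius comparison: flat vs. microsegmented network (added example).

A network is modelled as hosts plus a set of allowed (src, dst, port) flows.
`reachable_hosts` walks the flows an attacker could pivot over from one
compromised host.  Constructed data; the JIT-MFA flag is an assumption about
how MFA-gated rules behave for an attacker without the second factor.
"""
from collections import deque

# Ports an attacker pivots over; non-admin flows (e.g. app -> DB on 1433) are
# not counted as lateral movement here.
ADMIN_PORTS = {135, 445, 3389, 5985}

# Constructed inventory
HOSTS = ["WS-01", "WS-02", "WS-03", "FS-01", "APP-01", "DB-01", "DC-01"]


def flat_policy(hosts):
    """Flat network: every host reaches every other host on every admin port."""
    return {(s, d, p) for s in hosts for d in hosts if s != d for p in ADMIN_PORTS}


# Microsegmented policy: only explicit business flows, everything else denied.
# Rules with mfa=True open only after a successful JIT MFA challenge.
SEGMENTED_RULES = [
    {"src": "WS-01", "dst": "FS-01", "port": 445, "mfa": False},    # user file share
    {"src": "WS-02", "dst": "FS-01", "port": 445, "mfa": False},
    {"src": "WS-03", "dst": "FS-01", "port": 445, "mfa": False},
    {"src": "APP-01", "dst": "DB-01", "port": 1433, "mfa": False},  # app to database
    {"src": "WS-01", "dst": "APP-01", "port": 3389, "mfa": True},   # admin RDP, JIT MFA
    {"src": "WS-01", "dst": "DC-01", "port": 5985, "mfa": True},    # admin WinRM, JIT MFA
]


def segmented_policy(rules, attacker_passes_mfa=False):
    """Expand rules into allowed flows; MFA-gated rules are closed unless the
    caller assumes the attacker can satisfy the challenge."""
    allowed = set()
    for r in rules:
        if r["mfa"] and not attacker_passes_mfa:
            continue
        allowed.add((r["src"], r["dst"], r["port"]))
    return allowed


def reachable_hosts(start, allowed, ports=ADMIN_PORTS):
    """BFS over allowed admin-port flows; every reached host becomes a new pivot."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for (s, d, p) in allowed:
            if s == cur and p in ports and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(start)
    return seen


def blast_radius(start, allowed):
    """Number of other hosts an attacker on `start` can pivot to."""
    return len(reachable_hosts(start, allowed))


if __name__ == "__main__":
    print("flat network:          ", blast_radius("WS-01", flat_policy(HOSTS)))
    print("segmented, no MFA:     ", blast_radius("WS-01", segmented_policy(SEGMENTED_RULES)))
    print("segmented, MFA passed: ",
          blast_radius("WS-01", segmented_policy(SEGMENTED_RULES, attacker_passes_mfa=True)))
```

In the constructed inventory the same compromised workstation reaches all six other hosts on the flat network, one host (the file server, which has no onward admin flows) under the segmented policy, and three even if the attacker could pass MFA, which is why the post treats MFA on privileged ports as the last line rather than the only one.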

5. Poor Patch Management

Explanation: Many organizations simply don’t have a regular patch management program, or they are using unsupported OSs, for which there are sometimes no patches at all. It is very common for externally facing assets to become compromised simply because they are not patched.

Zero Networks Mitigation: Zero Networks’ patented JIT MFA solution ensures that even an unsupported OS can still be protected using MFA, while the rest of its ports are segmented from the network. This creates a radically smaller attack surface, as most potentially vulnerable ports are not accessible. This leaves patch management teams focused only on patching the vulnerabilities that matter, instead of continuously chasing CVEs.

6. Bypass of System Access Controls

Explanation: Even when there are controls on system access, these can be bypassed. Such controls can be bypassed through Pass-The-Hash (PTH) attacks or Kerberoasting, by reusing the same credentials on multiple systems, or simply by misusing privileged accounts (making them more susceptible to exploitation).

Zero Networks Mitigation: Zero Networks’ capability to apply MFA anywhere ensures attackers can’t exploit credentials, even when it’s the same password used across multiple services. Even PTH attacks cannot work as they cannot pass the MFA challenge. Furthermore, Zero Networks’ identity segmentation ensures that privileged accounts are not misused, as they are segmented from non-privileged assets.

7. Weak or Misconfigured MFA Methods

Explanation: MFA configuration and setup can be complex. Not all MFA is phishing resistant. Furthermore, even if organizations enable MFA for initial authentication such as Windows Hello, and when connecting to VPN or cloud applications, most internal authentications remain MFA-less. This means for example that a compromised credential can be used for network logon without prompting for MFA.

Zero Networks Mitigation: Use of MFA can be applied to any port and protocol. This has several effects: first, it makes MFA deployment much simpler, so organizations can use a single identity provider for all of their access (cloud, VPN, interactive logon, remote access, network authentication etc.). Second, even if an MFA method can be bypassed, an attacker will have to bypass it many times – not just once – as the MFA is enforced whenever privileged access is required, making this type of behavior simpler to detect and mitigate.

8. Insufficient ACLs on Network Shares and Services

Explanation: Network shares are often misconfigured, allowing threat actors to access sensitive information. Threat actors use various tools to enumerate and exfiltrate data on shared folders, or use this data for ransomware and/or extortion attacks.

Zero Networks Mitigation: Most devices don’t need to expose their network shares to anyone. Zero Networks Segment ensures that rogue SMB shares are not open to any share enumeration program. Furthermore, MFA can be enabled for SMB, making access to network shares significantly more secure.
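Before segmenting, a defender usually wants to know which shares are over-exposed today. The added example below (written for this post, not Zero Networks code) audits a share-permission export for broad principals such as Everyone, Authenticated Users or Domain Users holding read or write access; the export format, the principal list and the sample entries are constructed assumptions:

```python
"""Audit SMB share permissions for over-broad access (added example).

Input lines are assumed to be `share,principal,type,right`, the fields a
share-permission export typically carries.  Broad principals with Change/Full
are reported as high severity, with Read as medium; Deny entries are ignored.
"""

# Principals that effectively mean "anyone in the domain" (domain prefix stripped).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}
WRITE_RIGHTS = {"change", "full"}

# Constructed sample export; lines starting with '#' are comments.
SAMPLE_ACL = """\
# share,principal,type,right
Public,Everyone,Allow,Full
HR,CORP\\HR-Staff,Allow,Change
HR,CORP\\Domain Users,Allow,Read
Backups,NT AUTHORITY\\Authenticated Users,Allow,Full
Finance,CORP\\Finance,Allow,Change
Finance,Everyone,Deny,Full
"""


def parse_share_acl(text):
    """Parse export lines into dicts; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        share, principal, acl_type, right = parts
        entries.append({"share": share, "principal": principal,
                        "type": acl_type, "right": right})
    return entries


def normalize_principal(principal):
    """Drop the DOMAIN\\ or NT AUTHORITY\\ prefix and lower-case for comparison."""
    return principal.rsplit("\\", 1)[-1].lower()


def audit_shares(entries):
    """Return findings for Allow entries that grant broad principals access."""
    findings = []
    for e in entries:
        if e["type"].lower() != "allow":
            continue  # an explicit Deny for Everyone is a good sign, not a finding
        if normalize_principal(e["principal"]) not in BROAD_PRINCIPALS:
            continue
        severity = "high" if e["right"].lower() in WRITE_RIGHTS else "medium"
        findings.append({"share": e["share"], "principal": e["principal"],
                         "right": e["right"], "severity": severity})
    return findings


def shares_by_severity(findings):
    """Map each share to its worst severity, for a quick summary."""
    rank = {"medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if rank[f["severity"]] > rank.get(worst.get(f["share"], "medium"), 0):
            worst[f["share"]] = f["severity"]
        worst.setdefault(f["share"], f["severity"])
    return worst


if __name__ == "__main__":
    for f in audit_shares(parse_share_acl(SAMPLE_ACL)):
        print(f"[{f['severity']}] {f['share']}: {f['principal']} has {f['right']}")
```

On Windows the same data comes from `Get-SmbShareAccess` per share; the point of the check is that a share writable by Authenticated Users is writable by any compromised account, which is exactly what the post's MFA-on-SMB mitigation is meant to neutralize.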

9. Poor Credential Hygiene

Explanation: Most organizations don’t enforce complex passwords, which makes their passwords easier to guess or crack using tools such as HashCat. Sometimes, passwords are even stored as cleartext in various locations, including file shares, logs, configuration files and code.

Zero Networks Mitigation: Enforcing complex passwords and cleaning up configuration files are no easy tasks. The most effective way of tackling this misconfiguration is by ensuring that MFA is enforced whenever a credential is required. Even cracked credentials are then rendered useless.
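Finding the cleartext passwords the report describes is still worth doing even when MFA makes them less valuable. The added example below (written for this post, not Zero Networks code) scans constructed config, script and environment files for password assignments and `net use` commands that embed a password, masks what it finds so the report itself does not leak the secret, and skips templated placeholders such as `${VAR}`; the patterns and sample files are assumptions:

```python
"""Scan text files for cleartext credentials (added example).

Walks a mapping of filename -> contents (constructed here, but a real run
would read from disk), reports the file, line number and pattern matched, and
masks the value.  Placeholder values like ${DB_PASSWORD} are skipped.
"""
import re

# (label, compiled pattern with the secret in group 1)
PATTERNS = [
    # password=..., Password: "...", DB_PASSWORD=...  (value stops at quote/space/;)
    ("password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"';]+)")),
    # net use \\server\share <password> /user:domain\account
    ("net-use-password",
     re.compile(r"(?i)\bnet\s+use\s+\S+\s+(\S+)\s+/user:")),
]

# Values that are templates or obvious placeholders, not real secrets.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%")
PLACEHOLDER_VALUES = {"changeme", "password", "xxx", "***"}

# Constructed sample files.
SAMPLE_FILES = {
    "web.config": '<add name="Db" connectionString="Server=DB-01;User Id=app;Password=Summer2023!" />',
    "deploy.ps1": "net use \\\\FS-01\\backup Winter2023 /user:corp\\svc-backup",
    "app.env": "DB_PASSWORD=hunter2\nLOG_LEVEL=info",
    "compose.yml": "  environment:\n    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}",
}


def is_placeholder(value):
    return value.startswith(PLACEHOLDER_PREFIXES) or value.lower() in PLACEHOLDER_VALUES


def mask(value):
    """Keep two characters so an analyst can recognise the hit without seeing it."""
    return value[:2] + "*" * max(len(value) - 2, 1)


def scan_text(name, text):
    """Return findings for one file; first matching pattern per line wins."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if m and not is_placeholder(m.group(1)):
                findings.append({"file": name, "line": lineno,
                                 "kind": label, "masked": mask(m.group(1))})
                break
    return findings


def scan_files(files):
    """Scan every file in a filename -> contents mapping."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} value={f['masked']}")
```

A scan like this belongs in the same pipeline as the share audit: the file shares, logs and repositories the report lists are where cleartext credentials accumulate, and a masked finding is enough to open a ticket without copying the secret into yet another location.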

10. Unrestricted Code Execution

Explanation: Attackers can run malicious code on users’ machines. This can be done by using an exploit, or by social engineering, convincing a user to install software on their workstation so the attacker gains remote access. To hide their operation, attackers often use scripting languages and macros to make their code harder to detect. Implementing allow lists or blocking specific scripting engines is complex in most environments, making it harder to thwart such attacks.

Zero Networks Mitigation: This is the one misconfiguration for which Zero Networks does not offer a direct solution. However, no matter which code is running on an asset, to advance an attack that asset will sooner or later need to communicate with other assets, at which point Zero Networks will thwart the attack.

--

In summary, the recommendations from CISA and NSA are only as good as the ability to practically implement them. Zero Networks is here to help as a partner in this effort to mitigate most of these in a click. Reach out to us with any questions and we’d be happy to chat about your goals for your organization’s security.