Earlier this month Kyle Flaherty wrote a post on the Rapid7 Community Blog about how Rapid7 came out on top for coverage of the Center for Internet Security (CIS) Top 20 Security Controls. In light of recent DDoS events I'd like to take a little time to discuss at a high level what the controls are, how they would help, and what organizations can do to improve their posture in these areas.

What are the Critical Security Controls?

Here is how the CIS describes the Top 20 Critical Security Controls:

The CIS Critical Security Controls (CIS Controls) are a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber attacks. The CIS Controls are developed, refined, and validated by a community of leading experts from around the world. Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.

Each CIS control is made up of a high-level concept and contains multiple sub-controls that support this concept. The controls are prioritized, and efforts to implement a given control will support and enable the implementation of lower-priority controls. Progression through the controls also serves as a measure of security program maturity.

Why do they matter?

You don't have to be tech-savvy to be aware of the impact that inadequately secured devices can have on organizations and the general Internet. In the last few weeks, record-breaking DDoS attacks have originated from Internet of Things (IoT) devices. News of these events made the general non-tech press when Brian Krebs was targeted. They gained an all-new level of public awareness when they were used to DDoS Dyn's DNS services last week and impacted Twitter, Spotify, Reddit, GitHub, and others. While the public sees the impacts to Twitter, organizations feel the impact when services like GitHub and Okta aren't available.

These attacks have been tied to the Mirai malware, which spreads by logging into Internet-accessible Telnet services using a list of factory default credentials. Reports of the botnet's size vary widely depending on the source and their access to data. Level3 blogged that they have found over 490,000 members of Mirai family botnets. Dyn stated that they saw "10s of millions of IP addresses" during the attack on them. One would hope that a protocol as insecure as Telnet would not continue to be prevalent, but recent scans of the Internet by Censys.io reveal over 5.3 million devices that returned a Telnet banner on port 23/TCP. Since Mirai kills the Telnet, SSH, and HTTP services, any devices that were infected at the time of the scan would not be represented.

A device doesn't have to be compromised to be used in a DDoS. Jon Hart, a fellow researcher on the Rapid7 Labs team, recently wrote a blog post describing how public access to certain UDP services can enable Distributed Reflected Denial of Service (DRDoS) attacks. These attacks can allow the attacker to hide the source of the attack, often while amplifying its size. He provided some great data about services that could be used by attackers and provided pointers to the datasets that Rapid7 makes publicly available via Project Sonar. These datasets are the results of Internet IPv4 scanning and provide insight into the prevalence of certain services and potential amplification metrics.

I'd like to expand on Jon's post a bit by talking about two services in particular. As Jon pointed out, 1,768,634 hosts responded to a NetBIOS name service probe on port 137/UDP. If you dig into the data that he linked, you will find that 1,657,431 (93.7%) responded with a NetBIOS hostname and, in many cases, a domain name. There is another UDP study that Project Sonar performs that I think is relevant as well. We scan on 1434/UDP for the Microsoft SQL Browser Service. This service provides information about the Microsoft SQL Server, which databases it hosts, and on what ports or endpoints they can be found. If you look at the dataset from 10/03/2016 and process it using Rapid7's open source DAP and Recog tools, you will find that there were 149,344 responses that provided instance and/or server names as well as server version information. Both of these services not only lend themselves to being used in DRDoS attacks, they also leak potentially sensitive data. It's unlikely that services exposed by these hosts were intended to be Internet accessible. Their presence on the Internet presents a risk not only to the Internet in general but to the device owners as well.

How do the Critical Security Controls help?

Adoption of the CIS Controls can significantly reduce risk and greatly improve an organization's ability to respond to security incidents. For example, here are 5 of the 20 CIS Controls that, if followed, would reduce an organization's likelihood of being a source of traffic in a DDoS:

  1. Inventory of Authorized and Unauthorized Devices

  2. Inventory of Authorized and Unauthorized Software

  4. Continuous Vulnerability Assessment and Remediation

  9. Limitations and Control of Network Ports, Protocols, and Services

11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Yes, those are all obvious security measures. The value here is that the CIS controls provide prioritization of efforts. For example, implementing #9 or #11 above without #1 or #2 is doomed to failure in any complex environment. Additionally, each high-level control has between 4 and 14 more tactical sub-controls that support it. Here are extracts from a couple of selected example controls:

1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s)…

1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

4.1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator.

9.1 Ensure that only ports, protocols, and services with validated business needs are running on each system.

9.4 Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.

Each of the sub-controls helps build capability and awareness and enables the implementation of later controls. When these controls are baked into an organization's operational processes, security becomes an intrinsic attribute of the environment, not an on-demand effort that interrupts business processes when an event occurs. An organization that had implemented these controls would be aware of the services that were exposed to the Internet and the risks that they present. In the case of a previously unknown vulnerability, it would have the information required to quickly respond and mitigate the risk.
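As an added illustration (not part of the original post or any Rapid7 tool), the sketch below shows how an asset inventory (Control 1) and a list of approved services (sub-control 9.1) let an organization triage external scan results, putting the three services discussed above (23/TCP, 137/UDP, 1434/UDP) first. The inventory, the scan rows, and the `audit` function are all constructed for this example.

```python
import csv
import io
import ipaddress

# Services the post singles out as DDoS-relevant when Internet-facing.
SERVICES_OF_CONCERN = {
    (23, "tcp"): "Telnet (Mirai logs in with factory default credentials)",
    (137, "udp"): "NetBIOS name service (DRDoS reflector, leaks host/domain names)",
    (1434, "udp"): "MS SQL Browser (DRDoS reflector, leaks instance/version data)",
}

# Constructed inventory: asset IP -> services with a validated business need.
INVENTORY = {
    "198.51.100.10": {(443, "tcp")},
    "198.51.100.20": {(443, "tcp"), (25, "tcp")},
}

# Constructed external scan output (documentation address range), not real data.
SCAN_CSV = """ip,port,proto
198.51.100.10,443,tcp
198.51.100.10,1434,udp
198.51.100.20,25,tcp
198.51.100.20,8080,tcp
198.51.100.77,23,tcp
198.51.100.20,137,udp
"""

def audit(scan_csv, inventory):
    """Compare scan rows with the inventory; return findings, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ip = str(ipaddress.ip_address(row["ip"].strip()))  # raises on malformed input
        svc = (int(row["port"]), row["proto"].strip().lower())
        if ip not in inventory:
            issue = "unknown-device"        # Control 1: host missing from inventory
        elif svc not in inventory[ip]:
            issue = "unapproved-service"    # Sub-control 9.1: no validated need
        else:
            continue                        # inventoried and approved
        findings.append({"ip": ip, "port": svc[0], "proto": svc[1],
                         "issue": issue, "ddos_risk": SERVICES_OF_CONCERN.get(svc)})
    # DDoS-relevant services first, then unknown devices, then by address and port.
    findings.sort(key=lambda f: (f["ddos_risk"] is None,
                                 f["issue"] != "unknown-device",
                                 int(ipaddress.ip_address(f["ip"])), f["port"]))
    return findings

if __name__ == "__main__":
    for f in audit(SCAN_CSV, INVENTORY):
        print(f'{f["ip"]}:{f["port"]}/{f["proto"]}  {f["issue"]}  {f["ddos_risk"] or ""}')
```

Each finding is a candidate for sub-control 9.4: if the service is not required for business purposes, move the host behind the perimeter.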

Next Steps

Here are some steps that you can take to learn about the CIS Controls as well as reduce the likelihood that devices in your environment are used in DDoS attacks.

  • Go to the CIS website and learn about the CIS Controls. They provide high-level overviews, FAQs, and the ability to download the CIS Controls for free.

  • If your organization is a service provider or a company with assigned ASNs, you can sign up for free Shadowserver reports. The Shadowserver Foundation scans the Internet for certain services of concern, such as those that could be used in DDoS, and will provide regular reports on these to network owners.

  • Use an external service, such as the Rapid7 Perimeter Scanning Service, or an externally hosted scan engine to perform scans of your Internet-accessible IP space. This will provide a more accurate picture of what your organization is exposing to the Internet than that provided by an internally hosted scanner.

  • Use the data provided by Rapid7 Project Sonar, the Censys team, and others on the Scans.IO website. You can download datasets individually or use the Censys team's search engine.

Good Luck!