gabrielcurrie/rapid-hardening

High-level guidance for rapidly hardening an IT environment


Rapidly Hardening an IT Environment

This document provides high-level guidance for rapidly hardening an IT environment containing Windows and Linux devices. Other key points of reference are the ACSC's Strategies to Mitigate Cyber Security Incidents and CIS's Top 20 Security Controls.

Identify and understand the environment

  • Scan internal IP address ranges to identify devices (e.g., using nmap)
  • Identify applications and services running on devices (e.g., using WMIC)
  • Identify network connectivity and Internet egress points
  • Identify privileged and service accounts (e.g., using the net localgroup or net group commands, or a tool such as CyberArk DNA)

Protect the environment

Protect endpoints (i.e. workstations and servers)

  • Patch operating systems (e.g., using WSUS) and applications to the latest available version
  • Enable host firewalls (e.g., Windows Defender Firewall) to prevent workstation-workstation communication
  • Deploy anti-virus (e.g., Windows Defender or Sophos Home on Windows, or ClamAV on Linux)
    • Ensure that anti-virus is up-to-date and has the latest signatures.
    • Remove any anti-virus exclusions.
    • Run on-demand anti-virus scan.
  • Enable application whitelisting (e.g., using AppLocker or WDAC) and implement Microsoft recommended block rules
  • Block potentially malicious extensions (e.g., .PS1, .HTA, .CHM) from executing
  • Limit Microsoft Office macro execution
  • Secure client applications (e.g., Chrome) using standards such as CIS Benchmarks
  • Disable PowerShell v2 and enable Constrained Language mode
  • Block content downloaded from the Internet from executing

Protect network infrastructure and connectivity

  • Secure the boundary by deploying and configuring firewalls, IDS, IPS, web proxies, and email scanning appliances
  • Filter email and web content (e.g., block known malicious sites, block commonly abused TLDs, block commonly malicious file types, sandbox executables)
  • Prevent endpoints from directly communicating with the Internet and enforce proxying
  • Segregate/segment network into defined zones

Protect identities

  • Set secure (i.e., long) password policies and ensure compliance
  • Limit domain administrator membership and securely manage passwords
  • Limit local administrator membership and securely manage passwords (e.g., using LAPS)
  • Prevent local users from logging in over the network
  • Prevent service accounts from logging in interactively
  • Deny LM and NTLMv1
  • Remove files with passwords from SYSVOL and GPP
  • Add privileged users to the Protected Users group
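Several items from the Identify, Protect endpoints and Protect identities lists above can be verified on a single Windows host with a read-only audit script like the one below. This is an added example, not code from the rapid-hardening repository; the function names are my own, and it assumes an elevated Windows PowerShell 5.1 or later session on a host running Windows Defender (checks whose cmdlets are unavailable are reported with Pass = $null rather than aborting the run).

```powershell
# Added example, not part of the rapid-hardening repository: a read-only audit of one
# Windows host against several checklist items. Assumes an elevated Windows PowerShell
# 5.1+ session; a check whose cmdlet is unavailable is reported with Pass = $null.
function New-Check([string]$Check, $Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-RapidHardening {
    # Identify: services running under named (non built-in) accounts are candidate service accounts to review
    $svc = Get-CimInstance Win32_Service | Where-Object {
        $_.StartName -and $_.StartName -notmatch '^(NT AUTHORITY|NT SERVICE|LocalSystem)'
    }
    New-Check 'Services using named accounts (review)' $null (($svc | ForEach-Object { "$($_.Name)=$($_.StartName)" }) -join '; ')

    # Protect identities: local Administrators membership, and LM/NTLMv1 refused.
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM (an unset value behaves as the OS default, usually 3).
    try {
        $admins = Get-LocalGroupMember -Group Administrators -ErrorAction Stop
        New-Check 'Local Administrators membership (review)' $null (($admins.Name) -join ', ')
    } catch { New-Check 'Local Administrators membership (review)' $null "unknown: $($_.Exception.Message)" }
    $lvl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LmCompatibilityLevel
    New-Check 'LM and NTLMv1 denied (LmCompatibilityLevel = 5)' ($lvl -eq 5) "LmCompatibilityLevel=$lvl"

    # Protect endpoints: host firewall on every profile, AV current with no exclusions,
    # PowerShell v2 engine removed, Constrained Language mode in effect for this session.
    try {
        $off = @(Get-NetFirewallProfile -ErrorAction Stop | Where-Object { -not $_.Enabled })
        New-Check 'Host firewall enabled on all profiles' ($off.Count -eq 0) "Disabled profiles: $($off.Name -join ', ')"
    } catch { New-Check 'Host firewall enabled on all profiles' $null "unknown: $($_.Exception.Message)" }
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        New-Check 'AV real-time on, signatures <= 3 days old' ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 3) "SignatureAge=$($mp.AntivirusSignatureAge) day(s)"
        $p = Get-MpPreference -ErrorAction Stop
        $excl = @($p.ExclusionPath) + @($p.ExclusionExtension) + @($p.ExclusionProcess) | Where-Object { $_ }
        New-Check 'No AV exclusions' (@($excl).Count -eq 0) "$(@($excl).Count) exclusion(s)"
    } catch { New-Check 'Windows Defender status' $null "unknown: $($_.Exception.Message)" }
    try {
        $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
        New-Check 'PowerShell v2 engine disabled' ($v2.State -eq 'Disabled') "State=$($v2.State)"
    } catch { New-Check 'PowerShell v2 engine disabled' $null "unknown: $($_.Exception.Message)" }
    $mode = $ExecutionContext.SessionState.LanguageMode
    New-Check 'Constrained Language mode' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode"
}

Test-RapidHardening | Format-Table -AutoSize -Wrap
```

Rows with Pass = $null are informational (membership and service-account lists to review by hand, or a cmdlet that could not run); the remaining rows map directly to a checklist item and should read True once the host is hardened.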

Detect and respond to attacks

  • Generate logging on endpoints (e.g., generating Windows Event Logging using the NSA baseline or SwiftOnSecurity's Sysmon Config, including PowerShell logging)
  • Generate network logging (e.g., DNS, DHCP, web/proxy, netflow)
  • Deploy honeypots as tripwires to alert on attacker activity (e.g., using Honeyd)
  • Forward endpoint and network logs to a SIEM (e.g., OSSIM, Splunk Free, ELK) and collate them there
  • Perform analysis of collated logs to identify and triage potentially malicious events
  • Deploy tooling to enable investigations and incident response (e.g., osquery, Google Rapid Response)
  • Develop monitoring processes
  • Develop response processes
  • Deploy tooling to manage incident response (e.g., TheHive, FIR, Yeti, Cortex)
