Happy SysAdmin Day 2017

Having a background as a system administrator, I know first-hand many of the challenges you face. As every organization has a unique set of business requirements, system administrators work hard behind the scenes to keep operations running smoothly. From managing permission changes, recovering important files and monitoring user accounts, many system administrators utilize scripts to automate and manage routine tasks. Tenable.io includes over 450 pre-built audit policies and allows you to incorporate custom audit files. Custom audit files provide a great way for you to monitor routine events and changes, while making your work a little easier.

The Problem

On a daily basis, organizations can generate thousands of events, and keeping track of these events across multiple systems can be difficult to manage effectively. System administrators often access multiple web interfaces or consoles to manage systems within their environment. In addition, many are also responsible for maintaining compliance, managing access permissions, and ensuring corporate policies are followed.

Scripts are often used in combination with other security devices to help system administrators monitor critical events or issues that need to be addressed. Unfortunately, no matter what you use to monitor your network, many of these solutions won’t provide the complete visibility you need to sort through all of the events and activity within your network.

By leveraging custom audit files within Tenable.io, you can easily keep track of unique or critical events within one interface. You can customize scripts based on your organizational requirements that can help to ensure service availability and protect data integrity. Tenable.io provides you with the critical insight needed to stay one step ahead of activity that could impact network security or business operations.

Monitoring Account Changes

Many organizations today are required to ensure compliance with corporate policies, as well as industry regulations. Controls requiring password changes and monitoring inactive accounts are often included within many well-known frameworks such as NIST, HIPAA, and PCI DSS.

We have also recently had several questions from customers that wanted to monitor user account changes within Active Directory. I decided to use my lab environment and test out a solution. Within my lab environment, I created several PowerShell scripts to find inactive user accounts and password changes within the domain. These controls help to prevent account compromise and reduce the risk of critical systems or data from being accessed by attackers.

Using Powershell with Tenable.io

Tenable.io has the ability to run compliance checks using PowerShell cmdlets. The compliance checks use the arguments supplied within a custom audit file and run “powershell.exe” on the remote server. Results will include either the command output or compare results against the value data specified in the file. PowerShell is Microsoft’s built-in scripting language that’s designed for System Administration tasks. Using credentialed scans, Tenable.io leverages PowerShell scripts placed within custom audit files to collect information on event changes and activity within your network.

Monitor User Accounts

Since I’m going to be querying Active Directory, I start by importing the Active Directory Module for PowerShell. The Get-ADUser cmdlet I created a script to retrieve a list of user accounts and when the password was last set. Using this cmdlet, you modify the script to include either active and inactive accounts, and track changes across specific Organizational Units (OU) or other domains within your forest.

This information can also be used by executives to confirm if corporate security policies are being followed or need to be improved. If your organization has an internal policy to remove inactive accounts after a specific time period, using this data can help you ensure compliance requirements are being met.

Tenable.io also supports the ability to use PowerShell script files within your custom audit file. The Nessus User Guide includes a detailed section on how to setup and configure your custom audit file with Powershell.

Create Custom Audit File

In my custom audit file, I’m using if/then logic to first check whether the target system is a domain controller, then runs each audit check. Since I’m going to audit my domain controller, the WMI_POLICY is used to provide an initial check that target system is either a Primary or Backup domain controller.

<custom_item>
  type          : WMI_POLICY
  description   : "Target is a Domain Controller"
  wmi_namespace : "root/CIMV2"
  wmi_request   : "select DomainRole from Win32_ComputerSystem"
  wmi_attribute : "DomainRole"
  wmi_key       : "DomainRole"
  value_type    : POLICY_DWORD
  value_data    : 4 || 5
</custom_item>

Next, I used the AUDIT_POWERSHELL check and added the PowerShell commands I ran previously. The description value should include the appropriate plugin name and powershell_args value should contain the PowerShell command. This check also supports the ability to use PowerShell .ps1 files as well.

<custom_item>
  type                 : AUDIT_POWERSHELL
  description          : "<Plugin Name>"
  value_type           : POLICY_TEXT
  powershell_args      : "<PowerShell command>"
  value_data           : "MANUAL REVIEW REQUIRED"
  severity             : MEDIUM
  only_show_cmd_output : YES
</custom_item>

The Compliance check parser provides you with the ability to add multiple audit checks within your custom audit file. Once your custom audit file is completed, save the final output into an .audit format.

Results

Using the Policy Compliance Auditing scan template, I added my custom audit file and credentials for the domain controller. Completed results are located under the Compliance tab within the scan, and included the name of each check performed. Since we are auditing a Windows System, results are included within the Windows Compliance Checks plugin family.

Each result will look identical to the results posted earlier within PowerShell command line sessions. If you need to add more information, you can always modify your custom audit file to include the specific attributes you need based on your organizational requirements.

Summary

User accounts are one of the easiest ways for attackers to gain access to your network systems and data. Once an account is compromised, attackers can pivot and target critical systems, obtain confidential data, and remain in your network for days, weeks or even month.

These examples are just a small portion of what custom audit files can do for you. Whether you want to obtain additional information from Active Directory, monitor file and folder changes or track local account activity, using custom audit files provides you with countless ways to automate routine tasks and know what’s going on within your network.

I hope these tips help. And Happy SysAdmin Day to my fellow fearless colleagues!

Have More Questions?

• Try out a free 60-day trial of Tenable.io Vulnerability Management.
• For a detailed example of how to create custom audit files, check out this post in the Tenable Community.

from Happy SysAdmin Day 2017

Staying Ahead of the Curve

Tenable.io Malicious Code Prevention Report

As malware attacks continue to make headlines, many organizations struggle to stay ahead of the complex, evolving threat landscape. Attackers use both old and new ways to deliver malware through exploiting existing vulnerabilities, evading security solutions, and using social engineering to deliver malicious payloads. Millions of unique pieces of malware are discovered every year, and even with the best security controls in place, monitoring the thousands of endpoints within your network for malware can be nearly impossible.

Use Tenable.io to quickly address systems that are at risk

Once inside your network, malware can disable security controls, gain access to privileged accounts, replicate to other systems, or maintain persistence for long periods of time. If these risks are not addressed quickly, they can result in long term, devastating consequences for any organization. Using the Malicious Code Prevention Report from Tenable.io™ provides you with the visibility needed to quickly address systems that are at risk.

Malware scanning

Tenable.io includes a customizable malware scan template where you can incorporate both good and bad known MD5 hashes, along with a hosts file whitelist. On Windows systems, hosts files contain commented lines of text that consist of two localhost address entries. Most systems will query local DNS servers to resolve domain names to IP addresses. Some organizations will add entries into hosts files for dedicated systems within their environment or to block unauthorized websites. Once a hosts file is modified, the local system will use the entries within the hosts file first and bypass records within your DNS server.

Malware also targets the hosts file to insert redirects to malicious sites or block security solutions from obtaining patches and security updates. For organizations utilizing the hosts file, the Malware Scan template provides you with the ability to add whitelist entries that would otherwise be flagged as abnormal by existing security solutions within your environment.

Enabling the File System Scanning option enables you to scan specific directories within your Windows environment such as the C:\Windows, C:\Program Files, and User Profile directories that are frequently used to install malware. You can also scan malware within directories such as C:\ProgramData that are hidden by default on Windows systems.

Organizations can have any number of mapped drives and devices connected to a system. Most anti-virus solutions only scan default directories such as the C:\ drive, and without additional rules in place, malware could easily bypass this security control via flash drive or external USB drive.

The Malware Scan template provides an additional layer of security to scan network drives and attached devices that may not be targeted by your anti-virus solution

The Malware Scan template provides an additional layer of security to scan network drives and attached devices that may not be targeted by your anti-virus solution. Using the Custom File Directories option, you can include a list of directories within your scan to target mapped drives and attached devices.

Yara rules can also be incorporated into your Tenable.io malware scan. Using a combination of regular expressions, text strings, and other values, Yara will examine systems for specific files that match values within the rules file.

Vulnerabilities

The Malicious Code Prevention report provides a comprehensive overview of systems infected with malicious backdoors, hosts communicating with botnets, and vulnerabilities that can be exploited by malware just to name a few.

Along with malware and malicious processes, this report also highlights systems with vulnerabilities that are exploitable by malware. Exploitable vulnerabilities can provide attackers with a backdoor into your network to enable privilege escalation or launch malicious code.

Tenable.io uses both active and passive methods to detect malicious content

Tenable.io uses both active and passive methods to detect malicious content, including web traffic analysis, md5sum matching, public malware databases, and links pointing to known malware operators. Web servers hosting malicious content are also included within this report. Malicious code can be injected into website due to a cross-site scripting (XSS) or SQL injection vulnerability.

Attackers often target websites to deliver malicious payloads to a larger audience through message boards or blog posts. Malicious code often remains hidden within iframes, JavaScript code, and other embedded tags that link to third-party websites. This data can help you target and remediate issues on web servers before critical assets or services are impacted.

Botnets often use the HTTP protocol as well as encryption to evade detection by modern security solutions. Information reported by Nessus® and Nessus Network Monitor highlights active inbound and outbound communications with command and control (C&C) servers.

Keeping your anti-virus clients updated helps to ensure your systems remain protected from malware. This report provides valuable information on the status of your anti-virus and anti-malware solutions, ensuring that they are installed and up to date. The Malware Protection chapter provides a summary of hosts running up-to-date anti-virus clients per operating system.

Tenable.io will analyze hosts with outdated anti-virus clients and provide targeted information you can use to remediate issues with anti-virus clients. Data is collected from Nessus that checks the status of various anti-virus clients across Windows, Linux, and Unix-based platforms. Using this information can also help you determine if your anti-virus client has been disabled.

No organization is immune from vulnerabilities and attacks

No organization is immune from vulnerabilities and attacks. Knowing how systems are compromised can help target response efforts and minimize future damage. Tenable.io provides you with critical insight needed to measure the effectiveness of your security program, and to gain insight into your current risk posture. Using the Malicious Code Prevention report by Tenable.io provides you with targeted information to prioritize remediation efforts, close malicious entry points, and stay one step ahead of attackers and other persistent threats.

Start with Tenable.io

To learn more about Tenable.io, visit the Tenable.io area of our website. You can also sign up for a free trial of Tenable.io Vulnerability Management.

from Staying Ahead of the Curve