The many layers of security
Like delicious cakes, or gearing up for cold weather, it's all about layers. Each layer adds its own benefit for the user to enjoy, keeping the core (you) happy and safe. The same goes for cybersecurity. However, choosing which layers will keep you the most satisfied is always tricky, and in the world of cybersecurity these different layers often work as silos, unrelated to one another. While we have these tools in place, breaches ultimately continue to happen and organizations are at high risk instead of having high resilience. This brings us to today's topic: solving for the root cause. How do we stop attacks before they spread at the operating system (OS) level? How do we stop the ones that do get past all our security layers and reach the OS level? Security hardening for the operating system is not something new, but agentless OS-Level remediation is.
What is OS-Level Remediation
OS-Level Remediation refers to the process of identifying and mitigating vulnerabilities and security weaknesses at the OS-level of our IT infrastructure. It involves:
- Vulnerability Scanning: Regularly scanning all operating systems for known vulnerabilities, misconfigurations, and weaknesses that could be exploited by cyber threats.
- Patch Management: Swiftly applying security patches and updates provided by OS vendors to address identified vulnerabilities. This is essential to prevent attackers from exploiting known weaknesses.
- Configuration Management: Ensuring that the OS configurations adhere to security best practices and compliance requirements. Misconfigured systems can provide easy access to attackers.
- Hardening: Implementing security hardening measures to reduce the attack surface and make it more challenging for malicious actors to compromise the OS.
This has a huge significance for any organization's risk management strategy if it wants to reduce the likelihood of security breaches and data leaks. Let's take a look at some critical vulnerabilities affecting the operating system and how we can mitigate them at the OS-Level.
High impact vulnerabilities that can be stopped at the OS-Level
Follina Vulnerability (CVE-2022-30190)
The Follina vulnerability involves the exploitation of the MSDT (Microsoft Support Diagnostic Tool) protocol within Microsoft Office documents. Threat actors exploit this vulnerability through phishing campaigns, tricking users into opening malicious Office documents that contain a web link to an attacker-controlled online resource. The Office application automatically fetches the embedded link, invoking the MSDT protocol. This specially crafted link can then force the execution of attacker-supplied PowerShell commands without requiring additional user interaction.
Exploits may occur when users open Microsoft Office documents, such as Word .docx files, received via email or other communication channels. In some cases, even without directly opening the file, malicious code could run via the Preview Tab in Windows Explorer, particularly if the file is in .rtf format. The malware payload is activated through the MSDT protocol.
Follina OS-Level Fix:
- Validate that all software, including Microsoft Office, is up to date with the latest security patches.
- Disable the MSDT protocol if not required.
- Implement robust email filtering and security solutions.
- Provide user education on recognizing phishing attempts.
- Employ endpoint security solutions to block malicious activities.
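The "disable the MSDT protocol if not required" step above, as an added PowerShell example (not Veriti's tooling or Microsoft's code). It follows Microsoft's published Follina workaround of exporting the ms-msdt: handler key as a backup and then deleting it; the backup path under ProgramData and the -Remediate switch are this example's own choices.

```powershell
# Added example: audit and optionally remove the ms-msdt: URL protocol handler
# that Follina abuses. Run from an elevated PowerShell session.
# Without -Remediate the script only reports the current state.
param([switch]$Remediate)

$handlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
# Backup location is an assumption of this example; any writable path works.
$backupFile = Join-Path $env:ProgramData ('ms-msdt-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Test-MsdtHandler {
    # $true when the ms-msdt: protocol is still registered, i.e. an Office
    # document can still hand a crafted link to MSDT on this host.
    return (Test-Path "Registry::$handlerKey")
}

if (-not (Test-MsdtHandler)) {
    Write-Output 'ms-msdt: protocol handler is not registered; nothing to do.'
    return
}

Write-Output 'ms-msdt: protocol handler is registered; Office can still invoke MSDT.'

if ($Remediate) {
    # Keep a .reg backup so the handler can be restored once the host is patched.
    & reg.exe export $handlerKey $backupFile /y | Out-Null
    if (-not (Test-Path $backupFile)) {
        throw "Backup export failed; handler left in place."
    }
    # Microsoft's workaround: delete the protocol key so ms-msdt: links no longer resolve.
    & reg.exe delete $handlerKey /f | Out-Null
    if (Test-MsdtHandler) {
        throw "Delete failed; run from an elevated session."
    }
    Write-Output "Handler removed. Restore later with: reg import `"$backupFile`""
}
```

Once the June 2022 Office and Windows updates are installed, the handler can be restored from the backup if MSDT is needed for support workflows.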
WinRM Vulnerability (CVE-2021-31166)
The WinRM vulnerability involves the misuse of the Windows Remote Management service and protocol for malicious purposes. Adversaries can abuse WinRM for lateral movement and remote code execution within an organization. They can use valid accounts to remotely execute commands on multiple systems across the network, allowing them to move laterally. Attackers can also use WinRM to remotely execute arbitrary code, modify the registry, and perform various actions on compromised systems.
WinRM OS-Level Fix:
- Disable basic authentication for WinRM and use stronger authentication methods.
- Implement network segmentation to limit system access via WinRM.
- Enforce strong password policies.
- Enable auditing and monitoring of WinRM activities.
- Configure firewall rules to control WinRM connections.
- Regularly update the operating system and WinRM software for security patches.
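The WinRM fixes listed above (disable Basic authentication, restrict which hosts can reach the service, turn on auditing), as an added PowerShell example that is not Veriti's tooling. It uses the built-in WSMan: drive, the standard "Windows Remote Management" firewall rule group and the WinRM operational event log; the 10.0.1.0/24 management subnet is a constructed placeholder.

```powershell
# Added example: report and harden the local WinRM service configuration.
# Run elevated; the WSMan: drive is only available while the WinRM service runs.
$allowedRange = '10.0.1.0-10.0.1.255'   # constructed placeholder: management subnet (WSMan filter syntax)
$allowedCidr  = '10.0.1.0/24'           # same subnet in firewall CIDR syntax

function Get-WinRMPosture {
    # Collect the settings that each of the fixes above depends on.
    [pscustomobject]@{
        BasicAuthEnabled   = [bool]::Parse((Get-Item WSMan:\localhost\Service\Auth\Basic).Value)
        AllowUnencrypted   = [bool]::Parse((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value)
        IPv4Filter         = (Get-Item WSMan:\localhost\Service\IPv4Filter).Value
        HttpsListener      = [bool](Get-ChildItem WSMan:\localhost\Listener |
                                 Where-Object { $_.Keys -contains 'Transport=HTTPS' })
        OperationalLogOn   = (Get-WinEvent -ListLog 'Microsoft-Windows-WinRM/Operational').IsEnabled
        FirewallRemoteAddr = (Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
                                 Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}

function Set-WinRMHardening {
    # Basic auth sends credentials base64-encoded, not encrypted: turn it off and
    # refuse cleartext message bodies so only Kerberos/Negotiate over a protected channel remain.
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    # Service-level source filter: the WinRM listener itself ignores other addresses.
    Set-Item WSMan:\localhost\Service\IPv4Filter -Value $allowedRange
    # Firewall-level filter on the built-in WinRM inbound rules (defense in depth).
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Set-NetFirewallRule -RemoteAddress $allowedCidr
    # Make sure session creation/authentication events are being recorded.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-WinRM/Operational'
    if (-not $log.IsEnabled) { $log.IsEnabled = $true; $log.SaveChanges() }
}

Write-Output 'Before:'; Get-WinRMPosture
Set-WinRMHardening
Write-Output 'After:';  Get-WinRMPosture
```

Review the "Before" output first: if IPv4Filter is `*` and Basic is true, any host on the network can attempt password-based remote sessions against this machine.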
As the examples above show, most common vulnerabilities can be mitigated directly at the OS-Level, without depending on the many other security layers we have in place. This ultimately allows you to leverage your current security tools and get the most out of your investments.
Agentless OS-Level Remediation with Veriti
In the quest to address root causes and fortify cybersecurity, Veriti’s agentless OS-Level Remediation meticulously identifies vulnerabilities deeply embedded within the operating system, covering everything from configuration settings to registry values. This comprehensive approach ensures no stone is left unturned, providing the thoroughness needed to safeguard modern organizations:
Agentless Operating System Remediation – Reduce overhead, improve scalability, enhance resiliency without deployment or maintenance of an agent
Seamless and Non-disruptive Remediation – Avoid the need for extensive downloads, system restarts, or downtime
Coordinated Responses Across Teams – Provide multiple remediation options across different defense layers