Scrapping for Pennies
Implementing CIS Top 20 with no budget
Ryan Wisniewski
Principal Security Consultant
Active Defense, LLC
March 1, 2019
©2018 Active Defense, LLC. All rights reserved
SECURITY IMPLEMENTATION TALKS: AN ACTIVE DEFENSE SERIES
Starting from Scratch: 0Day to HeroDay
Starting from Basic IT Implementations: Scrapping for Pennies
Maturing to a Scalable Operation: Scaling the Mountain
EXECUTIVE PERSPECTIVE
SALES: Advertising, Sales Growth
R&D: New Products, New Efficiencies
FINANCE: New Investments
IT: New Efficiencies
SECURITY: ???
MORE INVESTMENT = PREVENT ATTACKS!
[Chart: Spending on cybersecurity in the United States from 2010 to 2018 (in billion $)]
[Chart: Global number of cyber security incidents from 2009 to 2015 (in millions)]
MORE INVESTMENT = PREVENT ATTACKS!
"Due to investments in infrastructure for growth and spending to bolster security, Facebook CFO Dave Wehner said capital expenditures in 2018 are forecast to double from $7 billion to $14 billion" (NOVEMBER 1, 2017)
"On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts" (SEPTEMBER 28, 2018)
SPEAK THEIR LANGUAGE!
EXECUTIVES UNDERSTAND RISK! WE MITIGATE RISK!
EXAMPLE:
We investigate: 650 incidents/week
We encounter: 950 incidents/week
To keep up with demand, we need to spend $15,000 on a new tool that will allow for 300 incidents/week.
If we choose not to, we will allow 300 incidents per day, increasing our probability for breach by 33%. We estimate an average breach would cost $1.5mil. The increase of 33% risk is equal to $495k/year.
PROBLEM IS…
We investigate: 650 incidents/year
We encounter: 950 incidents/day
To keep up with demand, we need to spend $15,000 on a new tool that will allow for 150 incidents/day.
If we choose not to, we will allow 300 incidents per day, increasing our probability for breach by 33%. We estimate an average breach would cost $1.5mil. The increase of 33% risk is equal to $495k/year.
THIS IS VERY HARD TO GET AT!!!
Implementation of the CIS Top 20
Step 1: Discover
Step 2: Define
Step 3: Enforce
Step 4: Monitor
Functionality: Systems do things for us
Security: Systems protect us
Convenience: Systems make our life easier
It is Security's job to ensure the ball stays balanced, NOT JUST DRIFT THE BALL TOWARDS SECURITY
Step 1: Discover
What are my devices?
What is running on my devices?
[CIS Top 20 control map]
• List all devices on the network
Pingsweep: nmap -sP 10.10.10.0/24 -oA output (in current nmap, -sP is an alias for -sn)
Scan Top 100 ports from list: nmap -F -iL list-of-ips.txt -oA output
Scan Specific Port (i.e. 22): nmap -p 22 -iL list-of-ips.txt -oA output
https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.0.pdf
Pingsweep: masscan 10.0.0.0/8 --ping -oL ips.txt
Scan Specific Port (i.e. 22): masscan 10.0.0.0/8 -p 22 -oX output.xml
https://github.com/robertdavidgraham/masscan
https://www.youtube.com/watch?v=nX9JXI4l3-E
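The sweep above only produces a list; the value for CIS Control 1 comes from reconciling that list with what you think you own. The following Python script is an added example (not from the talk) that reads the XML nmap writes with -oX (or -oA) and reports live hosts missing from a known-asset list, plus known assets that did not answer. The XML and the inventory dictionary are constructed sample data.

```python
"""Turn nmap XML output into an asset inventory and reconcile it against the
devices you already know about (CIS Control 1).

Added example, not from the original talk. It assumes the scan was written
with -oX (or -oA, which also produces .xml); the sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sn 10.10.10.0/24 -oX out.xml` produces.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn 10.10.10.0/24 -oX out.xml">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Cisco"/>
    <hostnames><hostname name="gw.ecorp.local" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.25" addrtype="ipv4"/>
    <hostnames/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.26" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.200" addrtype="ipv4"/>
    <address addr="aa:bb:cc:dd:ee:ff" addrtype="mac"/>
    <hostnames><hostname name="printer-3f.ecorp.local" type="PTR"/></hostnames>
  </host>
</nmaprun>
"""


def parse_nmap_hosts(xml_text):
    """Return one dict per live host: ip, mac, vendor, hostname."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are noise for an inventory
        entry = {"ip": None, "mac": None, "vendor": None, "hostname": None}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr").lower()
                entry["vendor"] = addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            entry["hostname"] = name.get("name")
        if entry["ip"]:
            hosts.append(entry)
    return hosts


def reconcile(scanned, known):
    """Compare live hosts with the known inventory {ip: description}.

    Returns (unknown, missing): hosts that answered but are not in the
    inventory, and inventory entries that did not answer the sweep."""
    seen = {h["ip"]: h for h in scanned}
    unknown = [h for ip, h in seen.items() if ip not in known]
    missing = sorted(ip for ip in known if ip not in seen)
    return unknown, missing


if __name__ == "__main__":
    # Constructed inventory: what the IT team believes is on 10.10.10.0/24.
    known_inventory = {"10.10.10.1": "core gateway",
                       "10.10.10.25": "ws-001",
                       "10.10.10.77": "old file server"}
    live = parse_nmap_hosts(SAMPLE_NMAP_XML)
    unknown, missing = reconcile(live, known_inventory)
    for h in unknown:
        print("UNKNOWN DEVICE:", h["ip"], h["mac"], h["vendor"], h["hostname"])
    for ip in missing:
        print("NOT SEEN:", ip, known_inventory[ip])
```

Run it on a weekly schedule and the two lists become the work queue: unknown devices get identified and added (or removed from the network), and missing ones get confirmed as decommissioned so the inventory stays honest.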
Step 1: Discover
• List all software installed on a client machine
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Format-Table -AutoSize
(Wow6432Node lists 32-bit applications; run the same query against HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* for 64-bit ones.)
Step 2: Define
• Privileged Account Usage Policy
• Hardened Image for Clients and Servers
• Hardened Image for Network Devices
• Network Security Framework
• Data Classification and Access Policy
Privileged Account Usage Policy
• No administration from non-admin accounts
• No administration from non-admin workstations
• No default admin passwords
• No Domain Admins
• Implement LAPS
Privileged Account Usage Policy: no administration from non-admin accounts or non-admin workstations
[Diagram: John.Smith@ecorp.com -> RDP -> JUMP host (as ecorp\John.Smith.Admin) -> Admin Interface -> Database.Server. Firewalls MUST BE TIGHT!]
Privileged Account Usage Policy: no default admin passwords
Scan: nmap -p80 --script http-default-accounts 10.0.0.0/8 (https://nmap.org/nsedoc/scripts/http-default-accounts.html)
Change: long and complex
Vault
Don't forget your printers!
Privileged Account Usage Policy: no Domain Admins
• net group "Domain Admins" /domain
• dsget group "CN=Domain Admins,CN=Users,DC=ecorp,DC=com" -members
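An added example (not from the talk) of turning the first command above into a recurring check: it parses the text that `net group "Domain Admins" /domain` prints and flags any member outside an approved break-glass list. The captured output and the approved list are constructed; the parser assumes the space-padded, up-to-three-column layout `net group` uses, so member names containing spaces would need a different parser.

```python
"""Audit Domain Admins membership against an approved list.

Added example, not from the talk. Input is the text printed by
`net group "Domain Admins" /domain`, captured to a file on a domain-joined
machine and read here; the sample output below is constructed.
"""
import re

# Constructed sample output of `net group "Domain Admins" /domain`.
SAMPLE_NET_GROUP = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            john.smith.admin         svc_backup
jane.doe.admin
The command completed successfully.
"""


def parse_net_group_members(output):
    """Return the member names listed under the dashed separator.

    `net group` prints members in up to three space-padded columns, so
    every whitespace-separated token after the separator is one name."""
    members = []
    in_members = False
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.extend(line.split())
    return members


def audit_domain_admins(output, approved):
    """Return (unexpected, total): members outside `approved`, and the count.

    Under a "No Domain Admins" policy, `approved` holds only the built-in
    Administrator (break-glass) account, so anything else is a finding."""
    members = parse_net_group_members(output)
    approved_lc = {a.lower() for a in approved}
    unexpected = [m for m in members if m.lower() not in approved_lc]
    return unexpected, len(members)


if __name__ == "__main__":
    unexpected, total = audit_domain_admins(SAMPLE_NET_GROUP, {"Administrator"})
    print(f"{total} members, {len(unexpected)} not approved: {unexpected}")
```

Schedule it and diff the result against the previous run; a new name in `unexpected` is the signal to chase, and a count that keeps shrinking is the progress metric for the policy.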
BloodHound - https://github.com/BloodHoundAD
Privileged Account Usage Policy: implement LAPS (Local Admin Password Solution)
https://www.microsoft.com/en-us/download/details.aspx?id=46899
1. Push install .msi to clients through GPO
2. Modify AD schema with .ps script from Microsoft
3. Enable LAPS GPO
4. Remove any custom local admins you have
Hardened Image for Clients and Servers / Hardened Image for Network Devices
Free SCAP Compliance Audit
NIST Checklists - https://nvd.nist.gov/ncp/repository
[Screenshots: a downloaded checklist package contains GPOs, Root, Reports and GPO Reports folders]
OpenSCAP - https://www.open-scap.org/getting-started/
1. Download and install
   Windows: https://www.open-scap.org/tools/scap-workbench/download-win32
   Debian/Ubuntu: apt-get install scap-workbench
   RHEL/CentOS: yum install scap-workbench
   macOS: https://www.open-scap.org/tools/scap-workbench/download-osx
2. Load the STIG SCAP contents
3. Scan!
*Limited to only *nix machines…
Qualys FreeScan SCAP Audit - https://www.qualys.com/forms/freescan/scap/
Network Security Framework
[Diagram: System-Centric View - Servers, Internet, Users]
[Diagram: User-Centric View - Internet, Finance, HR, IT, Sales]
Network Security Framework: RBAC in Network Security
1. Categorize people, systems, applications, websites, etc. by functional role
2. Allow access to those systems, apps, sites to roles
3. Move people into those roles
4. Deny all other access
Role | Department | Internal Access | External Access
Stock Market Analyst | Finance | US-SAP-FI-001:8505, US-APP-STOCK-001:900, … | Fidelity.com/stocks, Robinhood.com
IT SysAdmin | IT | ALL (Challenge this) | Google.com, Reddit.com
Network Security Framework
• Turn on client-side firewalls
• Don't allow peer connections
Data Classification and Access Policy
[Diagram: IT Admin; Financial Records; System Configurations; John's Files]
Data Classification and Access Policy: RBAC in Data
1. Categorize people, systems, applications, websites, etc. by functional role
2. Allow access to those systems, apps, sites to roles
3. Move people into those roles
4. Deny all other access
Role | Department | Data | Location
Stock Market Analyst | Finance | Historic Purchases, Current Bank Accounts | US-STOCKhist001.xls, US-BANKaccttoday.xls
IT SysAdmin | IT | Configuration database, Documentation Archive | US-ITconfigs, US-ITdocs
Step 3: Enforcement
• Implement firewalls on trust boundaries
• Encrypt drives and disable writeable USBs
• Ensure Secure Wireless Deployments
• Ensure Backups
• Ensure your AV
• Implement DNS Filtering
Implement firewalls on trust boundaries
1. Define your boundaries from your RBAC policy
2. Build a pfSense VM
3. Build the pfSense policy based on your RBAC policy
A firewall is simply a technical implementation of your written policy. No more, no less.
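To make "a firewall is a technical implementation of your written policy" concrete, the following Python is an added example (not the talk's code and not pfSense's rule format) that takes the roles from the RBAC table in Step 2, emits one allow rule per permitted destination followed by a deny-all, and evaluates requests first-match, the way a firewall walks its list. The user list is constructed; external sites are reduced to a domain on port 443 because a network firewall cannot see the URL path in Fidelity.com/stocks.

```python
"""Derive a default-deny rule set from a written RBAC policy and evaluate
connection requests against it.

Added example, not from the talk and not pfSense's syntax. Role, the rule
dicts and evaluate() are this example's own simplification; roles come from
the talk's RBAC table, users and requests are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    department: str
    internal: list = field(default_factory=list)  # (host, port); ("ALL", "any") means everything
    external: list = field(default_factory=list)  # domains, reached on 443 (assumption)


# Steps 1 and 2: roles and what each may reach (from the talk's table).
ROLES = {
    "Stock Market Analyst": Role("Stock Market Analyst", "Finance",
                                 internal=[("US-SAP-FI-001", 8505), ("US-APP-STOCK-001", 900)],
                                 external=["Fidelity.com", "Robinhood.com"]),
    "IT SysAdmin": Role("IT SysAdmin", "IT",
                        internal=[("ALL", "any")],  # "Challenge this", as the talk says
                        external=["Google.com", "Reddit.com"]),
}

# Step 3: people moved into roles (constructed users).
USERS = {"john.smith": "Stock Market Analyst", "jane.doe": "IT SysAdmin"}


def build_rules(roles):
    """One allow rule per (role, destination, port), then deny-all (step 4)."""
    rules = []
    for role in roles.values():
        for host, port in role.internal:
            rules.append({"action": "allow", "role": role.name, "dest": host, "port": port})
        for domain in role.external:
            rules.append({"action": "allow", "role": role.name, "dest": domain, "port": 443})
    rules.append({"action": "deny", "role": "*", "dest": "*", "port": "any"})
    return rules


def _matches(rule, role_name, dest, port):
    role_ok = rule["role"] in ("*", role_name)
    dest_ok = rule["dest"] in ("*", "ALL") or rule["dest"].lower() == dest.lower()
    port_ok = rule["port"] == "any" or rule["port"] == port
    return role_ok and dest_ok and port_ok


def evaluate(rules, users, user, dest, port):
    """First-match evaluation. A user with no role matches only the deny-all."""
    role_name = users.get(user, "")
    for rule in rules:
        if _matches(rule, role_name, dest, port):
            return rule["action"]
    return "deny"  # unreachable with the deny-all rule present; kept as a safety net


def render(rules):
    """Human-readable rule list for review before it is entered into pfSense."""
    return [f'{r["action"]:5} role={r["role"]} dest={r["dest"]} port={r["port"]}'
            for r in rules]


if __name__ == "__main__":
    rules = build_rules(ROLES)
    print("\n".join(render(rules)))
    for req in [("john.smith", "US-SAP-FI-001", 8505), ("john.smith", "US-ITconfigs", 445),
                ("john.smith", "reddit.com", 443), ("jane.doe", "US-ITconfigs", 445),
                ("contractor", "Google.com", 443)]:
        print(req, "->", evaluate(rules, USERS, *req))
```

The rendered list is what gets typed into the pfSense interface rules, one line at a time, in the same order; if a request that "should" work is denied, the fix is to change the policy table and regenerate, not to add an ad-hoc rule the written policy does not contain.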
[Diagram: pfSense firewall between the Internet and the Finance, HR, IT and Sales segments]
PFSENSE - https://www.pfsense.org/
1. Download ISO: https://www.pfsense.org/download/
2. Install
   ESX Guide: https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-vmware-vsphere-esxi.html
   Hyper-V Guide: https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-hyper-v.html
   Bare Metal Guide: https://docs.netgate.com/pfsense/en/latest/install/installing-pfsense.html
3. Configure - https://docs.netgate.com/pfsense/en/latest/config/
Encrypt drives and disable writeable USBs
• Encrypt client hard drives
• No writing to external drives
• Encrypt client hard drives
GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption
• No writing to external drives
GPO: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
Implement DNS Filtering
Pi-Hole - https://pi-hole.net/
1. Install with this command
curl -sSL https://install.pi-hole.net | bash
2. Configure blocklists
https://raw.githubusercontent.com/setoptz/sysadmin/master/blocklist.txt
3. Update your DHCP to point users to your DNS server
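An added example (not from the talk or from Pi-hole) of what step 2 configures: a parser for the two list formats Pi-hole reads (hosts-file lines and bare domains) and a lookup that decides whether a query is blocked. The blocklist text and the queries are constructed. Blocking a listed domain's subdomains is this example's choice; confirm how your resolver matches before relying on it.

```python
"""Parse a DNS blocklist and decide whether queries should be answered.

Added example, not from the talk and not Pi-hole's code. It accepts the
hosts-file format ("0.0.0.0 domain") and bare-domain lines that public
blocklists use; the list and the query names below are constructed.
"""

# Constructed blocklist mixing the formats found in public lists.
SAMPLE_BLOCKLIST = """# constructed blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
malware-c2.example.com
Telemetry.Example.NET.
"""

# Constructed query names as the resolver would see them.
SAMPLE_QUERIES = ["www.ecorp.com", "ads.example.net", "cdn.ads.example.net",
                  "example.net", "MALWARE-C2.example.com", "tracker.example.org."]

# Names that appear in hosts files but are not something to block.
HOSTS_FILE_PLACEHOLDERS = {"localhost", "localhost.localdomain", "local",
                           "broadcasthost", "ip6-localhost", "ip6-loopback"}
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def normalise(domain):
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return domain.strip().rstrip(".").lower()


def parse_blocklist(text):
    """Return the set of blocked domains from hosts-style or bare-domain lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        # hosts-file format is "<sink address> <domain>"; otherwise the line is the domain
        domain = parts[1] if len(parts) >= 2 and parts[0] in SINK_ADDRESSES else parts[0]
        domain = normalise(domain)
        if domain and domain not in HOSTS_FILE_PLACEHOLDERS:
            blocked.add(domain)
    return blocked


def is_blocked(domain, blocked):
    """True if the queried name or any parent domain is on the list.

    Walking the parents means a listed "ads.example.net" also catches
    "cdn.ads.example.net", but not the bare "example.net"."""
    labels = normalise(domain).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def filter_queries(queries, blocked):
    """Label each query BLOCK or ALLOW, the decision a filtering resolver makes."""
    return [(q, "BLOCK" if is_blocked(q, blocked) else "ALLOW") for q in queries]


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    for name, verdict in filter_queries(SAMPLE_QUERIES, blocked):
        print(f"{verdict:5} {name}")
```

Running a new blocklist through this before loading it is a cheap sanity check: the parsed set size tells you whether a malformed list silently produced nothing, and the query step shows whether a domain your users need would be caught by a parent-domain entry.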
Ensure Secure Wireless Deployments* / Ensure Backups* / Ensure your AV*
• No WEP, Use WPA2
• Segment Guest Network from Corporate LAN
Step 4: Monitor
OpenVAS - http://www.openvas.org/
Nessus - https://www.tenable.com/products/nessus/nessus-professional
[Diagram: Full PCAP | NIDS/HIDS | Analysis/Presentation]
1. Download ISO
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
2. Install
   Full Deployment Guide: https://securityonion.readthedocs.io/en/latest/ProductionDeployment
   Quick Install: https://securityonion.readthedocs.io/en/latest/QuickISOImage
3. HAVE FUN! Kibana, Sguil, ELSA, Snorby
…and many more
(+60 tools)
https://onlinetraining.securityonionsolutions.com/p/security-onion-101
Step 5: Homework
QUESTIONS?
@RY_WIZ
RYAN@ACTIVEDEFENSE.US
THANK YOU!


Editor's Notes

  • #7 https://venturebeat.com/2017/11/01/zuckerberg-facebooks-security-investments-will-significantly-impact-profitability/
  • #17 Don't make people angry - sheriff attitudes don’t work