10 cybersecurity misconfigurations your SOC team must be wary about

1.Default configurations of software and applications

Networking devices and software applications come with factory-set default credentials. It is important to change such default credentials while installing these devices or applications. When the default usernames and passwords remain unchanged, these devices and applications can open backdoors for threat actors to access your network.

Similarly, some of the default settings in network services also invite potential threats like:

• In Active Directory Certificate Services (AD CS), granting web enrollment permissions enables threat actors to generate fraudulent certificates. In the same way, AD CS templates, when misconfigured, grant low-privileged users enrollment rights to generate unauthorized code signing requests (CSRs).
• The Server Message Block (SMB) service, while running without enforcing SMB signing for authentication, can lead to manipulator-in-the-middle (MITM) attacks like NTLM relay.
• As mentioned in the joint CSA, other legacy protocols and services like Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), when enabled, can facilitate attackers to compromise the entire Windows environment by spoofing, poisoning, and relay attacks.

2.Improper separation of user/administrator privilege

It is important that you segregate your cluster of admin and user accounts and assess the purpose of an account before granting account privileges. Generally, multiple roles are assigned to a single admin account or service account to permit domain control. But such excessive privileges to a single account can create a ruckus in the network when such accounts are compromised.

Highly permissive privileges help attackers move laterally. and access sensitive information when they enter your network. Keeping track of the activities of such privileged accounts can help you prevent compromises. A SIEM solution with user and entity behavior analytics (UEBA ) can help you monitor privileged user activities as well as manage the overwhelming workload on your SOC team effectively.

3.Insufficient internal network monitoring

Effective network monitoring is achievable only through proper network configuration. Most organizations end up configuring only their hosts, enabling host-based logging for host-based monitoring. This allows you to detect the compromised hosts in the network but not the source of compromise. For this, you should securely configure all devices and applications including routers, switches, IoT devices and endpoint security solutions like firewalls and anti-malware solutions that monitor inbound and outbound connections.

Once configured, you can easily enable real-time logging of these devices through which you can effectively monitor the security posture of your network in real time. A SIEM solution with predefined network audit reports, alert generation, and log forensic capabilities enables your SOC to not only attain sufficient internal network visibility but also probe into the root cause of any compromise.

4.Lack of network segmentation

A one-size-fits-all approach doesn't fit an extensive network. Privileges and permissions are not the same throughout a network, and so large networks are divided into smaller sub networks. By dividing your larger network into smaller manageable units, you can easily set up security boundaries within the network and configure unique security controls to each sub network. Network segmentation is crucial because without these segments, the network exists as single entity through which attackers can move laterally and execute attacks on, like supply chain attacks and ransomware attacks.

5.Poor patch management

Outdated software and firmware are hotspots for attackers to gain access to your networks. Adding to this, software and firmware are transient in nature and may turn incompatible with your environment over time. Such incompatibilities are like needles in a haystack that can prick you hard if identified first by attackers.

For instance, Log4Shell, a vulnerability in Apache's Log4j logging library was subject to zero-day exploitation in 2021. The zero-day. vulnerability enabled remote code executions by attackers leading to crypto mining, ransomware attacks, and DDoS attacks on the victim systems. So it is important that your SOC stays proactive in identifying missing patches in your environment and updating your systems to upgrade your network security.

6.Bypass of system access controls

Storing user credentials enables adversaries to overthrow actual system access controls. Because attackers are now capable of breaking through your authentication systems without actual passwords or security codes. Attacks like brute-force and password spray attacks are carried out using stolen credentials and provide initial access to adversaries to carry out other sophisticated cyberattacks.

Identity attacks like pass the hash explain the consequences of storing passwords even in the form of hashes. In a pass-the-hash attack, attackers steal the password hashes of users to pose as legitimate users and move laterally across the network. It is mandatory to enable strong password protection policies and multi-factor authentication (MFA) in your network to prevent cybercriminals from compromising your network.

7.Weak or misconfigured multifactor authentication (MFA) methods

The conventional password login process is now being replaced by MFA methods like smart cards and smart tokens. As we switch to new methods of authentication, we tend to forget about adhering to previous password policies. But the hashes for passwords no longer in use still exist and can still be compromised by threat actors to enter your network.

Enabling MFA alone does not safeguard your network. It is crucial that you configure the various MFA methods correctly to stay protected against attacks like phishing, push bombing, and SIM swapping.

• Phishing is the most common method of social engineering used by adversaries to gain MFA information.
• In push bombing, the attacker tries to log in to a user's account using stolen credentials, which in turn prompts the user to authenticate via MFA. By attempting to log in continuously, attackers bombard the user with multiple MFA requests and at some point, the user might be tricked to approving one.
• In a SIM swapping attack, the hacker posing as a legitimate service provider might lure the user with fake assurances and compromise their phone numbers to access their MFA codes to access their account.

8.Insufficient access control lists (ACLs) on network shares and services

A network access control list encompasses all permissions associated with a network resource. When you do not configure the ACLs properly for shared network resources, unauthorized personnel might gain access to sensitive data shares, repositories, and administrative data on shared drives.

Threat actors can access your sensitive data shares by using commands, open source tools, or custom malware. These data shares might contain personally identifiable information (PII); service account and web application credentials; service tickets; and other information relating to your network like network topology, vulnerability scan reports, and threat modelling data. All this information can be exfiltrated to execute a ransomware attack, DDoS attack, or social engineering attack. It is vital that you closely inspect all permissions associated with your network resources.

9.Poor credential hygiene

Poor credential hygiene refers to the use of poor passwords that can be easily cracked, improperly configured MFA, and unprotected storage of clear-text passwords. A credential compromise takes place when a clear-text password or a password hash is stolen by adversaries. It is vital to implement eminent password policies that comply with the National Institute of Standards and Technologies (NIST ) guidelines by properly configuring MFA, like phishing-resistant MFA, to secure the entry points to your network.

10.Unrestricted code execution

It is important to keep track of all executable files in your network. Attackers are never tired of luring users to click on phishing emails to auto-execute malicious scripts and codes in the background. According to the joint advisory from the CISA and NSA, adversaries execute unverified codes in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) to exploit a network after initial access. You can prevent such code executions by enabling system settings that prevent downloads from unverified sources and also restrict program executions by analyzing digital signatures, certificates and key attributes.