Via NSA and CISA Red and Blue team assessments, and through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following ten most common network misconfigurations:
1. Default configurations of software and applications.
Those default configurations include:
• Default credentials (for example, built-in administrative accounts of COTS network device vendors),
• Default service permissions and configuration settings (such as ADCS servers running with web enrollment enabled, or where low-privileged users have enrollment rights).
If the Customer's infrastructure has no systems with default passwords, such systems can easily be emulated by creating network decoys with well-known passwords or login-password pairs, following a cyber deception approach.
2. Improper separation of user/administrator privilege (for example, users with multiple roles assigned).
3. Lack of internal network monitoring (host-based monitoring not combined with network monitoring): a cyber deception system is often the only tool that can detect the activity of attackers who have already breached the perimeter. At the same time, such systems do not generate a large number of false positives.
4. Lack of network segmentation: check whether products are compatible with segmented network environments. In flat networks, attackers often attempt MitM attacks. Emulated user activity, such as web browsing or access to internal network folders generated by the ClientOS-point decoy type, quickly attracts the attacker's attention. Labyrinth detects an attempt to interfere with the decoy's network communication and issues an Alert to the system operators.
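The following is an added example, not Labyrinth code, of how interference with a decoy's traffic can be recognised. It assumes that MitM on a flat segment is attempted via ARP spoofing (one common form) and that the decoy records the ARP replies it sees as (timestamp, IP, MAC) tuples; the sample traffic and the gateway address are constructed for illustration.

```python
"""Detect ARP-based interference with a decoy's traffic (a MitM indicator).

Added example, not Labyrinth code. Assumption: the decoy records the ARP
replies seen on its segment as (timestamp, ip, mac) tuples; a real
deployment would feed these from a packet capture. The sample traffic
below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int          # seconds since capture start
    ip: str          # IP address the reply claims to own
    mac: str         # hardware address claimed for that IP


# Constructed sample: a benign stream, then a new MAC claiming the gateway
# and the file server.
SAMPLE_REPLIES = [
    ArpReply(0, "10.0.5.1", "00:11:22:33:44:01"),    # gateway, legitimate
    ArpReply(5, "10.0.5.20", "00:11:22:33:44:20"),   # file server, legitimate
    ArpReply(30, "10.0.5.1", "00:11:22:33:44:01"),   # gateway again, unchanged
    ArpReply(61, "10.0.5.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    ArpReply(62, "10.0.5.20", "de:ad:be:ef:00:99"),  # same MAC also claims the file server
]


def detect_arp_interference(replies, pinned=None):
    """Return alerts for IP->MAC changes and for one MAC claiming several IPs.

    `pinned` optionally maps critical IPs (e.g. the gateway) to their expected
    MACs; any deviation from a pinned entry is reported even on first sight.
    Unpinned IPs are compared against the MAC first learned for them.
    """
    pinned = dict(pinned or {})
    learned = {}   # ip -> mac first observed
    claims = {}    # mac -> set of IPs it has claimed
    alerts = []
    for r in replies:
        expected = pinned.get(r.ip, learned.get(r.ip))
        if expected is not None and expected != r.mac:
            alerts.append((r.ts, "ip-mac-change", r.ip, f"{expected} -> {r.mac}"))
        learned.setdefault(r.ip, r.mac)
        claims.setdefault(r.mac, set()).add(r.ip)
        if len(claims[r.mac]) > 1:
            alerts.append((r.ts, "one-mac-many-ips", r.mac, sorted(claims[r.mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_interference(
        SAMPLE_REPLIES, pinned={"10.0.5.1": "00:11:22:33:44:01"}
    ):
        print(alert)
```

The benign prefix of the sample produces no alerts; the last two replies produce an IP-to-MAC change for the pinned gateway, another for the learned file server, and a "one MAC claims many IPs" alert, which is the pattern a decoy is well placed to notice because nothing legitimate should be rewriting its neighbours.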
5. Poor patch management:
• Lack of regular patching, such as skipping the most recent patches. On systems that, for some reason, cannot be patched, you can distribute file decoys so that if attackers land on these hosts, the client's SOC specialists can misdirect them (redirect their attention to network decoys),
• Use of unsupported operating systems (OSs) and outdated firmware, for which new and existing vulnerabilities are no longer patched.
6. Bypass of system access controls, such as authenticating with password hashes by non-standard means like pass-the-hash (PtH) or Kerberoasting. Pass-the-hash attacks can also be easily detected by Labyrinth: it is enough to create a single network decoy of a certain type in the desired network segment.
7. Weak or misconfigured multifactor authentication (MFA) methods: smart cards or tokens where password hashes rarely change.
8. Insufficient access control lists (ACLs) on network shares and services.
9. Poor credential hygiene: easily crackable passwords and cleartext password disclosure. Additionally, an attacker can be lured to network traps by setting weak passwords on them or by distributing file baits on real hosts that look like config backups, INI or YAML files, etc. File lures can either contain credentials in plaintext, or an attacker can infer them from the contents of the files.
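The alerting logic behind items 6 and 9 above, as an added example that is not Labyrinth's code: decoy hosts and planted credentials have no legitimate users, so any authentication that touches them is an alert, and a network logon over NTLM on a decoy is additionally flagged as consistent with pass-the-hash. The event fields mirror Windows 4624/4625 logon events; the decoy inventory and the sample events are constructed for illustration.

```python
"""Alert on any use of decoy credentials or decoy hosts in authentication logs.

Added example, not Labyrinth code. Assumes logon events are already parsed
into dicts with Windows 4624/4625-style fields (account, logon_type,
auth_package, target_host, source_ip, success). The decoy inventory and the
sample events are constructed for illustration.
"""

# Constructed decoy inventory: accounts planted in lure files (config backups,
# INI/YAML files) and hosts that exist only as network decoys.
DECOY_ACCOUNTS = {"svc_backup_old", "ansible-deploy"}
DECOY_HOSTS = {"FS-ARCHIVE02", "SQL-LEGACY"}

# Constructed sample events: one benign logon, then three from one source
# that is using lure credentials and probing decoy hosts.
SAMPLE_EVENTS = [
    {"ts": "09:01:10", "account": "jsmith", "logon_type": 2, "auth_package": "Kerberos",
     "target_host": "WS-0041", "source_ip": "10.0.5.41", "success": True},
    {"ts": "09:14:55", "account": "svc_backup_old", "logon_type": 3, "auth_package": "NTLM",
     "target_host": "FS-ARCHIVE02", "source_ip": "10.0.5.77", "success": True},
    {"ts": "09:15:02", "account": "jsmith", "logon_type": 3, "auth_package": "NTLM",
     "target_host": "SQL-LEGACY", "source_ip": "10.0.5.77", "success": False},
    {"ts": "09:20:30", "account": "ansible-deploy", "logon_type": 2, "auth_package": "Kerberos",
     "target_host": "WS-0041", "source_ip": "10.0.5.77", "success": False},
]


def classify(event):
    """Return the list of reasons this event should raise an alert (empty if none)."""
    reasons = []
    if event["account"] in DECOY_ACCOUNTS:
        reasons.append("decoy-credential-used")
    if event["target_host"] in DECOY_HOSTS:
        reasons.append("decoy-host-access")
    # A network logon (type 3) over NTLM needs only the NT hash, so on a decoy
    # it is consistent with pass-the-hash rather than a password typed at a console.
    if reasons and event["logon_type"] == 3 and event["auth_package"] == "NTLM":
        reasons.append("ntlm-network-logon")
    return reasons


def alert_on_decoy_use(events):
    """Collect alerts; decoys have no legitimate users, so failed attempts count too."""
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            alerts.append({"ts": e["ts"], "source_ip": e["source_ip"],
                           "account": e["account"], "target_host": e["target_host"],
                           "reasons": reasons})
    return alerts


def suspicious_sources(alerts):
    """Group alerts by source so the SOC sees one pivoting host, not three events."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["source_ip"], []).append(a)
    return by_src


if __name__ == "__main__":
    found = alert_on_decoy_use(SAMPLE_EVENTS)
    for src, items in suspicious_sources(found).items():
        print(src, [(a["ts"], a["reasons"]) for a in items])
```

Because the rules key on the decoy inventory rather than on attacker behaviour, the benign logon at 09:01 produces nothing and every event from 10.0.5.77 is reported, which is what keeps the false-positive rate of this kind of detection low.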
10. Unrestricted code execution: enable the system settings that prevent applications downloaded from untrusted sources from running.
CISA and NSA also advise continuously testing security programs at scale in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.