Implementing and validating MITRE D3FEND Countermeasures using Wazuh EDR. Part I: HARDEN — PLATFORM HARDENING

D3FEND TACTIC: Harden.

Definition

Technique: Platform Hardening

Hardening components of a Platform with the intention of making them more difficult to exploit.

  • Hardware security devices such as Trusted Platform Modules
  • Boot process logic or code
  • Kernel software components
  • Wazuh Security Configuration Assessment using CIS Benchmarks (more info here).
  • Wazuh Agent and Sysinternals Autoruns (more info here).
  • Wazuh Rootcheck and Anomaly detection (more info here).
  • Wazuh File Integrity Monitoring (more info here).
  • Wazuh System and Software Vulnerability Detection (more info here).
  • Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name.
  • It may not be difficult for an attacker to start an organization which can obtain a signed certificate.
  • A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if they are lax or have ulterior motives.
  • Secure transfer of private keys between multiple devices.
Files owned by root with open permissions to anyone.
NTFS alternate data stream detected.
Wazuh’s FIM for continuous file permissions monitoring.
Pending restarts after system upgrade
Installed software, vendor and release.
Installed patches and Hotfixes.
System and Software Vulnerabilities.
Vulnerable packages status.
CIS BENCHMARKS — WINDOWS SERVER 2019
AUDIT RESULT — LEVEL 1 + LEVEL 2 CONTROLS
  • The current version of TPM is 2.0; most existing implementations use TPM 1.2.


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
