Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Контрмера Update Software
Риски
Каталоги
MITRE ATT&CK
Контрмеры
Update Software
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Update Software

Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures: Regular Operating System Updates - Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows. - Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution. Application Patching - Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance. - Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches. Firmware Updates - Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption. - Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic. Emergency Patch Deployment - Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours. - Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities. Centralized Patch Management - Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated. - Use Case: Streamlines patching processes and ensures no critical systems are missed. *Tools for Implementation* Patch Management Tools: - WSUS: Manage and deploy Microsoft updates across the organization. - ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps. - Ansible: Automate updates across multiple platforms, including Linux and Windows. Vulnerability Scanning Tools: - OpenVAS: Open-source vulnerability scanning to identify missing patches.
ID: M1051
Version: 1.1
Created: 11 Jun 2019
Last Modified: 24 Dec 2024

Techniques Addressed by Mitigation
Domain ID Name Use
Enterprise T1552 Unsecured Credentials

Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025)

T1552.006 Group Policy Preferences

Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025)

Enterprise T1189 Drive-by Compromise

Ensuring that all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.(Citation: Browser-updates)

Enterprise T1602 Data from Configuration Repository

Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)

T1602.001 SNMP (MIB Dump)

Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)

T1602.002 Network Device Configuration Dump

Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)

Enterprise T1137 Office Application Startup

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)

T1137.003 Outlook Forms

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)

T1137.004 Outlook Home Page

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)

T1137.005 Outlook Rules

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)

Enterprise T1068 Exploitation for Privilege Escalation

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1495 Firmware Corruption

Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

Enterprise T1555 Credentials from Password Stores

Perform regular software updates to mitigate exploitation risk.

T1555.003 Credentials from Web Browsers

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

T1555.005 Password Managers

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

Enterprise T1611 Escape to Host

Ensure that hosts are kept up-to-date with security patches.

Enterprise T1072 Software Deployment Tools

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

Enterprise T1542 Pre-OS Boot

Patch the BIOS and EFI as necessary.

T1542.001 System Firmware

Patch the BIOS and EFI as necessary.

T1542.002 Component Firmware

Perform regular firmware updates to mitigate risks of exploitation and/or abuse.

Enterprise T1212 Exploitation for Credential Access

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1548 Abuse Elevation Control Mechanism

Perform regular software updates to mitigate exploitation risk.

T1548.002 Bypass User Account Control

Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.(Citation: Github UACMe)

Enterprise T1211 Exploitation for Defense Evasion

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1574 Hijack Execution Flow

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

T1574.001 DLL

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

Enterprise T1195 Supply Chain Compromise

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.

T1195.001 Compromise Software Dependencies and Development Tools

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.

T1195.002 Compromise Software Supply Chain

A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation.

Enterprise T1539 Steal Web Session Cookie

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

Enterprise T1176 Software Extensions

Ensure operating systems and software are using the most current version.

T1176.001 Browser Extensions

Ensure operating systems and browsers are using the most current version.

T1176.002 IDE Extensions

Ensure operating systems and IDEs are using the most current version.

Enterprise T1203 Exploitation for Client Execution

Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks.

Enterprise T1190 Exploit Public-Facing Application

Update software regularly by employing patch management for externally exposed applications.

Enterprise T1210 Exploitation of Remote Services

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1546 Event Triggered Execution

Perform regular software updates to mitigate exploitation risk.

T1546.010 AppInit DLLs

Upgrade to Windows 8 or later and enable secure boot.

T1546.011 Application Shimming

Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.

Enterprise T1550 T1550.002 Use Alternate Authentication Material: Pass the Hash

Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.(Citation: NSA Spotting)

Enterprise T1110 T1110.001 Brute Force: Password Guessing

Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords.

References

  1. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
  2. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
  3. Dusty Miller. (2023, October 17). Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates . Retrieved February 13, 2024.
  4. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  5. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  6. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  7. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  8. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
  9. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
  10. National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.
  11. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
  12. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
  13. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
  14. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
  15. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
  16. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
  17. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
  18. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.