Organizations utilize cybersecurity risk assessments to identify and prioritize risks in an effort to reduce the likelihood and impact of potential cyber-attacks and data breaches, but cybersecurity frameworks often gloss over and don’t dive in deeper into the more technical or in–depth aspects of security controls. To provide entities with guidance from a more technical perspective, the National Security Agency (NSA) identified technical security controls that should be considered to mitigate and/or reduce the likelihood of threats to a network. This new guidance has been identified as the Adversary Obstruction Defense (AOD) Methodology. NSA’s AOD has been developed to assist in the effective survivability and defensibility of previously exploitable networks.
How Are AOD Requirements Different?
Security frameworks, such as NIST 800–53 and ISO 27001, outline aspects of a security program that should be addressed, which include the consideration of controls from an administrative, technical, and physical perspective through documented policies, standards, and procedures. However, the AOD methodology focuses on the technical components of implementing such controls, and in particular, hardening an organization’s network and increasing adversary friction during the Access, Persistence, and Control phases of an intrusion. A few of AOD’s primary goals are:
- Reduce an organization’s attack surface to reduce the number of potential attack vectors into a network.
- Harden devices to reduce the possibility of successful compromise.
- Align defensive resources to improve detection of and response to adversary activity.
- Implement Credential Protections to degrade an adversary’s ability to access and maneuver within a network.
- Segregate networks and functions to contain damage when an intrusion occurs.
AOD’s Targeted Mitigation Techniques
Organizations interested in better defending their network environment through the AOD Methodology should consider designing and implementing controls around the 11 mitigation techniques and their individual capabilities:
1. Protect Credentials:
- Least Privilege – Ensure user accounts are restricted to the minimum necessary privileges required to perform job function.
- Restricting Local Account Use – As password hashes are stored on machines, organizations should limit local account use, specifically those with administrative privileges, to restrict the amount of credentials an attacker can gather.
- Limiting Lateral Movement – Prevent an attacker from moving laterally through an environment via controls such as host–based firewalls and Group Policy settings.
- Admin Access Segregation – Restrict administrative account usage and shared privilege accounts.
- Admin Access Protection – Encrypt transmissions of all management connections where credentials are passed and disable the use of unencrypted protocols in the environment.
- Restrict Email and Internet Access from Administrative Accounts – Separate administrative accounts/functions and restrict users from performing daily tasks using accounts with excess privileges.
- Utilize Strong Authentication – Enforce multi–factor authentication (MFA), especially for privileged accounts and remote access, and maintain strong password policies.
- Log and Monitor Privileged Admin Account Usage – Generate alerts on account misuse, potential compromise, or unauthorized accounts.
- Log and Monitor Use of Administrative Tools – Certain administrative actions or sets of activities used in conjunction can lead to intrusion discovery.
2. Segregate Networks and Functions:
- Network Documentation – Ensure network information is documented and periodically reviewed, which should include but is not limited to information specific to network devices, ports/protocols, security enclaves and zones, and associated data centers.
- DMZ Isolation – Ensure the DMZ is physically and logically segregated from other network components.
- Network Function Segregation– Network switching should follow a tiered structure.
- Limit Workstation-to-Workstation Communications – Prevent attackers from moving laterally through an environment with recycled credentials.
- Perimeter Filtering – Ensure perimeter security devices are appropriately implemented and configured (e.g. firewalls, content filters, IDS/IPS).
- Restrict or Prevent Remote Admin Access – Restrict and monitor remote access to administrative accounts and functions.
3. Implement Host Intrusion Prevention System (HIPS) Rules:
- HIPS Solutions – Monitor hosts for anomalous activity.
4. Centralized Event Logging:
- Aggregate Data to a Central Repository – Protect logs from tampering and allow incident detection and response teams to perform detailed analytics on potential events.
5. Patch Management:
- Maintain Up-To-Date Software – Ensure known vulnerabilities are patched quickly and appropriately.
6. Application Whitelisting:
- Default-Deny Executables – Configure devices to only execute pre–approved applications/programs.
7. Anti–Exploitation Tools:
- Defense–In–Depth Hardening – Consider deploying security software that provides functions beyond normal antivirus tools, like exploitation prevention.
8. Public Services Utilization:
- Manage Public Services – Given the rise of cloud storage and social networking sites, these have become larger attack vectors, and as such, traffic logs should be aggregated in a centralized environment, and users should understand organizational policies surrounding service usage.
9. Baseline Management:
- Maintain a Uniform Image – Ensure standard images are pre-configured with security settings and standardized, approved applications.
- Data at Rest and Data in Transit – Modern and secure encryption methods should be implemented where necessary.
11. Anti–Virus File Reputation Services:
- Threat Intelligence – Leverage solutions that offer cyber threat intelligence to ensure both existing and emerging risks are identified, understood, and addressed.
Benefits of Implementing AOD
If your organization has implemented a set of security controls designed to insulate your networks against attacks, the AOD framework can provide a great baseline for validation of the effectiveness of your efforts. With limited resources to deploy on security protections, it is integral that organizations ensure they are getting the maximum results from the resources that have been deployed. AOD assessments assist companies in understanding the current state of their security and can identify potential gaps that could allow an adversary to enter an environment.
Regardless of your progress in your cybersecurity program activities, understanding where your organization stands within the Adversary Obstruction Defense methodology can give you a guideline for strengthening your current security controls and a finite way to communicate and relay cost-effective improvement activities among stakeholders.
LBMC can help organizations prepare for an AOD assessment, guide control development and implementation, and verify conformity with AOD standards. LBMC will assess controls surrounding credential protection, network segregation, host intrusion prevention configurations, centralized logging, patch management, application whitelisting, anti-exploitation tools, baseline configurations, encryption standards, and threat intelligence tooling, and assist organizations in any potential areas of improvement.
Learn more about our team at LBMC Information Security and decide whether an AOD assessment is appropriate for your organization.