Small to medium-sized companies seek the same level of protection for their networks, systems, and user data as large enterprises. The first part of the process is known as baselining.
Whether you are a CISO or other security professional, baselining tells you all you need to know about existing systems. It also helps guide the next steps in determining a security plan or changes to the existing one that will lead to maturing your business’s security.
Typically, when you enter into a managed security services relationship, they will run a series of assessments on all endpoints to develop a baseline or starting point. The assessments reveal vulnerabilities, problems, malware, and any possible infections that are already present. They will also uncover permissions issues and risky behavior of end users. From there, a plan is developed on what needs improvement or elimination.
Here we’re taking a look at the baselining process and common issues commonly found during the process.
Beginning Steps in the Baselining Process
During this stage, do a deep dive or what they call baselining into the infrastructure. It includes searching, examining, analyzing, and finally, reporting on what is discovered.
Baselining is the method used to assess network performance or behavior and compare it to a baseline of historical data. It is a critical method of detecting and analyzing anomalies and suspicious behavior.
During this process, complete a search for critical activity and patterns of activity that point towards the presence of possible vulnerabilities and other cybersecurity risks.
- They create Mitre threat maps by industry
- Other more specialized Mitre maps
- Run standard threat hunts that root out malicious activity based on living off the land techniques
These methods combine to help determine where there are gaps, and security issues that need attention. Then they will explain the queries, searches, and threat hunts that they used, the results and discoveries, and recommend actions that align with Mitre techniques.
Abnormal or Misconfigured DNS Traffic
During the process, look at any Domain Network System (DNS) traffic that appears abnormal or misconfigured. This DNS traffic can be indicative of a few problems in a network or expose it to possible attacks.
Additionally, most anomalies in the DNS are typically treated as suspicious until fully assessed. It’s essential to take them very seriously and trace whether it’s a case of malware or threat actor activity causing misconfigured traffic. They will also determine what the abnormal traffic is related to and offer corrective steps.
Potentially Unwanted Programs (PUPs)
There are many occasions where you may find apps that can pose a risk to a business’s infrastructure. These include spyware, dialers, and adware that get included in some programs that users download. While these mainly interfere with system performance, some of them are malicious and have security risks.
Some of these include:
- Unwanted Remote Desktop (RDP) Tools
- Telnet (used for PuTTY-ing)
- Scheduled Tasks (run on startup)
These programs appear during spans that cover an array of different searches. Each one has cybersecurity risks.
Depreciated Protocols
There are many protocols that businesses should no longer be using. Not only because they are depreciated; but since they don’t include the security needed, they are full of potential risks.
For example, since Telnet is an outdated protocol often found during baselining in business networks. However, it should no longer be in use because it has no security mechanisms and sends data in plain text form over network/internet connections. The data transfers will contain sensitive information such as passwords.
Since the data is in an insecure state, it’s vulnerable to anyone wanting to sniff the packets and steal the private information.
These risky protocols are often seen to be in use:
- FTP
- TFPT
- Rlogin
- Rexec
- RSH
- POP3
- IMAP
- Telnet
It is critical that businesses keep track of these risky protocols that may be in use to prevent threat actors from achieving their goals.
Unapproved Workflows
Often users have too much access, or admin rights and can do risky activities that I.T. admins should restrict. There are many events where users who shouldn’t have admin privileges and are running unapproved workflows.
Controlling who has access and to what it is another critical item regarding network and infrastructure security.
Network traffic, specifically DNS traffic, must run through internal servers, but its often seen that it’s not. Unauthorized workflows during the analysis of business networks are also found.
45 Days of Baselining
When deciding to baseline your environment, there are many discoveries. From programs to DNS issues and users with rights they shouldn’t have, you will find many risks you weren’t expecting. Developing a plan and following professional recommendations is pivotal to securing your most important assets and maturing your environment.