Installation of Dark Web-Capable Browsers

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file.

Network Access Control (NAC) manages and regulates devices accessing a organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.
 

NAC performs the following functions:

• Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
• Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
• Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
• Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
• Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.

NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.

A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.

This log contains the timestamp, the action conducted, and the package name and version.

To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*

To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*

Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.

NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.

Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.

This detection is not enabled by default and requires additional configuration.

System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system.

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.