Best Mitre D3FEND advice to harden Windows networks

Often it just takes a defensive mindset to come up with effective options to protect and defend against today’s threats. The Mitre organization has recently released its D3FEND matrix that documents ways to harden the network, detect and isolate threats, and deceive and evict attackers from your network. I’m focusing on D3FEND guidance Windows admins can follow to harden their networks.

Application hardening

Mitre D3FEND recommends these processes to harden applications:

• Dead code elimination
• Exception handler pointer validation
• Process segment execution prevention
• Segment address offset randomization
• Stack frame canary verification
• Pointer authentication

While you might have influence on software choices, you might not have the ability to influence the actual software coding. As a CSO for a larger organization, you can discuss these concepts with your software vendors and query them about their security processes. You can hire consultants to review your internal code projects to ensure that your applications are designed with security in mind.

Credential hardening

Credential hardening starts with certificate pinning, which includes both end-to-end certificate pinning and certificate and public key pinning. According to Mitre, this “allows for a trusted copy of a certificate or public key to be associated with a server and thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications.”

The next credential hardening advice is multi-factor authentication (MFA). MFA deployment can take the form of tokens, key fobs, cell phone apps, or phone calls to a designated phone number. It usually requires you to identify the common authentication platform that most of your key high-risk applications are supporting. Typically, this means an application like the Microsoft Authenticator, Google Authenticator, or a third-party platform such as Duo.com. Key fobs such as Yubikey can provide an additional level of authentication.

If you use cell phones and applications to be the authenticator, you may need to either deploy business phones to your staff or provide reimbursement to your staff for the use of their personal phones as an authentication device.  Often the IT department must test MFA with multiple phone platforms and ensure that instructions to the end users are clear and the help desk is set up to handle incoming questions and issues as MFA is rolled out.

One-time password deployments are another alternative, but this needs to be balanced with the risk of SIM swapping, insecure delivery of the password, and other compromises. I often see one-time passwords used in indirect transfers of files or information between two parties rather than a permanent deployment in an office environment.

A strong password policy, as well as communication regarding what that constitutes a strong password, is key to keeping a network safe. Provide education regarding password handling (proper choice of password saving programs) as well as how passwords should not be shared or given over the phone in a potential vishing attack. It’s not enough to use group policies to set up a strong password policy; you need to provide education as well.

Message hardening

Message hardening can be a hard-to-implement defensive technique. Unless you are in an industry that demands encryption, email messages are sent in the clear. Encryption is often added with third-party encryption messaging systems. Just like with passwords, this is a category of hardening that needs user education along with actual implementation.

Transfer agent authentication can be easy or difficult to do. If your only email process relies on third-party mailing platforms such as Gmail or Office 365, the vendor provides the necessary DMARC, DKIM and SPF settings. If you use additional email platforms as part of your domain mailing processes such as third-party bulk emailers and other platforms, you may need to have multiple settings in your SPF and DNS records to identify the email platforms you will use. Often you have to review email headers to ensure that the settings are what you intended.

Platform hardening

Platform hardening is where we spend a lot of time and resources on network security. Starting with disk encryption, this ensures that if an asset is stolen an attacker can’t read the data on the hard drive. Driver load integrity checking ensures that the device has integrity from the boot process. If devices need RF shielding, ensure that such systems have appropriate protections.

TPM boot integrity a category that Microsoft is pushing forth the Windows 11 platform. As they note: “During the boot process, the BIOS boot block (which with this defense enabled, is the Core Root of Trust for Measurement) measures boot components (firmware, ROM). The TPM hashes those measurements and stores the hashes in Platform Configuration Registers (PCRs). Upon a subsequent boot, these hashes are provided to a verifier which compares the stored measurements to the new boot measurements. Integrity of the boot components is assured if they match.” Combined with Bootloader authentication, this ensures that a system won’t be tampered with before the boot process begins.

Finally, we need to have a plan in place to manage frequent software changes. Replacing old software on a computer system component is a key way to keep a system secure. Patching ensures that attackers can’t use persistence or privilege escalations to take over our systems.

I’ve just scratched the surface of the ideas and concepts that you need to know to properly protect and defend your network. Review the D3FEND techniques and recommendations. How many are you already doing now? How many do you need to work on?