Analyzing Outbound and Inbound Traffic, and Network Segmentation Can Help Protect Your Network, Even After It Has Been Compromised.
In my previous column I took a long look at modern malware with a focus on how to prevent malware from getting into your network in the first place. In case you missed it, you can read it here.
While we all probably agree that prevention is the best medicine, it’s also foolhardy to believe that prevention alone will be enough to protect us. Whether coming from a non-network source such as a USB drive or simply from a clever attacker who finds a weakness, we have to assume that eventually our networks will be compromised if they haven’t already.
Assuming that we aren’t compromised just plays into the attackers’ hands. What we need is to extend the security we have to bring protection to the soft parts of our network that attackers are targeting. Malware and targeted attacks rely on the assumption that if they can get inside the perimeter, they can build a foothold and dig deeper with less worry of detection. But just because someone is able to break into a bank doesn’t mean that we should just let them walk out with the money. So in that spirit, let’s pick up where we left off and take a look at some of the practical tools and techniques that we can use to identify and stop live malware infections in our networks.
Looking Inward
Traditional enterprise networks have often been described as “hard, crunchy shells with soft, gooey centers”. This refers to the tendency for the external perimeter to be heavily fortified against outside threats, while internal users, traffic and assets tend to be trusted. Attackers have used malware to crack this model and shift the security battle to the inside of the network, where security measures are sparse.
While this has been a recognized problem for quite some time, we are finally beginning to see new proposed security architectures that address it. Analysts such as Forrester’s John Kindervag have begun to push the notion of the “Zero-Trust Network”, where all traffic, including internal traffic, is passed through a “segmentation gateway” for analysis. And although many of us may not be able to adopt such a consistently segmented model overnight, there are practical steps that most any enterprise can take today.
The first step is to expand our best threat and application analysis to include outbound traffic as well as inbound traffic. The ongoing command and control traffic is the life-blood of modern malware, and the infection is only the first step in an intrusion that will likely cross our perimeter many times. Given that the malware traffic is flowing in both directions, our defenses should certainly be looking in both directions as well.
Another option is to begin segmenting assets that attackers commonly target for escalation, such as domain controllers, email servers or any asset where user identity is managed. These are common targets once an attacker is inside the network because they can allow the attacker to escalate from a low-profile user identity, with relatively few network rights, to a far more powerful role such as a network admin. Unlike our earlier example, the goal here is not to deny access (people need their email), but rather to establish highly granular logging and reporting to identify an intruder that may be skulking around. For example, ping sweeps, an unusual spike in failed login attempts, or newly created admin accounts should all be cause for alarm.
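As an added illustration (not code from the column), here is what the granular logging just described can feed: a small detector for the three signals named above, run over a constructed sample log. The key=value line format, host names, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp key=value ..." format (not from any real product).
SAMPLE_LOG = """\
2024-01-10T09:00:01 host=dc01 event=login_failed user=jsmith src=10.0.5.22
2024-01-10T09:00:03 host=dc01 event=login_failed user=jsmith src=10.0.5.22
2024-01-10T09:00:04 host=dc01 event=login_failed user=admin src=10.0.5.22
2024-01-10T09:00:05 host=dc01 event=login_failed user=admin src=10.0.5.22
2024-01-10T09:00:06 host=dc01 event=login_failed user=admin src=10.0.5.22
2024-01-10T09:00:15 host=dc01 event=admin_account_created user=svc_backup by=jsmith
2024-01-10T09:05:00 host=dc01 event=login_failed user=bob src=10.0.7.3
""" + "\n".join(f"2024-01-10T09:01:{i:02d} host=fw01 event=icmp_echo src=10.0.5.22 dst=10.0.1.{i}"
                for i in range(1, 11))  # one workstation pinging ten internal hosts

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyze(log_text, fail_threshold=5, sweep_threshold=8, window=timedelta(seconds=60)):
    """Return (indicator, subject) pairs for the three telltale signs named in the column."""
    recs = [parse(line) for line in log_text.strip().splitlines()]
    alerts = []
    # 1. Failed-login spike: sliding time window per source address.
    fails = defaultdict(list)
    for r in recs:
        if r["event"] == "login_failed":
            fails[r["src"]].append(r["ts"])
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                alerts.append(("failed_login_spike", src))
                break
    # 2. Ping sweep: one source sending echo requests to many distinct hosts.
    probes = defaultdict(set)
    for r in recs:
        if r["event"] == "icmp_echo":
            probes[r["src"]].add(r["dst"])
    alerts += [("ping_sweep", s) for s, d in probes.items() if len(d) >= sweep_threshold]
    # 3. Any new admin account is worth a look on its own; no threshold needed.
    alerts += [("admin_account_created", r["user"]) for r in recs if r["event"] == "admin_account_created"]
    return alerts
```

The thresholds are deliberately conservative placeholders; in practice they are tuned per segment, which is exactly why segmenting identity assets first makes the alerting tractable.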
The end goal is to make our networks less flat, with better internal controls, so that we can get rid of that soft, gooey center.
In my next piece, I will cover what to look for, now that we are looking in the right places, and how we can often detect telltale signs of malware infections.
Related Reading: Getting Your Hands Dirty in the Fight on Modern Malware, Part 1
Related Reading: An Introduction to Modern Malware
Related Reading: Using Network Segmentation to Protect the Modern Enterprise Network