The recent UCLA breach is a prime example. They suspected something as early as October, the FBI identified the breach in May. Quite some time, but a reflection of how good the malware is at remaining undetected. I do not doubt UCLA had firewalls, antivirus and followed best-practice, you have to assume they did.
Many commentators are quick to criticise the IT team, the lack of security investment or they blame human-error. There is no denying the fact that human error and poorly developed software are common causes, but not always.
Advanced Persistent Threats
Nowadays, there is a new class of threat, the Advanced Persistent Threat (APT).
APTs are forcing many enterprises and organisations to rethink their security strategy and revisit their approach to identifying and safeguarding against threats.
I am not going to explain what an APT is, definitions vary by vendor – but in short, it is a new type of advanced threat that can go unnoticed, bypassing existing security controls and often moving throughout an organisation’s internal systems. Some describe it as custom malware. Vendors are quick to develop APT-beating solutions, analysts have a new market segment to discuss and businesses have something new to worry about!
The purpose of this brief article is to outline some of the technologies available to helpsafeguard your business against APTs.
(I am assuming your systems are already patched, hardened and you have a robust perimeter security policy – that is common sense.)
1) Control lateral movement with an Internal Segmentation Firewall
In the network world, your LAN to Internet traffic iscan be described as North-to-South. The traffic flow between your users and servers is referred to as East-to-West. Traffic that moves East-to-West is also known as Lateral movement.
Once you are infected by modern malware or an APT, it (or they!) will attempt to move laterally throughout your IT and network environment. Using network enumeration, privilege elevation and further exploitation, they will try and compromise other systems or hone-in on higher value targets. This can be automated or controlled externally by an individual with malicious intent. The end-game could be ransom ware or data theft.
A common approach to prevent this lateral movement is to break up your network into zones or segments.
Think of your network as a big circle. Your network is on the inside, and the perimeter of the circle is your firewall. Outside of that firewall is the internet. Once someone is inside, they are free to move around your business. It is very similar to castle walls.
Segmentation takes a different approach. Instead of a single circle or “wall”, your network still has that perimeter wall, but it is also made up of several internal zones. Think of a honey-cone structure within the circle, each department is a zone.
Traffic passing between these zones is subject to a network security policy, traffic flows are limited and scanned for malicious content or anomalous behaviour. A breach in one zone can (hopefully) be contained to that zone.
Most firewall vendors such as Fortinet, Palo Alto and Cisco have sold solutions like this for some time. It is only recently that the terms such as internal segmentation firewall and internal network firewall have grown in popularity. SANS has a paper about internal firewalls dating back to 2001, so it’s certainly not new!
In the absence of a firewall, most modern switching platforms also support some form of IP access list or network policies that can be applied to zones (typically L3 VLANs or SVIs). These can be used to inhibit or control lateral movements. They don’t solve the problem but they can make things harder. That is the name of the game.
The network segmentation approach is relatively inexpensive, and unfortunately for high-end environments, it may not scale.
For your typical enterprise or large organisation; 1GE, 10GE and 40GE solutions are available. If you are trying to secure 100Gbps of traffic between blade chassis or Hadoop clusters, then things can and will get out of hand.
Ultimately the cost will depend on your topology (e.g. the number of zones) and the volume of traffic.
Virtualisation presents another challenge. East-to-West traffic can physically move around your network (between devices). With VMWare and the likes, this lateral movement takes place within the virtual environment. Fortunately, many vendors (including VMWare) have virtual product equivalents and to some extent, these are easier (and cheaper) to implement than dedicated appliances. If you run VMWare/Citrix, you cannot overlook the virtual network.
2) Identify threats with DNS Intelligence and behavioral analysis
Every time one of your internal systems or servers wishes to access the internet, the DNS protocol will be used somewhere to resolve the domain name of the website or mail server they are trying to reach. When malware (or a hacker) tries to phone home, they too may use DNS to connect to their command and control (C2) servers.
A growing number of DNS and security providers are offering a new kind of DNS service. Essentially you re-point your DNS traffic towards one of these providers and they screen it.
DNS and its functionality continues as before. The key difference is they check each one of your DNS queries in an attempt to identify anomalous behaviour or attributes that may indicate ill intent. Using their intelligence networks, machine-learning and the power of the crowd – they can make split-second judgements on the behaviour of your DNS traffic, this could be based on known-knowns, inference or patterns.
This is an easy service to implement and rarely requires any kit or significant change in your infrastructure.This service is more of a diagnosis tool rather than a fix. It can tell you something is going on, but it won’t necessarily prevent it. It is a starting point though!
DNS solutions are often priced upon the number of users or on the volume of DNS queries originating from your network. This is often a simple inroad for an organisation, even if the solution is used as a barometer to gauge if something is going on.
It is worth mentioning that many firewalls support IP reputation analysis which performs a similar function. If your network assets are connecting to dodgy networks (and IP addresses), it alerts you and blocks said traffic.
3) Advanced Endpoint Threat Detection
Traditional antivirus has its limitations. It uses a database of known vulnerabilities and viruses. It attempts to identify known threats through signatures or basic behavioural observations, often using heuristics. Traditional AV has a place but in many respects it is being overtaken by more advanced solutions.
The concept of databases is like having a register of all the bank robbers in the world. Naturally, you wouldn’t want these in your bank, but at what point does a bank robber become a bank robber… After they’ve robbed a bank. Before they do, they are a civilian like any other. In a similar way, a virus is only a virus once someone says it is. Until then…
The latest generation of solutions that build upon the limitations of AV are known as Endpoint Threat Detection systems or Endpoint Behavioural Analysis platforms.
The intelligence in these solutions is typically a central appliance, software solution or it is located in the Cloud (keeping the vendors intellectual property safely tucked away).
The agent’s job is to observe behaviour, kernel system calls, privileged processes, network-traffic and file access – all the while communicating its findings to a centralbrain. The brain has insight into your whole IT environment so using its advanced intelligence, machine learning, pattern matching or crowd-intelligence – it can make a judgement call.
Many of these agents work in harmony with additional devices or controls, providing containment alongside detection. In the event an attack or if a potential incident is detected, the solution can trigger events that can force other solutions to take action, whether that be containment or alerting individuals.
To make this work effectively, you need an agent on each and every endpoint (workstation or server). This can be costly, but effective.
4) Sandboxing (Payload Analysis)
Sandboxing is a technology that effectively mimics your live environment. In an enterprise, traditionally if someone e-mails you an attachment, your mail filter would scan it for spam and viruses, perhaps the file-type (e.g. PDF) and if ok – pass it through.
Much like traditional AV, these solutions are unable to spot advanced threats.
Sandboxing takes a different approach. When someone e-mails you a file, the sandbox will open the attachment in a secure contained environment and observe its behaviour. Does it act maliciously? What does it do? What files does it access? It then makes a judgement call. This is also known as payload analysis. Rather than looking at the label on the packet, it opens the packet, pokes it, eats it, tests it and sees what happens.
The challenge with sandboxing is that malware is intelligent. Modern malware attempts to detect the presence of a sandbox, trying to evade detection.
Sandboxing solutions are clever too. They are aware of these evasion techniques so they employ their own anti-evasion techniques.
Crafted malware is intelligent too, it understands the evasion-detection techniques the sandboxes use so it tries to avoid the anti-evasion-detection techniques with more magic. You get the picture. It really is a constant battle.
Sandbox solutions are rated on the number of files or messages they can process per hour. There is typically a capex purchase with ongoing support and maintenance. Some sandboxing vendors are cloud solutions, so represent an ongoing opex.
With Cloud, you need to be careful from a regulatory compliance perspective (HIPAA, Data Protection, PCI-DSS), after all, you may be uploading your files to the sandbox provider who could be located in a country that falls foul of your obligations.
That was a quick run through some of the technologies available to help safeguard your organisation against APTs. It is by no means exhaustive list but serves as starting point in any discussion around network security.
Cyber-security is an increasingly board-level topic of discussion, and conversations about security should now happen at every level. If you are in IT, educate your board. If you are on the board, ask IT.
Now is a good time to consider the security controls your organisation employs to safeguard against these emerging threats.
If your IT budget is a challenge or if the business has other priorities, you may find your existing systems (albeit with some tweaks) are already capable of providing an additional level of security without a massive capex or the sudden onslaught of a security subscription.
— Technologist Joe Hughes is a CEO of Manx Technology Group, a company that provides a range of IT, network and security services to organisations of every size. A key area of interest to Joe is cyber-security, FinTech, healthcare technology and the growing use of data throughout every aspect of business.