Know your network
At any given time, can you see and understand the devices, applications, users, operating systems and vulnerabilities on your network? What about malware? Where is it hiding? How long has it been there? What information is it accessing?
Threats are able to circumvent and breach existing security because today’s cyber attackers often know more about a network and its protection technologies than you, the network’s owner, and use this information superiority to infiltrate and compromise networks, accessing proprietary data and risking cyber security.
Network defenders need visibility into their network in order to protect it. Once they can see their entire network, then they can control it -- before, during and after an attack, swinging the information superiority advantage away from the attackers.
Security professionals also need to consider the approach attackers take to successfully infiltrate what are supposed to be secure networks -- the attack chain, a simplified version of the cyber kill chain. The attack chain describes the events that lead up to and through the phases of an attack and is comprised of the following:
Survey: Attackers deploy surveillance malware to get a full picture of your environment, regardless of where it exists -- network, endpoint, mobile or virtual -- and the available attack vectors and deployed security technologies.
Write: Based on this intelligence, attackers then create targeted, context-aware malware such as malware that behaves differently if it detects it is in a sandbox.
Test: They then validate that the malware works as intended by recreating your environment and ensuring the malware successfully evades the security tools you have in place. This process often includes QA or bench testing.
Execute: Attackers then navigate through your extended network, environmentally aware, evading deception and moving laterally until reaching their target.
Accomplish the mission: Be it to gather data or destroy, the attacker is positioned to maximize the success of the mission.
As evidenced by the attack chain, attackers have full visibility into your IT environment. In order to effectively protect your extended network of endpoints, virtual environments and mobile devices, you need a baseline of visibility into every asset, application, operating system, user, protocol, service, network behavior, potential threat and vulnerability.
A leading US bank was frequently a target of cyber attacks and had existing defenses in place that generated extensive logging details of the attacks. Unfortunately, the security team often spent a large chunk of time analyzing these logs and still found holes where they were lacking information. They needed better visibility into what was occurring on their network, and they needed it faster. Upon deploying a solution that allowed detailed visibility into the bank’s network, they were able to reduce the costs and time associated with responding to attacks from days to hours. Most notably, when a variant of the Zeus Trojan infiltrated their network, they were immediately aware of the attack and able to identify and contain all affected endpoints in a matter of hours.
Cyber attacks are no longer a question of if but now a reality of when. Network owners need to accept the harsh reality that attackers often more about a network than those trying to defend it and take a visibility-driven approach to security, knowing their entire network, to turn the tables on the attackers.
Martin Roesch is Vice President and Chief Architect for Cisco’s Security Business Group. He founded Sourcefire in 2001 where he was Chief Technology Officer (CTO) and a member of its Board of Directors. For more than a decade, Roesch has dedicated himself to developing intelligent network security tools and technologies to address evolving threats, applying his knowledge of network security to network threat analytics and network forensics for numerous government and multinational customers. A respected authority on intrusion prevention and detection technology and forensics, he is the author and lead developer of the Snort Intrusion Prevention and Detection System (www.snort.org) that forms the foundation for the Sourcefire Next-Generation IPS.