The number of breaches that have occurred in the past 12 months (Target, U of MD, etc.) serves as a warning that traditional defense mechanisms are not working. I ask audiences of security professionals that I address at conferences and other venues if they would let me ping machines inside their net from my site. The answer, as you would expect, is “no.”

When I ask why not, the usual answer is they don’t want me to map their network. However, when I ask them if they would allow their users to ping me, an overwhelming majority answer “yes.” This tells me that their primary focus is to prevent inbound attacks but not to really monitor anything leaving their nets.

I’ve said in the past that firewalls are NOT effective “protection” devices. They are excellent “detection” devices. Firewalls always have to let data pass through them. Wireless networks at a site negate the effectiveness of a “border” firewall since the network border effectively becomes the device itself.

Host-based firewalls become a critical component of a network security architecture. Historically, sites have implemented their security strategy from the border inward rather than from the host outward. Monitoring outbound traffic allows a site to use network security monitoring (aka continuous monitoring) techniques as an effective security strategy.

When hackers attack a site, they have 3 goals:
1) compromise the machine and its data
2) maintain control of this machine in order to attack other internal systems
3) have the ability to destroy the system to cover their tracks if discovered.

If a hacker compromises an internal system, the score is hacker: 1, Security Team: 0. If the security team interrupts the communications/control channel established in step 2 above, then the score is hacker: 1, Security Team: 1 and tie goes to the defender.

Yes, the attack was successful but it was contained and hopefully no sensitive data left your network.

We play into the hacker attack strategy of data exfiltration by focusing on inbound protection rather than outbound monitoring.

This is a problem. Data exfiltration is a major goal of any attack these days. The primary vector for hacker goal #1 is the “web drive-by” attack, where an internal user visits a legitimate www site that has an infected ad. The ad loads an “info-stealing” class of malware onto the client machine. This malware class searches the target system for sensitive data such as SSNs, CCNs, and bank or debit account information. Antivirus software finds on average only 40% of malware, so it’s not very effective. Web application firewalls/IPS find slightly higher numbers, but the plain simple fact is that something is going to get through your perimeter. The defenders’ best chance for containing the attack lies in interrupting hacker goal #2.

Here’s some of the strategy behind our madness.

0. Prevention eventually fails but Detection/Containment is forever :-). Anyone who disagrees with this statement need only read about the recent data breaches. If you want a historical view, look at http://www.privacyrights.org/data-breach and look carefully at the causes of the data breaches listed at this site.

1. The general security strategy should be “protect (encrypt) sensitive data.” Protecting devices is obviously important, but in our BYOD world, if the “D” is compromised but the sensitive data is protected, then it’s a tie ball game and tie goes to the defender.

2. If a system is compromised, we ask if there was any sensitive data on the device.

a. No – use logs (syslog, eventlog, netflow, sensor) to determine where the attacker was. Notify the offending site that they have a problem. Reinstall/reimage the compromised host. Go to step 1.

b. Yes – now the fun begins. Run PII search tools like IdentityFinder, Find_SSN, Spider, SENF to find out how many records were potentially exposed. If the data files were encrypted, declare victory, go to step 2a. If PII was in the clear, determine how many unique records were in the file. Prepare your data breach notification letters and credit monitoring for affected individuals.

3. At this point, you need reasonable proof that the sensitive data file(s) were exfiltrated from the net. This is where network forensics prove their worth. Use network forensics to determine:

a) when the earliest record of an intrusion occurred, and any communications with suspect external hosts.

b) if other internal hosts were accessed from this compromised host.

c) the probability of a sensitive data breach occurring, using netflow data. If we believe a data breach.

d) Inform the affected department that they will have to pay for a year’s worth of credit monitoring.

So, this is where NSM/CSM comes into play. In order to make the decision mentioned in #3, you need data. That data comes from various sensors each fulfilling a role in NSM. The biggest advantage defenders have is the ability to monitor their network traffic. A system whose logs have been wiped can still be monitored by examining network traffic.
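As an added example (not code from the original post), the following Python script runs the triage of steps 3a–3c over a handful of constructed netflow-style records for one compromised host; the internal address block, the victim address and the exfiltration byte threshold are all assumptions.

```python
"""Added example (not from the original post): netflow triage around one
compromised host, mirroring steps 3a-3c: earliest external contact,
internal hosts reached, and outbound volume large enough to be a data file."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the site's internal address space (hypothetical block).
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample flows: timestamp, src, dst, dst_port, bytes_out.
# 10.1.5.23 is the (hypothetical) compromised host.
FLOWS = """\
2014-03-01T08:02:11 10.1.5.23 10.1.0.9 443 1200
2014-03-01T09:14:02 10.1.5.23 203.0.113.7 443 900
2014-03-01T09:44:05 10.1.5.23 203.0.113.7 443 880
2014-03-01T10:14:07 10.1.5.23 203.0.113.7 443 910
2014-03-01T10:20:31 10.1.5.23 10.1.7.40 445 4200
2014-03-01T11:03:55 10.1.5.23 10.1.7.41 445 3900
2014-03-01T13:40:12 10.1.5.23 203.0.113.7 443 58000000
2014-03-01T13:41:00 10.1.0.9 198.51.100.20 80 2300
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((ts, src, dst, int(port), int(nbytes)))
    return rows

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def triage(flows, victim, exfil_threshold=10_000_000):
    """Summarise what one compromised host talked to (steps 3a-3c)."""
    external = defaultdict(lambda: {"first_seen": None, "flows": 0, "bytes": 0})
    lateral = set()
    for ts, src, dst, port, nbytes in sorted(flows):   # ISO timestamps sort
        if src != victim:
            continue
        if is_internal(dst):
            lateral.add(dst)                          # 3b: internal hosts reached
        else:
            e = external[dst]
            e["first_seen"] = e["first_seen"] or ts   # 3a: earliest contact
            e["flows"] += 1
            e["bytes"] += nbytes
    # 3c: outbound volume large enough to have carried a sensitive data file
    suspect = [d for d, e in external.items() if e["bytes"] >= exfil_threshold]
    return {"external": dict(external), "lateral": sorted(lateral), "suspect": suspect}
```

The repeated small flows to 203.0.113.7 every half hour are the control channel of hacker goal #2; the single 58 MB flow to the same host is what the notification decision in step 3 hinges on.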

It’s time to change our defensive posture from inbound-centric to outbound-centric.

Network Security Monitoring and Network Forensics techniques are the difference between a small, internal breach and a major disaster.

Some good reference books on this topic are:

“Extrusion Detection: Security Monitoring for Internal Intrusions” by Richard Bejtlich
“Network Forensics” by Sherri Davidoff and Jonathan Ham
“Applied Network Security Monitoring” by Chris Sanders and Jason Smith

Information on Identity Finder is at www.identityfinder.com. Information on Find_SSN, Spider, and SENF can be found at http://security.vt.edu/resources_and_information/find_ssns.html.

We’ll talk more about Cyber Defense strategies in later articles.
