Evolution not Revolution
Network perimeter security is often a key focus area for most organisations. The idea of securing the perimeter is well understood and practiced throughout all organisations and even homes. Even the most basic network appliances such as home routers come equipped with basic firewall capabilities.
Many organisations now realise that securing the perimeter is the first of many steps required to protect assets and sensitive data from attacks, and look to implement multiple layers of security across the enterprise, an approach often described as “Defence in Depth”.
There are a whole host of technologies out there which can be introduced to add more layers of security, however, there are fundamental flaws in the way we think about and design our security architectures.
Industry and Media
Breaches and network intrusions used to be the type of news you would only read about in technology blogs and security focussed websites. Over the last five years, however, privacy and security have moved beyond this limited audience and are now covered by the mainstream media. Breaches no longer go unnoticed, and organisations losing customer data, sensitive documents or embarrassing emails can face real damage in the face of public opinion.
Industries such as retail and financial services are widely considered to be the biggest targets of cyber-attacks. Trustwave’s global security report cited the retail industry as the single largest target, with over 40% of all breaches being attributed to retailers. Financial services also face significant risks, and in recent months Nettitude has observed a significant rise in incidents we have responded to for clients operating within this vertical.
‘Defence in Depth’ to ‘Response in Depth’
When we look at the facts, we know organisations are still being breached; multiple layers of technology and controls do not prevent an attack being successful, and the fallout of public opinion is significantly worse than it used to be.
Security consultants, engineers, teams and analysts need to rethink the basic principles of network security and begin by re-evaluating what a modern network perimeter really is.
Crossing the line
When we think of a perimeter, we think of a border, or a line which is secured and cannot be crossed. In physical terms, it could be a wall or a fence, any sort of line which separates a private zone from a public one. In technology, we think of a firewall being that wall or fence which separates a private network from a public one. In the image below, the corporate network is protected by a firewall which theoretically defends against attacks. This wall might have multiple layers such as intrusion detection and URL filtering in place which all contribute towards this multi-layered approach.
The flaw with the above design is that our controls allow access to services such as web browsing and email. Firewalls permit this type of traffic and malware scanning of email and web traffic is trivial to bypass. This means that there are several methods such as phishing emails or drive-by domains an attacker can use to deliver malware to a machine within your network and evade detection.
To think back to physical security: if we were to build a tall wall around a building to protect it, but put a few doors in the wall, protected by a sleeping guard whom an attacker could easily sneak past, would we consider that building to be secure?
The idea of perimeter security is outdated and does not truly represent the attack surface your organisation presents to an attacker. While clients within your networks have the ability to interact with untrusted zones such as the internet, you are at risk of compromise and should adapt your defences to account for this exposure.
The New DMZ
Since workstations can be so easily reached and compromised by attackers, they should be considered untrusted. Many organisations already implement network segmentation and strict access controls, but is this enough to detect an attack, or just hinder one?
While it’s great to hinder or disrupt an attacker, the goal for all organisations should be to detect attackers, and adequately respond to them.
A mature and robust security posture can be achieved once monitoring is extended beyond the perimeter to include endpoints, where users and information are most at risk. This can be achieved in many ways. Many organisations collect and monitor anti-virus logs from the endpoint, but there is a wealth of further information available for collection, which can be analysed and used to alert Incident Responders to potential compromises.
We recommend organisations enrich their monitoring of the endpoints to include:
- Command Line Monitoring
- Process Monitoring
- Registry Monitoring
- File Integrity Monitoring
With rich data being collected from across the estate and feeding into an intelligent alarm engine such as LogRhythm, organisations can be alerted to suspicious activity which has bypassed perimeter and anti-virus defences. Using this additional level of monitoring, it is possible to detect activity such as the opening of a malicious document. An example of this is demonstrated below.
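The following is an added illustration, not Nettitude's or LogRhythm's own rule: it combines process and command line monitoring to flag an Office application launching a script or command interpreter, and recovers the document path from the parent's command line so a responder knows which file was opened. The event field names, hosts, users and paths are constructed assumptions modelled on typical endpoint process-creation telemetry.

```python
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Quoted path ending in a common Office document extension.
DOC_RE = re.compile(r'"([^"]+\.(?:docx?|docm|xlsx?|xlsm|pptx?|pptm|rtf))"', re.I)

# Constructed sample events; field names are assumptions, not a vendor schema.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
FIELDS = ("host", "user", "parent_image", "parent_cmdline", "image", "cmdline")
ROWS = [
    ("WS-014", "j.smith", rf"{OFFICE}\WINWORD.EXE",
     rf'"{OFFICE}\WINWORD.EXE" /n "C:\Users\j.smith\Downloads\Invoice_0412.docm"',
     r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami"),
    # Benign: user opens a document from Explorer.
    ("WS-014", "j.smith", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
     rf"{OFFICE}\WINWORD.EXE",
     rf'"{OFFICE}\WINWORD.EXE" /n "C:\Users\j.smith\Documents\notes.docx"'),
    # Benign: administrator starts PowerShell interactively.
    ("WS-020", "it.admin", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # Benign: Excel starts the print helper, which is not an interpreter.
    ("WS-031", "a.jones", rf"{OFFICE}\EXCEL.EXE", rf'"{OFFICE}\EXCEL.EXE"',
     r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 8192"),
    # Suspicious, but the parent command line carries no document path.
    ("WS-031", "a.jones", rf"{OFFICE}\EXCEL.EXE", rf'"{OFFICE}\EXCEL.EXE"',
     r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\a.jones\AppData\Local\Temp\a.vbs"'),
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def detect(events):
    """Return one alert per Office -> interpreter process creation."""
    alerts = []
    for ev in events:
        # ntpath parses Windows paths correctly on any collector OS.
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent in OFFICE_PARENTS and child in INTERPRETERS:
            doc = DOC_RE.search(ev["parent_cmdline"])
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "chain": f"{parent} -> {child}",
                           "document": doc.group(1) if doc else None,
                           "cmdline": ev["cmdline"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Matching on the parent and child pair rather than on the interpreter alone keeps the administrator's interactive PowerShell session and Excel's print helper out of the alert queue.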
Nettitude specialises in sophisticated penetration testing, incident response, consultancy and managed security services. Our teams share a common understanding of exactly how attackers gain access to organisations, and Nettitude offers comprehensive managed security solutions which are designed to detect intrusions rapidly, providing information assurance to you and your organisation.