With the re-awakening of ransomware attacks that plagued many networks last year, cybersecurity is arguably at the top of every network administrator’s priority list. With that being said, here are 7 ways to respond to network threats.
1. Network Segmentation
In specific circumstances, network segmentation, which is a process by which we separate parts of our network into different subnets, can be a necessary response to a network threat. Suppose you’ve discovered a workstation that is communicating to a C2 server somewhere out on the Internet. Knowing this is a telltale sign of a malware infection, you decide to segment this workstation onto a quarantine network that you configured beforehand. The workstation can be physically re-located to a safer subnet by switching cables or it can be logically relocated to a virtual subnet by re-assigning it to an isolated VLAN where lateral movement of the malicious code can be prevented.
Once the workstation is on the isolated network, an Incident Response (IR) team can analyze the behavior of the malicious code to gain an understanding of how it works, where it resides on the machine, and if it’s likely compromised other hosts on the network.
Regardless of whether or not you’re using network segmentation to respond to a threat, segmenting your network is very beneficial from an administrative standpoint. By separating our network into specific subnets, we can more easily manage the systems on our network, improve security by preventing spillover of sensitive data, and decrease network congestion.
2. Honeypots & Honeynets
A “honeypot” is usually just an attractive server designed to lure a cyber criminal into attacking the server. These servers are usually placed in a DMZ and installed with false-sensitive information. For example, it’s common to put fake username-password combinations on the server, which is meant to entice the attacker. Honeypots can be placed on the production network as bait. That way, when an attacker gains access to the production network, he will hopefully attack the honeypot instead. On the other hand, the honeypot can be purely devoted to researching the Tactics, Techniques, and Procedures, or “TTPs,” of cyber criminals and hackers whereby we can learn the steps they take and tools they use for exploitation.
Because a honeypot is decoy system, it can be assumed that any activity occurring on a honeypot is malicious. A “honeynet” works just like a honeypot; however, it’s not one dedicated baiting system. Honeynets are small networks with multiple systems and software designed to lure a cyber criminal to attack. When an attacker becomes preoccupied with a honeypot or honeynet, the real network is left alone. Some Network Intrusion Prevention Systems (NIPS) can even re-locate a real-time attacker onto a honeynet, which spares any production systems that might’ve been attacked. When attackers discover they’re on a honeypot, their best option is to destroy the honeypot in someway, such as a permanent DDoS attack or some remarkable code execution. Since the honeypot gathers information on the attacker, this information could identify them and be used as evidence in court.
3. Access Control Lists
An “Access Control List,” or “ACL,” is a table or matrix of objects and privileges. Objects can consist of things like files, folders, network resources, and so on. Privileges encompass a user’s rights and permissions. A right is an action. An example of a “right” would be a user’s right to access a file server. A “permission” would be what can be done to an object, such as read-only, write, read-write, modify, delete, etc. An ACL can be file system-based or network-based.
File-system ACLs control access to files on a system. Some systems used “Discretionary Access Control Lists (DACLs),” where every object has an owner who can assign rights and permissions. For example, if User Bob creates a file called abc.txt, he can create separate Access Control Entries (ACEs) for other users that set rights and permissions to access the file and also what they can do to the file. The Windows NTFS uses this DAC model. The most common ACL can be found in the Role-Based Access Control (Role-BAC) model. In this model, administrators assign roles in an organization (e.g., finance, R&D, Sales, Marketing, Software Designers) specific roles. When an accountant is hired for the company, an Administrator places the accountant in the finance department role where he or she inherits all the rights and permissions for that particular group.
Network-based ACLs are the rule-based ACLs you’d see in network devices, such as firewalls, switches, routers, and IDS/IPS systems. These rule-based ACLs define what traffic is permissible on the network. For example, a firewall may allow inbound http traffic to a web server, but block other forms of traffic. Switches may allow access to the network based on a device’s IP address or MAC address. Some rule-based systems can even trigger in response to an event and modify the ACLs. For instance, a NIPS that detects a DoS attack originating from one source IP address can modify or create a rule that blocks all incoming traffic from that source.
4. Endpoint Security
Seeing as our endpoints contain a lot of common vulnerabilities, it makes sense to build a good defense in this layer as well. Workstations and other endpoints are routinely facing risks of malware from sources like e-mail attachments, web links, unauthorized downloads, lack of updating, and system misconfigurations.
To prevent malware from propagating on our endpoints, we can use an anti-malware solution to detect and block malicious code. Anti-malware software usually comes in one of two flavors: signature-based and behavior-based. “Signature-based” anti-malware compares hashes of files to known-malicious files (or signatures). If a match is observed, the anti-malware quarantines the file and alerts the user or administrator. “Behavior-based” anti-malware uses a type of dynamic analysis to observe the behavior on the endpoint, which it then compares to known bad-behaviors. The obvious advantage of behavior-based anti-malware is that you can detect unknown malware that doesn’t have a current signature as well as polymorphic and armored viruses. Of course, learning which behaviors are normal will result in a lot of false positives at first, which might not be feasible on larger networks with hundreds of endpoints. Malware that is discovered by anti-malware software can be analyzed or reverse engineered.
Web Security Gateways and proxy servers can also protect our endpoints. These devices can act as content filters whereby they can restrict access to something malicious, such as a blacklisted URL or an e-mail that contains a suspicious attachment. Attacks can then be analyzed in order to warn other users on the network.
We can also use a “sandbox” to respond to a network threat. A sandbox is a virtual machine that runs a restricted-guest operating system, completely separated from the host operating system. Sandboxes, like Cuckoo, have been historically used for dynamic malware analysis. In dynamic analysis, the malware is placed in a sandbox and its behavior is observed. Unfortunately, malware authors are becoming increasingly more creative because different forms of malware have been observed to detect when its in a sandbox. If that’s the case, the malware either does nothing or “self-destructs.”
5. Group Policies
Large Microsoft environments typically deploy a directory service on their network, such as Microsoft’s “Active Directory (AD).” AD uses specially configured servers called “Domain Controllers (DCs)” to provide authentication, authorization, and access to directory objects, like printers, files, and other resources. AD has a feature called “Group Policy,” which allows network administrators to configure “Group Policy Objects (GPOs).” The GPOs are where groups of individual users and settings reside. With Group Policy, a network administrator doesn’t have to manually configure the settings for every user in a domain. Instead, he can centrally manage this process from the Group Policy Management Console. For example, the network administrator only has to set the password policy for a domain once because this policy applies to EVERY user in that domain or GPO.
Let’s say you discover a P2P application you no longer want on your network. Instead of going to every workstation and tediously blacklisting the application, you could black list the application in a GPO for a group of users.
A “host” is any system connected to your network. “Hardening” a host means we are making it more secure from its default configuration. Many of our systems come installed with unnecessary services or unsecured default configurations and accounts. Besides the Access Control methods mentioned earlier, here are some other ways we can perform host hardening.
Disable unnecessary services. By disabling unnecessary services, we reduce the attack vector. If you remove the Telnet protocol (TCP port 23) on your server, for example, you eliminate the possibility of an attacker exploiting that protocol. The bottom line is that if your system needs a service, then keep it; if it doesn’t need it, then disable it.
Another way to harden our hosts is by disabling unnecessary applications. Software frequently has bugs and other vulnerabilities, which could be exploited. Other applications, like P2P or BitTorrent, are definitely applications you don’t want on your network since they are inherently harmful.
You should also disable or modify unnecessary default accounts. Older Windows systems used to come with the default account enabled and, because some users and administrators didn’t disable this account, it allowed access to attackers. All accounts that come with a default password must be changed as well. There are online repositories of default username-password combinations that attackers frequently use as a resource for obtaining unauthorized access. If you discover user accounts that have elevated privileges, it could be the result of an assignment mistake by an administrator or evidence of a privilege escalation attack. When accounts like these are discovered, they should be reviewed or disabled for investigation.
When vulnerabilities are discovered, vendors take the time to create and test patches before distribution. Sometimes, you’ll be alerted to critical vulnerabilities by your vulnerability feed, to which you’ll likely need to apply an out-of-band patch that strays from your original patching schedule. When a vulnerability is discovered, we can patch them in response, which makes a feel more at ease.
7. Network Access Control
“Network Access Control,” or “NAC,” controls what has access to the network. Aside from the aforementioned Rule-BAC network devices, there are dedicated NAC technologies that allow us to restrict devices access to our networks.
Many networks deploy IEEE 802.1X, which is also called “Port-based Network Access Control (PNAC).” On 802.1X networks, supplicants must authenticate before accessing the network. The real drawback of 802.1X is that it’s binary (1 or 0; yes or no); meaning supplicants are either granted access or they are not granted access to the network. There are no options in between.
On the other hand, other NAC technologies offer a more robust set of options. Cisco’s NAC and posture assessment, for example, not only allow administrators the ability to grant or deny access to the network, but also allows them to block, quarantine, and remediate the endpoint. As a quick example, if a malware-infected client attempts to connect to the corporate network, a pre-installed agent must first scan the client to see if it meets the specific prerequisities before granting it access to the network. It would scan for anti-malware software, if the anti-malware is up-to-date, level of QoS, the type and version of the operating system, and so forth. If the result of the scan isn’t satisfactory, the agent reports this to the Access Control Server (ACS), which then comes to a decision for the client. Instead of just immediately denying it access, it can (if configured) redirect the client to a quarantine network where it can download whatever it needs to meet any network policy enforcement checks.
Maymi, F. J., Chapman, B. (2018). All-in-One CompTIA CSyA+ Cybersecurity Analyst Certification Exam Guide CS0-001. McGraw-Hill Education: New York, NY.