The common adage of “home-field advantage” is very applicable to the world of network security. While attackers must learn the ins and outs of your network, as a defender you should be aware of every nuance in your ecosystem. In a past life of doing incident response, when we would roll up to a new site, we would always ask for a briefing on the network architecture and infrastructure from the teams responsible for maintaining them. Many times the teams had a pretty good idea of what was what, but more often than you’d hope they were inadequately prepared to explain the layout. When we did network scanning, there were times we would find infrastructure they were unaware of or thought had been decommissioned.
While it may be (almost) impossible for anyone to have an up-to-the-minute view of a complex ecosystem, as a network defender you still need to understand as much of it as possible. You cannot defend what you do not know exists, and you cannot plan a proper defense if you do not know what you must defend. As with any defensive planning, there will be things you have to protect, things you should protect, things you would like to protect, and things you likely cannot protect. That ranking should be the cornerstone of your defense-in-depth strategy. What can you not afford to lose (or lose access to) without halting operations or crippling the business permanently? Those assets are the first priority when building out your defense in depth; everything else is prioritized as you build outward from them.
What does understanding your network really mean though? It’s not enough to know the critical IP addresses and server names and subnets. Knowing some of the software running and web technologies isn’t enough either. Those are key components for sure but there’s a lot more to knowing your network. You need to understand the ebbs and flows of the traffic as well.
Which subnets should be talking to which? Would you ever allow an engineering PC access to the finance network? Not usually, except for that one time when you had to... but did you remove that connection when it was no longer needed? And while it was in place, were you giving it special attention to make sure it was not being misused? Do you understand the flow patterns across your network: which systems talk to which, and during what periods of the day? Do you know the volume of traffic you should be seeing across each network boundary, and can you tell when the typical threshold is crossed? All of this matters most on your critical networks.
Do you know all the paths into and out of each of your subnets? Could you tell if someone bridged two networks on a server or laptop somewhere, for example a machine with one interface on the corporate LAN and another on a guest or home network? If so, how long would it take you to find it? Do you know where all of your Wi-Fi access points are located and how they are secured? Do you check regularly for new (rogue) ones?
Do you track your users? Can you pattern their network behavior? Are they sending out more data than usual at odd hours all of a sudden? Are they accessing unexpected applications or servers? Are there unexpected logins on a person’s computer from another legitimate account?
Do you track the software running in your networks? This includes both server-side applications and user-installed software. Knowing what software, and which versions of it, you are running is essential for patch management, and when a new vulnerability is disclosed it tells you immediately whether and where you are exposed. It is much easier to know these things before an incident than to have to scan the network to find out after the fact.
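As an added illustration of why a version-accurate inventory pays off at disclosure time (this is example code written for this article, not iboss code), the snippet below checks a constructed inventory against a constructed, hypothetical advisory for a fictional package named `examplelib`. The host names, zones, version numbers and the advisory's affected range are all assumptions. The one non-obvious point it demonstrates is that versions must be compared numerically, not as strings: as text, "1.2.9" sorts after "1.2.12", which would silently miss affected hosts.

```python
"""Added example (not iboss code): match a constructed software inventory
against a constructed, hypothetical advisory. All names and versions are
assumptions made for illustration."""


def parse_version(s, width=4):
    """'1.2.10' -> (1, 2, 10, 0). Tuples compare numerically, so 1.2.10 > 1.2.9,
    and zero-padding makes '1.2' equal to '1.2.0'. Non-digit suffixes are dropped."""
    parts = []
    for piece in s.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


# Constructed inventory: (host, zone, package, version).
INVENTORY = [
    ("web-01", "dmz", "examplelib", "1.2.9"),
    ("web-02", "dmz", "examplelib", "1.2.12"),
    ("fin-db-01", "finance", "examplelib", "1.2.3"),
    ("eng-pc-117", "engineering", "examplelib", "1.2.11"),
    ("eng-pc-118", "engineering", "otherlib", "4.0.1"),
]

# Constructed, hypothetical advisory (not a real one): affected from 1.2.0
# inclusive up to, but not including, the fixed release 1.2.12.
ADVISORY = {
    "package": "examplelib",
    "affected_from": "1.2.0",
    "fixed_in": "1.2.12",
}


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def exposed_hosts(inventory, advisory, critical_zones=("finance",)):
    """Affected (host, zone, version) triples, critical zones first so the
    'must protect' systems are patched before the rest."""
    hits = [
        (host, zone, version)
        for host, zone, package, version in inventory
        if package == advisory["package"] and is_affected(version, advisory)
    ]
    hits.sort(key=lambda h: (h[1] not in critical_zones, h[0]))
    return hits


if __name__ == "__main__":
    for host, zone, version in exposed_hosts(INVENTORY, ADVISORY):
        print(f"{host} ({zone}) runs {ADVISORY['package']} {version}: affected")
```

Note that `web-02` on the fixed release and `fin-db-01`'s neighbours on unrelated packages are correctly left out, while the finance host is listed first even though its hostname would sort last.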
With the shift to the post-COVID-19 ‘work from anywhere’ model, understanding your network became an order of magnitude more complex. Unless you are backhauling all traffic through your corporate VPN, a substantial amount of activity is happening that you have no visibility into. In this model, what really is your network? The boundary has moved from within your corporate walls into the homes of all of your employees. The common approach is split tunneling, where only traffic destined for your own resources returns to your network. In that case you lose visibility into your users’ traffic patterns, bandwidth, and access to company resources hosted in the cloud, and with no meaningful baseline you can no longer spot anomalies. By utilizing the iboss Cloud Platform, you regain visibility and access control for your remote workers. From the user’s perspective nothing has changed in their day-to-day work; from a security perspective, it is once again as if your employees were working in the office.
While it can be a lot of time-consuming work, establishing the baseline behavior of your networks goes a long way toward securing them. During the process you will likely find things you did not expect, which gives you a chance to remediate them before a threat actor takes advantage of them. It also shows you the paths you need to monitor or protect on the way to your most critical data and systems. Document the results in a form that makes sense to the company and that the IT and security organizations can use easily, in times of calm and in times of crisis.
The follow-on is to implement behavioral analysis within your networks to find deviations from these baselines. Every deviation should be investigated; if it turns out to be legitimate, fold it in and generate a new baseline.
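To make the baseline-and-deviation idea concrete, here is an added example (written for this article, not iboss code) that does the two things the questions earlier in the post ask for: it learns the expected byte volume per subnet pair and hour of day from a few days of NetFlow-style records, and it then flags both a subnet pair that was never seen before (the engineering PC reaching the finance network) and a volume spike across a network boundary. The zone subnets, the flow records, the 3-sigma threshold and the 25% minimum tolerance are all assumptions; the records are constructed, not captured traffic.

```python
"""Added example (not iboss code): baseline cross-subnet traffic per hour from
NetFlow-style records, then flag deviations. Subnets, flows and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed network zones (constructed).
ZONES = {
    "engineering": ip_network("10.1.0.0/16"),
    "finance": ip_network("10.2.0.0/16"),
    "servers": ip_network("10.10.0.0/16"),
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Constructed flow records: (timestamp, src, dst, bytes) over three 'normal' days.
BASELINE_FLOWS = [
    ("2024-03-04T09:05:00", "10.1.4.20", "10.10.0.5", 30_000_000),
    ("2024-03-04T09:40:00", "10.1.4.21", "10.10.0.5", 20_000_000),
    ("2024-03-04T14:10:00", "10.10.0.8", "203.0.113.9", 10_000_000),
    ("2024-03-05T09:12:00", "10.1.4.20", "10.10.0.5", 48_000_000),
    ("2024-03-05T14:30:00", "10.10.0.8", "203.0.113.9", 12_000_000),
    ("2024-03-06T09:50:00", "10.1.4.22", "10.10.0.5", 52_000_000),
    ("2024-03-06T14:05:00", "10.10.0.8", "203.0.113.9", 11_000_000),
]

# Constructed observation day: a normal engineering->servers hour, an
# engineering PC reaching finance at 02:30, and a server pushing 200 MB out.
OBSERVED_FLOWS = [
    ("2024-03-07T02:30:00", "10.1.4.20", "10.2.0.15", 5_000_000),
    ("2024-03-07T09:20:00", "10.1.4.20", "10.10.0.5", 54_000_000),
    ("2024-03-07T14:15:00", "10.10.0.8", "203.0.113.9", 200_000_000),
]


def aggregate(flows):
    """Daily byte totals per (src_zone, dst_zone, hour) bucket."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        t = datetime.fromisoformat(ts)
        totals[(zone_of(src), zone_of(dst), t.hour)][t.date()] += nbytes
    return totals


def build_baseline(flows):
    """Per bucket: (mean, population std dev) of the daily totals."""
    baseline = {}
    for key, per_day in aggregate(flows).items():
        vals = list(per_day.values())
        baseline[key] = (mean(vals), pstdev(vals))
    return baseline


def find_deviations(baseline, flows, k=3.0, min_ratio=0.25):
    """Flag zone pairs never seen in the baseline ('unexpected_path') and
    daily totals above mean + k*sigma ('volume_spike').

    A bucket built from a few near-identical days has sigma close to 0, so
    mean + k*sigma alone would flag trivial growth; min_ratio sets a floor
    (here at least 25% over the mean) so that does not happen.
    """
    findings = []
    for key, per_day in aggregate(flows).items():
        for day, total in per_day.items():
            if key not in baseline:
                findings.append(("unexpected_path", key, day, total))
                continue
            mu, sigma = baseline[key]
            limit = max(mu + k * sigma, mu * (1 + min_ratio))
            if total > limit:
                findings.append(("volume_spike", key, day, total))
    return findings


def run_example():
    baseline = build_baseline(BASELINE_FLOWS)
    return find_deviations(baseline, OBSERVED_FLOWS)


if __name__ == "__main__":
    for kind, (src, dst, hour), day, total in run_example():
        print(f"{day} {hour:02d}:00 {src}->{dst}: {kind}, {total / 1e6:.1f} MB")
```

On the constructed data the 54 MB engineering-to-servers hour passes (it is within the tolerance of the 50 MB baseline), the 02:30 engineering-to-finance flow is reported as an unexpected path, and the 200 MB outbound push from the server subnet is reported as a volume spike. When an investigated deviation turns out to be legitimate, the corresponding records are appended to the baseline set and `build_baseline` is simply re-run, which is the "generate a new baseline" step above.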
If you’re looking to understand how preparing for a cyber incident should be a company-wide effort, watch our recent webinar, A Cybersecurity-first Approach to Prevent Your Company’s Cyber Armageddon.
Blog post authored by Jim Gogolinski, VP of Research and Threat Intelligence at iboss.