This tip is part of SearchSecurity.com's Intrusion Defense School lesson on targeted attacks. For more in-depth tutorials, visit SearchSecurity.com's Security School page.
No single security control can prevent a targeted attack from compromising a network.
Read that first line again. It's a sobering reality for organizations that have invested heavily in any one specific security product. In practice a defense-in-depth strategy is the only way to reduce the likelihood that attackers will be able to access and extract any data they want to steal. Antivirus, firewall and Web security gateways, data encryption, and robust patch and configuration management are all essential to stand a chance of thwarting these attacks; none can do the job alone.
To that end, it's important to ensure specific controls are deployed to hamper or stop an attack at each stage of the targeted attack life cycle, from the arrival of the phishing email through to attempts to extract data. In this tip, we'll discuss the targeted attack protection plan every enterprise should have in place.
Step-by-step targeted attack protection
Start by blocking phishing campaigns using rule sets and blacklists that are updated on at least an hourly basis. Blacklists of known bad IP addresses and domains can be updated automatically using threat intelligence feeds from the likes of Symantec Corp. and the other antivirus vendors. Enterprise network security teams need to keep abreast of the latest attack vectors being used so that suitable rules for specific campaigns and exploits can be deployed.
Next, check that all systems and devices are patched and correctly figured. Vendors like Secunia and SolarWinds offer automated vulnerability discovery and patch management tools that work well (and both offer free trials). Effective patch and configuration management will eliminate known vulnerabilities, forcing the attackers to rely on other methods, such as zero-day exploits, to gain unauthorized network access. Application whitelists can prevent unapproved executables and malicious code from running on user endpoint machines, and device controls should be introduced to block infected USB devices, another common tactic used in targeted attacks.
For those enterprises running legacy applications on older versions of Windows, consider deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to provide protection while systems are updated. EMET can also provide additional protection for "in support" versions of Windows, such as Windows 7, by offering supplementary mitigations and by enforcing protection for software that have not opted to use Microsoft's latest defensive controls, such as Data Execution Prevention (DEP).
Identify critical host and network resources, as this will be any attacker's primary target, and put them within the protection of smaller network segments based on business processes or data types and data classifications.
Network segmentation makes it easier to implement rules appropriate for a specific resource, such as limiting access outside of office hours or denying access from specific destinations. Also more frequent checks can be made to ensure that access control lists (ACLs) and other controls are operating as expected. For example, a firewall protecting a DMZ containing only a Web server and a DNS server can be configured to send alerts for any traffic on ports other than 80, 443 and 53, as in this deployment scenario all other traffic should be blocked.
Data protection, logging and monitoring
The end goal of any targeted attack is to identify, collect and send valuable data to a command-and-control server. This network activity -- along with attempts to explore the network in search of information -- provides an opportunity for diligent administrators to spot and locate any infiltration.
However, to do so, it requires extensive logging and near-real time monitoring of internal, incoming and outgoing network traffic. For those on restricted budgets, look at deploying an open source tool like OSSEC. This host-based intrusion detection system (IDS) can provide log analysis, file integrity checking and Windows registry monitoring. It can also receive event logs from a variety of firewalls, IDSes, servers, switches and routers, providing real-time correlation and analysis, policy monitoring and alerts. Security Onion can also be used for intrusion detection and enterprise network security monitoring. It includes a host of tools that can be used as sensors and controls to monitor and allow early detection of APT-like behavior.
More on targeted attack protection
Targeted malware attacks demand new defense approach
Targeted APT attacks: Hardening the network
Trend Micro says traditional security fails against targeted attacks
In the event of a pervasive attack, having comprehensive logs will help in tracking down not only the extent of the infection, but also the source. For example, an attack that included the installation of a PI-RAT Trojan can be spotted with an IDS rule that checks outbound traffic to port 3460 for the presence of the string it uses in its initial communication sequence flag. Analysis of the communications between the device attempting to use port 3460 and other devices can help determine which other machines may have been compromised. A network protocol analyzer tool such as Wireshark is indispensable when manually analyzing traffic logs.
Deploying and monitoring technology-based controls is vital in the war against targeted attacks, but still requires constant vigilance by employees with regard to opening email and following hyperlinks. Enterprise network security awareness training is the only way to really counteract social engineering-based attacks, both during the reconnaissance phase and when the attack is launched. Everyone's vulnerable to social engineering manipulation, so training needs to explain how social engineers operate and the tactics employees may encounter on and off the job.
Procedures need to be in place so employees can report unusual email or other suspicious activities, and an emergency response plan drawn up for handling a breach, including identifying how the breach occurred and what data might have been stolen.
Combating targeted attacks requires that an organization is able to spot them, stop them and deal with those that still get through. This targeted attack protection plan, once implemented, will help your organization improve its state of readiness for the inevitable next attack.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.