One problem with today's digital adversaries is that they are very stealthy: after breaking into an organization, they can go undetected for long periods of time.
Anyone working in security is likely familiar with the tag line, "prevention is ideal, but detection is a must"; it is something I say often, as it is very relevant today. An organization needs to prevent as many attacks as possible, but with an advanced adversary who is persistent, sometimes prevention only postpones the inevitable.
Given that an organization will not be able to prevent every attack, it is essential that when prevention fails, the attack is detected in a timely manner. However, reports such as the Verizon Data Breach Investigations Report and the Mandiant M-Trends report show that most organizations perform little to no detection; those businesses are therefore unable to limit the damage that follows an attack, because nothing shortens the time between compromise and discovery.
Hence the focus of this month's column: how to conduct timely attack detection to control and mitigate the amount of damage. To accomplish this, we'll look at how to use technology that is already deployed more effectively and, because damage accrues quickly once an adversary is inside, how to implement continuous monitoring that automates the response component rather than waiting on a human to act.
NAC: Why is it underutilized?
When considering ways to prevent security breaches, the typical knee-jerk reaction is to buy new security products. The problem with this approach is that most organizations aren't failing at security because they need more products; they are failing at security because they do not have enough trained, experienced security professionals (budget is not the issue). If an organization does not have enough staff to maintain the products it currently has, what happens when it buys more products? The problem gets worse because now the limited resources are spread even thinner.
It is always good to first use functionality that has already been purchased. One of the best and most underused technologies for doing this -- and one that many organizations already have -- is network access control (NAC).
Organizations that use NAC often underuse its potential; they simply apply NAC at the network's initial connection point. When a system seeks to join the network, NAC evaluates it and determines what virtual LAN to put the system on. It does not perform any additional validation throughout the day.
This all-too-common use case has three shortcomings. First, just because a system is secure at 9:00 a.m. does not mean it is secure at 1:00 p.m.; if the system is compromised during the day, the compromise will typically go undetected until the next time it connects, if then. Second, most NAC configurations are not implemented to look for parameters that are indicative of advanced attacks. It is great that NAC checks for patch levels and that endpoint security is running, but most advanced attacks do not change those parameters at all: a compromised host is still fully patched and its endpoint agent is still running. NAC, therefore, is not looking in the right areas to catch an attack. Third, many networks are not properly segmented, so once a system is compromised there is nothing to control and minimize the damage.
Implementing NAC-based continuous monitoring
To solve these problems, let's look at several concepts and show how they can be combined to create a continuous monitoring system. First, NAC needs to continuously monitor network traffic, not just the state of specific hosts, in order to catch a compromise. Most NAC implementations look at host-based parameters, which are difficult to track and monitor, and monitoring the more advanced host parameters requires installing host-based agents, which adds significant cost and complexity to a deployment. Network-based parameters can be collected from the infrastructure the traffic already crosses, which is much easier and more scalable.
The second concept is identifying the network parameters that indicate a system compromise. In evaluating many attacks, the C2 (command-and-control) channel is one of the best indicators of compromise. Relative to the compromised host's normal profile, a C2 channel will always change three parameters of its outbound traffic:
- Length of the connection
- Number of connections
- Amount of data
After building a profile of normal activity, a deviation in these parameters is indicative of a compromised system. Two practical points: the profile must be built per host (or at least per host role), because a backup server and a workstation have very different "normal" traffic, and a single legitimate change, such as a new application or a large download, will usually move only one of the three parameters, so the strongest signal is a simultaneous deviation in all three.
The third and final piece of the puzzle is to create a properly segmented network to contain and control damage. While there are many ways to do this, one segmentation model that I have used successfully in many enterprises is the following:
Level 5 -- Full internal and full external access
Level 4 -- Full internal and limited external access
Level 3 -- Limited internal and limited external access
Level 2 -- Limited internal and no external access
Level 1 -- No access
Now, we have to put all of these pieces together, and here's how this paradigm works. NAC continuously monitors the three above-mentioned parameters for each host's outbound traffic and compares them against that host's baseline. If the traffic deviates from the baseline by 10% in all three areas at once, NAC drops the system down one trust level. As a system continues to exhibit bad behavior, its level of access is reduced step by step and the amount of damage an adversary can do is contained; as the system returns to normal behavior, access is restored.
Keep in mind that while this method of NAC-based continuous monitoring will control the amount of damage caused by an attack, it will not fix an infected system; it only limits what the adversary can reach from it. Therefore, if a system ever drops below Level 3, an alert should be triggered to indicate that the system has likely been compromised so that appropriate incident response actions, such as imaging and reimaging the host, can be performed.
As a rule of thumb in security, instead of buying a new security product to solve a problem, look at the technology already in place. As demonstrated in this column, NAC can be used to continuously monitor a network and contain the amount of damage the adversary causes.
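To make the paradigm concrete, here is an added example (written for this edit, not code from the column or from any NAC product) that scores one host's trust level from outbound flow records using the three parameters, the 10%-in-all-three rule, the five-level segmentation model and the alert-below-Level-3 rule described above. The flow-record shape, the evaluation windows, the per-host baseline and the choice to move exactly one level per window are assumptions made for the illustration; in a real deployment the records would come from a flow collector and the level change would be pushed to the NAC policy engine.

```python
# Added example: NAC-style trust scoring from outbound flow records.
# Not code from the column or from any NAC product. The flow-record
# shape, the evaluation windows and the one-level-per-window step are
# assumptions made for this illustration; the three parameters, the
# 10% rule, the five trust levels and the alert-below-Level-3 rule are
# taken from the text.
from dataclasses import dataclass

# The five trust levels from the column's segmentation model.
LEVELS = {
    5: "full internal, full external access",
    4: "full internal, limited external access",
    3: "limited internal, limited external access",
    2: "limited internal, no external access",
    1: "no access",
}
DEVIATION = 0.10   # 10% deviation threshold
ALERT_BELOW = 3    # raise an incident when a host drops below Level 3


@dataclass
class Profile:
    """The three outbound-traffic parameters for one host over one window."""
    avg_duration: float   # length of the connections (seconds)
    connections: int      # number of connections
    bytes_out: int        # amount of data sent


def profile(flows):
    """Summarise a list of flow records for one host.

    Each record is a dict with 'duration' (seconds) and 'bytes_out'
    (assumed shape; a real deployment would read NetFlow/IPFIX).
    """
    flows = list(flows)
    if not flows:
        return Profile(0.0, 0, 0)
    total_duration = sum(f["duration"] for f in flows)
    return Profile(total_duration / len(flows), len(flows),
                   sum(f["bytes_out"] for f in flows))


def _relative_change(baseline, current):
    """Fraction by which current differs from baseline (1.0 if baseline was 0)."""
    if baseline == 0:
        return 1.0 if current else 0.0
    return abs(current - baseline) / baseline


def deviates(baseline, current, threshold=DEVIATION):
    """True only when ALL three parameters moved by more than the threshold.

    Requiring all three is what keeps a single large download or a new
    chatty application from demoting a healthy host.
    """
    pairs = (
        (baseline.avg_duration, current.avg_duration),
        (baseline.connections, current.connections),
        (baseline.bytes_out, current.bytes_out),
    )
    return all(_relative_change(b, c) > threshold for b, c in pairs)


def next_level(level, baseline, current):
    """Step one level down on a deviating window, one level up (max 5) otherwise."""
    if deviates(baseline, current):
        return max(1, level - 1)
    return min(5, level + 1)


def evaluate_host(baseline_flows, windows, start_level=5):
    """Run the windows for one host; return (final level, per-window levels, alert indexes)."""
    base = profile(baseline_flows)
    level = start_level
    history = []
    for window in windows:
        level = next_level(level, base, profile(window))
        history.append(level)
    alerts = [i for i, lvl in enumerate(history) if lvl < ALERT_BELOW]
    return level, history, alerts


def _flows(n, duration, bytes_out):
    """Constructed sample data: n identical outbound flows."""
    return [{"duration": duration, "bytes_out": bytes_out} for _ in range(n)]


def demo():
    """Constructed scenario: normal window, big download, three beaconing
    windows, then a return to normal."""
    baseline = _flows(20, 2.0, 5_000)          # avg 2 s, 20 conns, 100 kB
    windows = [
        _flows(21, 2.1, 5_100),                  # all three within 10%: stays at 5
        _flows(20, 2.0, 2_500_000),              # only bytes jump: stays at 5
        _flows(60, 30.0, 200),                   # long, many, small: C2-like, drop
        _flows(60, 30.0, 200),
        _flows(60, 30.0, 200),                   # now below Level 3: alert
        _flows(21, 2.1, 5_100),                  # back to normal: climbs one level
    ]
    return evaluate_host(baseline, windows)


if __name__ == "__main__":
    final, history, alerts = demo()
    for i, lvl in enumerate(history):
        print(f"window {i}: Level {lvl} ({LEVELS[lvl]})")
    print("alerts at windows:", alerts, "final level:", final)
```

The second window is the important edge case: a 50 MB download moves only the bytes parameter, so the host keeps Level 5, while three consecutive windows of long-lived, numerous, low-volume connections (the classic beaconing shape) walk it down to Level 2 and raise the alert. Tune the window length and the threshold per host role before enforcing; a threshold this simple is a containment trigger, not proof of compromise.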
About the author:
Eric Cole, Ph.D., is an industry-recognized security expert with more than 20 years of hands-on experience. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting where he provides leading-edge cyber security consulting services, expert witness work, and leads research and development initiatives to advance state-of-the-art information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. He is actively involved with the SANS Technology Institute (STI) and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.