Proactive Cyber Defence: Optimising Network Security to Stay Ahead of Threats
Introduction
In today’s ever-evolving digital landscape, staying ahead of cyber threats requires more than just basic security measures. As a network security specialist, it’s my job to dive deep into the intricacies of network architecture, identify potential vulnerabilities, and ensure that our digital fortresses remain impenetrable. In this article, we’ll explore a real-life scenario that highlights the importance of understanding every component of a network, selecting the best endpoint detection software, and crafting a robust strategy for threat detection and response.
Table of Contents
1.0 Introduction
1.1 Assumptions
1.2 Detection of Reconnaissance
2.0 Session Data Collection
3.0 Snort vs. Suricata
4.0 Incident Response
5.0 Advanced Persistent Threats (APTs)
6.0 Cost Effectiveness
7.0 Conclusion
8.0 References
1.0 Introduction
As a network security specialist, my role is not just about fixing problems as they arise. Instead, it’s about anticipating potential issues, understanding the unique demands of the network, and crafting solutions that are as resilient as they are efficient. In this scenario, we’ll delve into an optimised network diagram that I’ve crafted, which serves as a blueprint for defending against cyber threats. We’ll take a close look at how each network component plays a crucial role and how the right tools can make all the difference in keeping the bad guys at bay.
1.1 Assumptions
To build a realistic and effective scenario, we’re making a few educated assumptions:
- Active Directory (AD) is in use within the organisation, providing a centralised way to manage user access and permissions.
- Detecting services on subnets may require the use of more specific Nmap options, ensuring thorough scanning without missing critical details.
- The network design includes separate VLANs (Virtual Local Area Networks) specifically for guest access, keeping them isolated from the internal network.
- Multi-Factor Authentication (MFA) is employed in server farms, but biometrics are avoided due to potential manipulation risks.
1.2 Detection of Reconnaissance
Imagine a stealthy intruder lurking in the shadows of your network, quietly gathering information without setting off any alarms. This is the reconnaissance phase of a cyberattack — a crucial step where attackers map out your network and pinpoint its weaknesses. But fear not, because understanding this phase gives us the upper hand in stopping them before they strike.
How Reconnaissance Works:
Cybercriminals often start by performing network and port scans, using tools like Nmap to discover open ports, running services, and the software versions in use. They might even employ OSINT (Open Source Intelligence) and social engineering to gather more intel, such as finding out which software versions are vulnerable to known exploits.
With this information, they can exploit weaknesses such as Active Directory misconfigurations, lack of brute-force countermeasures, and poorly defended web applications. The goal is to find a way in, whether through a poorly secured endpoint or by tricking an employee into handing over their credentials.
Insider Threats:
But it’s not just external threats we need to worry about. Insiders — employees with legitimate access — can be just as dangerous, if not more so. Armed with knowledge of the network, a malicious insider can easily avoid detection by blending their activities into regular network traffic. They can map out the network, identify honeypots designed to lure and trap attackers, and find unsecured endpoints ripe for exploitation.
Rogue Devices and Network Interception:
Let’s not forget the risk of rogue devices. An attacker might deploy a device to intercept network packets at a vulnerable spot — like ‘node 9’ in our network diagram — which could give them access to everything from employee credentials to sensitive company data. This kind of attack could lead to credential farming, data theft, or even the launching of additional targeted attacks.
Mitigation Strategies:
So how do we stop them? Regular network audits, the use of strong encryption protocols like WPA3 and TLS/SSL, and the strategic deployment of VLANs, firewalls, and intrusion detection systems (IDS) are all key to making network reconnaissance as difficult as possible for would-be attackers.
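One way an IDS or a log-analysis job can surface the port-scanning phase described above, as an added example that is not part of the original article: the connection records, hosts and thresholds below are constructed for illustration, and the detector counts distinct (host, port) targets that one source reaches within a short window, which covers both vertical scans (many ports on one host) and horizontal scans (one port across many hosts).

```python
from collections import defaultdict

# Constructed connection log: (seconds, src_ip, dst_ip, dst_port). Sample values
# made up for this example; a real feed would come from firewall or flow logs.
SCANNER, NORMAL, TARGET = "10.0.5.23", "10.0.5.40", "10.0.1.10"
CONNECTIONS = (
    # one host touching 30 different ports on one server within 3 seconds
    [(0.1 * i, SCANNER, TARGET, 20 + i) for i in range(30)]
    # a normal host reaching two services a few times over a minute
    + [(6.0 * i, NORMAL, TARGET, 443) for i in range(10)]
    + [(7.0 * i, NORMAL, "10.0.1.20", 445) for i in range(5)]
)


def detect_port_scans(records, window=10.0, min_targets=15):
    """Return {src_ip: peak number of distinct (dst_ip, dst_port) pairs seen
    within any `window`-second span} for sources reaching at least `min_targets`.

    Vertical scans (many ports, one host) and horizontal scans (one port, many
    hosts) both raise the distinct-target count, so one rule covers both.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(records):
        per_src[src].append((ts, (dst, port)))

    suspects = {}
    for src, events in per_src.items():
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({target for _, target in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, count in detect_port_scans(CONNECTIONS).items():
        print(f"possible scan from {src}: {count} distinct targets within 10s")
```

The threshold and window should be tuned against the network's own baseline; vulnerability scanners and monitoring systems the organisation runs itself will trip this rule and belong on an allowlist.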
2.0 Session Data Collection
Once an attacker has infiltrated the network, the next step is to monitor their activities closely. This is where alert data and session data come into play — two critical types of information that help us detect and respond to threats in real-time.
Alert Data:
Alert data is like the early warning system of your network. It’s generated by intrusion detection systems such as Snort or Suricata when they detect something out of the ordinary — like an unusual spike in DNS traffic or a process suddenly gaining root privileges. This data helps security teams respond quickly to potential threats before they can cause serious damage.
Session Data:
Session data, on the other hand, provides a detailed record of interactions between network devices. This might include information like the duration of a session, the amount of data transferred, and the IP addresses involved. Collecting this data allows us to spot suspicious patterns — such as an unusual data transfer late at night — that might indicate an ongoing attack.
Strategic Data Collection Points:
To make the most of alert and session data, it’s important to collect it from the right places. For example, monitoring data packets at core routers (like points 2, 7, and 8 in our network diagram) can reveal a lot about network traffic patterns. Similarly, collecting authentication logs from server farm nodes (points 4, 5, 10, 11–15) and EDR data from client nodes (10, 11, 12–15) ensures that we have a comprehensive view of user activities across the network.
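The late-night transfer check that section 2.0 describes, as an added example rather than anything from the original article: the session records, hosts and business hours are constructed assumptions, and the check compares each off-hours session against the source host's own daytime median so that a host which always moves large volumes is not flagged for doing so at night.

```python
from datetime import datetime
from statistics import median

# Constructed session records: (start time ISO-8601, src_ip, dst_ip, bytes_out).
# Sample values made up for this example, not captured from a real network.
SESSIONS = [
    ("2024-03-04T09:15:00", "10.0.10.31", "10.0.4.12", 12_000_000),
    ("2024-03-04T11:40:00", "10.0.10.31", "10.0.4.12", 9_500_000),
    ("2024-03-04T14:05:00", "10.0.10.31", "10.0.4.12", 15_000_000),
    ("2024-03-04T16:30:00", "10.0.10.31", "10.0.4.12", 11_000_000),
    ("2024-03-05T02:10:00", "10.0.10.31", "203.0.113.8", 2_100_000_000),
    ("2024-03-04T10:00:00", "10.0.10.77", "10.0.4.12", 4_000_000),
    ("2024-03-04T22:30:00", "10.0.10.77", "10.0.4.12", 5_000_000),  # late, but ordinary size
    ("2024-03-04T23:45:00", "10.0.10.90", "10.0.4.12", 800_000_000),  # nightly backup host
]
BACKUP_HOSTS = {"10.0.10.90"}  # known scheduled jobs are excluded rather than alerted on


def is_off_hours(ts, start=8, end=19):
    """True outside business hours (08:00-19:00 assumed here) or on a weekend."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def flag_off_hours_transfers(sessions, factor=10, exclude=BACKUP_HOSTS):
    """Return off-hours sessions whose bytes_out exceed `factor` times the
    source host's daytime median. A host with no daytime baseline is flagged
    on any off-hours transfer, since nothing shows the activity to be routine."""
    parsed = [(datetime.fromisoformat(t), s, d, b) for t, s, d, b in sessions]
    daytime = {}
    for ts, src, _, nbytes in parsed:
        if not is_off_hours(ts):
            daytime.setdefault(src, []).append(nbytes)
    flagged = []
    for ts, src, dst, nbytes in parsed:
        if src in exclude or not is_off_hours(ts):
            continue
        baseline = median(daytime[src]) if src in daytime else 0
        if nbytes > factor * baseline:
            flagged.append((ts.isoformat(), src, dst, nbytes))
    return flagged


if __name__ == "__main__":
    for when, src, dst, nbytes in flag_off_hours_transfers(SESSIONS):
        print(f"{when}: {src} sent {nbytes:,} bytes to {dst} outside business hours")
```

A destination outside the internal address space, as in the flagged session here, is the detail that turns a size anomaly into a possible exfiltration lead and points the responder at the flow and authentication logs for that host.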
3.0 Snort vs. Suricata
When it comes to choosing the best IDS for your network, the decision often comes down to Snort vs. Suricata. Both are powerful tools, but they have different strengths that might make one a better fit than the other, depending on your specific needs.
Snort:
Snort has been around for years and is backed by industry giant Cisco Systems. This corporate backing means that Snort enjoys robust support and regular updates. It’s highly customisable and can be configured to meet the unique demands of just about any network. However, Snort’s single-threaded architecture can be a drawback in high-traffic environments, where it might struggle to keep up.
Suricata:
Suricata, on the other hand, is an open-source IDS that excels in multi-threading — meaning it can process multiple streams of data simultaneously. This makes Suricata particularly well-suited for large-scale networks with heavy traffic. It’s also user-friendly and offers better logging capabilities, including the ability to log HTTP, FTP, and SMTP streams. While Suricata doesn’t have the same corporate backing as Snort, it’s an excellent choice for organisations that need high performance and scalability.
Which One to Choose?
If your network is large and experiences high volumes of traffic, Suricata is likely the better option due to its multi-threaded architecture. However, if you require extensive support and customisation, Snort might be the way to go.
4.0 Incident Response
No matter how robust your defences are, there’s always a chance that an attacker will find a way in. When that happens, a well-prepared incident response plan is essential to minimise damage and recover quickly.
Data Collection for Incident Response:
The first step in incident response is to collect all relevant data, including log files from servers, applications, and network devices. This data provides a detailed record of the incident and helps us understand the scope of the breach.
For instance, capturing network flow data can help determine whether any suspicious packets infiltrated the network, while email headers and content can reveal whether social engineering tactics, such as phishing, were used. Activity logs and privileges should also be scrutinised to detect any unauthorised access or privilege escalation attempts.
Responding to Suspicious Off-Hours Engagements:
Suppose we detect unusual activity during off-hours — perhaps an employee is accessing sensitive data late at night. In that case, we would need to collect access logs from the file server connected to ‘gate 11’, examine network logs at ‘gateway 6’, and review workstation logs for any signs of unauthorised access or USB usage.
Ensuring Forensic Soundness:
Throughout the incident response process, it’s crucial to maintain the integrity of the data. This means using write-blockers to prevent accidental modifications, preserving original metadata, and ensuring that all evidence is handled in a way that would stand up in court if necessary.
5.0 Advanced Persistent Threats (APTs)
Advanced Persistent Threats (APTs) are some of the most dangerous adversaries you can face. These attackers are patient, skilled, and well-funded, often working over long periods to achieve their goals. Detecting and responding to APTs requires a sophisticated approach.
Testing Monitoring Effectiveness:
To ensure that your monitoring systems are up to the task, regular penetration testing and red team activities are essential. These tests simulate real-world attacks, allowing you to identify vulnerabilities and assess your team’s ability to detect and respond to threats.
Detecting APTs:
To catch APTs in the act, it’s important to monitor a wide range of data sources, including Windows event logs, Linux audit logs, application logs, and network traffic. Tools like Sysmon can be particularly useful for detecting API calls that might indicate an attempt to escalate privileges or exploit kernel vulnerabilities.
Example: APT39
For instance, APT39 has been known to use DNS and HTTP to communicate with Command and Control (C2) servers, so monitoring network traffic for unusual patterns can be a key way to detect their presence. Similarly, event logs can reveal attempts to brute-force network credentials or execute malicious code via AutoIt or PowerShell.
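The "unusual pattern" in DNS traffic that gives away a C2 channel is very often regularity: a tool that sleeps for a fixed interval between check-ins produces queries at near-constant spacing, which human browsing never does. The following is an added example, not code from the original article or from any APT39 analysis; the resolver log lines, hosts and names are constructed, and the detector flags (client, name) pairs whose inter-query intervals have a low coefficient of variation.

```python
from statistics import mean, pstdev

# Constructed DNS query log, one "<epoch seconds> <client ip> <queried name>" per line.
# Sample values made up for this example, not taken from a real resolver.
BASE = 1_700_000_000
DNS_LOG = "\n".join(
    # one host resolving the same name every ~300 s with slight jitter
    [f"{BASE + 300 * i + i % 3} 10.0.10.31 cdn-sync.example.net" for i in range(24)]
    # a user's mail client: irregular, human-driven lookups
    + [f"{BASE + v} 10.0.10.77 mail.example.org"
       for v in (5, 61, 430, 433, 2200, 2310, 4000, 4012)]
    # a scheduled job that is just as regular, which is why an allowlist is needed
    + [f"{BASE + 900 * i} 10.0.10.31 time.example.org" for i in range(4)]
)


def parse_dns_log(text):
    """Group query timestamps by (client, queried name)."""
    series = {}
    for line in text.splitlines():
        ts, client, name = line.split()
        series.setdefault((client, name), []).append(int(ts))
    return series


def find_beacons(text, min_queries=12, max_jitter=0.05, allow=frozenset()):
    """Return {(client, name): mean interval in seconds} for query series whose
    intervals are nearly constant (stdev/mean below `max_jitter`). Names in
    `allow` (known schedulers, update checks, NTP) are skipped."""
    beacons = {}
    for (client, name), stamps in parse_dns_log(text).items():
        if name in allow or len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[(client, name)] = avg
    return beacons


if __name__ == "__main__":
    for (client, name), interval in find_beacons(DNS_LOG).items():
        print(f"{client} queries {name} every ~{interval:.0f}s")
```

Legitimate periodic lookups (time sync, software update checks, monitoring agents) score exactly like a beacon, so the allowlist and the `min_queries` floor are what keep this usable; a hit is a lead for the analyst to pivot into proxy and HTTP logs for the same host, not a verdict on its own.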
6.0 Cost Effectiveness
Security is an investment, and like any investment, it’s important to weigh the costs against the benefits. While some of the tools and strategies we’ve discussed — like IBM QRadar and Suricata — can be expensive to implement, the protection they offer against cyber threats is invaluable.
Justifying the Costs:
The initial setup costs for a robust security system can be high — IBM QRadar alone might set you back up to £8000. However, this cost is justified by the protection it offers against potential threats, especially in high-traffic environments where the stakes are even higher.
Investing in Employee Training:
Another important investment is in employee training. Offering training in tools like ADTool and running simulated environments can help employees better understand the threats they might face and how to respond to them. While this training might be a bit of a burden on the budget, it’s a small price to pay for a well-prepared workforce that can protect your company’s intellectual property.
Balancing Costs and Benefits:
In the end, the costs associated with a comprehensive security strategy — whether they’re related to hardware, software, or human resources — are more than offset by the benefits. A secure network means less downtime, fewer data breaches, and ultimately, a stronger, more resilient organisation.
7.0 Conclusion
Cybersecurity isn’t just about technology; it’s about strategy, preparation, and constant vigilance. By understanding the intricacies of your network, selecting the right tools, and investing in your team’s training, you can build a proactive cyber defence strategy that keeps your organisation safe from even the most sophisticated threats. Remember, in the world of cybersecurity, it’s not just about responding to threats — it’s about staying one step ahead of them.
8.0 References
DeVito, A., 2023. Suricata vs Snort: A Comprehensive Comparison and Review. StationX.
Gurkok, C., 2014. Cyber Forensics and Incident Response. Verizon.
Midland Information Systems, n.d. Getting a Quote is Easy. Available at: https://www.midlandinfosys.com/component/tags/tag/component/tags/tag/qradarpricing
MITRE ATT&CK, n.d. Enterprise Matrix. Available at: https://attack.mitre.org/matrices/enterprise/