In the previous blog, we explored the anatomy of a typical APT attack, and explained how at each stage of its journey, unusual network traffic will be generated. With intelligent monitoring of your network, you can often spot such traffic and identify an APT infection. So how do you go about stopping the attack?
Reducing your attack surface
The first stage in the APT journey (initial reconnaissance and information-gathering) is the hardest for you to prevent, especially since the attacker will be using the most ingenious technical and psychological tactics at his disposal to trick your staff and bypass your defences. Moreover, there’s nothing particularly secretive about Open Source Intelligence (OSINT) techniques, for example – you can’t prevent someone from externally scanning your network. So whilst you might be able to identify traffic changes that signal external scanning, there may be little you can do.
However, moving laterally within your network in order to find your business’s crown jewels, is much more difficult for an APT attacker – and here, you should have the upper hand, because you own and control your network.
There are various signs of lateral exploration to look out for. Are two machines communicating that never normally communicate? Are protocols and ports in use that are never normally active? This kind of unusual activity can signal connections that aren’t part of your normal, day-to-day operations – and may be an APT. Discovering an APT on your network can be daunting. Yet preventing it from doing damage may be easier than you might expect.
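The two questions above (new host pairs, new ports or protocols on a known pair) translate directly into a baseline comparison over flow records. The following is an added example, not code from the original post: it learns which directional (source, destination) pairs and which port/protocol combinations were seen during a quiet period, then flags flows in a later window that fall outside that baseline. The flow-log format (timestamp, source, destination, destination port, protocol) and all addresses are constructed for the illustration; a real deployment would feed NetFlow, firewall logs or Zeek conn records through the same logic.

```python
"""Flag lateral-movement candidates in flow records against a learned baseline.

Added illustration, not code from the original post. The flow-log format
(timestamp src dst dport proto) and every address and port below are
constructed sample data.
"""
from collections import defaultdict

# Constructed baseline: flows from a period believed to be clean.
BASELINE_FLOWS = """\
2024-01-01T09:00:00 10.10.1.21 10.10.5.10 443 tcp
2024-01-01T09:00:05 10.10.1.22 10.10.5.10 443 tcp
2024-01-01T09:01:00 10.10.1.21 10.10.5.11 53 udp
2024-01-01T09:02:00 10.10.5.10 10.10.7.30 5432 tcp
2024-01-02T10:00:00 10.10.1.22 10.10.5.11 53 udp
"""

# Constructed flows from the monitoring window, mixing normal and unusual traffic.
NEW_FLOWS = """\
2024-01-08T09:00:00 10.10.1.21 10.10.5.10 443 tcp
2024-01-08T09:03:12 10.10.1.21 10.10.1.22 445 tcp
2024-01-08T09:03:40 10.10.1.21 10.10.5.10 3389 tcp
2024-01-08T09:05:01 10.10.5.10 10.10.1.21 22 tcp
2024-01-08T09:06:00 10.10.1.22 10.10.5.11 53 udp
"""


def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples from whitespace-separated flow lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of aborting the whole run
        _ts, src, dst, dport, proto = parts
        yield src, dst, int(dport), proto.lower()


def build_baseline(text):
    """Map each observed directional (src, dst) pair to the (dport, proto) set it used."""
    baseline = defaultdict(set)
    for src, dst, dport, proto in parse_flows(text):
        baseline[(src, dst)].add((dport, proto))
    return baseline


def find_anomalies(baseline, text):
    """Return (reason, src, dst, dport, proto) for each distinct flow outside the baseline.

    Two reasons are reported: a host pair that has never talked before, and a
    known pair using a port/protocol it never used before. Because the baseline
    is directional, a server initiating a connection to a desktop it only ever
    answered is reported as a new host pair.
    """
    findings = []
    seen = set()
    for src, dst, dport, proto in parse_flows(text):
        key = (src, dst, dport, proto)
        if key in seen:
            continue  # report each distinct flow once, however often it repeats
        seen.add(key)
        pair = (src, dst)
        if pair not in baseline:
            findings.append(("new-host-pair", src, dst, dport, proto))
        elif (dport, proto) not in baseline[pair]:
            findings.append(("new-service-on-known-pair", src, dst, dport, proto))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(*finding)
```

Run against the constructed data, the script reports the desktop-to-desktop SMB connection, the RDP attempt to a server that was previously only contacted over HTTPS, and the server initiating SSH back to a desktop; the two flows that match the baseline are silent. The baseline window must itself be trusted: if it already contains the attacker's traffic, that traffic is learned as normal.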
Firewalls may seem like old technology – but they are highly effective at filtering and blocking unusual and insidious network traffic, including the latest sophisticated APT – with three caveats.
In previous blog posts we have talked a lot about best practices for network segmentation, so I won’t go into it in great detail here. But in general you need to define and segment your network into internal zones, place firewalls to filter traffic between those zones, and write restrictive security policies for these firewalls to enforce.
Generally speaking there are two key types of zones that all networks should be split into – sensitive data zones and human user zones – let’s take a look at these in more detail.
Sensitive data zones
Most enterprises generate and store significant amounts of sensitive data covering their financials, customers, partners, employees and of course credit card details etc. Organizations need to create individual zones for each category of data and place choke points (i.e. firewalls) to filter all traffic going into or out of each sensitive zone.
Human user zones
Aside from cyber-attacks, the biggest threat to any organization’s network is its employees. Humans are the weakest link in your network, and any system they access directly is at risk. Therefore it is wise to put all human-accessible desktops in a separate zone protected by a firewall. Such a firewall can block traffic between the APT’s initial entry point – which is often a human-accessible desktop – and the first stepping stone. Additionally, if at all possible, your network structure should prevent users’ machines from communicating directly with other users’ devices, and should prevent servers from initiating connections to individual desktops.
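To make the zoning rules from the last few paragraphs concrete (sensitive data zones behind choke points, a separate human user zone, no desktop-to-desktop traffic, no server-initiated connections to desktops, and default deny everywhere else), here is an added example that models such a policy and evaluates individual connection attempts against it. It is an illustration written for this post, not the author's configuration or any firewall vendor's syntax; the zone names, address ranges and allow rules are constructed. The same table of zones and rules is what you would translate into the rule base of each boundary firewall.

```python
"""Evaluate connection attempts against a zone-based, default-deny segmentation policy.

Added illustration of the segmentation described in the post, not the post's
own configuration. Zone names, address ranges and allow rules are constructed.
"""
import ipaddress

# Constructed zones: one human user zone and separate zones per sensitive data category.
ZONES = {
    "users":      [ipaddress.ip_network("10.10.1.0/24")],
    "app":        [ipaddress.ip_network("10.10.5.0/24")],
    "cardholder": [ipaddress.ip_network("10.10.7.0/24")],
    "hr":         [ipaddress.ip_network("10.10.8.0/24")],
}

# Constructed allow rules as (src_zone, dst_zone, {(port, proto), ...}).
# Anything not listed here is denied at the choke point between the two zones.
ALLOW_RULES = [
    ("users", "app", {(443, "tcp"), (53, "udp")}),
    ("app", "cardholder", {(5432, "tcp")}),
    ("app", "hr", {(1433, "tcp")}),
]


def zone_of(ip):
    """Return the zone name containing ip, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, networks in ZONES.items():
        if any(addr in net for net in networks):
            return name
    return None


def evaluate(src, dst, dport, proto):
    """Return (verdict, reason) for a connection initiated by src towards dst:dport/proto."""
    proto = proto.lower()
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == "users" and dst_zone == "users":
        return "deny", "desktop-to-desktop traffic is never allowed"
    if src_zone != "users" and dst_zone == "users":
        return "deny", "servers may not initiate connections to desktops"
    if src_zone == dst_zone:
        # Traffic that stays inside one zone never reaches a boundary firewall.
        return "allow", f"does not cross a zone boundary ({src_zone})"
    for rule_src, rule_dst, services in ALLOW_RULES:
        if rule_src == src_zone and rule_dst == dst_zone and (dport, proto) in services:
            return "allow", f"rule {src_zone}->{dst_zone} {proto}/{dport}"
    return "deny", f"no rule permits {src_zone}->{dst_zone} {proto}/{dport}"


def audit(flows):
    """Count verdicts over an iterable of (src, dst, dport, proto) tuples."""
    counts = {"allow": 0, "deny": 0}
    for src, dst, dport, proto in flows:
        verdict, _reason = evaluate(src, dst, dport, proto)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed connection attempts, including the lateral moves the post warns about.
    sample = [
        ("10.10.1.21", "10.10.5.10", 443, "tcp"),   # desktop to web app
        ("10.10.1.21", "10.10.1.22", 445, "tcp"),   # desktop to desktop
        ("10.10.5.10", "10.10.1.21", 22, "tcp"),    # server initiating to desktop
        ("10.10.1.21", "10.10.7.30", 5432, "tcp"),  # desktop straight at the card database
        ("10.10.5.10", "10.10.7.30", 5432, "tcp"),  # app server to card database
    ]
    for flow in sample:
        print(flow, "->", evaluate(*flow))
    print(audit(sample))
```

The ordering of the checks matters: the unconditional prohibitions (desktop-to-desktop, server-to-desktop) are tested before the allow list, so no later rule can accidentally reopen them, and the final return is the default deny that every choke point should end with. Note that a desktop reaching directly for the cardholder database is denied even though the database port is legitimately open to the app zone; that is exactly the stepping-stone path the firewall between zones is there to cut.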
Back to basics
If all this sounds very simple, that’s because it is. The important thing to bear in mind is that in spite of APTs’ sophistication, they are still operating on your turf. Segment your network intelligently and securely, and deploy appropriate traffic filtering and blocking tools, and you will go a long way to preventing the lateral network exploration.