AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type
Posts

APTs: Get Back to Basics to Reduce Your Attack Surface (PT2)

by

In the previous blog, we explored the anatomy of a typical APT attack, and explained how at each stage of its journey, unusual network traffic will be generated.  With intelligent monitoring of your network, you can often spot such traffic and identify an APT infection. So how do you go about stopping the attack?

Reducing your attack surface

The first stage in the APT journey (initial reconnaissance and information-gathering) is the hardest for you to prevent, especially since the attacker will be using the most ingenious technical and psychological tactics at his disposal to trick your staff and bypass your defences. Moreover, there’s nothing particularly secretive about Open Source Intelligence (OSINT) techniques, for example – you can’t prevent someone from externally scanning your network. So whilst you might be able to identify traffic changes that signal external scanning, there may be little you can do.

However, moving laterally within your network in order to find your business’s crown jewels, is much more difficult for an APT attacker – and here, you should have the upper hand, because you own and control your network.

There are various signs of lateral exploration to look out for. Are two machines communicating that never normally communicate? Are protocols and ports being used that are never normally active? This kind of unusual activity can signal connections that aren’t part of your normal, day-to-day operations – and may be an APT. Discovering an APT on your network can be daunting.  Yet preventing them from doing damage may be easier than you might expect.

Firewalls may seem like old technology – but they are highly effective at filtering and blocking unusual and insidious network traffic, including the latest sophisticated APT – with three caveats.

  1. They must be placed on internal traffic paths, not just as a perimeter around your network: a firewall cannot block traffic that it doesn’t see.
  2. They must be properly configured. In other words, they must be able to recognize, analyze and block the kind of internal communications that signal APTs – by being both positioned and programmed correctly.
  3. Perhaps most importantly, the network must be properly segmented in order to maximise firewall effectiveness.

In previous blog posts we have talked a lot about best practices for network segmentation, so I won’t go into it in great detail here. But in general you need to define and segment your network into internal zones, place firewalls to filter traffic between those zones, and write restrictive security policies for these firewalls to enforce.

Generally speaking there are two key types of zones that all networks should be split into – sensitive data zones and human user zones – let’s take a look at these in more detail.

Sensitive data zones

Most enterprises generate and store significant amounts of sensitive data covering their financials, customers, partners, employees and of course credit card details etc. Organizations need to create individual zones for each category of data and place choke points (i.e. firewalls) to filter all traffic going into or out of each sensitive zone.

Human user zones

Aside from cyber-attacks, the biggest threat to any organizations’ network is its employees. Humans are the weakest link in your network, and any system they access directly is at risk. Therefore it is wise to put all human-accessible desktops in a separate zone protected by a firewall. Such a firewall can block traffic between the APT’s initial entry point – which is often a human-accessible desktop – and the first stepping stone. Additionally, if at all possible, your network structure should prevent users’ machines from communicating directly with other users’ devices, as well as prevent servers from initiating connections to individual desktops.

Back to basics

If all this sounds very simple, that’s because it is.  The important thing to bear in mind is that in spite of APTs’ sophistication, they are still operating on your turf. Segment your network intelligently and securely, and deploy appropriate traffic filtering and blocking tools, and you will go a long way to preventing the lateral network exploration.

Subscribe to Blog

Receive notifications of new posts by email.