In our first blog on improving network security with what you already have, we examined tips on logging for certain types of alerts and on detecting bad guys in the network. But we saved the best for last: the IPS and firewall.
As you might have noticed from the first blog, I started this discussion with alerting for extrusion attacks at the node level and worked through the network, which brings us to the perimeter. If the data goes out beyond this point you’re officially screwed! Being notified that someone’s in your network and attempting to push data out of your network sucks, but them successfully getting data out of your network sucks even more! Here are a few things to review in your IPS or firewall in an attempt to stop or alert on this malicious activity.
- One way of alerting on sensitive material, like mergers and acquisitions info, is to look for keywords in the data itself. I’ve seen people hide certain phrases or words in documents and then create an IPS rule that searches for those keywords. This isn’t a failsafe method, but it can help.
- Review the signatures on your IPS to make sure they inspect the protocols that can be used for exfiltration. Two protocols worth reviewing are DNS and SMTP, which allow information to leak out when their packets are padded with additional data. This is a sneaky way to walk right past an IPS.
- Feed blacklists and malware lists into your IPS/SIEM so that the intelligence aggregated across the internet works to your advantage. An innocuous call to a web page might not look malicious on its own, but when that page is hosting malware that others have already seen and blacklisted, these lists become very useful.
- If you’re not already performing egress filtering on your firewall, stop reading this now and go implement egress filtering on your firewall! There is no reason all of your users need the internet, or need full outbound access to it (beyond HTTP and HTTPS). I also highly doubt that most of your internal servers need access to the internet. Review who and which ranges in your company have internet access. This will slow down some attackers and stump others completely. Monitoring the resulting DENYs on the firewall will also tip you off to potential sneaky business.
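As an added example (not code from the original post), here is a small Python check, run over constructed DNS query log lines, that flags the padded-query pattern from the DNS bullet above: one client sending many distinct, unusually long or high-entropy subdomains to a single base domain. The log format, thresholds and domain names are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log lines ("client queried_name"); not real traffic.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.9 4d41207461726765742069732041636d65204c4c.data-tunnel.example
10.0.0.9 432c2070726963652033353020706572207368.data-tunnel.example
10.0.0.9 6172652c20636c6f73696e6720696e20513220.data-tunnel.example
10.0.0.9 323032302e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e.data-tunnel.example
10.0.0.12 cdn.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text: str):
    """Yield (client, normalized query name) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            rows.append((parts[0], parts[1].lower().rstrip(".")))
    return rows

def find_dns_exfil_candidates(text, max_prefix_len=30, entropy_threshold=3.5, min_suspicious=3):
    """Return {(client, base_domain): count} where count >= min_suspicious
    distinct subdomain prefixes are longer than max_prefix_len or exceed
    entropy_threshold bits/char (assumed thresholds; tune to your traffic)."""
    prefixes_by_target = defaultdict(set)
    for client, name in parse_dns_log(text):
        labels = name.split(".")
        if len(labels) < 3:          # no subdomain prefix to inspect
            continue
        base = ".".join(labels[-2:])  # naive base domain; real code would use a suffix list
        prefixes_by_target[(client, base)].add(".".join(labels[:-2]))
    flagged = {}
    for key, prefixes in prefixes_by_target.items():
        suspicious = [p for p in prefixes
                      if len(p.replace(".", "")) > max_prefix_len
                      or shannon_entropy(p.replace(".", "")) > entropy_threshold]
        if len(suspicious) >= min_suspicious:
            flagged[key] = len(suspicious)
    return flagged
```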
There are many other methods that can help you notice attackers within your network, or those trying to siphon data out of it. You know your network better than anyone; just thinking about how you’d get data out, or which systems you’d compromise first, is a good first step toward putting monitoring and alerting around those assets. Okay, now you can go install egress filtering.