Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2

I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we just started thinking in terms of “I’m already compromised” the security and monitoring of your network and systems would improve drastically. The initial fear of security experts was of being hacked or compromised, but in reality this is happening everyday while you’re on the clock. If you’ve ever had malware infect a workstation you’ve been breached. This is just a small example, but it’s true. There are two types of security professionals:

1. Those that know they’ve been breached.
2. Those who’ve been breached, but don’t know it.

With this being said, we need to start focusing on extrusion detection (coined by Richard Bejtlich, @taosecurity) as well as intrusion detection. We speak about security in layers a lot and this is just another way to detect threats. The problem is that often we immediately jump to shiny new objects out there such as Data Loss Prevention (DLP), Next-Generation Firewalls, SIEM, etc. to get the job done. While these are all helpful tools that can certainly improve your ability to monitor for the exfiltration of nefarious traffic, there are things you can do immediately to improve your security posture.

Log for Certain Alerts

There are certain alerts on your domain or network that you know right off the bat are bad news. These alerts should be caught and notified on right away. There are many tools that will do this for you, like SIEM,  but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can setup similar alerts to warn you of malicious behavior. Here some examples:

• Setup an alert every time the “Domain Admin Group” has a change made to it. If you’re a smaller company there should be a darn good reason this group’s just experienced a change. One of the things a bad guy want’s is complete control, and if he’s already gotten this far it may be too late, but it might give you the time needed to shut things down and save your data from leaving.

• Setup fake accounts that you think hackers will try and access. An example of this is an account named “administrator” in Active Directory. I’m assuming and hoping that you’ve already renamed the original one. On this account you can set the lockout threshold really low and alert every time someone logs into it improperly. In this example if a bad guys looking for low hanging fruit he’s going to tip you off right away.

Detect the “Bad Guys” in Your Network

The network is where all the action happens in a breach. It’s like a highway during a high speed police chase: usually the network has rules that the bad guys must  follow, and often times that means letting them drive into the neighborhood. There are many things that can be done with firewalls, but we’ll get to those in my next blog. At this point let’s just focus on two things which can easily detect bad guys in the network itself.

• One area that takes some time to setup, but can be very beneficial once it’s configured properly is the ability to monitor an alert on what I’m going to call “Dark Networks”. Creation of these dark networks is for no other reason than to alert when people end up poking around in them. Once a bad guy’s in your network one of the first things they do is reconnaissance, and that’s normally done with network scanning. If you see network scans come across your dark network, you know something’s up.

• Setting up honeypots around your network, and in more than one area, will assist with the early warning of certain attackers. As I just mentioned, when attackers are in your network they will start feeling around and this is commonly done with scans. Once a scan against a honeypot is found you can be alerted and at times divert them to where they cannot cause you greater problems.

In the next blog, I’ll share some tips to get more out of your IPS and firewall implementations. Good luck!