Getting Your Hands Dirty In the Fight on Malware, Part 2
By Wade Williamson on October 17, 2011
Analyzing Outbound and Inbound Traffic, and Network Segmentation Can Help Protect Your Network, Even After It Has Been Compromised.
In my previous column I took a long look at modern malware with a focus on how to prevent malware from getting into your network in the first place. In case you missed it, you can read it here.
While we all probably agree that prevention is the best medicine, it’s also foolhardy to believe that prevention alone will be enough to protect us. Whether coming from a non-network source such as a USB drive or simply from a clever attacker who finds a weakness, we have to assume that eventually our networks will be compromised if they haven’t already.
That statement alone is enough to make many security professionals (and their management) a bit prickly, which is certainly understandable. We commit precious time, money and professional effort to defend against threats, and simply presuming that our defenses have been compromised can feel like all that work has been for naught. This is not the case at all.
Assuming that we aren’t compromised just plays into the attackers’ hands. What we need is to extend the security we have to bring protection to the soft parts of our network that attackers are targeting. Malware and targeted attacks rely on the assumption that if they can get inside the perimeter, they can build a foothold and dig deeper with less worry of detection. But just because someone is able to break into a bank doesn’t mean that we should just let them walk out with the money. So in that spirit, let’s pick up where we left off and take a look at some of the practical tools and techniques that we can use to identify and stop live malware infections in our networks.
Traditional enterprise networks have often been described as “hard, crunchy shells with soft, gooey centers”. This refers to the tendency for the external perimeter to be heavily fortified against outside threats, while internal users, traffic and assets tend to be trusted. Attackers have used malware to crack this model and shift the security battle to the inside of the network, where security measures are sparse.
While this has been a recognized problem for quite some time, we are finally beginning to see new proposed security architectures that address it. Analysts such as Forrester’s John Kindervag have begun to push the notion of the “Zero-Trust Network” (video), where all traffic, including internal traffic, is passed through a “segmentation gateway” for analysis. And although many of us may not be able to adopt such a consistently segmented model overnight, there are practical steps that most any enterprise can take today.
The first step is to expand our best threat and application analysis to include outbound traffic as well as inbound traffic. The ongoing command and control traffic is the life-blood of modern malware, and the infection is only the first step in an intrusion that will likely cross our perimeter many times. Given that the malware traffic is flowing in both directions, our defenses should certainly be looking in both directions as well.
Secondly, we should begin segmenting the internal network. A flat, un-segmented network is the hacker’s delight – if you own one machine, you can own the entire network. The network and assets can often be segmented on the basis of application, user and content types. For example, a policy could dictate that only finance managers are allowed to access the database that houses financial data, and only over SQL, while all other traffic is denied by default. This not only segments the network based on need, but logs of blocked connections can indicate when someone is trying to get into sensitive assets. And while this is an admittedly simple example, the general process of understanding who needs access to what information, and what application they should use to access it, can be applied to virtually any environment.
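The finance-database policy above, modelled as a default-deny allow-list with logging of blocked connections. This is an added illustration, not code from the column; the group, asset and application names and the sample connections are constructed, and the repeated-deny threshold is an assumed tuning value.

```python
from collections import Counter

# Constructed allow-list: (user group, destination asset, application).
# Any connection that matches no entry is denied by default.
POLICY = {
    ("finance-managers", "fin-db", "sql"),
}

def evaluate(conn):
    """Return 'allow' or 'deny' for a connection dict with keys
    'user', 'groups', 'dst' and 'app'."""
    for group in conn["groups"]:
        if (group, conn["dst"], conn["app"]) in POLICY:
            return "allow"
    return "deny"

def audit(conns, threshold=3):
    """Evaluate every connection, build the deny log, and flag any
    (user, asset) pair whose blocked attempts reach `threshold`,
    which is the signal the column says blocked-connection logs give."""
    denied = []
    per_user_dst = Counter()
    for c in conns:
        if evaluate(c) == "deny":
            denied.append(f"DENY user={c['user']} dst={c['dst']} app={c['app']}")
            per_user_dst[(c["user"], c["dst"])] += 1
    flagged = {pair for pair, n in per_user_dst.items() if n >= threshold}
    return denied, flagged

# Constructed sample traffic: one legitimate SQL session, a finance manager
# trying SSH (wrong application), and a non-finance user probing the asset.
SAMPLE = [
    {"user": "alice", "groups": ["finance-managers"], "dst": "fin-db", "app": "sql"},
    {"user": "alice", "groups": ["finance-managers"], "dst": "fin-db", "app": "ssh"},
    {"user": "bob", "groups": ["engineering"], "dst": "fin-db", "app": "sql"},
    {"user": "bob", "groups": ["engineering"], "dst": "fin-db", "app": "smb"},
    {"user": "bob", "groups": ["engineering"], "dst": "fin-db", "app": "rdp"},
]

if __name__ == "__main__":
    log, suspects = audit(SAMPLE)
    print("\n".join(log))
    print("repeated blocked access:", suspects)
```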
Another option is to begin segmenting assets that attackers commonly target for escalation, such as domain controllers, email servers or any asset where user identity is managed. These are common targets once an attacker is inside the network because they can allow the attacker to escalate from a low-profile user identity, with relatively few network rights, to a far more powerful user role such as a network admin. Unlike our earlier example, the goal here is not to deny access (people need their email), but rather to establish highly granular logging and reporting to identify an intruder that may be skulking around. For example, ping sweeps, an unusual spike in failed login attempts, or newly created admin accounts should be cause for alarm.
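Two of the indicators just named, a spike in failed logins and a newly created account placed in an admin group, checked over identity-server logs. This is an added example, not from the column or any product; the log format, event names, group name and sample lines are constructed, and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not a real product's):
# "<ISO timestamp> <EVENT> user=<name> src=<host> [group=<name>]"
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)(?: group=(\S+))?$")

def parse(lines):
    """Parse log lines into (timestamp, event, user, src, group) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, event, user, src, group = m.groups()
            events.append((datetime.fromisoformat(ts), event, user, src, group))
    return events

def failed_login_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Return source hosts with at least `threshold` LOGIN_FAILED events
    inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, event, _user, src, _group in events:
        if event == "LOGIN_FAILED":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def new_admin_accounts(events, admin_groups=("domain-admins",)):
    """Return accounts created in this log and then added to an admin group."""
    created = {user for _ts, ev, user, _src, _g in events if ev == "ACCOUNT_CREATED"}
    return {user for _ts, ev, user, _src, group in events
            if ev == "GROUP_ADD" and group in admin_groups and user in created}

# Constructed sample: five failures in 40 seconds from ws-17, one stray
# failure from ws-03, and a fresh account promoted straight to domain admin.
SAMPLE_LOG = [f"2011-10-17T09:00:{s:02d} LOGIN_FAILED user=svc-backup src=ws-17"
              for s in range(0, 50, 10)] + [
    "2011-10-17T09:02:00 LOGIN_FAILED user=carol src=ws-03",
    "2011-10-17T09:05:00 ACCOUNT_CREATED user=helpdesk2 src=ws-17",
    "2011-10-17T09:05:30 GROUP_ADD user=helpdesk2 src=ws-17 group=domain-admins",
]
```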
The end goal is to make our networks less flat with better internal controls so that we can get rid of that soft gooey center.
In my next piece, I will cover what to look for, now that we are looking in the right places, and how we can often detect telltale signs of malware infections.
Direct Link: http://www.securityweek.com/getting-your-hands-dirty-fight-malware-part-2