Gaining visibility and insight into an enterprise network is imperative. The threat economy of 10 to 15 years ago has evolved. While perimeter-based protection continues to provide a valuable protection model, the attacker's philosophy has shifted: today, threats target the individual. From an attacker's standpoint it is no longer profitable or worthwhile to weaken the exterior defenses when they can simply target an individual. So how do we protect our users if they, and not the perimeter, are the focus? To confront this attack vector, I'd like to present a layered approach to monitoring and addressing these common network-level attacks, one that provides added visibility into internal and user-targeted attacks in a more preemptive fashion rather than relying on post-discovery remediation.
The first layer is firewall access control list (ACL) configuration best practice. Ensure your organization's firewall filters both ingress and egress ports. Reduce your attack surface by restricting the inbound TCP/UDP ports you leave open to only those that are crucial to business operations, for example HTTP (port 80), HTTPS (port 443) and DNS (port 53). Your outbound/egress rules should block, among others, the ports associated with Tor (The Onion Router) traffic and commonly used P2P ports. If you have a next-generation firewall that can restrict traffic by application category (P2P, Tor, social networking/music, etc.), this is a reasonably manageable process that takes little effort on your part. With these rules in place, even if malware gets installed on a user's machine, it will not be able to "call home" as easily, since the egress/outbound ports are blocked by your firewall.
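The ACL above, written out as a small policy model: an inbound allowlist with a default deny, an outbound blocklist for Tor and P2P ports with a default allow, a function that decides the fate of a sample flow, and a renderer that emits the same policy as an nftables ruleset. This is an added example, not configuration from the original post; the port sets (Tor's commonly documented defaults 9001, 9030, 9050 and 9150, and the BitTorrent 6881-6889 range) are illustrative assumptions that each organisation should adapt.

```python
"""Added example: model the perimeter ACL described above (inbound allowlist,
outbound Tor/P2P blocklist), test sample flows against it and render it as an
nftables ruleset. Port sets are constructed illustrations, not vendor defaults."""
from dataclasses import dataclass

# Inbound services kept open; everything else inbound is dropped.
INBOUND_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}

# Outbound ports to block: Tor's commonly documented defaults (9001 ORPort,
# 9030 DirPort, 9050 and 9150 SOCKS) and the BitTorrent 6881-6889 range.
# Assumption: adapt this set to what your organisation actually observes.
TOR_PORTS = {9001, 9030, 9050, 9150}
P2P_PORTS = set(range(6881, 6890))


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for one new connection under this policy."""
    if flow.direction == "in":
        # Default-deny inbound: only the listed business services pass.
        return "accept" if (flow.proto, flow.dport) in INBOUND_ALLOW else "drop"
    if flow.direction == "out":
        # Default-allow outbound, minus the Tor/P2P blocklist, so a compromised
        # host cannot "call home" over those ports.
        return "drop" if flow.dport in TOR_PORTS | P2P_PORTS else "accept"
    raise ValueError(f"unknown direction {flow.direction!r}")


def render_nft() -> str:
    """Render the same policy as an nftables ruleset (inet family).

    The input/output hooks shown apply to a single host; on a gateway the same
    rules belong in a chain on the forward hook."""
    blocked = ", ".join(str(p) for p in sorted(TOR_PORTS | P2P_PORTS))
    lines = [
        "table inet perimeter {",
        "  chain inbound {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for proto, port in sorted(INBOUND_ALLOW):
        lines.append(f"    {proto} dport {port} accept")
    lines += [
        "  }",
        "  chain egress {",
        "    type filter hook output priority 0; policy accept;",
        f"    tcp dport {{ {blocked} }} drop",
        f"    udp dport {{ {blocked} }} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in (Flow("in", "tcp", 443), Flow("in", "tcp", 3389),
              Flow("out", "tcp", 443), Flow("out", "tcp", 9050)):
        print(f, "->", decide(f))
    print(render_nft())
```

The point of keeping the policy as data is that the same sets drive both the decision function and the rendered ruleset, so a change to the blocklist cannot silently diverge between documentation and the firewall. Port-based Tor blocking is a floor, not a ceiling: bridges and pluggable transports use arbitrary ports, which is why the text's application-category filtering on a next-generation firewall is the stronger control.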
The second layer is OS security/image hardening together with email and threat protection for your users. In your standard user operating system image, restrict the user's base level of access to a standard (non-administrator) account. NEVER give users administrator access by default. If you run Windows, turn User Account Control up to its highest level and keep your Windows version synchronized with the latest patches and updates through Microsoft SCCM. Most of the common attack attempts your users see today arrive through email. Phishing emails carrying malicious attachments are the easiest way for an attacker to gain a foothold in a network. Be sure to invest in proper email protection that can rewrite suspicious URLs contained in the email body and also detect malicious attachments included in the phishing email.
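A check for the "UAC at the highest level" setting called for above, as an added example that is not part of the original post. The three policy values live under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; "Always notify" corresponds to `EnableLUA=1`, `ConsentPromptBehaviorAdmin=2` and `PromptOnSecureDesktop=1`. The audit logic works on a plain dictionary so it runs anywhere (for instance over values exported from many machines), and only the `read_uac_from_registry` helper touches the live registry, on Windows.

```python
"""Added example: audit the UAC policy values that make up the 'Always notify'
(highest) level. The evaluation takes a dict so it can run on exported data;
the registry read is Windows-only."""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# "Always notify": UAC enabled, admins prompted for consent on the secure desktop.
EXPECTED = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 2,
    "PromptOnSecureDesktop": 1,
}


def audit_uac(values: dict) -> list[str]:
    """Return findings for values that differ from the highest UAC level.

    An empty list means the image matches the recommendation. A missing value
    is reported too, since the OS default then applies and is weaker than 2."""
    findings = []
    for name, want in EXPECTED.items():
        got = values.get(name)
        if got is None:
            findings.append(f"{name} not set (OS default applies; expected {want})")
        elif got != want:
            findings.append(f"{name}={got}, expected {want}")
    return findings


def read_uac_from_registry() -> dict:
    """Windows only: read the three policy values from HKLM."""
    if sys.platform != "win32":
        raise RuntimeError("registry read requires Windows")
    import winreg  # standard library, present only on Windows builds
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in EXPECTED:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: audit_uac reports it
    return out


if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_uac_from_registry()
    else:
        # Constructed sample resembling a default Windows 10 install, where
        # admins are only prompted for non-Windows binaries (value 5).
        values = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                  "PromptOnSecureDesktop": 1}
    for finding in audit_uac(values) or ["UAC is at the highest level"]:
        print(finding)
```

Run it as part of image validation before a build is released, and again from an endpoint management tool to catch drift; a Windows default install yields exactly one finding (`ConsentPromptBehaviorAdmin=5`), which is the prompt users see far less often than the "Always notify" setting the text recommends.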
The third layer of protection is intrusion detection and prevention systems (IDS/IPS) together with SIEM logging. I started installing and configuring intrusion detection systems many years ago, when Snort and Suricata were in their infancy. Both have community-supported intel feeds as well as paid subscription feeds. Security Onion is a popular open source distribution that integrates logging and intrusion detection in a simple-to-deploy package; I highly recommend exploring it to kickstart your organization's first view of intrusion attempts against your network. Sensors can be deployed as needed, and the use of the Elastic Stack for logging allows easy information retrieval with customizable dashboards and simplified search metrics.
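What the SIEM layer does with sensor output, shown as an added example rather than code from Security Onion or Suricata: a triage pass over Suricata's eve.json alert stream (the same JSON that Security Onion forwards into Elastic) that counts alerts per source host and signature, records the worst severity per host, and flags hosts that repeat the same alert, which is the beaconing pattern a blocked "call home" attempt leaves behind. The log lines are constructed for the example; the signature names and ids are placeholders, not real ruleset entries.

```python
"""Added example: triage Suricata eve.json alerts. Constructed sample lines
follow the alert event schema (event_type, src_ip, dest_ip, dest_port, alert
{signature, signature_id, severity}); ids and names are placeholders."""
import json
from collections import Counter

SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":9001,"proto":"TCP","alert":{"signature":"TEST POLICY Outbound connection to Tor ORPort","signature_id":9900001,"severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":9001,"proto":"TCP","alert":{"signature":"TEST POLICY Outbound connection to Tor ORPort","signature_id":9900001,"severity":2}}
this line is deliberately malformed to show the parser skipping it
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","dest_port":445,"proto":"TCP","alert":{"signature":"TEST EXPLOIT Inbound SMB probe","signature_id":9900002,"severity":1}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":9001,"proto":"TCP","alert":{"signature":"TEST POLICY Outbound connection to Tor ORPort","signature_id":9900001,"severity":2}}
"""


def parse_alerts(text: str) -> list[dict]:
    """Return only alert events; blank or malformed lines are skipped, since a
    partially written eve.json must not abort the whole pipeline."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def triage(alerts: list[dict], repeat_threshold: int = 3) -> dict:
    """Summarise alerts per source host.

    Suricata severity runs 1 (most severe) to 4, so the per-host minimum is the
    worst alert seen. Hosts that fire the same signature at least
    repeat_threshold times are listed as repeated, the shape of a beacon."""
    per_host_sig = Counter((a["src_ip"], a["alert"]["signature"]) for a in alerts)
    worst = {}
    for a in alerts:
        sev = a["alert"]["severity"]
        worst[a["src_ip"]] = min(worst.get(a["src_ip"], sev), sev)
    repeated = sorted({host for (host, _), n in per_host_sig.items()
                       if n >= repeat_threshold})
    return {
        "per_host_sig": dict(per_host_sig),
        "worst_severity": worst,
        "repeated_hosts": repeated,
    }


if __name__ == "__main__":
    summary = triage(parse_alerts(SAMPLE_EVE))
    for (host, sig), n in summary["per_host_sig"].items():
        print(f"{host:12} x{n}  {sig}")
    print("worst severity per host:", summary["worst_severity"])
    print("hosts repeating an alert:", summary["repeated_hosts"])
```

In the sample, 10.0.0.5 fires the same outbound alert three times: the repeat, not any single alert, is what should page someone. Where a sensor sits inside the perimeter, a repeated outbound alert on a port the egress ACL is supposed to block is also a useful cross-check that the first layer is actually enforcing what was intended.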
The last layer of protection I recommend is vulnerability and penetration testing against both your internal and external assets. There are several reputable organizations I've worked with in the past that will scan your external-facing devices for free. You can also invest in software such as Rapid7's Nexpose or Tenable's Nessus vulnerability scanners to perform your own internal and external vulnerability scans. Penetration testing is best handled by an unbiased outside professional service for optimal results; however, it is also good practice to perform your own penetration testing against your internal assets for good measure. Metasploit is an excellent tool for this and has prepackaged exploits that you can use to test any vulnerabilities discovered on your network.
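Scanner output is only useful once it is ranked, so here is an added example (not code from Tenable or the original post) that parses a `.nessus` v2 export, the XML format Nessus writes, and orders findings by severity so the highest-risk hosts are patched and rescanned first. The embedded XML is a constructed sample that follows the `NessusClientData_v2` / `ReportHost` / `ReportItem` layout; the plugin ids, plugin names and hosts are placeholders, not real Nessus plugins.

```python
"""Added example: parse a .nessus (v2) export and rank findings by severity.
The XML is a constructed sample in that layout; ids and names are placeholders."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed-sample">
<ReportHost name="10.0.0.20">
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="990001" pluginName="PLACEHOLDER: SMB service missing vendor update">
<risk_factor>Critical</risk_factor>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="990002" pluginName="PLACEHOLDER: OS identification">
<risk_factor>None</risk_factor>
</ReportItem>
</ReportHost>
<ReportHost name="10.0.0.21">
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="990003" pluginName="PLACEHOLDER: TLS certificate expired">
<risk_factor>Medium</risk_factor>
</ReportItem>
<ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3" pluginID="990004" pluginName="PLACEHOLDER: RDP service exposed">
<risk_factor>High</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    severity: int      # Nessus scale: 0 info, 1 low, 2 medium, 3 high, 4 critical
    plugin_id: str
    plugin_name: str
    risk_factor: str


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten every ReportItem under every ReportHost into Finding records.

    Exports from your own scanner are trusted input; for files from third
    parties prefer defusedxml to parse, since ElementTree does no hardening."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                plugin_name=item.get("pluginName", ""),
                risk_factor=item.findtext("risk_factor", "None"),
            ))
    return findings


def prioritize(findings: list[Finding], min_severity: int = 3) -> list[Finding]:
    """Findings at or above min_severity, most severe first, then host and port."""
    return sorted((f for f in findings if f.severity >= min_severity),
                  key=lambda f: (-f.severity, f.host, f.port))


def hosts_by_worst(findings: list[Finding]) -> dict:
    """Map host -> highest severity seen, to decide rescan and pentest scope."""
    worst = {}
    for f in findings:
        worst[f.host] = max(worst.get(f.host, 0), f.severity)
    return worst


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for f in prioritize(found):
        print(f"{f.risk_factor:8} {f.host}:{f.port}/{f.protocol}  {f.plugin_name}")
    print("worst per host:", hosts_by_worst(found))
```

The informational plugin (severity 0) drops out of the prioritized list, the critical SMB finding sorts ahead of the high RDP one, and `hosts_by_worst` gives the short list of hosts worth an internal penetration test and a follow-up scan to confirm the fix actually landed.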
Unfortunately, with network security and monitoring there really isn't a one-size-fits-all solution. I find the layered security monitoring and protection approach to be the greatest aid in preventing and detecting threats. It provides proper security coverage for the user's endpoint device and continued awareness at the perimeter level. It also gives both the user and the enterprise admin a greater awareness of their attack surface and a greater chance of evading the variety of attack types that are prevalent in our threat economy today.