This week, the topic in my Information Security
Management class was planning for contingencies. Unexpected incidents are bound
to happen in any organization. They could be man-made like hacking attacks or
they could be nature based like tornadoes and earthquakes taking out a data
center. Focus this week will be on the preparation phase of the Incident
Response Plan (IRP). The IRP is a detailed set of
processes and procedures that anticipate, detect, and mitigate the effects of
an unexpected event (Whitman & Mattord, 2014, p. 85).
Nature based incidents are not easy to prevent; the
best course of action for those is to have a plan B in place, be it a backup data
center or multiple locations acting as hot, warm or cold sites. This blog post will
discuss different monitoring configurations that can help to prevent a hacking
attack or reduce the response time needed to mitigate attacks
discovered in a network.
Defense in Depth is “a
concept used to describe layers of defense strategies. The components at each
layer work in tandem to provide one cohesive security mechanism” (Arconati 3).
The following monitoring services can be employed to
ensure that different areas within a network are covered in terms of preventing
breaches:
Firewall
A firewall is a critical security control for
controlling ingress and egress traffic. As such, it can have visibility to an
attack in potentially multiple areas. By leveraging IP reputation and
geographic features in next generation firewalls, attacks may be mitigated.
Additionally, monitoring for suspicious ports and traffic sizes and volumes can
indicate malware beaconing or command and control traffic, as well as any data
exfiltration.
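As an added illustration of the beaconing indicator described above (example code, not part of the original post): the script below groups a constructed firewall connection log by flow and flags flows whose connection interval and payload size are unusually regular, which is what periodic command and control check-ins look like in aggregate. The log format, sample addresses and the thresholds are assumptions for this example.

```python
"""Flag beacon-like flows in a constructed firewall connection log.
Assumed record format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>"."""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 contacts 203.0.113.9:443 every ~60 s with
# near-identical sizes (beacon-like) and 198.51.100.7 irregularly (browsing-like).
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 443 512
1060 10.0.0.5 203.0.113.9 443 514
1121 10.0.0.5 203.0.113.9 443 512
1180 10.0.0.5 203.0.113.9 443 513
1240 10.0.0.5 203.0.113.9 443 512
1005 10.0.0.5 198.51.100.7 443 4096
1009 10.0.0.5 198.51.100.7 443 70233
1300 10.0.0.5 198.51.100.7 443 1201
1302 10.0.0.5 198.51.100.7 443 9800
1900 10.0.0.5 198.51.100.7 443 300
"""

def parse_log(text):
    """Group (timestamp, bytes) per (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port, size = line.split()
        flows[(src, dst, int(port))].append((int(ts), int(size)))
    return flows

def find_beacons(text, min_conns=4, max_cv=0.2):
    """Return (flow, mean_gap_seconds) for flows whose connection gaps and sizes
    both have a low coefficient of variation (stdev / mean); the thresholds are
    assumed starting values to tune against the local traffic baseline."""
    hits = []
    for key, conns in parse_log(text).items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [s for _, s in conns]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap == 0 or mean_size == 0:
            continue  # identical timestamps or empty payloads: not a timed beacon
        if (statistics.pstdev(gaps) / mean_gap <= max_cv
                and statistics.pstdev(sizes) / mean_size <= max_cv):
            hits.append((key, round(float(mean_gap), 1)))
    return hits
```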
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
An IDS or IPS, either host or network based, may detect
suspicious activity surrounding a possible breach. Signature detection for
early stages of reconnaissance can lead to firewall blocks or defenses against
the IP indicators. Modern IDS/IPS solutions also provide broad detection around
exploitation of desktop and server software such as Java or Internet browsers.
Even if attackers leverage a zero day for exploitation, command and control
signatures may provide insight into attack activity.
Behavioral Malware Detection
Behavioral malware detection solutions are a newer
market but have had huge growth recently. These systems provide far more
accurate detection and protection than traditional antivirus products due to
their ability to dynamically execute and evaluate portable executable (PE)
files. This provides for dynamic detection of even the most advanced and
customized malware. By leveraging learned behavior of traffic patterns, an
advanced malware solution such as this can be used to detect things like
malware payload drops regardless of the entry point.
Operating System
Operating system monitoring is a key component of many
compliance and regulatory standards due to the wealth of information available.
By monitoring the operating system, an organization can have visibility into information
such as login attempts which can be used to identify unusual login hours or
user behavior. Additionally, this level of monitoring can provide key insight
to system or policy changes leveraged by malware to gain persistence.
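As an added example of the login monitoring described above (not code from the original post): the script below parses constructed sshd-style authentication lines and surfaces the two signals the section mentions, successful logins outside business hours and sources generating bursts of failed logins. The log format, host names, addresses and the business-hours window are assumptions for this example.

```python
"""Review constructed OS authentication log lines for off-hours logins and
failed-login bursts. Assumed sshd-like format (constructed):
"<ISO timestamp> <host> sshd[<pid>]: (Accepted|Failed) password for <user> from <ip>"."""
import re
from collections import Counter
from datetime import datetime

SAMPLE_AUTH_LOG = """\
2014-03-14T08:02:11 web1 sshd[1102]: Accepted password for jdoe from 10.0.0.23
2014-03-14T12:45:09 web1 sshd[1188]: Accepted password for asmith from 10.0.0.41
2014-03-14T02:13:07 web1 sshd[1301]: Accepted password for jdoe from 198.51.100.7
2014-03-14T03:00:01 web1 sshd[1322]: Failed password for root from 203.0.113.9
2014-03-14T03:00:03 web1 sshd[1322]: Failed password for root from 203.0.113.9
2014-03-14T03:00:05 web1 sshd[1322]: Failed password for admin from 203.0.113.9
2014-03-14T09:30:00 web1 sshd[1400]: Failed password for asmith from 10.0.0.41
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"password for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_events(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business window [start_hour, end_hour)."""
    return [(e["user"], e["ip"], e["ts"].isoformat()) for e in events
            if e["result"] == "Accepted" and not start_hour <= e["ts"].hour < end_hour]

def failed_login_bursts(events, threshold=3):
    """Source IPs with at least `threshold` failed attempts (a guessing pattern)."""
    counts = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```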
Database Application
Database level monitoring can provide key insight into
the types of activity and access happening on critical and privileged tables in
the database. Structured databases usually require login information and
special privileges. As such, suspicious and large volume queries can be indicators
of compromise and early stages of data exfiltration.
Anti-virus Application
Anti-virus solutions provide signature and heuristic
detection of possible infection or suspicious behavior at the endpoint. Top AV
vendors such as Symantec, McAfee and TrendMicro can be leveraged to flag suspicious
files before propagation on the network.
File Integrity Monitoring (FIM)
Similar to operating system monitoring, FIM is a key
component for standards such as PCI-DSS. By leveraging a FIM solution, an
organization can have insight into changes on a compromised endpoint through
looking for payload drops after exploitation, password dump tools and file
movements associated with data exfiltration. FIM can also be used to capture
key changes to the registry if an attack is conducted in a Windows environment.
Application Whitelisting
Application whitelisting is an often overlooked
element of security that can provide robust protection. While the effort is
very high in comparison to other defenses, it can render malware and malicious
tools ineffective by preventing them from ever being deployed or executed on a
system. If a file is not part of the system baseline, it is blocked instantly;
therefore malicious files are stopped before they can run on the network.
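The FIM and application whitelisting sections above both rest on the same idea, a trusted baseline of file hashes. As an added example (not code from the original post), the script below builds such a baseline, reports drift as modified, added and removed files (the FIM view), and uses the same baseline as an execution allowlist (the whitelisting view). The directory layout, file contents and scenario are constructed for this example.

```python
"""FIM baseline/compare; the baseline also serves as an execution allowlist (constructed example)."""
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return baseline

def compare_baseline(baseline, root):
    """Classify drift since the baseline: modified, added and removed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def is_allowed(path, baseline):
    """Whitelisting decision: execute only if the file's hash is in the baseline."""
    return sha256_file(path) in set(baseline.values())

def demo():
    """Constructed scenario: baseline two files, then simulate post-exploitation drift."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    def write(rel, data):
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as f:
            f.write(data)
        return path
    write("bin/app", b"app v1")
    write("config.ini", b"debug=0")
    baseline = build_baseline(root)
    write("config.ini", b"debug=1")             # tampered config (modified)
    dropped = write("bin/dumper", b"dropped")   # payload drop (added)
    os.remove(os.path.join(root, "bin", "app")) # legitimate binary gone (removed)
    return compare_baseline(baseline, root), is_allowed(dropped, baseline)
```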
Data Loss Prevention (DLP)
Data loss prevention systems provide content aware monitoring
of endpoints and the network. By leveraging a DLP solution, an organization can
have visibility into the data being moved around and out of their network by
identifying patterns in the data such as personal information. This can be
considered as a last resort in terms of preventing a breach and potential data exfiltration,
but even at this stage, ample protection against the data ever leaving the
protected network can be provided.
These solutions may be costly and most organizations
may not be able to implement all of them due to budget or personnel issues but
thinking about different attack vectors and planning on how to prevent the
attacks from occurring should be on the minds of Security Professionals. The
universal mindset of “failing to plan is planning to fail” always comes to
fruition if we don’t adhere to that concept.
References:
Whitman, M. E., & Mattord, H. J. (2014). Management of information security (4th ed.). Stamford, CT: Cengage Learning.
Arconati, N. (2002, March 14). One approach to enterprise security architecture. SANS Information Security Reading Room, SANS Institute. Retrieved September 7, 2004.