1 Background
Traditional network border defense strategies have focused on a) keeping intruders out of a network b) protecting internal devices from compromise. Historically, sites have implemented their security strategy from the border inward rather than from the endpoint outward.
895,871,345 records have been breached as of 2/21/2016 according to www.privacyrights.org. Data from this and similar sites suggests the traditional border network defense model has failed as a data protection strategy.
Border firewalls are not effective "protection" devices. They are, however, excellent "detection" devices. Why? Firewalls always have to let data pass through them. Wireless networks negate the effectiveness of a "border" firewall by forcing the network border to be at the endpoint. Whitelisting outbound traffic is a challenge because most sites are now hosted by companies like Akemai which host thousands of sites. However, firewalls log packet traffic and this information is valuable in network forensics.
Continuous monitoring (CM) is an effective strategy to detect and interrupt data exfiltration. Seth Misenar and Eric Conrad [1] list 4 points that show why Continuous Monitoring (CM) is a better strategy for detecting, preventing and/or interrupting data exfiltration. The 4 points are:
1.
Highly portable devices don’t benefit from the
traditional border network defense model.
2.
Client-side exploitation significantly decreases the
effectiveness of traditional network defense architectures.
3.
Lateral movement inside your network after a compromise
increases the likelihood of endpoint exploitation.
4.
Endpoints must be able to defend themselves and aid in
detection.
Monitoring outbound traffic allows a site to use CM techniques to determine if a data breach has happened. Unauthorized data transfers are rarely detected by traditional IDS, IPS or firewalls because intellectual property isn’t just the standard social security, credit card, driver license, bank/debit account numbers. Intellectual property is harder to classify because the “sensitive” data elements are not the traditional items that DLP solutions can find. Netflow monitoring techniques can be used to detect anomalous traffic patterns.
2 Hacker Attack Strategy
- · Compromise the endpoint and search for data that can be stolen.
- · Maintain control of the endpoint so it can be used to attack internal and external systems.
- · Be able to destroy the system to eliminate evidence of a compromise if discovered.
A compromised machine has to communicate back to the hacker when an attack is successful. If defenders interrupt the communications/control channel established, a data exfiltration is prevented or interrupted. This also prevents the hackers from issuing a “self destruct” command to cover their tracks.
3 Continuous Monitoring Defense
1. The general security strategy should be "protect (encrypt) sensitive data regardless of location." Protecting devices is obviously important, however, if the sensitive data is protected then the probability of a data breach is reduced.
2. Monitoring outbound traffic can detect anomalous outbound transmissions. If a system is compromised, we ask if there was any sensitive data on the device.
a. No. Use logs (syslog, eventlog, net flow,
sensor, firewall, IDS, DLP) to isolate the compromised host and if any external
communication has happened. Reinstall/reimage compromised host. Go to step 1.
b. Yes. Run PII search tools like IdentityFinder,
Find_SSN to find out how many records were potentially exposed. If the data
files were encrypted, the chances of a data breach are minimal, go to step 2a.
If PII was in the clear, determine how many unique records were in the file. Go
to step 3.
a) when was the earliest communication between
the attacker and the compromised endpoint. This helps us define the window of
exposure.
b) if other internal hosts were accessed from
this compromised host. This helps us define the extent of the attack.
c) the probability of sensitive data breach
occurring by examining netflow data to and from the compromised host.
4 A Continuous Monitoring Example
Packet traffic within the United States is shown at the bottom of the figure. A possible explanation is the majority of this traffic goes to external search engines. For example, a search engine query for “Randy Marchany” sends a relatively short packet stream to a search engine. The results of the search are usually much greater in size than the original query. Obviously, not all traffic is web based but having this data allows you to do a detailed analysis of your network traffic.
Figure 1. Inbound/outbound network traffic by country
Figure 2 shows a different pattern. It shows a traffic pattern of a large amount of data packets leaving the network for China, Great Britain and Brazil. This pattern doesn’t confirm an exfiltration is happening but we certainly have reason to investigate this traffic further. The analysis confirmed an exfiltration was happening. The incident response team was able to take steps to contain and interrupt the data transfer.
Figure 2. Inbound/outbound traffic by country with anomaly
5 Summary
Some good reference books on this topic are "Extrusion Detection: Security Monitoring for Internal Intrusions" by Richard Bejtlich, "Network Forensics" by Sherri Davidoff and Jonathan Ham, "Applied Network Security Monitoring" by Chris Sanders and Jason Smith.