Modern network security technologies: what you need to know about them, part 2
Contents
- What is threat hunting and why is it needed
- What can be gained by full traffic recording and event correlation?
- The nuances of checking for malicious files in network traffic
- Nuances of working with encrypted traffic
- What are the signs of compromise
- How to ensure stable operation of the corporate security system
- Summing up
Corporate network security is an extremely relevant topic today. In the first part we discussed the problems that specialists in this field face, examined attack signatures, and covered the main points of controlling employee actions and the application layer. You can read about all this here. Now let's turn to other important network security issues, in particular threat hunting, traffic recording and event correlation. We will look at ways to check for malicious files in network traffic, show how to deal with encrypted connections, indicators of compromise and DGA, and touch on a number of related issues. But first things first.
What is threat hunting and why is it needed
Threat hunting is a technique for proactively searching for traces of an intrusion or of malware activity that standard protection tools cannot identify. The analyst does not wait for the configured sensors to fire; from the outset they are looking for traces of compromise. The work consists of forming assumptions about how an attacker could have gotten into the network and verifying them in practice. Conducting such checks regularly and in a timely manner can significantly raise the security level of the corporate network.
To make threat hunting as effective as possible, follow these rules:
- assume that the system has already been compromised, so your task is to find the traces of that penetration;
- formulate several hypotheses about exactly how the system was compromised;
- test the hypotheses iteratively: check one option, and if no traces are found, take the next theory as a basis and test it.
Why is threat hunting effective in practice? Classic corporate protection tools cannot catch complex targeted attacks. Attackers often stretch such attacks out over time, and automated software cannot tie all these phases together. When organizing a complex targeted attack, attackers think through different scenarios and choose suitable directions, and as a result they manage to pass off their activity as legitimate: the security system simply does not notice them.
Using this technique is especially relevant for organizations that have already been hacked: research results showed that over 60% of previously compromised organizations were attacked again. The task of such companies' information security specialists is therefore to identify the intrusion earlier, which is exactly what threat hunting makes possible. Moreover, by using it regularly you will consolidate your knowledge of the infrastructure you have to protect.
What can be gained by full traffic recording and event correlation?
Modern network security tools let specialists save all traffic and review the full record later, including application and protocol metadata. For example, PT NAD, which we already mentioned, gives security officers detailed parameters of network applications and protocols that greatly simplify incident analysis. Raw data is recommended to be stored for 7 days and metadata for 14 days, but you can set other values based on how quickly your security team analyzes incidents and on the volume of incoming traffic. This lets you check new indicators against old traffic and reveal tangible discrepancies, which in itself may indicate an attack.
Another tool implemented in PT NAD (PT Network Attack Discovery) is a fairly convenient correlation of several sessions and events. A standard firewall can identify an attack only within one session; here you can analyze not only the current state but also all earlier sessions and their parameters, for example information about past requests and DNS answers. A distinguishing point is that this work is performed in passive mode, so it does not directly affect current network performance.
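The cross-session correlation and the hypothesis-driven hunting workflow described above, as an added example that is not part of the original article and not code from PT NAD: one hunting hypothesis ("a compromised host connects to its control server by IP without any DNS answer having delivered that IP") is checked against constructed DNS-answer and TCP-session metadata. The record layout, the 14-day lookback and the sample records are assumptions made for this example.

```python
"""Cross-session correlation over stored traffic metadata (added example).

Hunting hypothesis: a compromised host talks to its control server by IP
address without ever resolving a name for it, so a TCP session whose
destination was never seen in an earlier DNS answer to that client is worth
a look. The records are constructed sample metadata; the field layout is an
assumption for this example, not any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS answer metadata: (timestamp, client, queried name, answered IP)
DNS_ANSWERS = [
    ("2024-03-01T09:00:00", "10.0.0.5", "updates.example.com", "93.184.216.34"),
    ("2024-03-01T09:00:02", "10.0.0.7", "mail.example.com", "192.0.2.25"),
]

# Constructed TCP session metadata: (timestamp, client, server IP, server port)
SESSIONS = [
    ("2024-03-01T09:00:01", "10.0.0.5", "93.184.216.34", 443),   # resolved first
    ("2024-03-01T09:00:03", "10.0.0.7", "192.0.2.25", 993),      # resolved first
    ("2024-03-01T09:05:00", "10.0.0.9", "198.51.100.77", 8443),  # never resolved
    ("2024-03-01T09:06:00", "10.0.0.9", "198.51.100.77", 8443),  # never resolved
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_resolution_index(dns_answers):
    """Map each (client, answered IP) to the times a DNS answer delivered that IP."""
    index = defaultdict(list)
    for ts, client, _name, ip in dns_answers:
        index[(client, ip)].append(parse_ts(ts))
    return index


def sessions_without_dns(sessions, dns_answers, lookback=timedelta(days=14)):
    """Return sessions whose server IP was not handed to that client by any DNS
    answer within `lookback` before the session started.

    Metadata is assumed to be retained for the whole lookback window (the text
    suggests 14 days for metadata), so an absent answer is meaningful."""
    index = build_resolution_index(dns_answers)
    suspicious = []
    for ts, client, server_ip, port in sessions:
        start = parse_ts(ts)
        answers = index.get((client, server_ip), [])
        if not any(start - lookback <= t <= start for t in answers):
            suspicious.append((ts, client, server_ip, port))
    return suspicious


def summarize(suspicious):
    """Collapse repeated hits so the analyst sees one line per client/server pair."""
    counts = defaultdict(int)
    for _ts, client, server_ip, port in suspicious:
        counts[(client, server_ip, port)] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = sessions_without_dns(SESSIONS, DNS_ANSWERS)
    for (client, server_ip, port), n in summarize(hits).items():
        print(f"{client} -> {server_ip}:{port} without prior DNS answer, {n} session(s)")
```

The lookback is what makes retained metadata valuable: a session started 19 days after the only DNS answer for its destination is also reported, because the answer falls outside the window the hunt can vouch for.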
The nuances of checking for malicious files in network traffic
PT NAD is one of the few network products currently on the Russian market capable of separating files from the traffic flow and sending them for subsequent scanning in a sandbox and by an antivirus. For those who don't know, a sandbox is a server hosting a large number of virtual machines that make it possible to detect zero-day vulnerabilities and previously unknown malware. Experts can run any program code inside the sandbox or open a file directly to evaluate its contents. Even if such a document contains malware, the code stays on the virtual machine and is not transferred to working computers.
To send a file from traffic to the sandbox, you need to:
- clearly understand how the applications in question transfer files;
- parse the protocol and extract the file from the stream, whichever TCP port it uses;
- pass the extracted files to the sandbox via the vendor's API or the ICAP protocol.
All this is done so that the sandbox virtual machines perform behavioral analysis and give you a verdict on whether the incoming traffic contains malicious code. Most often this method is used to check files in the applications a browser relies on, that is, traffic that:
- goes over the HTTP, FTP and SMB protocols;
- is used to transfer files over Microsoft networks;
- uses NFS-based file shares;
- uses the SMTP, POP3 and IMAP protocols for file transfer.
In addition to sandboxing, all traffic also undergoes antivirus scanning.
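The three steps above (knowing how the application carries the file, parsing the protocol to pull the file out of the stream, and handing it to the sandbox), as an added example that is not code from PT NAD or any sandbox vendor: an HTTP/1.1 response is parsed out of a constructed raw TCP stream with Content-Length framing, the payload's real type is guessed from its magic bytes and compared with the declared Content-Type, and a submission record is built with the SHA-256 a sandbox or antivirus API would typically want. The stream contents, the file-type table and the record fields are assumptions for this example; chunked transfer encoding is deliberately not handled.

```python
"""Extracting a file carried in an HTTP response from a captured TCP stream
(added example, not code from PT NAD or any vendor).

Content-Length framing only; a truncated capture is refused rather than
submitted as a complete file. Sample stream and file-type table are constructed."""
import hashlib

# Magic-byte prefixes for a few file types commonly handed to a sandbox.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",  # also docx/xlsx/jar
    b"\x7fELF": "elf-executable",
}


def guess_type(data):
    """Type guess from the first bytes, independent of what the server declared."""
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    return "unknown"


def extract_http_response_body(stream):
    """Parse one HTTP/1.1 response from raw bytes and return (headers, body).

    Returns None when framing is unsupported or the stream ends before
    Content-Length bytes have arrived, so a partial download is never
    mistaken for the whole file."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return None
    head, rest = stream[:sep].decode("latin-1"), stream[sep + 4:]
    header_lines = head.split("\r\n")[1:]  # first line is the status line
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" not in headers:
        return None  # chunked or connection-close framing is not handled here
    length = int(headers["content-length"])
    if len(rest) < length:
        return None  # truncated capture
    return headers, rest[:length]


def prepare_sandbox_submission(stream):
    """Build the record that would be handed to a sandbox via its API or ICAP."""
    parsed = extract_http_response_body(stream)
    if parsed is None:
        return None
    headers, body = parsed
    disposition = headers.get("content-disposition", "")
    filename = disposition.split("filename=")[-1].strip('"') if "filename=" in disposition else ""
    return {
        "filename": filename or "unnamed",
        "declared_type": headers.get("content-type", ""),
        "detected_type": guess_type(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "size": len(body),
        "payload": body,
    }


# Constructed capture: a tiny fake PE header served under a harmless content type.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 20
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b'Content-Disposition: attachment; filename="invoice.png"\r\n'
    + f"Content-Length: {len(FAKE_PE)}\r\n".encode()
    + b"\r\n"
    + FAKE_PE
)

if __name__ == "__main__":
    rec = prepare_sandbox_submission(SAMPLE_STREAM)
    print(rec["filename"], rec["declared_type"], rec["detected_type"], rec["sha256"])
```

The declared-versus-detected mismatch (an `image/png` response whose body starts with an `MZ` header) is exactly the kind of discrepancy worth surfacing next to the sandbox verdict.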
Nuances of working with encrypted traffic
Today a huge number of files are transmitted over the network through encrypted channels. Consider messengers such as Telegram and WhatsApp, which use IPsec and SSL tunnels; many other applications work the same way. At first glance it may seem that network security is powerless here, especially given that almost all malware in existence today is distributed through encrypted channels.
Still, there are ways to solve this problem. One option is to detect the presence of malicious code even without decryption, using behavioral analysis of encrypted traffic. The point is that botnet control centers cannot change the working protocol for new bots, otherwise they would lose control over the old ones. It is this limitation that researchers exploit: connection frequency, the sizes of transmitted packets and other parameters are monitored, and with constant monitoring you will notice that even the encrypted traffic of a malicious connection differs noticeably from normal traffic, which is what the behavioral engine is able to identify.
One more option is to use special indicators of botnet control centers. Most of them are located at addresses that are already well known, so a connection to a control center can be identified by known IPs, URLs and domain names even if the traffic is encrypted, which in turn lets you notice a third-party connection.
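The behavioral approach to encrypted traffic from the previous paragraph, as an added example that is not a vendor's engine and not code from the original article: constructed flow records (start time, endpoints, port, bytes sent) are grouped per client/server pair and the regularity of connection intervals and transmitted sizes is measured with the coefficient of variation; a pair that connects on a near-fixed schedule with near-identical sizes is reported. The record layout, the sample flows and the thresholds are assumptions for this example.

```python
"""Behavioural check on encrypted connections without decryption (added example,
not a vendor engine). Flow records are constructed; the field layout and the
thresholds are assumptions for this example.

Two signals from the text: connection frequency (regular intervals) and
transmitted sizes (near-constant). A periodic stream of same-sized short TLS
sessions to one destination looks unlike a person browsing."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start time in seconds, src, dst, dport, bytes sent)
FLOWS = [
    # beacon-like: roughly every 60 s with a little jitter, ~300 bytes each
    *[(60 * (i + 1) + (i % 3) - 1, "10.0.0.9", "198.51.100.77", 443, 300 + (i % 2))
      for i in range(10)],
    # user browsing: irregular timing, widely varying sizes
    (5, "10.0.0.5", "93.184.216.34", 443, 1200),
    (37, "10.0.0.5", "93.184.216.34", 443, 8400),
    (41, "10.0.0.5", "93.184.216.34", 443, 450),
    (300, "10.0.0.5", "93.184.216.34", 443, 22000),
    (301, "10.0.0.5", "93.184.216.34", 443, 3100),
]


def coefficient_of_variation(values):
    """Standard deviation relative to the mean; 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def profile_pairs(flows):
    """Group flows per (src, dst, dport) and measure timing and size regularity."""
    groups = defaultdict(list)
    for t, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((t, nbytes))
    profiles = {}
    for key, recs in groups.items():
        recs.sort()
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        intervals = [b - a for a, b in zip(times, times[1:])]
        profiles[key] = {
            "count": len(recs),
            "interval_cv": coefficient_of_variation(intervals) if intervals else None,
            "size_cv": coefficient_of_variation(sizes),
        }
    return profiles


def find_beacons(flows, min_count=6, max_interval_cv=0.1, max_size_cv=0.1):
    """Return pairs whose intervals and sizes are both nearly constant.

    Thresholds are assumptions for the example; a production engine tunes them
    per environment and adds more features (session duration, byte ratio)."""
    hits = []
    for key, p in profile_pairs(flows).items():
        if p["count"] < min_count or p["interval_cv"] is None:
            continue
        if p["interval_cv"] <= max_interval_cv and p["size_cv"] <= max_size_cv:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_beacons(FLOWS):
        print(f"beacon-like pattern: {src} -> {dst}:{dport}")
```

Nothing in the payload is inspected, which is the point: the schedule and the sizes survive encryption, and the operator cannot change them without breaking older bots.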
What are the signs of compromise
As practice has shown, an impressive share of threats come from fixed IP addresses and domain names and use well-known URLs. These parameters are indicators of compromise (IoC). If someone from your corporate network connects to a botnet control center, this indicates a compromise of internal resources; such a connection must be blocked as soon as possible and the incident investigated. There are special databases of such addresses, completely free and publicly available, containing the addresses from which hacker attacks have already been identified. If you notice such traffic in your network, that is a signal to block the channel. The problem is that such public databases are updated quite slowly and the percentage of false positives is quite high.
Along with free ones, the market also offers commercial indicator databases. They are a more reliable and proven option, since the information in them is constantly cleaned and updated, which minimizes false positives and increases the share of attacks detected. Most modern commercial databases are no longer the usual list of addresses: they are large portals that not only provide the IP address but also describe why it is classified as untrustworthy.
The problem here is that no intruder will sit and wait until their address lands in the security specialists' database. Attackers are tirelessly creating new techniques to move quickly while hiding their presence. One technique often used in practice is generating new domain names with a domain generation algorithm (DGA), with the control center moved to a new address literally every 3-5 minutes. Attackers embed this algorithm directly in the malicious code, so the program knows at which address its control center is located. The only way modern corporate security systems can resist this is to detect DGA names and indicate which particular malware family is behind them.
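The indicator matching from the two paragraphs before and the DGA problem from this one, as one added example that is not part of the original article and not taken from any real feed or product: constructed connection records are checked against a small constructed indicator set (IPs, domains with subdomain matching, URLs normalized without their query string), and names that match nothing are scored with a simple DGA heuristic (entropy, digit share, consonant runs, vowel share). The feed, the records, the score weights and the threshold are assumptions for this example; a heuristic like this can flag a suspicious name but cannot attribute it to a malware family the way the text says a proper detector should.

```python
"""Indicator-of-compromise matching and a DGA heuristic over DNS and connection
records (added example; the indicator feed, the records and the score weights
are constructed for illustration, not taken from any real feed or product)."""
import math
from urllib.parse import urlsplit

# Constructed indicator feed. A real one comes from public or commercial sources.
IOC_IPS = {"198.51.100.77"}
IOC_DOMAINS = {"bad-c2.example"}  # a domain indicator also covers its subdomains
IOC_URLS = {"http://cdn.example.net/update.php"}
VOWELS = "aeiouy"


def domain_matches(name, indicator_domains):
    """True if `name` equals an indicator domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicator_domains for i in range(len(labels)))


def match_ioc(event):
    """Return which indicator kind fires for a record ("ip", "domain", "url") or None.

    `event` is a dict with optional keys dst_ip, host and url (assumed schema)."""
    if event.get("dst_ip") in IOC_IPS:
        return "ip"
    if event.get("host") and domain_matches(event["host"], IOC_DOMAINS):
        return "domain"
    if event.get("url"):
        parts = urlsplit(event["url"])
        # Compare scheme, host and path only; query strings vary per victim.
        if f"{parts.scheme}://{parts.netloc.lower()}{parts.path}" in IOC_URLS:
            return "url"
    return None


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def dga_score(fqdn):
    """Heuristic 0..1 score that the registrable label looks machine-generated.

    Signals: high entropy, many digits, long consonant runs, few vowels. The
    weights and the 7-character minimum are assumptions tuned on the constructed
    samples below; the label choice ignores multi-label public suffixes."""
    labels = fqdn.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 7:
        return 0.0
    entropy = min(shannon_entropy(label) / 4.0, 1.0)  # ~4 bits/char is already very mixed
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    longest, run = 0, 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    consonant_signal = min(longest / 5.0, 1.0)
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    score = 0.4 * entropy + 0.2 * digit_ratio + 0.3 * consonant_signal + 0.1 * (1 - vowel_ratio)
    return round(min(score, 1.0), 3)


def is_likely_dga(fqdn, threshold=0.65):
    return dga_score(fqdn) >= threshold


# Constructed records to triage.
EVENTS = [
    {"host": "www.microsoft.com", "dst_ip": "203.0.113.8"},
    {"host": "login.bad-c2.example", "dst_ip": "203.0.113.9"},
    {"host": "xk3q9vz7pwtr.example", "dst_ip": "203.0.113.10"},
    {"url": "http://CDN.example.net/update.php?id=7", "dst_ip": "203.0.113.11"},
]


def triage(events):
    """Tag each record with the indicator that fired, a DGA suspicion, or None."""
    out = []
    for e in events:
        kind = match_ioc(e)
        if kind is None and e.get("host") and is_likely_dga(e["host"]):
            kind = "dga-suspect"
        out.append((e.get("host") or e.get("url"), kind))
    return out


if __name__ == "__main__":
    for name, verdict in triage(EVENTS):
        print(f"{name}: {verdict}")
```

The ordering inside `triage` matters: a name on a curated list is reported as a firm indicator match, and the heuristic is consulted only for names the lists know nothing about, which is precisely the gap a fast-moving DGA exploits.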
How to ensure stable operation of the corporate security system
Many information security specialists make a number of mistakes and miss attacks by ignoring elementary norms and requirements. Here are the highlights:
- No control over geolocation. Pay attention to the regions from which your employees connect to the network. If a connection is made from some other country, this fact can already be treated as an incident, especially for public organizations. Not every detected connection from another country will turn out to be a hacker attack: employees can connect via VPN or access their computer from another state while on vacation or a business trip. However, such cases will be rare. It is better to stay safe and make sure geolocation is monitored.
- Passwords transmitted in the clear. Practice shows that in most corporate networks LDAP is used instead of LDAPS and HTTP instead of HTTPS, which means that all logins and passwords travel around your system in completely clear form. It is enough for any employee, or an attacker, to run a sniffer and collect the logins and passwords needed to gain access to the network; all that remains is to use someone else's account and take the necessary information from your system or infect it with malware. That is why it is very important to check which connection protocols you are using and perform a simple reconfiguration.
- Determining the host's role in the network. Many information security tools can apply their algorithms only if they reliably know the host's role in the network: workstation, mail server, domain controller, DNS server. Until recently all these parameters were set manually, which greatly complicates work in large networks. The problem was solved by introducing behavioral techniques: the actions typical of a particular device are simply identified, since you obviously cannot confuse the operation of a video camera with that of a printer. Information about new hosts is accumulated continuously, so you no longer have to wait for the IT service to supply data on available hosts and their roles; the system itself notifies you about new components, which reduces the frequency of false positives and protects against shadow IT. As a result, your database will contain information about all hosts, with a detailed description of the devices that connected to each of them and their open ports, as well as an interaction schedule. Because such a database is rarely monitored by security specialists, hackers often take advantage of this and break into networks through shadow IT.
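The three items in the list above, as one added example that is not part of the original article and not any product's logic: constructed flow records are run through a geolocation check on inbound connections, a scan for servers answering on cleartext protocol ports (LDAP and HTTP among them, each paired with its encrypted replacement), and a role inference that derives domain controller, DNS, mail or web roles from the ports a host is contacted on. The home country, the IP-to-country table, the port list, the role rules and the sample flows are assumptions for this example.

```python
"""Three of the checks from the list above, run over constructed flow records
(added example; the home country, the IP-to-country table, the port list and
the role rules are assumptions for illustration, not any product's logic)."""
from collections import defaultdict

HOME_COUNTRY = "RU"  # assumption: where the organization's staff normally connect from
# Constructed geolocation table standing in for a GeoIP database.
GEO = {"203.0.113.5": "RU", "198.51.100.20": "BR", "192.0.2.40": "RU"}

# Server ports of protocols that carry credentials in the clear, with the replacement.
CLEARTEXT_PORTS = {
    389: ("LDAP", "LDAPS on 636 or StartTLS"),
    80: ("HTTP", "HTTPS on 443"),
    21: ("FTP", "SFTP or FTPS"),
    23: ("Telnet", "SSH"),
}

# Role rules: the first rule whose ports are all served by a host gives its role.
ROLE_RULES = [
    ("domain-controller", {88, 389, 445}),
    ("dns-server", {53}),
    ("mail-server", {25, 143}),
    ("web-server", {443}),
    ("web-server", {80}),
]

# Constructed records: (src_ip, dst_ip, dst_port, direction); "inbound" is a
# connection arriving at the perimeter (VPN, webmail), "internal" is host-to-host.
FLOWS = [
    ("203.0.113.5", "10.0.0.2", 443, "inbound"),
    ("198.51.100.20", "10.0.0.2", 443, "inbound"),  # source outside the home country
    ("10.0.0.5", "10.0.0.10", 389, "internal"),     # cleartext LDAP bind
    ("10.0.0.5", "10.0.0.10", 88, "internal"),
    ("10.0.0.6", "10.0.0.10", 445, "internal"),
    ("10.0.0.6", "10.0.0.11", 53, "internal"),
    ("10.0.0.7", "10.0.0.12", 80, "internal"),      # cleartext HTTP
]


def foreign_logins(flows):
    """Inbound connections whose source does not geolocate to the home country.

    Unknown sources are reported too, since an unlocatable address deserves a look."""
    return [(src, GEO.get(src, "unknown")) for src, _dst, _port, d in flows
            if d == "inbound" and GEO.get(src) != HOME_COUNTRY]


def cleartext_usage(flows):
    """Servers answering on cleartext protocol ports, with the recommended replacement."""
    seen = {}
    for _src, dst, port, _d in flows:
        if port in CLEARTEXT_PORTS:
            seen.setdefault((dst, port), CLEARTEXT_PORTS[port])
    return seen


def infer_roles(flows):
    """Derive each internal server's role from the set of ports it was contacted on."""
    served = defaultdict(set)
    for _src, dst, port, d in flows:
        if d == "internal":
            served[dst].add(port)
    return {host: next((role for role, need in ROLE_RULES if need <= ports), "unclassified")
            for host, ports in served.items()}


def report(flows):
    """Collect all three findings in one structure an analyst can review."""
    return {
        "foreign_logins": foreign_logins(flows),
        "cleartext": cleartext_usage(flows),
        "roles": infer_roles(flows),
    }


if __name__ == "__main__":
    for section, findings in report(FLOWS).items():
        print(section, findings)
```

The role inference is deliberately order-sensitive: the domain-controller rule is tested before the generic web-server rule so that a host answering on Kerberos, LDAP and SMB is not labelled by the one HTTPS port it also happens to serve.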
As you can see, to ensure the highest level of security in your corporate network you need to monitor traffic constantly, both at the network perimeter and in its internal segments. Experts recommend paying special attention to the nodes most often targeted by attackers, namely those where:
- all kinds of payments are being processed;
- employees are authenticated;
- personnel with privileged access works.
Demilitarized zones can also become a weak point. Yes, the work ahead is not easy, but, alas, this is the only way to detect hacker attacks and prevent them from reaching their goal.
By the way, to ensure personal security and network stability, you should use mobile proxies from the MobileProxy.Space service. In this case, you also get a high level of confidentiality of actions on the Internet, effective bypass of regional blocking, the ability to work in multi-threaded mode, including using software for automating actions. The features and functionality of mobile proxies can be found at https://mobileproxy.space/en/user.html?buyproxy. In any case, you get a reliable product that will make your work on the network safe and avoid all sorts of restrictions. Any difficulties and problems in work are quickly solved by the technical support service, whose specialists are in touch around the clock.