Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer


IDS/IPS

Firewalls

The firewall is one of the earliest technologies developed to protect organizations and network nodes connected to the Internet. Depending on the setup of your network, these may be your last line of network defense. Your demilitarized zone (DMZ) and routers are likely to see malicious traffic ahead of your firewalls.

Over the years, this family of technology has evolved into elaborate systems that can be quite expensive, depending on the vendor. However, firewalls can still let criminals in and out of your network. A firewall must know what to look for, or have predefined access control lists, in order to prevent a specific threat. With most advanced cyber threats, little or nothing will be known beforehand that could be used to block them.

Today, firewalls serve mainly as validation points when you are engaging an active threat within your enterprise. If it is properly configured, a firewall can tell you a great deal about everything that has passed through it. Keep in mind, however, that a firewall is only as good as the policies, rules, and configuration a human sets for it to follow. And don’t forget to monitor the state and logs of the systems in your DMZ and your routers as well; they can provide additional information to feed your firewall rule sets.

Things to Think About

The following are some considerations for increasing the protection of firewalls:

Be prepared to put some work in initially.
Until you get a good baseline of traffic entering and leaving your network, you may experience many false positives.
You don’t need to reinvent the wheel.
Firewall rules are readily available across the Internet. They’ve been created by those who face the same challenges as you do. In addition, your firewall of choice will likely include useful rules and may offer the ability to easily modify the rules provided by the vendor.
Firewalls can help protect you at different layers.
Do you want your firewall to focus on the network layer (straight TCP/IP traffic) or the application layer (traffic to and from your database)?
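The paragraph above says that firewall, DMZ and router logs are what feed your rule sets. The following is an added example, not code from the book, that shows one way to do that review: it parses constructed netfilter-style drop/accept lines, counts how many distinct ports each outside source was dropped on, and proposes (but does not apply) a deny rule for sources that look like a sweep. The log prefix `FW-DROP`/`FW-ACCEPT`, the interface names and the addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables kernel-log style; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 10 02:11:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22
Mar 10 02:11:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=23
Mar 10 02:11:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=3389
Mar 10 02:11:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=445
Mar 10 02:11:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=8080
Mar 10 02:12:00 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=443
Mar 10 02:12:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=8443
Mar 10 02:13:00 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.200 PROTO=UDP SPT=40000 DPT=53
"""

KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (verdict, fields) for one log line with an FW-ACCEPT/FW-DROP prefix, else None."""
    m = re.search(r"FW-(ACCEPT|DROP):\s*(.*)$", line)
    return (m.group(1), dict(KV.findall(m.group(2)))) if m else None

def candidate_rules(log_text, port_threshold=4, partners=frozenset()):
    """Summarise inbound drops per source and propose deny rules for human review.

    A source dropped on >= port_threshold distinct (proto, port) pairs in the window
    looks like a sweep. Known partner addresses are still counted but never proposed,
    so a noisy partner does not end up blocked by an automated rule.
    Returns {src: (distinct_ports, proposed_rule)}.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "DROP" and parsed[1].get("IN") == "eth0":   # inbound only
            f = parsed[1]
            seen[f["SRC"]].add((f["PROTO"], f["DPT"]))
    proposals = {}
    for src, ports in seen.items():
        if len(ports) >= port_threshold and src not in partners:
            # Text of an iptables rule; nothing here applies it, a person does after review.
            proposals[src] = (len(ports), f"iptables -I INPUT -s {src} -j DROP")
    return proposals
```

With the sample above, only 203.0.113.9 (dropped on five different ports) is proposed; the partner that was dropped once on 8443 is not.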

Intrusion Detection/Prevention Systems

First developed for enterprises in the late 1990s to detect malicious network activity, an IDS is a sensor placed on your network to monitor incoming and outgoing traffic and alert administrators when anything out of the ordinary is observed. An IPS is a sensor that can also respond automatically to anomalous events, working to prevent malicious traffic from entering or leaving your network.

Over the years, these systems have improved quite a bit, but they face a tremendous number of challenges in keeping up with the speed at which malware is currently distributed. This type of system may not be able to stop the advanced threats you face today, but it could be one more system to alert you that something is wrong.

Things to Think About

The following are some considerations when using an IDS/IPS:

What do you want your system to do?
Do you want a system that will alert you when it thinks an intrusion has happened, or would you rather it also take some type of reactive action in order to stop the intrusion?
What type of system do you need?
Do you require a system that is based on known malicious signatures, one that adapts to the environment and detects anomalies, or both?
Is your network configured so that these can actually be of use?
Where are the choke points on your network where you can monitor all incoming and outgoing traffic?
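The second consideration above, signature-based versus anomaly-based detection, is easier to weigh with a concrete sensor in front of you. Below is an added example, not the book's code, that runs both modes over constructed connection records: the signature mode matches known-bad content, the anomaly mode learns a byte-volume and destination-port baseline and flags deviations, and a one-sample baseline shows where the false positives mentioned under firewalls come from. Record fields, the sample flows and the single signature are assumptions made up for the example.

```python
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    bytes_out: int
    payload: bytes

# Constructed records: a quiet baseline window of outbound HTTPS, then three new flows.
BASELINE = [Conn("10.0.0.5", "198.51.100.20", 443, b, b"") for b in (1200, 1500, 900, 1300, 1100, 1400)]
SUSPECT = [
    Conn("10.0.0.5", "203.0.113.7", 443, 1250, b"GET /update HTTP/1.1"),   # ordinary
    Conn("10.0.0.5", "203.0.113.7", 4444, 90_000_000, b"\x00" * 8),        # huge upload, odd port
    Conn("10.0.0.5", "203.0.113.9", 80, 800, b"cmd.exe /c whoami"),        # known-bad content
]
# Signature mode: byte patterns already known to be bad (constructed, illustrative only).
SIGNATURES = {b"cmd.exe /c": "remote-command-string"}

def signature_alerts(conns):
    return [(c, "sig:" + name) for c in conns for sig, name in SIGNATURES.items() if sig in c.payload]

class AnomalyDetector:
    """Anomaly mode: learn the baseline, then flag what deviates from it.
    A short baseline gives a noisy threshold, which is where early false positives come from."""
    def __init__(self, baseline, k=3.0):
        vals = [c.bytes_out for c in baseline]
        self.mean, self.std = statistics.fmean(vals), statistics.pstdev(vals)
        self.ports = {c.dport for c in baseline}   # destination ports seen during the baseline
        self.k = k
    def alerts(self, conns):
        out = []
        for c in conns:
            reasons = []
            if c.bytes_out > self.mean + self.k * self.std:
                reasons.append("volume")
            if c.dport not in self.ports:
                reasons.append("new-port")
            if reasons:
                out.append((c, "anomaly:" + "+".join(reasons)))
        return out

def run_ids(mode, baseline, conns):
    # mode is 'signature', 'anomaly' or 'both', the same three choices the text poses
    found = []
    if mode in ("signature", "both"):
        found += signature_alerts(conns)
    if mode in ("anomaly", "both"):
        found += AnomalyDetector(baseline).alerts(conns)
    return found
```

Note that the anomaly mode also flags the third flow (port 80 was never seen in the baseline) without knowing why it is bad, while the signature mode names it but misses the large upload entirely; that gap is the argument for running both.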

Deception Technologies

Have you ever wanted to know just how in the world the infection on your network started? How did the intruders get in? How are they communicating? What did they use to compromise your system? What traffic are they sending or receiving? Are they stealing the crown jewels of your company, or simply using your computer as just one more spoke in the spam machine? Well, keep reading.

What you might want to do is set up a system that somewhat resembles your network, luring in potential attackers so that you proactively (there’s that word again) learn from them instead of waiting for the aftermath. While much progress has been made over the years to make such deception easier, it is not for the faint of heart, because you (or someone on your team) must be dedicated to monitoring and learning about threats and creative mitigation technologies. To accomplish this task, the following are your new friends:

Honeynet
A decoy system that resembles a real one but serves no production (direct business) purpose; it acts as an early warning indicator of malicious activity within an enterprise.
Honeyclient
A client-based system configured to crawl websites for malicious content and/or client-side exploits and to alert security professionals about potentially malicious websites. The lists of sites it crawls can come from your own enterprise’s Squid web logs, proxy web logs, known partner sites, and your organization’s own internal and external sites.
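The honeynet definition above rests on one property: the decoy has no production purpose, so any connection to it is a signal. The following is an added example, not the book's code, of a minimal low-interaction decoy service built on that property: it listens on a loopback port, answers with a fake mail banner, and records the peer and the first bytes it sends as an alert. The banner text, the loopback address and the `probe` client are assumptions made for the demonstration.

```python
import socket
import threading
import time

class DecoyService:
    """Low-interaction decoy with no production role, so every connection it records is an alert."""
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mail.example.test ESMTP\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port=0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner, self.alerts = banner, []
        self._lock, self._stop = threading.Lock(), threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:                        # send the fake banner, keep the first bytes received
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    first = conn.recv(512)
                except OSError:
                    first = b""
            with self._lock:
                self.alerts.append({"peer": peer[0], "first_bytes": first})

    def wait_for(self, n, timeout=3.0):
        """Poll until at least n alerts exist or the timeout elapses; return a copy."""
        deadline = time.monotonic() + timeout
        while len(self.alerts) < n and time.monotonic() < deadline:
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

def probe(port, data):
    """Demo client only: connect to the decoy, read its banner, send one message."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(128)
        s.sendall(data)
    return banner
```

In practice the recorded alerts would be shipped to the same place your IDS and firewall logs go, where a single hit against the decoy is worth more attention than a thousand routine firewall drops.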
