As malware and ransomware grow more sophisticated and are updated more often, networks must continuously upgrade their security and evolve their risk reduction, breach detection and real-time, proactive response. For every digital innovation that better illuminates and monitors a commercial network, the malicious side takes a parallel step forward. It is like a horse and rider pursued by a pack of wolves: a race that lasts until one of the two parties stops. If the horse tires before the wolves, the rider is lost; if the wolves tire, they stay hungry. Since the wolves in question are not lone operators working from a bedroom but highly organized, international criminal groups with corporate-sized research and development budgets, the race is going to be long and hard. That is why hardening a network must be treated not as a scheduled or periodic routine but as an ongoing operational necessity.
Meeting this challenge calls for a multi-layered approach in which every layer is applied simultaneously and continuously. The five integral layers can be thought of as follows:
Pre-infiltration Risk Reduction
The first line of defence is to keep as much distance as possible between malware and its endpoint and objective. A good starting point is to work with the security software vendor to configure the primary defence for the particular business network; most vendors offer consultancy services or maintain a list of recommended or certified contractors for this purpose. This layer is the perimeter and should be patrolled by a strong, capable anti-malware product, and the result should then be evaluated by an independent penetration test. An anti-malware product must not rely solely on signature-based detection: with rootkit components and file-less malware in play, the software now has to be next-generation anti-virus (NGAV) that combines behavioural and heuristic detection with an efficiently updated signature database. However good the chosen suite is, it cannot be relied on to prevent every entry, so native policies and restrictions should be enforced on the endpoints as well, including where files may be installed and from which locations executables may run. Striking a balance between permission and restriction keeps routine work running while preventing much malware from executing even if it does get in. Macros have become such a common way into a network that this vector must be dealt with directly: block macros in documents that arrived from the internet or from untrusted locations, and allow only signed macros where the business genuinely needs them.
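One place to enforce the macro restriction before a document ever reaches an endpoint is the mail or web gateway. The following is an added example (not code from the original page or from any vendor mentioned) that inspects an OOXML package for embedded VBA: it looks for the vbaProject.bin part, for a macro-enabled content type in [Content_Types].xml, and for the common trick of renaming a .docm to .docx. The sample documents it builds are constructed, minimal zip packages for demonstration, not real Word files; the part names and content-type strings it checks are the standard OOXML ones.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Package parts whose presence means VBA code is embedded in the document.
VBA_PART_NAMES = ("vbaProject.bin", "vbaData.xml")
# Every macro-enabled OOXML content type carries this token, e.g.
# application/vnd.ms-word.document.macroEnabled.main+xml (compared lower-cased).
MACRO_ENABLED_TOKEN = ".macroenabled."
# Extensions that promise a macro-free document.
MACRO_FREE_EXTENSIONS = ("docx", "xlsx", "pptx")


@dataclass
class MacroVerdict:
    filename: str
    has_vba: bool = False
    macro_enabled_ct: bool = False
    extension_mismatch: bool = False
    reasons: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        """Gateway policy: anything carrying or declaring macros is held."""
        return self.has_vba or self.macro_enabled_ct


def inspect_ooxml(filename: str, data: bytes) -> MacroVerdict:
    """Inspect an OOXML (docx/docm/xlsx/xlsm/pptx/pptm) blob for macro indicators."""
    verdict = MacroVerdict(filename)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            except KeyError:
                content_types = ""
    except zipfile.BadZipFile:
        verdict.reasons.append("not a zip container, so not OOXML")
        return verdict

    for name in names:
        if name.rsplit("/", 1)[-1] in VBA_PART_NAMES:
            verdict.has_vba = True
            verdict.reasons.append(f"embedded VBA part: {name}")
    if MACRO_ENABLED_TOKEN in content_types:
        verdict.macro_enabled_ct = True
        verdict.reasons.append("macro-enabled content type declared")

    ext = filename.lower().rsplit(".", 1)[-1]
    if verdict.has_vba and ext in MACRO_FREE_EXTENSIONS:
        verdict.extension_mismatch = True
        verdict.reasons.append(f".{ext} extension claims macro-free but VBA is present")
    return verdict


def build_sample(with_vba: bool, macro_ct: bool) -> bytes:
    """Construct a minimal OOXML-like package for the demonstration (not a real Word file)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro_ct
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for an OLE compound file; only presence matters here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_sample(False, False)),
                       ("invoice.docm", build_sample(True, True)),
                       ("invoice.docx", build_sample(True, False))):
        v = inspect_ooxml(name, blob)
        print(name, "BLOCK" if v.block else "allow", v.reasons)
```

The renamed-document case matters in practice: Office decides how to open a file from its content, not its extension, so a gateway rule that only matches ".docm" misses it, while the part-name check above does not.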
Concurrent Infiltration Reaction
The second line of defence is a system that actively indicates a breach in progress, which limits the damage if the perimeter is penetrated. This is done either passively, by placing taps at choke points in the network (the equivalent of road-blocks) and raising an alert, or proactively, with decoy and deception techniques such as honeypots and honeytokens that attract the malware or the intruder and trigger a warning the moment they are touched. Concurrent reaction gives the quickest possible warning of anything the perimeter AV has missed, and with it the opportunity to limit the damage of the compromise. Because this layer is independent of the outer one, it gives a second, separate view that catches what has been overlooked so far.
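The value of a decoy is that it has no legitimate users, so there are no false positives: any contact at all is an alert. As an added illustration (not code from the original page), here is a minimal TCP honeypot that listens on a port nothing in the business should ever connect to, records the source and the first bytes of every connection, and keeps the alerts for the SOC to pick up. Host, port and the alert record format are assumptions for the example; a production deployment would forward the alerts to the SIEM rather than keep them in memory.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotAlert:
    peer_ip: str
    peer_port: int
    first_bytes: bytes   # whatever the intruder sent first, for triage
    ts: float


class HoneypotListener:
    """A decoy TCP service: no legitimate client exists, so every connection is an alert."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0 = let the OS pick one (handy for tests)
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # short accept timeout so stop() is noticed promptly
        self.port = self.sock.getsockname()[1]
        self.alerts: list[HoneypotAlert] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "HoneypotListener":
        self._thread.start()
        return self

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(64)  # capture a little of what was sent, never reply
                except socket.timeout:
                    data = b""
                self.alerts.append(HoneypotAlert(ip, port, data, time.time()))
        self.sock.close()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()


def probe(port: int, payload: bytes = b"") -> None:
    """Stand in for an intruder scanning the decoy (demonstration helper)."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        if payload:
            s.sendall(payload)
    time.sleep(0.3)  # give the listener thread a moment to record the hit


if __name__ == "__main__":
    hp = HoneypotListener().start()
    print(f"decoy listening on 127.0.0.1:{hp.port}")
    probe(hp.port, b"GET / HTTP/1.0\r\n")
    hp.stop()
    for a in hp.alerts:
        print(f"ALERT decoy touched from {a.peer_ip}:{a.peer_port} first bytes={a.first_bytes!r}")
```

The same principle extends to honeytokens: a planted credential, document or database row that is never used legitimately, with an alert on any access. The listener above never answers the client, so an attacker learns nothing about what is behind the port while the defender learns exactly who is scanning.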
Post-infiltration Detection and Response
The third line of defence builds on the previous one and determines where the malware is running. This stage is forensically equipped to capture packets and to recognize indicators of compromise (IoCs) and network anomalies, comparing the intruder's behaviour and artefacts with one or more databases of known malware characteristics. It also searches the other systems on the network for the same indicators to establish the scale of the infection, and then isolates the infected nodes. Keeping this post-infiltration layer (often delivered as Endpoint Detection and Response, or EDR) independent of the preceding layers means it can still do its job when they have been circumvented. This is also the point at which sandboxing is usually employed, to detonate suspicious files safely and harvest further indicators.
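The scoping step, matching what was seen on one host against an IoC list and then asking which other hosts show the same indicators, is straightforward to express, and seeing it written out makes clear what an EDR is doing behind its dashboard. The following is an added example (not code from the original page or from any EDR product). The IoC values, the hostnames and the key=value log format are all constructed for the demonstration; real IoCs come from threat intelligence, and the actual isolation action (a network-containment command or a switch ACL) is product-specific and is deliberately left out.

```python
import re
from collections import defaultdict

# Constructed IoC set: placeholder values, not real threat intelligence.
IOC_DOMAINS = {"update-cdn.example.net"}
IOC_IPS = {"203.0.113.45"}
IOC_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}

# Constructed telemetry in an assumed key=value format (not any product's real format).
SAMPLE_LOGS = """\
ts=1700000001 host=ws-014 type=dns query=update-cdn.example.net
ts=1700000002 host=ws-014 type=conn dst=203.0.113.45 dport=443
ts=1700000003 host=ws-022 type=dns query=intranet.corp.example
ts=1700000004 host=ws-031 type=conn dst=203.0.113.45 dport=443
ts=1700000005 host=srv-db1 type=file sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
ts=1700000006 host=ws-022 type=conn dst=198.51.100.7 dport=80
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def match_ioc(rec: dict):
    """Return (indicator type, value) if the record hits a known IoC, else None."""
    if rec.get("query") in IOC_DOMAINS:
        return ("domain", rec["query"])
    if rec.get("dst") in IOC_IPS:
        return ("ip", rec["dst"])
    if rec.get("sha256") in IOC_SHA256:
        return ("hash", rec["sha256"])
    return None


def scope_incident(log_text: str) -> dict:
    """Map every host with at least one IoC hit to the list of hits seen on it.

    This is the 'search other systems for the same indicators' step: a hit on
    one workstation is an alert, the same C2 address on three is an outbreak.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        m = match_ioc(rec)
        if m:
            hits[rec["host"]].append(m)
    return dict(hits)


def isolation_plan(hits: dict) -> list:
    """Hosts to quarantine, noisiest first so the responder starts where it matters."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    hits = scope_incident(SAMPLE_LOGS)
    for host in isolation_plan(hits):
        print(f"isolate {host}: {hits[host]}")
```

Packet capture belongs on the same hosts, but parsing pcaps needs a capture library and is not shown here; the point of the example is that the isolation decision is driven by correlation across hosts, not by a single alert.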
Continuous Active Monitoring
The fourth line of defence, continuous active monitoring, matters because most networks now run around the clock, including when no staff are present, and malware can carry built-in start-up delays or stay dormant until commanded remotely, precisely to slip past security that only looks at the moment of arrival. Continuous monitoring across all the layers above is needed to spot an infection that has so far hidden itself, at the moment it starts to act. For today's non-stop networks this means either establishing an internal Security Operations Center (SOC) or enlisting a third-party SOC to monitor the logs continuously.
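Dormant malware that finally wakes up usually gives itself away by calling home on a timer, and the overnight window, with no users generating traffic, is exactly when that periodicity stands out in the logs. As an added example (not code from the original page), the function below looks for beaconing in an outbound-connection log: it groups connections by source and destination, measures the gaps between them, and flags pairs whose gaps are too regular to be human. The log events and the thresholds are constructed assumptions for the demonstration; the tuple format stands in for whatever the firewall or proxy actually emits.

```python
import statistics
from collections import defaultdict

# Constructed events as (unix timestamp, source host, destination IP); an assumed
# format standing in for firewall or proxy logs collected by the SOC overnight.
def constructed_events() -> list:
    events = []
    # A beacon: one connection roughly every 300 s with a little jitter.
    t = 1700000000
    for jitter in (0, 2, -2, 1, -1, 0, 3, -3, 0, 1, -1):
        events.append((t, "ws-014", "203.0.113.45"))
        t += 300 + jitter
    # Ordinary browsing: bursty, irregular gaps to the same destination.
    t = 1700000000
    for gap in (12, 340, 5, 1200, 60, 900, 3, 45, 700):
        events.append((t, "ws-022", "198.51.100.7"))
        t += gap
    events.append((t, "ws-022", "198.51.100.7"))
    # Too few connections to judge, even though they are regular.
    for t in (1700000000, 1700000600, 1700001200):
        events.append((t, "ws-031", "192.0.2.9"))
    return events


def detect_beacons(events: list, min_count: int = 8, max_cv: float = 0.05) -> dict:
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps. Browser and user
    traffic is bursty, so cv is high; a timer-driven implant sits near zero even
    with a few seconds of jitter. min_count avoids judging on a handful of samples.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings[pair] = {"count": len(times), "period_s": round(mean), "cv": round(cv, 4)}
    return findings


if __name__ == "__main__":
    for (src, dst), info in detect_beacons(constructed_events()).items():
        print(f"possible beacon {src} -> {dst}: every ~{info['period_s']}s "
              f"x{info['count']} (cv={info['cv']})")
```

Run over a night's logs this is a cheap first pass; the destinations it surfaces are then checked against threat intelligence and the source hosts handed to the post-infiltration layer for scoping.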
Continuous Tuning and Configuration
The final line of defence is the continuous fine-tuning and integration of all the layers: updating and improving configurations everywhere, in third-party systems and in the network operating systems alike. As external systems change, tuning the policies is ongoing work to get the best operation with the maximum defence. The obvious routine precautions should be periodically reviewed and hardened wherever possible: enhanced file scanning; restricting which servers are exposed to the internet; denying split tunnelling on the VPN; routing all systems through a proxy; updating spam protection (and reviewing staff working practices); preventing the use of DVD and USB media; segmenting the network efficiently; and, most important of all, running a backup system that is efficient and safe, with copies kept offline or otherwise out of reach of ransomware and restores tested regularly. Clearing an infection is hard work; hardening a network beforehand is much easier.