Cybersecurity Practice #6: Network Management (medium/large)

Modified on Wed, 14 Jun, 2023 at 2:31 PM

Organizations leverage IT networks as a core infrastructure to conduct business operations. Without networks, there would be no interoperability. Networks must be deployed securely to limit exposure to and the potential impacts of cyberattacks.


 

Cybersecurity Practice 6: Network Management

  
 

Data that may be affected: PHI

 

Medium Sub-Practices

    6.M.A   Network Profiles and Firewalls

    6.M.B   Network Segmentation

    6.M.C   Intrusion Prevention Systems

    6.M.D   Web Proxy Protection

    6.M.E   Physical Security of Network Devices

 

Large Sub-Practices

    6.L.A   Additional Network Segmentation

    6.L.B   Command and Control Monitoring of Perimeter

    6.L.C   Anomalous Network Monitoring and Analytics

    6.L.D   Network Based Sandboxing/Malware Execution

    6.L.E   Network Access Control

 

Key Mitigated Risks

  • Ransomware Attacks
  • Loss or Theft of Equipment or Data
  • Insider, Accidental or Intentional Data Loss
  • Attacks Against Connected Medical Devices that May Affect Patient Safety

 

  

 

Sub-Practices for Medium-Sized Organizations

 

6.M.A

Network Profiles and Firewalls

NIST FRAMEWORK REF:

PR.AC-5, PR.AC-6


An effective network management strategy includes the deployment of firewalls to enable proper access inside and outside of the organization. Firewall technology is far more advanced than standard router-based access lists and is a critical component of modern network management. Organizations should deploy firewall capabilities in the following areas: on wide area network (WAN) pipes to the internet and perimeter, across data centers, in building distribution switches, in front of partner WAN/VPN connections, and over wireless networks.


There should be clear boundaries that determine how traffic is permitted to move throughout the organization, including a default-deny ruleset whenever possible. At the perimeter, inbound and outbound rules must be configured with a default-deny ruleset to limit accidental network exposures. This often-complicated process can be achieved by establishing security zones through network segmentation.


Consider limiting the outbound connections permitted by assets in your organization. This can be a challenge to implement across the board. However, for zones of high sensitivity, egress limiting can prevent malicious callbacks or data exfiltration. The SOC should monitor egress logs.


Firewall rules may change when technology is added or removed. A robust change management process should include reviewing every firewall to identify necessary changes. These change requests should comply with standard IT operations change management processes and be approved by cybersecurity departments before any firewall is modified.


As part of standard rule management for firewalls, it is important to periodically review firewalls to ensure they are properly structured as required by cybersecurity teams. Consider a monthly or quarterly review of the highest-risk rulesets.

 

6.M.B

Network Segmentation

NIST FRAMEWORK REF:

PR.AC-5


Partitioning networks into security zones is a fundamental method of limiting cyberattacks. These zones can be based on sensitivity of assets within the network (e.g., clinical workstations, general user access, guest networks, medical device networks, building management systems, IoT networks) or standard perimeter segmentations (e.g., DMZ, middleware, application servers, database servers, vendor systems). Examples of standard network zones follow:

  • Perimeter defenses: Most organizations host services that are accessed through the internet. A robust defense strategy should be deployed to monitor these “front doors.” [24]

Best practices for perimeter defenses include the following:

  • Implement highly restrictive rules on inbound and outbound ports and protocols. Use default-deny rules in firewalls and enable access only when clearly understood.
  • Restrict access from the DMZ to middleware, application, and database servers. DMZ controls are critical, because DMZ servers are exposed to the internet and have a large threat footprint.
  • Restrict the ability for DMZ servers to log in directly to servers on the inside network, specifically using remote desktop protocol, server message block, secure shell (SSH), or other remote access ports (tcp/3389, tcp/445, tcp/139, tcp/22).
  • Ensure that local administrator passwords are unique to each DMZ server and do not use these passwords for any other server in the organization.
  • Ensure that DMZ servers cannot connect directly to the internet. Instead, these servers should access the internet through outbound proxy services. Outbound proxy rules should limit the sites, URLs, IPs, and ports that a DMZ server can access to only whitelisted sites required for updates or application functionality. Be cautious of whitelisting hosting organizations like Amazon Web Services: malicious actors may use them to download malware to a compromised server.
  • Consider this type of restriction configuration for partner WAN links or site-to-site VPN connections. Do not permit access to systems/applications that are not required by the user.


  • Data center networks: Servers in the data center should be segmented into appropriate zones. Several different layers of segmentation may occur within data center networks, including
    • database servers;
    • application servers; and
    • middleware.
  • Critical IoT assets: It is important to restrict access to assets that have a potentially high impact on the business or patients if compromised. Management and patching of security vulnerabilities in IoT devices is often limited. Examples include medical devices, security cameras, badge readers, temperature sensors, and building management systems. These assets generally exist outside of the data centers. Without proper segmentation, a compromised device can be used as a foothold into the general access networks it shares. To achieve segmentation in the physical buildings, leverage multiprotocol label switching (MPLS) or similar network virtualization to build out virtual networks, and place the access restrictions between those networks behind core firewalls.
  • Vendor access: Vendor access should be limited based on need. It should be temporary, and only access to required information should be granted. Some assets are managed exclusively or accessed by third-party vendors. These vendors may need continual access to the organization’s network. It is important to segment this vendor access from other networks and limit the vendor’s ability to access other parts of your corporate network. Whether these networks exist inside or outside of the data center, the principles are the same. In 2013, Target was the victim of a cyberattack that entered through exactly such a channel: network access held by a third-party vendor. [25] Common examples of vendor-managed systems include building management systems, security systems, physical access controls, and persistent tunnels required to enable cloud functionality.
  • General access networks: The majority of your workforce will operate on general access networks. These are “edge” networks that provide connectivity back to the services offered in data centers, the internet, or other assets. General access networks require a degree of openness when communicating with services that are hosted by the organization. However, restrictions should be implemented that prohibit the assets in one general access network from communicating with the assets in another general access network. This is a critical control that can help stop the outbreak and spread of malware and ransomware attacks.
  • Guest networks: It is common for organizations to provide guest access to the internet, especially in provider organizations visited by patients and their friends and families. Access to the internet is a core value of provider organizations. However, it must be restricted and controlled appropriately. These restrictions should exist on wireless networks, where it is most common, as well as wired networks often located in public spaces or conference rooms. Explicitly prohibit access to the internal network; guest users should access the organization using the same front door through which they access the rest of the internet. Lastly, as much as possible, limit the ability of your workforce to access guest networks. 
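The firewall and segmentation rules above (the default-deny and egress limits of 6.M.A, and the DMZ and general access restrictions of 6.M.B) are easier to review and to test when the zone policy is written down as data rather than scattered across devices. The following is an added example, not part of the HICP text: a small zone policy in Python with an evaluator that defaults to deny and a review function that surfaces the over-broad rules a monthly or quarterly review should look at first. Zone names, address ranges (RFC 1918 and RFC 5737 space), ports and rule comments are all constructed for illustration; the "proxy" and "bastion" zones assume the outbound proxy of 6.M.B and the MFA-protected jump host of 6.L.A.

```python
"""Zone policy as code: default deny, an explicit allow list for new
connections, a flow evaluator, and a review check for over-broad rules.
Added example; the address plan and rules are constructed, not the guide's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

# Constructed address plan (RFC 1918 and RFC 5737 ranges).
ZONES = {
    "dmz":       ip_network("192.0.2.0/24"),   # internet-facing servers
    "proxy":     ip_network("10.0.1.0/28"),    # outbound web proxies
    "bastion":   ip_network("10.0.2.0/28"),    # admin jump hosts (MFA)
    "app":       ip_network("10.0.10.0/24"),   # application tier
    "db":        ip_network("10.0.20.0/24"),   # database tier
    "general_a": ip_network("10.100.0.0/16"),  # workforce edge network, building A
    "general_b": ip_network("10.101.0.0/16"),  # workforce edge network, building B
    "guest":     ip_network("172.16.0.0/16"),  # visitor wireless/wired
    "internet":  ip_network("0.0.0.0/0"),      # catch-all, least specific
}


@dataclass(frozen=True)
class Rule:
    src: str            # zone name or ANY
    dst: str
    proto: str          # "tcp", "udp", "icmp" or ANY
    ports: frozenset    # destination ports; empty means any port
    comment: str


def rule(src, dst, proto, ports, comment):
    return Rule(src, dst, proto, frozenset(ports), comment)


# Allow list for NEW connections; a stateful firewall admits the return
# traffic of these flows. Anything not matched is dropped (default deny).
POLICY = [
    rule("internet",  "dmz",      "tcp", {443},      "public web front door"),
    rule("dmz",       "app",      "tcp", {8443},     "DMZ reaches the app tier only"),
    rule("app",       "db",       "tcp", (),         "TODO: scope to tcp/5432"),
    rule("dmz",       "proxy",    "tcp", {3128},     "DMZ egress only via outbound proxy"),
    rule("proxy",     "internet", "tcp", {80, 443},  "proxy fetches allow-listed sites"),
    rule("bastion",   "dmz",      "tcp", {22, 3389}, "admin into DMZ from bastion only"),
    rule("general_a", "app",      "tcp", {443},      "workforce to hosted services"),
    rule("general_b", "app",      "tcp", {443},      "workforce to hosted services"),
    rule("general_a", "proxy",    "tcp", {3128},     "workforce web via proxy"),
    rule("general_b", "proxy",    "tcp", {3128},     "workforce web via proxy"),
    rule("guest",     "internet", "tcp", {80, 443},  "guests exit the same front door"),
]


def zone_of(ip):
    """Most specific zone containing ip, so 'internet' only wins by default."""
    addr = ip_address(ip)
    matches = [(name, net) for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda kv: kv[1].prefixlen)[0]


def evaluate(src_ip, dst_ip, proto, dport=None):
    """Return (allowed, matching_rule) for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if r.src not in (src, ANY) or r.dst not in (dst, ANY):
            continue
        if r.proto not in (proto, ANY):
            continue
        if r.ports and dport not in r.ports:
            continue
        return True, r
    return False, None          # default deny


def review(policy=POLICY):
    """Highest-risk rules for the periodic review: any-zone, any-protocol,
    or any-port on tcp/udp."""
    return [r for r in policy
            if ANY in (r.src, r.dst, r.proto)
            or (r.proto in ("tcp", "udp") and not r.ports)]


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "10.0.10.5", "tcp", 3389))   # DMZ -> app RDP: denied
    print(evaluate("192.0.2.10", "10.0.1.4", "tcp", 3128))    # DMZ -> proxy: allowed
    print([r.comment for r in review()])
```

A model like this is most useful as the source of truth from which the real rulesets are generated and against which change requests are checked before a firewall is modified: a proposed change that makes evaluate() return True for a DMZ-to-internal RDP flow, or that adds a rule review() flags, fails the cybersecurity approval step automatically rather than at the next quarterly audit.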

6.M.C

Intrusion Prevention Systems

NIST FRAMEWORK REF:

DE.CM-1


An intrusion prevention system (IPS) is important for your network perimeter, data center, and partner connections. An IPS is capable of reading network traffic to detect and potentially prevent known attacks. 


Today, these signature-based systems are not as prevalent as they once were, owing to limited effectiveness. However, they still serve as vital input to an organization’s SOC providing context to the types of attacks that occur. Though they might not identify every single attack, they provide information enabling your IR team to conduct forensic activities.

 

6.M.D

Web Proxy Protection

NIST FRAMEWORK REF:

PR.AC-3, PR.AC-5

Web proxy systems provide important protections against modern phishing and malware attacks. These systems are implemented at the perimeter of the network or in the cloud, the latter extending protection to your mobile workforce. Because most phishing and malware attacks are delivered over the web, a proxy that blocks a known malicious site stops the attack at the point of delivery, and the friendly error page it shows explains to the user why access was restricted, which doubles as security awareness feedback. When configured properly, web proxy systems leverage the following methods to limit client-side attacks:

  • Reputation blocking: Many blackhole lists are available publicly or through ISACs and ISAOs; proxies can use such lists to prevent users from accessing malicious websites. The lists are usually integrated into proxy systems through automated feeds.
  • Organizational block lists: As part of an organization’s IR, malicious websites and other sites can be identified based on actual attacks against the organization. Web proxy systems are critical shut-off points to limit access to websites quickly.
  • Category blocking: Most modern, commercial web proxy technologies will pre-categorize websites on behalf of the organization. Considering the millions of websites that exist, this is a highly useful service. Consider blocking categories that contain malicious, suspicious, or illegal websites.

 

6.M.E

Physical Security of Network Devices

NIST FRAMEWORK REF:

PR.AC-2


Network devices are deployed throughout an organization’s facilities. Inside the general user space, physical data closets that contain network devices must be secured. Additionally, it is useful to limit network ports on switches. Consider the following controls:

  • Data and network closets should always be locked. Consider using badge readers instead of traditional key locks to monitor access.
  • Disable network ports that are not in use. Ensure that procedures are in place to maintain ports in shutdown mode until an activation request is submitted and approved.
  • Configure the network ports in conference rooms and other public spaces so that they reach only the guest network.


Sub-Practices for Large Organizations

This section includes methods to detect and potentially prevent cyberattacks against an organization’s network. These methods should be engineered into network management practices. Once network-level detection and prevention methods are established, cybersecurity departments can follow Cybersecurity Practice #8: Security Operations Center and Incident Response to monitor and respond to attacks on the network.

 

6.L.A

Additional Network Segmentation

NIST FRAMEWORK REF:

PR.AC-5, PR.AC-6, PR.PT-4


As your network expands, other strategies can be deployed to maintain secure segmentation. Consider the following:

  • Required VPN access for data center: Consider implementing a VPN, or bastion hosts, that must be enabled before access is granted to privileged servers in the data center. These VPN or bastion hosts should be equipped with MFA. Only authorized IT administrators should be granted access. Logs should be routed to the SOC for monitoring.

 

6.L.B

Command and Control Monitoring of Perimeter

NIST FRAMEWORK REF:

DE.CM-1, DE.CM-7

Hackers commonly use layered command and control (C2) traffic to maintain access to compromised computers. C2 traffic consists of beacons, typically outbound from the computer, that check back in to a central server. Identifying such traffic can help detect where an attacker has maintained persistence.


There are many methods to look for C2 traffic, including the following:

  • Direct to a compromised server via Internet Protocol (IP) or Internet Control Message Protocol (ICMP): In this method, the malware beacons to a hard-coded address over outbound ports or protocols that are generally open (e.g., HTTP, HTTPS, or ICMP). C2 traffic can be encrypted or cleartext, depending on the attacker’s level of sophistication. The attacker must first have compromised a series of servers or other assets to use as relays. This method tends to be less effective for attackers than the others, because it is easy to block the offending address or shut down the offending system once the compromise has been detected; when that occurs, the attacker loses persistence.
  • DNS queries: In this method, the malware downloaded to a computer locates its C2 server by resolving a DNS name rather than by contacting a fixed address. As long as the attacker controls the DNS record, the servers behind it can be switched out as they are discovered. This method is also fairly easy to detect and resolve. Once the DNS name has been identified, the organization can implement a DNS sinkhole: an entry in the organization’s own DNS resolvers (a local zone or a response policy zone) that answers the name with a nonroutable or local address such as 127.0.0.1, so infected hosts can no longer reach the C2 server and their lookups are logged for the SOC. Once the fully qualified domain name is identified, the registration can also be taken down through abuse reporting to the DNS hosting service.
  • Fast flux and domain generation algorithm (DGA) DNS queries: In this method, the attacker uses DNS to maintain persistence while expecting individual registrations to be taken down. Rather than relying on one name, the malware and the C2 infrastructure share an algorithm that produces a rolling list of pseudo-random domain names (seeded, for example, by the date or by the first several bytes fetched from well-known sites such as cnn.com or nbc.com). The attacker registers only a few of the candidates, each of which tends to live for 24 hours or less, and the client walks the list until one resolves and command is reestablished. Fast flux adds rapid rotation of the IP addresses behind each name. These methods are fairly successful. Defending against them requires analytics over local DNS lookups that can discover “gibberish” domain names; oiewr921ai.evil.com is an example of such a name, and a single client producing a high rate of NXDOMAIN responses is another strong indicator.
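Two of the checks described above can be run against logs the organization already collects: beaconing shows up as regular inter-arrival times from one client to one destination in outbound connection records, and DGA names show up as gibberish in resolver logs. The following is an added example, not part of the HICP text: Python that scores constructed outbound-connection records for beaconing and constructed resolver records for machine-generated names. The record layouts, the thresholds (at least five events, coefficient of variation of 0.15, label entropy 3.3, digit ratio 0.25, consonant run of 6) and the sample names are assumptions chosen for illustration; oiewr921ai.evil.com is the gibberish example from the text.

```python
"""C2 hunting over constructed logs: beacon periodicity in outbound flows
and gibberish (DGA-like) labels in DNS query logs. Added example; the
records, thresholds and names are constructed, not from the guide."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records: (timestamp_s, src_ip, dst_ip, dst_port).
FLOWS = (
    # 10.100.0.7 checks in roughly every 300 s with a little jitter: a beacon.
    [(t, "10.100.0.7", "198.51.100.9", 443) for t in (0, 301, 598, 902, 1199, 1503, 1797, 2101)]
    # 10.100.0.8 browses one site in bursts: irregular gaps.
    + [(t, "10.100.0.8", "203.0.113.20", 443) for t in (5, 17, 240, 255, 900, 1600, 1615, 2300)]
    # too few events to judge
    + [(50, "10.100.0.9", "203.0.113.40", 80), (700, "10.100.0.9", "203.0.113.40", 80)]
)


def find_beacons(flows, min_events=5, max_cv=0.15):
    """Group flows by (src, dst, port) and flag groups whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) <= max_cv.
    Returns (src, dst, port, period_s, cv) for each candidate."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else math.inf
        if cv <= max_cv:
            hits.append((*key, round(period), round(cv, 3)))
    return hits


VOWELS = set("aeiou")


def label_features(label):
    """Character statistics of one DNS label (hyphens and case ignored)."""
    s = "".join(ch for ch in label.lower() if ch.isalnum())
    if not s:
        return None
    n = len(s)
    entropy = -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1    # digits count as non-vowels
        longest = max(longest, run)
    return {"length": n, "entropy": entropy,
            "vowel_ratio": sum(ch in VOWELS for ch in s) / n,
            "digit_ratio": sum(ch.isdigit() for ch in s) / n,
            "consonant_run": longest}


def looks_generated(qname, min_len=8):
    """Triage heuristic, not a classifier: True if any label below the TLD is
    long and either high-entropy with few vowels, digit-heavy, or carries a
    long run of consonants."""
    for label in qname.rstrip(".").split(".")[:-1]:
        f = label_features(label)
        if not f or f["length"] < min_len:
            continue
        if ((f["entropy"] >= 3.3 and f["vowel_ratio"] <= 0.3)
                or f["digit_ratio"] >= 0.25 or f["consonant_run"] >= 6):
            return True
    return False


# Constructed resolver log: (client_ip, queried_name).
DNS_LOG = [
    ("10.100.0.7", "xkq7a9dmvz3pl.com"),
    ("10.100.0.7", "oiewr921ai.evil.com"),
    ("10.100.0.8", "www.cnn.com"),
    ("10.100.0.8", "updates.example-vendor.com"),
    ("10.100.0.8", "mail.hospital-example.org"),
    ("10.100.0.9", "assets.cdn-example.net"),
    ("10.100.0.9", "a1b2c3d4e5f6.biz"),
]


def suspicious_queries(log=DNS_LOG):
    """Resolver records whose name looks machine-generated."""
    return [(client, name) for client, name in log if looks_generated(name)]


if __name__ == "__main__":
    print(find_beacons(FLOWS))
    print(suspicious_queries())
```

Both are triage heuristics for the SOC rather than classifiers: legitimate update agents also beacon on a schedule, and long digit-heavy labels occur in CDN hostnames, so the output is a list to investigate, not to block automatically. A name confirmed as C2 is the candidate for the DNS sinkhole described above, and the beaconing client is the one to isolate first.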


6.L.C

Anomalous Network Monitoring and Analytics

NIST FRAMEWORK REF:

DE.CM-1, DE.CM-7

A variation on C2 monitoring is to analyze network traffic, rather than focus on a particular vector or attack style. This requires specialized tools that can profile inbound and outbound network traffic. Some versions of these tools provide “deep inspection,” which allows the full contents of a packet to be analyzed, categorized, and built into massive databases of network-based metadata.


Once metadata on the network traffic profile are gathered, analytics can be conducted to look for outliers, anomalous traffic, and other highly sophisticated methods of discovery. Network monitoring tools are not preventative in nature. Rather, they are intended to widely increase the SOC’s visibility, facilitating detection, confirmation, or validation of suspicious actions. These tools are especially useful in replaying events that occurred as part of an attack to support network forensic activities.

 

6.L.D

Network Based Sandboxing / Malware Execution

NIST FRAMEWORK REF:

DE.CM-5, DE.CM-7


By monitoring common protocols that allow downloading of binaries and files, organizations can check a download prior to permitting it to run on the organization’s devices. Downloaded binaries, executables, or even data files (e.g., docx, xlsx) are run in a virtual environment that looks for malicious activities when the file executes.


Common methods include

  • watching which registry keys are queried, amended, added, or deleted;
  • monitoring for outbound network connections;
  • watching for processes launched in memory; and
  • detecting anomalous system calls.


Tools that facilitate automated sandboxing look for suspicious outputs or actions rather than attempting to base actions on a particular signature of a particular configuration.


To be effective, these technologies monitor network flows. This can occur passively or actively. Passive systems monitor network traffic at the stream level, not residing in line with the communication flows. Active systems insert themselves inline to the communication flows and conduct checks on the fly, denying access to downloaded files until they are cleared.


Sandboxing systems provide protection against malicious files. However, they do not provide protection against active attacks inside your network.

 

6.L.E

Network Access Control

NIST FRAMEWORK REF:

PR.AC-5, PR.AC-6, PR.AC-4


NAC systems are engineered to automatically profile new IT assets that connect to network resources, such as wireless networks, wired networks, or VPN. They help ensure that the controls discussed in Cybersecurity Practice #2: Endpoint Protection are in place on each asset. NAC systems execute these controls in real time when the asset connects to the network.


NAC systems are highly effective at discovering personal devices leveraged on the network (BYOD). They can be configured to permit authorized BYOD devices to access the network or prohibit them entirely.


When basic NAC controls are implemented and you can monitor the security of endpoints that connect to your network, there are other interesting, advanced techniques that can be leveraged to provide checks and balances for general IT controls.


One example is to integrate your NAC solution with your ITAM repository. As discussed in Cybersecurity Practice #5: IT Asset Management, ITAM repositories should be populated using your organization’s standard procurement processes. That said, not all processes run perfectly, and there are other ways that assets enter an organization’s environment, often due to human error or sidebar procurement channels that are not leveraged consistently.


Configuring your NAC solution to check against your ITAM enables unknown assets to be profiled at the moment they connect, with the user guided through registration by a self-service workflow. Such a configuration can be achieved as follows:

  • Set up application programming interfaces between the NAC solution and the ITAM solution that enable read and write options.
  • Query the ITAM database when an asset connects to the network. If the asset does not exist, present the user with a splash page.
  • Determine whether the asset is organizationally owned (purchased with organizational funds) or personally owned (purchased by the user).
  • Register the selection, conduct the NAC security scan, and publish the results in the ITAM.
  • Execute IT general controls that reconcile assets that are out of compliance with standard asset management procedures. Such controls can include
    • ensuring that appropriate monitoring controls are in place;
    • registering the asset with the right identifiers (asset IDs); and
    • updating asset ownership based on actual human interaction.


These mechanisms are effective at providing visibility into the devices being used on the network, increasing the ITAM system’s accuracy and consistency.
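The steps above, as an added example that is not part of the HICP text or of any NAC product’s API: a Python model of the connect-time handler with an in-memory stand-in for the ITAM repository, a constructed posture policy (EDR running, disk encrypted, patches no older than 30 days), and the suggested metrics from this practice computed from the reconciled records. The asset records, MAC addresses, scan results and splash-page answers are constructed; the owner categories, the "NAC-" asset ID prefix and the network placements returned by the handler are assumptions.

```python
"""NAC connect handler reconciled against an ITAM repository, with the
practice's suggested metrics computed from the result. Added example; the
ITAM API, posture policy and records are constructed stand-ins."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass
class Asset:
    mac: str
    owner: str = "unknown"              # "org", "personal" or "unknown"
    asset_id: Optional[str] = None
    compliant: Optional[bool] = None    # None until the NAC has scanned it
    source: str = "procurement"         # how the record entered the ITAM


class Itam:
    """Stand-in for the ITAM repository's read/write API (constructed)."""
    def __init__(self, seed):
        self.records = {a.mac: replace(a) for a in seed}   # copy, keep seed pristine
        self._ids = count(1)

    def lookup(self, mac):
        return self.records.get(mac)

    def register(self, asset):
        self.records[asset.mac] = asset

    def assign_id(self, asset):
        if asset.asset_id is None:
            asset.asset_id = f"NAC-{next(self._ids):04d}"


def posture_ok(scan, max_patch_age_days=30):
    """Minimum endpoint controls checked at connect time (constructed policy)."""
    return bool(scan["edr"] and scan["disk_encrypted"]
                and scan["patch_age_days"] <= max_patch_age_days)


def on_connect(event, itam, ask_owner):
    """Handle one NAC connect event {"mac", "scan"}. ask_owner(mac) models the
    splash page shown when the ITAM has no owner for the device. Returns the
    network the device is placed on."""
    asset = itam.lookup(event["mac"])
    if asset is None:                           # not in ITAM: discovered by NAC
        asset = Asset(mac=event["mac"], source="nac-discovery")
        itam.register(asset)
    if asset.owner == "unknown":                # splash page: org-owned or personal?
        asset.owner = ask_owner(event["mac"])
    asset.compliant = posture_ok(event["scan"])  # publish the scan result to ITAM
    if asset.owner == "personal":
        return "byod-internet-only"
    itam.assign_id(asset)                       # org assets must carry an asset ID
    return "corporate" if asset.compliant else "quarantine"


def metrics(itam):
    """Suggested metrics: uncategorized assets, org assets the NAC found that
    procurement missed, and percent compliant with endpoint policy."""
    assets = list(itam.records.values())
    scanned = [a for a in assets if a.compliant is not None]
    return {
        "uncategorized": sum(a.owner == "unknown" for a in assets),
        "org_assets_found_by_nac": sum(a.owner == "org" and a.source == "nac-discovery"
                                       for a in assets),
        "pct_compliant": (round(100 * sum(a.compliant for a in scanned) / len(scanned), 1)
                          if scanned else 0.0),
    }


# Constructed seed records and connect events.
SEED = [Asset("aa:bb:cc:00:00:01", owner="org", asset_id="HOSP-1001"),
        Asset("aa:bb:cc:00:00:02")]            # in ITAM, but owner never recorded
EVENTS = [
    {"mac": "aa:bb:cc:00:00:01", "scan": {"edr": True, "disk_encrypted": True, "patch_age_days": 12}},
    {"mac": "aa:bb:cc:00:00:02", "scan": {"edr": True, "disk_encrypted": False, "patch_age_days": 3}},
    {"mac": "aa:bb:cc:00:00:03", "scan": {"edr": True, "disk_encrypted": True, "patch_age_days": 45}},
    {"mac": "aa:bb:cc:00:00:04", "scan": {"edr": False, "disk_encrypted": False, "patch_age_days": 400}},
]
SPLASH_ANSWERS = {"aa:bb:cc:00:00:03": "org", "aa:bb:cc:00:00:04": "personal"}


def run(events=EVENTS, seed=SEED, answers=SPLASH_ANSWERS):
    """Replay the events and return (placements, metrics, itam)."""
    itam = Itam(seed)
    ask = lambda mac: answers.get(mac, "unknown")   # no answer: stays uncategorized
    decisions = [on_connect(e, itam, ask) for e in events]
    return decisions, metrics(itam), itam


if __name__ == "__main__":
    placements, m, _ = run()
    print(placements)
    print(m)
```

In the replay, the device that was in the ITAM without an owner is the one that keeps the "uncategorized" count above zero, and the org-owned laptop that first appears at connect time is exactly the lagging indicator the second metric tracks: a purchase that bypassed procurement.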


Threats Mitigated

  1. Ransomware attacks
  2. Loss or theft of equipment or data
  3. Insider, accidental or intentional loss of sensitive data
  4. Attacks against connected medical devices that may affect patient safety

Suggested Metrics

  • Number of assets on the network that have not been categorized, trended over time. The goal is to establish a process to register and understand all assets on the network. After the baseline is complete, minimize the number of uncategorized assets.
  • Number of organizationally owned assets discovered using NAC that were not previously categorized through asset management procedures, trended by month. The goal is to monitor this lagging metric that measures effectiveness of the supply chain and IT operations processes. Increases in the number of organizationally owned assets that were not previously categorized indicates that standard processes are not being executed properly. Implement continuous improvement processes for IT operations.
  • Percentage of assets that comply with security policies, trended by week. The goal is to establish a baseline, then set stepwise goals to improve compliance over time. Ultimately, compliance percentage should range from 95 to 99 percent.
  • Number of malicious files captured and secured with advanced networking tools (sandboxing), trended by week. The goal is to capture all malicious files. An extended trend of no detected malicious files may indicate that sandboxing solutions are not working.
  • Number of malicious C2 connections discovered and removed, trended by week. The goal is a weekly report showing that all detected C2 connections are mitigated successfully.
  • Number of approved servers/hosts in the DMZ compared to the number of hosts actually present in the DMZ, trended by week. The goal is zero servers/hosts in the DMZ that are not understood. IT operations practices should be reviewed if servers are added that were not previously authorized.


[24] CIS Control 12: Boundary Defense (2018). Retrieved from Center for Internet Security: https://www.cisecurity.org/controls/boundary-defense/

[25] Anatomy of the Target data breach: Missed opportunities and lessons learned (2015, Feb 2). Retrieved from ZDNet: http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

