Did you ever think: what’s on my network and how do I make sure it’s secure? I know the question seems absurd – how can someone not know the answer to that? It’s absurd until you arrive at work to discover that someone with an internet connection in the middle of the Java Sea managed to establish a VPN connection or, worse, used RDP to log onto personal workstations.
Ask yourself: could I even identify this if it happened? Do I know which firewalls the user got past to connect to the VPN, or which subnets they have access to?
Let’s backtrack for a second and consider how that attacker got VPN credentials and how, once on my network, they would carry out the rest of the attack. If you’re not thinking about these factors, it could be the difference between mitigating a breach and updating your resume because your answer is “I don’t know what is on my network.”
The key to answering these questions lies in data collection. Take a moment to consider everything that happens on your network: an internet connection or the opening of a shared folder is an event that can be recorded. You can cut your IR (incident response) team’s work in half through proper data collection and analysis.
Consider the investigative process: you’ve been told that an unknown user accessed your network through VPN. If you’ve been collecting logs and events, you can use a parser to identify the VPN connection being established. With that, you would also know the time, destination, and possibly the source addresses. If you correlate this behavior and look for VPN connections in that specific time slot over several weeks, valuable patterns emerge:
- Machines accessed
- Files accessed – important for your forensics team
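A minimal version of the parse-and-correlate step just described, added here as an example and not code from the original post: it assumes a constructed syslog-like VPN log format (the sample lines, user names and addresses are all made up), extracts the successful connects, and reports which user/source pairs connected in the same time-of-day window on several different days, together with the internal hosts they reached.

```python
import re
from collections import defaultdict
from datetime import datetime, time
# Constructed sample lines in an assumed syslog-like VPN format (not any real product's format)
SAMPLE_LOGS = """\
2024-03-04T02:13:41Z vpn01 vpn: user=jdoe src=203.0.113.45 dst=10.0.5.21 action=connect
2024-03-04T09:02:10Z vpn01 vpn: user=asmith src=198.51.100.7 dst=10.0.5.30 action=connect
2024-03-11T02:09:55Z vpn01 vpn: user=jdoe src=203.0.113.45 dst=10.0.5.21 action=connect
2024-03-18T02:21:03Z vpn01 vpn: user=jdoe src=203.0.113.45 dst=10.0.5.22 action=connect
2024-03-18T14:45:00Z vpn01 vpn: user=jdoe src=192.0.2.88 dst=10.0.5.21 action=connect
2024-03-19T02:15:30Z vpn01 vpn: user=bwong src=192.0.2.10 dst=10.0.5.40 action=disconnect
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)
SUSPECT_WINDOW = (time(2, 0), time(2, 30))  # the 02:00-02:30 UTC slot in which the odd connection was seen

def parse_vpn_log(text):
    """Turn raw log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def in_window(ts, start, end):
    """True if the time-of-day of ts lies in [start, end]; also handles a window spanning midnight."""
    t = ts.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)

def recurring_connections(events, start, end, min_days=2):
    """Group connects in the daily window by (user, src) and keep pairs seen on >= min_days distinct days."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == "connect" and in_window(e["ts"], start, end):
            groups[(e["user"], e["src"])].append(e)
    result = {}
    for key, evs in groups.items():
        days = sorted({e["ts"].date().isoformat() for e in evs})
        if len(days) >= min_days:
            result[key] = {"days": days, "hosts": sorted({e["dst"] for e in evs})}
    return result

if __name__ == "__main__":
    for (user, src), hit in recurring_connections(parse_vpn_log(SAMPLE_LOGS), *SUSPECT_WINDOW).items():
        print(f"{user} from {src} on {hit['days']} reached {hit['hosts']}")
```

With the sample data, only the jdoe/203.0.113.45 pair recurs in the 02:00-02:30 slot (three Mondays in a row), and the `hosts` list is the starting point for the "machines accessed" question the forensics team will ask.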
Let’s go a step further and think about what you can collect from your network. You can use Windows Management Instrumentation (WMI) to collect Windows events from workstations and Snort to detect user rule violations and other anomalous behavior. If you want to go deeper, network taps let you view traffic packet by packet.
The number of events a network generates in 15 minutes, however, could bury an analyst in work for a year. Data collection is useless if you do not understand what you’re looking at; it is a process of understanding the devices on your network and how they interact. With SIEM products, for instance, you have to establish patterns based on internal and external security policies, such as user restrictions, ACL rules, and device and user behavior, before you can fully use their functionality.
We’ll call this pattern establishment passive analysis. Active analysis is the correlation of events I mentioned earlier: comparing your logs against IP blacklists, monitoring traffic flows and understanding why they are shifting. Those spikes on your VoIP server might be malicious pings looking for open ports. Or is it your remote site pinging to make sure the server is up?
If you actively know where the vulnerabilities are, you save vital time rather than sending your incident response team to image 25 servers across 5 sites because your security staff cannot pinpoint the source of malicious activity. If you stay on top of your weak points, you’ll know to send your team to the server that has not been patched in three months, instead of analyzing a file server that is not connected to the internet. If you’ve lost track, remember that everything starts with this question:
What is on my network and how do I secure it?
If you can’t answer it, you are not going to know what information to collect, let alone analyze it and come to a conclusion about the state of your security. More importantly, you will not be able to explain to your CEO why someone on an island in the Java Sea is connecting to his or her computer.