Security Operations (SecOps) team members have interesting stories to tell about their run-ins with cyber adversaries. Some of these professionals have built and run Security Operations Centers (SOCs) for some of the world’s largest companies. They’ve seen daily incidents that they strive to address and resolve. And from these war stories comes a fundamental understanding of some of the best practices to fight cybercriminals.
By Chris Triolo, Vice President of Customer Success, Respond Software
1. Pay attention to lateral attacks
The steady flow of news articles about vulnerabilities in IoT devices may seem like hyperbole, but the reality is that the risk continues to grow. In fact, during a recent proof-of-concept I worked on, an organization detected evidence of lateral movement from an IoT device (in this case, a network of security cameras) to other systems in the environment. Lateral movement is a technique where an attacker breaks into one system and uses that as a beachhead to move on to other systems in the environment. In this case, their physical security camera systems were on the same network as systems managing critical data. A best practice is to monitor all devices on the network and ensure appropriate network segmentation so that critical systems would never be on the same network as IoT devices like security cameras and smart TVs.
2. Don’t make assumptions when you tune
Another company I spoke with recently found a Zeus infection within their network. Infected internal systems were reaching out to known malicious IPs. The company had seen so many of these alerts that they assumed they were false positives and began disabling the intrusion detection signatures – that is, tuning down the sensors. Eventually, they found evidence that these “false positives” were real, re-enabled the signatures, and took action to clean up the infected systems.
3. Infected systems need cleaning
It’s a common occurrence for systems to be infected with malware and “beacon out”—that is, they’re communicating with attacker systems outside the network. In some cases, the customer who has already anticipated this situation has technology controls in place that drop or block the traffic on its way out of the network so that the internal system can’t reach out to the external system of the attackers. Some organizations will say, “No problem! The traffic is blocked; I’m safe.” However, that still leaves them with a compromised or infected system inside the network that needs to be cleaned.
Just because the malicious traffic is blocked, doesn’t mean it can be ignored. What if the system is a laptop and is taken home (out of the office) where it’s no longer protected? There’s nothing to stop it from communicating with the attacker’s system when on the employee’s home Wi-Fi.
4. Watch out for misconfigurations
Organizations also must regularly deal with security sensors that don’t work as expected. The solution is to catch misconfigurations and ensure that security controls are working as they should. For instance, pay attention to traffic volumes. What if they are unusually low–too low for normal URL traffic? If there is not enough user activity for this size of the environment, review the configurations on the URL Filtering software; it is most likely misconfigured. Once fixed, SecOps teams are better able to detect malicious and actionable security incidents that need an incident response. This makes the difference between a company thinking it is protected and being protected.
Daily, a typical environment will have more than 300 unique IDS signature alerts. Dramatic changes in this can be indicative of problems. For instance, let’s say a company had only 30 unique signature alerts on a day. This could indicate that their IDS was misconfigured or over-turned, so the company reviewed its configs, made updates, and began seeing normal volumes of IDS traffic. The company started catching the bad guys again, escalating new incidents once the fix had been made.
It is important to consistently make sure that the sensor grid is working. Pay attention to expected traffic volumes and signature feeds, and when there are anomalies, investigate.
5. Be careful about whitelisting
By constantly monitoring a company’s incident, discovery solution, one can catch pen-test and red team activity of its own defense testing. Interestingly enough, companies with a managed security service provider (MSSP) or internal security team typically miss the tell-tale signs. Here’s the interesting part: since this is just testing and not actual, malicious traffic, companies often want to “whitelist” the system(s) conducting pen-tests or red teams, as they are not real incidents. The best practice is to not whitelist these systems because it’s a great way to prove the incident discovery solution is working; and it’s good to test security controls and security detection capabilities regularly.
Benefit from SecOps Wisdom
It’s clear that many things can go wrong when defending against malicious actors, but cybersecurity is something organizations must get right. Fortunately, many dedicated SecOps professionals have learned valuable lessons to draw from. Use the best practices outlined above to pay attention to the details, properly configure the system, and ensure a clean, well-tuned, and secure network.
About the Author
Chris Triolo is the Vice President of customer success at Respond Software. His security expertise includes building world-class professional services organizations as Vice President of professional services at ForeScout and Global Vice President of professional services and support for HP Software Enterprise Security Products (ESP). Triolo’s depth in security operations and leadership includes a long tenure at Northrop Grumman TASC supporting various Department of Defense and government customers including Air Force Space Command (AFS PC) Space Warfare Center, United States Space Command (USSPACECOM) Computer Network Attack and Defense, Air Force Information Warfare Center (AFIWC), and others.
Disclaimer
CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.
