Security added to a network environment should be based on the threat landscape that exists today and is predicted to exist tomorrow. This applies to home, business, or service provider networks.
Effective network security takes into account known vulnerabilities, hackers or other threat actors, and current attack trends. To properly add security to a network, you must understand all the exposed assets of your business and how they may be compromised.
The threat landscape or environment includes many elements that are important to identify and understand. This arms you with the knowledge to take appropriate action.
Let's start with the threat actors. They are the ones launching attacks and breaking into systems. Malicious actors are people or entities with a variety of goals, depending on the type of actor they are.
- Cyber terrorists attack nation-state-critical assets to cause harm to that country. For example, they could attack a country’s power grid.
- State-sponsored actors attack on behalf of their government. They attack another government to further the agenda of their country.
- Organized crime or cyber criminals have the goal of making money. They consider this a job or source of income. They are criminals who steal from businesses logically rather than physically.
- Hacktivists have a message to communicate. They are activists who logically attack companies.
- Script kiddies use someone else's attack tools. They do not possess the knowledge to launch the attack without those tools.
- Insiders are those who work for the business and have an intent to cause harm to their employer.
The threat vector is the path the attack takes. It could be as simple as the attacker asking someone to physically open a door to the building, which is basic social engineering. It could also be much more complicated and require a great deal of skill to accomplish.
For example, it is common for an attack to begin with a social engineering attack known as phishing. A user falls for a phishing email, which installs software on the system, and that software opens a back door into the system. The hacker exploits the back door to access the system and navigate, or move laterally, across the network.
Vulnerabilities are weaknesses or flaws that exist within technology. This includes security products such as firewalls, anti-virus, and anti-malware. It also includes normal endpoint devices such as servers, workstations, laptops, cameras, thermostats, and refrigerators. In addition, it includes network devices such as routers and switches. Vulnerabilities fall into three categories:
- We know about it and have a fix or patch. (n-days)
- We know about it but do not have a fix or patch. (n-days)
- We don’t yet know it exists. (0-days)
Sites such as MITRE record the first two types, and together they are known as the Common Vulnerabilities and Exposures (CVE) list. The National Institute of Standards and Technology (NIST) maintains another site that lists known vulnerabilities called the National Vulnerability Database (NVD).
You find vulnerabilities by running vulnerability scans on your network. Good tools, such as Nessus from Tenable, automatically link discovered software to databases of known vulnerabilities. Vulnerability scans report on suspected vulnerabilities but do not confirm that they are exploitable. The next step is to confirm that they are exploitable on a network and take action to protect the systems.
For example, if there is a Microsoft Windows Server 2019 on your network, the vulnerability scanner should discover Zerologon, a problem that can affect this server. The scanner first discovers that there is a Windows Server 2019, and then searches the database for known vulnerabilities.
This scan should discover a CVE at NIST called Zerologon that allows improper privileges. This CVE has a Common Vulnerability Severity Score (CVSS) of 10 out of 10, which means it is as bad as it can get and must be addressed immediately. The CVE page has links to advisories, solutions, and tools. It also points to the Common Weakness Enumeration (CWE) page, which provides even more information about an attack.
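The lookup-and-prioritize step described above, as an added example that is not part of the original article: a scanner inventory (CPE 2.3 names) is matched against CVE records laid out like the NVD API 2.0 JSON and ordered by CVSS base score. All records, hosts and CVE ids below are constructed placeholders, and the matching ignores versions, which is why such results are suspected rather than confirmed findings.

```python
"""Added example: turn NVD-style CVE records into a prioritized fix list."""
from typing import Dict, List

# Constructed inventory as a scanner might report it: host -> CPE 2.3 names.
INVENTORY = {
    "dc01": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"],
    "web01": ["cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*"],
}

# Constructed records in the shape of an NVD API 2.0 response (placeholder ids, not real CVEs).
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003",  # affects a product that is not in the inventory
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:vendor_x:product_y:*:*:*:*:*:*:*:*"}]}]}]}},
]}

def product_key(cpe: str) -> str:
    """'cpe:2.3:part:vendor:product:version:...' -> 'part:vendor:product' (version ignored)."""
    return ":".join(cpe.split(":")[2:5])

def cvss_v31(cve: dict) -> dict:
    """First CVSS v3.1 metric block, or a zero score when the record has none."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"] if metrics else {"baseScore": 0.0, "baseSeverity": "NONE"}

def prioritize(inventory: Dict[str, List[str]], nvd: dict) -> List[dict]:
    """Findings per host, highest CVSS first; CRITICAL (9.0-10.0) is flagged 'immediate'."""
    seen, findings = set(), []
    for host, cpes in inventory.items():
        installed = {product_key(c) for c in cpes}
        for item in nvd["vulnerabilities"]:
            cve = item["cve"]
            matches = (m for cfg in cve.get("configurations", [])
                       for node in cfg["nodes"] for m in node["cpeMatch"])
            if any(m["vulnerable"] and product_key(m["criteria"]) in installed for m in matches):
                if (host, cve["id"]) in seen:
                    continue
                seen.add((host, cve["id"]))
                data = cvss_v31(cve)
                findings.append({"host": host, "cve": cve["id"], "score": data["baseScore"],
                                 "severity": data["baseSeverity"],
                                 "action": "immediate" if data["baseScore"] >= 9.0 else "scheduled"})
    findings.sort(key=lambda f: -f["score"])
    return findings
```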
Red teams, blue teams
There are many different tools and methodologies a business can use to test a network for security vulnerabilities. One method is to simulate an attack on the business, which is also known as a penetration test, or pen test. Businesses employ ethical hackers for this purpose.
When ethical hackers attack a network, they find vulnerabilities specific to that network. What makes these hackers ethical is that they have permission to attack a system. They could prove that the vulnerabilities listed in CVEs exist on the network, or they might uncover misconfiguration or unknown vulnerabilities.
One way to execute a pen test is with red teams and blue teams. The red team uses real hacking tools and attempts to breach existing network defenses. The blue team is an incident response team that uses existing incident response plans, or playbooks, to respond to the active attack.
When these two teams work together in a pen test, the benefits are greater than with a standard pen test. The red team uncovers the vulnerabilities, and the blue team gets to practice responding. Networks will be attacked by real hackers, so it is important for the incident response team to be ready. Practice is critical to that end.
The goal of network security is first and foremost to prevent attacks. When an attack does happen, the first step is to detect it. Once the attack is known, it is important to respond. Triage and assess the damage, understand the scope, and patch vulnerabilities or the path used to execute the attack. This process is commonly referred to as prevent, detect, and respond (PDR).
Prevention entails hardening systems and defending them with security controls. Hardening a system includes the following:
- Patching the system
- Removing the default account if possible
- Changing the default password if it cannot be removed
- Closing unnecessary ports
- Shutting down or removing unnecessary services
- Adding controls such as anti-malware software and firewalls
Detection is done mainly through logs. Systems such as intrusion detection systems (IDS) watch traffic pass by and record suspicious activity. The system logs activity and sends it to a syslog server. A security information event manager (SIEM) parses and correlates the logs and alerts security personnel to indicators of compromise (IoC). The security department or incident response team then takes action to determine whether it is a real compromise, and corrects the environment to prevent it from happening again.
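The correlation step a SIEM performs, as an added example that is not part of the original article: a single rule run over constructed syslog lines from sshd that alerts when one source address produces several failed logins and then an accepted one, an indicator of compromise that the response team would triage. The threshold, window, hostnames and addresses are assumptions for the example.

```python
"""Added example: a minimal SIEM-style correlation rule over syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional

THRESHOLD = 3                  # failures that make a following success suspicious (assumed)
WINDOW = timedelta(minutes=5)  # failures older than this no longer count (assumed)

# Constructed sample in classic syslog format; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jan 12 03:14:14 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 12 03:14:20 web01 sshd[2212]: Accepted password for root from 203.0.113.5 port 51025 ssh2
Jan 12 03:20:01 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 12 03:20:30 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(line: str) -> Optional[dict]:
    """Parse one sshd authentication line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year; fine for a window
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}

def correlate(log_text: str) -> List[str]:
    """Return alert strings; state is a sliding window of recent failure times per source IP."""
    recent_failures = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= THRESHOLD:              # success after a burst of failures
            alerts.append(f"{ev['host']}: {len(q)} failed logins then success "
                          f"for {ev['user']} from {ev['ip']}")
            q.clear()                          # one alert per burst
    return alerts
```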
Response may be as simple as downloading a patch to a system, but it could also take a great deal of work. It might be necessary to analyze existing configurations within firewalls, intrusion prevention systems (IPS), routers, and all the other network and security software and devices to figure out what is incorrectly configured.
A response can also be adding new or different security tools to the network. That can be an extensive process that includes building a business plan.