Thursday, March 3, 2022

Potential Security Threats North American Businesses Could See in 2022 and What to Do About It

Current geopolitical events have most people and businesses concerned, as evidenced by political protests, stock market performance, and questions raised around new government restrictions for businesses. While the simple fact is that most individuals can’t do much about the conflict, North American businesses can, and should, immediately put self-protection mechanisms into action. Even though the physical fighting may be located in Eastern Europe, cyber warfare is a global event. Businesses need to take heed now and immediately do what they can to protect themselves.


Let’s look at what that could mean.


The past is often a predictor for the present

Given the current geopolitical environment in Eastern Europe, it is worth reviewing what has been seen in the past. DDoS attacks are a common weapon used against government websites and businesses to prevent commerce from taking place. In 2007, for example, Estonia was hit with repeated DDoS attacks that disrupted government communications and businesses such as financial institutions.


Other security threats include actual intrusion into networks. In 2015, the German Bundestag network was breached and its data sifted through as part of an espionage campaign against German leaders and NATO.


A third type of attack is the electronic crippling of cities or countries. These attacks usually target financial entities (banks and so forth) or critical infrastructure. Another example from 2015 involves Ukrainian power systems. In this instance, the power system operators were locked out of their own systems and power was disconnected to approximately 235,000 homes.


A fourth type of attack involves interference in government elections. This can take the form of polling-station systems being infected with malware and data being wiped or replaced with false data. Another manifestation is fake news planted on social media to influence voters. In May 2014, Ukraine’s national election commission was taken down by a hacker just days before a major election.


The 2016 election cycle in the United States is also a clear example of this. There was election interference against the US from Eastern Europe that involved the posting of misinformation and deep fake articles. More information is available in this article — FBI Agrees with CIA Assessment That Russia Wanted to Help Trump.


A fifth type of attack (ransomware) appeared in 2017. The NotPetya ransomware attack was first launched at Ukraine but then spread across the world. In 2021, other ransomware attacks were launched — some specifically at United States infrastructure like the Colonial Pipeline breach and the JBS meat processing plant.


New ransomware varieties, like WhisperGate, have been unleashed in Eastern Europe within the last several months (2021) against specific entities. WhisperGate is data-wiping malware: it wipes the master boot record and then downloads a DLL that destroys other files on the infected machine.


Should anyone be wondering if a ransomware attack in North America is still an issue in 2022, please read this — FBI says the BlackByte ransomware group has breached critical US infrastructure. Critical infrastructure in the United States (and probably the rest of North America) is still vulnerable. Steps should be taken now to limit the risk.


So, here is a summary of several security attacks that North American businesses can expect and should prepare for:

· DDoS attacks to interfere with communication and business ecommerce

· Hacking to facilitate corporate (and government) espionage

· Hacking to sabotage and disrupt critical systems like utilities, pipelines, and manufacturing/processing plants

· Potential interference with the United States 2022 mid-term elections

· Ransomware attacks to cause confusion and damage to commerce, hospitals, and critical infrastructure


WRITER’S SIDE NOTE — the above list of attacks and examples is not intended to be an all-encompassing list. These are just point examples of what has occurred in the past and might occur in the future.


What can be done from a general government perspective?

In addition to focusing on beefing up government network security, the United States government has launched a civilian plan called “Shields Up”. The purpose of the plan is to help shore up critical infrastructure and key US businesses. Unfortunately, most critical infrastructure facilities are civilian, which means that the companies need to perform the upgrades and implement security updates themselves. The management teams for those entities must heed the call and prioritize the security of their networks.

Individual businesses can, and should, update their defenses as well. Attacks against North American food, gas, financial networks, transportation networks, power generation and distribution networks, government websites, hospitals and healthcare businesses, and many more industries can be expected. As mentioned earlier, recent attacks like Colonial Pipeline and JBS show that this is not some “abstract thought” or “hyperbole.” The threat is real and has already happened in the past.

In general, businesses should consider initiating their own cyber security defense plan, like what MSN reporting suggests here. Besides just shoring up defenses, businesses should start looking for signs of intrusions and setting up a way to create “manual overrides” to security threats and intrusions. After that, it falls upon the business to determine what can and should be done.


What can you do, specifically, to strengthen your network?

The question always gets down to what specifically can YOU do to strengthen your cyber security architecture. Unfortunately, a lot of this is security architecture dependent and industry risk dependent. However, here are some simple but effective general guidelines.

Start immediately with a simple plan that works with whatever other architecture guidelines you follow (NIST Cybersecurity framework, MITRE ATT&CK framework, Defense in Depth, Zero Trust, etc.). Effective simplicity is one of the best techniques because it ends up being an approach that you can maintain. Elaborate, complicated architectures that are designed to “kick the crap” out of security attacks can become too high maintenance and too complicated to stay effective long term.

Here is one, simple 3-point plan to consider:

  1. Prevention – Reduce as many threats entering the network as possible

  2. Detection – Find and quickly remediate intrusions that are discovered within the network and implement a cyber resilience plan for successful breaches

  3. Vigilance – Whether you trust or don’t trust, periodically test your defenses to ensure that they are actually detecting and blocking threats

Let’s look at the suggestion in more detail. Step 1 is about preventing as many intrusions into the network as possible by implementing a solid security architecture. Simply put — do what you can to stop the threat(s). This due diligence will be worth its weight in gold in stopping a significant number of attacks. Inline security solutions using an IPS, WAF, TLS decryption, and other technology are good examples of a best practice.


Step 2 is about finding intrusions on your network and quickly remediating those issues. The faster you find the problem, the safer you are. This is extremely important as the Ponemon Institute finds every year that it takes way too long to identify breaches on the network. For example, the 2021 Ponemon Institute Cost of A Data Breach report found that it took businesses an average of 287 days to identify and contain a data breach. This gives bad actors way too much time to do their dirty work.


Step 3 is about periodically validating that your security architecture is working as designed. This means using a breach and attack simulation (BAS) solution to safely and repeatedly check your defenses against real-world threats. Your network changes throughout the year, so you need to know that a new hardware upgrade, software upgrade, or configuration change didn’t break anything.


The following is a detailed list of actions that security engineers and architects can take based upon each of those three steps.


Preventative Actions:

1. Review your cybersecurity and infrastructure plan, including your escalation plan. Are they up to date? Who has what specific responsibilities? Are there any disconnects between systems?

2. Ask senior management and the CISO to send reminders to employees about potential phishing attempts intended to capture credentials and gain access to the network. The first key message to employees – “never click on the links.” The second message to employees is that they will not be punished for reporting phishing or mistakes that could have led to a compromise. Maybe they should even get a reward? The key point here is that people make mistakes. If they think they will get reprimanded if they report their mistakes, then they never report anything, which actually does more potential harm to the network by obscuring important facts.

3. Make data backups now and continuously. These backups need to be stored on removable media, i.e., “off network,” so that they can’t be contaminated. You want the data and system configurations handy though. If ransomware or other malware is encountered that you can’t get rid of, you want to be able to go “nuclear” and simply wipe the whole system clean and then reinstall programs and data right away. Some data will be lost with this approach, but if the backups are frequent enough, this can be a very fast and minimally painful remedy.

4. Implement upgrades and patches. If you are new to the organization, test your security tools in a lab using a security tester like BreakingPoint to make sure (or determine) that your equipment is fortified to handle known security threats like DDoS, malware, viruses, etc. You want to look for architecture vulnerabilities and to determine the EXACT performance (not data sheet specs) of the types of equipment (firewalls, IDS, IPS, WAF, threat intelligence gateways, etc.) within your network.

5. Upgrade/optimize your inline security protection solutions. Deploying security tools like an IPS, WAF, etc. is very effective at preventing threats from entering your network. However, you need external bypass switches and network packet brokers (NPBs) to optimize those solutions. Bypass switches allow you to maintain business continuity for your network and inline security tools. NPBs further enhance this solution with n+1 load balancing, internal data packet decryption, and enhanced data manipulation.

6. Install threat intelligence gateways to augment firewalls. Firewalls are good, but it’s even better to have help from purpose-built devices that provide rapidly updated whitelist or blacklist IP addresses and geographies for you. The purpose here is to remove the human element and use automation to limit threats. Since attacks are constantly “popping up” from new IP addresses, most security engineers simply cannot keep up with the list on a daily basis. Automated threat intelligence gateways fill this need.

7. Deploy TLS 1.3 decryption. It is estimated that 70% or more of security threats are now hidden within encrypted data packets. If you can’t look into the packets, you’re flying blind – so expect a horrific “crash and burn” scenario without TLS decryption functions.
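Preventative action 3 above only pays off if the off-network copy can actually be restored, so the following added example (not part of the original post or of any vendor's product) shows a backup with a SHA-256 manifest and a restore drill that verifies every restored file. The directory names and configuration files are constructed for the example; the archive-member check is a generic safeguard against archive entries that try to escape the restore directory.

```python
"""Added example: back up a configuration tree with a SHA-256 manifest and run a
restore drill that proves the copy is intact before you ever need it.
All paths and file contents below are constructed for the example."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Archive every file under src_dir and return {relative_path: sha256}.
    Keep the manifest with the archive on the removable media."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def extract_archive(archive: Path, restore_dir: Path) -> None:
    """Write archive members under restore_dir, refusing names that could escape it."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if os.path.isabs(m.name) or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe archive member: {m.name}")
            if not m.isfile():
                continue
            out = restore_dir / m.name
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(tar.extractfile(m).read())


def check_against_manifest(manifest: dict, restore_dir: Path) -> list:
    """Return the relative paths that are missing or whose hash differs from the manifest."""
    problems = []
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.is_file() or sha256_file(target) != digest:
            problems.append(rel)
    return problems


def restore_drill() -> dict:
    """Build a constructed config tree, back it up, restore it, then show that a
    silently altered restore is caught by the manifest check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "etc"
        (src / "app").mkdir(parents=True)
        # Constructed sample configuration files
        (src / "app" / "config.yaml").write_text("listen: 0.0.0.0:8443\ntls: required\n")
        (src / "firewall.rules").write_text("default deny inbound\nallow tcp/8443\n")

        archive = tmp / "etc-backup.tar.gz"
        manifest = create_backup(src, archive)

        clean_dir = tmp / "restore-clean"
        extract_archive(archive, clean_dir)
        clean_problems = check_against_manifest(manifest, clean_dir)

        # Simulate a restore that was tampered with or corrupted on the way back in
        damaged_dir = tmp / "restore-damaged"
        extract_archive(archive, damaged_dir)
        (damaged_dir / "firewall.rules").write_text("default allow inbound\n")
        damaged_problems = check_against_manifest(manifest, damaged_dir)

        return {
            "files": len(manifest),
            "clean_problems": clean_problems,
            "damaged_problems": damaged_problems,
        }


if __name__ == "__main__":
    print(restore_drill())
```

Run the drill on a schedule, not just once: the point of the manifest is that a restore you never verified is a restore you cannot trust when the system has just been wiped.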


Detection

1. While log files can be erased by certain types of malware — packets don’t lie. Network packet brokers should be used to capture the right security data and relay it to out-of-band security tools, like an IDS, DLP, etc. These tools can then analyze those packets to find indicators of compromise.

2. Deploy threat hunting tools, like Viavi, to actively look for on-premises and cloud-based threats. For any threat hunting tool to be effective, it needs to see ALL of the data. Seeing part(s) of the data isn’t good enough. The tool needs everything, or it will miss intrusions. This is why you need to deploy data taps at critical points across your network and then use a network packet broker to aggregate and filter that content so that your security tools (IDS, DLP, SIEM, etc.) get exactly the right data at the right time to properly flag any anomalies or suspicious activities. The tap and packet broker combination gives you the visibility you need so that your security tools are as successful as possible. At the same time, you also need lossless visibility. You don’t want to add just any packet broker. Depending upon their design, some packet brokers (like ones that use CPUs to process advanced functionality) drop packets, i.e., they “lose” data. This means that you could be missing up to 60% of your security threats and not even know it. So, packet broker selection is critical.

3. Use application intelligence to look for indicators of compromise. Flow data can provide some general information, but you still need a deeper look. You can get this from application data, i.e., Layer 7 packet data. This allows you to see how applications in general are flowing across your network and also if there are specific problems. For instance, is there a DNS or NDP packet flood attack happening? You can literally see it by using a network packet broker that supports this application intelligence function.

4. Reinforce your cyber resilience plan. If you do get attacked, how do you get back to normal operations as fast as possible? There are many possible components to this plan. Here are a few to consider:

a) Optimize network continuity with external bypass switches and heartbeat messaging. These devices can be set to Fail Open or Fail Closed, as you choose. The reason for an external bypass is that if you have to completely replace a security tool (and you are relying upon an internal bypass), then your network goes down during the changeout.

b) Inline and out-of-band network packet brokers using load balancing and n+1 survivability allow you to maintain operations during “impaired” network situations. The right choice of packet brokers also provides reversion capability which means that they can automatically sense when out of service security tools become operational again (i.e., if a security tool does a reboot and comes back online). This provides a “self-healing” component to your security architecture.

c) Inline packet brokers with Active-Active processors provide enhanced business continuity without loss of data. Active-Standby solutions will lose data while the standby processor comes online.

d) The ability to completely simulate the attack in your labs to validate any fixes is especially important. This is where you need a security threat generator, like BreakingPoint, to faithfully reproduce the security attack in your lab so that you can determine whether your security fix actually works. The last thing you want is to shoot yourself in the foot by rolling out a security fix that doesn’t work. This could lead to another successful attack/breach and be a career limiting event for yourself.

e) Something else to consider is network packet brokers that support integration to SIEMs. This allows your network to support automation to collect data faster and thwart security attacks as fast as possible.

f) Start conducting cyber range training exercises so that you can recognize and respond to attacks faster. It’s one thing to suspect that a certain type of attack has happened, or is happening, and another to be able to “see” the indicators of different types of attacks in real time. Practicing in a cyber range to see these attacks is critically important. While you may not be able to tell a Petya attack from Ryuk, you can at least narrow down your search to the fact that it is probably a ransomware attack and proceed forward with that information.
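Detection items 1 through 3 above describe feeding Layer 7 packet data from taps and a packet broker to an out-of-band tool so that a DNS or NDP flood is visible rather than inferred. The following added example (not part of the original post or of any vendor's product) is a small rate-based detector over packet metadata: a per-source sliding window that raises an alert the moment a source exceeds a threshold within the window, plus the per-application packet mix. The packet records are constructed for the example, and the thresholds are illustrative assumptions to be tuned to your own baseline.

```python
"""Added example: per-source sliding-window flood detection over Layer 7 packet
metadata, the kind an out-of-band tool receives from taps and a packet broker.
All packet records below are constructed for the example."""
from collections import Counter, defaultdict, deque


def build_sample_packets():
    """Constructed packet metadata as (timestamp_s, src, dst, l7_proto, detail)."""
    pk = []
    # A normal client: five DNS queries spread over ten seconds plus one HTTP request
    for i in range(5):
        pk.append((0.0 + 2.0 * i, "10.0.0.5", "10.0.0.53", "DNS", "query example.com"))
    pk.append((0.5, "10.0.0.5", "203.0.113.10", "HTTP", "GET /"))
    # A DNS query flood: fifty random-subdomain queries within half a second
    for i in range(50):
        pk.append((3.0 + 0.01 * i, "10.0.0.77", "10.0.0.53", "DNS", f"query {i}.rnd.example.net"))
    # An NDP neighbor-solicitation flood on the IPv6 segment: thirty in 0.6 s
    for i in range(30):
        pk.append((5.0 + 0.02 * i, "fe80::1:bad", "ff02::1:ff00:0", "NDP",
                   f"neighbor solicitation 2001:db8::{i:x}"))
    # One legitimate neighbor solicitation from another host
    pk.append((6.0, "fe80::1:5", "ff02::1:ff00:5", "NDP", "neighbor solicitation 2001:db8::5"))
    return pk


def application_mix(packets):
    """Packets per Layer 7 protocol: the 'how are applications flowing' view."""
    return Counter(p[3] for p in packets)


def detect_floods(packets, proto, threshold, window_s, match=None):
    """Sliding-window rate check per source for one Layer 7 protocol.

    Only packets whose detail starts with `match` (e.g. "query") are counted when
    it is given, so DNS responses from the resolver are not charged to the client.
    Returns {src: (window_start_ts, count)} captured at the moment a source first
    reaches `threshold` packets within `window_s` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, _dst, l7, detail in sorted(packets, key=lambda p: p[0]):
        if l7 != proto or (match and not detail.startswith(match)):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], len(q))
    return alerts


if __name__ == "__main__":
    packets = build_sample_packets()
    print("application mix:", dict(application_mix(packets)))
    print("DNS query floods:", detect_floods(packets, "DNS", threshold=20, window_s=1.0, match="query"))
    print("NDP floods:", detect_floods(packets, "NDP", threshold=20, window_s=1.0))
```

The same window logic serves any protocol the broker can label, which is the practical value of application intelligence: one detector, keyed on the Layer 7 field, instead of a separate parser per attack type. A real deployment would feed it from the broker's export rather than a list, and the alert tuple (first timestamp in the window, count) is exactly what a SIEM correlation rule needs.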


Vigilance

1. Every network has security issues. You know it, I know it, and hackers know it. You need to hack yourself before someone else does it. A straightforward and fairly easy way of doing this is to perform breach and attack simulations (BAS). Pen testing is only good for a point in time and is typically expensive. You need repeated and continuous evaluations.

2. You need to be able to answer executive questions as well as your own. For instance, what systems were updated recently (both hardware and software)? Did these new changes adversely affect the security architecture? You need to know, not just assume, that everything is okay. Once a few weeks or months have passed, new weaknesses will probably exist. There is a reason why businesses continue to be hacked, even though those businesses invest in security solutions.

3. If you’re a new security engineer to a business, BAS gives you a way to check and see if routine patch maintenance has been conducted. For instance, maybe a patch wasn't applied or was applied incorrectly. How would you know unless you performed an extremely time-consuming audit of all of your equipment?

4. And crucially, were the right fixes applied if a vulnerability was found? For these reasons and more, you need to use a BAS solution to determine the current strength of your defenses.


Hopefully this blog has given you some things to consider. If you’re looking for help, Keysight offers many solutions that could be beneficial like:


· Security threat testers like BreakingPoint

· Network taps like Flex Taps

· External bypass switches like iBypass

· Network packet brokers like Vision ONE

· Application intelligence like AppStack

· Threat Intelligence gateways like ThreatARMOR

· TLS decryption like SecureStack

· Breach and Attack simulators like Threat Simulator


See for yourself how Keysight’s solutions can significantly enhance your company’s security architecture.

Monday, February 28, 2022

Nothing Worse Than a Stale Tool

There is nothing more frustrating than picking up a tool only to find that you can’t use it, or it’s not working as expected.


In this day and age, network tools have evolved into basic computers, with an operating system, memory, a processor and software.


Not only do you need to ensure that your tools are physically in good shape, with no damage to the connectors or the screen, you also need to ensure that the software is up to date. Many times these tools will sit in a bag in a closet or storage room for months before you pick them up. I can’t tell you how many times I thought I found something weird on the network, only to find out it was a bug in the old software in the tool.


I can also tell you that many times when I appear on-site to help a client, we spend way too much time looking for their tools. I can't tell you how many times I am told that the tools have disappeared, so I have gotten in the habit of bringing my own tools even if I'm told not to bother.


I would suggest that you make a reminder in your calendar every three or four months to review all your tools to ensure that all the cables, power supply, documentation, and more importantly, the software is up to date. Once a year would be a good time to check if you are up to date with your support contracts and train/refresh staff on when and how to use the tools.


In this video, I show you how I keep my Profitap IOTA up to date. If you find that your upgrade process is not obvious or straightforward, I would encourage you to create a small write-up on how to do it. In this case, as you can see it’s a fairly straightforward process.


I would also encourage you to double-check that the update was successful and that nothing else breaks during the upgrade process.



Wednesday, February 23, 2022

AirCheck™ SSID AP Troubleshooting

It is quite common to have several physical access points supporting the same SSID. Every vendor has its own way of handling handoffs, and in most cases it works pretty well. But what do you do when you suspect one access point is causing an issue?


I don’t care which operating system you are using; it is very difficult to select one physical access point to connect to. I should know, I tried for hours with Android and several Windows applications with no luck.


In this video, a client had an issue where their users complained that they intermittently couldn’t get internet access. That’s when I remembered my previous point. How can I troubleshoot this? In the past, I would physically power off access points to test this theory, but today I had my NetAlly AirCheck G2 and thought I would give it a try.


Fortunately, it was pretty straightforward. I configured my wireless security settings and manually connected to the access points. In the video below you will see that it only took a few minutes to determine that one of the access points was not passing DHCP. It would have taken me about an hour to physically or virtually trace the connections alone.


After some more investigative work, I determined that the access point was a new access point on a VLAN that did not have any DHCP configured. We simply changed the VLAN configuration and, boom, internet.


Of course, I took an extra 10 minutes to confirm that all the access points forwarded DHCP packets, not just the one we worked on.




Monday, February 21, 2022

Nirsoft's WhoisConnected Review

Thought I would try out this “who is connected” utility from www.nirsoft.net. I am a big fan of Nirsoft because their utilities are specific, small, portable and ad-free, and their support is responsive.


From the readme file:

“WhoIsConnectedSniffer (https://www.nirsoft.net/utils/who_is_connected_sniffer.html) is a network discovery tool that listens to network packets on your network adapter using a capture driver (WinpCap or MS network monitor) and accumulates a list of computer and devices currently connected to your network. WhoIsConnectedSniffer uses various protocols to detect the computers connected to your network, including ARP, UDP, DHCP, mDNS, and BROWSER.

For every detected computer or device, the following information is displayed: (Some of the fields might be empty if the information cannot be found inside the packets) IP Address, MAC Address, name of the device/computer, description, Operating System, Network Adapter Company, IPv6 Address.

After collecting the connected computers/devices information, you can easily export the list to tab-delimited/comma-delimited/xml/html file.”


I wanted to see if the software truly listens or if it queries devices to determine more information. So I configured Wireshark with an IP address of a random device – a wireless router acting as an access point – and was surprised to see that it sent out a Browser Announcement and SMB Domain Enumeration. Why would it do this when I have no storage installed and no protocols configured?




