Tech Tidbit – Hacker’s Bag of Magic Tricks – Clean IPs

September 30th, 2024

"Reality is merely an illusion, albeit a very persistent one."

-Albert Einstein

"You live in a world of illusion Where everything's peaches and cream. We all face a scarlet conclusion, But we spend our time in a dream."

-Jungle Love, Steve Miller Band

Ignorance is not bliss when it comes to network security. Threat actors love to hide their activities. The attack du jour on our networks is the "Living off the Land" attack, where the attackers purposely don't download "hacker tools" to explore your network and instead use the administrative tools already on it (PowerShell, WMI, remote management utilities) to do their reconnaissance, leaving nothing new for your antivirus to catch.

I have spent a lot of time on this topic lately, so I will switch gears and talk about the attackers outside your network who are trying to get in.

One of the go-to techniques hackers use is "attack surface mapping." This is where attackers look up, in consolidated form, everything publicly known about your domain on the Internet: DNS entries, how your email is configured (your SPF, DKIM, and DMARC records), devices and services advertising themselves on the Internet, and your domains and sub-domains.

They are looking for a crack in your defenses: perhaps an internet-facing service you forgot to update, or exactly how your email is set up so they can craft a better phishing attack and launch a business email compromise (BEC). You should periodically review your own external attack surface the same way. There are many services online that will do it for you. If you are one of our accounts subscribing to one or more of our services, I am happy to run that for you and share the results.
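As an added illustration (not part of the original article), here is a check of the kind an attack-surface-mapping service runs against your email configuration: it parses SPF and DMARC records and reports the gaps an attacker would rely on to spoof your domain in a phishing or BEC campaign. The domain names and TXT records below are constructed; point `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain` at your own domain to get real ones.

```python
"""Check a domain's published SPF and DMARC records for the gaps an attacker
doing attack-surface mapping looks for before a phishing or BEC campaign.

Added example, not part of the original article. The records below are
constructed stand-ins for what `dig TXT example.com` and
`dig TXT _dmarc.example.com` would return; swap in real lookups to check
your own domain.
"""
import re

# Constructed sample records (assumption: shaped like real DNS TXT answers).
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    },
    "weak.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "open.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no _dmarc record published at all
    },
}

# Mechanisms that cost a DNS lookup when the receiver evaluates SPF (RFC 7208 caps it at 10).
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|exists|redirect)(?:[:=/].*)?$", re.I)


def check_spf(record):
    """Return a list of findings for an SPF TXT record (None means none published)."""
    if record is None:
        return ["no SPF record: any host can send mail as this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["malformed SPF record"]
    findings = []
    mechanisms = record.split()[1:]
    # The 'all' mechanism decides the fate of senders that matched nothing else.
    all_terms = [m for m in mechanisms if m.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders are not failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF '+all': every host on the Internet is an authorized sender")
        elif qualifier == "?":
            findings.append("SPF '?all' (neutral): spoofed mail is neither passed nor failed")
        elif qualifier == "~":
            findings.append("SPF '~all' (softfail): spoofed mail is usually delivered, just marked")
    lookups = sum(1 for m in mechanisms if LOOKUP_MECH.match(m))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror")
    return findings


def check_dmarc(record):
    """Return a list of findings for a _dmarc TXT record (None means none published)."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is delivered and only reported")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is not valid; receivers ignore the record")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: you never see who is spoofing you")
    return findings


def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return {"spf": check_spf(records.get("spf")),
            "dmarc": check_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, assess(records))
```

A domain that comes back clean here (hard-fail SPF, DMARC at p=reject with reporting) gives the attacker little to work with; one at p=none with a softfail SPF tells them spoofed mail from your own domain will land in your users' inboxes.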

Then you, or someone you hire, need to actively monitor what is attempting to enter your network through your firewall.

There are a couple of ways to approach this. First, your firewall produces logs that you should send to a Syslog server so you have historical forensic data that an intruder cannot erase by wiping the firewall. Someone in your organization then needs to review those logs for potentially malicious traffic, generally through a combination of human and machine analysis.

CSI has a firewall service to review significant events for you and report the items you need to address. We also have our Syslog service to help you maintain forensic logs from switches, firewalls, endpoints, and Active Directory to help you adhere to EdLaw 2-d and NIST CSF standards.

Then there is geo-blocking, which is simply telling the firewall you won't accept traffic from countries you have no business with: Serbia, Brazil, Russia, etc. Often, an attacker takes their first shot from a known malicious IP or a blocked country. If the firewall stops it, they reach into their magician's bag of tricks.

The bad IP goes away, and suddenly a compromised Optimum cable modem in Yonkers, NY, is knocking at your door, attempting to breach your network. This is "proxy as a service" (also sold as "residential proxies"): you go onto the dark web and buy access to hacked modems and routers and route your malicious traffic through them. It is extremely cheap, so it is standard fare in their playbooks, and to your firewall the connection now comes from a U.S. residential address that is on no blocklist. The hacker has, in minutes, completely negated geo-blocking as a defense.

However, there is something even more nefarious that hackers are now doing.

Hackers are buying "clean IPs."

We know that reputation-based controls such as Cisco Umbrella's DNS filter, or even the free version of OpenDNS, filter out "known malware sites," and that your firewall's threat feeds block "known bad" IPs. But a list can only contain what has already been reported. So now hackers go to legitimate hosting vendors, rent a freshly provisioned IP from a reputable place that is on no list at all, and launch their attacks from it!

Now geo-blocking and reputation-based filtering have both been circumvented as defenses.

How exactly are you supposed to protect your network if two of your top-line defenses are already gone?

There are two answers:

First, look for behavior. The classic example is the "impossible login" or "impossible travel." If I sign on from a local ISP in Poughkeepsie and then five minutes later sign on from an ISP in Virginia or Tunisia, that really can't be me; no one moves that fast. Most likely something bad is going on, and that is a "shields up" moment. Keep in mind that VPNs, mobile carriers, and cloud proxies can make a legitimate user appear to jump locations, so the alert is a prompt to verify, not proof by itself. It is also hard work looking through firewall logs or M365 or Google logs by hand, and it is unlikely that you will catch this traffic in real time.
Second, have a SOC watching all these disparate telemetry feeds 24x7x365 and correlating seemingly disconnected events to identify an attempted or actual breach. Through a combination of human analysts and AI automation, these SOC services can identify the source and automatically block it so it is no longer a threat to your network. No action is required on your part; it just happens. They constantly monitor your network's inside and outside perimeters and block the bad guys before they can do bad things to your network. Either way, actively monitoring and logging your firewall traffic is not optional.
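Here is the impossible-travel check described above, as an added example that is not code from the original article: it walks a sign-in log in time order, geolocates each source IP, and flags any account whose consecutive sign-ins would require travelling faster than a commercial flight. The sign-in records and the IP-to-city table are constructed for the demo; in practice the table is a GeoIP database and the records come from your M365, Google, VPN, or firewall logs. The `ignore_ips` parameter is my addition for the VPN-egress case that would otherwise produce false positives.

```python
"""Flag 'impossible travel': one account signing in from two places farther
apart than anyone could have moved in the time between the sign-ins.

Added example, not part of the original article. The sign-in records and the
IP-to-location table are constructed for the demo; in practice the locations
come from a GeoIP database and the records from your M365, Google, VPN or
firewall logs.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # faster than any commercial flight, airport time ignored

# Constructed IP -> (place, latitude, longitude), standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": ("Poughkeepsie, NY", 41.7004, -73.9210),
    "203.0.113.77": ("Yonkers, NY", 40.9312, -73.8988),
    "198.51.100.5": ("Ashburn, VA", 39.0438, -77.4874),
    "192.0.2.44": ("Tunis, TN", 36.8065, 10.1815),
}

# Constructed sign-in log: (ISO timestamp, user, source IP).
SIGNINS = [
    ("2024-09-30T08:00:00", "alice", "203.0.113.10"),
    ("2024-09-30T08:05:00", "alice", "192.0.2.44"),    # Tunis five minutes later
    ("2024-09-30T09:00:00", "bob", "203.0.113.10"),
    ("2024-09-30T09:40:00", "bob", "203.0.113.77"),    # Yonkers 40 minutes later: a plausible drive
    ("2024-09-30T10:00:00", "carol", "203.0.113.10"),
    ("2024-09-30T10:08:00", "carol", "198.51.100.5"),  # Virginia eight minutes later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, geo, max_speed_kmh=MAX_SPEED_KMH, ignore_ips=frozenset()):
    """Return (user, from_place, to_place, minutes_apart, implied_kmh) for each
    consecutive pair of sign-ins that would require travelling faster than
    max_speed_kmh. IPs in ignore_ips (for example your own VPN egress) are
    skipped so a user hopping onto the corporate VPN does not raise a false alarm."""
    alerts = []
    last_seen = {}  # user -> (timestamp, ip) of their previous sign-in
    for ts_str, user, ip in sorted(signins):
        if ip in ignore_ips:
            continue
        ts = datetime.fromisoformat(ts_str)
        if user in last_seen:
            prev_ts, prev_ip = last_seen[user]
            if prev_ip != ip and prev_ip in geo and ip in geo:
                here, there = geo[prev_ip], geo[ip]
                distance = haversine_km(here[1], here[2], there[1], there[2])
                hours = (ts - prev_ts).total_seconds() / 3600
                # Two sign-ins in the same instant from different places is infinite speed.
                speed = distance / hours if hours > 0 else float("inf")
                if speed > max_speed_kmh:
                    alerts.append((user, here[0], there[0], round(hours * 60), round(speed)))
        last_seen[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS, GEO):
        print("ALERT %s: %s -> %s in %d min (%d km/h)" % alert)
```

Alice (Poughkeepsie to Tunis in five minutes) and Carol (Poughkeepsie to Ashburn in eight) trip the check; Bob's drive to Yonkers does not. Microsoft 365 and Google Workspace already compute a version of this signal for you (Entra ID calls it "atypical travel"), but the logic is the same, and running it yourself over VPN and firewall logs catches the accounts those platforms never see.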

One way or another, you must do it.

CSI has some proven systems and services to help get this vital work done without going insane.

It isn't magic to us. It is what we do every day to help keep you safe.

If you'd like to discuss how to better protect the outside of your network (or any other part), please contact us. We can discuss your options.

-Scott Quimby, CISSP