The Cyber Attack is Coming from Inside the Network
By Chris Phelan and Peter Bahas, Keysight Technologies
Monday, 02 May, 2022
Remember the horror movie where the babysitter finds out she is being harassed by calls that are coming from inside the house? Well, here’s a real-life threat to come to grips with: most modern cyber-attacks are being launched from inside “secure” networks.
A number of factors have significantly increased the danger of attacks spreading insidiously from inside the network.
- Remote work and hybrid work structures — More employees are accessing corporate networks and applications using personal (or BYOD) devices as business devices.
- Apps for Work — There are millions of work-related applications and new ones crop up every day – some with attacks hidden within.
- Widespread use of social media, texts and embedded links on devices used for work — This activity regularly opens the gateway to infection and attack via malicious links and messages designed to look like they are being shared by authenticated users.
- Increased use of IoT and Industrial IoT — Every other device is connected to corporate network infrastructures. These devices often provide critical systems control but don’t have the “smarts” or computing resources to thwart attacks.
Too many “trusted” and “authenticated” devices have been given unfettered access to enterprise networks, providing conduits for attackers to bypass perimeter security.
Australia’s public sector must gain and maintain greater visibility within its networks to monitor for, detect and prevent cyber-attacks. Network fortification combined with a Zero-Trust approach is the way forward to strengthening your cyber security position.
The Dangers Within
Devices are easily compromised by users clicking on malicious links. In the absence of Zero Trust, these previously authenticated, trusted devices have access inside the network and are used to launch attacks. What do insidious attacks from within look like? Here are some examples.
- APTs. Cyber criminals can hit your company with Advanced Persistent Threats (APTs), using that initial point of ingress as a launch pad for attacks that spread across internal trusted network corridors. Most networks are porous — they have a lack of visibility, too many unsecured access points, and a prevalence of trusted devices. Once a hacker compromises one device with network access or identifies a web server left open to the internet, the attack can be propagated within that initial network and even jump across into another connected network. Perimeter security does nothing to detect APTs. Research shows that such incursions can remain undetected for months or years, while criminal activity pilfers away business intelligence, client data, financial information, etc.
- Drive by Downloads: Cyber criminals can gain Command and Control access to a server within your network once a legit-looking link is clicked and triggers a malicious download to a trusted device. Criminals can also hide malicious code inside legitimate programs and applications. The user downloads an app, and it works, but they’ve also downloaded hidden malware which infects their device and then the network. Criminals use Drive by Downloads to install keystroke loggers, rootkits, and bots designed to infect a host, gain privileged access (usernames and passwords) and capture sensitive information. Successful infection is typically followed by deeper penetration across internal network avenues.
- DoS: Connected IoT devices inside trusted networks are often hijacked and used for Denial of Service (DoS) attacks from within the network. They are common and easily accomplished, and can swiftly prevent the performance of key functions, exhaust network resources, deny network access and more.
3 Ts of Public Sector Network Fortification
Three key approaches can help fortify your network to battle today’s sophisticated cyber-attacks.
Trust. (Zero Trust.)
Any modern enterprise network is challenging to secure thanks to increasing network speeds, hybrid cloud deployments and limited budgets. The myriad networks strung together to make up Australia’s public sector compound the issue with a complex web of inter-departmental traffic that simply cannot be trusted.
Adopting a Zero Trust approach dictates that all devices and users that try to access the organisation’s network, data, applications and digital services must be verified each and every time. No device is trusted by default, even if it is internal or previously verified.
Many cybersecurity tools can be leveraged to design a Zero Trust architecture, such as next-generation firewalls (NGFW), security information and event management (SIEM), and asset discovery tools. You’ll also need a modernised network with intelligent network visibility to eliminate blind spots and ensure the network is delivering the data your security tools require to detect threats.
When an IT team works to understand a cyber-attack, they typically must rely on logs and flow records, which are summaries of events or notifications from a variety of security devices within the network and can be challenging to correlate. IT departments usually don’t have access to the actual communications or actions involved in the attack itself.
Hackers know how to erase or encrypt logs and flow records, so the available data is often incomplete. It can be difficult to identify the extent of what an attack has accomplished or stolen.
To see the complete anatomy of an attack, and to put ongoing monitoring in place to prevent such insidious attacks, you need access to the network packets themselves, which give you a complete picture of the actual code within the communications that initiate and propagate attacks.
Taps.
Network Taps are used to see the complete anatomy of an attack: the conversations, the actual frames including the metadata which represent those conversations. Instead of simply knowing that a person from point A accessed your network at point B, you can “listen” to a full recording of the conversation between the hacker and your infrastructure. Network taps are invisible in the network; hackers will never know you are recording and watching their activities.
Testing.
In addition to performance verification, Network Testing helps to ensure effective network security, allowing you to validate security tools, discover vulnerabilities in security posture, and get step-by-step remediation instructions.
The threat landscape is dynamic, so building and testing a robust security infrastructure is not a one-time event. Your security practice must include a continuous validation process of ‘checks and balances’ to ensure the effectiveness of your design and policies. If your overarching approach to cybersecurity doesn’t include effective and regular Breach and Attack simulations that include dark web attacks, you’ve got work to do.
A Modernised Security Mindset
As you update your security posture, make sure to modernise processes and develop a keen understanding of which systems within your network should, and should not, be talking to one another.
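As an added illustration (not code from the article or from Keysight), the following script turns that understanding into an explicit allowlist of which internal segments may talk to which, and checks constructed flow records against it. Unexplained east-west conversations, such as an IoT device reaching a workstation, are the ones that warrant a packet-level look; the segments, ports and sample flows are assumptions made for the example.

```python
# Added example: flag internal flows that no "who may talk to whom" rule explains.
from ipaddress import ip_address, ip_network
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed policy (assumption): IoT devices may only reach the MQTT broker,
# workstations may reach the server segment on HTTPS/SMB, servers may talk freely
# among themselves. Anything else is unexpected.
ALLOWED = [
    # (source network, destination network, allowed destination ports or None for any)
    (ip_network("10.30.0.0/16"), ip_network("10.10.0.5/32"), {8883}),      # IoT -> broker
    (ip_network("10.20.0.0/16"), ip_network("10.10.0.0/24"), {443, 445}),  # workstations -> servers
    (ip_network("10.10.0.0/24"), ip_network("10.10.0.0/24"), None),        # server-to-server
]

def parse_flow(line):
    # Constructed flow-record format: "src=10.20.1.7 dst=10.10.0.5 dport=443 proto=tcp"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ip_address(fields["src"]), ip_address(fields["dst"]),
                int(fields["dport"]), fields["proto"])

def is_allowed(flow):
    # A flow is expected only if some allowlist entry covers source, destination and port.
    for src_net, dst_net, ports in ALLOWED:
        if flow.src in src_net and flow.dst in dst_net and (ports is None or flow.dport in ports):
            return True
    return False

def find_violations(lines):
    """Return the flows that no allowlist entry explains: candidate lateral-movement
    or hijacked-device conversations that deserve a look at the actual packets."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]

SAMPLE_FLOWS = [  # constructed sample flow records
    "src=10.20.1.7 dst=10.10.0.5 dport=443 proto=tcp",   # workstation -> web server: expected
    "src=10.30.4.2 dst=10.10.0.5 dport=8883 proto=tcp",  # IoT sensor -> MQTT broker: expected
    "src=10.30.4.2 dst=10.20.1.7 dport=445 proto=tcp",   # IoT sensor -> workstation SMB: unexpected
    "src=10.20.1.7 dst=10.20.1.9 dport=3389 proto=tcp",  # workstation -> workstation RDP: unexpected
    "src=10.10.0.5 dst=10.10.0.6 dport=5432 proto=tcp",  # web server -> database: expected
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"unexpected: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Running it reports the two flows that the policy does not explain; the same rules can drive an alert in a SIEM or a review of the relevant tap capture.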
Intelligent visibility and continuous validation are critical to support a heightened cyber security strategy — whether you are ready to adopt a Zero Trust strategy or you are somewhere on the path towards it.
Chris Phelan, Regional Sales Manager and Peter Bahas, Senior Systems Engineer are from the Networks Security and Applications team at Keysight Technologies. Keysight delivers advanced design and validation solutions that help accelerate innovation to connect and secure the world — including network performance optimisation and visibility in enterprise, public sector, service provider and cloud environments.
Visit Chris and Peter at Tech in Gov 2022, 11–12 May, Booth 132 to discuss Intelligent Visibility, Network Fortification and more.