Despite constituting the lifeline of every corporate IT infrastructure, network devices are notoriously among the most insecure components of that infrastructure, which makes them favorite targets of both sophisticated hackers and script kiddies.
Amid mounting pressure from political groups that favor government surveillance through backdoors in encrypted devices to combat terrorism, the Juniper ScreenOS vulnerability has shown how, to an experienced attacker, such a backdoor can become a master key not just to an organization's data but to the government's as well. The most valuable lesson from the past year's device hacks is that cyber criminals never ignore an opportunity to exploit a gaping hole in inconsistent security policies, mandates and protocols.
Turning the tables on evasive device attacks
Enterprise network devices shipped and installed with insecure defaults, together with IP address spoofing that ISPs leave unchecked, can be leveraged simultaneously by a number of extortion groups and individual threat actors.
A colleague who correlates threat signatures pointed out a worrying rise in the sophistication of emerging exploit code written for embedded devices. These next-generation malware writers are defeating virtual machine sandboxes and proprietary operating system artifacts, and obfuscating their malware's internal data.
As certainty about prevention wanes, an organization's last line of defense undoubtedly rests on how well anomalous activity is tracked, observed and interpreted.
Your security monitoring system needs functionality that extends beyond merely alerting on suspicious traffic. A combination of active network scanning and passive monitoring will give you thorough information about the origin of malicious packets, their intent and what gaps to fill. The result is an up-to-the-minute inventory of assets, addressing, traffic and header analysis, in addition to system information about the entities on your network.
For instance, a threat actor might advertise a forged Autonomous System Number (ASN) and trick an ISP gateway into redirecting to him all traffic destined for the victimized route.
The best way to deal with this at your perimeter is to monitor the routes of incoming packets and look for anomalies. Do the packets appear to come from Autonomous System Numbers that your ISP does not accept routes from? What are they targeting, and what could the motive be? Such questions are inescapable and can only be answered with help from a threat data platform that documents known bad actors.
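As an added example (not code from the original article), the route check described above in Python: each observed route is compared with a baseline of expected origin ASNs and accepted upstream peers, and is flagged when the origin differs from the baseline, when the route arrives from a peer we do not accept routes from, or when a more-specific prefix is announced underneath a baseline route (that last case goes beyond the forged-ASN scenario in the text). All prefixes and ASNs are constructed sample data from documentation ranges.

```python
# Added example (not code from the original article): flag BGP route observations
# that deviate from a baseline. All prefixes/ASNs are constructed sample data.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RouteObservation:
    prefix: str               # destination prefix carried in the update
    as_path: tuple[int, ...]  # AS path as received: neighbour first, origin last

# Baseline: the origin ASN that legitimately announces each prefix (constructed).
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501}
# Upstream ASNs the perimeter is configured to accept routes from (constructed).
ACCEPTED_PEER_ASNS = {64510, 64511}

def covering_baseline(prefix):
    """Return the baseline prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for base in EXPECTED_ORIGIN:
        if net.subnet_of(ipaddress.ip_network(base)):
            return base
    return None

def classify(obs):
    """Return anomaly labels for one observation; an empty list means normal."""
    if not obs.as_path:
        return ["empty-as-path"]
    anomalies = []
    peer_asn, origin_asn = obs.as_path[0], obs.as_path[-1]
    # Route learned from a neighbour we have no agreement to accept routes from.
    if peer_asn not in ACCEPTED_PEER_ASNS:
        anomalies.append(f"unexpected-peer-asn:{peer_asn}")
    expected = EXPECTED_ORIGIN.get(obs.prefix)
    if expected is not None:
        # Exact baseline prefix with a different origin: a forged origin ASN.
        if origin_asn != expected:
            anomalies.append(f"origin-mismatch:expected={expected},seen={origin_asn}")
    else:
        base = covering_baseline(obs.prefix)
        # A more-specific announcement wins longest-prefix match and diverts traffic.
        if base is not None:
            anomalies.append(f"more-specific-of:{base}")
        else:
            anomalies.append("unknown-prefix")
    return anomalies

def audit(observations):
    """Keep only the anomalous observations, mapped to their labels."""
    results = ((obs, classify(obs)) for obs in observations)
    return {obs: labels for obs, labels in results if labels}
```

Feed `audit` the routes your collector sees from each upstream and review anything it returns against your threat data before acting on it.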
Dig deep for vulnerabilities
– Embedded systems configured for remote administration must be protected from emerging malware families that combine password-guessing brute-force attacks with custom-built rootkits, especially those that can self-update once inside your network. Deep scanning of file integrity, registry settings and rootkit indicators can help you detect abnormal infiltration attempts while they are underway.
– Establish baselines for acceptable network activity and assess suspicious behavior against your asset databases and your inventory of active software and services.
Tools that analyze network-breach malware are limited to predefined detection signatures; intrusion detection systems, on the other hand, are designed to keep the entire attack lifecycle in perspective.
– Most importantly, align network security policy management with your enterprise threat information. An organization that is well aware of its security posture is one that uses a well-documented evaluation process to manage policies, appraise their effectiveness and identify where amendments are needed.
– Integrating your firewall configuration rule sets, secure shell server authentication policies and cryptographic key management tools with your incident response workflow can enable automated analysis of device-level policy compliance. Make sure that policy changes for all elements of perimeter defense go through a streamlined risk assessment process so that risky changes are caught before they take effect.
At Aleph Tav Technologies, we don’t just share insights. We show you how it’s done – for free.
Visit alephtavtech.com to know more about the 15-day no-obligations trial period for our 24×7 Managed Security Operations Suite.