Companies are faced with an almost overwhelming barrage of evolving threats to their networks ranging from the disclosure of backdoor “troubleshooting” accounts in infrastructure devices, to zero-day vulnerabilities, to stockpiled exploits leaked from government agencies. To detect and respond to these varied threats, organizations must maintain a flexible approach to information security. One strategy, tool, or technique isn’t enough to provide adequate coverage.
Installation vs. Understanding
While companies can deploy the most novel products within their networks, if no one sees the results or understands the output, then that steady ICMP traffic of the past three months could actually have been data being tunnelled out of the company. Instead of just installing the solutions, people must comprehend their output as well.
Two approaches to attain that understanding are training the users and deploying more intuitive interfaces. Users can be trained in the use of each tool, but that process can take time and be quite expensive. If, instead, an interface is intuitive enough to make sense at a basic level to even the most inexperienced of workers, then the ramp up time decreases and user efficiency increases.
Penetration Testing as a Live Exercise
In line with user training, penetration testing can be a great means of illustrating how security solutions are supposed to work. When people are looking at tool output and everything always appears to be in a constant state of “good,” attention to detail wanes and motivation fades. An incident is more likely to slip through undetected after a period of quiescence. Penetration testing, whether announced or unannounced, introduces genuine adversarial activity into the environment, a change of state that the detectors should pick up. Like fire alarms and drills, network monitoring tools should also be assessed with a known state change to test the assumption that they will trigger when something is wrong.
Penetration testing evolves in tandem with adversarial threats, especially when testing is done in concert with an organization with a mature security posture. When systems are kept patched and the standard means of breaching a network are well defended, testers must step it up a notch and advance their abilities and techniques to maximize value within the time provided for testing. Tools such as CrackMapExec and IceBreaker allow penetration testers to greatly expedite the process of gaining footholds and spend more time on post-exploitation activities such as locating and raiding point-of-sale systems, file shares, and databases. IceBreaker even automates the entire process of gaining a foothold in a basic network.
The Visual Limitation
Any network monitoring product should pick up these activities. However, if no one is looking, or worse, the noteworthy alarms are lost in a sea of irrelevant alerts, then that product is providing neither value nor security. Log monitoring, packet inspection, and Endpoint Detection and Response (EDR), to name a few common techniques, are valuable, but can all be categorized as one approach – visual. Whether displaying logs, a dashboard, or email alerts, most tools rely exclusively on visuals. These utilities, plus employees’ daily workload of emailing, browsing, and documenting, can quickly lead to screen fatigue in both a visual and a mental sense. When a worker is expected to stare into the lights of computer monitors all day to indicate work is being done, eyestrain (less of an issue with modern monitors, but not gone) and burnout are definite threats to employee wellbeing.
Alternatives in the Form of Sound
Other means of monitoring and detection must therefore be considered. While the common approaches take the form of visual utilities such as dashboards or email alerts, one innovation uses sound instead. Monitoring with sound could alleviate eyestrain and provide another avenue for detecting threats on the network. This approach would not be a complete replacement for the standard solutions, but it could provide a worthwhile complement. Certain types of traffic should likely never be seen in a secure corporate environment, such as Tor, peer-to-peer, or IRC protocols. If an audible alert were played upon detecting these types of out-of-place traffic, then analysts would immediately know to begin examining the network more closely.
For example, I recently developed a tool called p@cketr@quet, which allows for different ports and protocols to be mapped to notes, thereby creating specific sound patterns for network traffic. The benefits offered by this approach include the ability to prioritize specific threats for “red alert” style monitoring, as well as not requiring yet another dashboard to check. Instead of reading an email alert minutes or perhaps hours after the initial trigger, analysts can respond immediately to the detection of network traffic deemed malicious. While by no means a panacea, sound-based detection can provide a valuable asset with which to improve the security posture and incident response time for organizations.
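To make the idea concrete, here is an added example (my own illustration, not the author's p@cketr@quet code) that maps the destination port of each flow onto a musical scale and plays a dissonant chord for protocols that should never appear on a corporate network. The flow records are constructed, not captured, and the port-to-protocol labels (Tor ORPort 9001 and DirPort 9030, IRC 6667, BitTorrent 6881-6889) are assumptions used for illustration; the tone renderer uses only the Python standard library.

```python
"""Sonify network flows: ordinary traffic becomes notes in a scale,
'red alert' protocols become a sustained tritone (added example).

The flow lines and port labels below are constructed for illustration and
are not the author's p@cketr@quet mapping.
"""
import math
import struct
import wave

# Constructed sample flows (not captured from a real network):
# "src_ip:src_port -> dst_ip:dst_port proto"
SAMPLE_FLOWS = [
    "10.0.0.5:51234 -> 93.184.216.34:443 tcp",
    "10.0.0.7:40211 -> 192.0.2.10:6667 tcp",
    "10.0.0.9:33000 -> 198.51.100.8:9001 tcp",
    "10.0.0.5:51240 -> 93.184.216.34:80 tcp",
    "10.0.0.12:60000 -> 203.0.113.4:6881 tcp",
]

# Assumed 'never expected' protocols keyed by well-known destination port.
RED_ALERT_PORTS = {
    6667: "irc",
    9001: "tor-or",
    9030: "tor-dir",
    **{p: "bittorrent" for p in range(6881, 6890)},
}

# C major scale as semitone offsets; MIDI note 60 is middle C.
SCALE = [0, 2, 4, 5, 7, 9, 11]


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def port_to_midi(port):
    """Deterministically map a port onto two octaves of C major, so the
    same service always sounds the same and a new one stands out."""
    degree = port % len(SCALE)
    octave = (port // len(SCALE)) % 2
    return 60 + 12 * octave + SCALE[degree]


def midi_to_hz(note):
    """Equal temperament with A4 (MIDI 69) = 440 Hz."""
    return 440.0 * 2 ** ((note - 69) / 12)


def classify(flow):
    """Return (midi_note, label, is_alert) for a parsed flow."""
    label = RED_ALERT_PORTS.get(flow["dst_port"])
    if label:
        return 48, label, True          # low C3 for alerts
    return port_to_midi(flow["dst_port"]), flow["proto"], False


def render_tone(hz, seconds, rate=8000, amplitude=0.5, hz2=None):
    """Synthesise 16-bit mono PCM for one tone, optionally a two-note chord."""
    frames = bytearray()
    for i in range(round(seconds * rate)):
        t = i / rate
        sample = math.sin(2 * math.pi * hz * t)
        if hz2 is not None:
            sample = (sample + math.sin(2 * math.pi * hz2 * t)) / 2
        frames += struct.pack("<h", int(amplitude * 32767 * sample))
    return bytes(frames)


def sonify(lines, rate=8000):
    """Turn flow lines into a list of events plus the PCM audio for them."""
    events, pcm = [], bytearray()
    for line in lines:
        flow = parse_flow(line)
        note, label, alert = classify(flow)
        hz = midi_to_hz(note)
        if alert:
            # A tritone (6 semitones) clashes with the scale and is hard to ignore.
            pcm += render_tone(hz, 0.6, rate, hz2=midi_to_hz(note + 6))
        else:
            pcm += render_tone(hz, 0.15, rate)
        events.append({"dst": f"{flow['dst_ip']}:{flow['dst_port']}",
                       "label": label, "midi": note, "alert": alert})
    return events, bytes(pcm)


def write_wav(path, pcm, rate=8000):
    """Write the PCM bytes as a playable WAV file."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)


if __name__ == "__main__":
    events, pcm = sonify(SAMPLE_FLOWS)
    for e in events:
        flag = "ALERT" if e["alert"] else "     "
        print(f"{flag} {e['dst']:<22} {e['label']:<11} midi={e['midi']}")
    write_wav("flows.wav", pcm)
```

Running it prints one line per flow and writes `flows.wav`; the three flagged flows (IRC, Tor, BitTorrent) each produce a 0.6 s dissonant chord while the web traffic produces short in-scale notes. The caveat a practitioner should keep in mind is that matching on destination port alone is a weak classifier: Tor bridges and IRC-over-TLS commonly use 443, and a BitTorrent client can be configured to any port, so in production the `classify` step should be fed by a protocol identifier (IDS signatures, TLS fingerprints, or DNS context) rather than the port table used here.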
Innovation to Keep Pace
Automating penetration testing techniques and setting network traffic to notes are two examples of defensive innovations. What we know for certain is that attackers will innovate, and the pace of that evolution is unlikely to slow. Defensive techniques, both on the solutions and testing sides of the equation, must also evolve at pace to keep up or proactively anticipate malicious actors’ next moves. The cybersecurity industry is demonstrating new and innovative tools toward that end—it’s an exciting time to be a part of the industry and watch it evolve on both sides of the battle.