Researchers feel altering the network after a targeted attack is a must, both to negate sleepers and to invalidate what attackers know about the network.
Attackers using targeted exploits seem to have their way with enterprise networks. Every day, media outlets report yet another major data breach. Trying to understand how and why, I've been following this section of Trend Micro's website dedicated to targeted attacks — exploits that target a single entity, be it a person or organization.
The blog entries, for the most part, mirrored what other security companies are saying. Then I read a column by Ziv Chang, director of Cyber Safety Solutions. It was different, addressing a topic missed by those of us who write about digital security.
Covert network reconnaissance
Chang begins by explaining the various methods bad actors use to gain access to a company's internal network. Phishing tops the current list. Once ensconced in the company network, the attackers employ what Trend Micro calls lateral movement — reconnaissance, credential stealing, and infiltrating other computers to get familiar with the compromised network.
When the network topology is understood, the attackers either grab what they can or dig in for long-term occupation. In either case, the attackers compromise additional computers/servers (sleepers). The logic behind this: if the company's IT staff discovers the exploited machine, or the exploited machine is portable, the attackers still have a way to access the company network. This brings us to the overlooked topic mentioned earlier.
Chang has two concerns. Both relate to how an affected company mitigates the results of a targeted attack. Even with the attacker ousted, it is not always discernible whether every compromised computer was discovered. Chang's other concern: the attackers still understand the network's topology, making it easier to break in again. "It's not enough to change passwords and remove the malware," according to Chang. "To protect an organization from targeted attacks, changing the network topology should also be considered."
Chang defines network topology as how devices are connected within a network, both physically and logically. "The term refers to all devices connected to a network, be it the computers, the routers, or the servers," explains Chang. "Since it also refers to how these devices are connected, network topology also includes passwords, security policies, and the like."
Chang suggests altering the network's topology and security policy in ways that would make it impossible or at least hugely difficult for sleepers to obtain company secrets. Chang also recommends changing the network in ways that make the attacker's reconnaissance information obsolete.
To clarify the point, Chang uses the following example. The first slide depicts a normal network. It also exemplifies how an attacker gains access to a company's internal network, in this case using a phishing email to compromise PC-1.
Next, the attacker scans the network (lateral movement), finds other PCs, and compromises them using one of many available exploits. Since all of the computers have access to the document server, the hard part is over. Attackers can access the document server. To continue the example, the attack is discovered, PC-1 is re-imaged to remove the malware, and the IT department is now extra vigilant. That said, it is no trouble for one of the other compromised PCs to phone home, and the bad actors are back in business.
Alter the network topology
Chang says to alter the network topology. The next slide does just that. Adding the proxy server and second firewall will make it difficult for attackers to get to the document server even if control of the compromised (sleeper) computers is regained.
Chang explains, "Should the attackers attempt to infiltrate the network again, this time using PC-3, they will need to spend time rescanning the network. This is so they can understand the function of the proxy server and attempt accessing the document server via trial-and-error. This amount of time may be enough for IT admins to detect malicious activity on the network and address it."
Modifying network topology is difficult
Chang understands that altering an enterprise network is no small task. However, one can argue altering the network might be easier than trying to ensure every computer on the network is pristine and not a sleeper waiting to phone home.
New technology will help as well. According to Chang, "Newer techniques like Software-Defined Network and Network-Functions Virtualization can reduce the degree of difficulty in changing the network topology. Admins can first change the network topology on a network simulator and emulator to ensure the alterations are okay before using an SDN policy rule to alter the topology."
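The pre-deployment check Chang describes can be approximated without a full simulator. The following Python sketch is an added example, not code from Chang's article or from Trend Micro: it models the before and after networks as maps of permitted flows and verifies that legitimate access survives, that the attacker's previously mapped path no longer works, and that every route to the document server is forced through the proxy. The flow maps, the host PC-2, and the node names `proxy`, `firewall-2` and `doc-server` are constructed assumptions, since the original slides are not reproduced here.

```python
from collections import deque

# Constructed flow maps (the article's slides are not reproduced here).
# Each entry lists the hosts a node is permitted to connect to.
BEFORE = {
    "PC-1": ["PC-2", "PC-3", "doc-server"],
    "PC-2": ["PC-1", "PC-3", "doc-server"],
    "PC-3": ["PC-1", "PC-2", "doc-server"],
}
AFTER = {
    "PC-1": ["PC-2", "PC-3", "proxy"],
    "PC-2": ["PC-1", "PC-3", "proxy"],
    "PC-3": ["PC-1", "PC-2", "proxy"],
    "proxy": ["firewall-2"],
    "firewall-2": ["doc-server"],
}

def find_path(flows, src, dst, blocked=()):
    """Breadth-first search; returns the shortest permitted path or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in flows.get(path[-1], []):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def path_allowed(flows, path):
    """True if every hop of a previously mapped path is still permitted."""
    return all(b in flows.get(a, []) for a, b in zip(path, path[1:]))

def validate_change(before, after, clients, asset, chokepoint):
    """Per client: is access kept, is the old map stale, is the proxy mandatory?"""
    report = {}
    for pc in clients:
        old = find_path(before, pc, asset)
        report[pc] = {
            "still_reachable": find_path(after, pc, asset) is not None,
            "old_path_invalid": old is not None and not path_allowed(after, old),
            "forced_via_chokepoint":
                find_path(after, pc, asset, blocked={chokepoint}) is None,
        }
    return report

if __name__ == "__main__":
    for pc, result in validate_change(BEFORE, AFTER, ["PC-1", "PC-2", "PC-3"],
                                      "doc-server", "proxy").items():
        print(pc, result)
```

A `forced_via_chokepoint` value of `False` for any client means a direct or indirect flow around the proxy was left in place, which is the misconfiguration to catch before the change is pushed to production.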
Chang concludes the article by noting that altering a network under attack should not be the only recourse. Security in layers is still the key, with network misdirection being one of the layers.