As we described in the introduction to the Advanced Endpoint and Server Protection series, given the inability of most traditional security controls to defend against advanced attacks, it is time to reimagine how we do threat management. This new process has 5 phases; we call the first phase Assessment. We described it as:
Assessment: The first step is gaining visibility into all devices, data sources, and applications that present risk to your environment. And you need to understand the current security posture of anything to know how to protect it.
You need to know what you have, how vulnerable, and how exposed it is. With this information you can prioritize and design a set of security controls to protect it.
What’s at Risk?
As we described in the CISO’s Guide to Advanced Attackers, you need to understand what attackers would be trying to access in your environment and why. Before you go into a long monologue about how you don’t have anything to steal, forget it. Every organization has something that is interesting to some adversary. If could be as simple as compromising devices to launch attacks on other sites, or as focused as gaining access to your environment to steal the schematics to your latest project. You cannot afford to assume adversaries will not use advanced attacks – you need to be prepared either way.
We call this Mission Assessment, and it involves figuring out what’s important in your environment. This leads you to identify interesting targets most likely to be targeted by attackers. When trying to understand what an advanced attacker will probably be looking for, there is a pretty short list:
- Intellectual property
- Protected customer data
- Business operational data (proposals, logistics, etc.)
- Everything else
To learn where this data is within the organization, you need to get out from behind your desk and talk to senior management and your peers.
Once you understand the potential targets, you can begin to profile adversaries likely to be interested in them. Again, we can put together a short list of likely attackers:
- Unsophisticated: These folks favor smash and grab attacks, where they use publicly available exploits (perhaps leveraging attack tools such as Metasploit and the Social Engineer’s Toolkit) or packaged attack kits they buy on the Internet. They are opportunists who take what they can get.
- Organized Crime: The next step up the food chain is organized criminals. They invest in security research, test their exploits, and always have a plan to exfiltrate and monetize what they find. They are also opportunistic but can be quite sophisticated in attacking payment processors and large-scale retailers. They tend to be most interested in financial data but have been known to steal intellectual property if they can sell it and/or use brute force approaches like DDoS threats for extortion.
- Competitor: Competitors sometimes use underhanded means to gain advantage in product development and competitive bids. They tend to be most interested in intellectual property and business operations.
- State-sponsored: Of course we all hear the familiar fretting about alleged Chinese military attackers, but you can bet every large nation-state has a team practicing offensive tactics. They are all interested in stealing all sorts of data – from both commercial and government entities. And some of them don’t care much about concealing their presence.
Understanding likely attackers provides insight into their tactics, which enables you to design and implement security controls to address the risk. But before you can design the security control set you need to understand where the devices are, as well as the vulnerabilities of devices within your environment. Those are the next two steps in the Assessment phase.
This process finds the endpoints and servers on your network, and makes sure everything is accounted for. When performed early in the endpoint and server protection process, this helps avoid “oh crap” moments. It is no good when you stumble over a bunch of unknown devices – with no idea what they are, what they have access to, or whether they are steaming piles of malware. Additionally, an ongoing discovery process can shorten the window between something popping up on your network, you discovering it, and figuring out whether it has been compromised.
There are a number of techniques for discovery, including actively scanning your entire address space for devices and profiling what you find. This works well enough and is traditionally the main way to do initial discovery. You can supplement active discovery with a passive discovery capability, which monitors network traffic and identifies new devices based on network communications. Depending on the sophistication of the passive analysis, devices can be profiled and vulnerabilities can be identified (as we will discuss below), but the primary goal of passive monitoring is to find new unmanaged devices faster. Passive discovery is also helpful for identifying devices hidden behind firewalls and on protected segments which active discovery cannot reach.
Finally, another complicating factor for discovery – especially for servers – is cloud computing. With the ability to spin up and take down virtual instances – perhaps outside your data center – your platform needs to both track and assess cloud resources, which requires some means of accessing cloud console(s) and figuring out what instances are in use.
Finally, make sure to also pull data from existing asset repositories such as your CMDB, which Operations presumably uses to track all the stuff they think is out there. It is difficult to keep these data stores current so this is no substitute for an active scan, but it provides a cross-check on what’s in your environment.
Determine Security Posture
Once you know what’s out there you need to figure out whether it’s secure. Or more realistically, how vulnerable it is. That typically requires some kind of vulnerability scan on the devices you discovered. There are many aspects to vulnerability scanning – at the endpoint, server, and application layers – so we won’t rehash all the research from Vulnerability Management Evolution. Check it out to understand how a vulnerability management platform can help prioritize your operational security activity. Key features to expect from your scanner include:
- Device/Protocol Support: Once you find a endpoint and/or server, you need to determine its security posture. Compliance demands that we scan all devices with access to private/sensitive/protected data, so any scanner should assess the varieties of devices running in your environment, as well as servers running all relevant operating systems.
- External and Internal Scanning: Don’t assume adversaries are purely external (or internal) – you need to assess devices both from inside and outside your network. You need some kind of scanner appliance (which could be virtualized) to scan the innards of your environment. You will also want to monitor your IP space from the outside to identify new Internet-facing devices, find open ports, etc.
- Accuracy: Unless you enjoy chasing wild geese, you will appreciate scanners that prioritizes accuracy to minimize false positives.
- Vulnerability Research: Every vulnerability requires a determination of severity, so it is very helpful to have information – from either the vendor’s research team or third parties – on the vulnerability directly within the scanning console, to help figure out which problems are real.
- Scale: The scanner must be able to scan your environment quickly and effectively – whether that is 200 or 200,000 devices. Make sure it is extensible enough to cover what you will need as you add devices, databases, apps, virtual instances, etc.
- New and Updated Tests: Organizations face new attacks constantly, and attackers never stop evolving. Your scanner needs to stay current to test for the latest attacks. Exploit code based on patches and public vulnerability disclosures typically appears within a day, so scanners need to be updated almost daily, and you need the ability to update them with new tests transparently – whether on-premises or in the cloud.
A vulnerability scan will provide some perspective on what is vulnerable, but that doesn’t necessarily equate to risk. Given that you presumably have a bunch of defenses in place on the network in front of your endpoints and servers, attackers may not be able to reach a device. Automated attack path analysis and visualization tools can be useful for determining which devices can be reached by an external attacker or a compromised internal device.
It may not be as sexy as a shiny malware sandbox or advanced detection technology, but these assessment tasks are critical before you can even start thinking about building a set of controls to prevent advanced attacks. Assessment needs to happen on an ongoing basis, because your technology environment is dynamic, and the attacks you are subject to change as well – possibly daily. Our next post will dig into emerging technologies to better protect endpoints and servers.