The most trusted security is to untrust
The traditional view that the security of our network is guaranteed by perimeter firewalls alone, and that everything inside is trustworthy and safe, is simply outdated. Adequate perimeter protection is no longer sufficient against advanced threats, and devices can no longer be trusted simply because of which side of the firewall, or which zone, they sit in. The paradigm shift in the IT security industry started years ago, resulting in the Zero Trust model.
According to the Zero Trust paradigm, no resource or device is trusted by default: everything is checked and authenticated, and the traffic of all communicating elements is constantly monitored. However, a standard Zero Trust architecture still carries some risks. For example, identifying traffic by its parameters and meta-information (source, destination, protocol, etc.) is often not enough; it must also be possible to filter traffic by its content, even when that traffic is encrypted.
The activity and external communication of targeted ransomware can be made visible with endpoint protection, firewalls and, in several cases, DNS security. But a security toolkit of separate elements alone is not enough either. The components must be integrated to achieve the level of visibility, anomaly detection and event correlation that is essential to thwart such a targeted attack.
Most vendors already have integrated solutions that can serve on-prem, hybrid or pure cloud systems. For threat mitigation, cloud services from large vendors – more recently supported by AI – are essential to provide the right level of protection (detection, analysis, zero-day vulnerabilities).
Life Cycle of Cyber Attacks
Targeted, intrusive cyber attacks have their own typical lifecycle, whose phases and sub-activities are categorized into the following points according to the Lockheed Martin Intrusion Kill Chain model:
1. Reconnaissance (getting to know the target, identifying vulnerabilities)
2. Weaponization (preparation of codes and manipulations that enable penetration and successful attack)
3. Delivery (delivery of attacking agents to target systems)
4. Exploitation (exploiting vulnerabilities for communication, code execution, etc.)
5. Installation (installing malicious programs on infected devices)
6. Command & Control (C2; remote control of bots to coordinate attacks, receive data leaks, distribute malicious code, etc.)
7. Actions on Objectives (execution of subtasks of the attack, e.g. lateral movement, data theft, file encryption, hijacking traffic, etc.)
Countermeasures to protect the corporate network and prevent data leaks should cover each stage of the cyber kill chain, both to protect against cyber attacks and to detect and mitigate ongoing incidents. Among these, we will only highlight here how to detect traffic generated by malware that has already entered our network.
Once cyber criminals have installed their malware, the malicious programs try to establish a Command & Control (C2) channel in order to communicate and pass data back and forth between the infected devices and the attackers' own infrastructure.
Next-generation firewalls (NGFW) and their new capabilities, such as Advanced Threat Prevention (ATP), help detect and block malicious traffic in the following ways:
– Monitor and inspect all traffic between zones and enforce user access and application control for secure zones. Traffic must always be bound to a person or device, and the firewall can inspect not only L3/L4 headers but also packet payloads.
– Block outbound C2 communication and the upload of files and data samples (e.g. bank account numbers) to prevent data leakage.
– Redirect harmful outbound traffic to an internal sinkhole to identify and isolate the infected host.
– Block outbound communication to known malicious domains through URL filtering.
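The following is an added example, not code from the original article or from any firewall vendor, showing in miniature how the three detection ideas in the list above (URL/domain filtering against a known-malicious list, spotting regular C2 beaconing, and answering blocked lookups with an internal sinkhole so the querying host can be isolated) can be applied to firewall or DNS log lines. The log lines, the blocklist entry and the sinkhole address are all constructed sample data; a real deployment would take the blocklist from the vendor's threat feed and the logs from the firewall or DNS resolver.

```python
"""
Added example (not from the original article): applies three NGFW/DNS-security
ideas to constructed log lines:
  1. match outbound DNS queries against a blocklist of known-malicious domains,
  2. flag beaconing (regular, low-jitter connections to one external host),
  3. produce a sinkhole map so repeated lookups of blocked domains are answered
     with an internal sinkhole address and the querying host is identified.
All domains, addresses and log lines below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 'timestamp src_ip action domain dst_ip'
SAMPLE_LOGS = """\
1000 10.0.0.5 dns update.example-cdn.test 203.0.113.10
1060 10.0.0.5 dns update.example-cdn.test 203.0.113.10
1120 10.0.0.5 dns update.example-cdn.test 203.0.113.10
1180 10.0.0.5 dns update.example-cdn.test 203.0.113.10
1240 10.0.0.5 dns update.example-cdn.test 203.0.113.10
1005 10.0.0.7 dns news.example.test 198.51.100.20
1400 10.0.0.7 dns news.example.test 198.51.100.20
3100 10.0.0.7 dns mail.example.test 198.51.100.21
1010 10.0.0.9 dns bad-c2.example-evil.test 192.0.2.66
"""

# Constructed blocklist standing in for a vendor URL-filtering feed
BLOCKLIST = {"bad-c2.example-evil.test"}
SINKHOLE_IP = "10.255.255.254"  # assumed internal sinkhole address


def parse_logs(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, action, domain, dst = line.split()
        records.append({"ts": int(ts), "src": src, "action": action,
                        "domain": domain, "dst": dst})
    return records


def blocklist_hits(records, blocklist=BLOCKLIST):
    """Return (src, domain) pairs whose domain is on the blocklist (URL filtering)."""
    return [(r["src"], r["domain"]) for r in records if r["domain"] in blocklist]


def beaconing_hosts(records, min_events=4, max_cv=0.2):
    """Flag (src, dst, mean_gap) for pairs that connect at near-regular intervals.
    Uses the coefficient of variation of inter-arrival gaps: ordinary browsing
    has irregular gaps, while a C2 beacon with little jitter does not."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((src, dst, avg))
    return flagged


def sinkhole_map(records, blocklist=BLOCKLIST, sinkhole=SINKHOLE_IP):
    """Resolve blocked domains to the sinkhole address; the hosts that looked
    them up are the infected ones to isolate."""
    resolved = {}
    infected = set()
    for r in records:
        if r["domain"] in blocklist:
            resolved[r["domain"]] = sinkhole
            infected.add(r["src"])
    return resolved, sorted(infected)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("blocklist hits:", blocklist_hits(recs))
    print("beaconing:", beaconing_hosts(recs))
    print("sinkhole:", sinkhole_map(recs))
```

On the sample data the blocklist check catches host 10.0.0.9, the beaconing check catches host 10.0.0.5 (five lookups exactly 60 seconds apart), and the sinkhole map shows which host to isolate. The beaconing heuristic deliberately uses a jitter threshold rather than an exact period, since real C2 implants usually randomize their interval slightly; tune `min_events` and `max_cv` against the false-positive rate of legitimate periodic traffic such as update checks.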