Network attacks can come from anywhere, and preparation often seems impossible. The Defender's Dilemma: Charting a Course Toward Cybersecurity perhaps said it best: "Defenders need to be right every time. Attackers need to be right only once." Never has an IT quote rung truer.
Network attack types are many and varied, including ransomware, insider threats and even those launched by nation-states in some cases. When defending a network, it is critical to apply a methodical mitigation approach to the different types of network attacks.
Methodical mitigation makes network access as difficult as possible for attackers, while remaining usable for staff. It's a delicate balancing act.
Common types of unauthorized network access include the following:
- Email phishing.
- Automated bot scanning for unpatched servers or exposed ports.
- Ransomware exploits.
- Internal threat actors.
The triad model of data security
In security circles, there is a model known as the CIA triad of security. This states that information security can be broken down into three key areas: confidentiality, integrity and availability.
Data theft is a confidentiality issue, and unauthorized access is an integrity issue. Availability, meaning access to the infrastructure and data, is the area most people think of with regard to network attacks. The effects of losing access can be devastating to a business.
Defense is essentially about managing the risk of occurrence versus cost. That said, some key changes have low cost but help ensure security when implemented properly as part of a defense-in-depth scenario.
Defense in depth
Some of the most important measures to help reduce these types of network attack are based around a defense-in-depth posture. For example, a lot of companies have spent big on perimeter security, such as firewalls and VPNs. This limits access for outside attackers, but internally, the network is left undefended.
This kind of scenario means that one successful email phishing attack could be enough for an attacker to get into the internal network and move laterally until they own the entire system. At that point, they could exfiltrate extremely sensitive documentation, either to sell or to use as a bargaining chip that exposes the organization to reputational risk. Some network attacks even upload ransomware to encrypt all the systems and sell the data anyway.
Defense in depth can be summarized as the following:
- Have known-good, tested backups.
- Apply all program updates in good time.
- Segregate and firewall infrastructure with virtual LANs and appropriate access control.
- Ensure users only have the appropriate level of network access to do their job.
One area a lot of administrators miss is auditing access controls and having a good logging policy to be able to see what happened. While it may sound trivial, it helps to understand who has what rights and what has changed. For example, someone not following process and granting a third party or application incorrect rights should be flagged by periodic access control reviews. Accounts that can grant access and create users should be well defined and audited, as they carry a huge amount of risk.
This goes hand in hand with ensuring that employees are onboarded and offboarded according to company policy. Having a process is key as well because modern user accounts reach into VPN access, SaaS infrastructure, document repositories and other sensitive data.
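The periodic access control review and the offboarding check described in the two paragraphs above, as an added example that is not part of the original article: it parses a constructed grant audit log and flags grants made by accounts outside the approved grantor set, third-party accounts given rights beyond an assumed ceiling, and rights still held by offboarded users. The log format, the `vendor.` naming convention, the policy sets and the account status feed are all assumptions for illustration.

```python
import re

# Constructed audit-log sample (assumed format: timestamp, action, key=value fields).
AUDIT_LOG = """\
2024-05-01T09:12:03Z grant grantor=admin.alice grantee=bob right=vpn_access
2024-05-01T09:40:17Z grant grantor=admin.alice grantee=vendor.acme right=domain_admin
2024-05-02T14:05:44Z grant grantor=carol grantee=dave right=fileshare_rw
2024-05-03T08:30:00Z grant grantor=admin.alice grantee=erin right=saas_billing
"""

# Assumed policy inputs for the review.
APPROVED_GRANTORS = {"admin.alice"}                    # accounts allowed to grant rights
THIRD_PARTY_ALLOWED = {"vpn_access", "fileshare_ro"}  # ceiling for vendor.* accounts
ACCOUNT_STATUS = {"bob": "active", "vendor.acme": "active",
                  "dave": "active", "erin": "offboarded"}  # assumed HR/offboarding feed

LINE_RE = re.compile(
    r"^(?P<ts>\S+) grant grantor=(?P<grantor>\S+) grantee=(?P<grantee>\S+) right=(?P<right>\S+)$"
)

def parse_grants(log_text):
    """Parse grant events; unparseable lines are returned separately, not silently dropped."""
    events, bad = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            bad.append(line)
    return events, bad

def review_access(events, approved_grantors, third_party_allowed, account_status):
    """Return (finding_type, grantor, grantee, right) tuples for each policy violation."""
    findings = []
    for e in events:
        grantor, grantee, right = e["grantor"], e["grantee"], e["right"]
        if grantor not in approved_grantors:          # process not followed
            findings.append(("unapproved_grantor", grantor, grantee, right))
        if grantee.startswith("vendor.") and right not in third_party_allowed:
            findings.append(("third_party_overprivileged", grantor, grantee, right))
        if account_status.get(grantee) == "offboarded":  # offboarding left rights behind
            findings.append(("offboarded_account_holds_right", grantor, grantee, right))
    return findings

if __name__ == "__main__":
    events, bad = parse_grants(AUDIT_LOG)
    for finding in review_access(events, APPROVED_GRANTORS, THIRD_PARTY_ALLOWED, ACCOUNT_STATUS):
        print(*finding)
```

Running it against the sample log reports the unapproved grantor, the over-privileged vendor account and the offboarded user who still holds a right; the clean grant to bob produces no finding.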
Planning is key
Defending against different types of network attacks is not something to be done piecemeal or in isolation. If the worst does happen, restoring service depends on previous planning. That is why it is so essential to have a documented and tested network DR plan.
If an organization has not recently suffered an attack, now is the time to do the planning. The priority is service restoration, and often, there is a service-level agreement in play, which means that an outage can have serious financial consequences beyond your own internal losses.
With small companies, a dedicated DR plan can be cost-prohibitive. For this reason, a lot of companies fail over to the cloud to ensure that they are able to restore service on a temporary basis while dealing with the issue.
Not all applications are critical and need protecting. Within any company, there are several key systems upon which the company heavily relies. These are the important ones to ensure are protected and can be spun up again.