The Cybersecurity and Infrastructure Security Agency (CISA) lists “insufficient internal network monitoring” among the 10 most common network misconfigurations this year. Indeed, network analysis and visibility (NAV) remains a perennial challenge. As the boundaries around the traditional network disappear and the active threat landscape becomes more complex, businesses need new methods and solutions to protect their performance, security and continuity.
That’s where the MITRE ATT&CK framework comes into play. The adversary tactics and techniques it catalogs help us understand and combat cyber threats such as ransomware, as well as advanced persistent threats (APTs) whose goal is to inflict potentially devastating damage on an organization. By looking for the known tactics and techniques of known APT groups, cybersecurity teams can counter threats before they turn into successful attacks.
Once ransomware is detected, it is normally too late to prevent damage. This highlights the need for comprehensive and continuous network monitoring, an understanding of preventative strategies, and unobstructed visibility capabilities to detect anomalies not only in the “north-south” traffic between the data center and clients, but also in the “east-west” traffic between servers.
Understand the threat landscape and your network
While the ultimate goal is complete network visibility, that’s easier said than done. Organizations require holistic visibility through the service delivery ecosystem. Monitoring network activity to track and identify trends in traffic and application usage is essential. Additionally, you need to go beyond enterprise-wide visibility to implement a broad performance and availability strategy that includes not only headquarters, remote offices, and private data centers, but also colocation centers, contact centers, public clouds, and SaaS environments.
Additionally, maintaining high-performance digital services in increasingly distributed hybrid cloud environments is critical for enterprise IT organizations. A more distributed environment brings new challenges in providing customers and hybrid workforces with safe, secure access and availability of business applications and services. In some cases, managing quality performance in the wake of traffic growth across SD-WAN links, critical Internet circuits, VPN gateways, and hybrid cloud has gone from an operational challenge to a critical business priority.
For example, many companies permanently moved thousands of employees to work-from-home and hybrid cloud environments during and after the pandemic. As companies transitioned to hybrid workforces and Zero Trust models, NetOps teams realized they needed better tools to identify whether SD-WAN bandwidth could adequately handle spikes in remote network traffic from thousands of remote users. At the same time, SecOps teams needed the same level of visibility to detect threats and verify that Zero Trust network policies were working as intended.
Ultimately, by understanding the network threat landscape in this way, IT management can better identify where the “crown jewels” such as key servers, applications and databases reside. Then, when threats occur, the anomalous behavior is clearer to NetOps and SecOps teams.
In today’s extended service edge environments, viewing the remote end-user experience in the context of multi-tier networks and vendor environments is essential to quickly isolate issues and provide visibility into all phases of MITRE ATT&CK.
Ensure network visibility is both internal and external
IT teams need end-to-end visibility across their enterprise network, from SD-WAN and remote offices, to hybrid/multicloud environments, to colocation facilities and data centers. When visibility is lacking, SecOps teams do not have adequate insight into all phases of MITRE ATT&CK.
A modern Zero Trust environment assumes that the network has already been compromised. That is, the initial phases of MITRE ATT&CK – reconnaissance, resource development, and initial access – have already occurred. North-south network visibility alone is now inadequate to track the internal movement of the attacker, who is progressing through the successive MITRE ATT&CK phases of execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement and collection.
To spot intrusions at these stages, SecOps teams need visibility into east-west traffic. With this level of visibility into server-to-server communication, SecOps teams can detect anomalous traffic behavior affecting their most important servers. In a ransomware attack, many of the MITRE ATT&CK tactics and techniques precede the actual exfiltration and encryption of data.
Attacks of this nature highlight the need for comprehensive and continuous network monitoring, an understanding of preventative strategies, and unobstructed visibility capabilities to detect anomalies in traffic flowing from every direction. By using both internally and externally facing solutions, IT, NetOps and SecOps teams get the best of both worlds in performance monitoring.
Leveraging data derived from both forms of network packet traffic helps address issues that are difficult to isolate in hybrid and remote environments. The combination of north-south and east-west network visibility is necessary for the final phases of MITRE ATT&CK: command and control, exfiltration and impact.
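As an added illustration of the east-west detection described above (not code from the original article), the following Python splits constructed flow records into north-south and east-west, learns which east-west paths into the “crown jewel” servers are normal during a clean window, and flags a workstation that later opens a new path to the database server. The internal ranges, server addresses and flow records are all constructed for this example.

```python
import ipaddress

# Hypothetical internal address space and crown-jewel servers (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CROWN_JEWELS = {"10.0.5.10": "db01", "10.0.5.20": "fileshare01"}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src: str, dst: str) -> str:
    """East-west when both endpoints are internal; anything crossing the edge is north-south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def learn_baseline(flows):
    """Record every east-west (src, dst, dport) triple observed during a known-good window."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows
            if direction(f["src"], f["dst"]) == "east-west"}

def detect(flows, known):
    """Flag east-west flows into a crown-jewel server that the baseline never saw."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if direction(f["src"], f["dst"]) == "east-west" and f["dst"] in CROWN_JEWELS and key not in known:
            alerts.append(f"new east-west path {f['src']} -> {CROWN_JEWELS[f['dst']]}:{f['dport']}")
    return alerts

# Constructed flow records: a clean learning window followed by a monitoring window.
BASELINE_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.5.10", "dport": 5432},    # web01 -> db01 (normal app path)
    {"src": "10.0.20.15", "dst": "10.0.5.20", "dport": 445},   # workstation -> fileshare01 (normal)
    {"src": "203.0.113.7", "dst": "10.0.1.5", "dport": 443},   # external client -> web01 (north-south)
]
MONITOR_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.5.10", "dport": 5432},    # still normal
    {"src": "10.0.20.15", "dst": "10.0.5.20", "dport": 445},   # still normal
    {"src": "10.0.20.15", "dst": "10.0.5.10", "dport": 5432},  # workstation reaching db01: never seen before
    {"src": "203.0.113.7", "dst": "10.0.1.5", "dport": 443},   # edge traffic, invisible to an east-west-only check
]

def run():
    """Learn from the clean window, then report anomalies from the monitoring window."""
    return detect(MONITOR_FLOWS, learn_baseline(BASELINE_FLOWS))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The north-south flow is classified but not alerted on here, which is exactly the gap the article describes when only edge traffic is monitored: the workstation-to-database path would go unnoticed.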