by Leo Taddeo, Chief Information Security Officer, Cyxtera
There are no big surprises in the recent Technical Alert issued by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI). Once again, we’re hearing that nation-states have successfully targeted U.S. government entities and critical infrastructure with well-worn tactics and known exploits. The big surprise is that these entities still haven’t taken measures to defend against such attacks—measures that are readily available to any organization.
According to the Technical Alert, “a multi-stage intrusion campaign by Russian government cyber actors … targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”
There’s nothing innovative about the attackers’ methods—and that should be troubling to all of us. Adversaries continue to use the same tools and techniques to successfully break into private networks, wreak havoc, and steal data. Clearly, our defense mechanisms are failing. So why do we keep doing the same things?
It’s well past time for organizations to modernize their security. Traditional network defense tools were designed to work within a secured perimeter. Hybrid IT has forever changed the game and rendered these tools outdated. Since the network perimeter no longer exists, security needs to adjust accordingly. Software-defined perimeter (SDP) technology, originally created by the Department of Defense, is designed to protect against these types of intrusions. Here’s how:
The adversaries used legitimate user credentials to access private networks. We know that a firewall alone won’t stop these attacks. It doesn’t matter how big the vault door is: if the user has the right key, a firewall will let them in.
So, we need a new way to confidently identify and authenticate users. SDP goes beyond user credentials. It looks at the context in which the user is attempting to connect in order to validate that the user is who he/she claims to be.
There are many factors that can be used to define the context. For example, you can look at the IP address, operating system, location, the time of day, and the presence or absence of antivirus software on the connecting device. The more factors you consider, the more confidently you can determine whether the access attempt is being made by a legitimate user.
The other common theme we see in the nation-state and other attacks is the ability for attackers to move laterally across the network. This is possible, in part, because traditional security tools like firewalls, network access control, and VPNs allow over-privileged access to resources. Networks also tend to be “flat” and have insufficient segmentation. So, once attackers infiltrate the network, they can move about, completely unfettered.
An SDP helps prevent “users” from moving laterally across the network by limiting their access. SDP operates on the premise that network access should be proportional to the security context the user presents at the time they’re trying to connect. Each user’s access entitlements are dynamically altered based on identity, device, network, and application sensitivity.
In addition, resources are only revealed on a need-to-know basis. As a result, users can only see the resources that they need during that session. By aligning network access with application access, users remain fully productive, while the attack surface area is dramatically reduced. (Attackers can’t attack what they can’t see.)
Finally, the Technical Alert highlights that the adversaries are leveraging third parties to get to their target. We’ve seen this before in the private sector. Third-party connections are a threat vector and organizations require an effective and manageable way to secure those connections. SDP allows you to grant access to only those systems and services that third parties need access to. Nothing more, nothing less.
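The three ideas above (scoring the connection context, sizing entitlements to that context and to application sensitivity, and scoping third parties to only what they need) can be shown in one small policy evaluator. This is an added illustration, not Cyxtera’s or any SDP product’s code; the address range, approved operating systems, trust thresholds and resource catalog are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions: the corporate address range, the approved
# operating systems, and the minimum trust score each sensitivity tier demands.
CORP_NETS = [ip_network("10.0.0.0/8")]
APPROVED_OS = {"Windows 10", "macOS"}
REQUIRED_TRUST = {1: 2, 2: 3, 3: 5}   # sensitivity tier -> minimum score

@dataclass(frozen=True)
class Context:            # what the user presents at connect time
    groups: frozenset     # identity (group membership)
    src_ip: str           # network
    os: str               # device
    antivirus_running: bool
    hour: int             # local time of day, 0-23
    country: str          # location

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int      # 1 = low ... 3 = high
    allowed_groups: frozenset

def trust_score(ctx: Context) -> int:
    """Count how many of the contextual factors the session satisfies."""
    return sum([
        any(ip_address(ctx.src_ip) in net for net in CORP_NETS),
        ctx.os in APPROVED_OS,
        ctx.antivirus_running,
        8 <= ctx.hour <= 18,
        ctx.country == "US",
    ])

def entitlements(ctx: Context, catalog) -> list:
    """Need-to-know: reveal a resource only when the user's group is
    allowed AND the session's trust meets the resource's tier."""
    score = trust_score(ctx)
    return sorted(r.name for r in catalog
                  if r.allowed_groups & ctx.groups
                  and score >= REQUIRED_TRUST[r.sensitivity])

# Constructed sample catalog; the last entry is scoped to a third party.
CATALOG = [
    Resource("wiki", 1, frozenset({"staff", "vendor"})),
    Resource("hr-portal", 2, frozenset({"staff"})),
    Resource("ics-historian", 3, frozenset({"ot-engineers"})),
    Resource("vendor-ticketing", 1, frozenset({"vendor"})),
]
```

The same valid credentials yield a different, smaller set of visible resources when the device posture, network or time of day looks wrong, and a vendor account never sees internal systems regardless of its score.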
The lesson we should all take away from the DHS and FBI’s Technical Alert is that traditional network security tools cannot prevent attackers from infiltrating the network. If they’re not working for our government and the organizations managing our critical infrastructure, then they aren’t working for you. But there’s no reason to continue to let these attacks come through unfettered. SDP technologies can help stop these attacks today.
About the Author
Leo is responsible for oversight of Cyxtera’s global information security operations, product security, compliance, risk management, business continuity, and disaster recovery. Mr. Taddeo also provides deep domain insight into the techniques, tactics, and procedures used by cybercriminals, to help Cyxtera continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.
Mr. Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.