By Carolyn Crandall, Chief Deception Officer, Attivo Networks
One of the most popular targets for attackers, cybercriminals, and other bad actors is east/west network traffic. This is network traffic that originates from one internal host or network segment, and whose destination is another internal host or network segment.
North/south traffic, on the other hand, moves from an internal network out to the Internet. North/south is where organizations have historically invested, and includes security controls such as firewalls, intrusion detection/prevention systems, and proxies.
Ensuring good threat detection for east/west—or lateral—traffic has never been more important for organizations. The ability to move undetected through the network is key for successful ransomware attacks, and detecting that movement is increasingly critical as damaging and sophisticated ransomware becomes more pervasive.
Companies can choose from several methods to address the challenge of protecting lateral traffic, but each of these has limitations that ultimately make them ineffective at detecting lateral movement. One emerging method—threat deception—uses new technology and a different approach that delivers the comprehensive protection organizations need to efficiently monitor east/west network traffic.
Before exploring this new approach that centers on concealment, fakes, and misdirections, let’s take a look at the other options.
Logging at the endpoint
With this approach, organizations use technology such as security information and event management (SIEM) logging to aggregate
and monitor endpoint logs to look for suspicious behavior that might indicate a security incident.
Upside: This is a native capability in all modern operating systems, making it readily available.
Downside: The storage and analysis of log data is a big challenge. Security teams need to pull audit logs from a large number of systems used throughout the organization and then bring that into a SIEM platform. The volume of data can be enormous, especially for large enterprises. Because of the strain, companies can’t rely on SIEM only. They need to leverage a big data analytics platform, which does not work well as an alerting system.
Monitoring agents at every endpoint
This involves deploying agents such as endpoint detection and response (EDR) tools that can log network connections.
Upside: Many EDR products have this function, and using behavioral detection provides insights that include forensics and supporting information for root cause analysis and threat hunting.
Downside: As with logging at the endpoint, storage and analytics at scale is a challenge. Companies need to install agents at every endpoint, and while EDR agents work well for real-time detection, managing the large and growing volume of alerts generated can be overwhelming for cybersecurity teams. The filtering process needed is labor-intensive and time-consuming. Often, manual analysis is required to identify issues, and there can be long delays in addressing genuine threats.
Deploying NetFlow collection at core routers and switches
NetFlow, a network protocol developed by Cisco to collect and monitor network traffic flow data generated by NetFlow-enabled routers and switches, analyzes network traffic flow and volume to determine where the traffic is originating, where it’s going, and how much traffic is being generated.
Upside: NetFlow, now a de facto industry standard, is supported by platforms from several leading network equipment providers, so it is built into most core routers and switches.
Downside: NetFlow is known to affect the performance of the devices where it is enabled, such as routers and switches. This can have a detrimental impact on network performance, which can be a problem for companies trying to keep up with growing volumes of data and demand for higher network speeds.
Implementing a dedicated monitoring network
With this method, organizations aggregate network traffic to one location via tap and span ports or inline proxies and monitor the traffic.
Upside: This provides a dedicated function for continuous visibility to the overall performance of the network and allows organizations to observe all traffic traveling, as well as monitor every connected device and their performance metrics. It is typically simple to manage and operate.
Downside: Scaling of this method is problematic. Increasing internal bandwidth can quickly overwhelm the aggregator, causing loss of monitoring or dropped packets, and there can be network performance issues.
Deploying an internal firewall
Using this tactic, companies leverage their legacy firewalls to segment and monitor the network and then look at the connection logs.
Upside: Many organizations can use older firewalls that they had decommissioned when they updated their infrastructure with Web application firewalls. They’ve already made the investment in these products, so there’s no new purchase cost. They can redeploy the equipment internally to meet their needs.
Downside: This deployment does result in extra infrastructure to maintain and new rules sets to manage. There are scaling issues with logging and analysis. Companies must also deal with the same issues as they do when pulling data from a lot of locations on the network.
Using an internal intrusion detection and prevention system (IDPS)
IDPS is a network security tool that monitors network and system activities and detects possible intrusions. Organizations can deploy IDPS inside their networks and monitor east-west traffic.
Upside: Many organizations are already doing this and can use decommissioned systems or Linux systems for simple IDPS functions.
Downside: Signature-based detection can miss threats. In addition, organizations can have deployment issues, such as failing to have sufficient sensors to provide the required visibility.
Implementing network traffic analysis
This is where organizations collect network traffic and analyze it to look for potential threats.
Upside: Network traffic analysis is a dedicated function that has useful capabilities for internal threat detection and analysis.
Downside: This tends to be an inefficient method for organizations. Data storage and analysis at scale is problematic. For many companies, it’s a challenge to tune systems, and there are visibility issues.
Leveraging the deception approach
Deception and data concealment technology is an emerging category of cybersecurity, with products that can prevent, detect, analyze, and defend against advanced attacks by hiding and denying access to data. Deception uses misdirections to lead attackers away from production assets, and a variety of decoys placed at the network and endpoint level to identify threats. The technology takes a proactive approach to security by aiming to deceive attackers, control their path, and then defeat them.
Upside: These tools do not rely on signatures, network traffic capture, or behavioral analysis. There is no need to collect logs or for traffic storage, log aggregation, analysis, or creating rules. Alerts are based upon engagement or detection of unauthorized activity, which removes false-positives and includes threat intelligence for actionable incident response.
These solutions can identify threats starting at the endpoint, targeting Active Directory, and through the network, as they attempt to move laterally and escalate privileges. From the network side, decoys can detect suspicious or malicious connection attempts from another internal host. From the endpoint, local deception functions can identify inbound or outbound connection attempts to non-existent ports and services as suspicious or malicious. This is important because it prevents an attacker from fingerprinting a system and targeting vulnerable services.
Downside: Misperception may be the biggest challenge for this technology. There remains a limiting association with legacy honeypots, and some believe it is only for organizations with mature security operations. Not all deception technology providers offer products that can achieve all of the capabilities, and as such, cybersecurity teams will need to be careful in their solution selection.
Conclusion—Aiming for Efficiency and Effectiveness
Many of the options for east/west threat detection clearly provide efficiencies for organizations. They can choose to implement one or more tools they already have in place and know how to use them, so there’s no extra cost. Why invest in something new when you can get by with the old?
Unfortunately, organizations that rely on less-than-ideal solutions will come to the realization that convenience does not always equate to effectiveness. Many of these methods are not inherently designed to detect all the various types of attacks.
With security technology based on both prevention and detection, organizations have an opportunity to get the best of both worlds—efficiency with effectiveness—and protect themselves and their business partners from the latest threats.
About the Author
Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of taking companies from pre-IPO through to multi-billion-dollar sales and held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.
Carolyn is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operational, digitalization, and security challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based cybersecurity infrastructure to one of an active security defense based on the adoption of deception technology.
Carolyn is an active evangelist, blogger, byline contributor, and speaker on industry trends and security innovation. She’s received many industry recognitions including a Top 100 Women in Cybersecurity 2020 and Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, a Women of the Channel (11 consecutive years) and a Power 100 member (10 consecutive years) by CRN.
Carolyn serves as an Advisory Board Member for the Santa Clara University Executive MBA program and co-authored the e-book Deception-based Threat Detection, Shifting Power to the Defenders.