Building a Hacker-Resilient Network

By Davey Winder

 

Speaking in 2012, the then-director of the FBI, Robert Mueller, said “There are only two types of companies: those that have been hacked, and those that will be.” Not much has changed in the six years following, apart from perhaps the second type now being, “…those who don’t know they have been.” What we do know today is there will never be 100% guaranteed network security, and there is no secret risk-extermination policy to share. This means ensuring your network is hacker-resilient is not an optional goal.

What do we mean by hacker resilience?

network_management.jpgWhat we mean is a cybersecurity-resilient approach to network management. That may sound like a simple objective to achieve, but given the average enterprise network includes both hardware and software prone to vulnerabilities that can be exploited—along with human beings that can also be exploited—it’s harder than you might think. As soon as you step back and contemplate the scale of the attack surface within most organizations, you start to understand the scale of the task involved in defending it. Not least as the bad guys would appear to have the upper hand in terms of both threat evolution and the windows of opportunity to execute those threats.

Resilience, then, is an abstract concept. Think of cyber-resilience—making your network resilient to attack—as the process of closing as many of those windows of opportunity as possible and bolting them firmly shut afterwards. Sure, as Mueller’s quote reminds us, those windows may get smashed and grant access to an attacker; but applying the resilience concept at least means you are aware of the intruder and have a plan to kick him out again.

To achieve a state of network resilience, there are several best-practice network management strategies that must come into play. However, before even perusing what these are, there’s one truth that must be front and center of your secure thinking: A cyber-resilient network security posture cannot be built on a foundation of prevention alone. True resilience means understanding that incident response must be part of the process. Given that most people within the cyber-security industry now accept that Robert Mueller was right back in 2012, dealing with those hackers that have already compromised network defences is equally as important as building barricades to try and keep others out. The name of this game is damage limitation, to minimize the impact on the business.

Where to begin with network resilience?

incident_response.jpgLet’s start by ensuring your organization has a workable incident-management framework, signed off by those at the top and understood by all relevant staff. What does an incident-management framework look like? That will vary from enterprise to enterprise, but all should come complete with a baseline plan that dictates the ‘who, what, and how’ regarding access to first responders, threat data, and the investigative tools needed for an effective response. That plan needs to be drawn up with the engagement of all impacted departments within the organization, from the board through to IT, and don’t forget legal and marketing teams! It also needs to be tested and updated on a regular basis to ensure it works–and keeps working.

Of course, there is more to being hacker-resilient than just shutting the proverbial door after the insecurity horse has bolted. A good mantra for resilience might be ‘identify, respond, recover,’ and while incident response covers the last two items, preventative security solutions can be used for the first and second in equal measure. This means deploying such things as network segregation, so hackers cannot traverse sideways from a breach point to where the money is, figuratively speaking, in one painless bound. To do this, you must be able to identify what data is most valuable, both to the business and the potential intruder, and then move that somewhere out of easy reach (read our blog on defending your “Crown Jewels” for more on this).

Internal firewalling can act as the bouncers between these network segments, to keep the hackers out. Network visibility is equally important, which means not only knowing what your data is and where it is stored, but also what a normal traffic pattern of packets moving in and out the network looks like. This baseline normality image can be used by an intrusion prevention system (IPS) to spot traffic anomalies and react in real time according to policy (to understand more about IPS, read this blog). The ability to identify both internal and external indicators of compromise cannot be overstated, and knowing what good looks like is the best way of spotting what’s bad.

Add in vulnerability scanning and patch management, and you are almost done… almost, but not quite: Don’t forget the human factor. With the insider threat—whether malicious or benign—a major cause of network compromise, no look at hacker-resilience would be complete without mentioning network security awareness training. If everyone in the organization is aware of what the social engineering risk looks and feels like, your network resilience will be bolstered as a result. You can’t expect to stop every single attack from being successful, but applying resilience to your network can help swing the odds back in your favor.

 

Additional reading:

 

Davey has been writing about IT security for more than two decades, and is a three times winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious ‘Enigma’ award for his ‘lifetime contribution’ to information security journalism in 2011. 

You can follow Davey on Twitter at @happygeek