With the Equifax breach at the top of everyone’s agenda right now, some of you may be wondering what types of controls are available to detect and fight phishing, social engineering and certain types of malware. This email is an attempt to clarify some of the terminology that we use and to describe in simple terms some of the tools that are available to us from our partner manufacturers.
Phishing – A form of social engineering or fraud committed over email. Its purpose is to trick you into clicking a malicious link or opening an attachment, typically to capture your credentials on a look-alike site or to download a malware payload to your machine.
C2 Server – A Command and Control Server: a machine on the Internet, under the attacker’s control and frequently a compromised system whose owner has no idea it is being used, that Bots contact to report in and receive instructions. Attackers often relay those instructions through intermediate hosts or other Bots so that the traffic does not lead directly back to them (the Thief or Hacker).
Bot – A piece of software that performs a task automatically. Sometimes the task is malicious, and the Bot is delivered to your systems through phishing or other malware such as Trojans. Once installed, a malicious Bot often lies dormant for a pre-programmed period, then attempts to connect to a C2 Server for further instructions. Once that connection is established, the infected machine becomes part of a BotNet, which can contain thousands or hundreds of thousands of computers.
If your network lacks certain security measures, Bots will go undetected, waking periodically for brief check-ins to avoid notice while carrying out the remote commands they receive. Bots often hide pieces of their code in areas of the operating system (startup locations, scheduled tasks, services) that let them persist across reboots, and removal tools do not always clean them completely. Commands from a C2 Server can direct the Bot to discover, traverse and infect other machines on your local network, expanding the BotNet.
The malware variants that can be delivered to BotNet members are endless and nearly impossible to detect without the right security tools. Like all malware, Bots evolve, and some have already been seen that carry their instructions with them and need no command from a C2 Server to perform their tasks. Because of that level of sophistication, many researchers attribute this latest class of Bots to Nation State sponsors.
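The periodic check-in described above is exactly what a detection engineer looks for in outbound connection logs. The script below is an added example (not part of this email and not any vendor’s product): it reads a constructed log of outbound connections, groups them by source and destination, and flags pairs whose connection intervals and payload sizes are suspiciously regular. The log format, the sample records and the thresholds are all assumptions made for illustration; the addresses are from documentation ranges.

```python
"""Beacon detection over constructed outbound-connection log lines.

Heuristic: a host that contacts the same external destination at
near-constant intervals with small, similar payloads looks like a Bot
checking in with its C2 Server. Everything here is constructed for the
example; the format is timestamp, source, destination, port, bytes.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.12 checks in with 203.0.113.7 roughly once a
# minute with tiny payloads; 10.0.0.44 browses 198.51.100.20 irregularly.
SAMPLE_LOG = """\
2017-09-18T09:00:00 10.0.0.12 203.0.113.7 443 412
2017-09-18T09:01:01 10.0.0.12 203.0.113.7 443 409
2017-09-18T09:02:00 10.0.0.12 203.0.113.7 443 415
2017-09-18T09:03:02 10.0.0.12 203.0.113.7 443 410
2017-09-18T09:04:00 10.0.0.12 203.0.113.7 443 413
2017-09-18T09:05:01 10.0.0.12 203.0.113.7 443 411
2017-09-18T09:00:05 10.0.0.44 198.51.100.20 443 18230
2017-09-18T09:00:09 10.0.0.44 198.51.100.20 443 2211
2017-09-18T09:07:40 10.0.0.44 198.51.100.20 443 91044
2017-09-18T09:31:12 10.0.0.44 198.51.100.20 443 501
2017-09-18T10:02:03 10.0.0.44 198.51.100.20 443 7733
2017-09-18T10:02:04 10.0.0.44 198.51.100.20 443 88
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port, bytes) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_beacons(text, min_connections=5, max_jitter=0.15, max_size_cv=0.25):
    """Return [(src, dst, mean_interval_seconds)] for pairs that look like beacons.

    jitter  = coefficient of variation of the gaps between connections
    size_cv = coefficient of variation of the payload sizes
    Both low means regular check-ins carrying near-identical messages.
    The thresholds are assumptions; tune them against your own traffic.
    """
    sessions = defaultdict(list)
    for ts, src, dst, _port, nbytes in parse_log(text):
        sessions[(src, dst)].append((ts, nbytes))

    beacons = []
    for (src, dst), recs in sessions.items():
        if len(recs) < min_connections:
            continue
        recs.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        if mean(intervals) == 0 or mean(sizes) == 0:
            continue
        jitter = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            beacons.append((src, dst, round(mean(intervals), 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Real Bots add random sleep (jitter) to their check-in interval precisely to defeat this, so in practice the jitter threshold is loosened and the result is combined with destination reputation, as the DNS-layer tools described below do.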
What are some of those measures?
Firewalls – These can be software (running on local machines) or hardware-based tools that, when configured correctly, can detect and prevent Bots from connecting to C2 Servers, or C2 Servers from reaching Bots. Firewalls are best used to protect entire networks or network segments, but a software firewall can be installed on a single high-value system and configured to protect just that machine. Because the Bot initiates the connection from inside your network, filtering outbound (egress) traffic matters as much as filtering inbound.
There are several approaches to this. Different types of Firewalls suit different roles, and the newer class of next-generation firewalls (application awareness, intrusion prevention and threat-intelligence feeds) is needed to detect advanced persistent Bots that can otherwise live on your network undetected for long periods. Some tools and brands are better than others, and costs vary greatly.
Secure Architecture Design – Our Centre Premier vCIO or ARTIS™ Services can assess your network and provide sound, expert advice on its most secure and cost-effective design. Good choices made at this early stage often minimize the impact of certain types of attacks. Proper siting of the equipment that houses your critical data, the right level of redundancy and resiliency for the availability you require, and segregation and isolation of your most critical resources are all controls that can remove an attacker’s opportunity to do harm to your network.
Anti-Virus Tools – These tools can often flag phishing links and attachments but are mainly designed to locate and eradicate Trojans, worms, viruses and all other forms of Malware on devices such as Servers, Workstations, Laptops, Tablets or Smart Phones. Some AV Tools are better than others, and cost does not always indicate effectiveness. Some free tools are very capable but are designed for a single device, not for enterprise use like the tools that we use. All of these tools are software- or firmware-based. The initial software release is referred to as the Scan Engine; the Scan Engine is then loaded with Pattern-Definition Files that must be continuously updated or downloaded from a server that is fed updates by the manufacturer. Definition files are often changed several times a day by Anti-Virus Researchers.
Scan Engines do not change as often, because doing so is disruptive, depends on hardware and network resources and often requires multiple reboots. Pattern files, by contrast, can be applied while devices are running and do not require downtime. At some point, the Scan Engine must be upgraded to add features that keep up with the evolution of Malware. Often an entire tool must be replaced because newer products on the market do a better job of protecting systems from the current threats. This is where the value of using a Value-Added Partner comes into play. As your provider, it is our job to constantly stay abreast of the threat environment and ensure that we are using and maintaining the best tools for the job.
DNS and IP Layer, Intelligent Proxy and C2 Blocking Tools – These tools sit between your devices and the Internet, analyze global Internet traffic patterns, proxy name-resolution (DNS) requests and watch for connection attempts that software on a device in your network makes to unknown, newly registered or known-malicious domains (like a Bot reaching for its C2). Because most malware, ransomware included, must resolve a name and call home before it can fetch its payload or exchange encryption keys, blocking at this layer is very effective at stopping Ransomware Attacks early. (Example: Cisco Umbrella)
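To make the DNS-layer idea concrete, here is an added example of the kind of policy decision such a service makes for each name a device tries to resolve. It is not Cisco Umbrella’s logic or any vendor’s code; the blocklist, the newly-registered-domain list, the allowlist, the thresholds and the sample queries are all constructed for illustration, and the names use reserved example domains. It goes a step beyond the paragraph by adding a crude check for algorithmically generated (DGA-style) names, which Bots use to find a C2 when fixed domains are blocked.

```python
"""Policy check for outbound DNS queries, modelled on a DNS-layer blocker.

Decision order: allowlist, known-bad feed, DGA-like name, newly registered
domain (sent through the intelligent proxy for inspection), else allow.
All feeds and thresholds below are constructed for this example.
"""
import math
from collections import Counter

# Constructed threat-intel feeds. A real service fills these from global
# resolver telemetry and registrar data; here they are literal sets.
KNOWN_BAD = {"c2-update.example", "payload.example"}
NEWLY_REGISTERED = {"fresh-invoice-portal.example"}   # registered in the last week (constructed)
ALLOWLIST = {"microsoft.com", "office365.com"}


def registrable_domain(qname):
    """Collapse a query name to its last two labels (host.sub.example.com -> example.com).

    Sufficient for the constructed data; a production implementation uses
    the public suffix list so that e.g. example.co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname, min_len=16, min_entropy=3.5, max_vowel_ratio=0.25):
    """Crude DGA heuristic: a long, high-entropy left-most label with few vowels."""
    label = qname.rstrip(".").lower().split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < max_vowel_ratio


def decide(qname):
    """Return (action, reason) where action is 'allow', 'block' or 'proxy'."""
    base = registrable_domain(qname)
    if base in ALLOWLIST:
        return "allow", "allowlisted"
    if base in KNOWN_BAD:
        return "block", "known C2/malware domain"
    if looks_generated(qname):
        return "block", "DGA-like name"
    if base in NEWLY_REGISTERED:
        return "proxy", "newly registered domain, inspect via intelligent proxy"
    return "allow", "no indicator"


def filter_queries(queries):
    """Apply decide() to a batch of query names, returning (name, action, reason) rows."""
    return [(q, *decide(q)) for q in queries]


if __name__ == "__main__":
    # Constructed queries as a resolver might see them from one workstation.
    sample = [
        "update.microsoft.com",
        "beacon.c2-update.example",
        "xk3j9q2mfwz7hd4pv.example.org",
        "fresh-invoice-portal.example",
        "www.example.com",
    ]
    for name, action, reason in filter_queries(sample):
        print(f"{action:5s} {name:35s} {reason}")
```

The "proxy" outcome is what distinguishes an intelligent proxy from a plain blocklist: a brand-new domain is not proven bad, so rather than blocking it outright, the connection is routed through a proxy that inspects the content before it reaches the device.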
Distributed Denial of Service (DDoS) Mitigation Tools – These tools are designed to detect Denial of Service Attacks and to limit the loss of availability of your resources that occurs when such attacks go unchecked.
Cloud-Based Cybersecurity Operations Center (C-SOC) Monitoring – As part of our Centre Premier Services, using advanced traffic sensors placed on your local network, we provide 24x7x365 monitoring of all of your network traffic by Security Engineers who are contracted under a 5-minute SLA to alert and assist our Centre Assist Team in resolving security incidents.
Encryption Tools – These protect the confidentiality of your data if all other defenses fail and attackers do reach the devices or volumes holding your sensitive data: what they take is unreadable without the keys. That only holds if the keys are managed separately from the data, and encryption does not stop an attacker from deleting or re-encrypting the data, which is why it is paired with backups.
Backup and Replication Tools – If all other defenses fail and data is maliciously encrypted or locked up, as in a ransomware attack, then this is often the tool that prevents data or business loss. Ransomware routinely seeks out and encrypts any backup it can reach, so at least one copy must be kept offline or immutable, and restores must be tested before they are needed.
Data Security Behavior-Based Tools – These tools concentrate on locating and classifying your sensitive data, alerting on and reporting unusual access to it, and providing a forensic audit trail of changes made to the repositories that hold it.
External Vulnerability Scanning and Penetration Testing Tools – Scanners enumerate the devices exposed on your network and report known weaknesses; penetration testing goes further and actually attempts to exploit them, confirming which weaknesses are real and that earlier fixes actually worked.
Anti-Phishing or Security Awareness Training – These tools are education-based and designed to be presented to your employees to raise their level of cybersecurity threat awareness. They are not meant to make them experts, only to train them to recognize when they are being conned by a Phishing or Social Engineering Attack. Many experts believe that these tools have the best return for the cost because they are designed to change the behavior of people, who remain the target attackers exploit most often.
Policies and Procedural Tools – These are forms of governance and are administrative rather than technical controls: they set expectations and accountability but do not by themselves stop an attack. Many organizations do not have them unless they need to comply with a statute or regulation because of the type of data they work with. If you need help establishing an Information Security Program based on IT Risk, with Policies and Procedures that address a compliance need, we can build this for you.
There are other tools that we use that are not listed here.
Whatever tools are in place, a threat actor attacking you or your network needs all three of the following to succeed:
- The threat actor has the CAPABILITY to exploit a vulnerability.
- The threat actor has the OPPORTUNITY to exploit a vulnerability.
- The threat actor has the INTENT to exploit a vulnerability.
We can layer your defenses to counter capabilities by staying vigilant, constantly monitoring and providing you with the best tools for your defenses, and we can limit the opportunities that the bad guys look for by identifying and mitigating weaknesses in the controls that we recommend and deploy. There isn’t much we can do to thwart the intent of an attacker, but they need the other two to succeed. Service Providers and Customers must continuously work together to mitigate risks, because the threat environment is constantly evolving.
Please reach out for more information.