How to Fight Off Attacks from Inside the Network

As a foundational element of enterprise security, most IT managers strive to keep all bad guys out of their networks. Unfortunately, today’s rapidly evolving threat landscape makes a truly impenetrable defense impossible. Luckily, companies can still turn the tables on hackers even after they’ve breached initial lines of defense.

Rather than exclusively focus on keeping hackers out of networks, companies must also prepare to defend valuable assets from the inside. A formidable “Plan B” can help mitigate damage from external attacks and force hackers out of the network faster.

To get started, here’s a plan for digging in and fighting off hackers from inside the network. 

1. Start with Network Segmentation

While attacks vary, every attacker follows a basic strategy to move laterally and escalate privilege. If IT managers can stop a hacker’s lateral movement, they can slow down the attack. Many enterprise networks survive as the great-grandchild of some original 10-megabit-per-second hub, updated and upgraded over the years, but without a security redesign. For these, network segmentation creates internal barriers to disrupt attacks.

For the safest segmentation, start with a clean slate: What would the network look like if it were built from scratch? Features such as management and control systems separated by access control lists, internal firewalls between parts of the data center, and unified threat management tools such as intrusion prevention and web application firewalls moved closer to servers, all offer good places to start. First, prepare a design. Then determine how to migrate there, one step at a time. Next, build a long-term plan and work toward it constantly.

2. Evolve Your Log Capture Strategy

After a breach has been detected, first responders and cleanup crews rely heavily on logs to determine what happened and where to focus their efforts. Without a complete set of logs (and tools to search them), it can be impossible to determine what happened, and cleanup costs and outages can spiral out of control quickly. Move logs to a separate system, because many hackers clear out logs as they sneak through a network.

But capturing logs in an enormous syslog server is no longer good enough. Businesses need security information and event management (SIEM) tools to quickly search through all security-related logs, organize them and answer questions about what happened. The SIEM market has expanded tremendously, and available tools exist at every price point.

However, it’s not enough to simply buy and install a SIEM system. Businesses must ensure that all critical security logs (Windows, Unix, network and security devices) are sent and that the configured SIEM tool parses and organizes the logs. SIEM investments become wasteful without proper configuration. Also, make sure the entire IT team knows the importance of the SIEM system and integrates log management into every system installation to maintain effective security monitoring.

3. Put Alerts and Limits in Place

Attackers work from a position of ignorance about a network, which means they will blunder around searching and scanning to find the weakest links. It’s good to block this kind of behavior, but detecting internal scans and break-in attempts will alert administrators instantly to suspicious activity.

IT managers can detect scans using tools such as honeypots. A honeypot open to the Internet won’t reveal anything new because everyone faces constant attack. But a honeypot inside the firewall should remain untouched; if someone does scan it, or try to break into it, the alarm bells should ring loud and clear.

Even without a honeypot, security admins can see attackers by their actions. For example, 10 login failures on an internal server says nothing; a hundred login failures is a sign that someone inside the server is trying to guess passwords. Figure out how to detect scanners (a SIEM tool can help with this) and investigate every incident.

4. Address Legacy Issues Head On

Old systems, unpatched tools, and servers installed before security became a priority allow attackers to escalate privileges. Windows networks prove particularly vulnerable due to Microsoft’s unfixable “pass the hash” vulnerability (any privileged access on a single system, no matter how remote can turn into more privileged access within the same domain). A business cannot adopt an attitude of simply putting more security into newer systems. They must go back and clean up old problems as well.

Vulnerability analyzers offer a great way to identify old systems that represent a stepping stone for attackers, and every security manager should make cleaning up vulnerabilities a priority, either by patching, upgrading or installing per-system firewalls to isolate weak servers. It’s also good strategy to simply step back and rethink business processes.