A SANS Institute webcast about Russian cyberattack escalations in Ukraine presented a couple of takeaways. The first: Don’t panic. Too often with security issues we think the worse; we may overreact and make the situation worse. Instead, focus on the basics. The second is that we need to pay more attention to network traffic.
Take care of security basics first
When reviewing your network for potential cyber threats, don’t make things worse by making misconfigurations that will create more problems. Spend time on the basics and on other projects that you probably should have worked on earlier.
Documentation and planning are what you need to be doing now, not making changes and configuration adjustments. Slow down and review plans rather than make dramatic changes. Configuration changes often introduce side effects that make you think an attack is underway from external sources. A website is offline. Immediately we think of a cyberattack, but the root cause is often Domain Name Service (DNS) misconfigurations or core infrastructure issues.
Take the time to review and consider targeted entry points. Learn the lessons from the Maersk ransomware attacks that started from the Ukraine. Review what business-to-business entry points come from weak links. Review all virtual private network (VPN) connections to your network and where they come from. Remember, their security impacts your security. Add two-factor authentication to these connections where appropriate and consider if you need to make temporary adjustments in who connects to your network during this time.
I usually recommend holding off on patching until we know of any side-effects, but depending on your risk level you may want to test for updates on an accelerated basis and deploy sooner than normal. I also recommend reviewing the commonly attacked vulnerabilities and ensure that you have patched your network for them.
Last, but certainly not least, don’t become a source of funding for attackers. Ensure that you can recover from a ransomware attack and do not pay ransom to attackers. Having an offline backup should be a priority to ensure that you can recover in any situation.
Monitor network traffic for anomalies
SANS recommended that you review what resources you have in place to monitor network traffic to see who might be inside your network. Specifically, review NetFlow, a commonly used network protocol created by Cisco that collects active IP network traffic as it flows in or out of an interface. It tracks point of origin, destination, volume and paths on the network.
First look to your edge devices, your firewalls and other devices that control the network traffic flow in and out of your network. Even a small firm’s firewall can probably support this level of investigation. Start by pulling out your firewall manual and review if you can enable logging of NetFlow traffic. It’s not enough to enable it; you need to log it so that you can go back and investigate malicious traffic after the fact.
NetFlow isn’t just about malicious traffic. It’s also a means to reduce bottlenecks and optimize bandwidth utilization. NetFlow traffic can’t be used for just a single session; it provides more information when it’s accumulated. Enabling NetFlow analysis and storing it so that you can later review for patterns is key. Use resources such Splunk to store and to further analyze the information that you receive from your network. You can also use cloud storage such as Azure Sentinel to store and review NetFlow information.
Other options for monitoring network traffic
Other platforms perform similar functions and might provide as much or more information than NetFlow. For those of you with a Microsoft 365 E5 license or a Microsoft Defender for Business (currently in public preview), the Advanced Threat Protection console provides similar information regarding the interaction of events on your workstations and servers.
Layering on Defender for Cloud Applications can also track the flows through SaaS and other cloud platforms. Defender for Endpoint can allow you to review source IP, destination IP, and the source port and destination port. It also exposes the process information as well as web URL involved in the interaction. Put resources in understanding what is your normal network traffic and the external IP addresses that you need to trust to do business.
Copyright © 2022 IDG Communications, Inc.
