Cyber Hygiene – What’s in your Network?
Written by: Venu Vissamsetty, Vice-President of Security Research – Cyber Hygiene relates to the practice of keeping data safe and secure within an organization’s network. Organizations across the world are moving towards deploying IoT devices, adopting cloud computing as well as growing usage of applications which require additional access controls and password management.
In a recent security incident, attackers gained access to an organization’s network through a compromised external user system and targeted a Raspberry Pi computer that was not authorized to be attached to the network.
The attack highlights the significance of cyber hygiene and best practices to follow. Having good perimeter security is part of good cyber hygiene, but it is not enough, as attackers are resourceful and have proven that they can breach the perimeter and move undetected within networks. As such, cyber hygiene must also occur inside the network.
Attackers, once inside the network, try to move laterally, by exploiting systems using known or 0-day vulnerability or by finding credentials in the systems and using those credentials to move across the network.
The first step of ensuring in-network cyber hygiene is having visibility of all systems and credentials lying around in the network. Organizations can be spread across different locations and getting to know all systems that are connected to the network, credentials on endpoints, or installed applications can be challenging.
The Attivo Networks ThreatDefend™ platform provides tools for cyber hygiene, starting with network visibility, as part of its deception offering. The ThreatDefend platform’s BOTsink appliance provides this visibility across the networks by deploying ThreatDirect™ forwarders across the organization. The ThreatDirect forwarders can be deployed across the networks and in flavors of switches and routers which support application hosting.
The below diagram provides an overview of machines that are connected to the network which customers can view based on Hostname, IP address, MAC address, Vendor, Last Seen, etc. The platform also provides a mechanism to alert on “new endpoints” discovered in networks.
The Attivo solution’s design automatically detects employees connecting unapproved devices in the network and would have immediately alerted on the unauthorized Raspberry Pi connection. With the proliferation of IoT devices being connected, the Attivo solution will also provide visibility of IoT devices present across the network.
As a part of an organization’s cyber hygiene credential scanning, cybersecurity professionals can also use the Attivo ThreatPath™ solution for credential visibility and to see the lateral paths attackers could use to navigate the network. Attacks that involve stolen-credentials are typically hard to detect by existing security solutions, as attackers can use current living-off-the-land tools to move laterally and assume users identify using stolen credentials.
The Attivo ThreatPath solution works by proactively detecting persisted credentials on endpoints that attackers can exploit, including:
- Domain admin and user-cached credentials
- RDP Sessions to high-value servers (Ex: Backup servers, Jump servers, etc.)
- Local admin accounts
- Common passwords detected across systems
- AWS access keys
ThreatPath visibility allows customers to create path rules to high-value assets (Example: SWIFT servers, routers, asset management systems, backup servers, jump servers, domain controllers, etc.) and report on potential paths to these servers, which attackers can exploit. ThreatPath allows users to drill-down and search for queries based on time intervals (Example: Show “Local admin accounts created in the last 7 days”) to discover newly created local admin accounts.
The Attivo ThreatPath solution continuously assesses an organization’s network for lateral paths and serves to eliminate the paths before attackers can exploit. It also reduces overall risk by reducing the overall attack surface.
Collectively, the Attivo ThreatDefend platform serves as a force multiplier to existing internal network vulnerability and risk management tools. By detecting the presence of unauthorized devices connected to production networks and privileged credentials that attackers can exploit to move laterally, organizations gain the visibility required to maintain optimal cyber hygiene.