Mandiant recently released an interesting report on APT1, the supposed Chinese Army hackers that Mandiant ties to a large share of the serious digital attacks being conducted these days. The reason I bring this up is that, even before the Mandiant report, I had been getting questions about how the PCI DSS, ISO 27K, HIPAA and other standards could possibly block, or even alert an organization, when it is under such an attack or has already been compromised by an advanced persistent threat (APT). I will use the APT acronym in this post to mean any sophisticated attacker, not just the APT1 group or those that follow its methods to compromise a network.
It fascinates me how many organizations jump through hoops to tightly control and monitor inbound network traffic from the Internet, business partners and any other untrusted network, yet do nothing about the outbound side of the equation. It is the age-old belief that all internal traffic can be trusted because it originates inside the network.
It is this trust that APT relies upon to compromise your network. Because you have tightly controlled your inbound traffic, APT relies on social engineering (typically a targeted phishing message) to gain a foothold on the internal network. Once inside, since most organizations do nothing to control or monitor outbound traffic, it is a relatively simple task to connect from inside the network to any external IP address and set up a command-and-control link.
Even when organizations do control and manage outbound traffic, it is still easy to connect out over ports 80 (HTTP) or 443 (HTTPS). In this day and age it is virtually impossible to be in business without allowing ports 80 and 443 outbound. Attackers know this and use it against a target to gain a way out.
So what can you do to minimize this risk?
- Tighten your inbound traffic from the Internet and business partners. I consistently find that organizations accept traffic from countries where they have no business relationships. Those source ranges can then be used to launch denial-of-service attacks and intrusion attempts against you. If you do not limit where inbound traffic can come from, you are only asking for a denial-of-service attack or worse.
- Control which external IP addresses and URLs your internal network can connect to. While a lot of organizations today use overseas business partners, is that any reason to let your internal network connect to any IP address? No. An allow-anything rule is typically set up by a network engineer who does not want to be bothered by a stream of service requests to permit IP addresses or URLs. However, today’s sophisticated network attacks are only stopped if you control which IP addresses or URLs your users can connect to. Yes, this creates a pain-in-the-rear issue when someone needs to reach something you have blocked. But would you rather stop a breach, or let it go unchecked until you accidentally trip over it?
- Control your outbound ports with the same rigor you apply to inbound traffic. If all your internal network needs outbound is ports 80 and 443, then those should be the only ports your firewall allows out, with everything else denied by default.
- Monitor your outbound network traffic for “anomalies.” The biggest anomaly to look for is encrypted traffic on a port where you do not expect it, for example TLS on anything other than 443, or SSH leaving the network from a workstation. Legitimate encrypted services do exist on other ports (mail over TLS, VPNs and the like), so build an inventory of where you expect encryption and flag everything else; an unexplained encrypted session on an odd port is likely an attacker trying to obscure the fact that they have compromised your network. After all, your firewall and IDS/IPS cannot read the packets inside the encrypted stream, so the attacker effectively blinds them to what is actually going on. Encrypted traffic that does use 443 will hopefully be blocked by your white or black list of IP addresses and URLs, since the destination is the one thing you can still see.
- Analyze the log data from your firewalls and IDS/IPS for signs of APT activity. Are there consistent indications that devices are trying to connect to blocked IP addresses or URLs? Do those attempts occur after hours or when the user is not in the office? These are examples of conditions that should be flagged and investigated to ensure that something bad is not occurring.
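The following is an added example (not code from the original post) that puts the last four controls together: a default-deny egress policy check, and a triage pass over outbound firewall log lines that flags encrypted traffic on unexpected ports, after-hours blocked connections, repeated attempts to reach a blocked destination, and allowed connections that the stated policy says should have been denied (a gap between the intended policy and the deployed ruleset). The log format, the address ranges, the business-hours window and the sample log lines are all constructed for this example and do not correspond to any vendor's real log format.

```python
"""Egress policy check and outbound-log triage (added example, not the post's own code).

Assumed log format, constructed for this example (one record per line):
    <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> app=<label> action=<allow|deny>
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, time

# --- Intended egress policy (assumed values for illustration) ---------------
ALLOWED_PORTS = {80, 443}                       # only HTTP/HTTPS may leave the network
ALLOWED_DESTS = [ipaddress.ip_network(n)        # and only to approved destinations
                 for n in ("203.0.113.0/24", "198.51.100.10/32")]
EXPECTED_ENCRYPTED_PORTS = {443}                # where encrypted sessions are expected
ENCRYPTED_APPS = {"ssl", "tls", "ssh"}          # app labels the firewall marks as encrypted
BUSINESS_HOURS = (time(7, 0), time(19, 0))      # Mon-Fri, 07:00-19:00

# Constructed sample log (RFC 5737 documentation addresses; 2013-02-20 is a Wednesday).
SAMPLE_LOG = """\
2013-02-20T09:15:02 src=10.1.2.3 dst=203.0.113.5 dport=443 app=ssl action=allow
2013-02-20T09:16:10 src=10.1.2.3 dst=198.51.100.10 dport=80 app=http action=allow
2013-02-20T09:20:44 src=10.1.2.7 dst=192.0.2.55 dport=8443 app=ssl action=allow
2013-02-20T02:05:13 src=10.1.2.9 dst=192.0.2.77 dport=443 app=ssl action=deny
2013-02-20T02:05:43 src=10.1.2.9 dst=192.0.2.77 dport=443 app=ssl action=deny
2013-02-20T02:06:13 src=10.1.2.9 dst=192.0.2.77 dport=443 app=ssl action=deny
2013-02-20T14:30:00 src=10.1.2.7 dst=192.0.2.55 dport=22 app=ssh action=deny
"""


def egress_allowed(dst: str, dport: int) -> bool:
    """Default-deny egress: the port must be permitted AND the destination approved."""
    if dport not in ALLOWED_PORTS:
        return False
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTS)


def parse_line(line: str) -> dict:
    """Parse one record of the assumed key=value log format."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def after_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def triage(lines, repeat_threshold: int = 3) -> list:
    """Return (finding, src, dst, detail) tuples worth an analyst's attention."""
    findings = []
    denied = defaultdict(Counter)           # src -> dst -> count of blocked attempts
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        # Encrypted session on a port where encryption is not expected.
        if r["app"] in ENCRYPTED_APPS and r["dport"] not in EXPECTED_ENCRYPTED_PORTS:
            findings.append(("encrypted_on_unexpected_port", r["src"], r["dst"], r["dport"]))
        # The firewall let out something the intended policy says it should not have.
        if r["action"] == "allow" and not egress_allowed(r["dst"], r["dport"]):
            findings.append(("policy_violation", r["src"], r["dst"], r["dport"]))
        if r["action"] == "deny":
            denied[r["src"]][r["dst"]] += 1
            if after_hours(r["ts"]):
                findings.append(("after_hours_blocked_egress", r["src"], r["dst"], r["dport"]))
    # A host that keeps hammering the same blocked destination is beaconing or misconfigured.
    for src, dsts in denied.items():
        for dst, count in dsts.items():
            if count >= repeat_threshold:
                findings.append(("repeated_blocked_destination", src, dst, count))
    return findings


def run_demo() -> list:
    """Triage the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the sample above the pass surfaces the TLS session on 8443 and the SSH attempt on port 22 from the same host, the three 02:00 blocked connections from 10.1.2.9 (which also trips the repeated-destination rule), and the fact that the 8443 session was allowed at all despite a policy of 80/443 only. The thresholds and the business-hours window are the knobs to tune; the point is that every one of these checks works on metadata the firewall can still see after the payload is encrypted.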
Remember, security is not perfect. What these controls do is make it more difficult for APT to compromise your network. If APT puts their mind to it, there is likely still a way in, but it will take significantly more work. In the end, I would like to think that since there are many easier targets, APT will go after those and leave your organization alone, at least for the time being.