A popular—and especially evil—attack technique is the distraction attack. It is often carried out with a DDoS attack: while everyone is furiously fighting to keep the site up, the attacker quietly steals the payroll files, which were the actual target all along. But for enterprise CISOs today dealing with the COVID-fueled new attack surface, there may be little need for an attacker-made distraction: the new networks provide more than ample distractions of their own.
It’s actually part-distraction and part-obscuring as the new networks deliver so much noise that finding the one attack that merits worrying (the signal, if you will) is difficult and takes time. And during a major active attack, every second counts, which is why today’s networks are so much more dangerous than what enterprises dealt with way back in January 2020.
These network changes are on top of long-endured security nightmares: too many tools, siloed environments, and cybersecurity staffing shortages. But the new environment makes these challenges far worse. How many of those tools are optimized—or even appropriate—for today’s threat landscape? We still have siloed environments, but an additional 100,000 remote sites (coupled with a lot more cloud along with more IoT) is creating far more silos, more places where legitimate data can hide and cyberattackers can lurk. As for those staffing shortages, some CISOs are now longing for the days of last year. With COVID’s economic impact, enterprises are losing revenue and many have had to impose cost cuts on all departments, including security. This is at a time when the area that CISOs need to protect is an order of magnitude larger and more complex.
When there is an attack in today’s environments—typically every other minute—it takes the SOC team a long time to figure out which part of the network is being attacked. In these situations where split-second decisions are needed, such delays can prove disastrous.
To negate this problem, SOCs need visibility that extends well beyond the campus network (public cloud, IoT, roaming users, branch offices, etc.) along with the context to see through distractions and zero in on the most critical attack. That network context is essential for efficient defense and must include correlation with the criticality of the compromised asset, the location of the asset, an audit trail, and the history of destinations it has accessed. These key datasets are needed to make threat intelligence actionable. Data overload is the cyberattacker’s friend and the enemy of the SOC and the CISO. Today’s typical threat intelligence on its own is insufficient for effective threat investigation. CISOs and SOC teams need an automated way to gather context around threat indicators to enable linkages and appropriate event prioritization.
One often overlooked tool is DNS data and all of its analytical components. Anything that connects to a server needs an IP address, and that is a goldmine of actionable information. The next step of that journey would be leveraging DDI data more, most likely via machine learning. The data is the same as is available today, but ML would allow for far faster analysis—which could make the difference between identifying an attacker before any data is accessed or stolen and discovering the attacker’s true path and point of origin ten minutes too late to negate the attack.
The DDI platform has constant—and complete—visibility of all devices touching the network because, clearly, any time a device joins a network, the first thing it will do is to request an IP address from the DHCP server, which then delivers that IP address to the device.
DHCP discovery is much more effective than traditional network scanning techniques, which can be disruptive and need scheduling; that in turn means such network scanning data is often out of date. DHCP discovery is also far more comprehensive: it feeds the IPAM database the full characteristics of the device (type of device, OS, version) based on the initial DHCP request, along with username, switch port, access point, physical location, MAC address, current and historical IPs and locations, and other user details.
Typically, when working without the kind of detailed device inventory that DNS analysis delivers, security analysts have to manually investigate each incident based on an IP address, reviewing the logs from the firewall, servers, network devices and security tools, trying to figure out an attack pattern and then dumping all of that raw data into a SIEM or SOAR platform. Not only does this take far more time than a SOC security analyst can justify during a live attack, but they are doing it without the critical context for prioritizing responses and deciding immediate next steps.
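The lookup described above, as an added example that is not part of the original post or any vendor's product: an alert that carries only an IP address is enriched from DHCP lease records (which device held that address at the time of the alert, with its address history), from hypothetical IPAM asset attributes (criticality, location, owner) and from DNS query logs (destinations the device contacted before the alert), and the result is given a priority. The dhcpd-style log lines, asset table and DNS log are all constructed test data. The IP-reassignment case is handled deliberately: a lease lookup that takes only the current holder of an address would blame the wrong device once DHCP has handed the address to someone else.

```python
import re
from collections import defaultdict

# Constructed dhcpd-style DHCPACK lines; invented test data, not a capture.
DHCP_LOG = """\
2020-06-01T08:00:02 DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (fin-laptop-07) via eth0
2020-06-01T09:10:00 DHCPACK on 10.1.7.88 to aa:bb:cc:dd:ee:ff (lobby-cam-3) via eth1
2020-06-02T08:05:10 DHCPACK on 10.1.5.41 to 00:11:22:33:44:55 (fin-laptop-07) via eth0
2020-06-02T08:06:00 DHCPACK on 10.1.5.23 to 66:77:88:99:aa:bb (guest-phone) via eth0
"""

# Hypothetical IPAM asset attributes keyed by hostname (constructed).
ASSETS = {
    "fin-laptop-07": {"criticality": "high", "location": "HQ-floor3", "owner": "payroll"},
    "lobby-cam-3": {"criticality": "low", "location": "HQ-lobby", "owner": "facilities"},
}

# Constructed DNS query log: (timestamp, client_ip, queried_name).
DNS_LOG = [
    ("2020-06-02T08:20:00", "10.1.5.41", "update.example-vendor.test"),
    ("2020-06-02T08:21:00", "10.1.5.41", "xfer.suspicious.test"),
    ("2020-06-02T08:21:30", "10.1.5.23", "captive.guest.test"),
]

ACK_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]+)\))? via (?P<iface>\S+)$"
)

PRIORITY = {"high": 3, "medium": 2, "low": 1}


def parse_leases(log_text):
    """Return one record per DHCPACK line, in log order."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line.strip())
        if m:
            leases.append(m.groupdict())
    return leases


def build_context(leases):
    """Index leases by MAC (the device's address history) and by IP
    (every holder of that address over time, in log order)."""
    by_mac, by_ip = defaultdict(list), defaultdict(list)
    for rec in leases:
        by_mac[rec["mac"]].append(rec)
        by_ip[rec["ip"]].append(rec)
    return by_mac, by_ip


def lease_at(by_ip, ip, when):
    """The lease that held `ip` at time `when`: the latest ACK for that
    address not later than the alert. ISO-8601 timestamps sort lexically."""
    candidates = [r for r in by_ip.get(ip, []) if r["ts"] <= when]
    return candidates[-1] if candidates else None


def enrich_alert(alert_ip, alert_ts, by_mac, by_ip, dns_log=DNS_LOG):
    """Attach device identity, asset criticality, address history and the
    DNS destinations contacted during this lease to an IP-only alert."""
    lease = lease_at(by_ip, alert_ip, alert_ts)
    if lease is None:
        return {"ip": alert_ip, "known": False, "priority": 0}
    host = lease["host"] or lease["mac"]
    asset = ASSETS.get(host, {"criticality": "medium", "location": "unknown", "owner": "unknown"})
    history = [(r["ts"], r["ip"]) for r in by_mac[lease["mac"]]]
    dests = [name for ts, ip, name in dns_log
             if ip == alert_ip and lease["ts"] <= ts <= alert_ts]
    return {
        "ip": alert_ip, "known": True, "mac": lease["mac"], "hostname": host,
        "interface": lease["iface"], "criticality": asset["criticality"],
        "location": asset["location"], "owner": asset["owner"],
        "ip_history": history, "destinations": dests,
        "priority": PRIORITY[asset["criticality"]],
    }


def prioritize(alerts, by_mac, by_ip):
    """Enrich a batch of (ip, timestamp) alerts and order them so the
    highest-criticality asset is investigated first."""
    enriched = [enrich_alert(ip, ts, by_mac, by_ip) for ip, ts in alerts]
    return sorted(enriched, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    by_mac, by_ip = build_context(parse_leases(DHCP_LOG))
    for a in prioritize([("10.1.7.88", "2020-06-02T09:00:00"),
                         ("10.1.5.41", "2020-06-02T08:30:00")], by_mac, by_ip):
        print(a["priority"], a["ip"], a.get("hostname"), a.get("destinations"))
```

The same address 10.1.5.23 resolves to `fin-laptop-07` for an alert on the first day and to `guest-phone` for one after the reassignment on the second day; a lookup keyed only on the current lease would misattribute the earlier alert.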
Another massive problem with the typical approach to threat intel feeds is that enterprises leverage so many different threat feeds in different parts of their security infrastructure (NGFWs, DLP, endpoint, IPS, and so on) that the target is more obfuscated, not less. Each tool is working off a different source of truth, which leads to conflicts and duplicate alerts going into the SIEM. That forces the SIEM to try to track events based upon separate, uncorrelated vendor threat feeds, and the Ops team doesn’t know which feed is trustworthy and which is not.
There is also a lack of flexibility when trying to put the right intel in the right platform. For example, phishing-specific IoCs should be added to an email gateway. Aggregating those IoCs across multiple vendors puts the onus on the security operations person to do that, including ensuring that it is in a format the receiving platform can consume. This adds manual overhead.
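The aggregation step that the two paragraphs above describe as manual work, as an added example that is not part of the original post or any vendor's product: indicators from two hypothetical feeds with different field names and category vocabularies are canonicalized, duplicates are merged so one indicator carries every source that reported it, and each indicator is routed to the platform that should consume it in that platform's format. The feed records are constructed test data; the vendor names, the tag aliases and the target formats (a plain blocklist for the firewall and gateway, and DNS Response Policy Zone records for domains) are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed feed records in two hypothetical vendor formats (invented data).
FEED_A = [  # "vendor A": list-valued tags, explicit kind
    {"indicator": "login-secure.example.test", "kind": "domain", "tags": ["phishing"]},
    {"indicator": "203.0.113.7", "kind": "ip", "tags": ["c2"]},
    {"indicator": "http://login-secure.example.test/verify", "kind": "url", "tags": ["phishing"]},
]
FEED_B = [  # "vendor B": different field names, single category string
    {"value": "LOGIN-SECURE.EXAMPLE.TEST", "category": "phish"},
    {"value": "203.0.113.7", "category": "botnet"},
    {"value": "198.51.100.20", "category": "scanner"},
]

# Assumed mapping from each vendor's vocabulary to one internal tag set.
TAG_ALIASES = {"phish": "phishing", "phishing": "phishing",
               "botnet": "c2", "c2": "c2", "scanner": "scanning"}


def classify(value):
    """Derive the indicator type from the value itself rather than trusting
    the feed's own label, and return a canonical form for de-duplication."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    if "://" in v:
        p = urlparse(v)
        return "url", p._replace(netloc=p.netloc.lower()).geturl()
    return "domain", v.lower().rstrip(".")


def normalize(records, source, value_field, tag_field):
    """Turn one vendor's records into uniform indicator dicts."""
    out = []
    for rec in records:
        ind_type, canon = classify(rec[value_field])
        raw_tags = rec[tag_field]
        if isinstance(raw_tags, str):
            raw_tags = [raw_tags]
        tags = {TAG_ALIASES.get(t.lower(), t.lower()) for t in raw_tags}
        out.append({"type": ind_type, "value": canon, "tags": tags, "source": source})
    return out


def merge(*feeds):
    """Collapse duplicates across feeds; an indicator keeps the union of
    tags and the set of sources that reported it (for trust decisions)."""
    merged = {}
    for ind in (i for f in feeds for i in f):
        key = (ind["type"], ind["value"])
        entry = merged.setdefault(key, {"type": ind["type"], "value": ind["value"],
                                        "tags": set(), "sources": set()})
        entry["tags"] |= ind["tags"]
        entry["sources"].add(ind["source"])
    return merged


def route(merged):
    """Send each indicator to the platform that can act on it, in that
    platform's assumed input format. Phishing domains and URLs go to the
    email gateway; IPs to the firewall; domains also become RPZ records
    ('CNAME .' answers NXDOMAIN for the name)."""
    routes = {"email_gateway": [], "firewall": [], "dns_rpz": []}
    for (t, v), e in sorted(merged.items()):
        if t in ("domain", "url") and "phishing" in e["tags"]:
            routes["email_gateway"].append(v)
        if t == "ip":
            routes["firewall"].append(v)
        if t == "domain":
            routes["dns_rpz"].append(f"{v} CNAME .")
    return routes


def aggregate():
    """Full pipeline over the constructed feeds."""
    merged = merge(normalize(FEED_A, "vendorA", "indicator", "tags"),
                   normalize(FEED_B, "vendorB", "value", "category"))
    return merged, route(merged)


if __name__ == "__main__":
    merged, routes = aggregate()
    for (t, v), e in sorted(merged.items()):
        print(t, v, sorted(e["tags"]), sorted(e["sources"]))
    print(routes)
```

Because the canonical form is derived from the value, `LOGIN-SECURE.EXAMPLE.TEST` from one feed and `login-secure.example.test` from the other collapse into a single domain indicator, and the address both vendors reported records both of them as sources, which is the information an operator needs when deciding which feed to trust.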
Today’s global networks are only going to get more complicated in the coming months, with no return to pre-COVID networks expected—ever. Isn’t it time you rethought your defense strategy, leveraging DNS as far as you can?