Create An Effective Breach Defense Strategy with NIST Cybersecurity Architecture

With more users working from home, new daily attacks, and an endless stream of patches and updates, managing misconfigurations is critical to staying protected. That’s why a breach defense strategy is paramount — but how do you know if your tools are protecting you?

Create An Effective Breach Defense Strategy with NIST Cybersecurity Architecture
Create An Effective Breach Defense Strategy with NIST Cybersecurity Architecture. Photo by ThisisEngineering RAEng on Unsplash

One of the best ways to ensure your security operations are working as intended is to use a breach and attack simulation (BAS) solution. You work tirelessly to protect your network, users, and applications. Now you can be sure that no coverage gaps or misconfigurations are leaving you vulnerable.

Read on this article to discover how to reduce your attack surface, fix misconfigurations, and prove that you are more secure today than you were yesterday.

Table of contents

NIST Cybersecurity Architecture
Test Your Production Network
Know Your Enemy
Real-Time Threat Prevention
Conclusion

The creation of a proper breach defense strategy is paramount to every government agency and enterprise. When various entities (like nation-states, terrorist organizations, or individual hackers) can launch a variety of network attacks, Government agencies and businesses must be ready for attacks from these sources that consist of both prolonged and sporadic durations. You need a strong defense — one that you can routinely verify is working effectively.

However, network security is very hard to measure. That’s why SecOps teams are turning to Breach and attack simulation (BAS) solutions to solve this problem. Read on this article to discover how to continuously validate your defenses by measuring the effectiveness of your security tools and assessing the real value of your security solution spending.

When creating a formidable breach defense strategy, the NIST Cybersecurity Framework is a good place to start. While the use of the architecture is mandated for United States federal government agencies, it is also applicable for any private business or other international government networks — as the architecture rests on sound cybersecurity principles.

NIST Cybersecurity Architecture

The NIST cybersecurity architecture has five core functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Identify

The identify function helps develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Key activities include asset management, governance, and risk management. These activities are the foundation of any breach defense solution because you need to know what data and assets you must protect and the capabilities you have to do so.

Protect

The protect function supports the ability to limit or contain the impact of a potential cybersecurity event. This is the critical first line of defense and includes the ability to

  • actively stop attack
  • block incoming and outgoing network communications to hackers
  • perform decryption to analyze incoming IP packets for threats
  • use inline security solutions to perform threat blocking using inline security solutions

Detect

The detect function enables the timely discovery of cybersecurity events. Examples of this category include anomaly and events detection, continuous security monitoring, and other threat detection processes.

BAS solutions are a key and necessary part of this function. BAS lets you respond to a simulated security incident rather than waiting for the real thing. These solutions enable you to tell if your detect and protect functions are working or not. This step includes the data collection process as well as the creation of actionable intelligence. This information forwards security information and event management (SIEM) for better threat correlation and detection. For instance, is the connection from the detection device to the SIEM functioning as designed? This process provides actionable intelligence as to what you can detect versus block.

Respond

The response function supports the ability to contain the impact of a potential cybersecurity incident. This includes communication of incidents to the management team, analysis of the attack vector, mitigation of any damage, and the creation of network improvements to prevent a similar attack in the future. Access to detailed and accurate threat intelligence will be important to the creation of a fix and the timely mitigation of any damage.

Recover

The recover function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident. This process includes recovery planning, architecture and equipment improvements, and communications. A key step during this stage is that you need to thoroughly test any fix before you deploy it into the network. The last thing you want is a self-inflicted loss of service or to advertise that the problem is corrected, when it may not be.

Test Your Production Network

Once you have your security architecture in place, a BAS solution can immediately test your security defenses. This test is an incredibly important activity. Numerous studies about network breaches over the last 10 years have proved one thing for sure — your network will be tested for weakness by a hacker at some point in time. Therefore, either you test it first, or they will test it for you. It is your choice, but the legal and financial consequences should be far less devastating if you test the defenses first.

This means you need a strong defense that goes beyond the standard compliance checkbox. It requires building an offensive strategy that enables you to continuously verify that your security controls are working and optimized for maximum protection. To successfully manage and improve your security posture, you first need to measure it and identify opportunities to improve it. However, measuring your security posture in a production environment has been notoriously difficult. And when you can’t measure security, it becomes harder to manage and improve it.

For instance, can you quickly identify sensors that go dark and fail to report security events to SIEM? Can you tell me if the latest security signature protects as advertised? Can you identify environment drifts between the current state and last week? Are you protected from newly released malware?

Unless you have a Breach and Attack Simulation (BAS) solution, answering these questions is extremely difficult. BAS solutions solve this problem by providing organizations with the evidence needed to measure, manage, and improve their cybersecurity effectiveness.

Figure 1 shows the process to follow when conducting a security threat analysis. Your BAS solution should perform the following tasks:

  • Assess the security of your production network.
  • Identify potential problems, gaps, and environmental drift.
  • Recommend specific remediation actions to close any identified gaps.
  • Generate alerts that can pass on to your SIEM solution to close the validation loop from both prevention and alerting perspectives.
Figure 1. Overview of a BAS solution
Figure 1. Overview of a BAS solution

Assess

During the testing phase, the BAS solution attacks the network to determine weaknesses. Keysight’s Threat Simulator is designed to be safely used with production networks. Threat Simulator never interacts with your production servers or other equipment. Instead, it uses isolated software endpoints across your network to safely exercise your live security defenses.

During the test effort, Threat Simulator automatically scans your perimeter defenses, web application firewall (WAF), and web policy engines to identify any vulnerabilities. A malware and attack simulator then connects to the software endpoints to test your security infrastructure by emulating the entire cyber-attack kill chain — phishing, user behavior, malware transmission, infection, command and control, and lateral movement.

The threat simulator allows you to analyze the detection and blocking capabilities of your entire security array. It will quantify your exposure to specific threat vectors, delineate attacks that got through and provide step-by-step instructions for remediating any gaps found.

Also, the threat simulator should have the ability to validate your web-based infrastructure, including AWS and Azure deployed services. It also performs policy testing for different types of user policy controls (gambling, shopping, and more).

Identify

Once weaknesses are determined, you can analyze to see what is really a problem and what might just be a testing anomaly. Most threat simulator solutions are implemented in software with software as a service (SaaS) management. An intuitive dashboard shows vulnerabilities, audit status, and security measurements over time (Figure 2).

Figure 2. Example of a BAS dashboard
Figure 2. Example of a BAS dashboard

Security operations center (SOC) teams should run assessments both on a fixed schedule and automatically when a change occurs. For example, a security policy, new malware release, and more. This tool gives you visibility to which attacks you’re vulnerable to, how to address them, and what steps to take if your existing solutions cannot block them.

Alert

Via integration, real threats, and information from the simulation can pass to a SIEM for analysis. This process allows your SIEM to analyze the detection and blocking capabilities of your entire security array and quantifies your exposure to specific threat vectors. This gives your SOC team visibility to what an actual attack looks like so they can understand how to recognize a real one in the future. Most teams only get to see and identify the traces of an actual attack that has already breached their defenses.

The threat simulator should provide specific recommendations on how to optimally configure your existing security products to improve your security without increasing equipment expenditures. It will also identify gaps in your coverage which your current products can’t block.

The recommendations include detailed instructions in clear, easy-to-follow instructions on how to better configure your security products to close the noted security gaps. A good threat simulator solution automatically reassesses your environment, so you are continuously aware of your security effectiveness even when the environment or threat landscape changes.

Know Your Enemy

A successful breach defense strategy also involves subscribing to a threat intelligence feed that gives you clear and understandable information about security attacks — how do they function and how do they move within the network.

A proper threat intelligence feed should include a continuously updated database of malicious threats. This correlated data for each threat is summarized as a “rap sheet.” Figure 3 is an example of a rap sheet.

Figure 3. Rap sheet example for malware
Figure 3. Rap sheet example for malware

Research

When it comes to threat intelligence feeds, the right research is crucial. For example, Keysight’s Threat Intelligence solution is an always-on database of real-world threats backed by Keysight’s ATI Research Center. All Keysight database sites have 100% proof of recent malicious activity. SOC teams can access the entire database to research threats and understand the evidence of malicious activity, including automated SIEM access.

Understand

For any threat intelligence feed, the research needs to be clearly and easily understandable. This allows the SOC team to recognize and determine whether the threat is malware, a botnet, hijacked IP, phishing activity, or some other exploit. If suspicious activity correlates to a particular site, it’s helpful to understand the observed malicious activity. Is it a botnet controller? A phishing site? Is it distributing malware? Is it trying to exploit vulnerable IoT devices?

Insight into the recorded history of a site’s malicious activity helps to provide context to understand what malicious actions a given site may be undertaking on your network. Beware of “IP reputation” feeds with confidence scores, as they can complicate decision-making with uncertainty. Ideally, you want information such as the last scan date, extended DNS information, and screenshots.

Once you have the correct data, you have actionable information. This lets you indirectly or directly take action on the data. One example of indirect action is that most next-generation firewalls (NGFW) can import a limited amount of threat intelligence information to conduct automated blocking of malicious, exploit, and botnet sites based upon that data.

Direct activities include

  • detecting and stopping IoT attacks
  • tagging suspicious or rogue applications and monitoring for unusual activity
  • tracking traffic to or from unauthorized geographies
  • tracking questionable file transfers and brute-force attacks

Real-Time Threat Prevention

A formidable breach defense strategy triad can block as many threats from getting into the network as possible. This includes malware, viruses, worms, Trojans, and other attacks. The most important activity you can perform is to reduce your attack surface. If you limit the amount of malicious traffic coming into your network, you automatically limit your threat landscape.

The most common approach against this threat is to deploy a firewall. This is correct. You will want to configure a firewall and its ports to block all known and unwanted traffic. Unfortunately, bad actors understand how firewalls work — it is a well-known technology deployed for years.

Most successful bad actors have adapted and changed their tactics to

  • enlist an address for a specific period
  • use IP addresses from different countries
  • create different variations of the malware
  • change their business model to sell malware to other bad actors on the dark web rather than engaging in hacking activities

To combat this newest version of the threat landscape, you need a solution that automatically updates with the latest threat information, like known bad IP addresses. This is the role that a threat intelligence gateway can perform. While almost no one can discover bad IP addresses instantly, there are companies like Keysight that focus on scouring the internet for bad actors and documenting the IP addresses.

This process allows for the distribution of the information quickly to threat intelligence gateways (Figure 4) to block incoming and outgoing traffic to the known bad IP addresses.

Figure 4. Example of a threat intelligence gateway dashboard
Figure 4. Example of a threat intelligence gateway dashboard

IT security teams currently try to sift through the mountains of SIEM alerts, firewall logs, and IPS alarms to find and stop malware infections, ransomware, and data breaches before they wreak havoc — a time-intensive task. But the Ponemon Institute has documented that the nonstop flood of alerts means that only 29% of security alerts go through the analysis. Vital clues and malicious threats sneak by.

Inspect

The first thing a threat intelligence gateway will do is inspect the incoming or outgoing addresses for IP packet data. This means deploying a solution that is capable of handling billions of sites with no performance impact. The threat intelligence gateway must perform at full line-rate.

Next-generation firewalls are great at Deep Packet Inspection (DPI) and threat detection, but they are not optimal for massive-scale blocking of malicious, hijacked, and untrusted IP addresses. Even if they block the potentially tens of millions of IP addresses required — assuming you were blocking phishing sites and hijacked IP’s.

A threat intelligence gateway complements next-generation firewalls by offloading massive-scale blocking. This blocking allocates resources to content inspection, user policies, virtual private network (VPN) termination, and other features while generating fewer security alerts. This process makes your security operations more efficient by eliminating up to 80% of SIEM alerts once the threat intelligence gateway starts blocking malicious traffic.

Of course, there are many ways to get malware into a network — thumb drives and bring your own device (BYOD) are prominently in the threat list. However, most malware starts with a small “loader” component that wakes up, registers with a botnet controller, and downloads additional code and information. The controller sites are often used across multiple botnets — having a threat intelligence gateway that blocks connections can protect you from breaches — even if live malware enters your network.

This includes outgoing communications such as command and control back to the hacker or the exfiltration of actual network data. Even if the malware is active, catching the threat in time may mean that no exfiltration to the network data — no breach occurred. An alert can let you know about the infected systems.

It is also important that the solution has a dashboard that provides an intuitive, onscreen display of blocked sites, countries of origin, and statistics. The dashboard allows you to see what is happening within the gateway, and the attack method impacting your network.

Recognize

The next step is to analyze the data collected. You can choose two different modes — report-only or blocking mode for otherwise unrecognized threats. You can then compare the suspect IP addresses to the rap sheet data for matches. Blacklist or white list strategies enable blocking for countries and other IP addresses as well.

The dashboard will deliver on-screen proof of malicious activity for any blocked sites and the performance of the threat intelligence solution. Data matching applied to individual rap sheets can generate detailed information, enabling information to pass to the SIEM for integrated and correlated analysis (Figure 5). It’s often a best practice to simply ignore blocked inbound attack attempts. Once they’re blocked, no further action is necessary while analyzing and responding to outbound connection attempts to botnet controllers.

Figure 5. Rap sheet example for known bad IP address
Figure 5. Rap sheet example for known bad IP address

Block

A key step in the process is to block all incoming or outgoing traffic to known bad IP addresses. This means blocking connections from known malicious IP addresses and untrusted countries while preventing phishing replies and botnet connections.

A threat intelligence solution provides remediation and optimizes security in ways traditional tools cannot. The blocking function has a phenomenal impact on the rest of the network. By reducing this malicious traffic, up to 80% of SIEM alerts are eliminated, which in turn reduces “alert fatigue” for SIEM and security tools.

Conclusion

Breach defense solutions are a critical component of any cybersecurity architecture, whether you have a legacy architecture or have redesigned your network around the NIST cybersecurity architecture. The all-important key is to put the proper solution in place that can collect actionable intelligence, provide accurate analysis of that intelligence, and then help you act upon the intelligence.

Keep the following functions in mind when deploying the three breach defense components:

  • Choose a breach and attack simulation solution to continuously test your defenses and provides the evidence needed to measure, manage, and improve your cybersecurity effectiveness.
  • Implement a threat intelligence feed that provides you a detailed insight into active threats that may attack your network so that you can recognize and respond accordingly.
  • Apply a threat intelligence gateway that is actively blocking communications to known bad IP addresses — whether the communication is incoming or outgoing.

These three functions will enable your SOC to respond appropriately to security attacks and identify any security breaches. In the end, a proper BAS solution allows you to go beyond the instrumentation level to provide remediation steps that improve the cybersecurity effectiveness of your organization to help offset security engineer skillset shortages.

Source: Keysight Technologies