by John Walsh, Chief Strategy and Technology Officer, BlackRidge Technology
The inconvenient truth is that our current cybersecurity tools and methods are not a match for today’s sophisticated attackers who will target any exposed surface looking for vulnerabilities. Attackers need to only succeed once, while defenders must successfully protect their systems every time against all possible threats. Even the most security-conscious organizations aren't immune to breaches, no matter how good they are at detecting and mitigating vulnerabilities. Making matters worse is that digital businesses and cyber-physical control systems require broad network connectivity and more interconnections than ever before, further exposing the network infrastructure to attacks.
Network infrastructure devices provide ideal targets for sophisticated attackers, given all corporate, partner, customer, and increasingly Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) communications traverse corporate networks. These network devices include routers, switches, firewalls and other security devices, and network management systems. Once installed, these devices are often not maintained as well as servers and desktop are, from changing default settings to patching and hardening them. An attacker who gains control of critical network devices can control corporate access and data center server traffic, move laterally inside clouds and data centers, and exfiltrate data with little risk of being detected.
Recognizing the ongoing threat to network infrastructure devices as described in Technical Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors, the Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) published a Security Tip (ST18-001) Securing Network Infrastructure Devices to provide recommendations on improving the security of network infrastructure devices. The security tip reviews the security threats with network devices and recommends that network operations teams implement the following to better secure their network infrastructure:
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
- Harden network devices.
- Secure access to infrastructure devices.
- Perform Out-of-Band network management.
- Validate integrity of hardware and software.
There are many approaches to implementing these recommendations that provide different levels of assurance along with associated complexity to implement and maintain them. The next sections provide a high assurance approach to addressing the first, second and fourth items above.
Segment and Segregate Networks and Functions
The NCCIC Security Tip states that “Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders can extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders if they have gained a foothold somewhere inside the network.”
Network segmentation is a security and compliance best practice that is increasingly difficult to implement and maintain in corporate and critical infrastructure environments. Common approaches to segmentation rely on network topology and addresses, such as using VLANs and restricting communications through firewalls and access control lists. The administrative overhead of implementing and maintaining the configuration changes needed can be large, and these address-based approaches are still not secure (e.g., addresses cannot be authenticated), nor are they extensible to cloud environments.
A high assurance approach to network segmentation is to apply identity-based access controls at the transport or network session layer to dynamically control access to network infrastructure devices, including servers. Network security policies based on authenticable identity can provide least privilege (or super white listing) access control to network resources, with the access control now separated from the network design (topology and addresses). Identity-based network segmentation is then more intuitive and responsive, with access policies that are more automated, maintainable and auditable, since they are derived from your existing identity access policies. This reduces the complexity, management overhead, and inflexibility associated with current network access and segmentation techniques.
Limit Unnecessary Lateral Communications
Per the Security Tip, allowing unfiltered lateral or peer-to-peer communications allows an intruder to spread malware and create backdoors throughout the network, helping to maintain persistence within the network and hinder defenders’ efforts to contain and eradicate the intruder. Implementing a network segmentation solution can prevent lateral movement and defeat ransomware attacks. Implementing an identity-based network solution is a higher assurance approach that creates a higher level of trust and is more maintainable as networks evolve to interconnect IT, OT and cloud systems.
Secure Access to Infrastructure Devices
Further the Security Tip advises that limiting administrative access to infrastructure devices is crucial because intruders can compromise and exploit these devices to move laterally, expand access, and take full control of a network. Restricting administrative or management plane access to network infrastructure devices can be similarly accomplished with identity-based access controls at the transport layer. Access can be granted on a fine grained, per identity basis, allowing users administrative access to only specific network resources, with logging of access attempts and policy actions.
High Assurance Network Security
BlackRidge Transport Access Control (TAC) is an identity-based network security solution that delivers a high assurance and resilient approach to securing network infrastructure devices. BlackRidge TAC non-interactively authenticates identity and applies security policies to the first packet of a TCP/IP connection, controlling the visibility of and access to network resources at the earliest possible time. BlackRidge’s identity-based transport access controls are independent of network topology and addresses, with policy actions including traffic blocking, redirecting or forwarding; with actions logged along with identity attribution information for enhanced monitoring and adaptive response by SIEM systems, and for audit and compliance functions.
Please contact us to learn more about how BlackRidge can enable you to deliver more secure and resilient business services in today’s rapidly evolving IT, OT, and cyber threat environments.