Insufficient Internal Network Monitoring in Cybersecurity
This article is part of a series where we look at a recent NSA/CISA Joint Cybersecurity Advisory on the top cybersecurity issues identified during red/blue team exercises operated by these organizations. In this article, you will find a more in-depth look at the specific issue, with real-world scenarios where it is applicable, as well as mitigation strategies that can be adopted to limit or overcome it. This expands on the information provided by the NSA/CISA report.
Effective internal network monitoring is crucial for detecting and mitigating cyber threats. Insufficient monitoring can leave organizations vulnerable to undetected adversarial compromises. This chapter explores the implications of inadequate network monitoring and provides strategies for enhancing monitoring capabilities.
The Problem with Insufficient Monitoring
Limitations in Host and Network Sensor Configurations
Many organizations fail to optimally configure host and network sensors for traffic collection and end-host logging. This inadequacy can lead to undetected adversarial compromise and limits the capability to collect traffic data necessary for establishing a security baseline and detecting anomalies.
Challenges with Host-Based Monitoring Only
Relying solely on host-based monitoring can be insufficient, as this approach informs about adverse activities on individual hosts but not about activities traversing between hosts. For example, an organization with host-based monitoring could identify infected hosts but not the source of the infection, hindering efforts to prevent future lateral movements and infections.
Additionally, a lack of proper monitoring correlation between hosts makes it difficult to understand patterns – either pre or post exploitation – which leads to inefficiencies and potential oversights when attempting to rectify the situation.
Failure in Detecting Lateral Movement and Command and Control Activities
Organizations with insufficient network monitoring might fail to detect lateral movement and command and control activities within their networks. Even mature cybersecurity postures can be compromised if network monitoring is not comprehensive, as demonstrated by assessment teams gaining deep access without triggering security responses.
Establish a Baseline of Applications and Services
Regularly audit the access and use of applications and services, especially for administrative activities. This practice helps in understanding normal network behavior, thus making it easier to spot anomalies.
Implement Comprehensive Network Monitoring
Combine host-based monitoring with network monitoring to gain a full view of the cybersecurity landscape. This combination allows for the detection of malicious activities both on individual hosts and as they move across the network.
Regular Audits of Network Traffic
Conduct routine audits of network traffic and patterns to identify unusual activities or unauthorized access attempts. This proactive approach aids in early detection and response to potential threats.
Use of Advanced Analytical Tools
Employ advanced analytical tools and algorithms to analyze network traffic for patterns indicative of cyber threats. Machine learning techniques can be particularly effective in detecting sophisticated attacks that might evade traditional monitoring methods.
Train Staff on Network Monitoring Practices
Ensure that IT staff are well trained in network monitoring practices and aware of the latest cyber threats. Regular training sessions can help in keeping the team updated on new technologies and attack vectors.
Create Incident Response Plans
Develop and regularly update incident response plans that include procedures for responding to anomalies detected through network monitoring. These plans should involve both technical responses and communication strategies.
Enforce Adequate Segregation of Hosts
If there is no reason for two hosts to communicate, then moving each to separate network segments should be considered. While not a monitoring policy per se, this at least attempts to reduce visibility and exposure for threat actors.
Change Block Rules to Block-and-Log
Identify and investigate blocked attempts to communicate between separate systems. Simply blocking the connection can keep probing attempts undetected for long periods of time.
By understanding the gaps in current monitoring practices and implementing these mitigation strategies, organizations can significantly enhance their ability to detect and respond to cyber threats.