Cyber Disaster Avoidance: Protecting the Internal Network. Introduction. Background on Cyber Disasters Characteristics Internal Threats Explained Threat Sources Threat Detection Cyber Disaster Prevention Active Deception Delaying Attack Deflection. Characteristics of a Cyber Disaster.
Cyber Disaster Avoidance: Protecting the Internal Network
Infected database servers became unusable, as did their data
Computer networks were clogged with infection attempts (DoS)
HIDS & AV
HIDS & AV
…are targets for rapidly propagating threats…
Security exposures that bypass perimeter defenses…
…bringing your network to a halt and creating costly cleanup.
…that take over your network in minutes…
Signature-based Systems – Usually requires prior knowledge of the exploit. Matches network packets against a library of known threats. Not ideally suited to detecting previously unknown threats because of the delay in acquiring and deploying new signatures.
Behavioral/Anomaly-based Systems – Detects threats based on their network behavior. Better suited to detecting previously unknown threats due to lack of dependence on signatures.
“Activate” unused IP address space
Very effective Day-zero threat identification
Use protocol methods to slow or stop an attack
Forcibly redirect attack packet to harmless location
Leverage unused IP address space to create an early warning system of threat activity
Create “Virtual Decoy Devices” with real IP and OS personas to camouflage valuable network resources
1.Bad Guy sends synchronization packet to a virtual decoy
2.Security device sends acknowledgment with Window = 0 and MSS = 10 Limits
3.Bad Guy receives acknowledgement and conforms to limits
Use legitimate protocol parameters to slow or stop an attack
4.Response is ignored, forcing Bad Guy to wait 4 minutes with no response
5.Bad Guy sends TCP Window Probe to see if we’re still there
6.Security device sends acknowledgement (with same limit) and forces another 4 minute wait…
1.Infected Laptop communicates with computer on the network
2.Security device detects behavior and changes MAC address on infected PC
3. All traffic from infected laptop is sent to the security device and examined.
4. The infected laptop is determined to be a malicious threat and is blocked (compartmentalized) from the network
This strategy “compartmentalizes” infected devices, preventing them from communicating on the network.
There are numerous ways for threats to bypass traditional security mechanisms to reach your LAN
Worms and viruses usually meet little resistance once inside a network
The damage potential from these attacks can be very serious
Detecting day-0 RPTs on LANs is best performed using behavioral detection techniques.
There are several ways to defend against these threats, including active deception, protocol-based delay tactics, and attack deflection.
Thank YouIf you would like more information about these technologies, you may download a white paper about this subject from:www.miragenetworks.com