The development of increasingly powerful and sophisticated IT security tools to defend against cyberattacks can be described as an arms race—with public and private sector organizations of all types acquiring the latest tools and technology, each being promoted as the most effective new weapon against cyber threats.
Ironically, more and more IT experts and security leaders are recognizing that one of the most mature IT management technologies around—one that was not designed primarily for IT security work—is an essential tool for defending against cyber threats.
I’m referring to network infrastructure management tools, also known as network visibility tools.
Today’s advanced IT security technologies are very good and have come a long way in the last 15 years. They can handle huge amounts of data, apply AI and ML analytics, automate formerly manual processes to make IT security teams more effective and efficient, and they can claim to protect against a very high percentage of attempted attacks hitting networks. So, let’s acknowledge they may be stopping 99.5% or even 99.9% of attacks. However, it’s the remaining 0.5% or even 0.001% of the threats that can cause the most damage and cost the most money.
When every one of an organization’s IT security layers and tools has failed, and the organization’s leaders are dealing with a ransomware or malware attack or have a threat actor inside the network, what do you do then?
For organizations of all sizes, but especially state and local government agencies, preventing these select, advanced, sophisticated attacks requires defenders to think differently, even creatively. When facing sophisticated threat actors or a knowledgeable insider who knows an organization’s blind spots, all the automated technology in the world can’t stop every one of those threats.
The best defense against these types of adversaries is a curious, determined human being armed with complete visibility into your network environment. Those are the people you want on your threat hunting team: people who are suspicious of everything, who don’t accept anything on trust, who want to see for themselves, and who keep pushing to get to the most granular, detailed level of every aspect of your IT environment.
That’s when the value of network visibility and network management tools becomes crystal clear, especially the tools that use full-fidelity monitoring (not sampling). When your threat hunters can see every single component on your network (every server, laptop, desktop, router, firewall, switch, port, every packet of data, all the details of traffic flow, and more), your team can determine where, when, and how the threat actors got in. Armed with these network visibility tools, your team can look at every point on the network and confirm whether it should or shouldn’t be there, identifying new and unknown devices and ultimately closing the network blind spots that threat actors thrive on.
The 2020 SUNBURST cyberattack, which compromised countless government agencies and private organizations by embedding malware in a legitimate software update, is a case in point showing how a sophisticated cyber threat can evade traditional IT security tools. The malware was designed in an extremely sophisticated way, with many features intended to evade detection, including tactics that made its communications and traffic appear benign. For example, by using in-country command and control servers, the SUNBURST malware left victim organizations unable to determine whether traffic was leaving their secure environments and connecting to a country known as a haven for cyber threat actors.
This approach eliminated a condition that would have been a clear red flag. The attack was only discovered when another security company found one of its security tools stolen and posted on the dark web. That company began investigating and discovered not only the SUNBURST attack but an even longer attack called SUPERNOVA that had been evading detection for over two years!
Another example of the need for active threat hunting with network visibility comes from one of our own government customers. In this case, the customer was using our Riverbed NetProfiler and Riverbed NetIM network visibility tools, which uncovered a significant vulnerability that was hiding in plain sight.
Using our tools, the IT team monitoring the network environment noticed a new, unknown device and, upon further investigation, discovered they were not able to log in to it. This and other characteristics raised suspicions that it might be malicious. They were able to quickly zero in on the device’s physical location, which was a cubicle in their own offices. The unauthorized computer had been put in place by several corrupt employees who were exfiltrating data for financial gain.
The insiders in this case had enough knowledge of our customer’s network environment to place the rogue computer where it would have East-West access to data, ensuring that its communications never had to cross a security boundary. There was a good chance this threat could have remained in place for months or even years. But in this case, thanks to excellent network visibility, the threat was discovered quickly and shut down within hours.
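The two detection steps described above (spotting an internal host that is not in the asset inventory, then looking at what it talks to) can be reproduced from plain flow records. The following Python script is an added illustration, not Riverbed's or the customer's code, and it does not use the NetProfiler or NetIM APIs. The inventory, the NetFlow-style CSV records, and the 10.0.0.0/8 internal range are constructed sample data; a real deployment would feed in the device list and flow export from the visibility tool.

```python
"""Flag internal hosts that appear in flow records but not in the asset
inventory, then profile whether their traffic stays East-West (internal
to internal) or crosses a boundary (North-South).

Added example with constructed data; not vendor code.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed: address space treated as "inside" the organization.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed inventory: IP -> asset name. In practice this comes from a CMDB,
# DHCP leases, or the visibility tool's discovered-device list.
INVENTORY = {
    "10.1.10.5": "fileserver01",
    "10.1.10.6": "db01",
    "10.1.20.41": "ws-alice",
    "10.1.20.42": "ws-bob",
}

# Constructed NetFlow-like export. 10.1.20.77 is the planted machine: it is
# absent from INVENTORY and only ever talks to other internal hosts.
FLOW_CSV = """start,src_ip,dst_ip,dst_port,proto,nbytes
2024-03-01T09:00:01,10.1.20.41,10.1.10.5,445,tcp,120000
2024-03-01T09:00:05,10.1.20.42,10.1.10.6,1433,tcp,4200
2024-03-01T09:01:10,10.1.20.77,10.1.10.5,445,tcp,52000000
2024-03-01T09:01:12,10.1.20.77,10.1.10.6,1433,tcp,31000000
2024-03-01T09:02:00,10.1.20.41,203.0.113.20,443,tcp,8000
2024-03-01T09:02:30,10.1.20.77,10.1.20.41,22,tcp,900
"""


@dataclass(frozen=True)
class Flow:
    start: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flows(csv_text: str) -> list[Flow]:
    """Parse the CSV export into Flow records (all rows, no sampling)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Flow(r["start"], r["src_ip"], r["dst_ip"], int(r["dst_port"]), r["proto"], int(r["nbytes"]))
        for r in rows
    ]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unknown_internal_hosts(flows: list[Flow], inventory: dict) -> set[str]:
    """Internal addresses seen on either side of a flow that the inventory does not know."""
    return {
        ip
        for f in flows
        for ip in (f.src_ip, f.dst_ip)
        if is_internal(ip) and ip not in inventory
    }


def traffic_profile(flows: list[Flow], host: str) -> dict:
    """Bytes sent by `host`, split into East-West vs North-South, plus its peers."""
    profile = {"first_seen": None, "east_west_bytes": 0, "north_south_bytes": 0, "peers": {}}
    for f in sorted(flows, key=lambda f: f.start):
        if f.src_ip != host:
            continue
        if profile["first_seen"] is None:
            profile["first_seen"] = f.start
        key = (f.dst_ip, f.dst_port, f.proto)
        profile["peers"][key] = profile["peers"].get(key, 0) + f.nbytes
        if is_internal(f.dst_ip):
            profile["east_west_bytes"] += f.nbytes
        else:
            profile["north_south_bytes"] += f.nbytes
    return profile


def rogue_host_report(csv_text: str = FLOW_CSV, inventory: dict = INVENTORY) -> dict:
    """Map each unknown internal host to its traffic profile, for the hunter to triage."""
    flows = parse_flows(csv_text)
    return {h: traffic_profile(flows, h) for h in sorted(unknown_internal_hosts(flows, inventory))}


if __name__ == "__main__":
    for host, p in rogue_host_report().items():
        print(f"{host}: first seen {p['first_seen']}, "
              f"East-West {p['east_west_bytes']} B, North-South {p['north_south_bytes']} B")
        for (dst, port, proto), nbytes in p["peers"].items():
            print(f"  -> {dst}:{port}/{proto} {nbytes} B")
```

Two things the output makes concrete: the planted host's North-South byte count is zero, so a perimeter-only sensor would never have seen it, and its 900-byte SSH flow to a workstation is exactly the kind of small record that a sampled (1-in-N) flow export tends to drop, which is why full-fidelity collection matters for this triage.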
More security layers are a good thing. By all means, I’m a fan of continuing to add more sophistication to IT security tools. But it is worth remembering that you can’t successfully defend your network if you can’t see every part of it. Yes, network visibility tools have been around for years, and they have many benefits that aren’t strictly related to IT security (performance and bandwidth optimization, operational troubleshooting, end-user experience improvements, etc.), but they are absolutely invaluable as part of a comprehensive IT security approach.
That’s probably why the federal Cybersecurity and Infrastructure Security Agency (CISA) includes network visibility in the best practices of its Ransomware Guide, which states:
“Develop and regularly update a comprehensive network diagram that describes systems and data flows within your organization’s network. This is useful in steady state and can help incident responders understand where to focus their efforts. The diagram should include depictions of covered major networks, any specific IP addressing schemes, and the general network topology (including network connections, interdependencies, and access granted to third parties or MSPs).”
That’s great advice, but no easy task if you’re not using Riverbed’s network visibility tools. Riverbed’s solutions get the job done and are the ones you want to place your bets on to truly protect your network environment.