Problem to Solve: What can we do to protect our
organization from Hacktivism, specifically in the area
of protecting our Critical Application Services?

Have your business critical application services ever become “unavailable”? We have all had this happen at one point or another. Usually, your end users and executive management are “less than thrilled” when this type of disaster happens. Especially when you consider that the bad guys want to take your business services “down”, and there are multiple roads to get there.

The assumption for the rest of this article is that you probably have security tools already covered on some of your critical infrastructure links. As we build the overall defense strategy, our goal is to extend complimentary functionality for the existing security tool sets, but …. do it from an APM NPM perspective.

So where are you likely to get attacked specifically for your critical application services? Let’s review what most customers view as “business critical systems”.

Enterprise Resource Planning (ERP) Solution

Every company has an ERP solution that is the overarching system that helps manage company resources. These areas include production, materials planning, finance, HR, payroll, inventory, etc. There are many fine ERP solutions available such as SAP, Oracle, JD Edwards, just to name a few. When these types of ERP solutions become unavailable, your executive management will be keenly aware of it, usually because company money is potentially being lost. So guess what, the hackers, hacktivists and threat actors all know how important your ERP system is to company productivity and revenue. Yes, that makes ERP an obvious target. If your ERP solution is compromised or not available, then the company productivity and revenue will suffer, and that has a tangible cost to it. The challenge with ERP solutions is usually the complexity of the architecture.

Email Services

It seems that everyone on the planet now understands what an email actually represents. In general, it doesn’t seem all that particularly interesting or complex from a personal email perspective. However, many companies RELY on email communications in their business, and that makes Email a critical business service. “Business critical” includes things such as order/appointment confirmations, direct customer interaction, legal documents, presentations, outbound marketing communications, lead generation, etc. Email is important to business communications, and as such makes it a target for hacktivists. If the bad guys can take down your email services, then they have accomplished a goal of disrupting services, communications and costing your company productivity and dollars.

Voice Services

Even in today’s digital age, good old “person to person” phone discussions are still a very popular communication method. Most companies have opted to convert traditional analog voice services to run over digital IP infrastructure, and realize the large cost savings. Voice over IP (VoIP) has indeed become mainstream in its technology adoption and has become a critical business service. The expectation for dial tone, availability, and quality remains high for customer call centers, team conference calls, executive meetings, etc. Now that VoIP services run over the same network infrastructure as traditional data applications, there is a higher probability that services could be attacked from the outside hackers.  The bad guys know that they can disrupt internal company operations as well as affect external customer interaction, by adversely affecting the VoIP services.  This causes your company to lose productivity, revenue and customer satisfaction.

Big Data, Internet of Things, and Cloud

Many companies are now in process of leveraging Big Data, Internet of Things (IoT) and Cloud technologies into their business strategy. There are tremendous opportunities for cost reductions, proactive trend identification, production data accuracy, proactive customer notifications, etc. As these technologies increase in their value to businesses, it elevates them into critical business services. The availability of data collection, link bandwidth, security and accessibility become high priority items. That being said, the hacktivists are aware of the business criticality as well, and will very likely to create attack strategies on these types of services.

What Can You Do?
When you look at these types of critical business services, it feels a little daunting from the perspective of how can we protect these services from the bad guys. So what can you really do in terms of protection?  My continued recommendation is to “bring all that you have to the table” when it comes to cyber security. Insights into these particular services can be made available via your APM / NPM tool sets.

1. Give Cyber Security Team Access – If your cyber team does not have access to your APM / NPM solution, you should grant access and encourage them to login immediately. We often find that there are significant use cases, workflows, data and intelligence that “could” have been used by Cyber teams previously. Useful security information can include basic traffic flow statistics, application metrics, basic IP host information, error codes, failures as well as packet capture evidence. The real value is to make the cyber teams aware of the additional information that they can leverage for gathering evidence, war rooms, denial of service remediation, setting firewall policy, etc. See this article to see more detail – http://problemsolverblog.czekaj.org/cybersecurity/hey-security-teams-dont-forget-look-apm-npm-tools/
   
2. Alert on Anomalies – Hopefully, this type of functionality was already configured and running in your APM / NPM solution. If not currently configured, set it up immediately and here is why. Think of it as if you had “two hats” on from an alarming perspective. One hat for performance issues, and the other hat for cyber related issues. They can obviously be the same alarm, but a metric such as an increase in TCP RESETs will be viewed with a different perspective from a Network / Application Engineer vs. a Security Engineer. The Network Engineer perspective of TCP RESETS might lead to a determination of a potential server issue, while a Security Engineer might view the same information as a potential BOT NET attack. Either way, the same anomaly could be viewed by two different departments in a different light. The benefit to your company is having different sets of eyes on the anomaly which can help reduce the time to re-mediate such an event.
3. Visibility into Virtual Server Environment Traffic – I find this topic to be one of the most interesting for Cyber related functionality. The reason is that most security infrastructures and solutions have a “North South” view of network traffic. They have visibility into Firewalls, DMZ’s, Internet Links, etc. as an example. In today’s highly virtualized server world, there is a heavy amount of traffic that goes “East West” (meaning virtualized server to virtualized server within a physical server blade). The virtualized server infrastructure usually does not have much security visibility available to it natively. If your APM / NPM solution is deployed to monitor the “East West” network and application traffic for performance use cases, then opening up that traffic set to the Cyber Security teams only helps to extend security visibility.  
4. Keep a Close Eye on Service Enablers – DHCP, DNS, LDAP and RADIUS are problems commonly shared between APM / NPM and Security solutions. I always recommend to extend a view of these critical services to the security team. My opinion is that it is always better to have two sets of eyes on critical infrastructure services, and these services affect both performance groups and security groups.
5. Send APM / NPM anomalies to the Security SIEM – After configuring the alarms, I would also recommend sending anomaly alarms to the security team’s SIEM solution as well. The idea is to let the distinct teams, event tools and event correlation solutions have access to the information. Having the Security team be “in the know” to potential application anomalies may sometimes yield a bigger picture into a Security event. 

Continue on to the next article in the series, Protect Critical Unified Communications (Hacktisvm #4) http://problemsolverblog.czekaj.org/troubleshooting/protect-critical-unified-communications-hacktivism-part-4/