Problem to Solve: What can we do to protect our organization from Hacktivism, specifically in the area of Critical Services?
As we work from the bottom up in creating the strategy, I will admit that this topic may not be extremely “sexy”. But be advised that if these critical services get compromised, you will have a whole lot of a condition I like to call “NETWORK — NO WORKIE”. Of course, this condition is a very technical term that your end users will experience if these critical services are not working properly. This is exactly why I am starting at this level of detail, so that you can consider this idea into your cyber protection plan. Again, my perspective on helping you protect your organization against Hacktivism is to compliment your existing Cyber Security tool sets. The main focus of this series is to “bring all that you have” to the proverbial Cyber table. That being said, your APM NPM tool sets can be leveraged in just that manner. A lot of folks focus their cyber security efforts on firewalls, IPS, IDS, rules, policies, etc., which is an obvious primary focus. As you take a fresh look at all the methods a cyber attacker can use to adversely affect your organization, the task gets daunting. One way that your organization can be affected by an attack is to go after the critical service enablers that allow your network to actually function foundational. Sometimes, these basic fundamentals will get overlooked from a protection perspective. This is a prime example of where you can leverage your existing APM NPM to fill this gap.
DHCP – Dynamic Host Configuration Protocol
Obviously we, in the networking industry, understand that DHCP is the main mechanism that provides a device the ability to request an IP address automatically, and establish network communications. Link to the Wiki definition https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol. I know this seems “so basic” that it doesn’t even need to be discussed. But, if we take a fresh look at it from an attacker’s perspective, it makes you consider just how important this network fundamental protocol IS. When you consider that most of your user devices, computers, tablets, PC’s, virtualized servers, etc., all leverage DHCP to actually get their IP address to access the network, how painful would a DHCP attack be? Yep, just consider how “happy” your users behave when they “cannot get on the network“. Then imagine that scenario happening at a remote location or even company wide due to an attack on your DHCP servers. Not Fun. This is where your APM NPM tools can help your cause.
Why is this Valuable? Obviously, you can use your APM NPM tools to look at basic “up/down” statistics. But more importantly, you can use them to look at your IPV4 / IPV6 status codes that operate inside the protocol itself. Things like requests, responses, and latency are all good statistics to review. I guide my customers to look at failures specifically for Discover, Renew and Request first, and then other types of failures second. Failures in the status codes for “decline” or “no address available” can be an indicator that your DHCP services are being attacked or are failing in general. I also recommend setting up alarms to alert you to changes in DHCP failure behavior.
DNS – Domain Name Service
We know DNS in the real world as resolving names (for instance, www.acme.com) to IP addresses (I.E. 192.168.1.1) for navigating the Internet and Intranet. Link to Wiki definition https://en.wikipedia.org/wiki/Domain_Name_System. Again, a very basic fundamental network protocol, but huge in its value to the organization. In a nutshell, unless your end users know their actual IP addresses for accessing internal resources (ERP, Sharepoint, etc.) or their favorite Internet site (www.facebook.com), then you have frustrated angry users that “believe they cannot get to their information”. Now consider that if an attacker can compromise your internal or external DNS services, they can effectively prevent end users from getting to their data in some cases. Again, you can use your APM NPM tools to keep an eye on this service.
Why is this Valuable? You can use your APM NPM tools to look at basic “up/down” statistics obviously. But you can also us them to look inside the DNS protocol itself for error codes and failures. For example, looking inside the A-AAAA, PTR-NAPTR, SRV records can provide insight to performance of your DNS server(s). Looking at the DNS latency, request load, and failures can all provide information and keep you in front of attacks on your DNS services as a whole. I recommend that customers keep a watch on failures specifically, and create an alarm if failure rates increase in volume. We have seen customer examples where anti-virus had failed, and then experienced odd DNS Requests calling out to the malware home base. Some of these strange DNS requests turned out to be very bad things like Zeus trojan key loggers. Bad Stuff to say the least, but all of this activity was visible through DNS services. These events can be seen as basic “name errors” or significant increases in DNS server requests or failures, which ultimately causes the DNS server to not serve your environment.
LDAP – Lightweight Directory Access Protocol
We know LDAP as the underlying protocol as the basis for most network authentication. Many of you may refer to it as Active Directory possibly, but LDAP is the protocol that makes things run. Link to Wiki definition – https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol. Our users collectively are used to typing in their corporate password on their device in order to access their files, data or systems. Obviously, if they do not get properly authenticated, they do not get access to their requested resource. Now you can see why an attacker would be so interested in affecting your LDAP/AD services. They can disrupt company operations by making authentication inoperable. This has a “double-whammy effect” with the popularity of cloud applications. In many customer environments, they leverage Single Sign-On (SSO) services for cloud application access. The cloud based applications then interacts with your company’s internal authentication service, LDAP. An attack on your authentication services can then impact internal user access, but outside cloud access as well. OUCH !! But again, using your APM NPM tools can help you.
Why is this Valuable? Common theme here, but you can use your APM NPM tools for basic “up/down” statistics. Using the APM NPM tool-sets to look inside the performance of the protocol and service itself is beneficial. LDAP as a protocol has a plethora of status and error codes that you can leverage to determine failures. An increase in the number of authentication failures can be an indicator of an attack in process. We always recommend to customers to keep a close watch on their authentication services for just this reason. Authentication simply just affects so many things.
The last critical service we will cover is RADIUS. Link to the Wiki definition https://en.wikipedia.org/wiki/RADIUS. The use case is basically the same as LDAP for authentication. However, RADIUS is often used for wireless authentication. For customers that have large wireless deployments such as health care organizations or manufacturing plants, an attack on the Radius authentication service can wreak havoc on your users.
Why is this Valuable? Common theme here again, but the value is basically the same as LDAP. The value is in protecting your authentication services.