In our everyday lives we all seem to be continually looking for knowledge or information to help improve a situation, or at least make sure we don’t end up in a bad one. Take traffic, for example. If we live or work in a crowded city with lots of traffic, we are always looking to understand where the traffic jams and accidents are, and to discover the best routes before we drive home from work so we can avoid getting stuck in traffic. This behavior seems second nature to us. Most of the time, we do it without thinking. Many of us even have alerts set up on our phones to warn us about these things.
While we have this desire for information in our everyday lives, it does not seem to carry over to cybersecurity, either for individuals or organizations. In fact, many organizations have a very limited view of their own environment. They couldn’t tell you what devices or applications they have on their network, or even the topology of the network, let alone external threat actors. They lack Situational Awareness.
The following is a definition I found that the US Army uses to explain situational awareness:
“Knowledge and understanding of the current situation which promotes timely, relevant and accurate assessment of friendly, enemy and other operations within the battle space in order to facilitate decision making”
It’s all about getting the right information in enough time to allow you to make good, educated decisions. Now, if we apply that same idea to cybersecurity, it can be very simply put as:
“At any point in time I understand my priority Risks and Threats”
This means having the right information, pulled from the volumes of information your networks generate, at your fingertips to help you make better decisions about your risks and threats.
As security professionals, we are constantly dealing with many challenges, such as the growing number of compliance regulations, increases in threat volume and sophistication, the large market of vendor solutions, and chronically limited budgets. All these challenges require us to have 100% FOCUS on priority risks and threats. Achieving Cyber Situational Awareness provides that focus.
To start to achieve cyber situational awareness, we need to understand four key areas: your business, your cyber assets, your network architecture, and your threat actors.
Let’s walk through each area at a high level to determine its objective, and some key pieces of information we will need.
The primary objective here is to understand your organization’s business mission and the processes that exist to enable that mission. You will need to understand things like business priorities, critical business processes, and risk tolerance.
Now, if you have ever gone through this exercise before, you know it can get complicated and will take time, but if we simplify it, what we really need to understand are the key critical business processes and the assets that those processes travel over. Those assets then become the critical ones you need to pay more attention to. Keep in mind, as you learn about these processes you will also start to understand the type of data the company has. You will then be able to determine which data is sensitive, and which has regulations tied to it that may impose additional requirements that need to be met.
A quick example would be if a business leader is talking to you about expense reporting, which is a critical process for him. He explains that a user typically connects over the Internet to the web server to upload expenses. With that information, you now know that the Internet, edge firewall, and web server are in play for this process. That web server needs to talk to the DB server, and the path to get there is through a router, switch, and another edge firewall. Now you know that all those assets are in play as well.
This is a very simplistic example, but this may be how you start, and this will become more in-depth over time. The main thing is you start the process.
I used to do internal penetration testing, and the way we typically broke in was by exploiting an asset the company didn’t even know existed and had not been configured to company standards. We would usually exploit a publicly known vulnerability, which would allow us to receive the admin password to the device - which many times was the same password for the domain admin - and then we would own the network.
So you can see, it’s very important to understand and catalog all the assets on the network. Further, if you don’t know what all your assets are, how can you start to understand all the vulnerabilities that may exist?
In addition to understanding all devices, you also need to know their profiles. What OS and what version is installed? What applications reside on those devices, and what data do they hold? Keep in mind that many exploits are still targeting publicly known vulnerabilities, and many are client-side, affecting things like Adobe and Java plug-ins in browsers, as well as the browsers themselves. Then ask questions like, “do you really need 3 different browsers on your device?” Probably not.
Once we have a good idea of the devices we have, we also need to ensure they are configured securely and that publicly known vulnerabilities do not exist. Many solutions are available today that can collect and combine device identification, configurations, installed applications, and vulnerabilities. If you happen to have a solution like this, the next issue may be that you now have a lot of vulnerabilities, and many of them are deemed critical. So the question becomes, how do you prioritize all these critical vulnerabilities? This is when knowing your network infrastructure, specifically your topology and data flows, becomes critically important.
All devices are connected, which means we need to understand how they are connected, and to what, in order to determine the full risk of a vulnerability. One quick example is that a single vulnerable device may not seem to matter much at first because it’s just a non-critical device. But when you start to understand where it fits in your network topology, you can see that the device has access to another device that in turn has access to a critical device, which means the vulnerability now represents a much higher risk than you first thought. So you can see how important it is to understand your network architecture. Of course, this is becoming increasingly harder to do because of the cloud, data virtualization, expanding numbers of remote sites and business partner connections, etc.
Even still, you need to know your topology: How are devices connected, and how, where, and what data flows through your network? This will determine what policies need to be created, such as: How and where is the network segmented? Do you have a flat network, or are you building out internal segmentation to help minimize the impact of a breach? Segmenting your network using sensors such as NG firewalls can provide you with better control over the flows of your network, as well as give you better visibility.
Another question to ask yourself is, do you know the various attack paths to your data? Do you have the proper security sensors placed in the right locations of your network to identify possible attack attempts on critical data? Ask yourself and others on your team, if you wanted to get in, how would you do it? Make sure you address this question as you build out your network segmentation strategy.
Regarding network segmentation, there are many ways to do it; however, a good place to start would be to create various security zones. Below is a simple example you can start with:
Remember, as you create these zones you need to ensure proper management and monitoring within each zone.
The last thing you need to understand are the threat actors that are targeting your organization. What are their capabilities? What are their tactics - meaning how are they breaking in, and what digital dust do they leave behind, such as the IP addresses they communicate with or specific malware they use, etc? Below is a quick general list of threat actor categories, and you most likely need to worry about all of them. The question you have to answer, though, is which of these are the most likely to be focused on stealing the data that resides in your network?
For more information on these actor categories, and threat intelligence in general, please see my previous blog: Threat Intelligence Understanding your Threat Actors 101 Part 1 of 3 https://blog.fortinet.com/2016/04/14/threat-intelligence-understanding-your-threat-actors-101-part-1-of-3
Getting a good understanding of these four key areas will require a combination of solid processes and reliable technology. Of course, there will be many more areas to cover to achieve a mature security program, but these four areas are a good place to start. When you have a good understanding of these areas, you will be able to quickly answer critical questions that, frankly, most companies cannot accurately answer today.
To tie all of this together, let’s look at an example of a new vulnerability to see what specific questions can be answered when you have established situational awareness.
In this example, a new vulnerability has just been publicly released and management wants to know how this affects your organization. Below are some questions you will need to be able to answer when trying to fully understand its effect on the organization.
Your ability to answer the above questions is a good way to gauge what type of situational awareness you currently have. If you can’t answer these questions, you may want to review your technology and processes to determine your gaps and adjust accordingly.
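The topology-based prioritization described earlier (a non-critical device that can reach a device that can reach a critical one) and the new-vulnerability scenario above can be put together in a small triage script. The following is an added example, not code from the original post or from any product; the inventory, topology, product names and version strings are all constructed placeholders.

```python
from collections import deque

# Constructed sample inventory (not real hosts): device -> (installed software, criticality).
# Criticality comes from mapping business processes such as the expense-reporting flow.
INVENTORY = {
    "edge-fw-1": ({"fortios": "7.0.1"}, "high"),
    "web-1":     ({"ubuntu": "22.04", "apache": "2.4.52"}, "high"),
    "db-1":      ({"ubuntu": "22.04", "postgres": "14.2"}, "critical"),
    "kiosk-3":   ({"windows": "10", "java": "8u201"}, "low"),
}

# Constructed topology: which devices are permitted to open connections to which.
TOPOLOGY = {
    "edge-fw-1": ["web-1"],
    "web-1": ["db-1"],
    "kiosk-3": ["web-1"],
}


def affected_devices(inventory, product, vulnerable_versions):
    """Devices whose profile lists a vulnerable version of the advisory's product."""
    return [dev for dev, (software, _) in inventory.items()
            if product in software and software[product] in vulnerable_versions]


def reachable_critical(topology, inventory, start, max_hops=3):
    """Critical assets reachable from `start` within max_hops, mapped to hop count (BFS)."""
    hops, hits = {start: 0}, {}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nxt in topology.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
                if inventory[nxt][1] == "critical":
                    hits[nxt] = hops[nxt]
    return hits


def triage(inventory, topology, product, vulnerable_versions):
    """Rank affected devices: vulnerable critical assets first (distance 0), then by
    fewest hops to a critical asset; devices that reach none are last (distance None)."""
    rows = []
    for dev in affected_devices(inventory, product, vulnerable_versions):
        crit = inventory[dev][1] == "critical"
        hits = {} if crit else reachable_critical(topology, inventory, dev)
        distance = 0 if crit else (min(hits.values()) if hits else None)
        rows.append((dev, inventory[dev][1], distance))
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or 0, r[0]))
```

Run against a hypothetical Java advisory, the low-criticality kiosk surfaces with a distance of 2 because it can reach the web server, which can reach the database, which is exactly the case the text warns is easy to under-rate.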
So, in summary, we talked about understanding your business to get a good idea of its critical processes and data, identifying your cyber assets to know what OS and applications are installed, mapping your network architecture to understand your data flows and possible blind spots, and identifying your threat actors to get an idea of how they will try to break in and what digital dust they may leave behind.
Now, if you remember, the first part of the title of this blog is The first step towards change is awareness, which we talked about in detail. But the title also includes, the second is acting on it. It’s one thing to know all of this information, but that knowledge is useless unless you also act on it - and oftentimes, you have to react faster than humanly possible. In some cases you will still have to also react manually, but there are various technologies you can leverage to automate the response to a threat to at least contain the breach, such as implementing advanced sandbox and SIEM technologies. Just remember, to be the most effective, these technologies will have to interact with your other enforcement points. This means looking for holistic solutions or architectures, or solutions with an open ecosystem that allow devices to interact, share intelligence, and respond to threats in a coordinated fashion.