Network Security

Patrolling every packet & process for signs of compromise

As we covered in a previous post, once a threat actor gains access to an environment, the attack is just beginning. As surveys have shown, attackers remain within organizations for two to three weeks before they are detected.

This post details exactly what technologies you need to have in place to detect these telltale signs within your organization, especially within east-west (internal) traffic and within a multi-cloud environment.

Lack of visibility

It's important to understand that today's complex multi-cloud environments make it too easy for security teams to lose visibility into attack patterns and traffic. And security teams need visibility across physical, virtualized, and containerized cloud workloads. Those workloads can be on-premises, native cloud, or managed public and private cloud.

To effectively stop attacks, enterprises need to be able to analyze security incidents at the hypervisor level. Consider the typical situation with an enterprise being breached by a maliciously crafted email being clicked on by someone on the network. The VMware NSX Sandbox was previously placed in strategic locations within the network. The NSX Sandbox is critical when it comes to the detection of malicious artifacts and identifying them as attackers attempt to deploy them throughout the organization. These artifacts can be from ransomware to remote access Trojans, droppers, and VB scripts.

Hypervisor-based defense

VMWare NSX can see all this activity because it integrated the sandbox capability into guest introspection within the hypervisor itself. Even over encrypted traffic, every payload artifact that flows through the hypervisor will be inspected by the NSX Sandbox. This allows defenders to discern everything from an OS, CPU, and memory perspective.

That means security teams can see what the threat actors are attempting to do, such as evading detection through virtualization evasion. Another thing they'll do is try to evade sandbox detection by timing their code to execute at a time after it's likely passed through the sandbox. Fortunately, AI analysis can detect such code, even if it's never been seen before. And when the system identifies a new attack, it can capture packets (PCAP) so that indicators of compromise can be created to look for in the future.

It's important to note that a complete system emulated sandbox can examine not just how malicious artifacts interact with the OS but also volatile memory and the CPU, which can spot things like using memory to encrypt itself or a file.

That enables VMware NSX to identify malware that doesn't interact directly with the OS and malware that has never been seen before.

Another way VMware detects malware is by how it communicates. That's by relying on an intrusion detection/prevention system that spots threat actor communications, whether it's over an obfuscated channel, DNS tunneling, or beaconing activity using standard tools such as Cobalt Strike. Defenders need to detect these capabilities and those beaconing activities moving outbound and within an organization, in addition to when data is being exfiltrated.

While some organizations may still be running flat networks or networks that aren't segmented, it's important that networks are segmented so that once an attacker does make their way into the environment, they don't have free reign everywhere and that their activity is limited to smaller network segments. Within these segmented network architectures, any intrusion detection/prevention system must be able to identify malicious behavior within those separate network segments.

Another important capability is effective anomaly detection down at the hypervisor level so things like threat actor lateral movement can be spotted. Understanding baseline traffic to detect these types of anomalies within your organization is essential here.

With effective network traffic analysis, defenders can understand what is expected vs. what is an anomaly, such as a suspicious user or a process or some type of lateral movement that's going on within that organization, whether over RDP or SMB or even SSH -- all indicators of compromise.

Finally, it's essential to consider how defenders respond when identifying abnormal activity. With these capabilities in hand and identifying indicators of compromise, defenders can search for and destroy these threats. With the ability to patrol every packet and process for signs of compromise, security teams will be able to disrupt these attacks before they can do real damage.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.