Network security is high on the list of concerns for network managers and IT heads. The potential business risk of a network security event ranges from, at the least, a minor inconvenience to, at worst, a business-threatening event.
Sometimes the objective of a network security event is to be as visible as possible, and at other times to surreptitiously steal information without being detected. A vital part of network security is, therefore, to be aware of any threats to the network, in short, to look for signs that the network has been compromised.
The first step is to understand what you are looking for and where to find it. The second step is to have the best tools available to assist in the monitoring and detection process. Finally, though it probably shouldn’t be last, educate the users in what a malware attack looks like, what not to do, and what to do if they think they are experiencing a malware event.
With the modern fad of inventing acronyms for everything, this has become the modern Network Detection and Response (“NDR”) environment. It evolved from endpoint security (“EDR”), which is now a specific sub-set of it.
To be a wee bit more specific, the NDR/EDR environment focuses on discovering malware on the network and associated systems, and sometimes on starting a counterattack against it. The objective of the counterattack is to limit the damage the attack causes and to repair any damage that has already happened.
Some network detection is already carried out by built-in functions of network performance monitors, but that is not their primary function. There are now specialised NDR/EDR suppliers who provide specific tools to help in discovering network threats.
When such a system discovers a threat, it applies analysis and mitigation processes to deal with it. It first identifies the type of threat and then sets up a counterattack to try to stop the attack and clear it off the network.
The NDR/EDR environment continually monitors the network, nowadays using AI and machine learning to record information about uncovered threats. This improves detection rates and speeds up setting up the counterattack.
Here are 5 signs of what to look for in the NDR/EDR environment.
User Initiated Exploits
The FBI has estimated that the bulk of network events are initiated by the action or inaction of users. For example, most phishing attacks are initiated by users clicking on an embedded link in an email.
The easiest way to detect an attempted phishing attack is to identify the target website as a naughty one, probably already on a list. The process can be automated with software that compares the target website against the list and either warns the user that the site is compromised or simply blocks the access request.
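The comparison described above is simple in principle, but the details matter: the URL the user clicked has to be reduced to a hostname (lowercased, port and path stripped) before the lookup, and a listed domain should also catch its subdomains without catching unrelated look-alikes. The following Python is an added example, not code from the original article or from any NDR/EDR product; the blocklist entries and URLs are constructed for illustration and are not real indicators.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist (illustrative values only, not a real threat feed).
BLOCKLIST = {
    "login-verify-example.test",
    "evil.example",
}


def hostname_of(url: str) -> str:
    """Reduce a URL to a normalised hostname: lowercase, no port, no trailing dot."""
    if "://" not in url:
        url = "http://" + url          # urlsplit only recognises the host after a scheme
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_listed(host: str, blocklist=BLOCKLIST) -> bool:
    """True if the host itself or any parent domain appears on the blocklist.

    Walking the labels from the left means 'portal.evil.example' matches the
    entry 'evil.example', while 'notevil.example' does not: matching happens
    only on a dot boundary, never on a plain string suffix.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):   # stop before the bare top-level label
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def decide(url: str, mode: str = "block") -> str:
    """Action a filtering proxy would take for a clicked link: 'allow', 'warn' or 'block'."""
    host = hostname_of(url)
    if not host:
        return "block"                 # an unparsable destination is not forwarded
    if is_listed(host):
        return "block" if mode == "block" else "warn"
    return "allow"


if __name__ == "__main__":
    for link in ("HTTP://Evil.Example:8080/reset", "https://intranet.example.org/"):
        print(link, "->", decide(link))
```

The `mode` parameter reflects the two responses the text mentions: a warning to the user or an outright block. In practice the blocklist would be refreshed from a feed, but the normalisation and boundary-aware matching are what keep the lookup from being trivially bypassed by mixed case, an explicit port or a subdomain.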
An indicator of a malware attack is a significant increase in support requests around malfunctioning desktop systems, all of which exhibit the same failure characteristics.
Business Systems Attacks
The reason that hackers attack business systems is to steal information they can later sell on or use to extract money themselves. They will attempt to find users’ login credentials so that they can enter the systems.
An indicator of this type of attack is a marked increase in the number of failed logon attempts, as attackers use brute force to discover passwords.
Timing, also called Zero-Day Attacks.
This type of attack depends on the time lag between the exploit being launched and the target noticing that it is under attack. The only way around this one is to reduce that time lag by using NDR/EDR to raise earlier alerts.
Denial of Service (DOS or DDOS)
DOS and DDOS attacks are designed to overwhelm systems by the sheer volume of network traffic, preventing the processing of normal network requests. The intention is to cripple the systems and disrupt normal operations. In some cases, for example on-line sales, this could be fatal to a business.
The first step is for the NDR/EDR system to register the increase in requests of a particular type, and then to block them before they flood the network.
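The failed-logon indicator in the Business Systems Attacks section and the request-flood indicator here rest on the same detection primitive: count events per source inside a sliding time window and raise an alert (or a block) when a threshold is crossed. The following Python is an added example, not code from the original article or from any NDR/EDR product; the log formats, addresses, account names and thresholds are constructed for illustration, and the thresholds would be tuned to the real traffic baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample logon events (not from any real system). The first five
# lines show one source trying five different accounts within a few seconds.
AUTH_LOG = """\
2024-05-01T09:00:01 logon FAILED user=alice src=203.0.113.7
2024-05-01T09:00:02 logon FAILED user=bob src=203.0.113.7
2024-05-01T09:00:03 logon FAILED user=carol src=203.0.113.7
2024-05-01T09:00:04 logon FAILED user=dave src=203.0.113.7
2024-05-01T09:00:05 logon FAILED user=erin src=203.0.113.7
2024-05-01T09:00:30 logon FAILED user=alice src=10.0.0.5
2024-05-01T09:05:00 logon OK user=alice src=10.0.0.5
"""

# Constructed sample web requests: one source repeats the same request 12 times
# within a single second while another source makes one ordinary request.
WEB_LOG = "\n".join(
    ["2024-05-01T10:00:00 GET /api/search src=198.51.100.9"] * 12
    + ["2024-05-01T10:00:00 GET /api/search src=10.0.0.8",
       "2024-05-01T10:00:00 GET /index.html src=198.51.100.9"]
)

AUTH_LINE = re.compile(r"^(\S+) logon (FAILED|OK) user=(\S+) src=(\S+)$")
WEB_LINE = re.compile(r"^(\S+) (GET|POST) (\S+) src=(\S+)$")


def parse_ts(text: str) -> float:
    """ISO-8601 timestamp -> seconds; only differences between values are used."""
    return datetime.fromisoformat(text).timestamp()


class WindowCounter:
    """Counts events per key inside a sliding window of `window` seconds.

    Events must be fed in timestamp order, as they arrive from a log stream.
    """

    def __init__(self, window: float, threshold: int):
        self.window, self.threshold = window, threshold
        self._hits = defaultdict(deque)

    def observe(self, ts: float, key: str) -> bool:
        """Record one event; True when `key` has reached `threshold` events in the window."""
        q = self._hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:      # drop events that fell out of the window
            q.popleft()
        return len(q) >= self.threshold


def failed_logon_alerts(log: str, window: float = 60, threshold: int = 5) -> set:
    """Source addresses with >= threshold FAILED logons within `window` seconds."""
    counter = WindowCounter(window, threshold)
    alerts = set()
    for line in log.splitlines():
        m = AUTH_LINE.match(line)
        if not m or m.group(2) != "FAILED":
            continue                               # ignore successes and unparsed lines
        if counter.observe(parse_ts(m.group(1)), m.group(4)):
            alerts.add(m.group(4))
    return alerts


def flood_block_list(log: str, path: str, window: float = 1, threshold: int = 10) -> set:
    """Source addresses that sent >= threshold requests for `path` within `window` seconds."""
    counter = WindowCounter(window, threshold)
    block = set()
    for line in log.splitlines():
        m = WEB_LINE.match(line)
        if not m or m.group(3) != path:
            continue                               # count only the request type being watched
        if counter.observe(parse_ts(m.group(1)), m.group(4)):
            block.add(m.group(4))
    return block


if __name__ == "__main__":
    print("brute-force sources:", failed_logon_alerts(AUTH_LOG))
    print("flood sources to block:", flood_block_list(WEB_LOG, "/api/search"))
```

Keying the counter on the source address catches the password-spraying pattern (one source, many accounts) that a per-account lockout alone would miss; for a distributed flood the same counter can be keyed on the request type instead of the source, which is what the text means by registering an increase in requests of a particular type.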
Exporting Information
It might be thought that network security is aimed at incoming threats only. However, information can be stolen and systems compromised by exporting information outward. The use of black-lists to identify phishing attacks is commonplace, but watching for the use of online storage like DropBox or OneDrive to export information is much less so.
The NDR/EDR environment can be configured to block access to online commercial data stores.
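Blocking the storage sites outright is one policy; a softer one is to allow them but alert when a single client pushes an unusual volume of data to them, which is the outbound counterpart of the indicators above. The following Python is an added example, not code from the original article or from any NDR/EDR product; the proxy-log format, the list of storage domains, the client addresses and the volume threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed list of destinations treated as personal/commercial cloud storage.
# Illustrative only; a real deployment would use a maintained category feed.
STORAGE_DOMAINS = ("dropbox.com", "onedrive.live.com")

# Constructed outbound proxy log: <timestamp> <client> <method> <host> bytes_out=<n>
# Client 10.0.0.21 uploads three 50 MiB objects; the others are ordinary traffic.
PROXY_LOG = """\
2024-05-01T11:00:01 10.0.0.21 POST content.dropbox.com bytes_out=52428800
2024-05-01T11:00:05 10.0.0.21 POST content.dropbox.com bytes_out=52428800
2024-05-01T11:00:09 10.0.0.21 POST content.dropbox.com bytes_out=52428800
2024-05-01T11:01:00 10.0.0.34 GET www.dropbox.com bytes_out=512
2024-05-01T11:02:00 10.0.0.40 POST crm.example.org bytes_out=20971520
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) bytes_out=(\d+)$")


def storage_domain(host: str):
    """Return the storage domain `host` belongs to, or None if it is not storage."""
    h = host.lower()
    return next((d for d in STORAGE_DOMAINS if h == d or h.endswith("." + d)), None)


def upload_totals(log: str) -> dict:
    """Bytes uploaded (POST/PUT only) per (client, storage domain) pair."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # unparsed lines are skipped, not counted
        _ts, client, method, host, n = m.groups()
        dom = storage_domain(host)
        if dom and method in ("POST", "PUT"):
            totals[(client, dom)] += int(n)
    return dict(totals)


def exfil_alerts(log: str, threshold_bytes: int = 100 * 1024 * 1024) -> set:
    """Clients whose upload volume to any one storage domain reached the threshold."""
    return {client for (client, _dom), n in upload_totals(log).items()
            if n >= threshold_bytes}


def policy_action(host: str, mode: str = "block") -> str:
    """Enforcement decision for a request to `host`: 'allow', 'block', or 'log' in monitor mode."""
    if storage_domain(host) is None:
        return "allow"
    return "block" if mode == "block" else "log"


if __name__ == "__main__":
    print("upload totals:", upload_totals(PROXY_LOG))
    print("possible exfiltration from:", exfil_alerts(PROXY_LOG))
    print("policy for content.dropbox.com:", policy_action("content.dropbox.com"))
```

Counting only upload methods keeps a user who merely downloads a shared file from triggering the alert, and aggregating per client rather than per request catches data being moved out in many medium-sized pieces rather than one large one.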
Why would you consider an NDR/EDR environment to counter these threats? Aren’t your existing firewalls and perimeter security tools enough? The answer is no.
Cyber threats are continually evolving, and that’s why you need NDR/EDR.
The AI and learning capabilities of NDR/EDR are an essential tool in your armoury.