Lock Down Your Wired Network to Mitigate Insider Threat

Here’s a hypothetical scenario that demonstrates how easily malware can spread via open network access.

security post 7 image 1
Aruba

My first post in this series on wired networking explored why open wired ports are a security risk that’s been overlooked for too long and why port-based security is no longer enough. In this second post, I present why organizations must implement stronger pre-connect controls and segmentation on the wired network to mitigate the risk of insider threat. At the same time, they must do so in such a way that it is user friendly and actually reduces the operational burden.

Let's start with the point of physical security and open network ports. One might assume that physical security grants me enough protection to reduce my risk, at least to a level below the cost of mitigating that risk. I raised in the previous article the possibility of social engineering allowing an adversary physical access to the network. You might assume that physical security prevents, for the most part, an adversary from using that as a viable attack vector. But even if we can perfectly solve physical security, that still ignores the insider threat. A simple phishing attack or unpatched Internet of Things (IoT) device puts an attacker on the inside.

Let’s play out a hypothetical scenario:
1. Someone from your organization—an employee, subcontractor, whomever—is targeted by a spearphishing attack when they are not on the corporate network.

  • If you are thinking that person would never click on a malicious link, listen – let’s be honest with ourselves. Even those of us working in the cybersecurity space have all come close to clicking on a link in an email that has looked like a VERY valid email.
  • If you are thinking that your EDR, antivirus, or other host-based tools will prevent the threat if they do click on the link, think again. The bad guys are getting very good at masking their activity as things that are allowed on a host, using normal tools and applications, exploiting unknown vulnerabilities, etc. It’s extremely difficult to keep up. Worse yet, what if the infected device is not a corporate-controlled resource, but is instead a personally-owned device used by a valid employee? Remember, those ports are wide open and there are numerous stories of employees using a device from home on a Saturday for a little BitTorrent activity on the high-speed corporate connection.
  1. The infected device comes in through the front door and is plugged into the wired network. It gets an IP, DNS, and some level of access depending on what port is selected.
  2. Now that the device has access, the malware starts its journey…
  • Let’s find out where I am and what I have access to. Let’s run a couple nmaps, use my local net utilities to do some domain discovery, capture some password hashes – the usual.
  • Since the firewall is a couple L2 hops away, it looks like I have other hosts on this subnet that I could possibly jump to. And without any policy in place to prevent this, that’s very convenient.
  • Looks like the firewall is letting out DNS and HTTP/S. Let’s call home, update on what I am up to, and get some further instructions.
  • Looks like the firewall is also letting me get to some domain services. Thank you firewall.
  • Really interested in the IP cameras on this same subnet that have an unpatched known vulnerability. Let’s install a RAT there, just in case they find me on this user’s laptop.
  • Looks like this user has access to some servers that I can work on getting access to, I will give that a try.
  • Let’s see if we can hit some of the other computers on this subnet. Chances are that if I can’t get access to interesting things from here, those computers may move to other areas that have more access and we can work it from there.
  • Oh no, the “NAC Lite” solution that a vendor sold the organization has kicked in and booted me off the network after fingerprinting me as potentially bad. Good thing my work is already done.

As you can see, the malware has spread, somewhat easily, by being granted relatively open network access. Even if you find the point of initial infection and remove it, it’s too late and the damage is done. This is the unfortunate downside of relying exclusively on post-connect security measures, without pre-connect controls.

Pre-Connection Dynamic Controls Mitigate Insider Threat
In the above scenario, if pre-connect (or at connect time) dynamic controls were in place, each and every user and device connected to the network would be authorized and placed into an appropriate policy, at the edge. This policy would be defined using the concept of least privilege – in other words, give the camera only access to what the camera needs, give the subcontractor only access to what the subcontractor needs, give the phone only access to what the phone needs, and so on.

While the initially infected host might still have been able to connect to the network, its attack surface would have been dramatically reduced. This in turn reduces the spread of the malware, keeping it relatively contained until discovered and removed.

A pre-connect dynamic segmentation model has several other advantages:

  • Tie an identity to each and every connection, making it much easier to trace back the source of an intrusion.
  • Tie a “state” to every connection that can be used to dynamically change/remove the connection status at any point in time.

Okay, I’m sure everyone understands this. None of this is a new or novel idea – as I said before, most of you are likely doing this very thing on the Wi-Fi part of your network.

So, the question becomes, if the risk is known and there is a technical solution to help solve it, then why is that not widely implemented on wired networks? I mentioned in the last article that I hear about operational impact and user impact of implementing this level of dynamic segmentation. But what if we could lower the user and operational impact and costs? If we could, does the risk now rise higher than the mitigation costs, and would we find more organizations implementing stronger pre-connect controls and segmentation on the wired networks?

In my next post, I’ll explore how Aruba is helping customers strengthen pre-connection controls to mitigate insider threat.

Missed the first blog? Read it now: Are You Leaving the Wired Network Door Wide Open?

About the Author

jon green Aruba

Jon Green Blog Contributor

Jon Green is VP and Chief Technologist for Security at Aruba, a Hewlett Packard Enterprise company. He is responsible for providing technology guidance and leadership for all security solutions including...

Full bio

Related: