[BreachExchange] Why resilience should be central to cybersecurity

Tue Jun 13 20:02:35 EDT 2017

https://www.digitalhealth.net/2017/06/resilience-central-cybersecurity/

In the aftermath of the ransomware attack, NHS trusts have been encouraged
to focus their efforts on preventing future such incidents. Sensible
advice, argues Mark Jackson, but insufficient in itself – organisations
should be making cyber resilience central to their security approach.

The disruption caused by the recent outbreak of the WannaCry ransomware
raised questions as to how attacks can be prevented in the future. With
debate primarily centred on patching and the removal of legacy operating
systems, it would be easy to assume that prevention is not only achievable
but relatively simple to accomplish.

Unfortunately, the reality is somewhat different. While most of the advice
currently offered is valid – and should be implemented as soon as possible
– it avoids addressing a much more fundamental point. When it comes to the
health of your IT infrastructure, prevention doesn’t always lead to cure.

A preventative strategy is predicated on the assumption that a combined set
of security solutions will be able to block an attack before it causes
damage or loss. However, in the real world, IT estates are complex and have
evolved over time, meaning this assumption is outdated and fundamentally
flawed.

The need for cyber resilience

If prevention isn’t the answer, what is? NHS trusts should shift their
focus to increasing cyber resilience. That is to say organisations should
accept that, at some point, a breach will happen and focus on developing
capabilities to rapidly identify and contain the threat, such that targeted
remediation action can be taken and any disruption minimised.

When faced with an outbreak like WannaCry, the network may not be the
natural place to turn, but it is the primary means by which malware will
propagate and can therefore play a vital role during the incident response
process. The network is ubiquitous and it is this unique characteristic
that makes it perfectly placed to deliver two important tools that can be
leveraged in the face of a cyber incident: visibility and control.

Go with the flow

Most current network devices, and many older generation ones, have in-built
capabilities to generate something called a flow record. The best analogy
for a flow record is a telephone bill which details all the calls made on a
given line and records their duration. A flow record delivers that same
insight but for network-level conversations.

Flow record generation should be enabled as widely as possible and the
resulting data sent to a centralised flow collector – there are open source
options for this, such as ntopng or FlowViewer. This network telemetry data
can then be easily queried and, depending on the collection tool, be used
to train behaviour-based algorithms that will automatically alert if
unusual patterns of network activity are seen.

Putting flow collection into the context of the WannaCry outbreak, we first
need to examine one of the indicators of compromise (IoCs) associated with
the malware. In the early hours of the outbreak, it was known that WannaCry
spread using the Microsoft SMB (Server Message Block) protocol.
Furthermore, this propagation traffic targeted internet IP addresses that
were randomly generated. With flow data to hand, a simple query could have
been run to show all clients generating SMB traffic where the destination
IP address was outside of the trust’s address space. This would quickly
have identified exactly which devices were likely to be infected.

Minimise the disruption

Once a malware outbreak has been identified, the next step is to isolate
the outbreak to minimise the disruption to the wider environment. Again,
the network has a role to play here.

It has been widely reported that many NHS organisations resorted to
switching systems off or disconnecting parts of their network in an effort
to prevent the WannaCry malware from spreading. This approach likely caused
greater disruption to service and could have been avoided if containment
actions were targeted and enforced through network segmentation techniques.

Network segmentation isn’t a new concept. It is simply the ability to split
a single physical network into distinct logical zones. For example,
segmentation might be performed based on physical location (all of the
devices on the fourth floor), or by function (all of the pathology systems).

Unfortunately, these segments are not often seen as a security control and
so all traffic is free to flow unchecked across all zones.

Again, in the context of the WannaCry outbreak, with segmentation in place,
access-control policies could have been deployed at segment boundary points
to block the traffic associated with the spread of the malware. Having flow
records enabled, it would have been possible to identify flows into and out
of these segments, and to highlight expected – and unexpected – flows
between groups of devices.

Building enforcement policies between the segments to limit traffic flows
to only those identified will  greatly increase cyber resilience. Trusts
should start with relatively open policies to avoid accidental service
disruption, but can strengthen them over time.

In short, improvements in visibility and control can often be achieved
through simple configuration of existing network assets. By narrowing the
focus to preventing an outbreak, an IT security investment strategy becomes
akin to simply building a higher wall. This is not the answer. History
continues to demonstrate that our adversaries are highly skilled at
building longer ladders. Through the use of the network to improve
visibility and control, however, NHS organisations can reduce the impact of
future cyber incidents through more rapid identification and containment of
the threat.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170613/054fe09d/attachment.html>