With the threat of cyberattacks on the rise worldwide, hardening your organization’s network perimeter has never been more critical. Many organizations have begun to focus more on actively securing and monitoring their externally facing assets to fend off cyberattacks from hostile nation-state actors and cyber criminals. By implementing the four best practices listed below, you can protect against attacks that could seriously impact your organization’s mission.
Step 1: Create and maintain an up-to-date asset inventory
Creating and maintaining an easy-to-use asset inventory is crucial to having a good security posture. Without the support of an inventory system, companies can’t know what hosts are on their network or what software they are running. This can lead to a massive influx of shadow IT on your network. In addition, your organization cannot quickly identify critical infrastructure or hosts that could potentially be targeted during a cyberattack.
The key to maintaining an inventory system is its ease of use. If system owners in your organization can’t easily interface with your inventory solution, they’ll circumvent it. When determining the proper inventory solution, keep the acronym CRUD in mind. A well-constructed central inventory solution should give system owners the ability to:
- Create inventory records for newly onboarded systems
- Read records to determine both asset location and ownership
- Update records when asset ownership changes
- Delete records once an asset has been decommissioned
More often than not, system owners need to access more than one inventory record at a time. Being able to access multiple records at once improves the system owner’s user experience with the inventory system. This increases use and decreases the risk of a system owner introducing shadow IT within the organization’s network environment.
Step 2: Take a proactive approach to system hardening
Too often, network and system administrators take a reactive approach when configuring or patching their systems. In reality, this system management method promotes complacency and introduces unnecessary risk to the entire organization. Instead of installing the latest batch of Windows patches at the most inopportune time, system owners can take simple steps toward proactive system hardening.
When configuring network-connected services, vendor best practices should always be followed. The right time to ensure that your Redis database cluster is not exposed to the internet is not in the middle of a cyberattack. If vendor best practices cannot be implemented, secondary controls should be established to cover the resulting gap in security. This helps ensure that unsecured network services aren’t exposed to the internet and then forgotten, giving bad actors prime targets to exploit.
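Using the Redis example above, the following added check (not IBM's code, and not part of the original article) parses a redis.conf-style text and reports the settings that decide whether the service is reachable from the internet. The three configurations embedded in it are constructed samples, the password value is a placeholder, and the check is deliberately limited to the bind, protected-mode and authentication directives so it can be compared against the vendor's own guidance:

```python
"""Added example: flag a Redis configuration that a vendor-best-practice review
would reject. The sample configurations and the password placeholder are
constructed for this example; nothing here is taken from a real deployment."""
from typing import Dict, List, Tuple

# bind arguments that mean "every interface" (Redis accepts the IPv4 and IPv6 wildcards;
# a leading '-' only tells Redis not to fail if the address is unavailable)
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-0.0.0.0", "-*", "-::*"}


def parse_conf(conf_text: str) -> Dict[str, List[str]]:
    """Map each directive to its arguments; comments and blank lines are ignored.
    Only the last occurrence of a repeated directive is kept, which is enough here
    because the checks below only test for presence or a single value."""
    directives: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def check_redis_conf(conf_text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings. Empty list means the exposure-related
    settings follow the usual vendor guidance: explicit loopback bind, protected
    mode on, authentication required."""
    d = parse_conf(conf_text)
    bind = d.get("bind")
    protected = d.get("protected-mode", ["yes"])[0].lower() == "yes"
    has_auth = "requirepass" in d or "user" in d
    findings: List[Tuple[str, str]] = []

    if bind is None:
        findings.append(("IMPLICIT_BIND",
                         "no bind directive: Redis listens on every interface and only "
                         "protected-mode stands between it and remote clients"))
    elif any(arg in ALL_INTERFACES for arg in bind):
        findings.append(("BIND_ALL_INTERFACES",
                         "bind includes a wildcard address; protected-mode does not apply "
                         "once bind is set explicitly"))
    if not protected:
        findings.append(("PROTECTED_MODE_OFF", "protected-mode is disabled"))
    if not has_auth:
        findings.append(("NO_AUTH", "neither requirepass nor an ACL user is configured"))
    return findings


def reachable_without_auth(conf_text: str) -> bool:
    """True when remote clients could connect with no credentials: a wildcard or
    missing bind, no authentication, and protected-mode not in a position to help.
    Protected mode only guards the case where bind is absent AND no password is set."""
    d = parse_conf(conf_text)
    bind = d.get("bind")
    protected = d.get("protected-mode", ["yes"])[0].lower() == "yes"
    has_auth = "requirepass" in d or "user" in d
    binds_all = bind is None or any(arg in ALL_INTERFACES for arg in bind)
    if not binds_all or has_auth:
        return False
    return not (bind is None and protected)


# Constructed sample configurations.
WEAK_CONF = """
# exposed test cluster (constructed)
bind 0.0.0.0
protected-mode no
port 6379
"""

DEFAULT_LIKE_CONF = """
# bind commented out, everything else left at defaults (constructed)
# bind 127.0.0.1
port 6379
"""

HARDENED_CONF = """
# vendor-guidance shape (constructed; password is a placeholder)
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("default-like", DEFAULT_LIKE_CONF), ("hardened", HARDENED_CONF)):
        print(label, [code for code, _ in check_redis_conf(conf)], "remote-unauth:", reachable_without_auth(conf))
```

The default-like configuration is the instructive case: it reports findings because the bind is implicit and there is no password, yet it is not remotely reachable without credentials, because protected mode covers exactly that combination. Removing either the implicit bind or adding a wildcard bind changes the answer, which is why an explicit loopback bind plus authentication is the configuration to validate rather than relying on the default.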
Application developers often spin up a network of systems for testing that mimic the production environment in which an application will run. Too often, developers use these assets briefly and then leave them running and ultimately forgotten. Over time, both the applications and the operating system running on these assets become outdated. This, in turn, makes them easy targets.
When setting up a development environment, clear expectations should govern the lifecycle of the systems within it. If possible, automation should handle the tear-down of the development systems. This could involve sending batch remote calls to a group of assets to automate system shutdown. A more passive approach implements automated alerts for system owners, notifying them that their assets should be shut down immediately.
Regardless of the steps taken, tearing down unnecessary development environments can reduce an organization’s attack surface. These environments may only contain test data but can provide a foothold in a network where more sensitive data can be exfiltrated.
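The lifecycle policy described above can be expressed as a small evaluation step that runs on a schedule. The following is an added example, not code from the article or from IBM: each development host carries an owner and, ideally, an `expires` tag set when it was created; the policy warns owners a few days before expiry and, once expiry has passed, either produces an alert (passive mode) or a shutdown list (active mode). Hosts with no expiry tag at all fall back to a grace period from creation, and a host with neither tag is treated as already expired, since that is precisely the forgotten asset the text describes. The host records, owners, dates and the two policy constants are constructed assumptions:

```python
"""Added example: development-environment lifecycle enforcement.
Host records, owners, dates and the policy constants are constructed for this example."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WARN_WINDOW = timedelta(days=3)       # notify owners this long before expiry (assumed policy value)
UNTAGGED_GRACE = timedelta(days=14)   # hosts with no expiry tag get this long from creation (assumed)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp into UTC; None stays None."""
    return datetime.fromisoformat(value).astimezone(timezone.utc) if value else None


def effective_expiry(host: Dict[str, str], now: datetime) -> datetime:
    """Explicit expiry wins; otherwise creation plus grace; otherwise expired now."""
    expires = parse_ts(host.get("expires"))
    if expires is not None:
        return expires
    created = parse_ts(host.get("created"))
    return created + UNTAGGED_GRACE if created else now


def evaluate(hosts: List[Dict[str, str]], now: datetime, active: bool) -> Dict[str, List[str]]:
    """Sort hosts into 'ok', 'warn' (owner alert ahead of expiry) and either
    'shutdown' (active mode) or 'overdue' (passive mode: alert only)."""
    result: Dict[str, List[str]] = {"ok": [], "warn": [], "shutdown": [], "overdue": []}
    for host in hosts:
        expires = effective_expiry(host, now)
        if now >= expires:
            result["shutdown" if active else "overdue"].append(host["hostname"])
        elif now + WARN_WINDOW >= expires:
            result["warn"].append(host["hostname"])
        else:
            result["ok"].append(host["hostname"])
    return result


def owner_alerts(hosts: List[Dict[str, str]], now: datetime) -> Dict[str, List[str]]:
    """Passive mode output: one message list per owner, covering 'warn' and 'overdue' hosts."""
    verdict = evaluate(hosts, now, active=False)
    alerts: Dict[str, List[str]] = {}
    for host in hosts:
        name, owner = host["hostname"], host.get("owner", "unknown")
        if name in verdict["warn"]:
            alerts.setdefault(owner, []).append(f"{name} expires within {WARN_WINDOW.days} days")
        elif name in verdict["overdue"]:
            alerts.setdefault(owner, []).append(f"{name} is past expiry and should be shut down")
    return alerts


# Constructed reference time and host records.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEV_HOSTS = [
    {"hostname": "dev-api-01", "owner": "alice@example.test",
     "created": "2024-06-10T09:00:00+00:00", "expires": "2024-06-30T00:00:00+00:00"},
    {"hostname": "dev-api-02", "owner": "alice@example.test",
     "created": "2024-06-01T09:00:00+00:00", "expires": "2024-06-17T00:00:00+00:00"},
    {"hostname": "perf-test-03", "owner": "bob@example.test",
     "created": "2024-05-20T09:00:00+00:00", "expires": "2024-06-14T00:00:00+00:00"},
    {"hostname": "scratch-99", "owner": "unknown",
     "created": "2024-05-01T09:00:00+00:00"},   # no expiry tag: grace period applies
]

if __name__ == "__main__":
    print("passive:", evaluate(SAMPLE_DEV_HOSTS, NOW, active=False))
    print("active :", evaluate(SAMPLE_DEV_HOSTS, NOW, active=True))
    print("alerts :", owner_alerts(SAMPLE_DEV_HOSTS, NOW))
```

Run in passive mode first so owners see the alerts before any automated shutdown is switched on; the only difference between the two modes is which bucket the expired hosts land in, so the same evaluation can be promoted to active mode without changing the policy.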
Step 3: Install EDR on all network-connected assets
Whether a system is externally facing or not, installing an endpoint detection and response (EDR) agent on organizationally managed systems is an absolute must. If configured correctly, EDR agents can alert an organization’s security operations center (SOC) within seconds of system compromise. SOC analysts can then use the agent to isolate suspicious systems on the network and prevent lateral movement. Most agents are also intelligent enough to alert about other types of activity, such as the installation of potentially unwanted programs, suspicious network traffic and agent tampering.
EDR agents can also be a source of vulnerability data. Most EDR vendors provide the capability of detecting and reporting vulnerabilities at both the operating system and application levels. System owners can also add metadata to EDR agents, representing asset ownership and the system’s location within an organization. This metadata often serves as supplementary information within the organization’s asset inventory.
Step 4: Utilize an attack surface management tool
One of the best ways to assist with hardening your organization’s network perimeter is to use attack surface management (ASM) tools. These tools have no inside knowledge of your network. They can therefore provide you with a bad actor’s perspective of your network perimeter, allowing you to concentrate your remediation efforts on high-impact findings.
The suggestions in this article offer ways to configure or harden the systems on your network. However, ASM tooling takes a more active approach. ASM regularly scans your network perimeter to discover and report any vulnerabilities and misconfigurations. These tools allow you to audit your network in (near) real-time to validate the changes you’re making to remediate issues on your network perimeter.
An added benefit of using ASM tools is that they often assist in identifying externally facing shadow IT. Many ASM frameworks crawl the internet weekly, indexing assets based on IP registrar and domain information. Analysts can then use the output of these crawlers to determine which assets may not be in any corporate inventory and therefore are likely to be unmanaged and possibly vulnerable or misconfigured. Crawlers often extract useful metadata from the services running on the discovered assets, such as owning organization, owner email address, hostname and system username information. Such metadata can be useful in determining the specific team or internal organization to which an asset belongs.
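The two halves of this article that deal with data about assets, the CRUD inventory of Step 1 and the comparison of ASM crawler output against that inventory described just above, fit together in one small program. The following is an added example, not IBM's code or any ASM vendor's: an in-memory stand-in for a central inventory with create, read (single and batch), update and delete operations, plus a reconciliation pass that reports every crawler finding whose hostname and IP are both unknown to the inventory and groups the results by whatever owner metadata the crawler recovered. All asset records, addresses, owners and crawler findings are constructed sample data:

```python
"""Added example: a minimal CRUD asset inventory and a reconciliation pass that
flags externally discovered assets with no inventory record (shadow IT).
Every record, address and owner below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Asset:
    asset_id: str
    hostname: str
    ip: str
    owner: str
    location: str
    tags: Dict[str, str] = field(default_factory=dict)   # e.g. metadata mirrored from an EDR agent


class Inventory:
    """In-memory stand-in for a central inventory system (constructed, not a real product)."""

    def __init__(self) -> None:
        self._records: Dict[str, Asset] = {}

    def create(self, asset: Asset) -> None:                 # Create: newly onboarded system
        if asset.asset_id in self._records:
            raise ValueError(f"duplicate asset_id {asset.asset_id}")
        self._records[asset.asset_id] = asset

    def read(self, asset_id: str) -> Optional[Asset]:       # Read: one record
        return self._records.get(asset_id)

    def read_many(self, asset_ids: Iterable[str]) -> List[Asset]:   # Read: a batch, so owners need not query one at a time
        return [self._records[i] for i in asset_ids if i in self._records]

    def update(self, asset_id: str, **changes) -> Asset:    # Update: ownership or location changes
        asset = self._records[asset_id]
        for key, value in changes.items():
            if key == "tags":
                asset.tags.update(value)
            elif key in ("hostname", "ip", "owner", "location"):
                setattr(asset, key, value)
            else:
                raise KeyError(f"unknown field {key}")
        return asset

    def delete(self, asset_id: str) -> None:                # Delete: decommissioned system
        del self._records[asset_id]

    def known_identifiers(self) -> Set[str]:
        """Hostnames (lower-cased) and IPs the inventory can vouch for."""
        known: Set[str] = set()
        for a in self._records.values():
            known.add(a.hostname.lower())
            known.add(a.ip)
        return known


def reconcile(inventory: Inventory, findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return crawler findings whose hostname and IP are both absent from the inventory.
    Matching is case-insensitive on hostname; a finding with no hostname matches on IP only."""
    known = inventory.known_identifiers()
    return [f for f in findings
            if (f.get("hostname") or "").lower() not in known and f.get("ip", "") not in known]


def triage_by_owner_hint(unmanaged: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group unmanaged findings by the owner metadata the crawler recovered, so each
    can be routed to a team; findings with no hint land under 'unknown'."""
    groups: Dict[str, List[str]] = {}
    for f in unmanaged:
        groups.setdefault(f.get("owner_hint") or "unknown", []).append(f["ip"])
    return groups


# Constructed inventory and constructed crawler output.
def build_sample_inventory() -> Inventory:
    inv = Inventory()
    inv.create(Asset("A-001", "www.example.test", "203.0.113.10", "web-team", "dc-east"))
    inv.create(Asset("A-002", "vpn.example.test", "203.0.113.20", "net-team", "dc-east"))
    return inv


SAMPLE_FINDINGS = [
    {"hostname": "WWW.example.test", "ip": "203.0.113.10", "service": "https", "owner_hint": ""},
    {"hostname": "jenkins-old.example.test", "ip": "203.0.113.77", "service": "http",
     "owner_hint": "dev-team@example.test"},
    {"hostname": "", "ip": "203.0.113.91", "service": "redis", "owner_hint": ""},
]


def find_shadow_it() -> List[Dict[str, str]]:
    return reconcile(build_sample_inventory(), SAMPLE_FINDINGS)


if __name__ == "__main__":
    unmanaged = find_shadow_it()
    print("unmanaged:", [f["ip"] for f in unmanaged])
    print("triage   :", triage_by_owner_hint(unmanaged))
```

The reconciliation deliberately checks hostname and IP independently: a crawler frequently sees an address with no resolvable name, and an inventory record is still a match if either identifier lines up. Anything left over is the list to hand to the teams named in the owner hints, with the `unknown` bucket needing the most attention.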
Start hardening your network perimeter now
While no single solution allows an organization to fix every issue on its network perimeter, companies can review their current processes and adjust them to fit today’s threat landscape. Bad actors will attempt to gain a foothold on your network, and constant vigilance is necessary to fend them off. System owners and security teams must take a proactive approach to hardening the network perimeter. Otherwise, their efforts will fall short and bad actors will jeopardize the company’s reputation and revenue.
Automation Engineer, IBM CISO SOC