I Beat Them to Firing Me! Part Two: Fight Back

How to use network configuration, change, and compliance management (NCCCM) and other monitoring software in response to an actual security breach. If you have not read part one, I would suggest that you give that an overview, so you can understand fully how and why this comes into play. For those that are ready for part two, welcome back!  I'll attempt to share some assessments of an internal sabotage and how to use things like monitoring and management software to see and recovery.  The best way to respond is by thinking ahead, having clear steps to prevent, and halt further damage. Today, we are going to dive into a couple of scenarios, and directly assess ways to be alerted to and address situations that may be taking place within your organization.  Now, should we all live like we have a monkey on our back/shoulder?  No, but it doesn't hurt to have a little healthy "skepticism" about unusual things that are happening around you.  Being aware of your surroundings allows you to fight back and take back control of hiccups along the way. Internal Planning Possible Sabotage: Things to look for visually as well as with monitoring and management software.

• Unusual behavior (after a confrontation or write-up has happened)
  • This can be obviously aggressive, but the one often overlooked is "overly" nice and helpful.
    • Yes, this sound condescending and I understand that concern but think of this as out of character.  They now want to help higher levels with mission critical information or configurations.  They want to "watch" you command line interface to a device.  They are "contributing" to get to know where key points are.  These are things that are outside of their scope.
  • Aggressive well the writing is on the wall at that point and if secretive comes into play then watch out and plan accordingly.
  • Use Real-time change notifications, approval systems, and compliance to help you see changes made, and users added to devices of monitoring management software.
    • Make sure that you have a script to remove access to devices ahead of time.  One that you can fill in the blank for the user ID and take permissions away quickly.
    • Verify you have alerts set up to notify you with quick access to the devices through a management software so you can cancel access levels and revert changes quickly.
• Logon's found in unusual servers by said person
  • Use a Log Event Monitor to help you be alerted with strange behavior to login attempts and places.
  • Know your monitoring software and have quick pages to deny access to accounts quickly
• New Users
  • Use a Log Event Monitor to alert you to new account creations.  You need to know when these were created and had a trail on these to remove.
• Job creation for mass configuration changes
  • Verify through an approval system all changes on your network.  An excellent way to do this is with an NCCCM product and enable the approval system to be fully active.  You will want at least a 2 level approval system to help prevent issues and possible changes.
  • Real-time change notification with segmented emails for critical devices.
  • Backups to be quickly accessible and found in multiple locations to ensure access during a breach.

Internal Execution of Sabotage: Things to do if you find yourself under attack (Network Side)

• First things first
  • Log Event Monitoring - should be alerting you to access violations, additions of accounts, or deleting of accounts
  • TACACS - should be enabled and in full use for auditing within your monitoring and management software choices
  • Real-Time change notifications should be sending emails immediately to the correct people with an escalation of higher up network engineers on your team.
• Now to fight back!
  • If they are opening firewalls to gain access you need to shut these down and stop traffic immediately.  You will need to have a plan on a script for a shut all or use something like Firewall Security Manager or Network Configuration Manager to implement commands from a stored location.
    • Allows time to figure out the user and what is going on while you can have the floodgate closed.
    • Addressed in a security protocol to enable you to have this authority.  Saving you and your company a lot of money when you are trying to prevent a massive break-in.
  • If they are deleting router configs
    • Real-time change notification (RTN) alerts should be sent out to you to bring you up to speed.
      • Use a script to deny access to the user that made the change shown in the RTN email.
      • Revert configurations from within your NCCCM software and get these back online
    • Verify users that have access
      • Use a compliance report to check access levels and remove where needed.
      • CONTINUE to monitor these reports
    • Check your Approval system
      • Verify who has access
      • Change passwords to all monitoring and management software logins.
        • I have had a customer that would set these up to one password for all that he would create if in crisis.  Allowing a quick shutdown of software usage to gain control when an attack was ensuing.
  • Verify critical application status
    • Log event monitor - check logs to see if access has been happening outside of usual
    • NetPath or something similar for pathways to check accessibility or changes
    • NCCCM - Verify all changes that have occurred within the past seven days minimum as this could only be the first wave of intrusion.
    • Network performance monitor to verify any malware or trojans that could be lingering and sending data on your network.
      • Volumes filling up and being alerted to this
      • Interface utilization skyrocketing
      • NetFlow monitor showcasing high amounts of unusual traffic or NO traffic history is essential here.

Security gut check: Things to go over with yourself and team to make sure your security and plans for recovery are current. Pre-Assessment

• understand and know what is critical information within your organization
• Where are your system boundaries
• Pinpoint your security documentation

Assessment

• Setup a meeting with your team over the above pre-assessment
• Review your security information
• Practice scenarios that "could" happen within your networks
• Setup session controls
• Verify maintenance plans
• Ensure mapping of your critical networking connections with critical applications
• Ensure your policies are relevant today as they were when first created
• Verify entry points of concerns
  • Internal/External
• System and Network Exposures

Team Analysis

• Where are your vulnerabilities?
• What are your Countermeasures?
• What is the impact if breached?
• Who can segment and take on sections of security recommendations?

Final

• Implement new security plans as defined and found above.
• Set up a meeting review for at least three months later to make sure all vulnerabilities are known and addressed.
• Verify that the plan is accessible for your team to review so they are aware of actions to take.
• Sign an agreement within your team to follow these protocols.

Well, that is a lot to cover, whew!  Once again everyone's networks and infrastructures are different.  You and I understand that.  The main point is how to use tools to help you stay ahead and be able to fight back with minimal damage.  Having a recovery plan and consistently updating these to new vulnerabilities is vital to stay ahead.  You can shift these and use for outside attacks as well.  Security is a fluid dance and ever changing so don't be stuck sitting on the outside looking in. Thank you, ~Dez~