005. SECURITY MONITORING OPERATIONAL CHALLENGES
There are several security monitoring operational challenges, including encryption, network address translation (NAT), time synchronization, Tor, and peer-to-peer communications. This article covers these operational challenges in brief.
SECURITY MONITORING AND ENCRYPTION
Encryption has great benefits for security and privacy, but it can present several challenges for incident response and forensics. Even law enforcement agencies have had to confront the dual-use nature of encryption.
When protecting information and communications, encryption has numerous benefits for everyone from governments and militaries to corporations and individuals. On the other hand, those same mechanisms can be used by threat actors as a method of evasion and obfuscation.
Historically, even governments have tried to regulate the use and exportation of encryption technologies. A good example is the Wassenaar Arrangement, a multinational agreement with the goal of regulating the export of technologies like encryption. Other examples include law enforcement agencies such as the U.S. Federal Bureau of Investigation (FBI) trying to force vendors to leave certain investigative capabilities in their software and devices. Another example is the alleged U.S. National Security Agency (NSA) backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which would allow whoever holds the backdoor to predict the generator's output and therefore recover the cleartext of any communication whose keys were seeded by this pseudorandom number generator.
SECURITY MONITORING AND NETWORK ADDRESS TRANSLATION
Layer 3 devices, such as routers and firewalls, can perform network address translation (NAT). The router or firewall “translates” the “internal” host’s private (or real) IP addresses to a publicly routable (or mapped) address. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range.
This enables a network professional to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, “Address Allocation for Private Internets”).
Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host.
NAT can present a challenge when performing security monitoring and analyzing logs, NetFlow, and other data, because device IP addresses can be seen in the logs as the “translated” IP address versus the “real” IP address. In the case of port address translation (PAT), this could become even more problematic because many different hosts can be translated to a single address, making the correlation almost impossible to achieve.
Security products, such as the Cisco Lancope Stealthwatch system, provide features that can be used to correlate and “map” translated IP addresses with NetFlow. This feature in the Cisco Lancope Stealthwatch system is called NAT stitching. This accelerates incident response tasks and eases continuous security monitoring operations.
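To make the NAT/PAT correlation problem concrete, here is an added example (not from the article and not code from any Cisco product) that stitches NetFlow records seen outside the firewall back to the real inside host using an exported translation table. The record formats, addresses and timestamps are constructed for illustration; the key point is that under PAT the mapped port is reused over time, so the flow timestamp must fall inside the translation's lifetime.

```python
from collections import namedtuple
from datetime import datetime

# Constructed NAT translation table as a firewall might export it (PAT: three
# inside hosts share the public address 203.0.113.5, told apart by port + time).
# Fields: inside_ip,inside_port,mapped_ip,mapped_port,start,end
NAT_TABLE = """\
10.1.2.10,51234,203.0.113.5,40001,2024-05-01T10:00:00,2024-05-01T10:05:00
10.1.2.11,51234,203.0.113.5,40002,2024-05-01T10:00:30,2024-05-01T10:04:00
10.1.2.12,49152,203.0.113.5,40001,2024-05-01T10:06:00,2024-05-01T10:09:00
"""
# Constructed NetFlow-style records collected outside the firewall.
# Fields: timestamp,src_ip,src_port,dst_ip,dst_port
FLOWS = """\
2024-05-01T10:01:15,203.0.113.5,40001,198.51.100.7,443
2024-05-01T10:02:00,203.0.113.5,40002,198.51.100.9,80
2024-05-01T10:07:30,203.0.113.5,40001,198.51.100.7,443
2024-05-01T10:10:00,203.0.113.5,40003,198.51.100.7,443
"""

Translation = namedtuple(
    "Translation", "inside_ip inside_port mapped_ip mapped_port start end")

def parse_nat_table(text):
    rows = []
    for line in text.splitlines():
        i_ip, i_port, m_ip, m_port, start, end = line.split(",")
        rows.append(Translation(i_ip, int(i_port), m_ip, int(m_port),
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return rows

def lookup(table, mapped_ip, mapped_port, when):
    # The mapped port alone is ambiguous: PAT reuses a port once the earlier
    # translation expires, so the flow time must fall inside the lifetime.
    for tr in table:
        if (tr.mapped_ip == mapped_ip and tr.mapped_port == mapped_port
                and tr.start <= when <= tr.end):
            return tr
    return None

def stitch(flows_text, table):
    """Return (timestamp, real inside endpoint, destination) for each flow."""
    out = []
    for line in flows_text.splitlines():
        ts, src, sport, dst, dport = line.split(",")
        tr = lookup(table, src, int(sport), datetime.fromisoformat(ts))
        inside = f"{tr.inside_ip}:{tr.inside_port}" if tr else "UNRESOLVED"
        out.append((ts, inside, f"{dst}:{dport}"))
    return out
```

Note that the third flow resolves to 10.1.2.12, not 10.1.2.10, even though both used mapped port 40001, and the last flow stays unresolved because no translation covers it; an unresolved entry usually means a gap in the exported table or a clock skew between the two data sources.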
DNS TUNNELING AND OTHER EXFILTRATION METHODS
Threat actors have been using many different nontraditional techniques to steal data from corporate networks without being detected. For example, they have been sending stolen credit card data, intellectual property, and confidential documents over DNS using tunneling. As you probably know, DNS is a protocol that enables systems to resolve domain names (for example, cisco.com) into IP addresses (for example, 22.214.171.124).
DNS was not designed to serve as a command channel, let alone a tunnel. However, attackers have developed software that enables tunneling over DNS. These threat actors like to use protocols that traditionally are not designed for data transfer, because they receive less inspection in terms of security monitoring. Undetected DNS tunneling (otherwise known as DNS exfiltration) represents a significant risk to any organization.
In many cases, malware Base64-encodes sensitive data (such as credit card numbers, PII, and so on) and carries it to the cyber criminals in the payload of DNS packets. The following are some examples of encoding methods that could be used by attackers:
1. Base64 encoding
2. Binary (8-bit) encoding
3. NetBIOS encoding
4. Hex encoding
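The following added example (not from the original article) runs a simple tunneling heuristic over a constructed DNS query log: for each registered domain it measures the average subdomain length, the Shannon entropy of the subdomain text, and the share of unique subdomains, which is how hex- or Base64-encoded payloads carried in query names stand out from ordinary hostnames. The domain data-relay.example, the log lines and the thresholds are all assumed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: timestamp, client, queried name. The four queries to
# data-relay.example carry hex-encoded chunks in their labels, as a tunnel would.
DNS_LOG = """\
2024-05-01T10:00:01 10.1.2.10 www.cisco.com
2024-05-01T10:00:02 10.1.2.10 mail.example.org
2024-05-01T10:00:03 10.1.2.44 4f1a9e2b7c3d8e6f0a5b1c9d2e4f7a3b.0.data-relay.example
2024-05-01T10:00:03 10.1.2.44 7c3d8e6f0a5b1c9d2e4f7a3b4f1a9e2b.1.data-relay.example
2024-05-01T10:00:04 10.1.2.10 www.cisco.com
2024-05-01T10:00:04 10.1.2.44 0a5b1c9d2e4f7a3b4f1a9e2b7c3d8e6f.2.data-relay.example
2024-05-01T10:00:05 10.1.2.10 cdn-edge-07.static.example.org.
2024-05-01T10:00:05 10.1.2.44 2e4f7a3b4f1a9e2b7c3d8e6f0a5b1c9d.3.data-relay.example
2024-05-01T10:00:06 10.1.2.10 tools.cisco.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far above normal hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Return (registered domain, subdomain part); trailing dot and case are normalized."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze(log_text, min_queries=3, min_avg_len=30, min_avg_entropy=3.5,
            min_unique_ratio=0.8):
    """Flag registered domains whose subdomains look like encoded payloads."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        _ts, _client, qname = line.split()
        domain, sub = split_name(qname)
        per_domain[domain].append(sub)
    flagged = {}
    for domain, subs in per_domain.items():
        n = len(subs)
        avg_len = sum(len(s) for s in subs) / n
        avg_ent = sum(shannon_entropy(s) for s in subs) / n
        uniq = len(set(subs)) / n       # tunnels rarely repeat a query name
        if (n >= min_queries and avg_len >= min_avg_len
                and avg_ent >= min_avg_entropy and uniq >= min_unique_ratio):
            flagged[domain] = {"queries": n, "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2), "unique_ratio": round(uniq, 2)}
    return flagged
```

The legitimate CDN-style name under example.org is long but low in entropy and repeats, so only data-relay.example is flagged; in production the thresholds would be tuned against a baseline of your own resolver logs, since CDNs and some security products also generate long, unique labels.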
SECURITY MONITORING AND TOR
Many people use tools such as Tor for privacy. Tor is a free tool that enables its users to surf the Web anonymously. Tor works by “routing” IP traffic through a free, worldwide network consisting of thousands of Tor relays. Then it constantly changes the way it routes traffic in order to obscure a user’s location from anyone monitoring the network.
The use of Tor also makes security monitoring and incident response more difficult, because it’s hard to attribute and trace back the traffic to the user. Different types of malware are known to use Tor to cover their tracks. This “onion routing” is accomplished by encrypting the application layer of a communication protocol stack that’s “nested” just like the layers of an onion.
The Tor client encrypts the data multiple times and sends it through a “network or circuit” that includes randomly selected Tor relays. Each of the relays decrypts “a layer of the onion” to reveal only the next relay so that the remaining encrypted data can be routed on to it.