Last time, I talked about how attackers are at an advantage when it comes to targeted attacks, and how it is important that we accept that fact in order to deal with attacks properly. Here comes the hard part: knowing that attackers have a great level of control, what do we do now?
Remember that even though we’ve come to accept that attackers have greater control, does not mean that we don’t have any of it. We do, and it is important to take note of that because using that control is highly critical in dealing with targeted attacks.
Control the Perimeter
Of course, any form of control can only be truly successful if founded on an awareness of what we truly own. Acquiring a firm grasp of what and who gets access to the network and the level of access that is provided may come at the expense of what most employees see as convenient, but considering the dangers of targeted attacks, it is important to put security first.
Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.
Once the network is defined, it is critical to have a means to monitor the network, which means having visibility and control of everything that goes in and out of it. A good example of a technology that can help network administrators do this is DNS Response Policy Zone. DNS RPZ provides a scalable means to manage connections to and from the network. If complemented with a domain name blacklist, it would create a network environment that is significantly safer.
Deploy Inside-Out Protection
Traditional defenses focus on hardening firewalls and keeping bad components out through blacklisting. Now, while this “outside-in” strategy would be effective for dealing with fairly straightforward attacks, it would be utterly unreliable against targeted attacks. Traditional defenses are made for attacks where the form and source are easily recognizable, which is not the case for targeted attacks.
Figure 1. Traditional defense