Countering network resident threats in government networks

Network security monitoring is an operational and tactical method for incident detection and response.

The federal government owns, operates and uses some of the largest networks in the world, with millions of users distributed across thousands of locations. Due to their size and age, these networks host an exceptionally diverse set of systems and applications. Even when removing sensitive and classified networks from consideration, the remaining networks provide data and services upon which hundreds of millions of citizens and other constituents depend.

Because of this richness of systems, data and bandwidth, intruders of all varieties target federal networks. These threat actors possess a wide range of threat capabilities, beginning with the nuisance of denial-of-service attacks, continuing through the pain of ransomware and peaking with espionage, theft and computer network attack (CNA). Federal defenders struggle to balance their responsibilities against the resources allocated to protect their environments.

A certain class of threat actor is attracted to the federal environment. These are “network resident threats” (NRTs) – intruders who use and abuse networks for a sustained period of time. NRTs may or may not be so-called “advanced persistent threats” (APTs): sentient threat actors, not mindless code, who can operate in the full spectrum of computer intrusion and are formally tasked to accomplish a mission. APTs may or may not use a network to accomplish their goal. For example, an APT might try to insert human operatives into target organizations as newly hired software engineers. Unless and until those operatives decide to use or abuse their network access, they are invisible to network security products.

Typically APT groups will gain access to a target network and establish mechanisms by which they can maintain remote access on demand. These so-called “persistence” measures explain the “P” in “APT.” (“P” also refers to the tendency of these groups to adopt a variety of methods to achieve their mission.) FireEye’s Mandiant division recently released the 2020 edition of its M-Trends report, which noted that the so-called “dwell time” for incident response activities was 56 days in 2019. This means that 56 days elapsed between the time a threat actor first achieved access and when that access was detected by internal or external incident responders. As the vast majority of these APT groups use network infrastructure to retain access to target data, they perfectly fit the description of a network resident threat.

Criminal groups, insider threats or other undesirable actors may also use and abuse the network to achieve their goals. While it is possible for criminal groups to perform close-access operations, such as tampering with hardware in point-of-sale devices, criminals prefer to compromise targets remotely. This preserves their ability to manage multiple criminal engagements while protecting their personnel and business models.

Malicious insiders may even make use of the network over prolonged periods of time. While insiders may evade network detection by carrying copies of documents on portable hard drives, they run the risk of being caught with such devices on their persons. Many choose to transmit stolen data digitally. For example, an engineer at one of the nation’s largest industrial firms was recently prosecuted for stealing files and emailing some of them from his corporate account to a personal email account. The act of acquiring those files usually takes place over a period of time and requires moving documents from a central server to the perpetrator’s workstation -- other aspects of network resident threat behavior.

Once it becomes clear that network resident threats represent a credible element of the risk equation to government network defenders, the question of how to deal with them naturally arises. If one accepts that “prevention eventually fails,” then the rapidity and accuracy of detection and response measures come to the forefront. Detection and response rely on four key elements: third-party sources, network data, application/infrastructure data and endpoint data. Of these, the network is the least common denominator and the only source that is common to all network resident threats. While one should never neglect the value of the other three forms of data, it is imperative to include network data when defending any government environment.

Network security monitoring is an operational and tactical method for incident detection and response. NSM relies on four data types to provide defenders with the information they need: full content, extracted content, transaction data and alert data. Using these data types, agencies can record (full content), extract (extracted content), summarize (transaction data) and judge (alert data) network traffic.
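The four NSM data types are easiest to see when they are derived from the same packets. The following is an added example, not code from the article or from any NSM tool: it takes a handful of constructed packets and produces full content (every byte), extracted content (HTTP request lines and Host headers parsed from payloads), transaction data (one flow summary per session, in the spirit of NetFlow or Zeek conn logs) and alert data (rule judgments that point back to the record that fired them). The internal address range, the long-session threshold and the two detection rules are assumptions chosen to illustrate network resident behaviour.

```python
"""Added example (not part of the article): deriving NSM's four data types
from constructed packets. The internal range, the session threshold and the
rules are assumptions for illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    ts: float        # epoch seconds (constructed values)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise range
LONG_SESSION_SECONDS = 8 * 3600                    # assumed threshold

# Constructed sample traffic: a normal web request and reply, a TLS session
# that stays up for nine hours, and an HTTP request whose Host is a bare IP.
PACKETS = [
    Packet(1000.0, "10.1.1.5", "198.51.100.10", 51000, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"),
    Packet(1000.2, "198.51.100.10", "10.1.1.5", 80, 51000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Packet(2000.0, "10.1.1.7", "203.0.113.9", 52000, 443, "tcp", b"\x16\x03\x01" + b"\x00" * 40),
    Packet(2000.0 + 5 * 3600, "203.0.113.9", "10.1.1.7", 443, 52000, "tcp", b"\x17\x03\x03" + b"\x00" * 20),
    Packet(2000.0 + 9 * 3600, "10.1.1.7", "203.0.113.9", 52000, 443, "tcp", b"\x17\x03\x03" + b"\x00" * 20),
    Packet(3000.0, "10.1.1.7", "203.0.113.9", 52001, 80, "tcp",
           b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.9\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]


def full_content(packets: List[Packet]) -> List[tuple]:
    """Full content: every byte of every packet, the most complete and most costly record."""
    return [(p.ts, p.src, p.sport, p.dst, p.dport, p.proto, p.payload) for p in packets]


def extracted_content(packets: List[Packet]) -> List[Dict]:
    """Extracted content: application-layer artifacts pulled out of payloads (HTTP requests here)."""
    records = []
    for p in packets:
        if p.proto != "tcp" or not p.payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        try:
            head = p.payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
        except UnicodeDecodeError:
            continue                      # not a parseable HTTP request line
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            continue
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        records.append({"ts": p.ts, "client": p.src, "server": p.dst, "method": parts[0],
                        "uri": parts[1], "host": headers.get("host", ""),
                        "user_agent": headers.get("user-agent", "")})
    return records


def _flow_key(p: Packet) -> tuple:
    # Canonical ordering so both directions of a session share one key.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto, min(a, b), max(a, b))


def transaction_data(packets: List[Packet]) -> List[Dict]:
    """Transaction data: one summary per session (who, whom, when, how much), no payload."""
    flows: Dict[tuple, Dict] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        f = flows.setdefault(_flow_key(p), {"proto": p.proto, "client": p.src, "server": p.dst,
                                            "server_port": p.dport, "first_ts": p.ts,
                                            "last_ts": p.ts, "packets": 0, "bytes": 0})
        f["last_ts"] = max(f["last_ts"], p.ts)
        f["packets"] += 1
        f["bytes"] += len(p.payload)
    for f in flows.values():
        f["duration"] = f["last_ts"] - f["first_ts"]
    return list(flows.values())


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def alert_data(flows: List[Dict], http: List[Dict]) -> List[Dict]:
    """Alert data: judgments from rules; each alert keeps the fields needed to pivot back."""
    alerts = []
    for f in flows:
        external = ipaddress.ip_address(f["server"]) not in INTERNAL_NET
        if external and f["duration"] >= LONG_SESSION_SECONDS:
            alerts.append({"rule": "long-lived outbound session", "client": f["client"],
                           "server": f["server"], "duration": f["duration"]})
    for h in http:
        if h["host"] and _is_ip_literal(h["host"]):
            alerts.append({"rule": "http host is raw ip", "client": h["client"],
                           "server": h["server"], "uri": h["uri"]})
    return alerts


def run(packets: List[Packet]) -> Dict[str, list]:
    """Produce all four NSM data types from one packet stream."""
    flows = transaction_data(packets)
    http = extracted_content(packets)
    return {"full": full_content(packets), "extracted": http,
            "transaction": flows, "alert": alert_data(flows, http)}


if __name__ == "__main__":
    result = run(PACKETS)
    for kind in ("extracted", "transaction", "alert"):
        print(f"== {kind} ({len(result[kind])} records)")
        for rec in result[kind]:
            print("  ", rec)
```

The point of running all four from one stream is the cost and retention trade-off: full content is needed to confirm what an alert actually means, but it is the largest to store; transaction data is tiny and can be kept for months, which is what makes a 56-day dwell time investigable at all. Notice that the long-session alert needs only transaction data, while the raw-IP Host alert needs extracted content; neither would have been visible from firewall hit counts.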

Network defenders in the Air Force developed NSM in the late 1980s and throughout the 1990s to cope with the same problems facing modern government networks -- size, user count, diversity, remote access and target-rich data. Because Air Force networks were constantly attacked by a variety of threat actors, defenders realized they could only prevent a certain number of those intrusions. In order to win, defenders had to rapidly detect and respond to the attacks that started to achieve an intruder’s goal. If the defenders could stop and remove intruders before they could accomplish their mission, then the defenders won. This metric, rather than meaningless counts of packets stopped by network firewalls, reflected operational realities and impacts.

When considering ways to gain better network visibility and thereby identify and counter network resident threats, government enterprise defenders would benefit from keeping the principles and data types of NSM in mind. Although defenders have to plan for and wrestle with many sorts of intruders on a daily basis, there are proven ways to frustrate and ultimately defeat adversaries that operate as network resident threats.
