Written by Chris Marrison, EMEA Technical Director, Infoblox
With the attack surface, or perimeter, expanding exponentially, and attackers inside the network, the focus should now be on finding and stopping them – concentrating on how data leaves the system – says Chris Marrison
Penetration testing is the practice of examining an IT network to identify vulnerabilities that could be exploited by an attacker seeking to gain access.
Potential entry points can be detected by carrying out ‘white hat’ attacks on externally-facing parts of an organisation’s infrastructure, such as its web servers, email servers, and firewalls.
But these potential entry points are increasing in number as networks expand both in size and complexity.
BYOD, the cloud, and shadow IT are among the recent phenomena that have led to an increase in the number of devices connected to networks, each one using a growing range of business and personal applications.
The addition of so many devices and applications means that network boundaries have expanded to such an extent that they have almost dissolved entirely. Networks are essentially amorphous, and the imminent explosion of devices that the Internet of Things is set to introduce will see networks redefined further still.
As billions of connected devices continue to expand and change the network perimeter however, so the number of potential points of entry for attackers will increase. After all, the more miles of perimeter fencing there are to patrol, and the more potential access points, the more challenging it will be to keep the attackers out.
This being so, one would assume that focusing on penetration testing should be more important than ever. However, this may not necessarily be the case.
Already inside
Every single one of the enterprise networks tested in a recent exercise by Cisco was found to have suspicious traffic going to websites that hosted a form of malware, so it’s not unreasonable for organisations to believe that their network has already been compromised.
And with two thirds of breaches remaining undetected for months, there should be less of a focus on whether a system has been compromised, and more on what to do following that compromise.
With perimeters continuing to grow and shift in space, and with no firewall clearly being 100 percent effective, IT security teams should consider taking a new approach to protecting their network.
Given that malware is likely to be already inside the system, fewer resources should be spent on measures such as penetration testing, and more invested on finding effective methods of monitoring for, rooting out, identifying and taking remedial action against these existing threats.
Once an organisation acknowledges the likelihood of its network being compromised, it’ll be quicker in identifying and isolating the malware within its system.
New threats
Cyber-attacks were once used by hackers as a way of gaining notoriety or prestige, or simply to make a point. To be effective, these attacks tended to be noisy in nature, making them relatively easy to identify and quarantine.
Nowadays however, the prime motive of such attacks tends to be monetary gain. The new, sophisticated breed of advanced persistent threats (APT) are specifically designed to be invisible. Silently entering a network, they remain undetected for days, weeks, and sometimes months at a time, leaching valuable business, personal or financial information.
Connected to an internal system, an organisation’s computers were once protected by a corporate firewall. Today, the freedom offered by increased mobility means that users have continuous access to the Internet across a choice of devices, allowing them to download applications and content wherever and whenever they choose, greatly increasing the risk of their network being compromised.
Often the result of spam or a spear-fishing campaign, end-users may click on an innocuous looking link within an email or document, making a connection with a website from where the main element of an attack will be downloaded.
Indeed, and perhaps surprisingly, the reliance by APTs on this tactic means that almost half of compromised machines are found to have no actual malware on them.
At the heart of the network
Used by nearly all network communication protocols to connect with their destination domains, the Domain Name System, or DNS, is widely considered to be the address book of the Internet.
Similarly, DNS is used by APTs as a way of “calling home” and receiving instructions from their Command and Control servers, downloading additional malware payloads, and stealing sensitive corporate information.
At the heart of the IT network, it’s here in the DNS that APTs can be most effective, one they’ve passed undetected through the perimeter. And it’s here, at what is effectively a choke-point for detecting malware, that IT security teams should focus their attention.
Rather than concentrating exclusively on what’s making its way into the system, organisations should now start looking inward at what’s making its way out.
About the author
Chris Marrison is EMEA Technical Director at Infoblox where he is responsible for the Pre-sales and Professional Services teams across the region. Chris has over 21 years of experience in the IT industry. Prior to joining Infoblox, Chris was responsible for building the core internet services for Virgin.Net, Which Online, and NTLWorld, before moving to a business oriented ISP which specialised in providing value-added services to multi-tenant buildings funded by Canary Wharf Group, British Land and others. Outside of work, Chris enjoys photography, scuba diving, motorcycling and shooting.
