Enhancing Network Security – The Impact of Insufficient Internal Network Monitoring
Effective network monitoring is a cornerstone of cybersecurity. Inadequate monitoring configurations can lead to undetected threats, potentially compromising an organization’s security.
This news item covers the significance of proper network monitoring and its impact on cybersecurity, as described in the advisory released by CISA and NCA.
Key Takeaways to Enhancing Network Security – The Impact of Insufficient Internal Network Monitoring:
- Inadequate Monitoring Risks: Organizations with insufficient network monitoring face challenges in detecting and responding to adversarial compromise, leaving them vulnerable to threats.
- Real-World Examples: Real-world instances highlight the consequences of insufficient monitoring, including the inability to identify the source of infections and persistent access by malicious actors.
- CISA Recommendations: The Cybersecurity and Infrastructure Security Agency (CISA) provides actionable recommendations for improving network monitoring and security posture.
The Importance of Network Monitoring
Effective network monitoring is a critical aspect of cybersecurity. It involves configuring host and network sensors for traffic collection and end-host logging. When done correctly, it enables organizations to detect and respond to anomalous activities promptly.
However, some organizations fall short in optimizing their monitoring configurations, which can have severe consequences.
Risks of Insufficient Monitoring
Insufficient monitoring configurations can leave organizations blind to adversarial compromise. This limitation can hinder the timely detection of anomalous activities and the source of security breaches. Real-world examples illustrate the potential risks:
Example 1: Identifying Infected Hosts
In one scenario, an organization had host-based monitoring but lacked network monitoring. While host-based monitoring could identify infected hosts, it couldn’t pinpoint the source of the infection.
This limitation prevented the organization from effectively stopping further lateral movement and infections.
Example 2: Persistent Access by Malicious Actors
In another instance, a mature organization with a robust cyber posture failed to detect lateral movement, persistence, and command and control (C2) activity by an assessment team.
Despite the team’s attempts to trigger a security response, the organization remained unaware of the threat.
CISA Recommendations for Improved Security
The Cybersecurity and Infrastructure Security Agency (CISA) recognizes the importance of proactive measures to enhance network security. They have provided the following recommendations:
- Establish a Security Baseline: Begin by defining a baseline of normal network activity. Tune network and host-based appliances to detect anomalous behavior effectively.
- Regular Assessments: Conduct routine assessments to ensure that security procedures are well-defined and can be followed by security staff and end-users.
- Phishing-Resistant MFA: Implement phishing-resistant multi-factor authentication (MFA) to the greatest extent possible. MFA can significantly enhance account security.
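Example 1 above shows why host-only monitoring cannot pinpoint the source of an infection, and the first recommendation asks for a baseline of normal activity tuned to surface deviations. The following Python script is an added illustration of that baseline-and-deviation approach over network flow records; it is not code from the advisory or from CISA. The log format (`timestamp source destination port`), the host names and every flow record are constructed for the example, and the list of administrative ports is an assumption about what counts as lateral-movement traffic in this toy network.

```python
from dataclasses import dataclass

# Assumed set of ports where workstation-to-workstation traffic is suspicious:
# SSH, SMB, RDP and WinRM. Tune to the environment being monitored.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed flow records: "<timestamp> <src_host> <dst_host> <dst_port>".
# A real deployment would read these from a network sensor's connection log.
BASELINE_LOG = """
# learning window: ordinary workstation -> server traffic only
1000 ws01 dc01 445
1001 ws02 dc01 445
1002 ws03 dc01 445
1003 ws01 web01 443
1004 ws02 web01 443
1005 ws03 web01 443
1006 admin01 dc01 3389
"""

LIVE_LOG = """
# detection window: same server traffic, plus workstation-to-workstation admin traffic
2000 ws01 dc01 445
2001 ws02 web01 443
2002 ws02 ws01 445
2003 ws01 ws03 3389
2004 ws03 web01 443
2005 ws03 ws01 445
"""


@dataclass(frozen=True)
class Flow:
    ts: int      # constructed timestamp, seconds
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse 'ts src dst dport' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def build_baseline(flows):
    """The baseline is simply every (src, dst, dport) triple seen while learning."""
    return {(f.src, f.dst, f.dport) for f in flows}


def find_deviations(baseline, flows):
    """Flows whose (src, dst, dport) triple never appeared in the baseline."""
    return [f for f in flows if (f.src, f.dst, f.dport) not in baseline]


def trace_source(deviations, infected_host):
    """Earliest anomalous admin-port connection INTO the infected host, or None."""
    inbound = [f for f in deviations
               if f.dst == infected_host and f.dport in ADMIN_PORTS]
    return min(inbound, key=lambda f: f.ts, default=None)


def lateral_chain(deviations, infected_host):
    """Walk backwards from an infected host to the first anomalous peer.

    Returns hosts newest-first, e.g. ['ws03', 'ws01', 'ws02'] means ws02 reached
    ws01, which then reached ws03. The seen-set guards against cycles.
    """
    chain, seen, current = [infected_host], {infected_host}, infected_host
    while True:
        flow = trace_source(deviations, current)
        if flow is None or flow.src in seen:
            return chain
        chain.append(flow.src)
        seen.add(flow.src)
        current = flow.src


def investigate(baseline_text, live_text, infected_host):
    """Build the baseline, diff the live window against it, trace the infection."""
    baseline = build_baseline(parse_flows(baseline_text))
    deviations = find_deviations(baseline, parse_flows(live_text))
    return deviations, lateral_chain(deviations, infected_host)


if __name__ == "__main__":
    deviations, chain = investigate(BASELINE_LOG, LIVE_LOG, "ws03")
    for f in deviations:
        print(f"anomalous flow: {f.src} -> {f.dst}:{f.dport} at {f.ts}")
    print("probable lateral-movement path (newest first):", " <- ".join(chain))
```

The point of the example is the contrast the advisory draws: a host sensor on ws03 would report the host as infected, but only the network view, compared against the learned baseline, reveals that ws01 reached it over RDP and was itself reached from ws02 over SMB. Real baselines are built over a longer window and usually aggregate by subnet, port and time of day rather than by exact host pair, but the detection logic is the same set difference shown here.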
Real-World Red Team Assessment
In 2022, CISA conducted a red team assessment (RTA) in collaboration with a critical infrastructure organization with multiple sites. The assessment demonstrated the potential risks of insufficient monitoring as the red team gained persistent access and moved laterally across the organization.
While multifactor authentication (MFA) prevented access to one system, the organization failed to detect the red team’s activity.
Proactive Security Measures
CISA’s release of this advisory highlights the importance of collecting and monitoring logs for unusual activity. Continuous testing and exercises are essential, regardless of an organization’s cyber posture maturity.
Critical infrastructure organizations are encouraged to apply the recommendations in the Mitigations section to enhance their security processes, procedures, and overall threat detection and mitigation capabilities.
Mitigating Insufficient Internal Network Monitoring: Recommendations
To effectively mitigate the risks associated with insufficient internal network monitoring, network defenders should consider implementing the following recommendations:
Recommendations for Network Defenders:
- Establish Baselines and Regularly Audit Access:
  - Begin by establishing a baseline of applications and services within your network. Regularly audit the access and usage of these applications, especially focusing on administrative activities. For example, administrators should routinely review access lists and permissions for all web applications and services.
  - Be vigilant in identifying suspicious accounts, investigate them thoroughly, and promptly remove accounts and credentials that are no longer necessary, such as those belonging to former staff members.
- Baseline Normal Network Activity:
  - Create a baseline that accurately represents your organization’s normal traffic activity, network performance, host application activity, and user behavior. Deviations from this baseline should be investigated promptly.
- Use Auditing Tools for Detection:
  - Implement auditing tools capable of detecting instances of privilege and service abuse within your enterprise systems. When such abuse is identified, take corrective action promptly.
- Leverage Security Information and Event Management (SIEM):
  - Consider implementing a Security Information and Event Management (SIEM) system. A SIEM system provides comprehensive log aggregation, correlation, querying, visualization, and alerting capabilities. It can collect data from various sources, including network endpoints, logging systems, endpoint detection and response (EDR) systems, and intrusion detection systems (IDS).
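The account-auditing and privilege-abuse recommendations above are the kind of rules a SIEM correlates over aggregated logon events. The following Python script is an added example of that correlation, not code from the advisory or any SIEM product: it learns which hosts each account normally logs on to, then flags logons by accounts that should have been removed and privileged logons on hosts where that account has never been seen, and lists baseline accounts that have gone quiet as candidates for removal. The JSON field names, the event records and the list of former staff are all constructed for the example; a real SIEM would map vendor fields such as Windows logon events into its own schema.

```python
import json

# Constructed logon events in a SIEM-style JSON-lines form. The field names
# ("ts", "user", "host", "privileged") are assumptions for this example.
BASELINE_EVENTS = """
{"ts": 100, "user": "alice", "host": "ws01", "privileged": false}
{"ts": 101, "user": "bob", "host": "ws02", "privileged": false}
{"ts": 102, "user": "svc_backup", "host": "fs01", "privileged": true}
{"ts": 103, "user": "admin01", "host": "dc01", "privileged": true}
"""

LIVE_EVENTS = """
{"ts": 200, "user": "alice", "host": "ws01", "privileged": false}
{"ts": 201, "user": "carol", "host": "ws03", "privileged": false}
{"ts": 202, "user": "svc_backup", "host": "ws02", "privileged": true}
{"ts": 203, "user": "admin01", "host": "dc01", "privileged": true}
"""

# Constructed HR feed: accounts belonging to former staff that should no longer exist.
FORMER_STAFF = {"carol"}


def parse_events(text):
    """Parse JSON-lines logon events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_user_host_baseline(events):
    """Map each account to the set of hosts it logged on to during the learning window."""
    baseline = {}
    for e in events:
        baseline.setdefault(e["user"], set()).add(e["host"])
    return baseline


def audit_events(baseline, events, former_staff):
    """Apply two correlation rules to the live window and return the findings.

    former_staff_logon: an account that should have been removed is still in use.
    privileged_logon_new_host: a privileged account appears on a host it never
    used in the baseline, which is how a service account being abused for
    interactive access on a workstation typically shows up.
    """
    findings = []
    for e in events:
        if e["user"] in former_staff:
            findings.append({"rule": "former_staff_logon", **e})
        if e["privileged"] and e["host"] not in baseline.get(e["user"], set()):
            findings.append({"rule": "privileged_logon_new_host", **e})
    return findings


def stale_accounts(baseline, events):
    """Accounts seen in the baseline but absent from the live window: review for removal."""
    active = {e["user"] for e in events}
    return sorted(set(baseline) - active)


def run_audit(baseline_text, live_text, former_staff):
    """Learn the baseline, audit the live window, and report findings plus stale accounts."""
    baseline = build_user_host_baseline(parse_events(baseline_text))
    live = parse_events(live_text)
    return audit_events(baseline, live, former_staff), stale_accounts(baseline, live)


if __name__ == "__main__":
    findings, stale = run_audit(BASELINE_EVENTS, LIVE_EVENTS, FORMER_STAFF)
    for f in findings:
        print(f"[{f['rule']}] user={f['user']} host={f['host']} ts={f['ts']}")
    print("accounts not seen since baseline (review for removal):", stale)
```

Two design choices matter in practice. The former-staff rule needs an authoritative feed from HR or the identity system, since a list maintained by hand drifts quickly; and the privileged-logon rule only works if the baseline window is long enough to cover legitimate but infrequent administrative sessions, otherwise the SIEM drowns analysts in false positives and the alerts get ignored, which is the outcome the advisory's red team exercise describes.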
By implementing these recommendations, network defenders can significantly enhance their organization’s internal network monitoring capabilities, leading to improved security and a more proactive approach to threat detection and response.
About the Cybersecurity and Infrastructure Security Agency (CISA): CISA is a federal agency dedicated to enhancing the nation’s cybersecurity and infrastructure resilience. They provide guidance and support to organizations to protect against cyber threats and ensure the security and integrity of critical infrastructure.