Optistream showcase series

DEFEND AGAINST IN-DEPTH INFILTRATION

TL;DR

  • Robust network segmentation provides a solid security foundation, but it does not protect you from in-depth attacks (a.k.a. "lateral movement")
  • Optistream provides an automated "in-depth infiltration" audit that simulates the behavior of an attacker who is already inside your IS and is searching for your most valuable assets
  • The audit results are consolidated into business-focused KPIs so that you can monitor in detail the progress of your security efforts against in-depth attacks

Part 1: Hybrid-network digital twin in a blink
Part 3: coming soon
Part 4: coming soon

In-depth attacks

In Part 1, we introduced the digital twin, our interactive map, and demonstrated how it can be manipulated using Optistream's remediation studio. We showed that it is possible to test existing filtering rules in your hybrid infrastructure (both on-premises and cloud), and automate this process using the Security Policies module.

These filtering rules ensure the security of your network flows and regulate interactions between various zones (e.g. VLANs, AWS/GCP VPCs, Azure VNets, etc.). They form the foundation of your network segmentation.

Setting up rules allows you to compartmentalize and secure your infrastructure by isolating zones, but it does not make you impervious to in-depth attacks. Even with filtering rules in place, an attacker can still reach certain zones by pivoting through intermediate hosts and chaining the flows that some of these rules permit: this is lateral movement.

In this new article, we explore the capabilities of our solution for detecting attack paths deep within your hybrid infrastructure through automatic audits.

The remediation studio then lets you apply the appropriate modifications to counter these types of attacks, and our KPIs let you track how each incremental remediation reduces the exposure of your business processes.

Flat model x segmented network

Network segmentation relies on a physical and/or logical breakdown of the network into zones. This segmentation is incomplete without suitable filtering rules between those zones, such as Cisco ACLs, FortiGate firewall policies or AWS Security Groups. Without such rules, every asset can be reached from any point within your network or cloud environment: this is the flat model.

It is therefore essential to put in place robust segmentation and limit flows to what is strictly necessary in order to strengthen the security of your infrastructure and contain any security incidents[1].

Fight against lateral movement

Once an attacker has gained initial access to your information system, they will inevitably seek to reach your company's most sensitive assets and data.

To this end, the attacker enumerates the network paths that can be chained to work around your filtering rules. They move from zone to zone within your infrastructure (pivoting), exploiting permissive rules at each hop until they reach your crown jewels.

These permissive rules may be the result of oversights (e.g. during migrations or changes to the network architecture), of unintended side effects (rules that allow far more reachability than was originally needed), or they may be legitimate and serve a specific purpose (e.g. the internal network reachable from the DMZ via a jump host or bastion). That is why it is vital to know about them, so that you can anticipate the impact of a compromise.

Optistream addresses these issues by providing a specialized automatic audit known as in-depth infiltration (IDI). This analysis simulates attackers' behaviors to detect all potential compromise paths at the earliest stages.

In-depth infiltration audit

The challenge lies in assessing the potential for attackers to access your critical assets from the exposed surface of your information system (IS). The attack surface is defined by the assets you expose to the Internet, such as EC2 instances, web servers hosted in a DMZ, or employee workstations with Internet access.

Within your digital twin, two types of nodes are configured:

  • exposed nodes: the assets that make up your attack surface and may be compromised first
  • high-value assets: the critical assets (your crown jewels) that must not be reached

The audit will therefore be able to quickly and exhaustively test all the network paths that can be leveraged by an attacker from a potentially compromised exposed node to a high value asset.

Our algorithms assign a score to each intermediate hop based on the type of flow opened between hops, inspired by the techniques attackers commonly use for lateral movement (MITRE ATT&CK tactic TA0008[2]). This makes it possible to surface the most relevant attack paths in the context of an in-depth infiltration, so that you can prioritize your security efforts on the most critical paths, build new remediation scenarios and re-evaluate them.

Example 1 - From DMZ to OT

In the following example, the Optistream user wants to assess the risk associated with the exposure of services hosted within a DMZ and asks the following question:

If my website is breached, how much damage can be done? How far can the attacker navigate within my network?

This seemingly simple question is not so easy to answer.

In this fictitious scenario, the user wants to ensure that the OT zone (SCADA & ICS) cannot be reached from the DMZ in the event of a compromise. The traceroute functionality (presented in our previous article) shows that there is no direct route to it (a routing-level check). However, the IDI audit reveals that, by chaining several hops, an attacker who has compromised the company's web server (e.g. MONSITE.COM) can reach these assets.

Lateral movement attack path detection

Although these critical assets appeared to be protected at first glance, this analysis shows that they are not protected against in-depth attacks.

The IDI audit identified an initial authorized flow from the DMZ to the internal network (WWW-PREPROD machine in the PREPROD zone) via the SSH protocol. The revealed attack path also shows the possibility for the attacker to reach his target by moving from zone to zone (Business then SCADA) until reaching the industrial control systems. The "Weakspot/path" view details the open services that the attacker can use between each hop to laterally move.

The audit shows that if the company's web server were compromised, an attacker could deeply break into the organization and access its most sensitive data by using lateral movement through internal hops.

Example 2 - Discover your contagious nodes

The IDI audit also reveals the "contagious nodes" of your IS: the assets that will have the greatest impact on your infrastructure in the event of a breach.

In order to identify these precise assets, Optistream combines several heuristics that determine:

Discovering your contagious nodes

It is through your contagious nodes that an attacker will have the greatest chance of reaching your critical assets. They therefore require increased security and supervision to monitor and counter lateral movements within your IS in order to contain attacks.

Optistream automatically targets these weaknesses and helps you to remedy them quickly.

Business-driven risk monitoring

The audit results assess the porosity of your IS segmentation and are consolidated using business-focused KPIs.

These indicators give you an instant, global view of the business processes most at risk from in-depth attacks. This enables you to focus and prioritize your security efforts within your roadmap.

From a longer-term perspective, our overall score and its history are valuable indicators for monitoring your progress in your IS security project.

Global view per business domain and process
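To make the mechanics behind Example 1 (multi-hop paths where no direct flow exists), the contagious-node ranking of Example 2 and the exposure KPI concrete, here is an added example in Python. It is not Optistream's code: the hostnames, zones, permitted flows and per-service pivot costs are constructed for illustration, and the real scoring algorithm and heuristics are not described in this article.

```python
"""Toy lateral-movement audit over a set of permitted network flows.

Added example for this article, not Optistream code. The hostnames, zones,
rules and per-service pivot costs are constructed for illustration; the real
scoring and contagious-node heuristics are not described on the page.
"""
import heapq
from collections import defaultdict

# Constructed rule set, one tuple per flow a filtering rule permits:
# (source host, destination host, service). All hostnames are hypothetical.
RULES = [
    ("www", "www-preprod", "ssh"),         # DMZ -> PREPROD (the initial authorized flow)
    ("www", "erp", "https"),               # DMZ -> BUSINESS, application port only
    ("www-preprod", "fileserver", "smb"),  # PREPROD -> BUSINESS
    ("ws-finance", "fileserver", "smb"),   # Internet-connected workstation -> BUSINESS
    ("fileserver", "eng-ws", "rdp"),       # BUSINESS -> BUSINESS
    ("fileserver", "db", "mysql"),
    ("erp", "db", "mysql"),
    ("eng-ws", "scada-hmi", "rdp"),        # BUSINESS -> SCADA
    ("scada-hmi", "plc-01", "modbus"),     # SCADA -> OT
]
EXPOSED = ["www", "ws-finance"]            # attack surface: reachable from the Internet
HIGH_VALUE = ["plc-01", "db"]              # crown jewels

# Hypothetical pivot cost per service: remote-administration protocols (TA0008
# staples) are cheap to pivot through, application protocols are expensive.
PIVOT_COST = {"ssh": 1, "rdp": 1, "winrm": 1, "smb": 2, "modbus": 2, "mysql": 4, "https": 5}

def build_graph(rules):
    """Directed graph: host -> [(next host, service, cost)]. Unknown services cost the most."""
    graph = defaultdict(list)
    for src, dst, svc in rules:
        graph[src].append((dst, svc, PIVOT_COST.get(svc, 6)))
    return graph

def cheapest_paths(graph, source):
    """Dijkstra from one compromised host: {host: (cost, [(host, service), ...])}."""
    best = {source: (0, [(source, None)])}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for dst, svc, weight in graph.get(node, []):
            new_cost = cost + weight
            if dst not in best or new_cost < best[dst][0]:
                best[dst] = (new_cost, best[node][1] + [(dst, svc)])
                heapq.heappush(heap, (new_cost, dst))
    return best

def attack_paths(rules, exposed, high_value):
    """Cheapest pivot chain from each exposed node to each high-value asset it can reach."""
    graph = build_graph(rules)
    found = {}
    for entry in exposed:
        reach = cheapest_paths(graph, entry)
        for target in high_value:
            if target in reach:
                found[(entry, target)] = reach[target]
    return found

def direct_flow(rules, src, dst):
    """The routing-level question: is there a single permitted flow src -> dst?"""
    return any(s == src and d == dst for s, d, _ in rules)

def contagious_nodes(paths):
    """Intermediate hosts ranked by how many exposed -> HVA attack paths cross them."""
    counts = defaultdict(int)
    for _, hops in paths.values():
        for host, _ in hops[1:-1]:
            counts[host] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

def exposure_kpi(rules, exposed, high_value):
    """Fraction of (exposed, HVA) pairs with an attack path; 0.0 means segmentation holds."""
    return len(attack_paths(rules, exposed, high_value)) / (len(exposed) * len(high_value))

def format_path(hops):
    """Render a path as 'a -[svc]-> b -[svc]-> c'."""
    parts = [hops[0][0]]
    for host, svc in hops[1:]:
        parts.append(f"-[{svc}]-> {host}")
    return " ".join(parts)

if __name__ == "__main__":
    print("direct www -> plc-01 flow:", direct_flow(RULES, "www", "plc-01"))
    paths = attack_paths(RULES, EXPOSED, HIGH_VALUE)
    for (entry, target), (cost, hops) in paths.items():
        print(f"{entry} -> {target} (cost {cost}): {format_path(hops)}")
    print("contagious nodes:", contagious_nodes(paths))
    print("exposure KPI:", exposure_kpi(RULES, EXPOSED, HIGH_VALUE))
    # Two remediation scenarios: re-run the audit with one rule removed each time.
    for dropped in [("www", "www-preprod", "ssh"), ("fileserver", "eng-ws", "rdp")]:
        remaining = [r for r in RULES if r != dropped]
        print(f"without {dropped}: KPI {exposure_kpi(remaining, EXPOSED, HIGH_VALUE)}")
```

Run it directly to see the three points the article makes: there is no direct flow from www to plc-01, yet a five-hop chain (ssh, smb, rdp, rdp, modbus) reaches the PLC; fileserver sits on all four exposed-to-HVA paths, which makes it the contagious node to harden and monitor first; and removing the BUSINESS-internal RDP rule lowers the exposure KPI to 0.5, while removing the DMZ-to-PREPROD SSH rule only brings it to 0.75, which is the kind of comparison the audit and the remediation studio are meant to support.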

In our next article

Part 3 of our article series will showcase the capabilities of Optistream in addressing these challenges specifically within a cloud environment. We will explore how to:

Links

[1] Optistream - Zero Trust x Segmentation
[2] https://attack.mitre.org/tactics/TA0008/