Lock Down Your Wired Network to Mitigate Insider Threat

By Jon Green, Chief Security Officer

My first post in this series on wired networking explored why open wired ports are a security risk that has been overlooked for too long and why port-based security is no longer enough. In this second post, I make the case that organizations must implement stronger pre-connect controls and segmentation on the wired network to mitigate the risk of insider threat, and that they can do so in a way that is user friendly and actually reduces the operational burden.

Let's get back to the point of physical security and open network ports. One may assume that physical security provides enough protection to reduce the risk, at least to a level below the cost of mitigating it. In the previous article we raised the possibility of social engineering giving an adversary physical access to the network. You may assume that physical security prevents, for the most part, an adversary from using that as a viable attack vector. But even if we could perfectly solve physical security, that still ignores the insider threat. A simple phishing attack or an unpatched IoT device puts an attacker on the inside.

Let’s play out a hypothetical scenario:
1. Someone from your organization, an employee, subcontractor, whomever, is targeted by a spearphishing attack when they are not on the corporate network.

  • If you are thinking that person would never click on a malicious link, listen – let’s be honest with ourselves. Even those of us working in the cybersecurity space have all come close to clicking on a link in an email that has looked like a VERY valid email.
  • If you are thinking that your EDR, antivirus, or other host-based tools will prevent the threat if they do click on the link, think again. The bad guys are getting very good at masking their activity as things that are allowed on a host, using normal tools and applications, exploiting unknown vulnerabilities, etc. It’s extremely difficult to keep up. Worse yet, what if the infected device is not a corporate-controlled resource, but is instead a personally-owned device brought in by a valid employee? Remember, those ports are wide open, and there are numerous stories of employees bringing a device from home on a Saturday for a little BitTorrent activity on the high-speed corporate connection.

2. The infected device comes in through the front door and is plugged into the wired network. It gets an IP, DNS, and some level of access depending on what port it was plugged in on.

3. Now that the device has access, the malware starts its journey…

  • Let’s find out where I am and what I have access to. Let’s run a couple of nmap scans, use my local net utilities to do some domain discovery, capture some password hashes – the usual.
  • Since the firewall is a couple L2 hops away, it looks like I have other hosts on this subnet that I could possibly jump to. And without any policy in place to prevent this, that’s very convenient.
  • Looks like the firewall is letting out DNS and HTTP/S. Let’s call home, update on what I am up to, and get some further instructions.
  • Looks like the firewall is also letting me get to some domain services, thank you firewall.
  • Really interested in the IP cameras on this same subnet that have an unpatched known vulnerability. Let’s install a RAT there, just in case they find me on this user’s laptop.
  • Looks like this user has access to some servers that I can work on getting access to, I will give that a try.
  • Let’s see if we can hit some of the other computers on this subnet. Chances are that if I can’t get access to interesting things from here, those computers may move to other areas that have more access and we can work it from there.
  • Oh no, the “NAC Lite” solution that a vendor sold the organization has kicked in and booted me off the network after it fingerprinted me as something potentially bad. Good thing my work is already done.

As you can see, the malware has spread, somewhat easily, by being granted relatively open network access. Even if you find the point of initial infection and remove it, it’s too late and the damage is done. This is the unfortunate downside of post-connect security measures being relied upon exclusively, without pre-connect controls.

Pre-Connection Dynamic Controls Mitigate Insider Threat
In the above scenario, if pre-connect (or at connect time) dynamic controls were in place, each and every user and device connected to the network would be authorized and placed into an appropriate policy, at the edge. This policy would be defined using the concept of least privilege – in other words, give the camera only access to what the camera needs, give the subcontractor only access to what the subcontractor needs, give the phone only access to what the phone needs, and so on.

While the initially infected host may still have been able to connect to the network, its attack surface would have been dramatically reduced, limiting the spread of the malware and keeping it relatively contained until it was found and removed. The other advantages of a pre-connect dynamic segmentation model are:

  • Tie an identity to each and every connection thereby making it much easier to trace back the source of an intrusion.
  • Tie a “state” to every connection that can be used to dynamically change/remove the connection status at any point in time.
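As an added illustration (not from the post or any Aruba configuration), here is how the per-identity, least-privilege placement described above can be expressed at the authentication server, assuming a FreeRADIUS `users` file with the standard RFC 3580 tunnel attributes; the VLAN numbers, MAC addresses, credentials and Filter-Id names are constructed. The switch port applies whatever the server returns at connect time, and anything unknown is rejected rather than given the open-port default.

```conf
# Constructed example: one entry per identity class. Attribute names are the
# standard RFC 3580 tunnel attributes; VLAN IDs, MACs and credentials are made up.

# IP camera, identified by MAC authentication: camera VLAN only, which the
# upstream firewall restricts to the video management server.
"00aabbccdd01"    Cleartext-Password := "00aabbccdd01"
                  Tunnel-Type = VLAN,
                  Tunnel-Medium-Type = IEEE-802,
                  Tunnel-Private-Group-Id = "30",
                  Filter-Id = "camera-only"

# Subcontractor with an 802.1X credential: restricted VLAN with access to
# the project share only, no reach to the staff subnet.
"contractor-jdoe" Cleartext-Password := "placeholder-secret"
                  Tunnel-Type = VLAN,
                  Tunnel-Medium-Type = IEEE-802,
                  Tunnel-Private-Group-Id = "40",
                  Filter-Id = "contractor"

# Desk phone, identified by MAC authentication: voice VLAN only.
"00aabbccdd02"    Cleartext-Password := "00aabbccdd02"
                  Tunnel-Type = VLAN,
                  Tunnel-Medium-Type = IEEE-802,
                  Tunnel-Private-Group-Id = "50",
                  Filter-Id = "voice-only"

# Everything else: no match above means the port never gets the legacy
# "plug in and get an IP" access; the personal laptop in the scenario lands here.
DEFAULT           Auth-Type := Reject
                  Reply-Message = "Device not authorized on this port"
```

A real deployment would back these entries with a directory or device-profiling database rather than static lines, and would use a RADIUS Change-of-Authorization to alter the "state" of a session later; the point is that the policy decision happens before the port forwards anything.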

Okay, I’m sure everyone understands this. None of this is a new or novel idea – as I said before, most of you are likely doing this very thing on the Wi-Fi part of the network. So the question becomes: if the risk is known and there is a technical solution to help solve it, why is that solution not widely implemented on wired networks? I brought up in the last article that I hear about the operational and user impacts of implementing this level of dynamic segmentation. But what if we could lower the user and operational impact and costs? If we could, would the risk then outweigh the mitigation costs, and would we find more organizations implementing stronger pre-connect controls and segmentation on their wired networks?

In my next post, I’ll explore how Aruba is helping customers strengthen pre-connection controls to mitigate insider threat.

Missed the first blog? Read it now: Are You Leaving the Wired Network Door Wide Open?