In any battle, having proper line of sight over the battlefield can often be the deciding factor between victory and defeat. The same holds true for cyber battles. Regular readers of this blog will already know the importance of gaining and maintaining terrain visibility, which is perhaps the single most decisive advantage an organization can hold. Despite that, visibility remains one of the most pressing challenges for organizations today: 53% of respondents in our latest State of Threat Detection Report identified it as a leading challenge. In today’s blog, we will address how organizations can use network traffic analysis (NTA) sensors, and the strategic placement of those sensors, to regain the tactical and strategic visibility advantage.
Cyber Key Terrain
In real-world battlefield scenarios, the United States Army evaluates terrain according to the OAKOC (or alternatively, OCOKA) framework, an acronym standing for Observation and Fields of Fire; Avenues of Approach; Key and Decisive Terrain; Obstacles; and Cover and Concealment. These considerations are just as relevant to cyber terrain as to physical terrain, but the first concept we would like to focus on here is “key terrain.” Key terrain is defined as any terrain whose seizure or retention affords a marked advantage to either combatant.
In his Naval Postgraduate School thesis examining the concept of key terrain and how it applies to cyberspace, Nicholas T. Pantin writes, “when taking the concept of key terrain and applying it to cyberspace, there are notable uses and benefits to its application. Looking at the topology of a network, there will always be certain cyber elements that, when controlled, will allow for an advantage to friendly maneuverability or halting of enemy maneuverability.” The first goal for organizations, then, should be to identify and seize key terrain. This is done primarily by surveying the cyber terrain with network and endpoint sensors.
Scouting the Adversary
Network traffic analysis (NTA) sensors are essentially your scouts on the cyber battlefield. Just like scouts, each sensor has its own unique vantage point. No single scout can see the entire battlefield from an individual vantage point (Observation and Fields of Fire), but together their reports give you a complete picture of the terrain you are fighting on. The goal is to position your scouts in a way that maximizes visibility while minimizing overlap in their lines of sight. This cuts down on the amount of redundant information reported while ensuring you still retain full command of your cyber terrain. No strategy will achieve this goal perfectly, but it is the ideal we strive for when considering sensor placement.
So, what are NTA sensors? These sensors are the components that monitor your network for activity that may indicate advanced threats, malware, and data theft. Sensors analyze network, cloud, web and email traffic, and deliver alerts together with session data or logs. Sensors report network alerts and network metadata to your on-premises Network Enterprise appliances or to the remote Network Cloud; which configuration you use depends on your environment. In either case, sensors are only as useful as their positioning.
Out-Positioning the Adversary
The first problem for many organizations is an awareness problem. Simply put, many organizations do not realize that their sensors are improperly or inefficiently deployed, because they lack a full understanding of how to act on the network traffic being collected. To obtain more immediately actionable reports, organizations must give careful consideration to their sensor placement strategy. In many environments today, overlapping and duplicative sensors have produced a deluge of alerts, many of them redundant or false positives. As a result, analysts are overburdened and fatigued, and organizations with strained resources struggle to respond to incidents decisively. Conversely, some sensors are placed where their line of sight is blocked by Obstacles within the network, or by adversary Cover and Concealment. Either scenario results in blind spots that the attacker will leverage to their advantage.
To counteract this, organizations need to revisit their sensor placement. To do this effectively, organizations should focus on identifying attackers’ Avenues of Approach throughout the network – asking themselves:
- Where do I currently have visibility (i.e., where do I have Observation and Fields of Fire)?
- Where can the adversary launch attacks from (i.e., where are their Avenues of Approach)?
- Where is the network or endpoint population segmented off (i.e., where do Obstacles exist)?
- Where do we already have protection from attacks (i.e., where is our existing Cover)?
Answering these questions starts with the assets that need to be protected. Proper sensor placement is ultimately derived from knowing where the key assets (crown jewels) sit, how they are placed relative to the rest of the network, the paths to and from them, the ingress and egress paths, which hosts are vulnerable, and which hosts are in proximity to them. The key terrain doctrine gives you guidance on how to protect and defend your organization’s crown jewels. If visibility around and near those devices is minimal, it will be difficult to determine how a campaign would be run against them. By understanding how these assets are positioned, you gain an understanding of attacker objectives, which in turn illuminates sensor placement.
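The placement exercise described above can be made concrete with a small model. The following is an added example, not code from the original post or from any vendor product: it takes a constructed network topology of segments and links, treats every simple path from an ingress segment to a crown-jewel segment as an Avenue of Approach, and picks tap points (links) greedily so that every avenue is observed at least once with as few sensors as possible. It also reports, for an existing deployment, which avenues are blind spots and which sensors are fully redundant. The segment names, links, ingress points and crown jewels are all hypothetical.

```python
"""Greedy tap placement over a constructed network topology.

An Avenue of Approach is a simple path from an ingress segment to a
crown-jewel segment.  A sensor on a link (tap or SPAN between two segments)
observes every avenue that traverses that link.
"""
from collections import defaultdict

# Constructed, hypothetical topology: each entry is a link between two segments.
LINKS = [
    ("internet", "dmz"),
    ("internet", "vpn"),
    ("dmz", "core"),
    ("vpn", "core"),
    ("guest_wifi", "core"),
    ("core", "user_lan"),
    ("core", "server_vlan"),
    ("user_lan", "server_vlan"),   # east-west path that bypasses the core
    ("server_vlan", "db_vlan"),
    ("core", "ot_vlan"),
]
INGRESS = {"internet", "vpn", "guest_wifi"}   # where an adversary can start
CROWN_JEWELS = {"db_vlan", "ot_vlan"}         # assets that must be protected


def link_key(a, b):
    """Links are undirected, so normalise endpoint order for comparisons."""
    return tuple(sorted((a, b)))


def avenues_of_approach(links, ingress, targets):
    """Every simple path from an ingress segment to a crown-jewel segment.
    The walk stops at the first crown jewel reached on a path."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    paths = []

    def walk(node, visited, path):
        if node in targets:
            paths.append(tuple(path))
            return
        for nxt in sorted(adj[node]):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [nxt])

    for src in sorted(ingress):
        walk(src, {src}, [src])
    return paths


def path_links(path):
    """The set of links a path traverses."""
    return {link_key(a, b) for a, b in zip(path, path[1:])}


def coverage(paths, sensors):
    """Map each sensor link to the indices of the avenues it observes."""
    cov = {link_key(*s): set() for s in sensors}
    for i, p in enumerate(paths):
        for link in path_links(p) & cov.keys():
            cov[link].add(i)
    return cov


def blind_spots(paths, sensors):
    """Avenues of approach that no deployed sensor observes."""
    seen = set().union(*coverage(paths, sensors).values())
    return [p for i, p in enumerate(paths) if i not in seen]


def redundant_sensors(paths, sensors):
    """Sensors that could each be removed individually without creating a
    blind spot, because another sensor already sees every avenue they see."""
    cov = coverage(paths, sensors)
    redundant = []
    for s, idx in cov.items():
        others = set().union(*(v for k, v in cov.items() if k != s))
        if idx <= others:
            redundant.append(s)
    return sorted(redundant)


def place_sensors(paths, candidate_links):
    """Greedy set cover: repeatedly tap the link that observes the most
    still-unobserved avenues until every avenue is observed."""
    plinks = [path_links(p) for p in paths]
    uncovered = set(range(len(paths)))
    chosen = []
    while uncovered:
        best = max(
            (link_key(*l) for l in candidate_links),
            key=lambda l: (sum(1 for i in uncovered if l in plinks[i]), l),
        )
        newly = {i for i in uncovered if best in plinks[i]}
        if not newly:
            break   # remaining avenues cross no candidate link
        chosen.append(best)
        uncovered -= newly
    return chosen


if __name__ == "__main__":
    paths = avenues_of_approach(LINKS, INGRESS, CROWN_JEWELS)
    print(f"{len(paths)} avenues of approach")
    print("recommended taps:", place_sensors(paths, LINKS))
    perimeter_only = [("internet", "dmz"), ("internet", "vpn")]
    for p in blind_spots(paths, perimeter_only):
        print("blind spot with perimeter-only sensors:", " -> ".join(p))
    print("redundant:", redundant_sensors(paths, [("internet", "dmz"), ("dmz", "core")]))
```

On this topology the greedy pass lands the two taps on the links directly in front of the crown jewels (server_vlan to db_vlan and core to ot_vlan), which is the key-terrain result: every avenue, including the east-west route through user_lan and the guest Wi-Fi entry, must cross one of them. A perimeter-only deployment, by contrast, leaves every avenue that starts at the VPN concentrator or guest Wi-Fi as a blind spot, and two sensors on consecutive links of the same choke point are flagged as redundant because they observe identical avenues.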