The Mayans Were Wrong, Let’s Get Back to Intelligence Collection!
So Where Do You Begin?
For years, risk management practitioners have been preaching the gospel of establishing CMDBs and promoting asset criticality matrices. If you’ve done this and maintain it regularly, you’re ahead of the game. If your organization has not yet done so, you may wish to reconsider as we progress through this blog. Understanding your organizational asset inventory is of paramount importance to all information security professionals, especially those tasked with monitoring the enterprise in reactive and proactive scenarios.
Knowing the proverbial lay of the land is key, largely because the first rule of intelligence analysis is to ask ourselves: what do we know, based on the information we have at our disposal? Not being able to answer that question is akin to flying blind, and no one wants that experience. So understanding what we know unequivocally, free of speculation or conjecture, is a good thing and should be embraced. How do we get there? We begin by evaluating every piece of technology at our disposal for its value as an intelligence collection agent. This may seem like a daunting task, but it is important nonetheless.
Understanding what is occurring on the host footprint of every user in your enterprise, for example, will narrow the gaps in your knowledge as you compare that activity against what is occurring on systems, servers, infrastructure, and so on. Knowing what you have to work with as part of your asset inventory therefore becomes increasingly valuable. Network defenses are also huge sources of intelligence data. Firewall logs tell us who is doing what on a transaction-by-transaction basis, rule by rule. IDS/IPS tell us which vulnerabilities, if any, are seeing anomalous activity on the wire or outright exploitation. Web and mail gateways give us knowledge of HTTP and SMTP communications respectively, while SIEMs tie all of this together into a composite view for the analyst. But does this provide true visibility into what is occurring within (and outside) our enterprise footprint? The answer may surprise you.
Where we need to begin
No. We need more insight into transaction-oriented communications at the packet level in order to see what is truly occurring host-to-host and host-to-network. We need to be able to reconstruct sessions from what we observe and make decisions (driven by information security policy) about the results. We also need that data to feed platforms capable of turning it into information security intelligence, so that the value of those tools and platforms is realized and grows exponentially.
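The two preceding points, correlating network defense logs against the asset inventory and reconstructing host-to-host sessions from transaction records, can be shown in a few dozen lines. The following is an added example written for this post, not code from the original author: it builds a miniature CMDB, a handful of constructed firewall and IDS log lines in an assumed key=value syslog style, groups the firewall records into sessions by 5-tuple (a crude stand-in for packet-level reassembly), flags internal addresses that appear on the wire but have no inventory record (the "what do we know" gap), and enriches an IDS alert with the criticality of the asset it targets. Every hostname, address, log format and the internal address range are assumptions invented for the illustration.

```python
import ipaddress
import re

# Constructed asset inventory (a miniature CMDB): ip -> (hostname, criticality 1..5).
# Every value here is invented for the illustration.
ASSET_INVENTORY = {
    "10.0.1.10": ("web-01", 4),
    "10.0.1.20": ("db-01", 5),
    "10.0.2.5": ("wks-alice", 2),
}

# Address space the organisation owns (assumed). Anything inside it that is
# not in the inventory is a gap in what we know about our own footprint.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines in an assumed "timestamp key=value ..." style.
FIREWALL_LOGS = [
    "2024-01-10T10:00:01 action=ACCEPT src=10.0.2.5 dst=10.0.1.10 sport=51000 dport=443 proto=tcp bytes=1200",
    "2024-01-10T10:00:02 action=ACCEPT src=10.0.2.5 dst=10.0.1.10 sport=51000 dport=443 proto=tcp bytes=8800",
    "2024-01-10T10:00:05 action=ACCEPT src=10.0.1.10 dst=10.0.1.20 sport=40000 dport=5432 proto=tcp bytes=300",
    "2024-01-10T10:01:00 action=DENY src=203.0.113.7 dst=10.0.1.20 sport=4444 dport=22 proto=tcp bytes=60",
    "2024-01-10T10:01:30 action=ACCEPT src=10.0.3.99 dst=10.0.1.20 sport=52000 dport=5432 proto=tcp bytes=5000",
]

# Constructed IDS alert lines (assumed format).
IDS_ALERTS = [
    '2024-01-10T10:01:30 sid=100001 msg="SQL protocol from unmanaged subnet" src=10.0.3.99 dst=10.0.1.20',
]

# key=value pairs; a quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def reconstruct_sessions(lines):
    """Group firewall records by 5-tuple so each host-to-host session is one record."""
    sessions = {}
    for f in map(parse_line, lines):
        key = (f["src"], f["dst"], int(f["sport"]), int(f["dport"]), f["proto"])
        s = sessions.setdefault(
            key, {"first": f["ts"], "last": f["ts"], "records": 0, "bytes": 0, "actions": set()}
        )
        s["last"] = f["ts"]
        s["records"] += 1
        s["bytes"] += int(f["bytes"])
        s["actions"].add(f["action"])
    return sessions


def is_internal(ip):
    """True if the address falls inside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unknown_internal_hosts(sessions):
    """Internal addresses seen on the wire that have no inventory record."""
    seen = set()
    for src, dst, *_ in sessions:
        seen.update((src, dst))
    return sorted(ip for ip in seen if is_internal(ip) and ip not in ASSET_INVENTORY)


def enrich_alert(line):
    """Attach inventory context to an IDS alert so the analyst can rank it."""
    f = parse_line(line)
    dst_name, crit = ASSET_INVENTORY.get(f["dst"], ("<unknown>", 0))
    return {
        "ts": f["ts"], "sid": f["sid"], "msg": f["msg"],
        "src": f["src"], "src_in_inventory": f["src"] in ASSET_INVENTORY,
        "dst": f["dst"], "dst_host": dst_name, "dst_criticality": crit,
    }


if __name__ == "__main__":
    sessions = reconstruct_sessions(FIREWALL_LOGS)
    for key, s in sessions.items():
        print(key, s["records"], "records", s["bytes"], "bytes", sorted(s["actions"]))
    print("internal hosts missing from inventory:", unknown_internal_hosts(sessions))
    for alert in map(enrich_alert, IDS_ALERTS):
        print(alert)
```

Run as-is, the script merges the two records of the workstation's HTTPS session into one 10000-byte session, reports 10.0.3.99 as an internal host the CMDB knows nothing about, and tags the IDS alert as landing on db-01 at criticality 5 from a source not in inventory. In a real deployment the inventory lookup would be a CMDB query and the sessions would come from flow or full-packet capture, but the shape of the correlation is the same.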
Honeypots, for example, are not new, but they are becoming increasingly viable components of network security infrastructure. Why? Because they enable the analyst to see who is coming toward them and what their TTPs might be with respect to the propagation of malicious code. Sinkholes are also becoming increasingly viable, though they involve more complexity than traditional honeypots. The point is that without the greater insight that only a better vantage point can provide, one will struggle to apply information security intelligence, achieving mixed results at best while contending with advanced adversaries ready to strike without warning.