
Network of Compromise


IDNeon


I can't go into explicit details, but I would like some feedback on a concept I'm working on as part of the security architecture document I've also created a thread about.

The network of compromise represents all the compromised machines in your network. The idea is that if you wipe one compromised machine, the command and control within this network of compromise can recapture the wiped machine. If the command and control machine is wiped, then any other machine in the network of compromise can be promoted to a command and control device.

Because the network of compromise may consist of different agents and back ends, you may find some compromised machines and wipe them, but leave others that were not known, and those then restore the network of compromise.

The security architecture I'm currently researching to combat this functionality of the network of compromise is subnets and VLANs.

Ideally this prevents any compromised machine from compromising other machines laterally, assuming the network/server core, which must be visible to all machines, has been secured by other means and won't be laterally compromised.

If you can narrow how many machines can be visible laterally, ideally to one machine, then you can wipe all machines that are part of that subnetwork when one of those machines is found to be compromised.

Theoretically this would nuke the entire network of compromise.

Doing this will prevent the network from being able to be restored and would return an APT to having to compromise a machine again through whatever other methods, which are more difficult than relying upon a command and control and other back doors.


There's a question in there somewhere for anyone interested in discussing.

This isn't really a thread about networking.

The question is: based on the assumptions of APT activity within a compromised network, does the remediation logically address the issue, such that the defender can say they have effectively wiped out the network of compromise and an attacker has to essentially start over from scratch?

I think the methodology is on the right track, and I believe that subnetting and disabling certain services, remote features, etc., will box in the attacker so that their lateral movement is hindered significantly.

Also, is "network of compromise" a reasonable and effective way of defining attacker activity such that it can be effectively targeted?

After all, language precedes action, and if the activity is not accurately defined then the action to remediate it will be the wrong action.

Edited by IDNeon

Your defined principles amongst the discoverable make me think of "compromising subnet" or "concurrent-vexworking". All of which need work.

Edited by Spoonish

If you are able to lock the network servers down to a point where you are sure they can't be compromised, why not do the same to the clients? That should probably be easier, as servers generally have to expose more services than clients to do their job.

Segmentation is the base of a lot of hardening guides, is a good idea and is nothing new. I think the concept you are going for is the same as client isolation on a wireless network where devices are not allowed to talk to each other, only the AP and devices on the other side of it.

If you subnet down to small groups or teams then that helps isolate them in the event of a compromise, but as a lot of compromises bounce from workstation to server, and the servers would need to have access to other groups, the network could still be traversed; it would just be harder. More choke points introduce more chance of detection, so that is a positive.

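The "more choke points, more chance of detection" point in the reply above, as an added example (not code from this thread or its posters): a parser for constructed ACL deny/permit records from the router between subnets that reports every endpoint which tried to reach another endpoint subnet, which is exactly the traffic a subnet-only-to-server-core policy says should never exist. It goes slightly beyond the post by also checking, after one subnet has been wiped and re-imaged, whether such attempts still originate outside it. The log format, the subnet plan (10.1.x.0/24 for endpoints, 10.0.0.0/24 for the server core), the hostnames and the addresses are all assumptions made for illustration.

```python
"""Lateral-movement detection from choke-point ACL logs.

Added example, not code from the thread: the record layout, subnet plan and
sample addresses below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed subnet plan (assumption): one /24 per endpoint group, one for servers.
ENDPOINT_SUBNETS = [ipaddress.ip_network("10.1.1.0/24"),
                    ipaddress.ip_network("10.1.2.0/24")]
SERVER_CORE = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample records in the shape of a generic router ACL log.
# Host 10.1.1.23 sweeps the other endpoint subnet on SMB/RDP; 10.1.2.7 only
# talks to the server core (one denied SSH attempt, one permitted Kerberos).
SAMPLE_LOG = """\
2018-01-19T09:12:01Z fw1 ACL-DENY src=10.1.1.23 dst=10.1.2.40 proto=tcp dport=445
2018-01-19T09:12:03Z fw1 ACL-DENY src=10.1.1.23 dst=10.1.2.41 proto=tcp dport=445
2018-01-19T09:12:05Z fw1 ACL-DENY src=10.1.1.23 dst=10.1.2.42 proto=tcp dport=3389
2018-01-19T09:13:10Z fw1 ACL-PERMIT src=10.1.1.23 dst=10.0.0.5 proto=tcp dport=445
2018-01-19T09:14:00Z fw1 ACL-DENY src=10.1.2.7 dst=10.0.0.9 proto=tcp dport=22
2018-01-19T09:15:00Z fw1 ACL-PERMIT src=10.1.2.7 dst=10.0.0.5 proto=tcp dport=88
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACL-\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed record; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["src"] = ipaddress.ip_address(rec["src"])
            rec["dst"] = ipaddress.ip_address(rec["dst"])
            rec["dport"] = int(rec["dport"])
            yield rec


def subnet_of(addr):
    """Return the planned subnet an address belongs to, or None if it is unknown."""
    for net in ENDPOINT_SUBNETS:
        if addr in net:
            return net
    return SERVER_CORE if addr in SERVER_CORE else None


def lateral_attempts(log_text):
    """Map each endpoint source IP to the (dst, dport) pairs it tried to reach in
    a different endpoint subnet. Permits count as well as denies: a permitted
    endpoint-to-endpoint flow means the ACL itself is wrong."""
    hits = defaultdict(set)
    for rec in parse(log_text):
        s, d = subnet_of(rec["src"]), subnet_of(rec["dst"])
        if s in ENDPOINT_SUBNETS and d in ENDPOINT_SUBNETS and s != d:
            hits[str(rec["src"])].add((str(rec["dst"]), rec["dport"]))
    return dict(hits)


def still_active(log_text, wiped_subnet):
    """Sources of endpoint-to-endpoint attempts that lie OUTSIDE a subnet that has
    already been wiped: any hit here means the compromise was wider than the
    wiped scope."""
    net = ipaddress.ip_network(wiped_subnet)
    return {src for src in lateral_attempts(log_text)
            if ipaddress.ip_address(src) not in net}


if __name__ == "__main__":
    for src, targets in lateral_attempts(SAMPLE_LOG).items():
        print(f"{src} attempted lateral movement to {sorted(targets)}")
    print("active outside 10.1.1.0/24 after wipe:", still_active(SAMPLE_LOG, "10.1.1.0/24"))
```

Run against the constructed log, only 10.1.1.23 is flagged (three attempts into 10.1.2.0/24); the denied SSH from 10.1.2.7 is noise because its target is in the server core, which is the traffic the policy expects to see. Swapping in real records only requires adapting `LINE_RE` to the device's actual format.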

On 1/19/2018 at 1:10 AM, digininja said:

If you are able to lock the network servers down to a point where you are sure they can't be compromised, why not do the same to the clients? That should probably be easier, as servers generally have to expose more services than clients to do their job.

Segmentation is the base of a lot of hardening guides, is a good idea and is nothing new. I think the concept you are going for is the same as client isolation on a wireless network where devices are not allowed to talk to each other, only the AP and devices on the other side of it.

If you subnet down to small groups or teams then that helps isolate them in the event of a compromise, but as a lot of compromises bounce from workstation to server, and the servers would need to have access to other groups, the network could still be traversed; it would just be harder. More choke points introduce more chance of detection, so that is a positive.

I want to respond to you more in full but I am headed to a meeting, so in brief first, just so I remember to respond.

The answer to your question lies in the nature of infiltration. 

It is harder to "land" on a server than to land on an endpoint, and it is easier to "lock down" a server or other endpoints from lateral extension.

It is extremely difficult to prevent endpoints from being "landing pads" or points of infiltration due to their use by lay-persons without security focus, and the latitude given them by your own policies which may or may not be enforced by rules or actual technical controls.

Just because a policy exists that users will not use company property for web browsing doesn't mean they won't. And it doesn't mean you've locked down web traffic, which is actually more difficult in practice than in theory, especially with Windows 10 almost mandating the existence of Edge and IE11, and some port 80 and 443 external traffic needing to be allowed for most businesses.


So is your idea the same as wireless client isolation or something different?

And you could argue that locking down a workstation is easier than a server, as a server by definition has to have open services while a workstation can have all listening services disabled. The most common way to do lateral migration is through SMB, which should never be needed on workstations as they don't need to offer network shares. It is very rarely disabled though.


OK, I actually have a moment, so to respond more to the other particulars of the above quote: the AP is a good analog, where the server core should be the channel of communication between endpoints. Endpoints should not be able to communicate laterally outside of their allowed permissions to the server core.

Ideally the subnetting is for internal use to nuke these networks of compromise. 

The general assumption is the controls are effective. Thus you prevent lateral extension into the server core by other means alluded to in the "Security Architecture" thread. 

And you prevent lateral extension to other endpoints by proven subnetting/networking/and System Admin techniques. 

For instance, you can get so granular that each user has an assigned workstation and can only log into that workstation by logon policy (system admin).

Or you can create ACLs that allow traffic between endpoint and server but do not route to other endpoint subnets (network).

Just as examples.

These controls assume effectiveness (can be proven by investigation).

And so you compartmentalize the possible network of compromise so you can "nuke" it and replace the endpoints with clean images, whether through virtualization or through sysprepped images or whatever your means of image deployment.

"Network of compromise" attempts to define what is reasonable to assume, so that your investigation is not the bottleneck to a likely definitive outcome (wiping all compromised machines).

Investigating what is ACTUALLY compromised can be more time consuming, and should be given less criticality by this methodology.

I guess it's a "shoot first, ask questions later" approach where you "nuke" a whole subnet and then check to confirm no more activity can be detected outside it.

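A worked model of the containment described in the original post, of digininja's point above about disabling SMB on workstations, and of the ACL example in the post just above, added here as an example rather than as code from the thread or its posters: a breadth-first reachability search over lateral-movement ports, where the set returned is what the "nuke the subnet" approach would wipe. The server core is treated as reachable but not usable as a pivot, which is the thread's assumption that it has been secured by other means. Hostnames, subnet names, listening ports and ACL rules are all constructed for illustration.

```python
"""Blast-radius model for 'network of compromise' containment.

Added example, not code from the thread: the inventory, subnet names, ACL
rules and open ports below are constructed for illustration.
"""
from collections import deque

# Ports commonly used to move laterally between Windows hosts:
# SMB (445), RDP (3389), WinRM (5985).
LATERAL_PORTS = {445, 3389, 5985}

# Constructed inventory: host -> (subnet, listening TCP ports).
HOSTS = {
    "ws-alice": ("endpoints-a", {445, 3389}),
    "ws-bob":   ("endpoints-a", {445, 3389}),
    "ws-carol": ("endpoints-b", {445}),
    "dc01":     ("server-core", {88, 389, 445}),
    "fs01":     ("server-core", {445}),
}

# The thread assumes the server core is secured by other means: endpoints can
# reach it, but in this model it is never used as a pivot to other endpoints.
SERVER_CORE = frozenset({"dc01", "fs01"})


def flat_policy(src_subnet, dst_subnet, port):
    """Flat network: every subnet may reach every other subnet on any port."""
    return True


def segmented_policy(src_subnet, dst_subnet, port):
    """Router ACL from the post: an endpoint subnet may talk within itself and
    to the server core, never to another endpoint subnet."""
    return src_subnet == dst_subnet or dst_subnet == "server-core"


def harden_endpoints(hosts):
    """Copy of the inventory with every lateral-movement listener (SMB, RDP,
    WinRM) removed from hosts in endpoint subnets; server ports are untouched."""
    return {
        name: (subnet, (ports - LATERAL_PORTS) if subnet != "server-core" else ports)
        for name, (subnet, ports) in hosts.items()
    }


def network_of_compromise(foothold, hosts, policy, protected=SERVER_CORE):
    """Hosts an attacker at `foothold` could fold into the network of compromise:
    BFS over lateral-movement ports that the ACL permits, never pivoting through
    a protected host. Under the thread's methodology this is the set to wipe
    once `foothold` is found compromised."""
    owned = {foothold}
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        src_subnet, _ = hosts[src]
        for dst, (dst_subnet, ports) in hosts.items():
            if dst in owned or dst in protected:
                continue
            if any(p in LATERAL_PORTS and policy(src_subnet, dst_subnet, p)
                   for p in ports):
                owned.add(dst)
                queue.append(dst)
    return owned


if __name__ == "__main__":
    scenarios = [
        ("flat network", HOSTS, flat_policy),
        ("subnet ACLs", HOSTS, segmented_policy),
        ("subnet ACLs + hardened endpoints", harden_endpoints(HOSTS), segmented_policy),
    ]
    for label, hosts, policy in scenarios:
        wipe = sorted(network_of_compromise("ws-alice", hosts, policy))
        print(f"{label}: wipe {wipe}")
```

With a foothold on ws-alice, the flat network puts every workstation in the wipe set; the subnet ACL shrinks it to ws-alice's own subnet (ws-alice and ws-bob); adding the host hardening digininja describes (no SMB or RDP listeners on workstations) shrinks it to the foothold alone, which is the "narrow lateral visibility to one machine" goal from the original post. Note that the ACL alone does nothing about intra-subnet traffic, which is why the model pairs it with host hardening.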

1 minute ago, digininja said:

So is your idea the same as wireless client isolation or something different?

And you could argue that locking down a workstation is easier than a server, as a server by definition has to have open services while a workstation can have all listening services disabled. The most common way to do lateral migration is through SMB, which should never be needed on workstations as they don't need to offer network shares. It is very rarely disabled though.

Disabling what you can for a hardened OS per best practice on endpoints should always be a must. The general assumption is that best-practice technical controls will be applied. This deals more with what the network should look like (while security architecture deals with what the whole IT infrastructure should look like and why).

It is apt to say this would be an analog to wireless client isolation.

But the reason is administrative.

You want to be able to know what the attacker knows as soon as possible.

It is not because such isolation is inherently more secure to exploit. That is not true.

Does that make sense?

Basically, by subdividing endpoints, instituting best practices, and controlling admin credentials to better isolate the server core from things such as pass-the-hash, what you do by implementing this is give yourself better counter-intel, allowing a faster, more definitive response while actual intelligence gathering takes more time.


Just now, digininja said:

Your initial idea was about segmentation; you are now talking about controlling admin creds and monitoring logs. I'm missing the bit that is novel.

That's all in another thread, and this was a spinoff of that, more along the lines of testing the concept of "network of compromise".

The main point here, which I hope hasn't been lost, is that I think it's possible to box an attacker into a smaller and smaller box, which provides you faster counter-intel.

What this thread is not intended to do is explain a sure-fire means of preventing exploits by network segmentation alone.

So this thread starts with some initial assumptions, including that other technical controls will effectively compartmentalize smaller and smaller groups of endpoints and all networked devices into effectively segmented networks.

So when compromise is detected within that network the entire network can be wiped and restored efficiently.

If the idea of using the term "network of compromise" made sense, then I am willing to discuss more about how to effectively box an attacker into those networks, so they are more tightly restricted in lateral movement from where they first infiltrate.

But a conversation of that scale will naturally lead to quite a lot of tangents, because there are a lot of areas that need to be covered to really start to box in a persistent attacker.

As you've noted.


Oh, and the "novel" portion is the terminology. I thought I explained at the beginning of the thread that I was asking about verbiage to explain what is generally discussed in seminars on findings about APTs and their operations.

I tried to illustrate such an instance, where the lecturers about such an APT had described a network of compromise but had failed to give it a name, and had described the futility of wiping the device discovered to be compromised, because the rest of the compromised devices would restore whatever device they wanted to that network of compromise.

The idea then was to box in that network so all suspected compromised devices could be wiped too.

So the novel characteristic is to define this compromised network, and wipe it all based on reasonable assumption rather than actionable intelligence.
