IDNeon Posted January 19, 2018

I can't go into explicit details but would like some feedback on a concept I'm working on as part of the security architecture document I've also created a thread about.

The network of compromise represents all the compromised machines in your network. The idea is that if you wipe one compromised machine, the command and control within this network of compromise can recapture the wiped machine. If the command and control machine is wiped, then any other machine in the network of compromise can be promoted to a command and control device. Because the network of compromise may consist of different agents and back ends, you may find some compromised machines, wipe them, but leave others that were not known, and then restore the network of compromise.

The security architecture I'm currently researching to combat this functionality of the network of compromise is subnets and VLANs, ideally preventing any compromised machine from compromising other machines laterally. This assumes the network/server core, which must be visible to all machines, has been secured by other means and won't be laterally compromised.

If you can narrow how many machines can be visible laterally, ideally to one machine, then you can wipe all machines that are part of that subnetwork when one of those machines is found to be compromised. Theoretically this would nuke the entire network of compromise. Doing this will prevent the network from being able to be restored and would return an APT to having to compromise a machine again through whatever other methods, which are more difficult than relying upon a command and control and other back doors.
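As an added illustration (not code from the post or its author), a small Python model of the argument above: the hosts that could belong to the same network of compromise as a detected machine are the closure over lateral visibility, so that closure is the set to rebuild together. Host names, VLAN labels and the trusted core server are constructed assumptions.

```python
"""Blast-radius model for the segmentation idea discussed above.

Added example, not from the original post. Hosts, VLAN names and the
core server are constructed sample data.
"""
from collections import deque

# Constructed inventory: host -> VLAN it sits in. The core server is
# reachable from every VLAN but is assumed hardened and therefore not
# usable as a pivot, so it never expands the wipe set.
FLAT_NET = {h: "vlan1" for h in ("ws1", "ws2", "ws3", "ws4", "ws5", "ws6")}
SEGMENTED_NET = {"ws1": "vlan10", "ws2": "vlan10",
                 "ws3": "vlan20", "ws4": "vlan20",
                 "ws5": "vlan30", "ws6": "vlan30"}
CORE = "core-srv"


def lateral_neighbors(host, net):
    """Hosts `host` can reach directly: its own VLAN peers plus the core."""
    vlan = net[host]
    peers = {h for h, v in net.items() if v == vlan and h != host}
    peers.add(CORE)
    return peers


def wipe_set(detected, net, trusted=frozenset({CORE})):
    """Every host that may share a network of compromise with `detected`.

    Breadth-first closure over lateral visibility. Trusted hosts (the
    secured core) are visible but excluded, since the post assumes they
    cannot be laterally compromised. Rebuilding this whole set at once
    leaves no surviving member that could re-establish command and control.
    """
    seen = {detected}
    queue = deque([detected])
    while queue:
        cur = queue.popleft()
        for nxt in lateral_neighbors(cur, net):
            if nxt not in seen and nxt not in trusted:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def rebuild_fraction(detected, net):
    """Share of workstations that must be wiped when `detected` is compromised."""
    return len(wipe_set(detected, net)) / len(net)


if __name__ == "__main__":
    print("flat     :", sorted(wipe_set("ws3", FLAT_NET)))       # all six
    print("segmented:", sorted(wipe_set("ws3", SEGMENTED_NET)))  # ws3, ws4
```

The flat network forces a rebuild of every workstation on one detection, while the segmented one confines the rebuild to the affected VLAN.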