It’s always DNS. That’s what the famous internet meme popular among sysadmins says, anyway. It’s funny because, while clearly not every network issue resolves to some funky DNS problem, too many network admins have banged their heads against their keyboards for hours only to find out that the culprit was indeed DNS.
Yes, it might not always be DNS, but when it comes to cyberattacks, it is too often the network.
Example: In the SolarWinds supply chain attack of 2020, malicious software was able to communicate back to the attacker’s servers, unfamiliar domains, and IP addresses without being detected before the damage was done.
In 2022, an attacker was able to steal $235,000 in cryptocurrency by employing a BGP hijack against Celer Bridge. This attack highlighted universal problems that aren’t restricted to cryptocurrencies and should serve as a cautionary tale for any organization that conducts business on the internet.
Here is some data that is scaring the pants off of CIOs right now.
- The average cost of a data breach globally is $4.35 million, or $165/record. In the US, the price of a breach rises 2x to $9.44 million.
- After an initial compromise, it only takes threat actors 84 minutes on average to pivot deeper into your network. Responding faster to an initial penetration is essential to prevent a minor breach from becoming a multi-million liability.
- And yet, it takes 277 days to identify and contain a breach on average. That is almost nine months! The bulk of that time is on the identification side, with the average breach taking 207 days to identify.
Let me be clear. In the face of a sufficiently determined attacker, almost any organization is at risk. However, with the proper framework, many of the network-related exploits that we all read about on Reddit, StackOverflow, or the New York Times can be prevented, or their effects can be significantly reduced.
Network security triad: Prevent, detect, respond
I believe the key to better network security can be summed up with the triad of Prevent, Detect, and Respond.
This triad acknowledges that while an ounce of prevention is worth a pound of cure, sometimes an attack slips through the cracks. In these cases, it is how you respond that separates an average Tuesday from a multi-million dollar headline-making attack.
I sum up the organization network security triad as such:
- Prevent: Reduce the likelihood of a full-blown attack before it happens
- Detect: Mitigate attacks faster when they do occur
- Respond: Drive mitigation efforts and forensics with data, to obtain a deep understanding of what happened so you can prevent future attacks.
Each of these topics is worth an entire article, or even an O’Reilly book, in itself. But to give you an idea of how to use the framework, I’ll give you a few questions to ask your network team to determine your organization’s level of maturity in each area:
- Does our network monitoring include only IP, port, and protocol tracking? Or are we able to enrich these elements with custom data sources?
- Is all network data automatically compared against active threat feeds?
- Do we have a process in place to monitor and enforce network policy?
- How do we tell the difference between “normal” traffic and an anomaly?
- Is our network monitoring toolkit integrated with our SIEM system?
- Is our network monitoring toolkit integrated with our DDoS mitigation provider?
- Is our network monitoring set up to automatically leverage network-based mitigation solutions like RTBH (remotely triggered black hole) or BGP FlowSpec?
- At what granularity does our network forensics operate? How long is network data stored?
- If we find an asset has been compromised, how easy is it for us to visualize the blast radius of the event? Can we easily see every network transaction that asset made over a given period?
There is no single correct answer to any of these questions. However, with answers in hand, you will be able to get a sense of how mature your organization is on its network security journey.
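Several of the questions above (enriching IP/port/protocol records with custom data sources, comparing traffic against a threat feed, and visualizing the blast radius of a compromised asset) come down to the same basic operations over flow records. The following is an added illustration, not code from the original article or from any vendor product: it enriches NetFlow-style records with a hypothetical asset inventory and a constructed threat feed, flags the flows that touch a feed indicator, and lists every peer a given host talked to in a time window. All IP addresses, tags and indicators are constructed sample data.

```python
"""Enrich flow records with asset tags and a threat feed, then compute the
blast radius of a compromised host over a time window (added example)."""
from datetime import datetime, timedelta

# Hypothetical CMDB export: internal IP -> asset tag (constructed data).
ASSET_TAGS = {
    "10.0.1.10": "web-01 (dmz)",
    "10.0.2.20": "db-01 (internal)",
    "10.0.2.21": "db-02 (internal)",
    "10.0.3.5": "jump-01 (admin)",
}

# Constructed threat-feed indicators keyed by IP (not real IoCs).
THREAT_FEED = {
    "203.0.113.77": "command-and-control node (constructed indicator)",
}

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, proto, bytes).
FLOWS = [
    ("2024-01-01T10:00:00", "198.51.100.9", "10.0.1.10", 443, "tcp", 1500),
    ("2024-01-01T10:02:00", "10.0.1.10", "203.0.113.77", 8443, "tcp", 4200),
    ("2024-01-01T10:05:00", "10.0.1.10", "10.0.2.20", 5432, "tcp", 90000),
    ("2024-01-01T10:07:00", "10.0.1.10", "10.0.2.21", 5432, "tcp", 110000),
    ("2024-01-01T10:09:00", "10.0.1.10", "10.0.3.5", 22, "tcp", 3000),
    ("2024-01-01T12:00:00", "10.0.3.5", "10.0.2.20", 5432, "tcp", 500),
]


def enrich(flow):
    """Attach asset tags and any threat-feed match to a raw flow tuple."""
    ts, src, dst, dport, proto, nbytes = flow
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes,
        "src_asset": ASSET_TAGS.get(src, "external/unknown"),
        "dst_asset": ASSET_TAGS.get(dst, "external/unknown"),
        # Either endpoint appearing in the feed marks the flow.
        "threat": THREAT_FEED.get(src) or THREAT_FEED.get(dst),
    }


def threat_hits(flows):
    """Return enriched flows whose source or destination is a feed indicator."""
    return [f for f in (enrich(x) for x in flows) if f["threat"]]


def blast_radius(flows, asset_ip, start_iso, minutes):
    """Every peer the asset exchanged traffic with (either direction)
    during the window [start, start + minutes)."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(minutes=minutes)
    peers = set()
    for f in (enrich(x) for x in flows):
        if not (start <= f["ts"] < end):
            continue
        if f["src"] == asset_ip:
            peers.add(f["dst"])
        elif f["dst"] == asset_ip:
            peers.add(f["src"])
    return sorted(peers)


if __name__ == "__main__":
    for hit in threat_hits(FLOWS):
        print(f"{hit['ts']} {hit['src_asset']} -> {hit['dst']} : {hit['threat']}")
    # Scope the blast radius from the first feed hit over the next hour.
    first = threat_hits(FLOWS)[0]
    for peer in blast_radius(FLOWS, "10.0.1.10", first["ts"].isoformat(), 60):
        print("touched:", peer, ASSET_TAGS.get(peer, "external/unknown"))
```

In practice the feed lookup would be keyed on the indicator types your feed actually carries (domains, ASNs, certificate hashes) and the flows would come from your collector rather than an inline list, but the shape is the same: enrich first, match second, and keep enough retention that the blast-radius query still has data to work with months later.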
This article could easily have been titled “An ounce of prevention is worth a pound of cure.” If the average breach takes nine months to detect and costs nearly $5 million, it is worth asking, “Is my organization doing enough to prevent breaches in the first place?”
While the ultimate solutions can look very different, through the combined efforts of prevention, detection, and response strategies, organizations can not only defend against cyber threats but also build resilience and adaptability into their digital infrastructure. Why? Because it’s always the network.