Using East-West Network Visibility to Detect Threats in Later Stages of MITRE ATT&CK

COMMENTARY

The Cybersecurity and Infrastructure Security Agency (CISA) calls "insufficient internal network monitoring" one of 10 most common network misconfigurations. Indeed, network analysis and visibility (NAV) remains a perennial challenge. As the boundaries around the traditional network disappear and the active threat landscape becomes more complex, enterprises need new methods and solutions to defend their performance, security, and continuity.

That's where the MITRE ATT&CK framework comes in. The adversary tactics and techniques it collects help us understand and combat cyber threats, such as ransomware, as well as advanced persistent threats (APTs) that seek to inflict potentially devastating damage on an enterprise. By looking for known tactics and techniques of known APT groups, cybersecurity teams can thwart threats before they turn into successful attacks.

Once ransomware is detected, it's normally way too late to prevent damage. This underscores the need for complete and continuous monitoring of the network, an understanding of preventative strategies, and uninhibited visibility capabilities to detect anomalies that not only encompass "north-south" traffic between the data center and clients, but "east-west" traffic between servers as well.

Understand the Threat Landscape and Your Network

While complete network visibility is the end goal, that's easier said than done. Organizations require holistic visibility across the service delivery ecosystem. Monitoring network activity for tracking and trending traffic and application utilization is essential. In addition, you must go beyond enterprisewide visibility to implement a broad-based performance and availability strategy that encompasses not only the headquarters, remote offices, and private data centers, but also colocation centers, contact centers, public clouds, and software-as-a-service (SaaS) environments.

In addition, maintaining high-performing digital services across increasingly distributed hybrid cloud environments is crucial for enterprise IT organizations. With a more distributed environment comes new challenges in providing customers and the hybrid workforce with safe, secure access to and availability of business applications and services. In some cases, managing quality performance in the wake of traffic growth across SD-WAN links, crucial Internet circuits, VPN gateways, and hybrid clouds has moved from an operational challenge to a business-critical priority.

For example, many companies today permanently moved thousands of employees to work-from-home and hybrid-cloud environments during and after the pandemic. As companies transitioned to hybrid workforce and zero-trust models, NetOps teams realized that they needed better tools to identify whether SD-WAN bandwidth could adequately handle spikes in remote network traffic related to thousands of remote users. At the same time, SecOps teams needed this same level of visibility to detect threats and confirm their zero-trust network policies were working as designed.

Ultimately, by understanding the threat landscape of the network in this instance, IT management can better understand and identify where "crown jewels," such as key servers, applications, and databases, reside. That way, when threats do occur, anomalous behavior is clearer to NetOps and SecOps teams.

In today's expanded service edge environments, visualizing the remote end user experience in the context of multitier network and vendor environments is essential to quickly isolate problems and provide visibility across all stages of MITRE ATT&CK.

Ensure Network Visibility Is Both Internal and External

IT teams need end-to-end visibility throughout their entire enterprise networks, from SD-WAN and remote offices, to hybrid/multicloud environments, to co-los and data centers. When there is a lack of visibility, SecOps teams do not have adequate insight into all stages of MITRE ATT&CK.

A modern zero-trust environment assumes that the network has already been breached. That is, the initial phases of MITRE ATT&CK — reconnaissance, resource development, and initial access — have already happened. North-south network visibility alone is inadequate to track the internal movement of the attacker, which is now progressing through later MITRE ATT&CK phases of execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and collection.

To catch intrusions at these stages, SecOps teams need east-west traffic visibility. With this level of visibility into server-server communication, SecOps teams can detect anomalous traffic behaviors concerning their crown-jewel servers. In the event of a ransomware attack, many of the MITRE ATT&CK tactics and techniques precede the actual exfiltrating and encrypting of data.

Attacks of this nature underscore the need for complete, continuous monitoring of the network, an understanding of preventative strategies, and uninhibited visibility capabilities in order to detect anomalies that encompass traffic flowing from every direction. By using both internal-facing and external-facing solutions, IT, NetOps, and SecOps teams can implement best-of-both-worlds performance monitoring.

Leveraging data derived from both forms of network packet traffic helps to address hard‑to-isolate issues across hybrid and remote environments. The combination of north-south and east-west network visibility is required for the last phases of MITRE ATT&CK — command and control, exfiltration, and impact.