The Secret to Full Network Visibility

When it comes to finding and responding to threats in your network, visibility is everything.


"Location, Location, Location!"

In the simplest terms, you can’t defend what you can’t see. This is especially true for modern attacks that unfold over time, involve multiple stages, and leverage various technologies as they progress from initial access to impact.

While standard defenses such as endpoint detection and response (EDR), email security gateways (ESG), and next-generation firewalls (NGFW) are necessary components of a successful cybersecurity program, they leave gaps in visibility that can only be filled by monitoring activity at the communication level. This is achieved by placing sensors strategically throughout an organization’s network to capture and record traffic for analysis.

Given the complexity of modern IT infrastructure, sensor placement deserves careful consideration, and it is the subject of this post. For network threat hunting platforms like PacketWatch, there are only three things that need attention when planning your deployment: location, location, location.


Location (#1) – Ingress/Egress Traffic

The first location to look for threats is the edge of your network, where traffic enters (ingress) and exits (egress) your organization. This is the security boundary between the public internet and your private intranet.


Today, most organizations have multiple ingress and egress points, so it is extremely important to map out your entire IT infrastructure during the planning process. This includes both on-premises and cloud resources.


Although these networks may be distributed geographically, they are often interconnected through encrypted communication channels called Virtual Private Networks (VPNs).


Using these same channels, an attacker who gains initial access through one set of ingress/egress points can move laterally to another network and start using a different set of ingress/egress points to perform additional activities (e.g., ingress tool transfer and data exfiltration).


Most attacks are conducted remotely. As such, an attacker must maintain command and control (C2) of compromised assets by communicating over the Internet. Therefore, anywhere workstations, servers, etc. can communicate directly with the public internet needs to be monitored independently with a dedicated sensor.


This is the only way to ensure you’ve got an opportunity to detect and respond at every stage of an attack, regardless of where it originated. It also guarantees that time-sensitive information is available during an investigation where network forensics is necessary to put all the pieces together.


Unfortunately, there are a lot of tactics, techniques, and procedures (TTPs) cyber criminals can use to infiltrate a network and get a foothold within an organization. From exploiting vulnerable Internet-facing services to carrying out sophisticated social engineering campaigns, it is no longer a question of whether an adversary will breach your perimeter or not. It is about the size of the impact when that day comes to pass.


While traditional approaches to network security end at the gateway or endpoint, modern solutions like PacketWatch go deeper by capturing, recording, and analyzing internal communications as well. In doing so, we drive detection to earlier stages of the infection chain, mitigating threats and reducing their impact or avoiding it altogether.


Location (#2) – Intra-VLAN Traffic

Once an attacker has obtained initial access to the network, they will shift their focus to post-exploitation activities.


This includes local system and network discovery, privilege escalation, and lateral movement. All of these occur within the perimeter of a network and typically start in the local subnet where the attacker first establishes a presence. In technical terms, this location is called a virtual local area network (VLAN).


An organization can have dozens of VLANs, each of which may serve specific purposes. Communication between endpoints belonging to the same VLAN is referred to as “intra-VLAN” traffic and is only visible within the layer 2 (access layer) switch positioned between those endpoints.


As a result, sensors must be deployed at these deeper layers of the network hierarchy to ensure early-stage activity can be detected and responded to before the attacker has an opportunity to break out.


Using the compromised endpoint, the attacker will acquire, assess, and exploit additional targets within the local subnet if possible. To acquire targets, several techniques can be used, including generating Address Resolution Protocol (ARP) and/or Internet Control Message Protocol (ICMP) requests.


Without visibility into this traffic, an attacker would be able to operate freely within a single VLAN without the fear of detection. Only when they have exhausted all local targets and/or fail to achieve their mission objective will they begin to expand their search outward to other VLANs.
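The local discovery described above is what an access-layer sensor is positioned to catch: ARP requests are broadcasts that never cross a layer 3 boundary, so a perimeter sensor sees none of them. The following detector is an added example (not PacketWatch code) that flags a host asking for an unusual number of distinct neighbours in a short window; the log format and sample lines are constructed for illustration.

```python
"""Detect ARP-based local-subnet discovery from access-layer ARP logs.

Added example, not PacketWatch code. The log format is constructed:
"<epoch> who-has <target_ip> tell <sender_ip>", one line per ARP request
as a sensor on the access switch would record it.
"""
from collections import defaultdict

# Constructed sample: 10.10.20.57 asks for six neighbours within three
# seconds; the remaining lines are ordinary one-off resolutions.
SAMPLE_ARP_LOG = """\
1700000000 who-has 10.10.20.1 tell 10.10.20.57
1700000000 who-has 10.10.20.2 tell 10.10.20.57
1700000001 who-has 10.10.20.3 tell 10.10.20.57
1700000001 who-has 10.10.20.4 tell 10.10.20.57
1700000002 who-has 10.10.20.5 tell 10.10.20.57
1700000002 who-has 10.10.20.6 tell 10.10.20.57
1700000003 who-has 10.10.20.1 tell 10.10.20.12
1700000040 who-has 10.10.20.57 tell 10.10.20.1
"""


def parse_arp_log(text):
    """Yield (timestamp, sender, target) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "who-has" and parts[3] == "tell":
            yield int(parts[0]), parts[4], parts[2]


def find_arp_sweeps(text, window=10, threshold=5):
    """Return {sender: max_distinct_targets} for every sender that asked for
    at least `threshold` distinct IPs within any `window`-second span."""
    requests = defaultdict(list)  # sender -> [(ts, target), ...]
    for ts, sender, target in parse_arp_log(text):
        requests[sender].append((ts, target))
    sweeps = {}
    for sender, events in requests.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {t for _, t in events[start:end + 1]}
            if len(distinct) >= threshold:
                sweeps[sender] = max(len(distinct), sweeps.get(sender, 0))
    return sweeps
```

Tune `window` and `threshold` to the VLAN's normal chatter; a DHCP server or monitoring host will legitimately resolve many neighbours and belongs on an allow-list.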


When this happens, traffic generated by the compromised endpoint is sent upstream and routed to the intended destination through a layer 3 (core/distribution) switch.


Location (#3) – Inter-VLAN Traffic

Very rarely will an attacker get so lucky and land in a pot of gold upon initial access. Regardless of whether they broke in through the front door or duped some poor victim into downloading and executing malicious code, they will almost certainly have to move between subnets (VLANs) at some point.

As previously discussed, communication between two endpoints on the same subnet is called intra-VLAN traffic, so it only makes sense that communication between two endpoints on different subnets is called inter-VLAN traffic.

Depending on the network design, inter-VLAN traffic could be visible on a router, core switch, or distribution switch. In any case, this is the third and final location that needs to be considered when deploying network threat hunting platforms like PacketWatch.

From this vantage point, you can see all traffic between every endpoint that communicates across VLAN boundaries.
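To make the three locations concrete, the following added example (not PacketWatch code) maps each flow in a constructed VLAN plan to the sensor location that would observe it and counts how many flows a perimeter-only deployment would miss. The VLAN subnets, flows and location labels are all constructed for illustration.

```python
"""Map flows to the sensor location that observes them.

Added example, not PacketWatch code. VLAN plan and flows are constructed;
any endpoint outside the known VLANs is treated as beyond the perimeter.
"""
import ipaddress

# Constructed VLAN plan for a single site.
VLANS = {
    "VLAN10-users":   ipaddress.ip_network("10.10.10.0/24"),
    "VLAN20-servers": ipaddress.ip_network("10.10.20.0/24"),
    "VLAN30-ot":      ipaddress.ip_network("10.10.30.0/24"),
}

INGRESS_EGRESS = "1 ingress/egress (perimeter)"
INTRA_VLAN = "2 intra-VLAN (access-layer switch)"
INTER_VLAN = "3 inter-VLAN (core/distribution switch or router)"


def vlan_of(ip):
    """Return the VLAN name containing ip, or None if it is on no known VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def classify_flow(src, dst):
    """Return which of the three sensor locations sees a src -> dst flow."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        return INGRESS_EGRESS      # crosses the internet boundary
    if src_vlan == dst_vlan:
        return INTRA_VLAN          # stays on one layer 2 access switch
    return INTER_VLAN              # routed at the layer 3 device


def coverage_gap(flows, deployed):
    """Return (unseen, total) for sensors present only at `deployed` locations."""
    unseen = [f for f in flows if classify_flow(*f) not in deployed]
    return len(unseen), len(flows)


# Constructed flows: beacon to the internet, local discovery, two lateral moves.
SAMPLE_FLOWS = [
    ("10.10.10.57", "203.0.113.10"),  # workstation to internet (C2 / exfil)
    ("10.10.10.57", "10.10.10.12"),   # same VLAN: local discovery
    ("10.10.10.57", "10.10.10.13"),
    ("10.10.10.57", "10.10.20.5"),    # lateral movement into the server VLAN
    ("10.10.20.5", "10.10.30.9"),     # server to OT device
]
```

With only the perimeter instrumented, four of the five sample flows go unobserved; adding the access-layer and core positions brings that to zero.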


Conclusion

Regardless of industry, sector, or subsector, all modern networks are constructed in a similar fashion. As a result, deploying network threat hunting platforms like PacketWatch can be a straightforward process.

It begins by identifying how an intruder could enter and exit, the enclaves in which they may operate undetected, and the movements they must make to achieve their objectives.

This also provides significant insight into endpoints within a network that are unable to host traditional endpoint detection tools – things like IoT and OT networks, phones, printers, and other places attackers are known to hide.

With this knowledge, any organization can identify visibility gaps, deploy sensors to the appropriate locations, and begin securing their network from the access layer to the internet.

If you would like to see what we see on a network, request a demonstration of PacketWatch in action.




Brandon Trent has spent his career working for MSPs delivering Information Technology and Cybersecurity solutions to organizations in a wide variety of industries, sectors, and subsectors. Using his knowledge and expertise of networks and systems, he now works as an intrusion detection analyst and network threat hunter at PacketWatch. When he’s not on the front lines, he’s working with the software development team on the next generation of network security solutions.

Todd Welfelt has an Information Technology career spanning more than 25 years. He has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.