How to Respond to a Network Device Security Breach
Network devices provide the transit between your users/customers and the services they require. As a result, these devices are often exposed to your users and customers, and – depending on the placement of those devices within your infrastructure – potentially to anyone on the internet as well. If compromised, such devices will allow a hacker to gain a critical foothold from which to further survey your infrastructure, snoop on data transiting the device, and potentially exfiltrate business data.
For these reasons, it is essential for companies to have a detailed corporate security policy which defines, among many things, an incident response team, and a plan for maintaining network device security for that team to follow. This blog post outlines both proactive and reactive measures that should be included in that plan – the proactive measures will help you monitor for a security breach while the reactive measures should be taken during and after a breach in the unfortunate event one does occur.
Proactive Measures
Hearing from your customers, the media or some other entity outside of your organization – aside from a SOC service provider – is never a good way to discover that you have had a security breach. By executing proactive security measures, you can limit your exposure to potential breaches and position yourself to identify breaches more quickly if and when they do occur. The following are some of the most essential measures a company should take to position itself in a proactive security stance:
Configure Network Device Management Functions
First and foremost, it is essential to ensure that your network devices are configured in a secure manner. As with any topic around security, the conversation around configuring network device management access can be quite extensive, so we encourage you to check out our separate post on that subject – “Five Best Practices for Securing Network Device Management Functions From a Senior Engineer” – for a deeper dive.
Identify Necessary Security Monitoring Products
After you have secured your network device management access, thorough research should be conducted to identify a suite of security monitoring products that can be used to improve your security posture. A comprehensive defense approach should always be considered instead of relying solely on a single security platform. Products to consider for your security suite include next-generation firewalls, intrusion detection/prevention monitoring, malware and virus detection/scanning, and vulnerability scanners.
It is important to ensure that the cost of each security product under consideration is justified by the monetary and business value of the information that might be compromised should that product not be utilized. It does not make sense to spend a significant amount of your IT budget on high-end security products to protect information that would cause low reputational impact and minimal financial loss.
Subscribe to Security Advisory Disclosure Notifications
Another proactive measure involves subscribing to security advisory disclosure notifications. Network equipment manufacturers often send email notifications when new security advisories are identified on their products and also typically provide portals where customers can check for new advisories. Industry-specific security groups and government agencies also provide notification services and portals through which you can learn of notifications.
Implement a Regular OS Patching Policy
Maintaining a regular and frequent OS patching policy is another effective proactive measure that you can take to secure your network devices. Once a security advisory is released to the public, hackers will quickly latch on to newly identified vulnerabilities and begin scanning for equipment that is affected. By having a well-defined patching policy and change management procedure in place, you can narrow the time between when the advisory announcement is made and when your devices are no longer affected.
However, depending on the position of a device within your network, it may be necessary to consider the device compromised following a security advisory for the device regardless of how quickly it was patched. As a result, additional, reactive measures may be necessary to restore the security of that device. Such measures are outlined in the next section of this post.
While all these proactive measures are important, it’s also important to remember that no system is 100% effective in preventing a security breach. This is where reactive measures come in to play: to limit exposure once a compromised system is identified.
Reactive Measures
Once you have been made aware of a potential security breach, you must execute reactive measures in response. At this point, the focus is on identifying the scope of the breach so that you can effectively contain and remediate it.
Identify the Scope of the Breach
Indicators of compromise (IOC) are often released by network equipment vendors as well as vendors of security monitoring products in the form of threat signatures. IOC can include – but are not limited to – the following:
- Specific output and logs to review on the network device
- Reviewing of network behavior that was logged by security monitoring tools
- Other artifacts observed on the network device such as system files having been modified
By reviewing the security advisory to identify products that have the potential to be compromised (e.g., based on version of software, specific configuration elements, etc.) as well as any confirmed IOC, you will have a better understanding of the scope of the breach.
Contain the Breach
Once you understand the scope of a breach, you can take appropriate action to block any further negative impact from that breach by:
- Configuring the affected network device to limit its access within the network
- Updating security policies to eliminate any exposure to other network devices or services, and also to contain the affected network device
- Completely isolating the affected network device if necessary by disabling all connections going to the network device to avoid further damage
Preservation of information is critical for security incident analysis, but certain reactive measures may cause you to lose this information if you have not already saved it. Network vendors often release security incident response guides that outline forensic procedures to follow. It is important to retain the information gathered on a secure system, and also to have the data backed up elsewhere. Analysis of that data should only be performed on copies of copies to avoid information being overwritten or lost.
Remediate the Breach
Finally, once the breach has been contained, decisions can be made on long-term remediation efforts such as:
- Reinstalling the OS on the network device
- Reconfiguring any local credentials, secrets and/or keys as these may no longer be trustworthy
- Further review of the network to identify any areas with weak security (e.g., OS patches that the vendor released post-advisory announcement, further review/restriction on firewall rules, etc.)
This blog post was authored by Brian Yaklin, a senior member of Optanix’s route/switch engineering team. It is part of a series of posts by Optanix engineers focusing on the importance of security in the IT management space.