Detecting Cyber Threats for East/West and North/South Traffic
Every cyber-attack has to start somewhere. In most cases the adversary wants a foothold in the enterprise's legitimate infrastructure, because that is where the sensitive data worth stealing lives, and the two pathways that the foothold and everything after it travel along are North-South traffic (between the organization's network and the outside world) and East-West traffic (between systems inside it). Threats can hide in either: in inbound traffic at the initial access stage, in outbound traffic later on (command-and-control callbacks, exfiltration), and in traffic that never leaves the boundaries of the environment at all.
Hence, it is crucially important to set up a cyber defense strategy that covers every kind of traffic the enterprise deals with. Let's review the most widely used security techniques for both kinds of traffic that have already proven their effectiveness, and what each of them actually catches.
North-South
Traffic that connects the organization's network with outside sources is traditionally viewed as the more dangerous of the two. Attackers have to get in before they can do anything else, so this is where they invest in stealthily bypassing perimeter controls such as firewalls, mail filtering and antivirus. That's why North-South traffic should be thoroughly monitored around the clock, every day.
Another challenge is maintaining visibility of the whole network in near real time. Many businesses run a hybrid infrastructure, a mix of on-premises, cloud and SaaS, each with its own architecture and log formats. Collecting and analyzing that volume of data is usually the job of a SIEM, often combined with NDR for the traffic itself and EDR/XDR for the endpoints, with a SOAR layered on top to automate the response to what they find.
Preventing intrusion through North-South traffic is crucial for the normal operation of the company and for avoiding Initial Access attacks (see the TA0001 tactic in the MITRE ATT&CK framework). Detecting new incoming threats plays a vital role here, and detection content ages quickly. That's why organizations are increasingly adopting a collaborative approach, leveraging MITRE ATT&CK mapping on SOC Prime's Detection as Code platform, which supplies new Sigma-based detections on a continuous basis, written by renowned cybersecurity experts. Additionally, Uncoder.IO, a free translation engine, converts Sigma rules and queries into vendor-specific formats, so the same detection can run on whichever SIEM or EDR the organization uses.
Of course, filtering and segmentation of North-South traffic should also happen at the network boundary itself, with firewalls. They can be hardware appliances, software, or virtual appliances, and in a large infrastructure all of these usually run side by side. Correct configuration matters as much as the product: a firewall with an overly broad allow rule inspects nothing useful. That's why many organizations are moving to software-defined networking (SDN), where firewall policy is defined centrally and applied per workload rather than per cable, and combining it with deep packet inspection so that the ports a policy does allow still get their payload inspected.
East-West
East-West traffic can be even harder to protect than North-South. The problem is that, by default, traffic inside the network is trusted more than inbound and outbound traffic: a perimeter firewall never even sees it, and where a traditional firewall does sit between internal segments it is often configured to pass internal-to-internal packets without inspection. Protecting East-West traffic efficiently is crucial because in most environments it makes up the lion's share of all the traffic an organization generates.
On top of that, the most common attack chains assume that the attacker, once inside, wants to move laterally across the network, quietly maintain persistence and escalate privileges, whether the payload is information-stealing malware or ransomware. One way of doing that is by compromising employees' accounts and acting on their behalf (Valid Accounts, T1078 in MITRE ATT&CK). So, let's suppose an attacker operates from a legitimate account. In this case malicious behavior is much harder to recognize, and as long as it goes unnoticed the network will allow that traffic because, technically, it comes from a trusted source.
Suspicious behavior inside the network can be constrained at the architecture level. Micro-segmentation, for example, lets you define accept/deny rules for each server, virtual machine, network, database or storage system, with everything not explicitly allowed denied by default, so a compromised host can only talk to the handful of peers its role requires. Policy-based automation is also a good idea: the policy follows the workload rather than its address, and applying it can bring application deployment time down to minutes.
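As an added example (not the article's own code, nor any vendor's implementation), here is the evaluation logic behind the policy-based firewalling discussed under North-South and the micro-segmentation just described: a default-deny rule set keyed on workload labels rather than addresses, applied to each flow. The segment ranges, labels, rules and sample flows are constructed assumptions.

```python
"""Default-deny, label-based segmentation policy evaluated per flow.

Added example, not code from the original article or any vendor product.
Segment CIDRs, the rule set and the sample flows are all constructed.
"""
from dataclasses import dataclass
import ipaddress

# RFC 1918 ranges define "inside" for the direction check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed inventory: workload label -> address range (in a real fabric this comes
# from the SDN controller or CMDB, and a label can also be a single host).
SEGMENTS = {
    "web": ipaddress.ip_network("10.1.10.0/24"),
    "app": ipaddress.ip_network("10.1.20.0/24"),
    "db": ipaddress.ip_network("10.1.30.0/24"),
    "workstations": ipaddress.ip_network("10.2.0.0/16"),
}

# Allow rules as (src_label, dst_label, proto, dst_port). Anything not listed,
# including traffic between two hosts in the same segment, is denied.
ALLOW_RULES = [
    ("internet", "web", "tcp", 443),           # published service (north-south inbound)
    ("workstations", "web", "tcp", 443),       # internal users reach the front end
    ("workstations", "internet", "tcp", 443),  # browsing via the egress proxy
    ("web", "app", "tcp", 8080),               # tier-to-tier (east-west)
    ("app", "db", "tcp", 5432),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def direction(flow: Flow) -> str:
    """north-south if exactly one end is inside, east-west if both are."""
    inside = (is_internal(flow.src), is_internal(flow.dst))
    if all(inside):
        return "east-west"
    if any(inside):
        return "north-south"
    return "transit"  # neither end is ours; a fabric should never carry this


def label_for(ip: str) -> str:
    if not is_internal(ip):
        return "internet"
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"  # internal but not inventoried: no rule can match it


def evaluate(flow: Flow):
    """Return (verdict, direction, reason) for one flow."""
    src_label, dst_label = label_for(flow.src), label_for(flow.dst)
    for rule_src, rule_dst, proto, port in ALLOW_RULES:
        if (rule_src, rule_dst, proto, port) == (src_label, dst_label, flow.proto, flow.dst_port):
            return ("allow", direction(flow), f"{src_label}->{dst_label} {proto}/{port}")
    return ("deny", direction(flow),
            f"no rule for {src_label}->{dst_label} {flow.proto}/{flow.dst_port}")


# Constructed flows: the first two are legitimate, the rest are what a
# compromised web server or workstation would try.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.1.10.7", "tcp", 443),   # client hits the site
    Flow("10.1.10.7", "10.1.20.3", "tcp", 8080),    # web tier calls app tier
    Flow("10.1.10.7", "10.1.30.9", "tcp", 5432),    # web tier skips straight to the DB
    Flow("10.1.10.7", "10.1.10.8", "tcp", 445),     # SMB to a neighbour in the same segment
    Flow("10.2.5.44", "10.1.30.9", "tcp", 5432),    # workstation to DB
    Flow("10.1.20.3", "203.0.113.5", "tcp", 443),   # app server calling out (C2-style)
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, dirn, why = evaluate(f)
        print(f"{verdict:5} {dirn:11} {f.src}->{f.dst}:{f.dst_port}  {why}")
```

Run it and the two legitimate flows come back allowed while the other four are denied, including the web server talking SMB to its own neighbour: in a micro-segmented fabric, sharing a subnet does not imply being allowed to talk. The same tuple evaluation is what a hypervisor virtual switch, a host firewall agent or an SDN controller performs on your behalf; the labels are the point, because they stay correct when a workload is redeployed with a new address.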
Intrusion detection and prevention systems (IDS/IPS) are also widely used, together with a SIEM, to monitor internal traffic and support proactive defense through threat hunting (running search queries tuned to specific attack patterns). If automatic remediation is tied to the alerts that the detection logic generates, most suspicious behavior can be blocked and reported without waiting for an analyst. Honeypots add high-fidelity detection, since legitimate users have no reason to touch them, and sandboxing helps with deeper analysis of suspicious files so that the verdict can feed back into prevention in time.
If all of the above is handled right, the one threat that remains hard to control is the insider, or the attacker who looks like one. That's why it pays to apply a zero-trust approach: every request is authenticated and authorized against least-privilege policy regardless of where in the network it originates, and sensitive data is encrypted in transit and at rest, so network position alone grants no access. Along with that, it is necessary to leverage behavior-based detections that focus on suspicious sequences of actions within the network rather than on static attack artifacts supplied by threat intelligence feeds.
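To make the behavior-based approach concrete, here is an added example (not code from the original article or any product) of the kind of threat-hunting logic that catches lateral movement from a legitimate account: rather than looking for a known-bad indicator, it flags any internal host that reaches an unusual number of other internal hosts over admin protocols within a short window, whoever the account is. The flow records, addresses, user names and the jump-host allowlist are constructed assumptions.

```python
"""Behavior-based hunt for lateral-movement fan-out in east-west flow logs.

Added example, not code from the original article or any vendor product.
The log lines, addresses, user names and the jump-host allowlist are all
constructed assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed records: one line per connection, as an NDR or SIEM would store
# them after joining flow data with the authenticated user.
SAMPLE_LOG = """\
ts,user,src,dst,proto,dst_port
2024-05-01T08:00:05,j.doe,10.2.7.21,10.2.7.22,tcp,445
2024-05-01T09:00:12,j.doe,10.2.5.44,10.1.10.7,tcp,443
2024-05-01T09:01:00,svc-ansible,10.2.0.10,10.1.10.7,tcp,22
2024-05-01T09:01:05,svc-ansible,10.2.0.10,10.1.10.8,tcp,22
2024-05-01T09:01:10,svc-ansible,10.2.0.10,10.1.20.3,tcp,22
2024-05-01T09:01:15,svc-ansible,10.2.0.10,10.1.30.9,tcp,22
2024-05-01T09:01:20,svc-ansible,10.2.0.10,10.1.20.4,tcp,22
2024-05-01T09:10:02,j.doe,10.2.7.21,10.2.7.22,tcp,445
2024-05-01T09:10:30,j.doe,10.2.7.21,10.2.7.23,tcp,445
2024-05-01T09:11:01,j.doe,10.2.7.21,10.2.7.24,tcp,445
2024-05-01T09:11:40,j.doe,10.2.7.21,10.1.20.3,tcp,3389
2024-05-01T09:12:15,j.doe,10.2.7.21,10.1.30.9,tcp,445
2024-05-01T09:12:50,j.doe,10.2.7.21,10.1.10.8,tcp,5985
2024-05-01T09:14:00,j.doe,10.2.7.21,203.0.113.5,tcp,443
"""

ADMIN_PORTS = {22, 445, 3389, 5985, 5986}   # SSH, SMB, RDP, WinRM
WINDOW_SECONDS = 300
FANOUT_THRESHOLD = 5
# Assumed baseline: hosts that legitimately touch many machines (configuration
# management, vulnerability scanners). Without it the hunt drowns in expected noise.
KNOWN_ADMIN_SOURCES = {"10.2.0.10"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_log(text: str) -> list:
    """Parse the CSV records and return them ordered by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def hunt_fanout(records, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Alert when one internal source reaches >= threshold distinct internal
    hosts on admin ports inside a sliding window, regardless of the account used."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, user) inside the window
    alerted, alerts = set(), []
    for r in records:
        if r["src"] in KNOWN_ADMIN_SOURCES or r["dst_port"] not in ADMIN_PORTS:
            continue
        if not (is_internal(r["src"]) and is_internal(r["dst"])):
            continue                                   # east-west only
        q = recent[r["src"]]
        q.append((r["ts"], r["dst"], r["user"]))
        while (r["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                                # drop events that aged out
        targets = {dst for (ts, dst, user) in q}
        if len(targets) >= threshold and r["src"] not in alerted:
            alerted.add(r["src"])                      # one alert per source host
            alerts.append({
                "src": r["src"],
                "users": sorted({user for (ts, dst, user) in q}),
                "targets": sorted(targets),
                "first_seen": q[0][0].isoformat(),
                "last_seen": r["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in hunt_fanout(parse_log(SAMPLE_LOG)):
        print(f"[LATERAL MOVEMENT] {a['src']} as {','.join(a['users'])} reached "
              f"{len(a['targets'])} hosts between {a['first_seen']} and {a['last_seen']}: "
              f"{', '.join(a['targets'])}")
```

The compromised workstation is flagged even though every connection used j.doe's valid account, while the configuration-management host with near-identical behavior is not, because it is in the baseline allowlist. Keep that allowlist short and reviewed: those hosts are precisely the ones an attacker wants, so they need their own stricter baseline rather than a blanket exemption. The early-morning SMB connection is ignored because it fell out of the window, which is the difference between "this host talks to file servers" and "this host swept five machines in three minutes". In production the same logic is an aggregation over the SIEM or NDR flow table and is tuned per environment; five distinct targets in five minutes is a starting point, not a universal threshold.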