How to Protect Your Network Perimeter, Both Inside and Out
The concept of ‘defending the perimeter’ has been a cornerstone of security strategies for thousands of years, ever since communities started building walls to protect themselves against external attacks. It’s still a basic principle of network security, but a recent report has highlighted just how frequently attacks are able to get through those perimeter defenses.
Fortinet’s Threat Landscape report looked at some 185 million information security incidents, most of which had been able to bypass perimeter protections such as gateways and anti-virus, to infect networks with malware and other agents. Interestingly – and worryingly – many of these malware variants were older and well-known, yet were still able to breach defenses. This is because botnet activity continues to serve as a common method of malware distribution.
The report found especially high volumes of botnet activity involved in distributing Zeus malware (this accounted for 15% of all observed botnet activity), which has been in use since 2013. There was also intensive botnet involvement in spreading several other malware variants.
Botnet distribution of malware is effective because in many cases, organizations already have bot infections on their networks that they don’t know about. These stealthy agents can lie dormant for weeks or months, and then be activated by the criminals controlling them to quietly exfiltrate data, or download other malware onto the network – a method which bypasses conventional network perimeter defenses.
How, then, can organizations stop existing bot infections from creating tunnels around their defenses that allow new attacks to succeed? The answer is to defend both sides of your network perimeter, scrutinizing and filtering the traffic that is hitting it from the inside, as well as from the outside.
Security from the inside out
We posted recently about how even malware that uses advanced obfuscation and evasion techniques to avoid discovery (so-called zero-day mutations) can still be detected and nullified using IP address filtering techniques. This is because these malware variants often try to communicate out to external servers to download instructions or further payloads. Those external IP addresses are already known to be malicious, and so traffic to and from the servers can be blocked using ThreatARMOR, Ixia’s Threat Intelligence Gateway.
This same approach is also very effective in nullifying the actions of existing bot infections that are trying to communicate out from the network to their external command and control servers in order to conduct malicious activity. When ThreatARMOR sees traffic being sent out to these known-bad IP addresses, the traffic is filtered and blocked automatically at up to 10 GB line speeds, so the bot is cut off from its controller and cannot engage in any further harmful activity. This dramatically reduces organizations’ risk exposure, and stops those bots from being harnessed by criminals to launch malware or DDoS attacks, not just against your own networks, but against other organizations too.
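The two-sided filtering described above, as an added illustration that is not ThreatARMOR’s code: each flow crossing the perimeter is checked against a reputation list in both directions, so an inside host beaconing out to a known-bad address is cut off just like an inbound connection from one. The internal ranges, the sample flows and the blocklist (RFC 5737 documentation addresses, not real indicators) are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed data: the "inside" of the perimeter and a threat-intel blocklist.
# RFC 5737 documentation ranges stand in for known-bad hosts; none are real IoCs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Constructed connection records, as a perimeter device might log them.
SAMPLE_FLOWS = [
    {"src": "10.0.5.23",   "dst": "203.0.113.45",  "dport": 443},   # dormant bot beaconing out
    {"src": "10.0.5.23",   "dst": "192.0.2.10",    "dport": 443},   # ordinary outbound traffic
    {"src": "10.0.7.9",    "dst": "198.51.100.77", "dport": 8080},  # second bot, single-host IoC
    {"src": "203.0.113.9", "dst": "10.0.5.23",     "dport": 22},    # inbound from a known-bad host
    {"src": "192.168.1.4", "dst": "10.0.5.23",     "dport": 445},   # internal only, never hits the perimeter
]


def _in(ip, nets) -> bool:
    """True if the address falls inside any of the given networks."""
    return any(ip in n for n in nets)


def classify_flow(flow: Dict) -> Dict:
    """Apply reputation filtering to one flow from whichever side of the perimeter it comes."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    src_in, dst_in = _in(src, INTERNAL_NETS), _in(dst, INTERNAL_NETS)
    if src_in and dst_in:
        return {**flow, "action": "allow", "reason": "internal traffic, does not cross the perimeter"}
    if src_in and _in(dst, BLOCKLIST):
        return {**flow, "action": "block", "reason": "outbound to known-bad address (possible C2 beacon)"}
    if dst_in and _in(src, BLOCKLIST):
        return {**flow, "action": "block", "reason": "inbound from known-bad address"}
    return {**flow, "action": "allow", "reason": "no reputation match"}


def filter_flows(flows: List[Dict]) -> List[Dict]:
    return [classify_flow(f) for f in flows]


def blocked_internal_hosts(flows: List[Dict]) -> List[str]:
    """Inside hosts that tried to reach a known-bad address: the existing infections to triage."""
    return sorted({r["src"] for r in filter_flows(flows)
                   if r["action"] == "block" and _in(ipaddress.ip_address(r["src"]), INTERNAL_NETS)})


if __name__ == "__main__":
    for r in filter_flows(SAMPLE_FLOWS):
        print(f'{r["action"]:5} {r["src"]:>13} -> {r["dst"]:<14} :{r["dport"]:<5} {r["reason"]}')
```

The outbound blocks are the interesting output: they name inside hosts that already carry a bot, which is where incident response should start.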
Why not find out more about how ThreatARMOR can help to stop malware breaching your network’s perimeter defenses from both sides? Contact us for a demo.