Understanding How Your Networked Enterprise Behaves Under a Cyber Attack
Posted October 22, 2019
What are Cyber Attacks?
A cyber attack is a deliberate attempt, using malicious software, to degrade or disable the target network’s operations or to steal or corrupt sensitive data. No organization is safe from cyber attacks on its infrastructure. Former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.” Many large organizations have recently been the victims of cyber attacks, including large-scale data breaches at Equifax and Target, the NotPetya global ransomware outbreak, the denial of service (DoS) attack against GitHub, and the Crash Override and Triton attacks, which targeted infrastructure in Ukraine and the Middle East. As cyber attacks increase in frequency and sophistication, so does the cost to organizations of dealing with their consequences.
Enterprise networks are increasing in complexity, deploying new and legacy systems and applications and, increasingly, cloud-based solutions. This poses new challenges in ensuring the network’s cybersecurity: simply building a firewall around the on-site network may no longer be enough. To ensure that the network continues to provide services even when under cyber attack, it is critical to understand how it behaves under different types of cyber attacks and to proactively prepare counter-measures.
Understanding Network Behavior Under Cyber Attack
Using live networks to understand how cyber attacks impact the network’s operation is resource-intensive, difficult, and, in many cases, impractical. Network simulation using a network digital twin offers a zero-risk, low-cost alternative for studying network behavior under a comprehensive set of cyber attacks.
To see how network simulation can be used to study network behavior under attack, consider a ransomware attack (such as the recent WannaCry attack on UK’s National Health System) on an enterprise, in which an attacker ‘locks up’ data on the organization’s server and demands money to unlock it. This attack may consist of a series of individual attacks, carried out over a number of days or even weeks, by which the attacker incrementally gains unauthorized control over elements of the victim network. The attacker may gain a toehold in the network by requesting and being granted a guest login account on the system. Using the guest login account, the attacker can probe the network by launching a series of port scan attacks. From the information obtained from these scans, the attacker can make an educated guess about the services that are running on the computers within the network. Many vulnerabilities associated with different services are known and documented, for example, in the National Vulnerability Database. For each identified vulnerability, the database lists the prerequisites for an attack to succeed, the impact of the attack on the confidentiality, integrity, and availability of the victim resources, and the action that is performed if the attack succeeds. Armed with this knowledge and the information obtained from the scans, the attacker can attempt to gain additional account privileges. Once the attacker has the required privileges, they can gain access to the database server and encrypt the data, which then becomes inaccessible to the company.
Cyber attacks on military networks can have even more catastrophic impacts. For example, an attacker may use a jamming attack to downgrade the quality of vital communications, leading to missed communications and/or communication delays, adversely impacting the mission outcome.
Analyzing Cyber Resilience Using Simulation
To assess the resilience of a network against attacks such as the ransomware attack described above, a simulation model can be used that accurately models the network devices (routers, servers, and hosts) and their vulnerabilities, the cyber attacks (port scanning and vulnerability exploitation), and the defense mechanisms (firewalls, AVS, and IDS).
The network simulations can be used to investigate how the network responds to different attacks:
- While a simulation is running, real-time visualization can be used to gain valuable insight into the network dynamics, including how malware spreads within the network. Items that can be visualized include:
  - The hop-by-hop path taken by an attack packet from the attacker to a victim.
  - Key statistics that are updated dynamically, including memory and CPU utilization at devices (both are often affected by cyber attacks).
  - The cyber assurance state of each node in the network, i.e., whether the node has been compromised and the degree to which it is compromised.
- Post-simulation, statistical data collected during the simulation (for example, number of suspicious traffic packets, number of packets blocked at a firewall, number of services compromised, etc.) can be analyzed to help identify potential issues and the effectiveness of counter-measures.
- Effectiveness of mitigation strategies: The models can be used to run multiple what-if scenarios with different network configurations and attack patterns to assess the effectiveness of different counter-measures.
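The following is an added example, not code from the article or from the simulator it describes: a toy network digital twin that runs the scan-then-exploit chain from the ransomware scenario above against two constructed hosts, collects the kind of statistics listed (suspicious packets, packets blocked at a firewall, services compromised, per-node assurance state), and supports a what-if run with and without a firewall rule protecting the server segment. The hosts, services, privilege ladder and NVD-style vulnerability records are all constructed, and the exploit outcome is deterministic for clarity.

```python
"""Toy network digital twin for a scan-then-exploit chain (added example, not the
article's simulator); hosts, services and vulnerability records are constructed."""
from dataclasses import dataclass, field
PRIV = {"guest": 0, "user": 1, "admin": 2}   # privilege ladder used by the model

@dataclass
class Vuln:  # NVD-style record: prerequisite privilege and effect on success
    service: str
    needs: str      # privilege the attacker must already hold
    grants: str     # privilege obtained when the exploit succeeds
@dataclass
class Host:
    name: str
    segment: str    # "client" or "server"
    services: frozenset
    compromised: set = field(default_factory=set)
    def assurance(self):
        """Cyber assurance state: share of services exploited, 0.0 = not compromised."""
        return len(self.compromised) / len(self.services)

def simulate(hosts, catalog, fw_protected=()):
    """Run the chain from a guest account; return stats, final privilege, assurance."""
    stats = {"suspicious_packets": 0, "blocked_at_firewall": 0, "services_compromised": 0}
    priv, reachable = "guest", []
    for h in hosts:  # scan phase: one probe per service port, all of them suspicious
        stats["suspicious_packets"] += len(h.services)
        if h.segment in fw_protected:  # firewall drops guest-VLAN probes into this segment
            stats["blocked_at_firewall"] += len(h.services)
        else:
            reachable.append(h)
    changed = True  # exploit phase, repeated as new privileges unlock new entries
    while changed:
        changed = False
        for h in reachable:
            for v in catalog:
                if (v.service in h.services and v.service not in h.compromised
                        and PRIV[v.needs] <= PRIV[priv]):
                    h.compromised.add(v.service)
                    stats["services_compromised"] += 1
                    priv = max(priv, v.grants, key=PRIV.get)
                    changed = True
    return stats, priv, {h.name: h.assurance() for h in hosts}

CATALOG = [Vuln("smb", "guest", "user"), Vuln("sql", "user", "admin")]  # constructed

def scenario(fw_protected=()):
    """What-if run on a two-host twin: a client workstation and a database server."""
    hosts = [Host("ws-01", "client", frozenset({"smb", "rdp"})),
             Host("db-01", "server", frozenset({"sql"}))]
    return simulate(hosts, CATALOG, fw_protected)
```

Comparing `scenario()` with `scenario(("server",))` shows the same number of suspicious packets in both runs, but the firewall rule leaves the database server uncompromised and stops the privilege chain at the user level.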