Know Your Network, Know Your Adversary

Tips and takeaways from an AFCEA Breakfast with DISA.

ExtraHop was out in force Thursday morning as a sponsor of the AFCEA Washington DC Chapter's Monthly Breakfast Program. This week's panel was comprised of the top leadership from DISA, who discussed some major changes occurring within the IT infrastructure of the agency.

Knowing Our Adversary

This phrase from Alfred Rivera, Director at DISA's Development and Business Center, perfectly crystalized the greatest challenge of any cybersecurity effort. Without knowing precisely what techniques and technologies are in use by our adversaries, how can we defend against them? Without knowing precisely what is occurring on a network in real time, how can we truly know our adversary?

These questions are even more critical today. The majority of enterprise environments are far more dynamic and complex than they used to be. Gone are the days of static datacenters where physical servers were purchased and deployed to provide a new service. Nowadays, services are provided by dynamically provisioned virtual servers and, increasingly, by micro-service container architectures like Docker and Kubernetes which span physical and public/private clouds. It is far easier for adversaries to operate in such architectures, where threat vectors can be implemented on transient entities like a containerized application or virtual servers within distributed architectures that are likely not monitored as closely as they should be.

Traditional monitoring fails in this type of architecture. If a micro-service is instantiated, executes its malicious payload, and vanishes in a few milliseconds, system log monitoring may be of limited value since the malicious containerized application certainly won't be logging anything. If the payload acts in the east-west direction (server to server, without traversing a perimeter), intrusion detection systems are blind to it, since they wont intercept this traffic.

Conversely, a threat actor on a network monitored by ExtraHop has nowhere to hide. From the first packet on the wire, new or existing assets are automatically discovered and tracked, and every network transaction they perform is analyzed down to the protocol level. These transactions are discovered and analyzed both in the north-south (ingress/egress) and server-east-west (server-to-server) directions. Regardless of what type of asset initiates the traffic, physical, virtual, or containerized, they use the network to reach their targets, a network that is being monitored in real time at line speed by ExtraHop.

This strong visibility posture lends itself to numerous specific security use cases, including cyber-hunting and continuous monitoring requirement of the DoD Information Assurance Risk Management Framework (DIARMF), as well as any process that relies upon a zero trust/knowledge model because of ExtraHop's automatic asset/transaction discovery functionality.

Farewell, DECC

Well, not the enterprise data centers themselves, but farewell to the term "DECC", and any inconsistencies between them, according to David Bennett, the Director of the DISA Center for Operations. He outlined a sweeping change in both policies and implementation strategies to reduce and eventually eliminate stovepipe solutions, point tools, and DECC-specific implementations. These will be phased out in favor of a unified and consistent services delivery platform across all of DISA, with a strong emphasis on the elimination of "single-use boxes," according to Bennett.

Additionally, he outlined an FY17 goal to bring 50 DoD components into DISA, including the COCOMs. As new components and applications are migrated into this environment, it will be critical to fully understand each application's architecture, behavior and dependencies. As in the security use cases discussed earlier, ExtraHop's ability to automatically discover all assets and transactions on a network is uniquely suited to this task of application rationalization and dependency mapping, before, during, and after a migration.

Before implementing ExtraHop, our customers could only begin to approach this broad and deep visibility into their environment by relying on multiple tools, each with their own learning curve, deployment overhead, and in some cases, performance impact. Bennett emphasized this precise concern, that the aforementioned negatives of such point-tool sprawl cannot be continued in the "new DISA."

As all organizations grow, they will, just like DISA, face the same challenges of building consistent services delivery architectures, which can be manageably maintained and monitored by a solution that provides broad and deep visibility across all architecture tiers. Consolidation efforts began many years ago, and they show no signs of slowing down.

The ExtraHop team looks forward to sponsoring more AFCEA events, and we hope to see you at one in the near future!

For more information on how ExtraHop supports Federal agencies, click here.

Subscribe to our Newsletter

Get the latest from ExtraHop delivered straight to your inbox.