Mitigation strategies for edge devices

SOCFortress
5 min read · Oct 3, 2024

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

The Australian Signals Directorate (ASD) has observed malicious actors targeting internet-facing ‘edge’ devices that act as security intermediaries between internal networks and the internet.

More information is available in a previous blog entry, Routers and IoT Devices for Botnet Operations.

Edge devices are essentially internet-connected doors into enterprise networks, through which data flows in and out.

Malicious actors employ a range of techniques to gain access through network edge devices. Rapid exploitation of newly disclosed vulnerabilities is now standard tradecraft: both skilled and unskilled malicious actors conduct reconnaissance against internet-accessible networks to identify and exploit vulnerable devices.

Edge device mitigation strategies

The table below summarises recommended mitigation strategies, as published by the ASD:

See also the previous blog entry, Best practices for event logging and threat detection.

We’ll focus on some of the mitigation strategies next.

Vulnerability Management

Organizations are challenged to identify assets across the enterprise and to define processes for:

  • Identifying present vulnerabilities that might compromise those assets.
  • Classifying all detected vulnerabilities according to their severity and impact.
  • Evaluating the likelihood of existing vulnerabilities being exploited by external and/or internal actors.
  • Implementing vulnerability management processes.
  • Integrating vulnerability management in risk assessment.

The EDR solution as deployed by SOCFortress includes a vulnerability detection module that collects each agent's operating system and installed-software inventory and correlates it against the NIST National Vulnerability Database (NVD).

With the Nmap integration described in this brochure, SOCFortress' vulnerability detection coverage is extended to network devices and any other IT assets in the organization where the EDR agent can't be installed.

More details can be found in this previous article.
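
The Nmap side of that coverage produces service and version data per port, which is what the NVD correlation needs for network devices. The following is an added example for this post, not part of the SOCFortress Nmap integration or of the EDR agent: it parses Nmap -sV XML output, flags administrative and cleartext services reachable on the internet-facing side of an edge device, and collects the CPE names Nmap fingerprinted for an NVD lookup. SAMPLE_XML is a constructed stand-in for `nmap -sS -sU -sV -oX -` output (not a real scan); the addresses are from the 203.0.113.0/24 documentation range and the product strings are invented.

```python
"""Flag management services exposed on internet-facing edge devices,
working from Nmap -sV XML output.

Added example for this post: not part of the SOCFortress Nmap integration
or of the EDR agent. SAMPLE_XML is a constructed stand-in for
`nmap -sS -sU -sV -oX -` output (not a real scan); addresses are from the
203.0.113.0/24 documentation range and the product strings are invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Services that have no business being reachable on the WAN side of an edge
# device, and protocols that carry credentials in the clear.
ADMIN_SERVICES = {"ssh", "telnet", "snmp", "ftp", "ms-wbt-server"}
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp"}
WEB_SERVICES = {"http", "https"}

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX - 203.0.113.0/27">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"><cpe>cpe:/a:openbsd:openssh:7.4</cpe></service></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="ExampleFW httpd" tunnel="ssl"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="203.0.113.30" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str
    product: str
    version: str
    cpes: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def audit_nmap_xml(xml_text: str) -> list:
    """Return one Finding per open (or possibly open) port that needs a look."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in ("open", "open|filtered"):
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            name, tunnel = attrs.get("name", ""), attrs.get("tunnel", "")
            f = Finding(addr, int(port.get("portid")), port.get("protocol"), name,
                        attrs.get("product", ""), attrs.get("version", ""),
                        [c.text for c in svc.iter("cpe")] if svc is not None else [])
            if state == "open|filtered":
                f.reasons.append("UDP state unconfirmed (open|filtered): verify with an application-layer probe")
            if name in CLEARTEXT_SERVICES and tunnel != "ssl":
                f.reasons.append("cleartext protocol on an internet-facing interface")
            if name in ADMIN_SERVICES:
                f.reasons.append("administrative service reachable from the internet: restrict to the management network or VPN")
            if name in WEB_SERVICES:
                f.reasons.append("web service on the WAN side: confirm it is the VPN/user portal and not the admin UI")
            if f.reasons:
                findings.append(f)
    return findings


def cpes_for_nvd(findings) -> list:
    """CPE names Nmap could fingerprint, ready for an NVD lookup
    (only versioned CPEs give a meaningful match)."""
    return sorted({c for f in findings for c in f.cpes if c})


if __name__ == "__main__":
    found = audit_nmap_xml(SAMPLE_XML)
    for f in found:
        print(f"{f.host}:{f.port}/{f.proto} {f.service} {f.product} {f.version}".rstrip())
        for r in f.reasons:
            print("   -", r)
    print("CPEs for NVD:", cpes_for_nvd(found))
```

Two details matter in practice: a UDP port reported as `open|filtered` is not confirmed open, so SNMP on the WAN side should be verified with a real probe before it is raised as a finding, and HTTPS on an edge device is often the legitimate VPN portal, so the check there is whether the administrative UI shares that listener.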

Asset Management, Patching and updates

Non-intrusive, automatic SNMP polling of network devices from the client's premises, with centralized collection of network data, IP addressing and endpoint information:

  • Wired and wireless networks.
  • Broad range of network vendors supported.
  • Automatic neighbor discovery using CDP/LLDP.
  • Full network inventory, including hardware modules, locations, device model, OS/firmware, serial number, etc.
  • Full VLAN inventory.
  • Full IP addressing inventory, subnet allocation and IP-MAC associations.
  • Wireless SSIDs and connected endpoints.
  • Full endpoint inventory, including servers, workstations, laptops, IP phones, printers, scanners, IoT, etc.
  • Endpoint connection details by switch port/wireless access point.

Polling should use SNMPv3 with authentication and privacy wherever the devices support it; SNMPv1/v2c community strings travel in the clear.

More details can be found in this previous article.

Event logging and forwarding

SOCFortress has a long list of network vendors and devices that we’ve integrated for log collection and analysis:

When the edge device is a next-generation firewall (NGFW), there are standard capabilities whose logs, events and alerts deserve special attention:

  • Application-level inspection (application awareness):
    - Identifies and controls specific applications or application categories traversing the network.
    - Enforces granular policy based on application-level context.
  • Intrusion prevention:
    - Detects and prevents network-based attacks.
    - Inspects incoming and outgoing traffic for known attack patterns, malware signatures and abnormal behaviour, providing proactive protection against a range of threats.
    - Check the action recorded with each match, not just the match itself: a high-severity signature logged under a monitor or detect-only profile was not blocked.
  • User identification:
    - Associates network traffic with specific user identities.
    - Integrates with authentication systems such as Active Directory or RADIUS.
    - Enforces policies based on user roles or attributes, giving better control and visibility over user activity.
  • Advanced threat detection and prevention mechanisms:
    - Sandboxing, behaviour analysis and machine learning.
    - Help identify and block sophisticated threats such as zero-day exploits, advanced malware and command-and-control communications.
  • SSL/TLS inspection:
    - Inspects encrypted traffic by decrypting and re-encrypting SSL/TLS connections.
    - Analyses the contents of encrypted sessions for potential threats or policy violations.
    - Raises the level of security for encrypted communications, at the cost of requiring the firewall's inspection CA to be trusted by endpoints; certificate-pinned applications and sensitive traffic categories need exclusions.
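
Once those logs reach the SIEM, the value is in rules that read the fields the NGFW populates (IPS action, admin login source, application category, user). The following is an added example for this post and not part of any vendor's product or of the SOCFortress platform: three detections run over constructed firewall log lines. The lines use a generic key=value syslog style whose field names (type, subtype, srcip, attack, app, appcat, user, ui) are illustrative rather than a specific vendor's schema; MGMT_NETS is an assumed management network and every address is from a documentation range.

```python
"""Detection logic over next-generation firewall log lines.

Added example for this post, not part of any vendor's firewall or of the
SOCFortress platform. SAMPLE_LOGS are constructed in a generic key=value
syslog style; field names are illustrative, MGMT_NETS is an assumed
management network, and all addresses are documentation ranges.
"""
import ipaddress
import re

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]          # assumed
BLOCKING_ACTIONS = {"dropped", "blocked", "reset", "deny", "denied"}
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [
    # IPS: high-severity signature seen but only logged (detection-only profile)
    '<189>Oct  3 10:14:02 fw-edge-01 type=utm subtype=ips severity=high srcip=198.51.100.23 '
    'dstip=10.0.0.15 dstport=443 attack="Example.Signature.Name" action=detected',
    # IPS: same signature, blocked -> no alert
    '<189>Oct  3 10:14:05 fw-edge-01 type=utm subtype=ips severity=high srcip=198.51.100.23 '
    'dstip=10.0.0.15 dstport=443 attack="Example.Signature.Name" action=dropped',
    # admin login to the firewall from an internet address
    '<190>Oct  3 10:15:30 fw-edge-01 type=event subtype=system action=login status=success '
    'user="admin" srcip=203.0.113.77 ui=https',
    # admin login from the management network -> no alert
    '<190>Oct  3 10:16:00 fw-edge-01 type=event subtype=system action=login status=success '
    'user="netops" srcip=10.10.0.5 ui=ssh',
    # application control identified an anonymizing proxy and let it through
    '<189>Oct  3 10:17:12 fw-edge-01 type=traffic srcip=10.0.1.42 dstip=198.51.100.200 dstport=443 '
    'app="Tor" appcat="Proxy" user="j.doe" action=accept',
]


def parse_kv(line: str) -> dict:
    """Extract key=value pairs; the syslog header carries no '=' and is skipped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def in_mgmt_net(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def rule_ips_not_blocked(f: dict):
    """IPS matched a high/critical signature but the action was not a block."""
    if (f.get("subtype") == "ips" and f.get("severity") in {"high", "critical"}
            and f.get("action") not in BLOCKING_ACTIONS):
        return (f"IPS signature {f.get('attack')!r} from {f.get('srcip')} to "
                f"{f.get('dstip')}:{f.get('dstport')} had action={f.get('action')}, not blocked")


def rule_admin_login_outside_mgmt(f: dict):
    """Successful administrative login from outside the management network."""
    if (f.get("type") == "event" and f.get("action") == "login"
            and f.get("status") == "success" and not in_mgmt_net(f.get("srcip", ""))):
        return (f"admin login by {f.get('user')!r} via {f.get('ui')} from "
                f"{f.get('srcip')}, outside MGMT_NETS")


def rule_anonymizer_allowed(f: dict):
    """Application control recognised a proxy/anonymizer and allowed it."""
    if f.get("type") == "traffic" and f.get("appcat") == "Proxy" and f.get("action") == "accept":
        return (f"app {f.get('app')!r} allowed for user {f.get('user')!r} "
                f"({f.get('srcip')} -> {f.get('dstip')}:{f.get('dstport')})")


RULES = [rule_ips_not_blocked, rule_admin_login_outside_mgmt, rule_anonymizer_allowed]


def run_rules(lines) -> list:
    """Return (rule name, message) for every line that trips a rule."""
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        for rule in RULES:
            msg = rule(fields)
            if msg:
                alerts.append((rule.__name__, msg))
    return alerts


if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_LOGS):
        print(f"[{name}] {msg}")
```

The second and fourth lines are there to show the negative cases: the same signature with a blocking action and the same login from inside the management network produce no alert, which is what keeps the rules usable at NGFW log volumes.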

Syslog messages should always be encrypted in transit (syslog over TLS, RFC 5425) when the path to the collector crosses public or otherwise untrusted networks. Where a network device does not support TLS as the transport for remote syslog, it should send plaintext syslog only to a local collector on the same trusted segment, which then forwards over TLS, as detailed in the diagram below:

Threat and Anomaly Detection

Security teams generally depend upon four sorts of data sources when trying to detect and respond to suspicious and malicious activity. These include:

  • third party sources such as law enforcement, peers, and commercial or nonprofit threat intelligence organizations.
  • network data.
  • infrastructure and application data, including logs from cloud environments.
  • endpoint data.

Zeek is primarily a platform for collecting and analyzing the second form of data — network data.

When looking at data derived from the network, there are four types of data available to analysts. As defined by the network security monitoring paradigm, these four data types are:

  • full content.
  • transaction data.
  • extracted content.
  • alert data.

Using these data types, one can record traffic, summarize traffic, extract traffic (or perhaps more accurately, extract content in the form of files), and judge traffic, respectively.

More details can be found in this previous article.
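
Zeek's conn.log is the canonical example of transaction data: one summary record per connection rather than the packets themselves. The following is an added example for this post, not Zeek's own code or a SOCFortress component, showing how that data is summarised and then judged: a parser for Zeek's TSV log layout that reads the #fields header, a per-flow rollup, and two detections over it (periodic beacon-like connections and unusually long sessions from internal hosts to the internet). SAMPLE_CONN_LOG is constructed with a reduced set of conn.log fields; because the parser is header-driven, a full conn.log parses the same way. LOCAL_NETS is an assumed internal range and all addresses are documentation ranges.

```python
"""Summarise Zeek conn.log transaction data and judge it: find periodic
(beacon-like) and long-lived connections from internal hosts to the internet.

Added example for this post; not Zeek's own code or a SOCFortress component.
SAMPLE_CONN_LOG is constructed in Zeek's TSV layout with a reduced field set;
LOCAL_NETS is an assumed internal range; addresses are documentation ranges.
"""
import ipaddress
import statistics
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal space

_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
           "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
_ROWS = [
    # six small TLS sessions from one host to one external IP, ~60 s apart
    ["1727950000.000000", "CbEa1", "10.0.0.15", "49210", "198.51.100.200", "443", "tcp", "ssl", "0.21", "120", "340", "SF"],
    ["1727950060.000000", "CbEa2", "10.0.0.15", "49218", "198.51.100.200", "443", "tcp", "ssl", "0.20", "120", "340", "SF"],
    ["1727950121.000000", "CbEa3", "10.0.0.15", "49225", "198.51.100.200", "443", "tcp", "ssl", "0.22", "120", "340", "SF"],
    ["1727950180.000000", "CbEa4", "10.0.0.15", "49231", "198.51.100.200", "443", "tcp", "ssl", "0.21", "120", "340", "SF"],
    ["1727950240.000000", "CbEa5", "10.0.0.15", "49240", "198.51.100.200", "443", "tcp", "ssl", "0.19", "120", "340", "SF"],
    ["1727950300.000000", "CbEa6", "10.0.0.15", "49247", "198.51.100.200", "443", "tcp", "ssl", "0.21", "120", "340", "SF"],
    # an ordinary web session
    ["1727950010.000000", "CxYz7", "10.0.0.22", "51002", "198.51.100.10", "443", "tcp", "ssl", "1.50", "2300", "48000", "SF"],
    # a two-hour SSH session to an external host
    ["1727946000.000000", "ClOn8", "10.0.0.30", "53111", "203.0.113.9", "22", "tcp", "ssh", "7200.50", "400000", "90000", "SF"],
    # internal DNS, with resp_bytes unset ('-')
    ["1727950005.000000", "CdNs9", "10.0.0.15", "40001", "10.0.0.5", "53", "udp", "dns", "0.01", "60", "-", "SF"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
     "#path\tconn", "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(r) for r in _ROWS] + ["#close\t2024-10-03-10-20-00"])


def parse_zeek_tsv(text: str) -> list:
    """Parse a Zeek TSV log into dicts keyed by the #fields header; unset fields become None."""
    sep, unset, fields, records = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, line.split(sep))})
    return records


def is_local(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
    except ValueError:
        return False


def external_flows(records) -> list:
    return [r for r in records if r.get("id.resp_h") and not is_local(r["id.resp_h"])]


def summarize(records) -> dict:
    """Transaction-data rollup per (orig_h, resp_h, resp_p)."""
    agg = defaultdict(lambda: {"count": 0, "orig_bytes": 0, "resp_bytes": 0, "timestamps": []})
    for r in external_flows(records):
        a = agg[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])]
        a["count"] += 1
        a["orig_bytes"] += int(r["orig_bytes"] or 0)
        a["resp_bytes"] += int(r["resp_bytes"] or 0)
        a["timestamps"].append(float(r["ts"]))
    return agg


def detect_beacons(records, min_conns=5, max_cv=0.1) -> list:
    """Flows with many connections whose inter-arrival times are nearly constant
    (coefficient of variation <= max_cv), the shape of C2 check-ins."""
    hits = []
    for (orig, resp, port), a in summarize(records).items():
        if a["count"] < min_conns:
            continue
        ts = sorted(a["timestamps"])
        gaps = [nxt - prev for prev, nxt in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"orig_h": orig, "resp_h": resp, "resp_p": port, "count": a["count"],
                         "interval_s": round(mean, 1), "cv": round(cv, 3),
                         "orig_bytes": a["orig_bytes"]})
    return hits


def long_connections(records, min_seconds=3600) -> list:
    return [r for r in external_flows(records)
            if r.get("duration") and float(r["duration"]) >= min_seconds]


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print("beacons:", detect_beacons(recs))
    print("long:", [(r["id.orig_h"], r["id.resp_h"], r["duration"]) for r in long_connections(recs)])
```

The thresholds (five connections, 10% timing jitter, one hour) are starting points to tune against your own baseline; the point of the rollup is that both judgements are made on summarised transaction data without ever touching full content.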

Hardening

CIS Benchmark categories:

  • Cloud Providers
  • Operating Systems
  • Server Software
  • Mobile Devices
  • Network Devices
  • Desktop Software
  • Multi Function Print Devices
  • DevSecOps Tools

Network devices with existing benchmarks:

  • Check Point Firewall
  • Cisco
  • F5
  • Fortinet
  • Juniper
  • Palo Alto Networks
  • pfSense Firewall
  • Sophos

Some CIS controls related to NextGenFW features:

Some CIS controls related to system settings, user accounts management:
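
Benchmark recommendations of that kind (remote management over SSH only, no plaintext HTTP server, a hashed enable secret, no default or read-write SNMP communities, remote logging, NTP, login throttling) are simple to verify mechanically against a saved running configuration. The following is an added example for this post, not CIS material and not a SOCFortress component: a small auditor for a Cisco IOS-style configuration. The check IDs are labels chosen here rather than CIS section numbers, and SAMPLE_CONFIG is constructed with a deliberately weak posture so that most checks fail.

```python
"""Audit a Cisco IOS-style running configuration against a handful of
hardening checks of the kind the CIS network device benchmarks codify.

Added example for this post; not CIS material, not a SOCFortress component.
Check IDs are labels chosen here, not CIS section numbers. SAMPLE_CONFIG is
constructed, with a deliberately weak posture so that most checks fail.
"""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """version 15.2
service password-encryption
hostname edge-rtr-01
!
enable password 7 0822455D0A16
!
ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community s3cr3t RW
!
logging buffered 64000
!
ntp server 10.10.0.1
!
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
line vty 5 15
 transport input ssh
 exec-timeout 10 0
!
end
"""

SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.I)


@dataclass
class Result:
    check: str
    passed: bool
    requirement: str


def parse_ios(text: str) -> list:
    """Group the config into (top-level line, [indented child lines]) blocks;
    IOS indents sub-mode commands with one space and separates sections with '!'."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks


def vty_not_ssh_only(blocks) -> list:
    """VTY line ranges that allow anything other than 'transport input ssh'."""
    bad = []
    for head, body in blocks:
        if not head.startswith("line vty"):
            continue
        transports = [line.split()[2:] for line in body if line.startswith("transport input")]
        if not transports or any(t != ["ssh"] for t in transports):
            bad.append(head)
    return bad


def weak_snmp_communities(top) -> list:
    """Default community names, or any read-write community."""
    bad = []
    for line in top:
        m = SNMP_RE.match(line)
        if m and (m.group(1).lower() in {"public", "private"} or (m.group(2) or "RO").upper() == "RW"):
            bad.append(line)
    return bad


def audit_ios(text: str) -> list:
    blocks = parse_ios(text)
    top = [head for head, _ in blocks]

    def has(prefix):
        return any(line.startswith(prefix) for line in top)

    bad_vty, bad_snmp = vty_not_ssh_only(blocks), weak_snmp_communities(top)
    return [
        Result("PASSWD-ENC", "service password-encryption" in top,
               "obscure passwords in 'show run' (type 7 is reversible, so this is only a first step)"),
        Result("ENABLE-SECRET", has("enable secret") and not has("enable password"),
               "use a hashed 'enable secret' instead of the reversible 'enable password'"),
        Result("HTTP-SERVER", "ip http server" not in top, "plaintext HTTP management server must be disabled"),
        Result("SSH-V2", "ip ssh version 2" in top, "force SSH protocol version 2"),
        Result("VTY-SSH-ONLY", not bad_vty, "VTY lines must accept SSH only; offending: " + ", ".join(bad_vty)),
        Result("SNMP-COMMUNITY", not bad_snmp, "no default or RW communities; offending: " + "; ".join(bad_snmp)),
        Result("REMOTE-LOGGING", has("logging host") or any(re.match(r"logging \d+\.", line) for line in top),
               "forward syslog to a remote collector"),
        Result("NTP", has("ntp server"), "configure an NTP source so log timestamps can be correlated"),
        Result("LOGIN-BLOCK", has("login block-for"), "throttle repeated failed logins"),
    ]


if __name__ == "__main__":
    for r in audit_ios(SAMPLE_CONFIG):
        print(f"{'PASS' if r.passed else 'FAIL'} {r.check:15} {r.requirement}")
```

Checks like these are deliberately conservative string matches over the saved configuration; they are a fast regression gate for configuration drift on edge devices, not a substitute for the full benchmark's audit procedures.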

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).