In my previous blog I discussed Intent-Based Networking and security and how the adoption of Intent-Based Networking allows users to greatly enhance the security posture of their network. In this blog we dig deeper and see how an Intent-Based Network can help with threat mitigation.
Intent-Based Data Center Automation
Enterprises are implementing Intent-Based Networking to realize efficiency, agility, and significant OpEx savings. The technology has matured and is now widely deployed across various industries as described here. Intent-Based Data Center Automation leverages Intent-Based Networking technology to achieve a new level of data center transformation. I’ll use Intent-Based Data Center Automation to show how Intent-Based Networking can help with threat mitigation.
So, what is an Intent-Based Data Center? Data centers have evolved significantly over the years; the following figure shows the evolution of the data center over the past few decades.
This white paper describes in detail the evolution of the data center and the following figure depicts some of the capabilities required to implement an Intent-Based Data Center.
The functionality outlined in the previous figure needs to be well supported, and allow users a choice of hardware and switch OS, choice of workload (e.g. bare metal, virtual machines, containers and microservices), and choice of cloud (e.g. Microsoft Azure, Amazon AWS, Google GCP, etc.).
Intent-Based Networking Solutions
As I mentioned, Intent-Based Networking solutions are widely deployed in production networks. As these solutions mature, it is important to qualify the maturity and capabilities of an Intent-Based Networking solution. Sasha Ratkovic describes the maturity of various Intent-Based Networking solutions in this excellent blog, and as depicted in the following figure.
In order to leverage Intent-Based Networking for threat mitigation, the solution must be at Level 2 or higher as explained in the Intent-Based Networking taxonomy blog. Real-time change validation is a key capability and a fundamental requirement for an Intent-Based Networking solution to be able to effectively tackle threat mitigation.
Data Center Security
As we see adoption of Intent-Based Networking technologies to help drive efficiency, agility, and OpEx savings, Enterprises, Cloud Service Providers, and telcos should also think about the security posture of their data center and leverage Intent-Based Networking constructs to enhance the security posture of their data center. As the latest trends are discussed this week during the RSA Conference in San Francisco. it will be interesting to see where Intent-based Networking falls into the fold.
Data center security has two major elements:
Perimeter security: Securing North-South traffic, which is typically handled by a next-generation firewall.
Securing East-West traffic (traffic inside the data center, typically server-to-server traffic between tiers, containers, and/or microservices).
There is a lot of innovation in the industry to secure East-West traffic. Application architectures have evolved drastically, shifting most of the traffic in modern data centers to East-West, rather than North-South. In this blog we will explore how Intent-Based Networking can help mitigate the threat to East-West traffic inside the perimeter and complement other solutions to help drive efficiency in security operations for the data center.
Threats to East-West Traffic
In order to secure East-West traffic there are a few key challenges: there is limited visibility as the traffic is typically high speed (40G, 100G or even 400G Ethernet) and it is several orders of magnitude larger in volume than North-South traffic. This is a very conducive environment for an adversary to conduct an attack with minimal risk of detection. Attacks can occur can in a variety of ways. For example let’s look at two typical methods of attack used by adversaries and how an Intent-Based Networking system can help mitigate the impact. We will analyze several real-world examples.
Administrator Credential Compromise
In this mode of attack a network administrator is a victim of a phishing attack, or the adversary is a malicious insider. With this type of compromise the adversary can operate with the privileges of the administrator. In this mode, the attack is from the inside and the perimeter-based security solutions will not be effective as the attack is happening behind the firewall. In this scenario the adversary will typically use lateral movement to find vulnerable spots inside the data center and then figure out how to establish Command and Control (C2) communication to further the attack. In order to mitigate the attack, it is necessary to detect the lateral movement and the C2 communications.
An approach could be to look at various metrics and analyze “behaviors” of various elements in the data center and use that to detect suspicious behaviors and attribute the same to a given threat and mitigate the impact of the threat. This is not straightforward as the the system needs to collect metrics across various nodes and run queries and analytics on collected data and determine patterns (“behaviors”) that are considered normal (good) behavior and then detect suspicious behavior. Note that there is a lot of innovation in this area with concepts like Artificial Intelligence (AI) and Machine Learning (ML) being utilized to detect these behaviors. We will explore how an Intent-Based Networking system can help with detection of suspicious behaviors.
Another typical attack vector is when adversaries exploit system vulnerabilities to gain unauthorized access to the network. We see news about various vulnerabilities discovered and impacting systems, and software vendors working diligently to provide patches and mitigation steps for detected vulnerabilities. We see a huge adoption of open source software, which is excellent as an innovation driver. However, the fact that the source code for open source is available by definition, it makes the software vulnerable to exploits.
A security system has the responsibility to enable users to leverage open source software securely. In these types of attacks the adversary will use a valid authenticated connection allowed by the perimeter firewall as an authenticated user and then leverage a known vulnerability in a given network OS, server OS, or a server’s hosted application and use techniques like privilege escalation to get administrator (or root) level access to systems. Once this happens the attack approach is similar to the credential compromise and mitigation starts with detecting suspicious behavior.
Intent-Based Networking Systems and Threat Mitigation
With Intent-Based Networking, the system is designed to provide the ability to reason about various metrics along with their context (e.g. role of the element, and its relation to other elements in the network) in real time. What I mean by real time is that you do not necessarily need to collect and store all the network state data and correlate it by querying a datastore offline. Intent-Based Networking solutions offer the ability to validate your intent (expected behavior) with network operational state as the system processes the data.
If intent is set up to detect suspicious behavior, the system will provide alerts when a deviation from expected behavior is seen in the network. This is known as continuous real-time validation and is a key differentiator in how Intent-Based Networking systems can greatly optimize how you detect and mitigate threats.
Based on a declarative specification of intent, the system knows what network state needs to be collected and analyzed and it can do this for every iteration of network telemetry. In addition, sophisticated Intent-Based Networking systems can collect interesting data for further analysis and use the concept of data pipelines for more advanced processing like trends, baselines, averages, standard deviations, or even the ability to apply custom functions to relevant and context-enriched data.
Detecting an Attack — a Real World Example
Let’s take the example of an attack called “DNSpionage” where DNS request/response payloads were used by adversaries to exchange infected system and C2 information and further the attack.
To counter this, an enterprise could have had in place a set of data processing pipelines for proactively detecting this type of activity. The proactive monitoring should look for the following:
Monitor the DNS request/response payload sizes and report a deviation in payload sizes.
Detect new behavior in systems related to startup folder changes (or task scheduler or cron job changes) and alert if there is a deviation from normal behavior. A security administrator can program certain known suspicious patterns and trigger these detections.
A security researcher can also program “known” suspicious processes and the system will report any instance of these processes or even process command lines if there are observed and as soon as they are observed.
Note each of the above “behaviors” in isolation could be normal operation, but when they happen in conjunction with each other and are detected on systems related to each other, it could indicate an attack in progress, This is an illustration of how an Intent-Based Networking solution can be used to detect anomalous behavior, alert security operators, and greatly reduce their steps to help detect and catch new and existing variants of known threats or an attack in progress.
Note that this approach can be very effective if the Intent-Based Networking system can detect several such “behaviors” – also known as “indicators of compromise” (IOCs) – in the order of several hundreds thousands (or even millions) in real time. The system should also be flexible enough for security researchers to be able add or update new “behaviors” without major disruption and as a part of normal operation. In traditional systems this would mean collecting logs from various elements and using logic outside the core system to correlate various events by using data analytics on large amounts of data.
Cyber attacks are becoming increasingly sophisticated and use automation and other methods to create variants of previous techniques to generate new day-zero threats. It is a constant battle to negate the threat of cyber attacks. A solid approach is to have security baked into normal network orchestration, automation, and operation; in order to do that one has to start with an Intent Based Networking approach and then leverage the “composition” of an Intent-Based Network to be able to detect anomalous behavior. The figure below shows how an Intent-Based Networking system can effectively leverage network context and help with threat mitigation.
Intent-Based Analytics (part of Intent-Based Data Center Automation) provides a powerful threat detection pipeline to map attack signatures to indicators of compromise. Intent-Based Data Center Automation is then able to do correlation in real-time to determine based on the indicators of compromise present, which attack signature is being used, and where the threats are detected, which can then be used to take action to remediate the threat. All of this is only possible with a true Intent-Based Networking solution.