Last week, we released the Third Edition of the Hacker’s Playbook, and shared insights from more than 3,400 breach methods executed across 11.5 million simulations in real-world deployments. One of the most common security controls deployed within our customers’ environments is of course the next-generation firewall. Despite the fact that it’s a ubiquitous security technology, not everyone is optimizing next-generation firewalls for the best defense.
Here are some typical errors that we’ve found, along with considerations to get more from your next-generation firewalls using breach and attack simulation:
- Next-generation firewalls used as basic port and protocol firewalls: The power of the next-generation firewall lies in its ability to implement rich security policies based on applications and users, instead of ports and protocols.These policies should be easier to define than legacy firewalls. However due to lack of resources or expertise, some organizations implement their firewall policies in stages, starting with basic port and protocol configuration. The challenge is that teams get busy, projects get in the way, and the next-generation firewall policies — true application enablement — never actually get implemented, enabling SafeBreach (and therefore attackers) to bypass these controls.
Suggestion: CISOs can use breach and attack simulation to continuously challenge these firewalls, and ensure that risks from the lack of true next-generation application enablement policies are clearly documented.
- Threat inspection features enabled incorrectly: Next-generation firewalls include the ability to inspect traffic at a very granular level. There are plethora of threat inspection features such as the ability to inspect for threats within application traffic (IPS/IDS), the ability to detonate unknown files in a sandbox (APT sandboxing), and the ability to identify anomalous behavior within application traffic. The challenge is when you’re defining complex policies, how do you ensure they are actually working rather than waiting for an actual breach to be the first indication that something is wrong?
Suggestion: CISOs can use breach and attack simulation to ensure threat inspection policies are actually working against high-profile attacks, and then visualize the impact of attacks via a cyber kill chain view. SafeBreach Labs delivers new breach methods for our Hacker’s Playbook based on our research, as well as requests by customers, to ensure that policy is up-to-date to stop new and emerging attacks.
- Firewall migration challenges: Many security vendors provide auto-migration tools to help new customers migrate from their legacy firewalls to next-generation firewalls. However, occasionally errors may occur during this process, as vendor features and architecture can vary. SafeBreach has discovered breach scenarios due to these policy gaps and errors resulting from assumptions about new next-generation firewall vendor default policies and auto- migration challenges.
Suggestion: Breach and attack simulation enables security teams to challenge and optimize security policies for the best defenses. CISOs can also build the business case to enable additional features when security gaps are discovered via breach and attack simulation.
- Incorrect segmentation policies: In addition to deployment in the perimeter, next-generation firewalls are also deployed to segment internal networks and within the data center. It’s important to continuously validate that segmentation is actually working, as segmentation is a great security best practice to break the kill chain and stop attackers from moving deeper into the network. SafeBreach has discovered internal servers (assumed to be properly segmented) were actually communicating out to command and control servers.
Suggestion: Use breach and attack simulation to automatically and continuously validate segmentation for PCI, GDPR and HIPAA.
- Encryption challenges: When simulating hacker breach methods, one of the most common ways to bypass security controls is via encrypted traffic. Many organizations don’t decrypt encrypted traffic like SSL,TLS, and SSH. This becomes a major blind spot for the organization, and is the very tactic that attackers will take advantage of to hide what they are doing. One key feature of next-generation firewalls is the ability to terminate and inspect encrypted traffic to stop threats (SSL inspection), but unfortunately isn’t utilized as often as it should.
Suggestion: Breach and attack simulation can show where encrypted traffic can be used to bypass security, and tunnel data out to command and control. While employee privacy is important, SSL interception doesn’t have to be an all or nothing proposition. Breach and attack simulation can assist with building the business case for inspection of encrypted traffic using our findings, and identify how policy can both protect against data loss, and respect employee privacy.
For more tips on how to make the most from your next-generation firewalls, download our whitepaper “Getting the Most From Your Next-Generation Firewalls”.