Network edge equipment is physical or virtual equipment including firewalls at the edge, VPN gateways, enterprise edge routers, and Internet boxes. How should you respond if you suspect that this equipment has been compromised, or if the compromise is proven? The response sheets from InterCERT France (FR) summarize the steps involved in assessing and containing the incident.
The incident must first be assessed by answering a number of questions about the incident, its scope, its impact, and its criticality.
Network edge equipment compromise assessment
Prerequisites for assessing the compromise of network edge equipment
Internal and, if necessary, external expertise must be mobilized to assess the security incident. At this stage, the administration and monitoring of the information system, edge equipment, and security equipment must be accessible to those involved in the assessment. They must also be aware of the organization’s business priorities and emergency contacts.
To record the incident’s handling timeline, track the progress of the remediation, and evaluate its effectiveness, the organization must open a logbook including:
- The date and time of the action or event
- The name of the person or department that detected or reported the event
- A detailed description of the action or event, the machines involved
- Actions taken in response to the incident
- Etc.
The logbook must be stored outside the compromised information system, for example on a shared cloud folder, on external media, or even on paper.
Let’s look at the factors to consider when confirming and assessing the compromise of network edge equipment.
Assessing the compromise of network edge equipment
Confirming the compromise of network edge equipment
This step allows you to learn more about the threat and possibly confirm the compromise.
To identify suspicious equipment, you must first explore the logs and information from internal (EDR, SIEM, antivirus, etc.) and external reporting tools.
Has a software vulnerability been reported, and can a link be established with the detected incident? Do the logs show traces of malicious network connections and, if so, over what period? In the event of a confirmed compromise, does the attacker have access to the device’s operating system?
Assess the scope of the network edge device compromise
If the attacker has user access, they can access the device’s features. Do they also have valid authentication secrets to use the equipment’s functions, or access to features that should be protected by authentication?
If the attacker has internal access, the compromise is more serious because they can execute arbitrary code on the device (remote code execution, RCE).
In all cases, it is necessary to determine:
- The attacker’s network access via the compromised equipment (internal LANs, third-party systems, etc.)
- The secrets hosted by the compromised equipment that allow access to the information system, and whether they can be renewed quickly
- Whether the incident is limited to an identifiable part of the information system
- Whether administrative resources have been compromised
- Etc.
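The two steps above (confirming the compromise from the logs, then bounding its scope) are easier to carry out against a concrete log excerpt. The following Python is an added example, not part of the InterCERT France response sheets: it parses constructed log lines from a hypothetical VPN gateway, keeps only events involving a constructed indicator address, computes the period over which the attacker was active, classifies the access as "user" (VPN session) or "internal" (management CLI or shell, in the terminology used above), and lists the internal zones reached through the device. The log format, field names, zone names and addresses are all assumptions to be mapped onto your own equipment's syslog output.

```python
"""Edge-device log triage: confirm the compromise, bound its time window,
classify the attacker's access level and list the internal reach.

Added example, not from the InterCERT France sheets. Log format, indicator
address, zones and event vocabulary are constructed for illustration.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines from a hypothetical VPN gateway "vpn01".
SAMPLE_LOGS = """\
2024-05-02T01:12:40Z vpn01 vpn: user=jdoe src=198.51.100.23 event=login result=ok
2024-05-02T01:13:05Z vpn01 vpn: user=jdoe src=198.51.100.23 event=session dst=10.10.20.15 port=445
2024-05-02T01:20:11Z vpn01 cli: user=admin src=198.51.100.23 event=login result=ok
2024-05-02T01:21:30Z vpn01 cli: user=admin src=198.51.100.23 event=shell cmd="export config"
2024-05-02T02:02:44Z vpn01 vpn: user=asmith src=203.0.113.9 event=login result=ok
2024-05-02T02:05:00Z vpn01 vpn: user=asmith src=203.0.113.9 event=session dst=10.10.30.8 port=443
2024-05-02T03:41:19Z vpn01 vpn: user=jdoe src=198.51.100.23 event=session dst=192.0.2.77 port=22
"""

# Constructed indicator address (the kind of value an external report supplies).
INDICATORS = {"198.51.100.23"}

# Internal zones reachable through the device, as the scope assessment asks.
ZONES = {
    "file-servers": ip_network("10.10.20.0/24"),
    "app-servers": ip_network("10.10.30.0/24"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
           "host": m["host"], "facility": m["facility"]}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    return rec


def triage(log_text, indicators, zones):
    """For each indicator address seen in the logs, return first/last seen,
    the access level ('user' for VPN sessions, 'internal' once the management
    CLI or a shell is used), the accounts used, and the destinations reached."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("src") not in indicators:
            continue
        f = findings.setdefault(rec["src"], {
            "first_seen": rec["ts"], "last_seen": rec["ts"], "access": "user",
            "accounts": set(), "zones": set(), "other_dst": set()})
        f["first_seen"] = min(f["first_seen"], rec["ts"])
        f["last_seen"] = max(f["last_seen"], rec["ts"])
        if "user" in rec:
            f["accounts"].add(rec["user"])
        # A successful management-plane event means the attacker is inside
        # the device itself, not merely using it as a VPN user.
        if rec["facility"] == "cli" and rec.get("result", "ok") == "ok":
            f["access"] = "internal"
        if "dst" in rec:
            dst = ip_address(rec["dst"])
            zone = next((name for name, net in zones.items() if dst in net), None)
            if zone:
                f["zones"].add(zone)
            else:
                f["other_dst"].add(rec["dst"])
    return findings


if __name__ == "__main__":
    for src, f in triage(SAMPLE_LOGS, INDICATORS, ZONES).items():
        print(f"{src}: {f['access']} access, {f['first_seen']} -> {f['last_seen']}, "
              f"accounts={sorted(f['accounts'])}, zones={sorted(f['zones'])}, "
              f"other={sorted(f['other_dst'])}")
```

Run as-is it reports the indicator address with internal access (the CLI login and shell), the accounts `jdoe` and `admin`, the `file-servers` zone, and one destination outside the known zones that the scope assessment should then explain. The time window it prints is the period to feed into the logbook and into the questions on secrets and administrative resources above.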
Assess the impact of compromising network edge equipment
The impact of the incident may affect both the information system and business activities, for example if the attacker can reuse secrets or if business applications are accessible via the compromised equipment. Operation in downgraded mode may then be required.
Assess the urgency of resolving the compromise of network edge equipment
The urgency of resolving the compromise depends on the risk to activities that are vital to the organization and the attacker’s ability to extend their actions to other areas of the information system.
Once the compromise is confirmed and the steps above (assessment of scope and impact) have been completed, containment measures can be taken.
Containing the compromise of network edge equipment
The containment steps will depend on whether or not the equipment can be isolated, whether or not the attacker has user or internal access, whether or not there are vulnerabilities, etc.
Pro tip
Before isolating any equipment, the risks of disrupting the functioning of the information system and the organization must be assessed. For this reason, the assessment stage is crucial.
Possible network actions
Isolate compromised network edge equipment
Isolating equipment suspected of being compromised is the first step in containing the incident: the equipment must be paused if it is a virtual machine, or isolated from other equipment, disconnected, or deactivated if it is a physical machine. Once isolated, the machine can no longer be used by the attacker. Note: if it is a VPN gateway, incident response administrators need to maintain access to the information system.
Filter traffic as much as possible
Traffic can be filtered through the following actions:
- Limiting the exposed surface area (deactivating non-essential exposed services, disconnecting from the Internet the services that do not need to be connected, applying access lists to the services that remain exposed)
- Isolating the vulnerable service
- Filtering outgoing traffic from the equipment (preferably on the devices upstream and downstream of the compromised equipment rather than on the equipment itself, so that the attackers cannot modify the network configuration to grant themselves rights)
Isolate the vulnerable service
The vulnerable service must be disabled to make it inaccessible. Failing that, incoming traffic must at least be filtered.
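The network actions above (restrict the exposed surface, isolate the vulnerable service, filter the equipment's outgoing traffic on neighbouring devices rather than on the compromised device) can be written down as a small, ordered containment policy and checked against sample flows before it is pushed to the upstream and downstream devices. The Python below is an added example, not part of the InterCERT France sheets: the topology (a compromised edge device, an incident-response jump host, a log collector, internal LANs and a VPN client pool) is constructed, the `decide` and `render_nft` helpers are hypothetical, and the nftables rendering assumes a Linux router in front of the device; on other platforms the same policy would be rendered as that platform's ACLs.

```python
"""Containment filter for a compromised edge device, enforced on the
neighbouring devices rather than on the compromised device itself.

Added example, not from the InterCERT France sheets. Addresses, the rule set
and the nftables rendering are constructed for illustration.
"""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network

# Constructed topology.
COMPROMISED = ip_address("10.0.0.1")        # edge device, inside-facing address
IR_JUMP_HOST = ip_address("10.99.0.5")      # incident responders' admin host
LOG_COLLECTOR = ip_address("10.99.0.20")    # syslog collector (TCP/514 here)
INTERNAL_LANS = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]
VPN_POOL = ip_network("10.200.0.0/16")      # addresses handed to VPN clients
MGMT_PORTS = (22, 443)


def rule(desc, verdict, src=None, dst=None, dport=None):
    """One data-driven rule; None means 'any'. First matching rule wins."""
    return {"desc": desc, "verdict": verdict, "src": src, "dst": dst, "dport": dport}


# Ordered containment policy, inserted ahead of the router's normal rule set.
CONTAINMENT = [
    rule("IR jump host may reach the device's management plane", "accept",
         src=IR_JUMP_HOST, dst=COMPROMISED, dport=MGMT_PORTS),
    rule("device may still ship its logs to the collector", "accept",
         src=COMPROMISED, dst=LOG_COLLECTOR, dport=(514,)),
    rule("device itself initiates nothing else into internal LANs", "drop",
         src=COMPROMISED, dst=INTERNAL_LANS),
    rule("sessions terminated on the device reach nothing internal", "drop",
         src=VPN_POOL, dst=INTERNAL_LANS),
    rule("nobody else reaches the device's management plane", "drop",
         dst=COMPROMISED, dport=MGMT_PORTS),
]


def _matches(addr, spec):
    """True if addr is covered by spec (None, an address, a network, or a list)."""
    if spec is None:
        return True
    for s in (spec if isinstance(spec, list) else [spec]):
        if isinstance(s, (IPv4Network, IPv6Network)):
            if addr in s:
                return True
        elif addr == s:
            return True
    return False


def decide(flow, rules=CONTAINMENT):
    """Return (verdict, reason) for a flow dict with src, dst and dport."""
    for r in rules:
        if (_matches(flow["src"], r["src"]) and _matches(flow["dst"], r["dst"])
                and (r["dport"] is None or flow["dport"] in r["dport"])):
            return r["verdict"], r["desc"]
    # Flows unrelated to the compromised device fall through to the normal policy.
    return "accept", "not related to the compromised device"


def _nft_set(spec):
    items = spec if isinstance(spec, list) else [spec]
    return "{ " + ", ".join(str(s) for s in items) + " }"


def render_nft(rules=CONTAINMENT):
    """Render the policy as an nftables forward chain for the upstream router."""
    lines = ["table inet containment {", "  chain forward {",
             "    type filter hook forward priority -10; policy accept;"]
    for r in rules:
        parts = []
        if r["src"] is not None:
            parts.append(f"ip saddr {_nft_set(r['src'])}")
        if r["dst"] is not None:
            parts.append(f"ip daddr {_nft_set(r['dst'])}")
        if r["dport"] is not None:
            parts.append("tcp dport { " + ", ".join(map(str, r["dport"])) + " }")
        lines.append(f"    {' '.join(parts)} counter {r['verdict']} comment \"{r['desc']}\"")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows to review the policy against before deploying it.
SAMPLE_FLOWS = [
    {"src": IR_JUMP_HOST, "dst": COMPROMISED, "dport": 22},
    {"src": ip_address("10.10.5.5"), "dst": COMPROMISED, "dport": 22},
    {"src": COMPROMISED, "dst": LOG_COLLECTOR, "dport": 514},
    {"src": COMPROMISED, "dst": ip_address("10.10.20.15"), "dport": 445},
    {"src": ip_address("10.200.3.4"), "dst": ip_address("10.20.1.1"), "dport": 443},
    {"src": ip_address("10.10.5.5"), "dst": ip_address("10.20.1.1"), "dport": 443},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}: {decide(flow)}")
    print(render_nft())
```

Two design points follow the guidance above: the responders' jump host keeps a path to the device (the VPN-gateway caveat in the isolation step), and the device keeps a path to the log collector so that the evidence it generates is not lost; everything else the device or its VPN sessions initiate towards internal networks is dropped, and `counter` on every rule gives the team a running measure of blocked attempts. Because the rules are data, the same list drives both the flow check and the rendered configuration, which avoids the two drifting apart.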
Possible system actions
Update the equipment and patch the vulnerabilities
If the compromised equipment is vulnerable and a patch from the vendor is available, it must be deployed. Note: this update may disrupt the service, and this impact must be anticipated.
Change compromised secrets
Any secrets used or potentially used by the attacker must be changed. If secrets cannot be changed due to the risk of disrupting the functioning of the information system, they must be closely monitored.
Apply the manufacturer’s mitigation measures
If the manufacturer of the compromised network edge equipment offers mitigation measures, they must be implemented to limit the impact of the vulnerability, while taking into account the potential impact on the functioning of the information system.
Preserve evidence of network edge equipment compromise
To facilitate investigations, system data must be preserved (virtual machine snapshot, export of physical machine configuration and system data, etc.), as well as log evidence generated by the compromised equipment.
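Exported configurations, system data and logs are only useful to investigators if it can later be shown that they have not changed since collection. The Python below is an added example, not part of the InterCERT France sheets: it hashes every artefact in an evidence folder, records who collected it and when, signs off the manifest with its own hash (the value to copy into the logbook), and can later re-verify the folder. The evidence files, device identifier and helper names are constructed for the demonstration.

```python
"""Evidence preservation for a compromised edge device: hash every exported
artefact, record collector and time, and re-verify the set later.

Added example, not from the InterCERT France sheets. The evidence files and
the device identifier below are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, device_id, collector, note=""):
    """Inventory every file under evidence_dir with size and SHA-256."""
    evidence_dir = Path(evidence_dir)
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            items.append({"path": p.relative_to(evidence_dir).as_posix(),
                          "size": p.stat().st_size, "sha256": sha256_file(p)})
    manifest = {"device_id": device_id, "collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "note": note, "items": items}
    # Hash of the manifest itself: the one value to record in the logbook.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(manifest, sort_keys=True).encode()).hexdigest()
    return manifest


def write_manifest(evidence_dir, manifest):
    out = Path(evidence_dir) / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems; an empty list means the evidence still matches."""
    problems = []
    body = dict(manifest)
    expected = body.pop("manifest_sha256", None)
    if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != expected:
        problems.append("manifest itself altered")
    for item in manifest["items"]:
        p = Path(evidence_dir) / item["path"]
        if not p.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"modified: {item['path']}")
    return problems


def demo():
    """Constructed evidence set: a config export and a log excerpt, then a tamper check."""
    d = tempfile.mkdtemp(prefix="edge-evidence-")
    Path(d, "running-config.txt").write_text("hostname vpn01\n! constructed config export\n")
    Path(d, "logs").mkdir()
    Path(d, "logs", "auth.log").write_text(
        "2024-05-02T01:20:11Z vpn01 cli: user=admin event=login result=ok\n")
    manifest = build_manifest(d, device_id="vpn01 (constructed)", collector="IR team")
    write_manifest(d, manifest)
    problems_before = verify_manifest(d, manifest)
    # Simulate an artefact being changed after collection.
    Path(d, "logs", "auth.log").write_text("")
    problems_after = verify_manifest(d, manifest)
    return manifest, problems_before, problems_after


if __name__ == "__main__":
    manifest, before, after = demo()
    print("manifest sha256:", manifest["manifest_sha256"])
    print("verification at collection:", before or "ok")
    print("verification after tampering:", after)
```

Keep the manifest (or at least its hash) with the logbook, outside the compromised information system, and keep the evidence folder on write-once or access-controlled media; a virtual machine snapshot can be added to the folder and hashed in the same way.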
Once containment has been achieved, the teams in charge of handling the incident can focus on monitoring new attempts by the attacker, and on forensic investigations.
A compromise of a network edge system can have consequences that require actions beyond the IT perimeter — including external communication with partners or even the general public, filing a complaint, reporting to the relevant authorities, and so on.