Cybercriminals rolled into 2021 with a bang and managed to achieve both record-breaking ransom demands and the shutdown of a major part of the fuel infrastructure in the eastern United States. Fresh off of the disclosure of the Log4j vulnerability, they're showing no signs of backing off in 2022.
If the urgency to quell the rise of advanced threats hasn't been enough to motivate public and private organizations to modernize their defenses, Executive Order 14028 and OMB M-21-31 have put federal agencies in the midst of a massive transformation—both culturally and technologically—to meet freshly mandated data retention and reporting requirements. Executive Order 14028 served as the initial call for modernization, but M-21-31 provided the framework for reaching modern cybersecurity benchmarks through visibility and data sharing, which is a vital component to keeping up with new attack vectors, vulnerabilities, and attacker tactics.
Five months after the release of M-21-31, every federal agency in the United States is now working toward meeting basic logging and data retention requirements which will set the baseline for further benchmarks. Visibility and data retention has been central in an effort to gain more insight into how threats are targeting federal agencies, but as agencies look for ways to modernize, the wide array of security tools and the data sources they pull from can make the benchmark for visibility a little murky.
With a renewed focus on visibility, let's first define the sources of visibility for modern cybersecurity operations which, for the purposes of threat detection, investigation, and response, largely relies on three data sources: machine data, agents, and wire data. When most people hear the word log, they typically are referring to machine data, such as event logs and SNMP traps, and data from agents such as endpoint detection and response (EDR) or application performance monitoring. Both data types should form the foundation of any modern cybersecurity operation, but they also come with blind spots and pitfalls. Misconfigurations and attacker tampering limit the amount and scope of data that can be retained, reducing the actual visibility they can effectively offer.
Wire data—aka real-time network data down to the packet level—adds a layer of network visibility that fills in blind spots left by machine data and agents. Wire data from an agentless, out-of-band network detection and response (NDR) solution has the ability to give security teams a third-party, unbiased assessment of exactly what is happening on a network, without risking misconfigurations or tampering, making it an essential part of comprehensive visibility.
There is no single tool or single data source that can offer the level of visibility needed to effectively take on today's threats. Unfortunately, many organizations lack an effective means of gathering wire data or are left in the dark by encrypted protocols that limit their ability to detect attacks in pursuit.
How Wire Data Supports Compliance
As of now, all federal agencies should be working toward meeting the requirements of EL1 outlined in M-21-31. To lay the proper foundation for the first and subsequent maturity models, you should first understand and map your network. Taking this step sets the stage for effective data retention policies in the future and can help you use other data sources more effectively.
To effectively meet the first maturity model, agencies should first take inventory of what they actually have on their network. ExtraHop Reveal(x) is an NDR solution that eliminates the guesswork by automatically discovering and classifying all connected devices, and feeds data from the various devices and protocols into one centralized interface, with the capability to drill down to and store transaction-level details.
Encrypted Traffic Visibility
While wire data from an NDR solution can help bridge visibility gaps, the truth is that more network traffic than ever is encrypted, leaving attackers with more places to hide, and defenders in the dark. M-21-31 will eventually require visibility into encrypted network traffic to help defend against attacks that hide in encrypted protocols.
While network data is central to the function of an NDR solution, the increase of encrypted traffic—and the attackers who use it to their advantage—decreases the detection capabilities of NDR solutions that rely solely on encrypted traffic analysis (ETA) vs. secure, out-of-band decryption. The prevalence of attackers hiding in the network's dark spots has become more evident in more recent exploits like PrintNightmare and Log4Shell. These attacks can both compromise and fully exploit your enterprise completely within the confines of 100% encrypted communications. NDR with secure decryption, by contrast, can detect specific actions associated with these attack vectors, leaving defenders better able to stop attacks in progress.
ExtraHop Reveal(x) for M-21-31 Compliance
With an understanding of how wire data supports compliance, let's take a look at how ExtraHop Reveal(x) NDR collects and retains the necessary data for each of the event logging tier (EL) benchmarks.
First and foremost, agencies must capture the logging categories defined as Criticality Level 0 (notated in Appendix C of M-21-31). This may be a tall order for those enterprises that capture little-to-no logging currently. A properly deployed Reveal(x) sensor can easily capture the majority of these required data formats in short order, including but not limited to:
DHCP Lease Information
Load Balancer URLs
Proxy Servers and Content Filter URLs
Authorization Access and Accounting (AAA)
Network Flow Logs
SMB and NFS File Access Records
EL1 placed special emphasis on "passive DNS" data collection, which effectively screams wire data. For well over a decade now, ExtraHop customers have gotten enormous benefit through our real-time DNS analytics. EL1 also lays out the groundwork for access requirements to this captured data, such that lawful 3rd parties (e.g. CISA, FBI, etc.) can access the data on demand. Finally, there are requirements in EL1 that ultimately point agencies down the path of a modern SOC architecture, utilizing advanced behavioral analytics and security orchestration (SOAR) technologies—but more on that later.
While EL1 sets a standard for the most critical data sources and assets, EL2 starts setting higher standards to match the tactics used by today's advanced threats, including the inspection of encrypted data which is of increasing importance for detecting attacks that hide in trusted encrypted protocols.
There has been no better example of this activity than the recent Log4j vulnerability. Upon disclosure, attackers immediately went to work by hiding malicious JNDI requests in encrypted protocols, obscuring their activities from detection.
By securely decrypting traffic for inspection, Reveal(x) can detect the origin of malicious activity, the devices affected, and how each device responded, giving defenders a clear picture of how attacks originate and are executed on a network.
Additionally, you'll see a specific requirement for 72 hours worth of full packet capture (PCAP) storage, although many standards and thought leaders push for longer retention. It's best that agencies seek out solutions that easily scale retention periods as needed (ExtraHop is one of few vendors that offer a bring-your-own-storage option here).
Last but not least, when selecting an NDR solution, make sure you go with one that does proper indexing of packets. This allows incident responders to quickly search for and access PCAPs as needed (you can easily get a feel for this in the Live ExtraHop Demo).
Although the EL3 (Advanced) rating is not required until August of 2023, organizations should certainly begin the planning process now (this is even called out in the earlier phases). For organizations looking ahead to future maturity levels, by using network data from an NDR solution such as Reveal(x) to meet EL1 and EL2 requirements, security operations teams will be well on their way to achieving EL3 requirements which take agencies into a much more modern approach towards both detecting and responding to advanced threats.
Specifically, the requirements call out User Behavior Monitoring, as well as the ability to detect attack techniques such as compromised credentials, privilege escalation, and lateral movement. In other words, we are talking about detection and response in network detection and response.
ExtraHop Reveal(x) utilizes both signature-based detection mechanisms (i.e. next-generation intrusion detection systems) as well as behavioral and machine learning techniques to spot signs of compromise from credential theft and other attacks that bypass perimeter defenses.
ExtraHop's Threat Research team continuously refines our detection/ML models using industry standards like MITRE ATT&CK, OWASP, etc., so that even the most advanced attackers and nation-states are stopped dead in their tracks. And integration with leading security orchestration (i.e. SOAR) platforms mean that remediation can be achieved instantaneously.
Achieving Visibility with Complementary Data Sources
While contextual network data from an NDR solution such as Reveal(x) will undoubtedly make M-21-31 compliance at every maturity level easier on security teams, every benchmark will require a robust security ecosystem, where each data source fills in gaps and supports the others. Because of this, any new security solution should be evaluated both by its own capabilities, and how it integrates with other necessary toolsets.
Machine data sources such as SIEM, SOAR, and agents such as EDR have drawbacks and blind spots, but they are also critical for meeting new visibility and data retention requirements. As today's attackers have become skilled at disabling and evading core security tools, NDR is necessary to fill in gaps with wire data as a source of unevadable truth.
By adding and integrating features such as network mapping and discovery, packet-level data retention, and machine learning-based detections to existing toolsets, federal agencies can gain the visibility needed to keep ahead of today's threats.
To get an in-depth look at how Reveal(x) supports M-21-31 compliance, complete with product demos, view this recent webinar, Modern Security Approaches to Achieving Your Government Logging Mandate.