Network Security: Complete Guide to Threats and How to Defend Your Network

Network Security vs. Cyber Security

Cybersecurity is the practice of defending computer systems and data from unauthorized access and damage. Cybersecurity processes and tools protect an organization from a variety of threats including automated attacks, targeted attacks by external attackers, and insider threats.

Network security is a subset of cybersecurity which focuses on protecting corporate networks. Network security includes processes and technologies that can monitor network traffic, identify threats, and take action to mitigate them. Common threats include malware, zero-day attacks, denial of service (DoS), advanced persistent threats (APT), and security misconfigurations.

Network Security Threats and Attacks

Malware

Malicious software (malware) is designed to perform a specific malicious function. Cybercriminals use malware to steal sensitive information, block access to files, make a system inoperable, and generally disrupt operations.

Each type of malware works differently. For example, ransomware encrypts files and displays a ransom note demanding payment in exchange for a decryption key. Trojans deploy malware by impersonating legitimate software and spyware covertly gathers information about a target.

Learn more in our detailed guide to malware detection.

Phishing

A phishing attack tricks its targets by impersonating a reputable entity or real person. Cybercriminals typically send out emails containing malicious attachments or links. Users clicking on these links download malware that performs various malicious activities. For example, some malware can extract account information or login credentials.

Phishing attacks can also attempt to trick users into inputting their sensitive information into a legitimate-looking form. This attack is not restricted to emails and may also be deployed via SMS or phone calls.

DDoS Attacks

A Distributed Denial of Service (DDoS) attack employs several compromised computer systems to attack a specific target. The goal is to cause a denial of service that drops network resources like servers or websites.

A DDoS involves flooding a target system with numerous connection requests, malformed packets, or incoming messages to force it to slow down or crash until it shuts down and denies service to legitimate systems or users.

Advanced Persistent Threats (APTs)

An APT is a targeted cyberattack orchestrated over a long time. It involves gaining covert access to a specific network maintaining access for as long as needed to achieve the attack’s objective.

Cybercriminals use many resources to carry out APT attacks, which is why they usually choose high-value targets, such as large corporations or nation-states. The typical objective of an APT attack is stealing sensitive information.

A common tactic of APTs is to penetrate the network and gradually attempt privilege escalation and lateral movement to expand their reach. This way, an APT can initially compromise a poorly defended resource such as an employee workstation, and gain control over sensitive systems and data.

Learn more in our detailed guide to Advanced Persistent Threat (APT) attacks.

Drive-By Downloads

A drive-by download is the unintentional download of malicious code. It does not involve clicking on anything, opening malicious files, or pressing download. This attack infects a computer or mobile device without any action performed by the user.

A drive-by download attack exploits security flaws in operating systems, web browsers, or applications. These vulnerabilities typically occur due to a lack of updates or unsuccessful updates.

DNS Attacks

A DNS attack involves exploiting vulnerabilities in the domain name system (DNS). There are numerous types of DNS attacks that exploit the communication between client and server. For example, cybercriminals can log in to the website of a DNS provider using stolen credentials and redirect DNS records elsewhere.

Network Security Model and Architecture

A network security architecture should address various areas, including physical security, authentication, access controls, and accountability. All security measures must work together to prevent unauthorized users from entering the network and exposing, modifying, or damaging its contents.

Network security relies on six main functions:

Security Policies

Establishing and enforcing a security policy lets organizations identify malicious behavior and manage security risks. Technological requirements and threats should inform the security policy. Effective policy enforcement requires clear policy provisions and the ability to detect policy violations. Any behavior that doesn’t conform to the policy triggers an alert, and the security team may respond.

Visibility

Securing a network requires strong visibility across all users, assets, and communications. It is a best practice to embed monitoring and analytics tools into the network architecture to provide visibility into the following elements:

• Logs – track user behavior and establish accountability. Suspicious behavior is more easily identifiable via logging details.
• Network traffic – monitor unidirectional traffic streams like source and destination ports, protocols, and IP addresses.
• DNS – monitor repetitive DNS queries to identify anomalous DNS activity indicating DDoS.

Context

Adding context to security events helps provide actionable insights to inform response decisions. Contextualizing events depends on established knowledge of the network. For example, if systems that do not usually communicate with each other suddenly start to, or if several systems try to communicate simultaneously, it may indicate botnet traffic or a malware attack. Context relies on visibility and analysis.

Network Segmentation

Segmenting a network helps mitigate the impact of a breach in one part of the network, restricting its access to the rest of the network. Traditional segmentation approaches use a combination of firewalls, Virtual Local Area Networks (VLANs), and Access Control Lists (ACLs). These techniques help contain attacks and reduce damage, but implementing them can be complex and expensive.

Trust Model

It is important to determine an entity’s level of trust when granting access permissions. Various mechanisms can verify the identity of the user or entity requesting permission. There are two main ways to establish trust for network security:

• Direct trust – establishes secure communication between two trusted entities, with one entity performing the authentications for the other. The Certificate Authority handles all validations without delegation. This approach is more secure but also requires more effort.
• Third-party trust – uses the common relationship of two entities with a third party that vouches for them. For example, a bank can serve as a third party vouching for the trustworthiness of a customer or service provider.

Large corporate networks have many users who might not know each other personally. Organizations can use public-key cryptography to establish trust with multiple users – the organization serves as the trust guarantor.

Multi-factor authentication (MFA) tools require users to prove their identity using at least two types of proofs (i.e., a password and a token or OTP). IP addresses and digital certificates also help establish trust.

Network Resilience

Resilience is essential for withstanding successful attacks – it is not enough to rely on preventive methods to secure the network. Proactively building resilience requires a network architecture that can anticipate a breach. Organizations make their networks resilient by deploying two high-availability devices protected by firewalls. If one device fails, the second can take over.

Another way to achieve resilience is to design a network infrastructure that withstands DDoS attacks, for example, increasing the server’s bandwidth. The larger bandwidth can buy time for the security team to mitigate the risks and counter the attack.

11 Network Security Technologies

The following technologies are commonly used to secure enterprise networks.

1. Network Firewall

Network firewalls were introduced over two decades ago and have become a central part of network security. Firewalls regulate traffic, preventing access to network servers from outside sources unless they are explicitly allowed. They perform packet inspection and filtering, checking the source and destination of every data packet and allowing or rejecting it according to predetermined rules.

2. Next-generation Firewall (NGFW)

A next-generation firewall (NGFW) builds on first-generation firewalls, providing deep packet inspection (DPI) capability that can allow it to enforce security policies at application, port, and protocol levels, not just at the IP level. NGFWs are application aware, meaning they can detect and block malicious applications in the network. They can also inspect encrypted communication over SSL and SSH

In addition, many NGFW solutions provide additional capabilities such as web content filtering, network address translation (NAT), virtual private networks (VPNs) and malware detection.

3. Firewall as a Service (FWaaS)

FWaaS vendors provide cloud-based network traffic inspection capabilities that enable organizations to augment or decommission on-premises network firewall appliances. It helps reduce the management burden on in-house security staff.

FWaaS vendors provide advanced network security features like next-generation firewall (NGFW) technology, intrusion prevention and detection, URL filtering, application-aware security policy enforcement, advanced malware prevention, and threat intelligence.

4. Intrusion Prevention System (IPS)

IPS is a network security solution that can be deployed either as a hardware device or a software program. It monitors the network for malicious activity and can immediately block and report malicious traffic. Because it is deployed inline, it must be powerful enough to scan network traffic without affecting performance. IPS is a component of many modern security solutions, including NGFW and unified threat management (UTM).

5. Network Access Control (NAC)

NAC is used to manage connections to a network by employees, customers, third parties, and guests, whether locally at the organization’s offices or remotely. NAC solutions can restrict access, operating according to policies that determine which users and devices have permissions to which resources on the corporate network.

NAC works by intercepting connection requests, then authenticating them against an identity and access management (IAM) system. Once a user is authenticated by IAM, the NAC system uses its policies to accept or deny the specific connection request. NAC can enable closer control over devices, resources, and roles, and establish location-based connection criteria. It can also help organizations enforce patch management and put in place controls required by specific compliance standards.

6. Network Security Policy Management (NSPM)

NSPM uses analytics and manual auditing to optimize network security rules and change management workflow according to real-life conditions. It tests rules, verifies compliance, and visualizes traffic behavior. NSPM solutions typically provide a visual map that shows devices and firewall rules in the network, helping administrators understand network paths and whether the restrictions applied are appropriate.

7. Zero Trust Architecture

ZTA is a network security approach that assumes the network consists of too many entry points to allow complete protection and may already contain hostile threats. Instead, effective security architecture needs to protect its assets rather than block external threats.

ZTA is not a specific product – it is an architecture that organizations can set up to suit their security and business needs. It typically involves using a proxy to grant or deny access and permission to users according to their risk profile. The risk profile is informed by various contextual factors, including user device, application, time of day, location, and data sensitivity.

8. Microsegmentation

Microsegmentation technology helps prevent threat actors from moving laterally across the network. Here are the three categories of microsegmentation tools for network security:

• Network-based tools – organizations can deploy these tools at the network level, typically with software-defined networking. It helps protect assets connected to the network.
• Hypervisor-based tools – organizations can use these tools to implement microsegmentation and increase the visibility of network traffic flowing between multiple hypervisors.
• Host-agent-based tools – organizations can use these tools to segment certain hosts by installing an agent on these hosts. It helps separate hosts from the rest of the network. These tools can work on physical servers and cloud or hypervisor workloads.

9. Secure Web Gateway (SWG)

SWG was initially a solution aimed at optimizing bandwidth, and has evolved into a system that protects users from malicious websites and content. Modern SWG solutions provide URL filtering, decryption and inspection of HTTPS traffic for malicious activity, data loss prevention, and anti-malware. Most SWGs also provide a limited form of a cloud access security broker (CASB).

10. Secure Access Service Edge (SASE)

SASE is a new solution category that combines several network security tools into one. SASE includes SWG, NGFW, zero trust network access (ZTNA), and software defined wide area networking (SD-WAN). It is a managed, scalable WAN service that provides connectivity between multiple geographical regions. It secures network traffic regardless of the physical location of the user or the company resource being accessed.

11. Extended Detection and Response (XDR)

XDR is a new paradigm for threat detection and response, extending beyond the network to secure endpoints, email systems, and cloud resources. XDR is a proactive approach to threat detection. It combines data from multiple layers of the IT environment, applying advanced analytics to automatically construct an attack chain from multiple, seemingly isolated events.

XDR allows security teams to:

• Quickly identify hidden, evasive threats including insider threats and advanced persistent threats (APT).
• Track threats across multiple security silos in the organization.
• Increase productivity of security teams by providing automated forensic investigation and a single interface for investigation and response.
• Automate response by integrating with existing security tools.

XDR promises to reduce the time to detection and response in a SOC, improve detection of sophisticated threats that can be missed by existing security technologies, and save time for security teams. This is critical given the global cybersecurity skills shortage and the proliferation of advanced threats on the modern network.

Securing Your Network with Cynet

Beyond XDR – Autonomous Breach Protection

Cynet is the world’s first Autonomous Breach Protection platform that natively integrates the endpoint, network and user attack prevention & detection of XDR with the automated investigation and remediation capabilities of SOAR, backed by a 24/7 world-class MDR service. End to end, fully automated breach protection is now within reach of any organization, regardless of security team size and skill level.

XDR Layer: End-to-End Prevention & Detection

• Endpoint protection – multilayered protection against malware, ransomware, exploits and fileless attacks
• Network protection – protecting against scanning attacks, MITM, lateral movement and data exfiltration
• User protection – preset behavior rules coupled with dynamic behavior profiling to detect malicious anomalies
• Deception – wide array of network, user, file decoys to lure advanced attackers into revealing their hidden presence

SOAR Layer: Response Automation

• Investigation – automated root cause and impact analysis
• Findings – actionable conclusions on the attack’s origin and its affected entities
• Remediation – elimination of malicious presence, activity and infrastructure across user, network and endpoint attacks
• Visualization – intuitive flow layout of the attack and the automated response flow

MDR Layer: Expert Monitoring and Oversight

• Alert monitoring – First line of defense against incoming alerts, prioritizing and notifying customer on critical events
• Attack investigation – Detailed analysis reports on the attacks that targeted the customer
• Proactive threat hunting – Search for malicious artifacts and IoC within the customer’s environment
• Incident response guidance – Remote assistance in isolation and removal of malicious infrastructure, presence and activity

Simple Deployment

Cynet can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.

Get a free trial of Cynet and experience the world’s only integrated XDR, SOAR and MDR solution.