Security Alerting Systems (SASs) generate security-related alert messages indicating a potential compromise of a protected resource, such as a computing device. The alerts are transmitted to a trusted receiver for analysis and action. U.S. patent application Ser. No. 13/537,981 (now U.S. Pat. No. 9,160,539), filed Jun. 29, 2012, entitled “Methods and Apparatus for Secure, Stealthy and Reliable Transmission of Alert Messages from a Security Alerting System,” discloses methods and apparatus for secure transmission of alert messages over a message locking channel (MLC). Alert messages are buffered at the monitored endpoint and transmitted to a collection server, such as a Security Information Event Management (SIEM) server, for further security analytics processing.
These regular buffer transmissions correspond to a special type of “heartbeat” that constitutes an additional assurance level. Whenever heartbeat transmissions are not received as expected, a special type of “heartbeat” alert is produced by the collection server.
When “heartbeat” alerts occur, however, the cause of such alerts cannot be clearly identified. In the case of an adversarial heartbeat alert, an attacker compromised the host and consequently blocked some buffer transmissions. In the case of a benign heartbeat alert, network failures resulted in significant delays or loss of normally transmitted buffers. An attacker can take advantage of this ambiguity to hide its actions while being in full control of an invisible victim host.
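To make the heartbeat mechanism concrete, the following is an added example (not code from the patent or its applicant) of the collection-server side: buffers are expected on a fixed schedule, and a gap longer than the expected interval plus a jitter tolerance raises a heartbeat alert. The interval, tolerance and the arrival records are assumed values constructed for this illustration; note that the alert itself carries no information about whether the gap is adversarial or benign.

```python
from dataclasses import dataclass, field

# Constructed sample: (host, arrival time in seconds) of buffer transmissions
# seen by the collection server. Host "h2" stops sending after t=240, which is
# exactly what either a compromised host or a failed network link looks like.
BUFFER_ARRIVALS = [
    ("h1", 0), ("h2", 0),
    ("h1", 120), ("h2", 120),
    ("h1", 240), ("h2", 240),
    ("h1", 360), ("h1", 480), ("h1", 600),
]


@dataclass
class HeartbeatMonitor:
    interval: float          # expected seconds between buffer transmissions
    tolerance: float         # extra delay tolerated for ordinary network jitter
    last_seen: dict = field(default_factory=dict)
    alerted: set = field(default_factory=set)

    def on_buffer(self, host, t):
        """Record a received buffer; a fresh buffer clears any outstanding alert."""
        self.last_seen[host] = t
        self.alerted.discard(host)

    def check(self, now):
        """Return hosts whose heartbeat became overdue at time `now` (once each)."""
        overdue = []
        for host, t in self.last_seen.items():
            if now - t > self.interval + self.tolerance and host not in self.alerted:
                self.alerted.add(host)
                overdue.append(host)
        return overdue


def replay(arrivals, interval, tolerance, tick):
    """Replay arrival records against a monitor polled every `tick` seconds.

    Returns a list of (time, host) heartbeat alerts in the order raised."""
    mon = HeartbeatMonitor(interval, tolerance)
    events = sorted(arrivals, key=lambda e: e[1])
    alerts, now, i = [], 0, 0
    while now <= events[-1][1]:
        while i < len(events) and events[i][1] <= now:
            mon.on_buffer(*events[i])
            i += 1
        alerts.extend((now, h) for h in mon.check(now))
        now += tick
    return alerts
```

With a 120 s interval, 30 s tolerance and 10 s polling, the replay yields a single heartbeat alert for "h2" at t=400; nothing in that alert distinguishes the two causes described above.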
A need therefore exists for a network blockage policy that limits the network capabilities of a device when a “heartbeat” alert has been raised.