Defender’s Advantage Series – An Introduction

The Defenders certainly have the advantage here.

During my (informative and rewarding) time in the Air Force, I was fortunate enough to take some military strategy courses.  One of the main tenets of military strategy (borne out over 5000 years of human combat) is the notion of “Defender’s Advantage”, which essentially states that a defending force will be able to hold off an invading force up to 3 times its size.  Which makes sense: if you are the defender, you know the terrain, have time to prepare defensive fortifications, and can stock up on supplies.  But in information security, it seems like anything but a Defender’s Advantage.

It’s a curious reversal of a time-honored maxim.  Time and again we see large organizations completely defeated by small groups of electronic attackers.  Why does the defender’s advantage disappear in the information security world?

Let me be very clear: I do not at all mean to trivialize war and physical violence by comparing them with IT security; there is a clear distinction.  OK, let’s press on!

Perhaps the nature of electronic attacks is better modeled on guerrilla-style warfare.  In guerrilla warfare, the smaller attacking force looks to harass and cause specific impacts against the larger force, using its agility to its benefit.  Prized resources are targeted for destruction or theft, with the goal being to disrupt the operations of the larger force.

George Washington employed guerilla tactics during the Revolutionary War to counter the advantages the British possessed.

Even so, there is plenty of work on strategies and tactics to handle this type of “asymmetric warfare”.  So the question remains: why don’t we see an inherent advantage for the defender?

Seize the Advantage #1 – Know the Terrain

Do you know all the devices on your network and how they connect?

This is probably the biggest area for improvement in most organizations.  It’s important to know exactly what systems are connected to your enterprise, how they are connected, what they do, and who uses them.

  • Conduct regular inventories of all systems connected to the network
  • Implement a vulnerability management program
  • Documentation on your network should be up-to-date and available (perhaps in an offline fashion as well)

Seize the Advantage #2 – Decide Who Gets In and Out

A standard model of preventing attacks before they happen necessitates blocking malicious traffic on its way into your network.  Of course, that alone is not a reliable way to defend a network, although the majority of the attention (and budget) goes there.  In reality, we need to use a model where we prevent as much of the obviously malicious traffic as we can, and then start watching for traffic that is leaving our network.

The truly dangerous attacks usually require outbound access from the network, either to send home the stolen loot, or to check in with the mothership and ask for new instructions.  Fans of the kill-chain model (myself included) will recognize this as either the Command and Control or Action stage, and know that this is where the majority of malware is detected and thwarted.

Within the context of the Defender’s Advantage, we need to ensure we are completely leveraging the control that we can assert over the entry and exit points of the network.  We should be monitoring and blocking the outbound traffic just as much as the inbound traffic.

  • Firewalls should have outbound access-control entries configured too – set them up and monitor them!
  • Whenever possible, use a proxy or content filter capable device to control the traffic that does leave your network
  • Monitor outbound DNS requests
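The three bullets above describe an egress review, so here is what one looks like as code.  This is an added example, not code from the original post: the firewall and resolver log formats, the 10/8 internal range, the proxy and resolver addresses, and the egress policy (only the proxy may reach the Internet on web ports, only the internal resolver may reach the Internet on 53) are all constructed assumptions for the demo.  Because every line it flags was *allowed* by the firewall, each finding doubles as an outbound deny rule that should exist but does not.

```python
"""Outbound (egress) review over constructed firewall and DNS query logs.

Added example, not code from the original post. Log formats, addresses and the
egress policy below are assumptions constructed for this demo.
"""
import math
import re
from collections import Counter

# Assumed egress policy: only the proxy talks to the Internet on web ports,
# only the internal resolver talks to the Internet on port 53.
PROXY_HOST = "10.0.0.5"
INTERNAL_RESOLVER = "10.0.0.53"
PROXY_PORTS = {80, 443}

# Constructed firewall lines (key=value style chosen for the example;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
FIREWALL_LOG = """\
2016-05-01T10:00:01 action=allow src=10.0.1.20 dst=10.0.0.5 dport=3128
2016-05-01T10:00:02 action=allow src=10.0.0.5 dst=203.0.113.7 dport=443
2016-05-01T10:00:05 action=allow src=10.0.1.21 dst=198.51.100.9 dport=4444
2016-05-01T10:00:09 action=allow src=10.0.1.22 dst=198.51.100.10 dport=53
2016-05-01T10:00:11 action=allow src=10.0.0.53 dst=198.51.100.53 dport=53
"""

# Constructed resolver query log lines.
DNS_LOG = """\
2016-05-01T10:00:03 client=10.0.1.20 query=www.example.com type=A
2016-05-01T10:00:04 client=10.0.1.20 query=mail.example.net type=MX
2016-05-01T10:00:06 client=10.0.1.21 query=a9f3c1e8b2d4f6a7c9e1b3d5f7a9c2e4b6d8.example.org type=TXT
2016-05-01T10:00:07 client=10.0.1.21 query=b7e2d9c4f1a6e3b8d5c2f9a4e7b1d6c3f8a5.example.org type=TXT
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_log(text):
    """Turn 'timestamp key=value ...' lines into dicts (timestamp under 'ts')."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(dict(KV_RE.findall(rest)))
        records.append(rec)
    return records


def is_internal(ip):
    """10/8 is the only internal range in this constructed network."""
    return ip.startswith("10.")


def review_egress(firewall_records):
    """Return allowed outbound connections that violate the assumed egress policy.

    Each finding is (src, dst, dport, reason). Inbound and internal-only
    traffic is skipped: this review is about what leaves the network.
    """
    findings = []
    for r in firewall_records:
        if r.get("action") != "allow":
            continue
        src, dst, dport = r["src"], r["dst"], int(r["dport"])
        if not is_internal(src) or is_internal(dst):
            continue
        if dport == 53 and src != INTERNAL_RESOLVER:
            findings.append((src, dst, dport, "direct external DNS, bypasses internal resolver"))
        elif dport in PROXY_PORTS and src != PROXY_HOST:
            findings.append((src, dst, dport, "web egress not via proxy"))
        elif dport != 53 and dport not in PROXY_PORTS:
            findings.append((src, dst, dport, "egress port not in policy"))
    return findings


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def review_dns(dns_records, max_label_len=30, min_entropy=3.5):
    """Flag queries whose leftmost label is long and high-entropy.

    That shape is a cheap heuristic for data being carried out in DNS names;
    the result is a list of review candidates, not verdicts.
    """
    flagged = []
    for r in dns_records:
        name = r["query"]
        first = name.split(".")[0]
        if len(first) > max_label_len and label_entropy(first) > min_entropy:
            flagged.append((r["client"], name))
    return flagged


def queries_per_client(dns_records):
    """Query volume per client; a sudden jump is the other classic tell."""
    return Counter(r["client"] for r in dns_records)


if __name__ == "__main__":
    for f in review_egress(parse_kv_log(FIREWALL_LOG)):
        print("egress finding:", f)
    dns = parse_kv_log(DNS_LOG)
    for f in review_dns(dns):
        print("dns finding:", f)
    print("queries per client:", dict(queries_per_client(dns)))
```

On the constructed input, the egress review flags the workstation talking straight to the Internet on 4444 and the one doing its own external DNS lookups; the proxy and the resolver pass.  The DNS review flags both long hex labels from 10.0.1.21 and leaves the ordinary lookups alone.  In a real deployment the two constants at the top would come from your network inventory, which is exactly why Seize the Advantage #1 comes before #2.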

Seize the Advantage #3 – Segmentation and Depth

Lots of defenses the bad guys have to deal with… assuming no one on the inside opens the door for them.

Getting back to our martial metaphor (and alliteration too, my English teachers would be so proud!), guerrilla warfare tends to be waged against the isolated outposts of the larger organization.  This occurs for a number of reasons, mostly because the outposts tend to be less well defended, are closer to the attacking guerrilla force, and enable the guerrilla force to be successful without having to overextend their time and resources attacking a deeper target.

In the case of designing our network, we need to provide ourselves with some segmentation and depth to ensure that getting to the principal resources is as costly for the opponent as possible.  That is not to say it makes the process impossible; it just means that we give ourselves a few more hops to monitor, and make the attacker work a little harder (and a little longer).

Seize the Advantage #4 – Build Your Own Robot Army

If you read our review of the Verizon DBIR we posted earlier this year, you’ll remember that attackers go from initial compromise to data exfiltration in minutes or hours.  They’ve found a way to leverage automation to their advantage.  Let’s take a cue from these (highly successful and extremely detestable) folks, and do the same thing ourselves!

So what do you need to start your own robot army? Well, first you’re going to need:

  • A log management solution (or a SIEM)
  • Detailed and complete network inventory
  • An action platform (you’re going to need a way to respond and execute commands)

When we start working on automating-for-good, it’s important to realize I’m not necessarily talking about automating an end-to-end action (although that would be awesome!).  Start by automating components of the security operations.  Let’s say you have an alert from your IPS that opens a priority 1 ticket.  When your team goes to respond to that alert, do they have all the information they need to make a decision, or do they have to go into hunting mode?  Why not have all of that information available in the ticket?  Snag the firewall logs associated with the alert, grab the AV and system logs for the target for that time frame, and put all that together in one place.  Now instead of logging in and tracking down enough information to investigate, we skip right to the part where the human does what humans do best: make a decision.

As you automate portions of these activities, you may find that the decisions being made can also be pretty easily automated as well.  Maybe 90% of the alerts follow a pattern that indicates no issues.  Go ahead and automate that, and only alert for the outliers.  I can’t imagine a security engineer in the world who wouldn’t mind having a 90% reduction in P1 alerts.
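The two paragraphs above describe one pipeline: enrich the P1 ticket with everything about the target host in the alert’s time window, then let a rule dispose of the alerts that match the known-benign pattern and hand only the outliers to a human.  Here is that pipeline as an added example; it is not the post’s own code.  The IPS alert fields, the three log sources, the signature names and the single “known benign” rule (an authorized scanner tripping a scan signature from its own host) are all constructed for the demo, and a real version would read from your log management solution or SIEM instead of the inline lists.

```python
"""Alert enrichment and first-pass triage, as sketched in the post.

Added example, not the post's own code. Alert fields, log formats, signature
names and the known-benign rule are constructed assumptions for the demo.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed IPS alerts, each of which would open a P1 ticket on its own.
ALERTS = [
    {"id": 1, "ts": "2016-05-01T10:00:05", "host": "10.0.1.30",
     "sig": "Example-IPS: Scanner User-Agent"},
    {"id": 2, "ts": "2016-05-01T10:00:06", "host": "10.0.1.21",
     "sig": "Example-IPS: Suspicious Outbound Beacon"},
]

# Constructed log sources keyed by name; every record carries ts and host so
# the same window query works across all of them.
LOGS = {
    "firewall": [
        {"ts": "2016-05-01T10:00:05", "host": "10.0.1.21", "msg": "allow 10.0.1.21 -> 198.51.100.9:4444"},
        {"ts": "2016-05-01T09:40:00", "host": "10.0.1.21", "msg": "allow 10.0.1.21 -> 10.0.0.5:3128"},
    ],
    "av": [
        {"ts": "2016-05-01T10:00:08", "host": "10.0.1.21", "msg": "detection: Trojan.Generic quarantined"},
    ],
    "system": [
        {"ts": "2016-05-01T10:00:04", "host": "10.0.1.21", "msg": "new service installed: updsvc"},
        {"ts": "2016-05-01T10:00:05", "host": "10.0.1.30", "msg": "scheduled vulnerability scan started"},
    ],
}

# Hypothetical suppression rule: the authorized scanner trips this signature
# from its own host every week. This is the "90% of alerts" pattern.
KNOWN_BENIGN = {("Example-IPS: Scanner User-Agent", "10.0.1.30")}


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def gather_context(alert, logs, window_minutes=15):
    """Pull every record about the alert's host within +/- window of the alert.

    This is the 'hunting mode' work the analyst would otherwise do by hand.
    """
    centre = parse_ts(alert["ts"])
    lo = centre - timedelta(minutes=window_minutes)
    hi = centre + timedelta(minutes=window_minutes)
    ctx = {}
    for source, records in logs.items():
        ctx[source] = [r for r in records
                       if r["host"] == alert["host"] and lo <= parse_ts(r["ts"]) <= hi]
    return ctx


def triage(alert, ctx):
    """Return (decision, reason).

    Auto-close only when the alert matches a known-benign pattern AND nothing
    in the gathered context corroborates it; everything else is an outlier
    that still gets a human.
    """
    if (alert["sig"], alert["host"]) in KNOWN_BENIGN and not ctx["av"]:
        return "auto-close", "matches known benign pattern, no AV corroboration"
    return "escalate", "outlier: human decision required"


def build_ticket(alert, logs):
    """Assemble the enriched ticket the post describes: alert + context + decision."""
    ctx = gather_context(alert, logs)
    decision, reason = triage(alert, ctx)
    return {"alert": alert, "context": ctx, "decision": decision, "reason": reason}


def run(alerts=ALERTS, logs=LOGS):
    """Process every alert; returns the list of enriched tickets."""
    return [build_ticket(a, logs) for a in alerts]


if __name__ == "__main__":
    for t in run():
        a = t["alert"]
        print(f"alert {a['id']} ({a['sig']} on {a['host']}): {t['decision']} - {t['reason']}")
        for source, recs in t["context"].items():
            for r in recs:
                print(f"    [{source}] {r['ts']} {r['msg']}")
```

On the constructed data, alert 1 is the scanner and closes itself; alert 2 is escalated with the firewall connection, the AV detection and the new-service event from the same fifteen minutes already attached, so the analyst opens the ticket and decides rather than hunts.  Note the shape of the rule: the benign pattern is keyed on signature *and* source host, and it still yields to corroborating evidence, which is what keeps a suppression from turning into a blind spot.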

We’re going to expand on each of these sections in the next few posts.  Time to go reclaim the advantage.

Stay safe out there.  And thanks for reading!
