Using Network Defense In-depth to Build the Moat
Believe it or not, defense in depth has its foundation (no pun intended) in medieval times. Back then, the term referred to the use of multiple mechanisms incorporated to protect the royal treasure, with the idea that if one mechanism should fail, another is in place to defend against an attack.
Similarly, the term is also used by the military to describe a strategy for delaying the advance of an attacker. Instead of focusing all available manpower in one strong line of defense, this approach is designed to slow the advance of an attacker by buying enough time to wear them down. This leaves them susceptible to a counterattack and eventually, defeat.
Cyber Security Defense In-depth Strategy
Defense in depth for cyber security takes the best of both scenarios and applies them to approaches that include guidance for controls (military strategy) as well as hardware and software solutions (castle walls). Defense-in-depth strategy elements contain approaches intended to stop and/or slow an attacker’s efforts. The defensive mechanisms are layered to protect valuable data and information and act like marbles to hinder the progress of a threat, slowing and wearing it down, until either it ceases to threaten or until additional resources can pitch in to help eliminate that threat.
The castle’s main gate is protected by an army of soldiers and surrounded on all sides by a large fence.
Cyber Attacker Mindset
The front gate is heavily fortified, so we must find another path in. Feeling confident in its defenses surrounding the main gate, the castle doesn't consider other means of gaining access, including:
Infiltrate the castle by posing as a worker
Gain physical access through open windows
Climb through a terrace as an entry point at night and place USB drives loaded with malware throughout the staff quarters
Connect to the castle Wi-Fi from the nearby forest to gain network access
Tailgate behind a carriage vendor into the castle to look for the server room
Defense In-depth Architecture
Because there is no single method that can successfully protect against every single type of attack, companies choose to employ a defense in depth architecture to better protect IT resources. Implementing a collection of security solutions increases the security of a system as a whole and addresses many different attack vectors. This coordinated use of multiple security countermeasures also includes how a team monitors, is alerted to, and responds to a threat. This way, damage avoidance or mitigation that cannot be managed by purely technological measures can be enacted before the full effects of a threat are realized.
Using an Advanced Adversary Simulation to test a company’s defenses helps determine if security strategies are set up properly to identify emerging threats and warn teams. If a company has chosen to trust in using a single layer of security, an attacker will quickly pivot around that protected area to another area full of vulnerabilities that are wide open. By combining firewalls, malware scanners, data encryption and integrity auditing solutions, and intrusion detection systems, companies close gaps otherwise left exposed by the use of a single security layer.
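As an added example (not code from the original article), here is a minimal version of the integrity-auditing layer named above: it records a baseline of file hashes and later reports files that were added, removed or changed, so that an artifact left behind after an earlier layer such as a malware scanner is bypassed is still surfaced. The directory layout and file contents are constructed for the demonstration.

```python
# Added example, not from the article: a minimal file-integrity auditing layer.
# Baseline a directory tree by SHA-256, then diff the live tree against it so
# that dropped, altered or deleted files are reported even if no scanner fired.
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    root_path = Path(root)
    return {
        str(p.relative_to(root_path)): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }

def audit(root: str, baseline: dict) -> dict:
    """Compare the current tree against a baseline; return the differences."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a temp tree, tamper with it, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "etc").mkdir()
        Path(tmp, "etc", "app.conf").write_text("debug=false\n")
        Path(tmp, "bin").mkdir()
        Path(tmp, "bin", "service").write_bytes(b"\x7fELF-original")
        baseline = build_baseline(tmp)
        # Constructed changes: a config edit, an unexpected new file, a deleted binary.
        Path(tmp, "etc", "app.conf").write_text("debug=true\n")
        Path(tmp, "etc", "dropped.sh").write_text("#!/bin/sh\n")
        Path(tmp, "bin", "service").unlink()
        return audit(tmp, baseline)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and signed, since an attacker who can alter the baseline can hide the change this layer is meant to catch.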
Q: What are some ways you can help keep attackers off of your on-prem/cloud network?
Brian: So to keep the attackers at bay and keep them out of the cloud and on-premise networks, you really need a good strategy of defense in depth. You know, don’t just rely on that one or two tools and think that they’re going to be everything. A good attacker is going to do their homework on you first. They’re going to do lots of enumeration to figure out what type of defenses you may have in place to see if there are bypasses or something they can develop to bypass. So you kind of need to have a holistic view of, alright, given my situation of here’s what I have on my on-premise network, and here’s what I have in my cloud network, and here’s how they all communicate; where are my largest areas of weakness? And now that I know where my largest areas of weakness are, how can I put something to detect if someone is aiming for that weakness or if someone is aiming for that vulnerable soft area in either the cloud network or the on-premise network? And have some defense in depth so that even if we bypass antivirus, there’s plenty of artifacts that we leave behind as attackers that still allow you to find us and hopefully stop us, or find the real attacker and stop the real attacker before they do ransomware or whatever it is they’re trying to accomplish.
Q: Why do so many organizations fail to notice that an attacker got into their network?
Brian: One of the reasons companies may think that they’re protected when they put all this investment in – and attackers are still getting in, we still see it in the news every day. All these companies that are getting breached are investing in security. They are having people whose job it is to look at security, but oftentimes, it’s one of those things where you also have to have the attacker mindset, or, as I mentioned earlier: if the only way you think to get into a building is through a door, you’re going to put all your security around the doors and not realize that people can go through windows. It’s the same with a company’s on-premise network or its cloud network. If you think the only way into the on-premise network is through the VPN or this cloud access security broker and you put all of your attention, all of your awareness and focus in on those, and you forget that bad guys think in multiple different vectors, and they’re going to go in through the side entrance to get into your network, or they’re going to go through some legacy system that you’d forgotten about.