This article was first published in June in PenTest Magazine and this full version is available only for PenTest Magazine subscribers and Wonderful Tech Stuff readers and will never be displayed on any other site.
As Information Technology (IT) professionals, we are familiar with the concept of Defense in Depth. For those unfamiliar with the concept, the adaptation for cyber security is to layer multiple defense mechanisms to delay (not prevent) a successful attack until appropriate preventative measures are deployed. As IT professionals, we are also familiar with the requirement to stay up to date on technologies, education, current events, etc. Now that Defense in Depth has been around for a while and is professed by all organizations, it is worth taking another look at the concept, how it is implemented, and whether it is still effective against cyber warfare and cyber crime. Traditional military strategies and ideas can no longer be applied with their original intent when dealing with cyber security, because the tactical landscapes of both have changed. We need to learn to adapt or continue suffering the cyber consequences.
Defense in Depth as Designed
Defense in Depth at its inception was a military strategy, originally defined by the National Security Agency (NSA). The goal of this strategy was to elongate and delay, rather than prevent, the success of an attacker, thereby exhausting the attacker's resources and diminishing their forces while buying time and keeping them at bay. Instead of defeating an attacker and defending territory with a single, strong defensive mechanism, Defense in Depth relied on the tendency of an attack to lose momentum as resources were consumed over time. This allowed a defender to give up lightly defended ground so that the attacker's own logistics consumed their resources, rendering them susceptible to a counterstrike. Once the attacker's resources were consumed and they had begun to lose momentum while covering more ground, a counterstrike could be launched against the attacker's weak points in an attempt to cripple them or force them back to their original positions.
The following figure depicts a basic visual representation of Defense in Depth as it was designed.
Each of the lines in the figure illustrates a different Defense in Depth mechanism as the concept was initially designed. The major differentiator is that Defense in Depth was designed for a physical, real-world application.
Defense in Depth for the IT Professional
Defense in Depth as implemented by IT Professionals is an Information Assurance (IA) concept in which multiple layers of security controls are placed throughout an IT system. In the IT world, Defense in Depth layers people, processes, and technologies with the intent of providing additional security controls if the primary control fails or a vulnerability is exploited to circumvent it. Defense in Depth boils down to having multiple defensive mechanisms, at multiple layers, performing different tasks.
Defense in Depth from an IT viewpoint is better defined as a Layered Defense Model. The figure below illustrates an example of a Layered Defense Model.
An example of this Defense in Depth, or Layered Defense, would be using a Network Based Intrusion Prevention System (NIPS) together with a Host Based Intrusion Prevention System (HIPS). The NIPS operates at the network layer and provides a defensive mechanism that inspects traffic as it traverses the network. If the network traffic makes it past the NIPS, the HIPS on the target host provides another mechanism for inspection and protection.
Possible Defenses At Each Layer or Layered Defense Examples
- Perimeter Layer Defenses: This is your first layer of defense and usually resides at the border of your network. It is the first asset someone from the outside would reach if they attempted to attack your network. These devices could be firewalls, routers, load balancers, etc. If properly configured, they will reduce the malicious traffic inside your network by up to 95%.
- Network Layer Defenses: These are your internal mechanisms for detection and prevention and usually sit at the entrance to your internal network. These devices could be firewalls, routers, intrusion prevention systems, etc.
- Host Layer Defenses: These are mechanisms that run on the host or against the host. They inspect content on each host, and content sent to and from each host, on demand. This could be anti-malware systems, configuration management systems, host-based firewalls, host-based intrusion prevention systems, etc.
- Application Layer Defenses: These are mechanisms that work at the application layer of the communication stack. This could be strong passwords, session timeouts, input validation, encryption, etc.
- Data Layer Defenses: These are defenses that allow, deny, or monitor access to data. It could be a file integrity monitor, access control lists, permissions, file activity monitoring systems, etc.
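The NIPS/HIPS pairing and the layer list above can be modelled as an ordered pipeline in which each layer sees traffic as it exists at that point. The following Python is an added illustration (not from the article or any product): the perimeter and network policies, the signatures, and the sample traffic are all constructed here, and the point it shows is that a payload the network layer cannot match in its encoded form is still caught at the host layer once it has been decoded into the form the application will consume.

```python
import base64
import ipaddress

# Constructed sample policy (RFC 5737 documentation ranges, not real addresses).
PERIMETER_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed content signatures; the same list is applied at two layers.
SIGNATURES = [b"<script>", b"' OR 1=1"]


def perimeter_layer(src, payload):
    """Border device: decides on source address only, never looks at content."""
    return any(ipaddress.ip_address(src) in net for net in PERIMETER_BLOCKLIST)


def network_layer(src, payload):
    """NIPS: matches signatures against the bytes as they cross the wire."""
    return any(sig in payload for sig in SIGNATURES)


def host_layer(src, payload):
    """HIPS: matches against the content as the application will consume it.
    If the payload is valid base64 it is decoded first; otherwise it is used as-is."""
    try:
        content = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        content = payload
    return any(sig in content for sig in SIGNATURES)


# Layers in the order traffic traverses them (perimeter -> network -> host).
LAYERS = [("perimeter", perimeter_layer), ("network", network_layer), ("host", host_layer)]


def inspect(src, payload):
    """Return the name of the first layer that blocks the traffic, or None if all pass."""
    for name, check in LAYERS:
        if check(src, payload):
            return name
    return None


# Constructed sample traffic: label -> (source address, payload bytes).
SAMPLE_TRAFFIC = {
    "blocked_source": ("203.0.113.7", b"GET / HTTP/1.1"),
    "plain_signature": ("198.51.100.5", b"q=<script>alert(1)</script>"),
    "encoded_signature": ("198.51.100.5", base64.b64encode(b"<script>alert(1)</script>")),
    "benign": ("198.51.100.5", b"GET /index.html HTTP/1.1"),
}


def run_samples():
    """Map each sample label to the layer that stopped it (None means it passed every layer)."""
    return {label: inspect(src, payload) for label, (src, payload) in SAMPLE_TRAFFIC.items()}
```

Running `run_samples()` shows the encoded sample passing the perimeter and network layers and being stopped only at the host, which is exactly the gap the second layer exists to cover.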
Defense in Depth’s Cyber Shortfalls
What is practical in the IT world and in the civilian sectors cannot truly be deemed Defense in Depth, because the full design behind the strategy, including the counterattack that eliminates the enemy, cannot be applied. The following points underscore the downfall of Defense in Depth as applied to IT:
- Defense in Depth, in its original design, works for the physical world. The problem with the design for cyber defense is that it is unsustainable. Boundaries in the physical world are still well defined; however, a cyber attacker can perform the same actions from their grandmother's basement as someone sitting in the next cubicle over.
- The end goal of Defense in Depth as designed is to counter attack the attacker. This would not be legal and is ethically questionable.
- Counter attacking would not be cost effective or practical for a Cyber Defense with existing challenges and strained resources.
- A counter attack from the public sector is not a good idea. This is equal to poking a bear and would likely result in escalation of the attack and increase costs with no benefit.
- As technology evolves, with concepts such as "The Cloud" and telecommuting, the network border is becoming harder to see.
The concept of Defense in Depth has actually been reverse engineered and used against the IT Professionals and is now utilized by attackers using this concept to provide them the attack vector they require to facilitate a successful attack. Cyber attackers are forcing IT Professionals and organizations into an unsustainable stance, exhausting available resources, and adapting advanced techniques to walk right in the front door and strut past the people, process, and technology utilized by Defense in Depth. Cyber attackers are provoking organizations to implement a layered defensive stance that is complex, far-reaching, unmanageable, extremely costly, and requires a team of subject matter experts to run.
Every week more press releases surrounding cyber attacks and data breaches surface. Global companies, massive organizations, and governments around the globe are reporting intrusions and extrusions of data due to the failure of Defense in Depth as practiced by IT. Regardless of what actions are taken to stop a cyber attacker or what tools are used to prevent a cyber attack, even if the attacker is locked out of a system, they are simply sitting at the perimeter trying something new.
How the IT Professionals Can Evolve
Cyber attackers are excellent at sharing or selling data that allows more attackers to gain access to your data. IT Professionals and organizations must also evolve or continue to suffer at the hands of these cyber attackers. Collectively we must issue a call to arms and begin to win back the cyber war. This can be achieved through the following recommendations:
- Participation: The more people participate in collective information sharing, the more effective they will be in building a strategy for the prevention, detection, containment, and eradication of cyber attacks. It is up to the IT Security community to make this happen.
- Information Sharing: First, sanitize your data before sharing. Even competitors can work together collectively to thwart cyber attacks. It is critical for IT Professionals to have accurate, timely data to act on.
- Relationships Among Vendors: Vendor integration that builds a strong relationship between different tools is critical to being able to withstand a cyber attack.
- Knowledge Sharing: Vendors and organizations across all verticals must share their knowledge about each vertical in an effort to participate in collective information sharing.
- Teamwork: Corporate organizations, private organizations, governments, and others must work together to reduce threats.
The changes required across the cyber landscape are achievable. The cyber attacker is currently ahead in the race of attack versus defense; the cyber threats are winning. Cyber defense must make a dramatic shift in the current way we do business in order to keep applying pressure on the cyber criminals. Resources are constrained and the opposition is evolving.
Author Bio: Jon Ringler is the Technology Security Director at FTI Consulting and a subject matter expert in the fields of intrusion detection, forensics, cloud security, and application security. Jon has a Master's Degree in Information Assurance and holds several certifications, including CISSP, CISA, and CEH. Jon, his wonderful wife Debbie, and two beautiful daughters Avery and Camryn live in Annapolis, Maryland, USA.
PenTest Magazine is a weekly downloadable IT security magazine devoted exclusively to penetration testing. It features articles by penetration testing specialists and enthusiasts, and by experts in vulnerability assessment and management. We cover all aspects of pen testing, from theory to practice, from methodologies and standards to tools and real-life solutions. Visit our webpage and register for free!