Last time, I talked about how attackers are at an advantage when it comes to targeted attacks, and how it is important that we accept that fact in order to deal with attacks properly. Here comes the hard part: knowing that attackers have a great level of control, what do we do now?
Remember that even though we’ve come to accept that attackers have greater control, that does not mean we don’t have any of it. We do, and it is important to take note of that, because using the control we have is critical in dealing with targeted attacks.
Control the Perimeter
Of course, any form of control can only be truly successful if founded on an awareness of what we truly own. Acquiring a firm grasp of what and who gets access to the network and the level of access that is provided may come at the expense of what most employees see as convenient, but considering the dangers of targeted attacks, it is important to put security first.
Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.
Once the network is defined, it is critical to have a means to monitor it, which means having visibility and control of everything that goes in and out. A good example of a technology that can help network administrators do this is DNS Response Policy Zone (DNS RPZ). DNS RPZ provides a scalable means to manage connections to and from the network. Complemented with a domain name blacklist, it creates a network environment that is significantly safer.
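As an added example of the kind of RPZ deployment described above (not configuration from the original post; the zone name rpz.corp.internal, the file paths, the sinkhole host and the example domains are all assumed placeholders), here is a BIND named.conf fragment that enables a policy zone on the recursive resolver, with the policy zone itself below it. It blocks a blacklisted domain and its subdomains, redirects another to an internal sinkhole so that connection attempts become visible in logs, and carves out one exception:

```conf
// named.conf fragment on the recursive resolver (assumed layout)
options {
    // Rules in rpz.corp.internal are evaluated before a client gets an answer;
    // "log yes" records every rewrite so the SOC can see which host asked for what
    response-policy {
        zone "rpz.corp.internal" log yes;
    };
};

zone "rpz.corp.internal" {
    type master;
    file "/etc/bind/db.rpz.corp.internal";
    allow-query { localhost; };   // policy data is only for the resolver itself
};

logging {
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 5 size 20m;
        print-time yes;
        severity info;
    };
    category rpz { rpz_log; };    // RPZ rewrites go to their own log file
};

; ---- /etc/bind/db.rpz.corp.internal : the policy zone (assumed content) ----
$TTL 300
@   IN SOA  localhost. hostmaster.corp.internal. (
            2024010101  ; serial: increase on every blacklist update
            3600 900 604800 300 )
    IN NS   localhost.

; QNAME triggers: the owner name is the queried domain, relative to the zone origin.
; CNAME .             -> answer NXDOMAIN (domain does not exist for our clients)
; CNAME *.            -> answer NODATA
; CNAME rpz-drop.     -> silently drop the query
; CNAME rpz-passthru. -> exempt the name from policy
; any other CNAME/A   -> rewrite the answer (walled garden, sinkhole)

; 1. Blacklisted domain and every subdomain: NXDOMAIN
bad-domain.example         IN CNAME .
*.bad-domain.example       IN CNAME .

; 2. Known malware host: send clients to an internal sinkhole instead, so
;    each attempted connection is recorded by the sinkhole as well
malware-host.example       IN CNAME sinkhole.corp.internal.
*.malware-host.example     IN CNAME sinkhole.corp.internal.

; 3. Exception: an exact owner name takes precedence over the wildcard above
partner.bad-domain.example IN CNAME rpz-passthru.
```

A domain name blacklist feed can be turned into records of the first form and loaded into this zone (or transferred in as a slave zone from a feed provider), which is what makes the approach scale; the rpz log then doubles as a detection source, since every rewritten answer names the client that asked.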
Deploy Inside-Out Protection
Traditional defenses focus on hardening firewalls and keeping bad components out through blacklisting. Now, while this “outside-in” strategy would be effective for dealing with fairly straightforward attacks, it would be utterly unreliable against targeted attacks. Traditional defenses are made for attacks where the form and source are easily recognizable, which is not the case for targeted attacks.
Figure 1. Traditional defense
A good example of a better type of defense is the one used in Minas Tirith in The Lord of The Rings. The castle is designed in a way where the citadel, located at the center, is surrounded by seven walls. Each wall is higher than the one before it, with the outermost wall being the lowest, but the strongest. There are also gates in each wall, but the gates are never in front of one another, and are all situated in different portions of the castle. This kind of strategy, also known as the military strategy “defense in depth”, works because it offers protection not only from outside forces but also from those already within the perimeter. In terms of network defense, it is equivalent to deploying multilayered protection, and encrypting critical data.
Figure 2. Defense in depth
The high walls also represent another important strategy. As it gets harder for attackers to infiltrate the fortress further, archers on the high walls have a bird’s eye view of exactly what is taking place. The archers can defend not only against enemies outside the wall, but also against those who are already within. In terms of security, this increased visibility via network monitoring also affords the defenders a level of control over both incoming and outgoing traffic.
Assume Intrusion and Act Accordingly
Recall that the first wall at Minas Tirith was known throughout the lands as supposedly indestructible, yet eventually it was breached by the force of the battering ram Grond and the power of the Witch-king. In the same way, what form of protection do we turn to should our traditional defenses fail to prevent targeted attacks? The better attitude to take is to assume that an attack is already inside the network, as this will force us to rethink the way we are currently protecting it.