Post 23 - Almost there

26 Dec 2022

Task 28, Day 23, Defense in Depth Mission ELFPossible: Abominable for a Day

One to go…

Defense in Depth core mindset founded on idea that there is no such thing as a silver bullet for security woes. No single defense mechanism can protect from the bad world out there.

Contrasting Past and Modern Takes

Castle walls built to withstand sieges and barrages, fortified and manned to protect from pillagers and marauders, but sooner or later will be breached. Defender’s response inside the walls could spell the end. For longest time lots of orgs had similar posture: focus on securing the walls/perimeter. Downside is that once breached they often faltered and it spelled the end.

Modern defensive security mindset shifting to more robust approach. Castle walls are good and important, but the the only way to security. At somepoint gunpowder is discovered and the walls will fall. Having additional defense layers, especially for high value targets, is crucial.

Disrupting Adversarial Objectives

DiD mainly focused on adversarial objectives, not just securing perimeter, but everything in the path the adversary will take. Three levels of defense:

  1. First level, focus on perimeter. Great prevention measures in perimeter and complete trust within. Once breached, at mercy of adversary.
  2. Second level has defensive layers, but emphasis soley on prevention. While adversarial objectives may be prevented some, lack of ‘knowing your environment’ leads to missed opportunities for detection, alerting, and response. Prevention is good, but key to defeating is visibility into what the attacker is doing.
  3. Third level is well-rounded defensive layers in place, leveraging strategic application sensors, effective creation of analytics, and efficient alerting and response capabilities of security team. Preventative measures coupled with detection and alerting, and immediately and efficiently dropping the hammer.

First level includes orgs that employ great defenses like Web Application Firewalls (WAFs), Perimeter Network Firewalls, and even Demilitarized Zones (DMZ), but has no internal security and no zero trust mechanisms in place.

Second level includes orgs that employ level one, but add internal measures like network segmentation, zero trust principle implemetation, least privileged access principle implementation, and even hardened hosts and networks. Really good defense, but many missed opportunities, likely with existing products.

Third leve uses both previous levels but rampls up detection and response through effective log collection and well-crafted analytics.

We’re not only expected to be good at layering preventive measures against attacks, but also capable of responding if and when these defenses are bypassed.

Scenario given: Adversary penetrates perimeter defenses via spearphishing campaign, still has to navigate hardened environment full of traps and tripwires. This may give him one specific user’s account, but having least privilege access he is limited to damage that can be done. Even if able to move laterally to another better user via pass-the-hash, good logging mechanisms and detection capabilities allow analytics to recognize it and alert the cavalry to respond and remediate immediately.

The Task

Break into the compound and navigate around to steal the naughty/nice list flags at each security level.

Level three is frustrating in a game, worse in the real world.

Summary

Implementing layered security is iterative and cyclic, breaches and detections show areas of improvment which are then acted on. Any attack, successful or not should inform new defensive steps and approaches.