Think Defense? NO! Think like an attacker
You can’t go far without tripping over a debate around this. I’ve talked about how vital it is to channel the enemy in more than one post, but can a natural leaning towards one position or the other (my recent past is all governance, risk and compliance), have an unhelpful blinker effect?
This post was prompted by Alex Butcher sharing his take on BSides London talks. Mine got a mention, but mainly to point me at a recent Technet article by John Lambert:
- Here’s his – Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win
- Here’s mine – ‘Monstrous Security Appetites’ (far more pictures than words, so speaker notes are included).
When someone eloquently lays out a perspective so apparently counter to yours, it usually provokes a rethink…or it should. So I read it very, very carefully and decided it categorically deserved more than a 140 character response. So here we are.
Graphers and Listers
My take on John’s points (corrections welcome):
Attackers start wherever they have, find or make an ‘in’ to a network. After landing they work their way towards valuable assets by using connections, credentials and data to enable next steps, or point the way.
Like hermit crabs, they regularly swap their access shells for more privileged compromisable accounts. Moving outwards in multiple navigable directions, until a prize is in sight. That might be one specific asset (perhaps a pre-identified target based on insider knowledge, or social engineering), or it might be a location where connections or passing credentials cluster. Somewhere to camp and scoop ever increasing quantities of valuable data or intel.
When you understand the matrix of potential access in relation to key assets, the ‘jumping off points’ in close proximity become a priority to protect too.
But mapping up, down, backwards, forwards, left and right, from potential ingress points, to assets and onwards, is a mammoth undertaking. For many it may not be feasible with current tools, skills and funding.
Alternatively, the ‘listers’:
They labour to enumerate all the assets that need protecting. More or less effectively (usually less – a problem I consistently write about solving) using risk, legal and regulatory requirements to define highest priorities for protection. A much more familiar governance model. The trouble is (much like for graphing), that’s one heck of a lot of work and it’s always an incomplete and moving picture. Every day data, devices (mobile and internal), applications, connections, accesses and suppliers get changed or chucked into the mix.
The upshot – piecemeal protection.
John’s recommendations (within the scope of the brief post) were:
- Mapping accesses and related paths to priority assets
- Relating that to connection clusters, account control servers and vulnerabilities that multiply ingress points
- Ring fencing the most hack-worthy assets and nearby pathways with network and access segregation.
- Reviewing privileged accesses to minimise them and ideally switching to temporary ‘just-in-time’ access models.
- Using 2fa wherever possible and not ignoring less scrutinised ways credentials are exchanged e.g. printers and internal database permissions.
My recommendations (within the scope of my 15 minute talk) were:
- Identify the traits that make assets (including card data, personal information, finance information, IP, passwords, source code, strategic plans or processes requiring high availability), most attractive and vulnerable to hackers.
- Quickly (it’s possible) triage entities, identifying which ones store, handle or support most at risk assets. Entities iinclude, among other things, endpoints, servers, software, projects, suppliers, people.
- Point most assessment effort at that riskiest stuff delving into detail on quality of controls, specific vulnerabilities and threats
- Decisively land risk ownership early and not usually with IT or security (they operate controls and set/test benchmarks, but are rarely where the buck stops if it really hits the fan).
- Avoid the FUD from the media and vendors, that sends you down budget gulping threat cul-de-sacs.
- Rebalance time and effort spent on tech vs people risk and suppliers.
- Improve comms up and down the business to get and keep sponsorship for work.
- Do all this to best use limited resources. Freeing staff from working reactively (jumping every time there’s a local incident, media reported breach or logo worthy exploit), so they can concentrate on real breaking news about harder to mitigate attacks and longer term security strategy.
Firstly, you can see why I overran! Rookie mistake. Secondly, after proper consideration, I don’t see that these are mutually exclusive, or even ‘better vs worse’ approaches. They can be complimentary. Here’s my take on why:
Serving Graph and List Masters
It is, in both cases, mainly about the data. In John’s model, intel to gain initial ingress, then credentials (mainly), to extend reach to the highest value assets, which are mostly data stores.
In my model I start and end in a different place, but I’m essentially focusing on the same things. Directing in-depth assessment and remediation effort at highest value, or most criminally desirable assets (often the same thing and again mainly data).
Entities, my chosen targets, also include projects and suppliers (extending John’s model to keep eyes on evolution of the environment). That helps the business to ‘get’ problems, because entities are typically where controls are applied and they are far easier to pin owners on than information assets.
Where I didn’t go, but John did, was into the shape of assessment itself. If I had, it would have specified that the entity shouldn’t be assessed in isolation. It should be looked at including surrounding physical, tech, user and process context (hosting environment, kit, OS, midrange, applications, interfaces)…not forgetting, as one critical area of focus, access. Access to all those layered interracting pieces of the entity’s security puzzle. A special place reserved for privileged access, which always requires a step up in scrutiny and required control…and suddenly things begin to sound more aligned.
- An approach prioritising what’s at most risk in the real world.
- An approach that acknowledges surroundings are as important as targets.
- An approach that has data and access at it’s heart.
John recommends technical discovery and mapping of assets in network context. In my version it’s technical and manual identification of entities (the usual context for assessment and reporting on risk and security controls). One view adding perspective and filling gaps for the other.
As he rightly also points out, compromise is MORE likely to start with an overlooked workstation than the locked down server where you keep your data crown jewels. That doesn’t change the fact that securing outwards from high value assets is his (and my) core recommendation. You can’t secure everything all of the time. But, to minimise pain when someone does break in, you can put up effective roadblocks and listening posts to reduce the chance of success.
Where there should be absolutely NO disagreement…
You cannot understand risks and implement appropriate levels of control, if you have no idea what your key assets are, where they are and how likely they are to attract determined effort from hackers, or compromise by uneducated, coerced, careless or criminal insiders.
A point underlined by this quote from John:
“Defenders need to ensure that attackers don’t have a leg up on them when visualizing the battlefield. In this contest, defenders can have the upper hand. They can have full information about their own network, whereas attackers need to study the network piece by piece.”
There’s more I could write (says the BSides talk overrunner), but as I want some folk to make it to the end, here are four final points:
- The content and tone of my talk (broad and light), was never going to cover all fronts, but it has persuaded someone to take time to start a debate – that’s a result.
- We, as an industry, can have a tendency to write off some value of people in the opposite camp. Not law abiders vs criminals, but coders and technologists vs ‘security suits’.
- The solution to this mammoth security challenge is in co-operation and selecting the best from all camps. Cohesion and support is the only way through.
- NONE of what we try to do will see consistent improvement in security, if we don’t bring the purse string holders along for the ride. The boom/bust budget cycle, driven by failed tech/business translation, FUD and incidents, will carry on forever. The keys to unlock that trap – respect and effective communication.
On that (given I’ve strayed into more technical territory than usual here), I’m confident we can all agree.