Rethinking Defense In Depth
Anthony SaracinoInformation Technology Security OfficerBucks County Community CollegeOctober 4, 2018
Discussion Points• Background• Risk and Risk Management Objectives• Defense in Depth Overview• Defense in Depth Strategies
o Cyber Kill Chain Methodologyo Mitre ATT&CK Frameworko Zero Trust Architecture
Fundamental IT Security Goal
CIA Triad
Confidentiality – prevent unauthorized disclosure of sensitive information
Integrity – prevent unauthorized modification of systems and information Data Integrity System Integrity
Availability – prevent disruption of service and productivity
• Represents the fundamental security principle upon which all information security functions are based
• While all three areas are important – some organizations may place a higher value on one component than another
Source: ISACA CISM
• Risko The probability of an event and its consequenceso The probability of an event is the likelihood that a given threat will exploit an exposed vulnerabilityo If there are no consequences or impact …. there is no risko The greater the consequences …. the greater the risko Risk = Likelihood of an Event x Potential Impact … or … Threat x Vulnerability
• Exposureo The degree to which a a vulnerability is exposed to a threat … the attack surfaceo Is affected by the extent and effectiveness of controls and where a particular device is located in the
networko Asset Classification – business value, sensitivity, critically
• Security Focuso Managing risk to critical assetso Risk appetite - Risk toleranceo Loss reduction - Controlso Residual Risk
Risk Defined
• A process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities for loss
• Ensures that the impact of threats exploiting vulnerabilities is within acceptable limits and acceptable cost
• Accomplished by balancing risk exposure against mitigation costs and implementing appropriate controls and countermeasureso Detective controlso Preventive controls o Corrective controls o Compensating Controls o Must include sound policies, procedures, standards, and guidelines
• Who determines the acceptable limits and acceptable cost?
• Risk appetite and risk tolerance need to be defined
• Risk Impact = Risk - Controls in Place (Preventive Controls) - Likelihood of Detection (Detective Controls)
Risk Management
Consists of a series of processes that take into account the end-to-end requirements of identifying, analyzing, evaluating, and maintaining an acceptable risk level
Establish scope and boundaries – include internal and external factors Identify information assets and valuation Perform risk assessment – qualitative or quantitative Determine risk treatment or response Accept residual risk Communicate and monitor risk
Source: ISACA CISM
Security Risk Management Process
Continuous Risk Management Process
Source - ISACA
What is Defense in Depth• The coordinated use of multiple security counter measures to protect the
integrity of the information assets in an enterprise.
• Places multiple barriers between an attacker and an organizations computing and information resources
• Minimizes the adverse impact and provides time to deploy new or updated counter measures to prevent recurrence
• Increases security by increasing the adversaries effort needed in an attack
• Based on several core principles:
o There is no “silver bullet” when it comes to network and system security
o Any layer of protection might failo Multiple levels of protection must be deployed within each layero Measures must be across a wide range of controls that include
preventive and detective measures
Source: hexad.org
Defense in Depth - Overview• Identify the Network Perimeter, critical assets, and define and document the data flows
• Questions to be askedo What assets need to be protected?o Where does critical data reside?o How does data flow from host to host?o How does data flow from application to application?o What about the cloud?
• Define what you want to protect againsto External Threatso Internal Threats – Malicious Insider and the non-malicious, uninformed employee
• Implement controls that work across multiple layerso Preventiono Containment o Detection/Notificationo Reactiono Recovery/Restoration
Defense in Depth Fundamentals• Select the right mix of products and services
o Endpoint Protection Software Antiviruso Web Application Firewalls and Next Generation Firewallso Mobile Device Management and BYODo Identity Management, SSO, and MFAo Includes network segmentation, VLAN’s, ACL’So DLP and traffic inspection – including SSLo Multiple Honeypot traps
• Establish Effective Controls and Processeso Least Privilege Accesso Role Based Accesso Periodic Access Reviewo Security Awareness
• Key Pointso Need to continuously monitor and reacto Focus on what needs to be protected … have a strategy
Defense in Depth – Tactics
• All components need to work together so that there is a cohesive view across all attack vectors• Need to ensure that all public cloud applications are included• Need skilled engineers with a diverse set of IT skillsets
Pillar Component Pillar ComponentAuthentication Auditing and Logging/SIEMAuthorization File Integrity Monitoring (FIM)Awareness and Training HoneypotsBYOB/MDM Configuration Intrusion Detection (IDS)Data Loss Prevention (DLP) Measurements and MetricsEncryption MonitoringFirewalls Additional Security MechanismsHost Intrusion Prevention (HIPS) Incident ResponseNetwork Intrusion Prevention (IPS) New or Better ControlsPatching Policies and Procedure ChangesPhysical Security Backups/RestorationVirus Scanning Business Continuity PlanningAccess Control Lists (ACL's) Disaster Recovery PlanningAuthorization Failover to High Availability SitesFirewalls and Security Domains ForensicsNetwork Segmentation Management and Monitoring
Defense in Depth by Function
Prevention
Detection/Notification
Reaction
Recovery and Restoration
Defense in Depth by Function
Containment
The Cyber Kill Chain Methodology - Overview• Developed in 2011 by Lockhead Martin and defines the steps used by adversaries• Fundamental concept - An effective attack is a chain of events• The Traditional Kill Chain Model:
• By understanding each of these stages an organization can better identify and stop attacks at each of the stages.
• The more points you intercept adversaries actions at, the more likely you can deny their objective. • Detecting an attack and blocking delivery of the attack are the keys to a successful defense.• If the attack goes through all phases it means that an organization was unable to notice that they were
the subject of the attack. • A successful attack is due to either:
o Good preparation of the adversary … or …o Poor preparation and execution by the attacked organization
no monitoring, incomplete tool set, inadequate security policies, procedures not followed
The Cyber Kill Chain Methodology – DetailsPhase Objective Adversary Actions Defender Countermeasure
Reconnaissance Identify the Targets
Conducting research to understand which targets will enable them to meet their objectives. Once target is identified will harvest e-mail address and Social Engineering sites to obtain information.
Detecting reconnaissance as it happens can be extremely difficult to detect. Some available tools:- Network Traffic Detection- Detect Port Scanning
Weaponization Prepare the OperationPreparation and staging phase of the operation. Will use a tools that couples malware and exploit into a deliverable payload.
Weaponization can not be detected as it happens.
Delivery Launch the OperationMalware and payload is delivered to the target. Can be delivered via email, usb, or other mechanism.
The key most important opportunity to block the intrusion attempt. - inspection of network traffic, including SSL- block risky applications- block the ability to send known exploits/malware
Exploitation Gain Access to the TargetA vulnerability is exploited to gain access and execute code.
Traditional hardening measures will assist but custom capabilities such as application whitelisting will be necessary to stop zero-day exploits
Installation and Data Identification
Establish Entry PointInstallation of a persistent backdoor or malware in the targeted environment to maintain access for an extended period of time
Endpoint controls to log, detect, and alert installation activity and analyze endpoint activity to mitigate new endpoint compromises
C2Remotely Control Breached Targets
Malware opens a command channel to enable the adversary to remotely manipulate the target
Attempt to block C2 channel, risky URL's, or redirect suspicious network traffic to local traps. If adversary can't issue commands then the threat is contained.
Actions on Objectives and Persist Undetected
Goal AttainmentOnce access is obtained the attackers goal is accomplished
The longer an adversary has C2 access, the greater the impact. This stage must be detected as quickly as possible. DLP tools and traffic inspection.
• What’s the goal – to break the chain of attack or the kill chain at any stage …. except for the last stage …. where system compromise and data theft have occurred.
• What are the process steps needed to implement to break the chain:
The Cyber Kill Chain Methodology – Tactics
Tactic Description
PreventionPreventing an advesary from successfully launching an attack.
DetectionDetecting that an attack is occurring and taking the required steps to neutralize it.
DisruptionImpeding an attack and making the attack less effective and unprofitable for the advesary.
Degradation Weakening the power of attack its effectiveness and impact to an organization.
DeceptionForcing the advesary into wrong assumptions about the system which will result in selecting an ineffective attack vector.
HoneyPot, DNS Sinkholing
Tools
HIDS, NIDS, AV, Log Analysis, SIEM's, FIM
IPS, NexGen FW's, ACLS, Pen Tests, Vulnerability Scanning, Patching Methodology, DLP
System Hardening Standards, HoneyPots
Disabling Unused services, QOS
The Cyber Kill Chain Methodology – Finalized PlanPrevention Detection Disruption Degradation Deception
Reconnaissance IPS IDS System Timeouts
WeaponizationThreat Intelligence
Gathering
Delivery IPS IDS System Hardening
Exploitation HoneyPot
Installation and Data
IdentificationFIM
C2 and Data Exfiltration
Next Gen FW DLP
Actions on Objectives and
Persist Undetected
SIEM - Log Analysis
TacticPhase
The Cyber Kill Chain Methodology – Variation 1• Variations to the Traditional Kill Chain
• Process Steps List All Available Controls Map existing controls currently in place to the phase Determine Capability Maturity Model Level and map to control
Controls
Application WhitelistingChange ManagementDLP TechnologyEncryption Endpoint ProtectionIntrusion DetectionMDM ControlsMultiFactor AuthenticationNetwork SegmentationPatchingSecurity Awareness TrainingSIEM Deployment
Initial Attack Vector
Establish Foothold
Identify Interesting Data
Distribute Malware
Exfiltrate DataPersist
UndetectedX X
XX
X
X XX X X
X X XX XX X
CMM Level Not in Place = 0 Initial = 1 Repeatable = 2 Defined = 3 Managed = 4 Optimizing = 5
The Cyber Kill Chain Methodology – Variation 2• Law Enforcement Cyber Center – Mandiant version
• Still need to follow the same process steps: List All Available Controls Map existing controls currently in place to the phase Determine Capability Maturity Model Level and map to control
• Is there a “best” version?
Sources – Law Enforcement Cyber Center and Mandiant
• Developed by Mitre Corporation in 2013
• ATT&CK refers to Adversarial Tactics, Techniques, and Common Knowledge
• 2018 Ponemon Institute Survey - Breach Discovery Takes an Average 197 Days
• Was established for describing and understanding the actions an adversary may take to compromise and operate within an enterprise network
• Doesn’t try to prevent adversaries from entering the network at the perimeter
• The goal is to break down and classify attacks:
o in a consistent and clear manner o make it easier to compare and contrast various attacks o focus on what attackers do post exploit – their behaviors
• The different stages of an attack were derived from the Cyber Kill Chain model.
• It describes a list of common Tactics, Techniques, and Procedures used for each task.
The Mitre ATT&CK Framework – Overview
• Tactics represent the reason an adversary performs an action
• Techniques represent how a tactical objective is met by performing an action
• Frameworko Maintains a adversary perspective and not a defensive and reactionary postureo Uses empirical data from publicly reported incidents on suspected and actual APT group behavioro It is an approximation of what is publicly knowno Defines an adversary’s actions and specific methods of defense – doesn’t contain a toolseto Brings greater awareness of what actions may be seen during an enterprise network intrusiono Contains listing of all tools, custom or commercial code, operating system utilities, open-source
software used by an adversary once inside a network
The Mitre ATT&CK Framework – Overview
Source: MITRE
The Mitre ATT&CK Framework – Tactic and Technique Matrix
The Mitre ATT&CK Framework – Tactic and Technique Matrix
Description - When operating systems boot up, they can start programs or applications called services that perform background system functions. Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry.
Examples - Elise configures itself as a service; Emissary is capable of configuring itself as a service; Hydraq creates new services to establish Persistence.
Mitigation - Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services. Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting like AppLocker
Detection - Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software.
Permissions Required – Administrator, System
Effective Permissions - System
Sources – Process Monitoring, Process Command Line Parameters
Common Attack Pattern Enumeration and Classification (CAPEC ID) - 550
• What can it be used for?o Adversary emulation scenarios to test and verify defenses against common adversary techniques
• A good way to structure a red team exercise and measure security posture
• Changes the rules of engagement in a penetration test
o Identify potentially malicious activity within a system or network that may not rely on prior knowledge of adversary tools and indicators
o Determine what parts of an organizations computing enterprise lack defenses and/or visibility
o Test the maturity level of a Security Operations Center
o Conduct a GAP analysis against current defenses
• Have the blue team analyze and mitigate gaps
o Cyber Threat Intelligence Enrichment
o Provides focus on what is needed to improve upon
• Provides a measure of what your security actually is … and what can be detected …. not just a collection of defensive techniques
o Tactics and Technique Chart shows what can be seen if focus is only on the network perimeter ... Missing a lot of tactics …. Need to focus on the host
The Mitre ATT&CK Framework – Summary
The Zero Trust Model – Overview• Developed by Forrester Research
• Premise
o You don’t assume a device or user can access information just because they are part of the network or have been granted access via password or fingerprint.
o Access is driven by users’ individual needs.
o Trust models are created based on the device AND the person.
o The point of Zero Trust is not to make networks, clouds or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether
o All data breaches are, ultimately, breaches of trust
o John Kindervag, the founder of Zero Trust:
trust is not the desired state
trust is the failure point you want to avoid
trust is a vulnerability
o The model moves from “Trust but Verify“ … to …
“Never Trust … Always Verify”
Source – Minion Quotes
The Zero Trust Model – Overview• Key Points
o Takes into account the possibility of threats coming from External … AND …Internal Sources
o Focuses on protecting the network endpoints not just perimeter network security boundaries
o Eliminates the concepts of a trusted network and an untrusted network
o The network perimeter has dissolved as employees and businesses have become more agile.
o All traffic is untrusted … the network can not be trusted ..IoT, cloud, personal devices, trading partners
o Does not eliminate the need for network perimeters and other security mechanisms
o Removes trust of the internal network and replaces it with trust of authenticated users and healthy devices
o Authentication at a point in time is not enough
o Identity and Access management (IAM) is the foundation to providing zero trust …. SSO, MFA, GRC Solutions
o Does Identity become the new perimeter?
The Zero Trust Model – Principleso Ensure all resources are accessed securely regardless of location
• Need to protect data from internal abuse the same as external compromise• Encrypted tunnels for internal and external networks … required• Focus on the protect surface not the attack surface
o Adopt a least privilege strategy and strictly enforce access control• Minimal privileges and access to resources … which users have access to which data• Reduces pathways available to malware and adversaries to gain unauthorized access and
move laterally• Determine how to enforce access control and inspection policies• Identify the context in which a device is being used
o Inspect and log all traffic• Provides visibility and verifies data flows• Who is accessing data, what data is it and how is it being accessed • Need to be able to spot abnormal user and device behavior• Need to inspect what is happening in allowed applications and services ... “always verify”
The Zero Trust Model – Architecture• Network Segmentation Gateway – Central Security Element
o Used to define internal trust boundarieso Enables secure network access and controls traffic flowo Continuously monitors sessions and see’s ALL network traffico Contains granular policy regarding data, application, and asset access that is strictly enforcedo Isn’t this just segmentation – not quite …. it’s a lot more.
Layer 3 Rules – Source, Destination, Port Zero Trust Rules - User ID, Application ID, Time Limitations, System Object, Data Classification, Protection Controls
• Define and build trust zoneso Each zone attached to an interface is a “microcore and
perimeter (MCAP)”o All resources in each MCAP share similar functionality and attributeso All traffic is inspected and logged …. between zones and within each zone or MCAP
• Centralized managemento Switching fabric is placed around the network segmentation gatewayo In hierarchical networks the switching infrastructure is the center of the network
Source – Palo Alto
The Zero Trust Model – Roadmap• Identify and Map the Flow of Sensitive Data … including Toxic Data
• Zero Trust Networks are built around:o Data, Services, Applications, Assets
• Define Standardso Standards for proving identityo Standards for securing devices that access your data.o Standards for where and when your data and applications may be accessed.
• Architect the Network – build from the inside outo Based on based on how transactions flow across a network and how users and applications access
the data – no more “model after”o Start with critical system assetso Enable local end point protections - Start at the network to define policy before moving to the
endpoint.o Extend network connectivity in a controlled manner
• Adoption
Rethinking Defense in Depth
Wrap Up and Questions
Thank You!!!