Offense Must Inform the Defense – Is Your Cyber Security Program Fixing the Right Problems?
To solve a problem, you must understand the problem that needs to be solved and identify the optimum solution. The problem with cyber security is that organizations are often fixing the wrong problem. To solve this, you must identify the problem that actually exists, not focus on the one that doesn’t. In cyber security, people often create problems or explanations that do not exist and insist that resources are used to address them. A core principle to always live by is to let data drive decisions, not emotions. If you cannot show me factual data to support the problem you want to solve, then it is not a high priority problem. The factual data that should drive every decision is how the adversary is going to exploit your organization and what exposures exist that will allow this to occur.
This is accomplished by looking at how the offense operates and functions. To win at security, offense must drive the defense. At a high level you need to understand how the offense works and operates. Essentially, to be able to fix a problem you need to break the problem down, identify the root causes and fix them.
To give a quick analogy, this would be comparable to a homeowner concerned that their house is going to get robbed so they install video cameras in the front of the house, install a double deadbolt on the front door and put bars on all the windows. The problem is that the robber is going to enter via the basement door in the back of the house. In this case, the person spent significant time and money on physical security, but it did little to no good because it was not aligned with the actual threat or the real problem. While this example might seem humorous in the real world, it is a very real problem that occurs in cyber space. With every major breach, the company spent significant money on cyber security but still got compromised because they focused on the wrong problem.
The main question you always want to ask is: What is the biggest threat to our organization and how do we fix it? Or, another way of looking at this is: Is your cyber security program aligned with how attacks actually work, so that it makes them harder to succeed?
How an Attack Works
To implement effective security, it is important to understand the basic requirements that are needed for an attack to be successful. The interesting part is that it does not matter whether we are talking about a physical robbery or a cyber attack; they operate in a similar manner.
If I am staying in a hotel room that I have filled with gold and you want to steal my gold, what information do you need for an attack to be successful? You essentially need 3 pieces of information: 1) the address of the hotel; 2) my room number; 3) a way into my room. With those 3 pieces of information you could launch a successful attack; without them you would not be successful.
Translating this to cyberspace, the attack is not much different. If I have a server that contains critical information and you want to break in and steal the information, you need 3 pieces of information:
- the IP address of the system;
- an open port with a listening service;
- a vulnerability that can be exploited.
Therefore, if you want to make it harder for an adversary to break in, you need to control and manage these 3 areas.
First, you should have a list of all servers that are visible from the Internet and ask a simple question: Are all of these servers required to be accessible from the Internet in order to support the business? One of the best ways to make it harder for an adversary to break in is to reduce the attack surface. If a server is not required to be accessible from the Internet and you either move it to the internal network or turn it off, you have just removed the attack vector, because you cannot break into a server that is not accessible.
Second, for each server that needs to be accessible verify that every open port is required, and the underlying service is up to date. Any services that are not required should be turned off and any ports that are not required should be closed.
Third, all software and services on the system should be fully patched, with any extraneous software removed. Vulnerability and penetration testing must be performed to verify that there are not any known exposure points. What is interesting is that over 10 years ago the main method of attack was unknown or zero-day attacks. This meant that even if your system was fully patched you could still be exploited. Today, however, since so many companies are not patching systems, most attackers are using known exploits. The good news for companies is that if they are just consistent and vigilant in patching, they can stop a large percentage of the attacks.
Assessing Your Cyber Security
The question to ask about your cyber security is whether it is offense friendly or defense friendly. It surprises me how few organizations ask this question and assess how easy it would be for an adversary to break into their organization. Really, what the question is asking is how well you know your organization and how much visibility you have into the exposures and vulnerabilities that exist.
The reason why assessing your cyber security is so important is because cyber security is an unfair game. For the adversary or attacker to break into your organization, they only need to find one vulnerability. For the defender to protect and secure their organization, they need to find all the vulnerabilities. Therefore, the more complex your environment is the easier it is to be compromised and the harder it is to defend. To win in cyber security, you must have full visibility into your organization, and to get full visibility you need to have the proper foundations in place.
Foundation of Cyber Security
The foundations of cyber security focus in on getting proper visibility, knowing your environment and reducing the attack surface. This is accomplished by focusing in on 2 core areas:
- Asset Inventory – having an accurate list of all the systems on your network. The trick is to focus in on high risk systems or ones that are visible from the Internet. You cannot protect what you do not know – therefore it is critical to have an accurate, up to date list of all systems.
- Configuration Management – the difference between a secure server and a vulnerable server is how it is configured. Once you know a system is on your network, you must know how it is configured so you can identify any exposures or vulnerabilities.
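The three checks above (is the host required on the Internet, is each open port required, is each required service patched) and the two foundations just described can be reconciled mechanically. The following is an added example written for this article, not the author's own tooling; the inventory, the required-port policy and the patch-level baseline are constructed sample data.

```python
"""Attack-surface gap report: reconcile an asset inventory against a
configuration baseline and report what to remove, close or patch.
Example code added for this article; all hosts and versions below are
constructed sample values, not real systems."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    ip: str
    internet_visible: bool
    business_required: bool        # must this host face the Internet?
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)

# Constructed asset inventory: what an accurate inventory should hand you.
INVENTORY = [
    Asset("web-01", "203.0.113.10", True, True,
          {443: ("nginx", "1.24.0"), 22: ("openssh", "9.3")}),
    Asset("legacy-ftp", "203.0.113.20", True, False,
          {21: ("vsftpd", "3.0.3")}),
    Asset("db-01", "203.0.113.30", True, True,
          {5432: ("postgresql", "15.3"), 3306: ("mysql", "8.0.30")}),
]

# Configuration-management baseline (constructed): ports each host may expose
# and the minimum patched version per service.
REQUIRED_PORTS = {"web-01": {443}, "legacy-ftp": set(), "db-01": {5432}}
PATCHED_VERSIONS = {"nginx": "1.24.0", "openssh": "9.4", "vsftpd": "3.0.5",
                    "postgresql": "15.4", "mysql": "8.0.34"}

def version_tuple(v):
    """Turn '1.24.0' into (1, 24, 0) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def audit(inventory, required_ports, patched_versions):
    """Walk the three things an attacker needs (address, listening service,
    exploitable weakness) and emit one (host, action, reason) per gap."""
    findings = []
    for a in inventory:
        if a.internet_visible and not a.business_required:
            findings.append((a.name, "remove", "not required on the Internet"))
            continue  # removing the host removes every port on it
        allowed = required_ports.get(a.name, set())
        for port, (svc, ver) in a.open_ports.items():
            if port not in allowed:
                findings.append((a.name, "close", f"port {port} ({svc}) not required"))
            elif version_tuple(ver) < version_tuple(patched_versions[svc]):
                findings.append((a.name, "patch", f"{svc} {ver} < {patched_versions[svc]}"))
    return findings

if __name__ == "__main__":
    for host, action, why in audit(INVENTORY, REQUIRED_PORTS, PATCHED_VERSIONS):
        print(f"{host:12} {action:7} {why}")
```

A port that is not required is reported as "close" rather than "patch", since closing it removes the exposure entirely; only required services are checked against the patch baseline.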
The adversary is ruthless, will not stop, and is taking advantage of organizations that are sloppy. Instead of launching advanced zero-day attacks, they are just finding unpatched systems and exploiting them. Therefore, organizations must stay one step ahead of the adversary by understanding how the adversary works and making it harder for them to break in. By gaining visibility through asset inventory and configuration management, you can have an organization that is defense friendly. To make sure this is properly maintained, ask yourself every day: “What is the biggest threat to my organization and how do I fix it?”