Rethinking Defense In Depth Anthony Saracino Information Technology Security Officer Bucks County Community College October 4, 2018


Page 1: Rethinking Defense In Depth - Think Smart · What is Defense in Depth • The coordinated use of multiple security counter measures to protect the integrity of the information assets

Rethinking Defense In Depth

Anthony Saracino
Information Technology Security Officer
Bucks County Community College
October 4, 2018

Page 2

Discussion Points
• Background
• Risk and Risk Management Objectives
• Defense in Depth Overview
• Defense in Depth Strategies
  o Cyber Kill Chain Methodology
  o Mitre ATT&CK Framework
  o Zero Trust Architecture

Page 3

Fundamental IT Security Goal

CIA Triad

Confidentiality – prevent unauthorized disclosure of sensitive information

Integrity – prevent unauthorized modification of systems and information
  o Data Integrity
  o System Integrity

Availability – prevent disruption of service and productivity

• Represents the fundamental security principle upon which all information security functions are based

• While all three areas are important – some organizations may place a higher value on one component than another

Source: ISACA CISM

Page 4

Risk Defined

• Risk
  o The probability of an event and its consequences
  o The probability of an event is the likelihood that a given threat will exploit an exposed vulnerability
  o If there are no consequences or impact … there is no risk
  o The greater the consequences … the greater the risk
  o Risk = Likelihood of an Event x Potential Impact … or … Threat x Vulnerability
• Exposure
  o The degree to which a vulnerability is exposed to a threat … the attack surface
  o Is affected by the extent and effectiveness of controls and where a particular device is located in the network
  o Asset Classification – business value, sensitivity, criticality
• Security Focus
  o Managing risk to critical assets
  o Risk appetite - Risk tolerance
  o Loss reduction - Controls
  o Residual Risk

Page 5

Risk Management

• A process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities for loss
• Ensures that the impact of threats exploiting vulnerabilities is within acceptable limits and acceptable cost
• Accomplished by balancing risk exposure against mitigation costs and implementing appropriate controls and countermeasures
  o Detective controls
  o Preventive controls
  o Corrective controls
  o Compensating controls
  o Must include sound policies, procedures, standards, and guidelines
• Who determines the acceptable limits and acceptable cost?
• Risk appetite and risk tolerance need to be defined
• Risk Impact = Risk - Controls in Place (Preventive Controls) - Likelihood of Detection (Detective Controls)

Page 6

Security Risk Management Process

Consists of a series of processes that take into account the end-to-end requirements of identifying, analyzing, evaluating, and maintaining an acceptable risk level

• Establish scope and boundaries – include internal and external factors
• Identify information assets and valuation
• Perform risk assessment – qualitative or quantitative
• Determine risk treatment or response
• Accept residual risk
• Communicate and monitor risk

Source: ISACA CISM

Page 7

Continuous Risk Management Process

Source - ISACA

Page 8

What is Defense in Depth
• The coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise.
• Places multiple barriers between an attacker and an organization's computing and information resources
• Minimizes the adverse impact and provides time to deploy new or updated countermeasures to prevent recurrence
• Increases security by increasing the adversary's effort needed in an attack
• Based on several core principles:
  o There is no “silver bullet” when it comes to network and system security
  o Any layer of protection might fail
  o Multiple levels of protection must be deployed within each layer
  o Measures must span a wide range of controls that include preventive and detective measures

Source: hexad.org

Page 9

Defense in Depth - Overview
• Identify the network perimeter and critical assets, and define and document the data flows
• Questions to be asked
  o What assets need to be protected?
  o Where does critical data reside?
  o How does data flow from host to host?
  o How does data flow from application to application?
  o What about the cloud?
• Define what you want to protect against
  o External Threats
  o Internal Threats – Malicious Insider and the non-malicious, uninformed employee
• Implement controls that work across multiple layers
  o Prevention
  o Containment
  o Detection/Notification
  o Reaction
  o Recovery/Restoration

Page 10

Defense in Depth Fundamentals
• Select the right mix of products and services
  o Endpoint Protection Software / Antivirus
  o Web Application Firewalls and Next Generation Firewalls
  o Mobile Device Management and BYOD
  o Identity Management, SSO, and MFA
  o Network segmentation, VLANs, ACLs
  o DLP and traffic inspection – including SSL
  o Multiple honeypot traps
• Establish Effective Controls and Processes
  o Least Privilege Access
  o Role Based Access
  o Periodic Access Review
  o Security Awareness
• Key Points
  o Need to continuously monitor and react
  o Focus on what needs to be protected … have a strategy

Page 11

Defense in Depth – Tactics

• All components need to work together so that there is a cohesive view across all attack vectors
• Need to ensure that all public cloud applications are included
• Need skilled engineers with a diverse set of IT skillsets

Defense in Depth by Function (Pillar: Components)

Prevention: Authentication; Authorization; Awareness and Training; BYOD/MDM Configuration; Data Loss Prevention (DLP); Encryption; Firewalls; Host Intrusion Prevention (HIPS); Network Intrusion Prevention (IPS); Patching; Physical Security; Virus Scanning

Containment: Access Control Lists (ACLs); Authorization; Firewalls and Security Domains; Network Segmentation

Detection/Notification: Auditing and Logging/SIEM; File Integrity Monitoring (FIM); Honeypots; Intrusion Detection (IDS); Measurements and Metrics; Monitoring

Reaction: Additional Security Mechanisms; Incident Response; New or Better Controls; Policies and Procedure Changes

Recovery and Restoration: Backups/Restoration; Business Continuity Planning; Disaster Recovery Planning; Failover to High Availability Sites; Forensics; Management and Monitoring

Page 12

The Cyber Kill Chain Methodology - Overview
• Developed in 2011 by Lockheed Martin and defines the steps used by adversaries
• Fundamental concept - An effective attack is a chain of events
• The Traditional Kill Chain Model:
• By understanding each of these stages an organization can better identify and stop attacks at each of the stages.
• The more points at which you intercept adversaries' actions, the more likely you can deny their objective.
• Detecting an attack and blocking delivery of the attack are the keys to a successful defense.
• If the attack goes through all phases it means that an organization was unable to notice that they were the subject of the attack.
• A successful attack is due to either:
  o Good preparation of the adversary … or …
  o Poor preparation and execution by the attacked organization – no monitoring, incomplete tool set, inadequate security policies, procedures not followed

Page 13

The Cyber Kill Chain Methodology – Details
(Phase – Objective, followed by Adversary Actions and Defender Countermeasure)

Reconnaissance – Identify the Targets
Adversary Actions: Conducting research to understand which targets will enable them to meet their objectives. Once a target is identified, will harvest e-mail addresses and social engineering sites to obtain information.
Defender Countermeasure: Reconnaissance can be extremely difficult to detect as it happens. Some available tools: network traffic detection; detection of port scanning.

Weaponization – Prepare the Operation
Adversary Actions: Preparation and staging phase of the operation. Will use tools that couple malware and exploit into a deliverable payload.
Defender Countermeasure: Weaponization cannot be detected as it happens.

Delivery – Launch the Operation
Adversary Actions: Malware and payload are delivered to the target. Can be delivered via email, USB, or other mechanism.
Defender Countermeasure: The most important opportunity to block the intrusion attempt: inspection of network traffic, including SSL; block risky applications; block the ability to send known exploits/malware.

Exploitation – Gain Access to the Target
Adversary Actions: A vulnerability is exploited to gain access and execute code.
Defender Countermeasure: Traditional hardening measures will assist, but custom capabilities such as application whitelisting will be necessary to stop zero-day exploits.

Installation and Data Identification – Establish Entry Point
Adversary Actions: Installation of a persistent backdoor or malware in the targeted environment to maintain access for an extended period of time.
Defender Countermeasure: Endpoint controls to log, detect, and alert on installation activity, and to analyze endpoint activity to mitigate new endpoint compromises.

C2 – Remotely Control Breached Targets
Adversary Actions: Malware opens a command channel to enable the adversary to remotely manipulate the target.
Defender Countermeasure: Attempt to block the C2 channel and risky URLs, or redirect suspicious network traffic to local traps. If the adversary can't issue commands then the threat is contained.

Actions on Objectives and Persist Undetected – Goal Attainment
Adversary Actions: Once access is obtained the attacker's goal is accomplished.
Defender Countermeasure: The longer an adversary has C2 access, the greater the impact. This stage must be detected as quickly as possible: DLP tools and traffic inspection.

Page 14

The Cyber Kill Chain Methodology – Tactics

• What’s the goal – to break the chain of attack or the kill chain at any stage … except for the last stage … where system compromise and data theft have occurred.
• What are the process steps needed to implement to break the chain:

Tactic – Description – Tools

Prevention – Preventing an adversary from successfully launching an attack. Tools: IPS, NexGen FWs, ACLs, Pen Tests, Vulnerability Scanning, Patching Methodology, DLP

Detection – Detecting that an attack is occurring and taking the required steps to neutralize it. Tools: HIDS, NIDS, AV, Log Analysis, SIEMs, FIM

Disruption – Impeding an attack and making the attack less effective and unprofitable for the adversary. Tools: System Hardening Standards, HoneyPots

Degradation – Weakening the power of an attack, its effectiveness and its impact on an organization. Tools: Disabling Unused Services, QoS

Deception – Forcing the adversary into wrong assumptions about the system, which will result in selecting an ineffective attack vector. Tools: HoneyPot, DNS Sinkholing

Page 15

The Cyber Kill Chain Methodology – Finalized Plan
(Phase: controls, placed across the tactics Prevention, Detection, Disruption, Degradation, Deception)

Reconnaissance: IPS, IDS, System Timeouts
Weaponization: Threat Intelligence Gathering
Delivery: IPS, IDS, System Hardening
Exploitation: HoneyPot
Installation and Data Identification: FIM
C2 and Data Exfiltration: Next Gen FW, DLP
Actions on Objectives and Persist Undetected: SIEM - Log Analysis

Page 16

The Cyber Kill Chain Methodology – Variation 1
• Variations to the Traditional Kill Chain
• Process Steps
  o List All Available Controls
  o Map existing controls currently in place to the phase
  o Determine Capability Maturity Model Level and map to control

Controls: Application Whitelisting; Change Management; DLP Technology; Encryption; Endpoint Protection; Intrusion Detection; MDM Controls; MultiFactor Authentication; Network Segmentation; Patching; Security Awareness Training; SIEM Deployment

Phases: Initial Attack Vector; Establish Foothold; Identify Interesting Data; Distribute Malware; Exfiltrate Data; Persist Undetected

CMM Level: Not in Place = 0; Initial = 1; Repeatable = 2; Defined = 3; Managed = 4; Optimizing = 5
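A worked version of the three process steps on this slide, added here as an example (it is not the presenter's material or any tool the deck names): the slide's controls are mapped to the slide's phases, each control gets a CMM level, and the report shows per phase how many mapped controls are actually in place, the weakest and mean maturity, and whether no control reaches the Defined level. The control-to-phase marks and the maturity levels are constructed for the example, since the matrix cells are not recoverable from the transcript.

```python
from dataclasses import dataclass

# Capability Maturity Model levels as given on the slide
CMM_LEVELS = {0: "Not in Place", 1: "Initial", 2: "Repeatable",
              3: "Defined", 4: "Managed", 5: "Optimizing"}

# Kill-chain phases from the Variation 1 slide
PHASES = ["Initial Attack Vector", "Establish Foothold", "Identify Interesting Data",
          "Distribute Malware", "Exfiltrate Data", "Persist Undetected"]


@dataclass(frozen=True)
class Control:
    name: str
    phases: tuple   # phases this control is mapped to
    cmm: int        # maturity level 0..5 of the control as deployed

    def __post_init__(self):
        if self.cmm not in CMM_LEVELS:
            raise ValueError(f"{self.name}: CMM level must be 0..5, got {self.cmm}")
        unknown = set(self.phases) - set(PHASES)
        if unknown:
            raise ValueError(f"{self.name}: unknown phases {sorted(unknown)}")


# Constructed mapping: control names are the slide's, but the phase marks and the
# maturity levels are assumptions made for this example, not the slide's data.
CONTROLS = [
    Control("Application Whitelisting", ("Establish Foothold", "Distribute Malware"), 2),
    Control("Change Management", ("Persist Undetected",), 2),
    Control("DLP Technology", ("Exfiltrate Data",), 1),
    Control("Encryption", ("Identify Interesting Data", "Exfiltrate Data"), 4),
    Control("Endpoint Protection",
            ("Initial Attack Vector", "Establish Foothold", "Distribute Malware"), 3),
    Control("Intrusion Detection",
            ("Initial Attack Vector", "Distribute Malware", "Exfiltrate Data"), 2),
    Control("MDM Controls", ("Initial Attack Vector",), 0),
    Control("MultiFactor Authentication", ("Initial Attack Vector", "Establish Foothold"), 4),
    Control("Network Segmentation", ("Identify Interesting Data", "Distribute Malware"), 2),
    Control("Patching", ("Initial Attack Vector", "Establish Foothold"), 3),
    Control("Security Awareness Training", ("Initial Attack Vector",), 2),
    Control("SIEM Deployment", ("Persist Undetected", "Exfiltrate Data"), 1),
]


def phase_coverage(controls, phases=PHASES, target=3):
    """For each phase: how many mapped controls are actually in place (CMM > 0),
    the weakest and mean maturity, and a gap flag when no mapped control reaches
    `target` (3 = Defined), i.e. the phase rests only on ad-hoc or absent controls."""
    report = {}
    for phase in phases:
        mapped = [c for c in controls if phase in c.phases]
        levels = [c.cmm for c in mapped if c.cmm > 0]
        report[phase] = {
            "mapped": len(mapped),
            "in_place": len(levels),
            "min_cmm": min(levels) if levels else 0,
            "mean_cmm": round(sum(levels) / len(levels), 2) if levels else 0.0,
            "gap": all(c.cmm < target for c in mapped),
        }
    return report


def weakest_phases(report, n=2):
    """Phases to prioritise: lowest mean maturity, then fewest controls in place."""
    return sorted(report, key=lambda p: (report[p]["mean_cmm"], report[p]["in_place"]))[:n]


if __name__ == "__main__":
    rep = phase_coverage(CONTROLS)
    for phase, row in rep.items():
        flag = "  <-- no control at Defined or better" if row["gap"] else ""
        print(f"{phase:28} in place {row['in_place']}/{row['mapped']}  "
              f"min {CMM_LEVELS[row['min_cmm']]:12} mean {row['mean_cmm']}{flag}")
    print("Prioritise:", ", ".join(weakest_phases(rep)))
```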

Page 17

The Cyber Kill Chain Methodology – Variation 2
• Law Enforcement Cyber Center – Mandiant version
• Still need to follow the same process steps:
  o List All Available Controls
  o Map existing controls currently in place to the phase
  o Determine Capability Maturity Model Level and map to control
• Is there a “best” version?

Sources – Law Enforcement Cyber Center and Mandiant

Page 18

The Mitre ATT&CK Framework – Overview
• Developed by Mitre Corporation in 2013
• ATT&CK refers to Adversarial Tactics, Techniques, and Common Knowledge
• 2018 Ponemon Institute Survey - Breach Discovery Takes an Average of 197 Days
• Was established for describing and understanding the actions an adversary may take to compromise and operate within an enterprise network
• Doesn’t try to prevent adversaries from entering the network at the perimeter
• The goal is to break down and classify attacks:
  o in a consistent and clear manner
  o make it easier to compare and contrast various attacks
  o focus on what attackers do post exploit – their behaviors
• The different stages of an attack were derived from the Cyber Kill Chain model.
• It describes a list of common Tactics, Techniques, and Procedures used for each task.

Page 19

The Mitre ATT&CK Framework – Overview
• Tactics represent the reason an adversary performs an action
• Techniques represent how a tactical objective is met by performing an action
• Framework
  o Maintains an adversary perspective and not a defensive and reactionary posture
  o Uses empirical data from publicly reported incidents on suspected and actual APT group behavior
  o It is an approximation of what is publicly known
  o Defines an adversary’s actions and specific methods of defense – doesn’t contain a toolset
  o Brings greater awareness of what actions may be seen during an enterprise network intrusion
  o Contains a listing of all tools, custom or commercial code, operating system utilities, and open-source software used by an adversary once inside a network

Source: MITRE

Page 20

The Mitre ATT&CK Framework – Tactic and Technique Matrix

Page 21

The Mitre ATT&CK Framework – Tactic and Technique Matrix

Description - When operating systems boot up, they can start programs or applications called services that perform background system functions. Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry.

Examples - Elise configures itself as a service; Emissary is capable of configuring itself as a service; Hydraq creates new services to establish Persistence.

Mitigation - Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services. Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting such as AppLocker.

Detection - Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software.

Permissions Required – Administrator, System

Effective Permissions - System

Data Sources – Process Monitoring, Process Command Line Parameters

Common Attack Pattern Enumeration and Classification (CAPEC ID) - 550
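To make the Detection row concrete, here is an added example (not the framework's or the presenter's code) that runs the described check over a few constructed process-creation records carrying command-line parameters: it flags service creation through the sc utility, the PowerShell New-Service cmdlet, and direct writes under the Services registry key, and lowers the severity to "review" when the parent process is an installer, reflecting the caveat that new software legitimately creates services. The record format, the installer list and the patterns are assumptions made for this example.

```python
import re

# Constructed process-creation records (not real telemetry):
# timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = r"""
2018-10-04T09:12:01|WS-117|CORP\jdoe|explorer.exe|cmd.exe|cmd.exe /c sc create UpdaterSvc binPath= "C:\Users\Public\upd.exe" start= auto
2018-10-04T09:13:44|WS-117|NT AUTHORITY\SYSTEM|msiexec.exe|sc.exe|sc.exe create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto
2018-10-04T09:15:09|WS-203|CORP\admin1|explorer.exe|powershell.exe|powershell.exe -Command New-Service -Name BackupSvc -BinaryPathName "C:\Tools\bk.exe"
2018-10-04T09:16:30|WS-117|CORP\jdoe|cmd.exe|reg.exe|reg add HKLM\SYSTEM\CurrentControlSet\Services\Shim /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\s.exe
2018-10-04T09:17:02|WS-117|CORP\jdoe|explorer.exe|notepad.exe|notepad.exe C:\notes.txt
2018-10-04T09:18:45|WS-203|CORP\admin1|cmd.exe|sc.exe|sc.exe query wuauserv
"""

# Command-line shapes that register a service (the patterns are this example's assumption)
PATTERNS = {
    "sc create": re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\b", re.I),
    "New-Service cmdlet": re.compile(r"\bnew-service\b", re.I),
    "Services registry write": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\(?:currentcontrolset|controlset\d+)\\services\\", re.I),
}

# Installers legitimately create services (the slide's caveat): triage these, don't discard them
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}


def parse_record(line):
    """Split one pipe-delimited record; the command line itself may contain pipes."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def detect_service_creation(lines):
    """Return one alert per record whose command line registers a service."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        for name, rx in PATTERNS.items():
            if rx.search(rec["cmdline"]):
                severity = "review" if rec["parent"].lower() in INSTALLER_PARENTS else "high"
                alerts.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                               "parent": rec["parent"], "pattern": name,
                               "severity": severity, "cmdline": rec["cmdline"]})
                break  # one alert per record is enough
    return alerts


if __name__ == "__main__":
    for a in detect_service_creation(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']:6}] {a['ts']} {a['host']} {a['user']} "
              f"parent={a['parent']} {a['pattern']}: {a['cmdline']}")
```

The "sc query" and notepad records produce no alert, and the msiexec-parented creation lands in the review bucket rather than being suppressed.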

Page 22

The Mitre ATT&CK Framework – Summary
• What can it be used for?
  o Adversary emulation scenarios to test and verify defenses against common adversary techniques
    • A good way to structure a red team exercise and measure security posture
    • Changes the rules of engagement in a penetration test
  o Identify potentially malicious activity within a system or network that may not rely on prior knowledge of adversary tools and indicators
  o Determine what parts of an organization's computing enterprise lack defenses and/or visibility
  o Test the maturity level of a Security Operations Center
  o Conduct a gap analysis against current defenses
    • Have the blue team analyze and mitigate gaps
  o Cyber Threat Intelligence Enrichment
  o Provides focus on what is needed to improve upon
• Provides a measure of what your security actually is … and what can be detected … not just a collection of defensive techniques
  o The Tactics and Technique chart shows what can be seen if focus is only on the network perimeter ... missing a lot of tactics … need to focus on the host

Page 23

The Zero Trust Model – Overview
• Developed by Forrester Research
• Premise
  o You don’t assume a device or user can access information just because they are part of the network or have been granted access via password or fingerprint.
  o Access is driven by users’ individual needs.
  o Trust models are created based on the device AND the person.
  o The point of Zero Trust is not to make networks, clouds or endpoints more trusted; it’s to eliminate the concept of trust from digital systems altogether
  o All data breaches are, ultimately, breaches of trust
  o John Kindervag, the founder of Zero Trust:
    trust is not the desired state
    trust is the failure point you want to avoid
    trust is a vulnerability
  o The model moves from “Trust but Verify” … to … “Never Trust … Always Verify”

Source – Minion Quotes

Page 24

The Zero Trust Model – Overview
• Key Points
  o Takes into account the possibility of threats coming from External … AND … Internal Sources
  o Focuses on protecting the network endpoints, not just perimeter network security boundaries
  o Eliminates the concepts of a trusted network and an untrusted network
  o The network perimeter has dissolved as employees and businesses have become more agile.
  o All traffic is untrusted … the network cannot be trusted … IoT, cloud, personal devices, trading partners
  o Does not eliminate the need for network perimeters and other security mechanisms
  o Removes trust of the internal network and replaces it with trust of authenticated users and healthy devices
  o Authentication at a point in time is not enough
  o Identity and Access Management (IAM) is the foundation to providing zero trust … SSO, MFA, GRC Solutions
  o Does Identity become the new perimeter?

Page 25

The Zero Trust Model – Principles
o Ensure all resources are accessed securely regardless of location
  • Need to protect data from internal abuse the same as external compromise
  • Encrypted tunnels for internal and external networks … required
  • Focus on the protect surface not the attack surface
o Adopt a least privilege strategy and strictly enforce access control
  • Minimal privileges and access to resources … which users have access to which data
  • Reduces pathways available to malware and adversaries to gain unauthorized access and move laterally
  • Determine how to enforce access control and inspection policies
  • Identify the context in which a device is being used
o Inspect and log all traffic
  • Provides visibility and verifies data flows
  • Who is accessing data, what data is it and how is it being accessed
  • Need to be able to spot abnormal user and device behavior
  • Need to inspect what is happening in allowed applications and services ... “always verify”

Page 26

The Zero Trust Model – Architecture
• Network Segmentation Gateway – Central Security Element
  o Used to define internal trust boundaries
  o Enables secure network access and controls traffic flow
  o Continuously monitors sessions and sees ALL network traffic
  o Contains granular policy regarding data, application, and asset access that is strictly enforced
  o Isn’t this just segmentation – not quite … it’s a lot more:
    Layer 3 Rules – Source, Destination, Port
    Zero Trust Rules – User ID, Application ID, Time Limitations, System Object, Data Classification, Protection Controls
• Define and build trust zones
  o Each zone attached to an interface is a “microcore and perimeter (MCAP)”
  o All resources in each MCAP share similar functionality and attributes
  o All traffic is inspected and logged … between zones and within each zone or MCAP
• Centralized management
  o Switching fabric is placed around the network segmentation gateway
  o In hierarchical networks the switching infrastructure is the center of the network

Source – Palo Alto
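As an added illustration of the Layer 3 versus Zero Trust rule comparison on this slide (example code, not Palo Alto's or Forrester's), a small policy evaluator: the Layer 3 rule matches only source, destination and port, while the Zero Trust rule additionally checks user ID, application ID, a time window, the data classification of the system object and the device's protection controls, and does so on every request rather than trusting an earlier authentication. The rule values, user names, classification ranks and control names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Data classification ranks (constructed for the example)
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    port: int
    user: str                   # authenticated user ID
    app: str                    # application ID, not just a port
    hour: int                   # hour of day 0..23 at which the request is made
    data_class: str             # classification of the data the system object holds
    device_controls: frozenset  # protection controls verified on the device

@dataclass(frozen=True)
class L3Rule:
    src: str    # CIDR
    dst: str    # CIDR
    port: int

    def denial_reasons(self, r):
        ok = (ip_address(r.src_ip) in ip_network(self.src)
              and ip_address(r.dst_ip) in ip_network(self.dst)
              and r.port == self.port)
        return [] if ok else ["layer3"]

@dataclass(frozen=True)
class ZeroTrustRule(L3Rule):
    users: frozenset
    apps: frozenset
    hours: tuple                # (start, end): allowed when start <= hour < end
    max_class: str              # highest classification this rule may grant
    required_controls: frozenset

    def denial_reasons(self, r):
        """Every dimension is re-checked per request; nothing is inherited from the network."""
        reasons = list(super().denial_reasons(r))
        if r.user not in self.users:
            reasons.append("user")
        if r.app not in self.apps:
            reasons.append("application")
        start, end = self.hours
        if not (start <= r.hour < end):
            reasons.append("time")
        if CLASS_RANK[r.data_class] > CLASS_RANK[self.max_class]:
            reasons.append("data_classification")
        missing = self.required_controls - r.device_controls
        if missing:
            reasons.append("device_controls:" + ",".join(sorted(missing)))
        return reasons

# Constructed rules: same 3-tuple, but the Zero Trust rule carries the extra dimensions
L3 = L3Rule("10.20.0.0/16", "10.50.1.10/32", 443)
ZT = ZeroTrustRule("10.20.0.0/16", "10.50.1.10/32", 443,
                   users=frozenset({"jdoe", "asmith"}), apps=frozenset({"hr-portal"}),
                   hours=(7, 19), max_class="confidential",
                   required_controls=frozenset({"disk_encryption", "edr", "patched"}))

HEALTHY = frozenset({"disk_encryption", "edr", "patched"})

def evaluate(req, l3=L3, zt=ZT):
    """Return (layer3_allowed, zero_trust_denial_reasons) for one request."""
    return not l3.denial_reasons(req), zt.denial_reasons(req)

if __name__ == "__main__":
    base = dict(src_ip="10.20.5.7", dst_ip="10.50.1.10", port=443, user="jdoe",
                app="hr-portal", hour=10, data_class="confidential", device_controls=HEALTHY)
    for label, change in [("in hours, healthy device", {}),
                          ("same user at 02:00", {"hour": 2}),
                          ("device missing EDR/patches", {"device_controls": frozenset({"disk_encryption"})}),
                          ("restricted data", {"data_class": "restricted"})]:
        l3_ok, reasons = evaluate(Request(**{**base, **change}))
        print(f"{label:28} L3 allows={l3_ok}  ZT={'allow' if not reasons else 'deny ' + str(reasons)}")
```

Three of the four requests pass the Layer 3 rule unchanged; only the Zero Trust rule tells them apart.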

Page 27

The Zero Trust Model – Roadmap
• Identify and Map the Flow of Sensitive Data … including Toxic Data
• Zero Trust Networks are built around:
  o Data, Services, Applications, Assets
• Define Standards
  o Standards for proving identity
  o Standards for securing devices that access your data
  o Standards for where and when your data and applications may be accessed
• Architect the Network – build from the inside out
  o Based on how transactions flow across a network and how users and applications access the data – no more “model after”
  o Start with critical system assets
  o Enable local endpoint protections - start at the network to define policy before moving to the endpoint
  o Extend network connectivity in a controlled manner
• Adoption

Page 28

Rethinking Defense in Depth

Wrap Up and Questions

Thank You!!!