CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (OCTOBER EDITION)

Layered Defense. I am sure many in the security field have heard this term. Most understand it as having different solutions to protect different portions of the infrastructure: a firewall for the network, endpoint protection for the devices, some form of Multi-Factor Authentication for better verification of access… the list goes on.

What I personally feel goes wrong is treating this as a checklist. Do I have a firewall? Check. Endpoint Security? Check. Once all these requirements are checked, my security is good. Right?

Not completely, in my opinion.

During the time when I was still new to cyber security, I got into a meeting with a bank’s security team. One of the team members said “We can buy all available solutions, block everything, but is that feasible? If it is not, what is the risk of this and how do we minimize or control the risk?”

This statement stuck with me and really made sense. Another, more general statement that should always be remembered is, “if it's too good to be true, it probably is”. Let’s use a simple example of a house.

Let’s say you just built a house and naturally you would want to secure it. Maybe fence up the entire property? What is the crime rate like in the area? What would be the risk of not having a fence? Even with a fence, you would still have a door into your home. If the risk is high or you are just paranoid, you may even consider having a gate before the door. As you shop for locks, this salesperson comes over and tells you the lock he sells is unpickable and you need not even bother to get an additional gate. Too good to be true?

Now you look around your house and notice it is possible to climb through the windows on the first floor. Solution would be to get grilles, but what about the second-floor windows? What are the chances of someone climbing and reaching the second-floor windows? Do I want to spend my budget on getting grilles for the second-floor or invest in some alarm system?

In the example, the planning and design of the security is based on risk. Ideally, I think it would be great if all cyber security personnel planned their security in this way. As the term “Layered Defense” states, you build layers to reduce risk. There is no silver bullet solution and there should be decisions on what product should be purchased and even how it is configured with the goal of reducing risk in mind. But remember, there is no such thing as zero risk. It simply does not exist and there is no way to reduce risk to zero.

Back to the cyber world, a common example I hear is companies running legacy operating systems because their business-critical software was not designed to run on newer, supported operating systems. With that, there is no way to patch should a vulnerability appear, and there is a security risk involved. So how do you secure these systems? Do you still treat them like your other servers running on supported operating systems? Slap on an anti-malware solution and call it a day? Instead, use a risk management approach. Must this server be public facing? Is it possible to restrict access, and even the protocols allowed, to these servers? For the service to function, must it be part of the domain? Is it possible to store the important data on another server which can be better secured? That thought process creates feasible security for the legacy systems, with risk that is much more manageable. Even if the server is compromised, access from it to other systems has already been considered.

So where does Cyber Threat Intelligence come into play here? Remember there is no silver bullet to security, and Cyber Threat Intelligence is just another layer. As the name implies, it is not a product, but information. The value of CTI is having the capability to learn of methods used to breach environments. One common way is to monitor for intelligence of threats against companies of the same industry.

For example, if the company I am securing is a hospital, I would monitor threats against the healthcare industry. Understanding that a threat actor is currently targeting exposed MSSQL servers, for example, allows the team to first check whether they have an exposed MSSQL server at all. If they do, the next step is to check for similar traits, such as the build version of the MSSQL service and signs of attempts to remotely exploit the system and run commands on it. Even if all of these are secured (server is patched, XDR in place to monitor the system and perform threat hunts on related indicators), the 5 Ws 1 H, which I talked about in the last article, should be asked. Why is this server public facing? What other services is this server running? How can I reduce the risks of this exposed server? Should this MSSQL server, holding data that poses a risk if stolen, be exposed to the public, or is there a way to restrict access, such as only through a VPN or only from a specific remote IP?
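As an added example (not code from the article), here is a small Python detector for the "signs of attempts to remotely exploit and run commands" check above, run over constructed SQL Server ERRORLOG-style lines. The allowlisted network, the failure threshold and the client IPs are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of a SQL Server ERRORLOG (not real captured data).
SAMPLE_ERRORLOG = """\
2024-10-03 02:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-03 02:14:08.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-03 02:14:09.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-03 02:15:02.15 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-10-03 02:15:30.60 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-03 09:00:00.00 Logon       Login succeeded for user 'HOSPITAL\\appsvc'. Connection made using Windows authentication. [CLIENT: 10.20.0.15]
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\s+(.*)$")      # timestamp, source (Logon/spidNN), message
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")       # client IP appended to logon messages

def parse(log_text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)

def analyze(log_text, allowed_nets, threshold=3, window=timedelta(seconds=60)):
    """Return (alert_kind, detail) tuples: failed-login bursts, successful logins from outside
    the allowlisted networks, a success following a burst, and xp_cmdshell being switched on."""
    nets = [ip_network(n) for n in allowed_nets]
    failures = defaultdict(list)   # client IP -> timestamps of failed logins seen so far
    alerts = []
    for ts, src, msg in parse(log_text):
        client = CLIENT_RE.search(msg)
        ip = client.group(1) if client else None
        if msg.startswith("Login failed") and ip:
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) == threshold:          # fire once, when the window first fills
                alerts.append(("brute_force", ip))
        elif msg.startswith("Login succeeded") and ip:
            if not any(ip_address(ip) in n for n in nets):
                alerts.append(("login_outside_allowlist", ip))
            if len(failures.get(ip, ())) >= threshold:   # guessed password is the likely story
                alerts.append(("success_after_failures", ip))
        elif "'xp_cmdshell' changed from 0 to 1" in msg:  # command execution being enabled
            alerts.append(("xp_cmdshell_enabled", src))
    return alerts
```

Each alert maps back to one of the questions in the text: a login from outside the allowlist is the "should this be exposed" question, and xp_cmdshell being enabled is the "run commands on the system" trait.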

This entire process is a cycle as threats will always evolve and continuous understanding of these threats will allow the security team to learn of the risks and adapt a strategy to defend against the new threat.

Another common mistake I often experience is companies getting a NAS and backing up data to it. That is a great first step towards having data resiliency in the event of hard disk failure, but that does not reduce the risk of a breach.

“I have data backed up, so if I get hit with ransomware, I can recover from the NAS.”

That’s the statement I often hear, but when an actual ransomware attack hits, the failure to realize that this is a human adversary whose goal is to make sure all your business-critical data, including the backups, is encrypted is devastating. Adversaries easily discover there is a NAS in place, through mapped drives, applications on the server itself, or by looking at the scheduled tasks. And often, for convenience, access to the NAS from the server is unhindered. The result is that the data on the NAS gets encrypted too. I have also seen cases of adversaries simply resetting the NAS to factory default, wiping out all data in the process.

In a risk management approach, questions such as “What if the NAS gets compromised?”, “How do I secure the NAS?”, “Do I have another copy of the data, maybe a week old, stored offline?”, should be asked.

This is the reason many security practitioners say, “Assume breached”. Daunting as it may sound, companies need to understand that this is the way to design their security, and smaller organizations should approach a security advisor who plans using the same risk management approach.


Biography

Harvey Goh

Harvey Goh is a cyber security specialist who has been in the cyber security industry for over 15 years as technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of the AiSP CTI SIG and EXCO, and a volunteer at the CSCIS CTI SIG.

Views and opinions expressed in this article are my own and do not represent that of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or correction of errors.