I was sitting in my United Airlines exit-row seat the other day chatting with the person next to me while flying to Washington, DC to meet with some associates in the government and defense industry. The usual ‘what do you do’ conversation came up. We’ve been working on a far better elevator pitch than I used to use, so I was able to succinctly answer, “We build highly secure servers that are very unlikely to get viruses (malware, rootkits, etc., depending how initiated my partner in this chat is), put a firewall around each application, log everything in a non-destructible manner, and are remotely manageable.” It felt really good to be able to explain a majority of our value proposition in less than 20 seconds and at the same time invite more inspection and conversation from my seat mate.
Within five minutes I realized I had met someone who was, at a minimum, highly inquisitive and seemed quite knowledgeable, as we started ruminating on different attack vectors and the different styles of attack seen in industry today. Feeling pretty inspired after that conversation, and having a better command of how our system prevents most of the more common attacks, mitigates some of the worst, and identifies when it is being compromised by the newest threats, I started chatting with my friend Allan at a small off-the-beaten-path coffee shop, and again the conversation turned to attack vectors seen in government.
I was telling the adage of the two men relaxing after a day of fly fishing with their bare feet in the stream when a bear notices them from afar and starts charging towards them. The first man gets up and starts running as fast as he can. The second man methodically starts putting on his shoes. Man 1 looks back, stops, and yells incredulously, “you can’t outrun a bear you idiot, come on!” The second man looks at the first and says, “I don’t have to outrun the bear you idiot” (implying – I just have to outrun you). Many of the initial attacks people encounter are like the bear unless you have a large repository of interesting private data.
The bear looks for the closest, easiest prey. The job in defending against a bear is not necessarily to build the most impenetrable, air-gapped defensive structure ever seen – it is simply to be significantly better than the average of your peers. Thus when that bear comes along your systems are well protected, or at least far more trouble for the hacker than the other 90%, and thus the least likely to be penetrated by an attack. Low-hanging fruit gets picked first and all that.
A few things to look into that will set your security framework far ahead of your peer group are things like:
– Identify critical control-point systems and ensure they are booting signed images, logging administrative transactions, etc.
– Build a bastion host for your administrators to access ‘back-end’ servers; use two-factor authentication there and on all systems where feasible
– In your DMZ, lock down the hosts and put virtual or hardware firewalls between each segment
– User networks that receive email and enable outside transactions should have zero access to data stores – effective segmentation can prevent many of the dumbest breaches
The bloodhound is an altogether different type of adversary. We saw an example of one of these attacks hit today with the data breach at Ashley Madison. A target is identified, researched, and methodically and relentlessly pursued. With enough skill, patience, and budget your attacker will get in. The question isn’t so much ‘if’ as ‘when’. For these scenarios, two-man and M-of-N admin rules, true air gaps, and policy changes around non-volatile storage, gold-master signed image repositories, removal of all desktops, deployment of systems that log all transactions in/out separately from the host O/S, etc. are the only recourse.
Even then, in the bloodhound scenario, with enough application of resources an employee can sometimes be convinced to do the wrong thing. Ensuring there is proactive control and logging over administrative sessions into systems is critical. Some things to consider:
– A true airgap in management/administrative stations – separate switches, routers, etc. These stations should have no ability to export data to USB, CD-RW, etc.
– The hosts themselves should geo-IP lookup all management sessions and ensure they are coming from authorized address ranges. I like using reverse-DNS for this and the admins of the DNS servers should be separate from the admins of the data warehouses/repositories.
– Proactive recording of all admin/management sessions is very useful for forensics and for identifying who did what after the fact; although it won’t prevent a breach, it will help prosecute the belligerents
– One interesting consideration a co-worker mentioned was identifying ‘high bandwidth’ administrative sessions – there are very few situations where an SA should be using hundreds of megabits to manage a server. Identifying these sessions can point a finger towards activity worth looking into.
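Two of the checks above (management sessions must originate from authorized address ranges, and ‘high bandwidth’ admin sessions deserve a second look) are easy to automate over session logs. The following is an added example, not code from the original post: the log format, the authorized management networks, and the 100 Mbit/s threshold are all constructed for illustration, and the reverse-DNS lookup suggested above is replaced by a plain address-range check so the script runs offline.

```python
import ipaddress

# Networks an admin session may originate from (constructed for this example).
AUTHORIZED_MGMT_NETS = [ipaddress.ip_network("10.50.0.0/24"),
                        ipaddress.ip_network("192.0.2.0/24")]
# Throughput above which an interactive admin session is suspicious (assumed threshold).
HIGH_BANDWIDTH_MBPS = 100.0

# Constructed session records: timestamp, user, source IP, bytes moved, duration in seconds.
SESSION_LOG = """\
2015-07-20T09:12:03Z user=alice src=10.50.0.17 bytes=1843200 dur=900
2015-07-20T09:40:11Z user=bob src=10.50.0.22 bytes=7516192768 dur=300
2015-07-20T10:05:44Z user=carol src=198.51.100.9 bytes=204800 dur=120
2015-07-20T10:31:27Z user=dave src=192.0.2.41 bytes=52428800 dur=1800
"""

def parse_session(line):
    """Turn one 'key=value' log line into a dict of typed fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["bytes"] = int(rec["bytes"])
    rec["dur"] = int(rec["dur"])
    return rec

def session_mbps(rec):
    """Average throughput of the session in megabits per second."""
    return rec["bytes"] * 8 / rec["dur"] / 1_000_000

def review_sessions(log_text):
    """Return (user, src, reason) findings for sessions worth looking into."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_session(line)
        if not any(rec["src"] in net for net in AUTHORIZED_MGMT_NETS):
            findings.append((rec["user"], str(rec["src"]),
                             "source outside authorized management ranges"))
        mbps = session_mbps(rec)
        if mbps > HIGH_BANDWIDTH_MBPS:
            findings.append((rec["user"], str(rec["src"]),
                             f"high-bandwidth admin session: {mbps:.0f} Mbit/s"))
    return findings

if __name__ == "__main__":
    for user, src, reason in review_sessions(SESSION_LOG):
        print(f"{user}@{src}: {reason}")
```

On the constructed log this flags bob’s 200 Mbit/s session and carol’s session from an unauthorized source, while alice and dave pass both checks.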
A final thought – in the defense you need to understand your attacker. It is like playing a classic tower defense game (my personal favorite being Fieldrunners). Your enemy can always send enough bad guys at you to overwhelm your defenses; our goal in the defense is to delay the penetration long enough, make it difficult enough, and make it obvious enough that we can identify when we are being attacked and turn off access to the resources being targeted. If any user can gain network access to your document store, credit card info, user database, trading systems, accounting systems, etc. – you deserve what you are going to get, as your defense is unprepared for the threat.
P.S. I have to give a shout out to some friends who helped me put this piece together through some fun conversations and debates: Allan Friedman, the Director of Cybersecurity Initiatives for the US Department of Commerce, NTIA, who, in addition to inspired discourse, came up with a far better title for this than the ones I had been ruminating on. Greg Kesner, who in my initial conversations and debates kept pointing out to me (until it finally got through) that the attack vector of a focused entity like a nation state is very different than the spray-and-pray style used in a weaponized phishing attack. Greg and I are having a fireside chat webcast in early August about the types of attacks nation-states are perpetrating against corporate and government entities. Given Greg’s background it should be a pretty good one and I’ll do my best to keep it entertaining.
P.P.S – I wish I had Chris Hoff’s creativity and could actually write a ballad… I tried, I tried in the shower, I tried on the train – I can’t actually write a ballad…