Progress in cyber security comes from one big hack to the next, with two of the most recent high-profile incidents starring FireEye and SolarWinds: one had its red team tools pilfered, and the other was co-opted as part of a supply-chain attack targeting its customers. In these instances, it’s always easy for people to wag fingers and shake their heads in contempt, especially if you point to something like Verizon’s Data Breach Investigations Report, which suggests an uptick in data breaches over the years with no decline in sight. But when you take a look at the dwell time, or the number of days between compromise and detection, it’s actually gone down over the years, suggesting an overall improvement in security.
The truth is that treating an organization’s cyber defense purely in terms of its preventative abilities is a deeply flawed and outdated framework, which is why in this video we’re going to go over what might be the biggest misconception in cybersecurity, a more modern way of thinking about it, and four of the most important things you should be doing to improve the cyber defenses on your organization’s network. Let’s start off with that big misconception in cyber, and that’s the word security, where you either call things secure or insecure. In most infosec-related courses, they’ll describe security using the CIA triad framework, which stands for the confidentiality, integrity, and availability of data and systems. It was first mentioned in a 1977 NIST publication: Audit and Evaluation of Computer Security by Albrecht Neumann, Norman Statland, and Richard Webb. Frameworks like these are great to learn, but they can be quite limiting, since if you approach them with a binary view of security, as soon as any one of these pillars gets compromised, you’re insecure. Asking if a network or app is secure is like asking if somebody’s healthy, which requires much more context. Take Bob and Alice, for instance. Alice exercises, sleeps plenty, and gets fueled by farm-to-table meals and lots of water, but recently got sick from COVID. Bob, on the other hand, is overweight, smokes two packs a day, and gets fueled by a diet of soda and McDonald’s, but is otherwise disease-free.
As you can see, it’s a bit over-simplistic to call Bob healthy and Alice unhealthy, because when you evaluate the health of a human body, it’s much more than just your ability to prevent bacteria and viruses from getting in through barriers like the skin, mucous membranes, or digestive system. Microbes get past those barriers all the time. There are also non-specific countermeasures like inflammation and fever that create an inhospitable environment for microbes, and specific immune responses, where B and T cells tag them with antibodies for attack. It’s this type of defense-in-depth, and our ability to detect and respond to intrusions, that keeps us healthy, with lifestyle playing a key role in shaping it. The same concept applies to an organization. In a traditional cyber defense framework, the focus is on prevention:
Firewalls, blocklists, network or host IPS, anti-exploitation features like Windows Exploit Guard, or access control systems like SELinux. Preventative measures are often seen as a plug-and-play solution for cyber security, with higher initial capital expenditures and lower operating costs. Just slap a new shiny appliance on the network and you’re secure, right? The truth is that prevention is only the first layer in a modern cyber defense framework. Things like deception, detection, and response are much more important factors, and they require talented people and mature processes to pull off. The notion that military and government networks are ultra secure compared to corporate ones doesn’t quite hold true when you look at it this way, because in today’s threat environment, you’ve really got to operate with the assumption that you’re already compromised. Even if you’re not, this mentality changes your decision-making calculus when building your cyber defenses. Rather than focusing on preventing intrusions, you’re much more focused on containing their reach and hunting them down. Instead of just blocking something from happening, you’ll also generate events to correlate and analyze activity. Log events seldom happen in isolation: something fishy in one place usually means there’s something fishy elsewhere too, since attackers’ actions are chained together throughout the attack cycle. You might even plant decoys and honeypots to gather intel on an adversary’s actions.
Take a listen to Rob Joyce, former chief of NSA’s Tailored Access Operations, to see what he has to say on it: “Any large network, I will tell you that persistence and focus will get you in without the zero days. One of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior going on. And somebody’s paying attention to it.” Rob’s account kind of reminds me of English philosopher Jeremy Bentham’s panopticon idea, which is a penitentiary design that allows a single guard to selectively watch any of the inmates at any time without the inmates knowing whether or not they’re being monitored. Even though the guard can’t track everyone at the same time, the uncertainty raises the stakes for bad behavior. So with these concepts in mind, let’s start off with the first way to improve your cyber defense, which is building a defensible network. Also called security architecture, it’s all about designing things so you can have visibility into what’s happening on the network, which begins by knowing what’s even there. We’ve all heard about knowing yourself and knowing the enemy from Sun Tzu’s Art of War, so let’s first focus on ourselves. To do this, it’s crucial that you maintain a good asset inventory that tracks all the identifiers of anything connected to your network, such as IP addresses, hostnames, serial numbers, locations, and operating systems, along with the responsible users with access to them. While you could do all this in an Excel spreadsheet, there are also great tools like Rumble, made by HD Moore, who also happens to be the creator of Metasploit, that make it easy to scan your network and fingerprint what’s on it. Once you’ve got a good inventory, the next consideration is how to hook them up.
If you create a flat network without proper segmentation, like connecting all your devices to a dumb switch or the same access point, there’s no way to prevent them from talking to each other or to detect whether they do. One of the first things an attacker does after gaining initial access into your network is to identify what other devices it can reach, then move laterally. There’s zero visibility in this case, and the network’s indefensible.
As soon as you break up the avenues of approach with VLANs and configure access controls, you’ve introduced some compartmentalization into the network. Even better, you might want to consider using Private VLANs or Client Isolation on wireless networks, which puts every single endpoint on its own segment and prevents them from talking to each other. If someone opens a phishing email and gets hacked, it’s more difficult to maneuver laterally. Compromises like these that originate from within the network will need to eventually phone home, so another action to consider in your security architecture is to deny outbound traffic by default. Most organizations will block uninitiated inbound traffic except for explicit services like VPNs, so why not do the same for outbound? In many cases, the only types of traffic that should be allowed to egress are HTTPS on 443, DNS on 53, and SMTP on 25, among some others that users might actually need to access. Any other outbound traffic that gets blocked can tip you off to misconfigurations, or policy violations like someone plugging in their Xbox or installing unauthorized software. It also narrows down the network traffic you need to inspect, and offers log data to look at. Leveraging preventative measures like blocking outbound traffic can help inform your detection and response capabilities, which, as we discussed earlier, can be more important layers of a good cyber defense strategy. Which brings us to the second way to improve cyber defense, and that is to implement proper security monitoring in your organization. There are two important sides to a good security monitoring framework: asset monitoring and network monitoring. Let’s start with the first.
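To show how a default-deny egress policy turns blocked traffic into a detection signal, here is an added Python example (not code from the video) that applies a policy like the one just described to a handful of constructed flow-log lines and summarizes the denials per internal host. The log format, the IP addresses and the single VPN exception are made up for the example; the allowed ports 443, 53 and 25 are the ones named above.

```python
import re
from collections import defaultdict

# Default-deny egress: only these destination ports may leave the network.
# 443, 53 and 25 are the ports named in the video.
ALLOWED_EGRESS_PORTS = {443, 53, 25}

# Constructed exceptions: (source host, destination port) pairs users actually need.
# 10.0.20.15 is a made-up VPN client allowed to reach OpenVPN's default port.
EXCEPTIONS = {("10.0.20.15", 1194)}

# Constructed flow-log format (not any vendor's):
# "<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Constructed sample flows: a normal HTTPS session, the VPN exception, a host
# repeatedly hitting an Xbox Live port, and a host trying an unusual port.
SAMPLE_FLOWS = [
    "2024-01-10T09:00:01Z src=10.0.20.15 dst=203.0.113.10 proto=tcp dport=443",
    "2024-01-10T09:00:02Z src=10.0.20.15 dst=203.0.113.20 proto=udp dport=1194",
    "2024-01-10T09:00:03Z src=10.0.20.33 dst=198.51.100.5 proto=tcp dport=3074",
    "2024-01-10T09:00:04Z src=10.0.20.33 dst=198.51.100.5 proto=tcp dport=3074",
    "2024-01-10T09:00:05Z src=10.0.20.40 dst=192.0.2.9 proto=tcp dport=4444",
    "2024-01-10T09:00:06Z src=10.0.20.40 dst=10.0.10.2 proto=udp dport=53",
]


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None for unparseable input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def evaluate(flow):
    """Apply the default-deny egress policy: allow listed ports or explicit exceptions."""
    if flow["dport"] in ALLOWED_EGRESS_PORTS:
        return "allow"
    if (flow["src"], flow["dport"]) in EXCEPTIONS:
        return "allow"
    return "deny"


def summarize_denied(lines):
    """Count denied outbound attempts per source host and destination port,
    so the blocked traffic becomes something an analyst can review."""
    per_host = defaultdict(lambda: defaultdict(int))
    for line in lines:
        flow = parse_flow(line)
        if flow is None or evaluate(flow) != "deny":
            continue
        per_host[flow["src"]][flow["dport"]] += 1
    return {host: dict(ports) for host, ports in per_host.items()}


if __name__ == "__main__":
    for host, ports in summarize_denied(SAMPLE_FLOWS).items():
        print(host, ports)
```

The per-host summary is the useful output: a host repeatedly hitting one odd port (3074 in the sample) looks like a misconfiguration or an unauthorized device, while a host trying many different ports looks more like reconnaissance, and both deserve a ticket.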
When it comes to asset monitoring, every device on the network needs to be configured to generate logs, whether it’s network appliances like routers, switches, and firewalls, servers running services like file shares, DNS, and Web, or endpoint devices like phones or workstations. Doing so lets you correlate activity that’s happening, whether it’s failed login attempts or blocked connections. All these logs need to get streamed and centralized somewhere that’s air-gapped or at least segregated from the main network for monitoring, not saved locally to the devices, so that an attacker can’t just erase them and blind you. Whether it’s native remote logging features like Syslog or Windows Event Collector, or third-party forwarding agents like Logstash, send everything off to a centralized monitoring platform. Projects like the ELK Stack provide you a free, DIY approach to building a SIEM, which by the way stands for security incident and event management. Monitoring these systems for strange behavior or attempted modifications to the baseline will let you layer detection and response functions on top of any preventative measures already in place. On Windows, install and configure Sysmon to generate detailed event logs like process creations, network connections, and changes to the file system. SwiftOnSecurity has a Sysmon configuration file on his GitHub repo that filters for high-quality events to avoid log overload. For something more cross-platform, osquery by Facebook gives you endpoint visibility by letting you regularly query for information about a system, just like an SQL database, from simple things like logged-in users or listening ports, to advanced ones like processes running in memory without a corresponding file on disk. Monitoring asset activity will give you detailed access to systems on an on-demand basis. But device logs only tell you part of the story.
For a more holistic perspective into what’s happening in the network, you also want to track what’s traversing the network, which is referred to as network monitoring. The best way to do this is to create choke points for the types of traffic that you do allow outbound, so you can inspect them; these are pretty easy to identify if you’ve properly segmented the network. One of the most important types of choke points is a local DNS server that will log and forward domain queries for systems on the network. Baseline your systems to use this server as their DNS resolver, and have your firewall block and alert on any DNS traffic not going through it. This lets you check domains against public blocklists, submit unknown ones to reputation scoring services, and calculate entropy to counter everything from ad networks to malware domains. For non-enterprise networks, there are projects like Pi-hole that are easy to set up and can do this for you. In a pinch, there are also public resolvers like Cisco’s OpenDNS, Cloudflare, or Quad9 that will check queries against threat intel feeds and block known malicious domains. Another super-important choke point is a forward proxy like Squid or Zscaler that clients must use to send web traffic. Besides the benefits of traffic shaping or caching data for faster connections, web proxies can track user agent strings, TLS certificates, and the websites that are being accessed, which lets you filter based on reputation or type of content. For further visibility, you may also want to activate TLS interception so you can see what’s happening within the web traffic at the data level. How TLS interception works is that you first install the organization’s TLS certificate as a trusted certificate authority for clients on the network, so that the proxy can act as a man-in-the-middle and negotiate the encrypted connections on their behalf.
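As an added example of the DNS choke-point checks just mentioned (blocklist lookup plus an entropy score), and not code from the video or from Pi-hole, this Python triages a few constructed resolver log lines. The log format, the blocklist contents, the entropy threshold and the second-level-label heuristic are all assumptions of the example; a production version would use the public suffix list and a real threat-intel feed.

```python
import math
import re
from collections import Counter

# Constructed blocklist using reserved documentation names; a real deployment
# would load a public feed here.
BLOCKLIST = {"bad.example", "tracker.example.net"}

# Constructed resolver log format, loosely dnsmasq/Pi-hole-like but not a real one:
# "<ts> query[<type>] <name> from <client-ip>"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample queries: two ordinary lookups, one blocklisted subdomain,
# and one random-looking label of the kind domain-generation algorithms produce.
SAMPLE_QUERIES = [
    "2024-01-10T09:01:00Z query[A] www.example.com from 10.0.20.15",
    "2024-01-10T09:01:01Z query[A] cdn.tracker.example.net from 10.0.20.15",
    "2024-01-10T09:01:02Z query[A] x7k2q9vb4mzt8.example from 10.0.20.40",
    "2024-01-10T09:01:03Z query[AAAA] mail.example.org from 10.0.20.33",
]


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name):
    """Second-level label, e.g. 'example' for 'www.example.com'. This ignores
    multi-part public suffixes such as co.uk; a production version should use
    the public suffix list (a simplification assumed by this example)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def in_blocklist(name):
    """True if the name or any parent domain is on the blocklist."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST)


def classify_query(name, entropy_threshold=3.5, min_len=12):
    """Blocklist first, then an entropy heuristic on long random-looking labels.
    The threshold and minimum length are made-up starting points to tune per network."""
    if in_blocklist(name):
        return "blocklisted"
    label = registrable_label(name)
    if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold:
        return "high-entropy"
    return "ok"


def triage(lines):
    """Return (client, name, verdict) for every query that is not plainly ok."""
    findings = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_query(m["name"])
        if verdict != "ok":
            findings.append((m["client"], m["name"], verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_QUERIES):
        print(*finding)
```

The entropy verdict is a triage signal, not a block decision: CDN and cloud hostnames can be just as random-looking, so high-entropy hits are best fed to a reputation service or an analyst rather than dropped outright, while blocklist hits can be blocked at the resolver.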
If malware is tunneling data or doing command-and-control through HTTPS, it will either reject the organization’s custom certificate and fail, or accept it and allow you to inspect and detect what’s under the hood. For applications that use certificate pinning, you’ll have to exempt them with an exception in your web proxy, but that’s on an as-needed basis. One recent development that’s made it very hard to track DNS requests is DNS-over-HTTPS, also called DoH, now supported by major web browsers and public DNS resolvers; it’s also becoming a common C2 channel abused by malware, since it hides the domain names being queried by a client. Intercepting TLS traffic can give you visibility into these domain names that would otherwise be encrypted. Along with proxies, we also want to consider using a network tap or SPAN port to mirror traffic going between security perimeters and sending it to an intrusion detection system like Snort or Suricata to generate alerts and events on malicious traffic. Even though signature-based methods have their limitations, a properly tuned ruleset is indispensable for detecting known-bad activity that you’d otherwise miss. To avoid alert overload, you’ll want to activate rules one at a time and tune down their false positives. Rules should be regularly updated and pruned as the network evolves so that the IDS isn’t overwhelmed and doesn’t drop traffic. For an anomaly-based IDS, definitely implement a system like Zeek, formerly called Bro, to generate event logs from traffic and provide a holistic overview of all the conversations happening across the network. Zeek can even carve files off the wire, so all those email attachments and files users are downloading can get archived for examination or submitted to VirusTotal for scanning.
While you’re at it, you may even want to archive full packet capture for a period of time, so analysts can retroactively perform network forensics if an incident occurs. Just looking at logs only gets you so far in drawing conclusions about an investigation, because as my favorite saying goes, PCAP or it didn’t happen. It’s really not that hard, since storage costs have literally gone from millions of dollars per gigabyte to pennies per gig today, so it’s not that expensive to store PCAP on a RAID array that’s packing a few dozen terabytes. One thing to note for security monitoring is that whether it’s telemetry from endpoints, proxies, or IDS, you want to make sure everything’s synchronized via an NTP (Network Time Protocol) server so that the timestamps all match correctly, preferably using UTC time. Otherwise, it’ll be really difficult to correlate activities across everything. But at the end of the day, remember: increased visibility increases defensibility, which lets you improve your organization’s detection and response capabilities. The fourth and final principle for improving cyber defense is establishing a security baseline across all of your systems. It’s hard to monitor for anomalous activity when you don’t even have baseline configurations for assets across the network. Defaults tend to come with all sorts of vulnerabilities, and depending on the system, it can be a matter of hours or minutes before an unpatched, default device connected to the public Internet gets hacked. Baselines introduce consistency and reproducibility into your organization as well, since it’s no good if only some systems are hardened while others aren’t. To start, you want to maintain a good software inventory to track which kinds of software can actually operate in your organization, by using application whitelisting (now called allowlisting) software like Windows AppLocker or fapolicyd on Linux to block and alert when unknown programs get run.
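To make the NTP and UTC point above concrete, here is an added Python example (not from the video) that normalizes timestamps from three constructed telemetry sources into UTC and then clusters, per host, the events that fall within a short window of each other. The event formats and values are made up; the example also refuses a timestamp with no offset, because guessing the zone is exactly how correlation silently goes wrong.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from three telemetry sources with three different timestamp
# conventions (none of these are real product log formats): the endpoint agent
# reports UTC with a trailing Z, the proxy reports local time with a UTC offset,
# and the IDS reports epoch seconds. The hosts and details are made up.
SAMPLE_EVENTS = [
    {"source": "sysmon", "ts": "2024-01-10T14:03:10Z", "host": "ws-17",
     "detail": "process created: powershell.exe"},
    {"source": "proxy", "ts": "2024-01-10T09:03:12-05:00", "host": "ws-17",
     "detail": "CONNECT 203.0.113.10:443"},
    {"source": "ids", "ts": "1704895395", "host": "ws-17",
     "detail": "alert: placeholder signature"},
    {"source": "proxy", "ts": "2024-01-10T10:30:00-05:00", "host": "ws-17",
     "detail": "GET https://www.example.com/"},
]


def to_utc(ts):
    """Normalize an epoch-seconds or ISO-8601 timestamp to an aware UTC datetime.
    A timestamp with no offset is rejected rather than guessed: the logger that
    produced it should be fixed to report its zone."""
    if ts.isdigit():
        return datetime.fromtimestamp(int(ts), tz=timezone.utc)
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp has no UTC offset: %s" % ts)
    return dt.astimezone(timezone.utc)


def correlate(events, window_seconds=30):
    """Sort all events on the UTC clock and group, per host, those that fall
    within window_seconds of the previous event for that host."""
    ordered = sorted(
        ({**e, "utc": to_utc(e["ts"])} for e in events), key=lambda e: e["utc"]
    )
    clusters = []
    open_cluster = {}  # host -> the cluster currently being extended
    window = timedelta(seconds=window_seconds)
    for e in ordered:
        cluster = open_cluster.get(e["host"])
        if cluster is not None and e["utc"] - cluster[-1]["utc"] <= window:
            cluster.append(e)
        else:
            cluster = [e]
            clusters.append(cluster)
            open_cluster[e["host"]] = cluster
    return [[(e["source"], e["utc"].isoformat()) for e in c] for c in clusters]


if __name__ == "__main__":
    for cluster in correlate(SAMPLE_EVENTS):
        print(cluster)
```

On the sample data the process creation, the proxy CONNECT and the IDS alert land within five seconds of each other once all three are on the UTC clock, and the later proxy request forms a separate cluster. Had the proxy's five-hour offset been ignored, the same three events would have appeared hours apart and never been linked.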
Since many modern offensive techniques also execute code through PowerShell or Visual Basic scripts, you’ll need to look into logging and locking down script execution as well. But these are just a few of the many other things you’ll need to do, like reducing privileged access or enabling auditing. To make sure you’re not missing steps, you really want to take a checklist approach of industry best practices. A great reference you should check out is the CIS, or Center for Internet Security, Benchmarks, which are free PDFs documenting steps you should take to harden everything from operating systems and network devices to server software and web browsers. They do offer build kits and a tool to automatically configure systems according to their benchmarks via shell scripts and Group Policy Objects. The National Institute of Standards and Technology, or NIST, maintains a vulnerability database that lets you search for security baselines, whether provided by governmental agencies to run against systems or by third-party authorities like CIS. You can download these baselines in SCAP format, which stands for Security Content Automation Protocol, and scan devices with a tool like OpenSCAP. You can use SCAP data with a vulnerability scanner like OpenVAS to regularly check if your systems need patching. Besides CIS and NIST, there are also vendor-provided baselines like Microsoft’s Security Compliance Toolkit, which lets you test Windows operating systems against Microsoft’s recommended baselines. For Linux systems, there are Ansible playbooks offered on GitHub repos like OpenStack or Dev-Sec that you can deploy to harden server hosts in an automated fashion. Whatever your choice, security baselines are definitely not something you should apply manually, which is why understanding scripting and automation is one of the most important skills to learn in cyber security, especially cyber defense.
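Here is an added Python example (not code from the video, AppLocker or fapolicyd) of the allowlisting decision that tools like those make: each process-creation event is checked against a baseline of approved hashes and trusted directories, and anything unknown or modified is denied and reported. The paths, the file contents and their hashes, and the event list are all constructed for the example.

```python
import hashlib

# Constructed path rules: directories whose contents may run even without a hash entry.
# Written with escaped backslashes because a raw string cannot end in one.
TRUSTED_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\")


def sha256_hex(data):
    """Hex SHA-256 of file contents, the identity an allowlist hash rule keys on."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: path -> SHA-256 of the approved binary. The byte strings
# stand in for real executable contents and exist only so the hashes are reproducible.
APPROVED_HASHES = {
    r"C:\Windows\System32\notepad.exe": sha256_hex(b"constructed contents of notepad.exe"),
    r"C:\Program Files\Vendor\tool.exe": sha256_hex(b"constructed contents of tool.exe v1"),
}

# Constructed process-creation events: (path that ran, contents of that file).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\notepad.exe", b"constructed contents of notepad.exe"),
    (r"C:\Program Files\Vendor\tool.exe", b"constructed contents of tool.exe TAMPERED"),
    (r"C:\Program Files\Other\helper.exe", b"constructed contents of helper.exe"),
    (r"C:\Users\alice\AppData\Local\Temp\update.exe", b"constructed contents of update.exe"),
]


def decide(path, contents):
    """Return (verdict, reason). Hash rules win over path rules: a known binary whose
    hash changed is reported as modified even though it sits in a trusted directory."""
    expected = APPROVED_HASHES.get(path)
    if expected is not None:
        if sha256_hex(contents) == expected:
            return "allow", "hash matches baseline"
        return "deny", "hash mismatch: binary modified or replaced"
    if path.startswith(TRUSTED_PREFIXES):
        return "allow", "path rule: trusted directory"
    return "deny", "unknown program outside trusted directories"


def audit(events):
    """Evaluate every event and return the denials, which are what should alert."""
    denials = []
    for path, contents in events:
        verdict, reason = decide(path, contents)
        if verdict == "deny":
            denials.append((path, reason))
    return denials


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_EVENTS):
        print("DENY", path, "-", reason)
```

Path rules are the weaker of the two: if a user can write into a trusted directory, a path rule alone lets anything dropped there run, which is why the hash rule is checked first and why a real allowlisting baseline also restricts who can write to those directories.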
So with all these concepts in mind, you might be thinking: “Gee, that’s a lot of stuff to learn and implement, how am I ever going to get there?” Well, the answer is one step at a time. You’re not going to be able to learn and understand many of these technology stacks all in a week or a month, especially since there are also concepts like cyber deception, threat intelligence, threat hunting, and threat emulation that we haven’t even begun to cover yet. It’s much easier to work with others to tackle all four principles we’ve mentioned, since cyber defense is a team effort over time of continually improving your network’s position from a foxhole, to a bunker, and then a fortress. Most organizations’ networks tend to have things slapped on over time and end up looking like slums: functional but quite vulnerable to compromise. It’s only when you deliberately design a network for security and robustness, with talented people operating it, that your organization can continually adapt and thrive in an environment of constant cyberattacks. If your organization doesn’t have the time and resources to build out a complete security architecture, focus your cyber defenses on the high-value assets like the systems running your domain controller, production servers, and databases that store sensitive information. Try to map the most critical business functions in the company to the devices that support them, which makes it easier to demonstrate to your boss and above the value of investing extra resources to protect them. All in all, cyber security is a never-ending process that spans both the technology and human aspects of our world, so a good cyber defense architecture will need to account for both domains. So that’s it for this episode on the four ways to boost your cyber defenses. Remember to like and subscribe with notifications if you want to stay up to date with more content like this. Really hope you enjoyed this video and learned something worth sharing.
Thanks so much for watching, and I’ll see you soon!