Defense in Depth: Go Deeper

What is Defense in Depth?

Simply put, defense in depth is the use of layers of security controls to protect a network.

The best defense is a multi-pronged, layered defense, both on the physical battlefield and in the digital world. Cyber attackers have your business or organization under the microscope, waiting for a misstep or an easy access point to maximum damage. To get ahead of these potential threats, you need defense in depth (DiD).

Defending the Edge

Historically, InfoSec has been most concerned with defending “the edge” of a network. Traditional firewalls, email firewalls, web application firewalls, data loss prevention products – all of these work at the magical edge where the outside meets the inside of your digital presence.

With more on the line than ever, attackers have become increasingly sophisticated and are highly motivated. A determined adversary will find a way through the edge; an employee will click the link to a phishing campaign and give up credentials, an organization will have a trust relationship with a compromised third party, a zero-day attack will occur… the onslaught is endless.

The “edge” that the community has held so dear has turned out to be extremely porous, even in a well defended network. Here, defense in depth as a strategy was born. Rather than assuming the edge stops everything, the edge has become just one of many moving layers of defense and security control.

Elements of a Layered Defense

Your digital assets deserve to be protected at all costs. Your fortress needs eyes in the sky, trip wires, and armed boots on the ground to secure the assets. What do those elements look like in a cybersecurity setting? Let’s dig in.

1. Visibility Beyond the Edge

Defending beyond the edge of a network means working in a space where you have no control. This layer of defense is largely about using actionable intelligence and knowledge about your own network to predict attacks on the horizon in order to better harden your network – here’s how:

  • Red teaming. Review your cybersecurity posture from head to toe with an adversarial mindset.
  • Threat Intelligence. Leverage available knowledge by studying actionable intelligence from attacks on other networks; learn and apply these lessons. Ensure you receive results by learning to identify actionable threat intelligence with [redacted].
  • Scan yourself from the outside. What would an attacker see? Where are the weak points? Harden them or add detections around them. Not sure how to get started, or just don’t have the bandwidth? Get penetration testing services so that a team of cybersecurity professionals can locate your weak points before cyber criminals can.

2. Visibility and Policy Enforcement at the Edge

Just because defense in depth goes beyond the edge doesn’t mean it ignores the edge. Perimeter defenses are equally as important as the rest of the layers. Equip your cybersecurity architecture with:

  • Firewalls with or without IDS/IPs. Visibility into and filtering on data entering and leaving the network is fundamental to network defense. Modern firewalls add the ability to perform packet inspection and filter/drop connections based on the content of the flow.
  • Email firewalls. Email firewalls enable an organization to filter and block both inbound and outbound email based on default and custom rules. More advanced email firewalls may even perform attachment sandboxing and link rewriting against inbound emails.
  • VPN. VPN provides a private tunnel between users outside of your network and your network. This enables machines that are not physically located on your network to securely access network resources.

3. Network Architecture

Once an adversary is through a network’s edge, the architecture of that network strongly impacts their ability to move around and achieve their desired actions on objective, whether they be data exfiltration of data encryption. Good network architecture can also enable visibility into internal network traffic, which can assist network defenders in tracking an adversary and defending a compromised network.

  • Network segmentation. A segmented network is more defensible, since each segment can be defended independently. At a minimum, ensure segmentation between user endpoints, critical internal servers, servers with an external connection, domain controllers, appliances, guests, and IOT devices. Logs of traffic between segments are invaluable to network defenders in the event of a compromised network.
  • Data protection. Consider encryption schemes for data based on its criticality and the likelihood of theft of a physical device. Regularly back data up, leveraging immutable backups where possible. This can limit the impact an adversary can have against a compromised network.

4. Internal Visibility and Policy Enforcement

Once an adversary makes it through the edge, they dwell within the network. They will typically land on an endpoint or server, then use lateral movement techniques to compromise additional hosts to ensure persistence beyond discovery. This layer of defense in depth focuses on detecting an adversary on a host or while moving between hosts.

  • Endpoint security. Endpoint security includes everything from basic antivirus to endpoint detection and response. No matter the tool an organization chooses to use for endpoint security, it is important that they have a skilled team monitoring the logs and alerts from the solution.
  • Internal NetFlow. Internal netflow is often overlooked, but is invaluable for the detection of both lateral movement and the staging of data for exfiltration.
  • Identification and protection of crown jewels. Identify the data of value to the organization, then place additional protections around it. For example, say HR and payroll data lies on a server named HR-Server. If possible, disconnect HR-Server from the internet, place it in its own segment, monitor internal traffic to and from, and alert on the movement of anomalous amounts of data. Deploy endpoint protection to the server and consider applying a more aggressive protection profile to it and servers like it. Additionally, ensure that HR-Server is backed up regularly and that those backups are immutable.

5. Good Network Hygiene

Good network hygiene practices make it more difficult for an adversary to move across a network, making each layer of the network more defensible. Elements of good network hygiene include the following:

  • Least privilege. Each user and service account should only have the privileges necessary to do their job. This makes it more difficult for an adversary to compromise an admin account, making it more difficult for them to achieve actions on objective.
  • Multifactor Authentication (MFA). Multifactor authentication mitigates the impact of a stolen password by preventing the adversary from authenticating without an additional factor of authentication. This alone mitigates many of the vectors for lateral movement and privilege escalation.
  • Conditional Access Policies. Conditional Access Policies mitigate the impact of stolen cookies and/or credential by requiring re-authentication and/or additional factors of authentication based on the time of day, geolocation, and role of the authenticating user.
  • Vulnerability and patch management. A network free of known vulnerabilities is not only more difficult for an adversary to break into, but also more difficult to move around and persist in. Good vulnerability management makes every layer of a layered defense stronger.

6. Preparedness

Insidious evildoers live comfortably knowing that there are businesses completely unprepared for their attacks – don’t be like them. Get your cybersecurity posture squared away and get a professional like [redacted] on board to lead the charge. Here are two ways you can stand at the ready:

  • Incident Response Plan. An incident response plan (IRP) is a plan that dictates how an organization responds and recovers from a security incident; in this case, a breach of “the edge”. A well written IRP will help an organization effectively leverage their layered defenses to better defend their network.
  • Training. The people defending the network have to understand what an attack looks like and how to leverage layered defenses to detect and counter a compromise. This requires constant training that is aligned to the tools in use in the network.

Build an Impenetrable Fortress, Partner with [redacted]

Most attacks begin at the edge and require things like network discovery, lateral movement, credential access, or privilege escalation. A robust policy of defense in depth makes each of those techniques more difficult for an attacker to execute, easier for a defender to detect, and significantly limits the blast zone.

An attacker’s worst nightmare is a fortress well defended. A layered defense in depth strategy coupled with a team of expert cybersecurity professionals who know how to leverage those defenses is the sweet spot for your peace of mind.

We’re here to help.

Schedule a call with our team cybersecurity experts to talk about how [redacted] can help secure your fortress.

Tags:

[r Authors

Portrait of Lauren Pearce

Lauren Pearce

  • Director of Incident Response and Forensics

Lauren serves as the Director of Incident Response and Forensics at [redacted] where she’s frequently found on the front lines, leading incident response efforts on behalf of clients. Prior to joining [redacted], Lauren worked at Los Alamos National Laboratory where she specialized in malware analysis as a member and occasional leader of the incident response team. She enjoys teaching technical content and has experience teaching malware analysis to students ranging from private sector managers to US military and everything in between. She holds a BS and MS in Computer Criminology - Computer Science and a BA in International Affairs, all from Florida State University.

Speak with our technical team.