[BreachExchange] Living in an Assume Breach world

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 24 21:53:40 EDT 2017


https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/

Some security professionals claim their networks are secure from hacking.
They may say this to justify a recent large purchase of security equipment.
But many times, they say this because executive leadership or customers
don’t want to hear the bad news that all systems can be breached. As the
poet Criss Jami said, “When a man is penalized for honesty he learns to
lie.”

Anyone with any experience in security knows better: a hack-proof security
architecture is an unusable security architecture. There are always
trade-offs and to do anything useful, we need to open ourselves up to risk.
Given that a certain amount of risk of breach is inevitable on all
practical systems, it is safer to defend your systems with this attitude.

The assume breach mindset

The traditional defenses we still have in place today will not be as
effective against the attacks of today, and they will only deteriorate over
time as new attacks and technologies are invented. Like
antibiotic-resistant infection, malware has routed around signature-list
antivirus solutions while network attacks have shifted to application and
user identity attacks.

Like water, attackers flow to where the cracks are. Accepting that your
network will be broken into is called the Assume Breach principle. It means
you’ve accepted the fact that an attack is going to succeed no matter what,
and you’re going to build your defenses accordingly.

Pick your battles

Your minimum level of security across the board must repel the
opportunistic attackers. Luckily, we know what’s needed there: Vigorous
access control, robust patching, minimal attack surfaces, malware control.
But you need to realize that a determined attacker or unlucky zero day will
break through that basic line of defense.

Sun Tzu said, “Those skilled in war bring the enemy to the field of battle
and are not brought there by him.” So, we fight these opponents on
favorable terms. This means we define the subset of our systems that really
matter. The systems holding our most valuable intellectual property, the
systems processing our critical transactions, the systems containing
personal private information. These systems are what is in scope for our
audits and where we concentrate our best controls.

Here is where we lay our best traps, spin our thorniest mazes, and bolt on
the sturdiest locks. (In compliance parlance, this area is called the “scope,”
so I’ll use that term from now on.) Put all your eggs in one basket and then
watch that basket. But, this will drain a significant portion of your
resources and impede practical usage of systems in scope. So, you’ll want
to keep your scope as small and tight as possible, which obliges you to use
the Least Privilege principle.

Compartmentalization

Now that you’ve defined your secure scope and concentrated additional
controls there, what about the rest of your organization? Naturally, you
will have controls and defenses in place there, but they won’t be as
expensive or demanding to users. This is the zone where we expect a
determined enemy to gain entry but we don’t want it so open that casual
attackers and malware constantly sweep through. Movement from the unscoped
parts of your systems into the scoped systems should require passage
through elevated access controls.

Furthermore, these systems should have barriers to deter any attacker, be
they insider or outsider, from crossing over. This means assuming that an
attacker has compromised the main systems and may have full administrative
rights on the unscoped network, so there should be segregation in controls
between the zones. Separate authentication domains, internal firewalls,
and divergent anti-malware solutions are a good way to ensure that whatever
broke into the outside network can’t use the same methods to break into the
scoped network. The key is rigid segregation to ensure that failures can’t
cascade through interconnected systems into the systems in the scope.

Many networks already have evolved to include some of these controls to
accommodate compliance and operational requirements. However, the Assume
Breach design is a deliberate compartmentalization between zones of
differing trust and as little overlap or interdependency as is feasible. In
biology, the concept of enantiostasis refers to the ability of a system or
organism to self-stabilize to maintain functionality in an unstable
environment. That is the goal for the scoped systems.

Global visibility with rapid response

Since we are expecting attackers on our networks, we want to know what
they’re doing and then jump on them as soon as possible. This means leaning
harder on tools like threat intelligence, logging, and security incident
response. It also necessitates that you already have a good idea of where
all your important data is stored (and in what state? encrypted?), and what
software should be running on machines. Again, this is resource intensive,
which is why it’s easiest to concentrate these efforts on your scoped
systems and the scope barriers.

Part of this visibility is using threat intelligence to monitor darknets
and data breach notification services to see if or when your organization’s
identities or intellectual property become known to hackers. It is also
useful to look for your organization’s IP addresses on things like
reputation blacklists, botnet command and control (C&C) networks, or
peer-to-peer file sharing nodes.

Visibility can also mean laying booby traps such as honeypots and alarmed
fake data entries to detect when intruders are moving around inside your
networks. Deceptive defenses such as these work very well deep in the
scoped network since, by definition, there is less traffic and activity
there to trigger an alarm.
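As an added illustration of the “alarmed fake data entries” idea (this is example code, not from the article): a few canary record IDs are seeded into the scoped database, and a detector scans application access logs for any read of them. The record IDs, usernames, addresses and log lines below are all constructed; no legitimate workflow ever touches a canary, so a single hit is an incident rather than noise.

```python
import re
from dataclasses import dataclass

# Constructed canary record IDs seeded into the scoped customer database.
# They belong to no real customer, so any access to them is an alarm condition.
CANARY_RECORD_IDS = {"cust-00097731", "cust-00097732"}

# Constructed sample application access-log lines (not from the article).
SAMPLE_LOG = """\
2017-08-24T20:01:11Z user=alice src=10.20.5.14 zone=scoped action=read record=cust-00012345
2017-08-24T20:02:40Z user=svc-report src=10.20.5.40 zone=scoped action=read record=cust-00044810
2017-08-24T20:03:02Z user=bob src=10.90.3.7 zone=unscoped action=read record=cust-00097731
2017-08-24T20:03:03Z user=bob src=10.90.3.7 zone=unscoped action=read record=cust-00097732
2017-08-24T20:05:19Z user=alice src=10.20.5.14 zone=scoped action=update record=cust-00012345
"""

# Hypothetical key=value log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) zone=(?P<zone>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    zone: str
    record: str


def find_canary_hits(log_text, canaries=CANARY_RECORD_IDS):
    """Return one Alert per log line that touches a canary record."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than silently trusted
        if m["record"] in canaries:
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["zone"], m["record"]))
    return alerts


def summarize(alerts):
    """Group hits by (user, source) so one intruder becomes one incident, not N pages."""
    incidents = {}
    for a in alerts:
        incidents.setdefault((a.user, a.src), []).append(a.record)
    return incidents
```

On the sample above only the two reads by “bob” from the unscoped zone fire, which is exactly the cross-zone movement the previous sections say to watch for.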

Lastly, your incident response process and team should have their jobs down
cold. Living in an Assume Breach world means that their services will be
needed. In the middle of an incident is not the time to figure out who does
what and who is going to notify the proper authorities.

Conclusion

Here it is again in a nutshell: Assume the bad guys will get in (because
they will), so make sure they can only get to the stuff you don’t care as
much about. Segregate the important things with the assumption that the
barbarians will be at the gate, even if the gate is inside your own
network. Watch for enemies within and without, while being ready to respond
calmly and totally at a moment’s notice. This is living with the Assume
Breach mindset.