[BreachExchange] Keeping Data on a Short Leash to Avoid Breaches
destry at riskbasedsecurity.com
Thu Oct 18 23:23:38 EDT 2018
Even the best-trained dogs have leashes while in public. Despite how
much one trusts their dog to act obediently, it simply is not possible
to know what kind of situations one might encounter while on a
walk—maybe an enticing squirrel? A loud noise? Another dog? Dogs need
to be on a leash. What is the right length for a leash? A leash should
be long enough for the dog to “do business” and stay beside the owner
but not too long to allow the dog to encounter harm or get in trouble.
We put dogs on leashes for good reason. Why not do the same to data?
Today, a data breach is almost guaranteed. Every day there are news
accounts of costly, devastating breaches, and many involving company
secrets or proprietary information are never disclosed or reported.
Even the NSA, the FBI and security vendors have been breached
successfully. The reality is that a motivated attacker will get into
any network, if only through theft of valid user credentials. Once
inside, the odds are heavily in favor of the attacker. Preventive
security is still important, but on its own it is no match for an
attacker who already holds a working login.
Various solutions exist to find network intruders, but most are made
ineffective by the volume of false positives they produce: operators
have to work through so much noise that the real alerts are missed.
Encrypting data at rest and in motion is meant to solve the issue, but
an attacker using stolen credentials is a valid user as far as the
application is concerned, and the application decrypts the data for
them. Locking data down is not effective if bad actors can easily get
the keys. Segmenting data may slow an attacker down, but ultimately it
will not prevent eventual theft or damage.
One approach to protection is based on a little-known aspect of
networking that can effectively put a short leash on data. Every IP
packet carries a hop count: the Time to Live (TTL) field in IPv4, the
Hop Limit field in IPv6. Each router (more precisely, each device that
forwards the packet at layer 3; a firewall in routed mode counts, a
bridging firewall or a switch does not) decrements it by one. The
sending host sets the initial value, and the operating system default
is generous enough for travel between any two points in the world: 128
on Windows, 64 on Linux and macOS, 255 on many network devices. The
value is not fixed, though. It can be set system-wide or per socket to
any number from 1 to 255.
By knowing the exact number of hops between a server or storage device
and the devices that legitimately consume its data, the data can be
put on a leash: the server sends with a hop limit equal to that
number, and its packets cannot be delivered any farther. In this way,
important data can be confined to a data center or to the primary
corporate network.
A hop limit discards data that travels too far, before it can reach
the wrong hands. Again, by knowing the required hop count, one can
establish an upper limit. Each router decrements the hop limit and
examines it; when the value reaches 0, the router discards the packet
and sends an ICMP Time Exceeded message (type 11, code 0 for IPv4;
ICMPv6 type 3, code 0 for IPv6) back to the sender. This enforcement
is already performed by every router on the internet, so nothing new
has to be deployed in the network. The missing pieces for this
approach have been intelligent software to pick appropriate limits and
monitoring to detect attempts to breach the perimeter.
This approach to security is based on distance rather than access.
Access can and will be compromised; the number of hops a packet may
travel is enforced by the network itself, not by a credential. The
limit has a clear boundary, though: it bounds where a packet can be
delivered, not who is allowed to receive it. An attacker with a
foothold inside the leash (a compromised workstation within the
permitted hop count) still receives the data and can forward it with a
fresh hop limit, since every host sets the TTL on the packets it
originates. Controlling hop count therefore shrinks the set of places
from which data can be taken; it does not remove the risk entirely.
Monitoring discarded packets spotlights hackers already within the
network. Traditional approaches have proven ineffective at rooting out
intruders, to the point that hackers remain undetected for a commonly
cited average of around 200 days. Those tools either miss intruders or
trigger so many false positives that their alerts are ignored. Hop
limits trigger high-quality alerts that are specific and actionable:
once the legitimate paths are known to fit within the limit, any ICMP
Time Exceeded message returned for the server's traffic names the
router that dropped the packet and the destination the data was headed
for, and the only benign explanation is a routing change.
Securing data using hop count first requires knowledge of how the data
is accessed legitimately. What are the legitimate destinations, and
what path does the data travel? How many hops are required? Measure
this from the server's side (traceroute from the server to each
destination, since the return path can differ), and measure it again
after network changes, because paths change. Once this is established,
hop count limits can be set. Obviously, inaccurate hop counts can
create havoc and prevent authorized users or applications from getting
the data they need. Dealing with the outcome from such chaos is a job
no one wants.
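As an added example (not code from the article or its author), the three pieces described above put together in Python on Linux: choosing the limit from hop counts measured to the legitimate destinations, applying it to a socket with IP_TTL (IPV6_UNICAST_HOPS for IPv6), and turning the ICMP Time Exceeded replies the routers send back into alerts, separating a genuine leash violation from the "havoc" case where a legitimate path has grown. The function names, addresses, ports and the constructed ICMP datagram are assumptions made for the example; in production the datagrams would come from a raw ICMP socket (which needs root) on the protected server.

```python
"""Hop-limit "leash" helpers.  Added example, not the article's own code.
Assumes Linux/BSD socket semantics; addresses and the sample datagram are
constructed for illustration."""
import socket
import struct

IPV4_HEADER = 20
ICMP_TIME_EXCEEDED = 11      # RFC 792: type 11, code 0 = TTL exceeded in transit
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def choose_hop_limit(measured_hops, margin=0):
    """TTL to configure, given hop counts measured (e.g. with traceroute from
    the server) to every legitimate destination.  The leash must reach the
    farthest legitimate consumer, so the limit is the maximum.  A margin
    tolerates small path changes but lengthens the leash."""
    hops = list(measured_hops)
    if not hops or any(h < 1 for h in hops):
        raise ValueError("need at least one measured hop count >= 1")
    limit = max(hops) + margin
    if limit > 255:
        raise ValueError("TTL is an 8-bit field; the limit cannot exceed 255")
    return limit


def leashed_socket(ttl, family=socket.AF_INET, kind=socket.SOCK_STREAM):
    """Socket whose outgoing packets carry the given hop limit."""
    s = socket.socket(family, kind)
    if family == socket.AF_INET6:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ttl)
    else:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    return s


def parse_time_exceeded(datagram):
    """Parse one raw IPv4 datagram (as read from a raw ICMP socket).  Returns a
    dict describing the dropped packet if it is ICMP Time Exceeded, else None.
    The outer source is the router that dropped the packet; RFC 792 requires
    the body to quote the original IP header plus 8 bytes, enough for ports."""
    if len(datagram) < IPV4_HEADER:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != PROTO_ICMP or len(datagram) < ihl + 8 + IPV4_HEADER:
        return None
    icmp = datagram[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    ports = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(inner) >= inner_ihl + 4:
        ports = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "router": socket.inet_ntoa(datagram[12:16]),
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "proto": proto,
        "ports": ports,
    }


def leash_alerts(datagrams, legitimate_destinations):
    """Classify Time Exceeded messages.  A drop on the way to a destination that
    is not legitimate means data was headed beyond the leash (intrusion
    indicator); a drop on the way to a legitimate one means the path grew and
    the leash is now too short (the havoc case: an operational alert)."""
    alerts = []
    for d in datagrams:
        v = parse_time_exceeded(d)
        if v is None:
            continue
        kind = "PATH_CHANGE" if v["dst"] in legitimate_destinations else "LEASH_VIOLATION"
        alerts.append((kind, v))
    return alerts


def build_time_exceeded(router, src, dst, sport, dport):
    """Construct, for the example only, the datagram a router would send back:
    router -> src, ICMP type 11 code 0, quoting the original IPv4+TCP header.
    Checksums are left zero; the parser does not verify them."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 0, PROTO_TCP, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HH", sport, dport) + b"\x00" * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                        PROTO_ICMP, 0, socket.inet_aton(router), socket.inet_aton(src))
    return outer + icmp


if __name__ == "__main__":
    # Constructed data: legitimate clients sit 2 and 3 hops from the file server.
    ttl = choose_hop_limit([2, 3, 3])
    s = leashed_socket(ttl)
    print("leash length:", s.getsockopt(socket.IPPROTO_IP, socket.IP_TTL))
    s.close()
    replies = [
        build_time_exceeded("10.0.3.1", "10.0.1.20", "203.0.113.7", 445, 49152),
        build_time_exceeded("10.0.2.1", "10.0.1.20", "10.0.5.9", 445, 50000),
    ]
    for kind, v in leash_alerts(replies, {"10.0.5.9", "10.0.4.12"}):
        print(kind, v)
```

The limit is deliberately the maximum of the measured hop counts with no margin by default: every extra hop the leash allows is one more network segment an intruder can pull data across. Note that a socket-level TTL only governs packets the server itself originates; it does nothing about a copy an attacker makes on a host that is already inside the permitted hop count.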
In some cases, data can be limited to internal use only, and hop
count can be the leash that ensures it does not leave a certain
network. Even within a company, data can be kept from employees on
more distant network segments, which narrows the internal threat; it
does not distinguish an authorized user from an unauthorized one on
the same segment.
Security has largely kept to a fixed set of practices and technologies
for risk mitigation. Using hop count to secure data, by establishing a
leash of the proper length, is a way of teaching an old profession a
new trick. Data gains a line of defense that does not depend on
credentials, and threat actors outside the leash are left in the dark.