In my research I touched on the cyber kill chain and how it overlays an existing zone-model architecture that I've been a big proponent of for a long time: internal and external users, service presentation, business logic and storage. Nobody has direct access to the data. Access must be mediated by some web server or business logic server that then accesses the data on their behalf, as a way to manage and control that. That is also how the attacker is going to get to it, and each one of those zones is a point where we can actually stop the attack. It's not just getting to the data; they then have to get it out along the same sort of paths, so that provides a way to overlay the kill chain. If our networks are compromised, you can't protect everything, so it really means you've got to identify and protect that small bit, even somewhere like an 'air-gapped network', for example. Your master key and your HSM (hardware security module) should be a device that's not connected to the network. That forces someone to physically go to it to do something, or other examples like that. It's a new way, and we have to think about the problem differently, and to the NSA's point, they operate under the assumption they are compromised and then ask 'what do we do?' on a daily basis. With your 60 percent or 80 percent of organisations that have malware in there, how do we go about our daily business knowing that, when we wouldn't be able to define them? Even with rootkits and things like that, you might not always be able to identify where you're compromised.
CRN Can you give us a specific example of how the cyber kill chain might work for a typical organisation? What about a retail organisation, for instance?
Keith Okay, so they are doing credit card processing. We talked a little bit about phishing, and that's where they do the initial analysis and targeting. Then they have to get in, typically using some malware that some legitimate user clicked on and activated from a legitimate website, but with cross-site scripting and iframes and all these other vulnerabilities. It has its place in the world for those things that get infected, and then the attacker can essentially go out the front door, using HTTPS like you would to go to your bank or something. If I were an attacker, I'd put banks somewhere in my control domain so it would slip through a lot of that, and that's how they establish a foothold, maintain persistence, go through to privilege escalation, identify the assets, exfiltrate the assets and then maintain the presence.
What the cyber kill chain is about is interfering with each one of those spaces. You have an opportunity to stop the attack, forcing the attacker to go back again. So if they're already in the network, how do we stop them from going from a workstation in the corporate network to the data? Again, we go through the business logic. We go through secure storage and some database server that breaks connections with firewalls, RPSs, access control and all those controls, and each one of those points they have to get around is a kill point on the attacker.
Sean I agree entirely. The chains are fragile, and if you can break any one of those points, there's generally no robustness and no workaround. If you break that, you've stopped it.
Keith In an open, flat network, once you're there you can move laterally anywhere you want to and essentially own the whole network. But as soon as you start segmenting that with security controls, we increase the complexity for an attacker to move around. Think about it like an onion with concentric layers. To get to the middle, you've got to peel each layer of the onion down to get to the information in the middle, and that's really how we should be looking at networks, and building and designing networks.
Peter One of the issues is this mentality of the security professional that he's got to protect everything, and actually this is a perception of protecting everything, not just protecting the green zone. It's really that bit, the education on the security front: teaching people that yes, some malware, some lack of security is acceptable.
CRN A point you made in your white paper as well, Keith, is the increased complexity of vulnerabilities. If you read all the headlines in the technology media, you would get the impression that the number of vulnerabilities is increasing exponentially. Well, yes it is, but as you point out, the complexity of those vulnerabilities means that you don't necessarily have to worry about all of them; you have to understand which ones you have to worry about.