Using defense-in-depth to prevent self-inflicted cybersecurity wounds

This past week, I encountered an all too common situation — a user gets a targeted phishing attempt. Despite a strong training program, the user opens the attachment and gets infected with ransomware.

For many organizations, this would have resulted in a disaster. Ransomware would have encrypted files on any servers, and the organization would have been forced to either restore the files from a backup, assuming they had them, or to hold their nose and pay a ransom. 

The news was better, however, for the organization I mentioned above.

Fortunately, the premise of their security planning was that someone would eventually shoot them in the foot. With a security plan that assumed this, they had a depth of layered controls to help. While their anti-virus software did not prevent the infection, it did recognize and send an alert about it, after the fact. In the meantime, their web filtering appliances and their DNS service provider, recognizing the call from the infected PC to a command and control server to get an encryption key, blocked access. Since the ransomware client never got the key, it did not encrypt any files. The blocking of command and control access provided the extra time needed to get the PC pulled out of service and repaired. 

The organization referenced above had a happy ending. For every such happy ending, though, I suspect that there are hundreds that end badly. Since these often happen in small organizations, or those that attempt to keep such matters quiet, we often don’t hear about them, but they do exist. It is these sorts of attacks that resulted in an estimated $209 million ransomware payout in the the first three months of 2016, according to Forbes. 

There is no end it sight for these attacks, because bad actors are working hard to make the process easier. These efforts have resulted in a new class of malware — Ransomware as a Service (RaaS), a turn-key approach for those who wish to extort people, but don’t have the technical chops to pull off an attack. The hackers do the coding, and make the software available, either for a purchase price or a percentage of any ransoms paid. As such, new hackers can join the fray with little risk. 

If you are placing your hopes in law enforcement to stop the trend, or to help you out when you’re hit, you probably should go ahead and by some bitcoins. It is not that law enforcement does not want to help. Quite the contrary, they are working hard to combat the trend. But because there are so many bad actors participating, and because they are often in countries where we can’t get to them, law enforcement is almost helpless. 

If the above situation gives you a sense of hopelessness, don’t despair quite yet. As with the aforementioned organization,you, too can plan for the worst — and have layered defenses approachwe in the industry call defense-in-depth. 

A defense-in-depth strategy assumes that something will go wrong with your basic security precautions. This can be the result of user error, a really smart hacker, or just Murphy’s Law in full force. To address the problem, you assume in advance that something will break, and you plan for additional controls to make up for that failure.

This approach is hard for many organizations to accept, because they hate to spend money multiple times to solve the same problem. The fallacy of this thinking is that, outside of the helm on information security, we implement defense-in-depth all the time. Consider, for example, a warehouse that invests in a sprinkler system to extinguish fires. Even if they have purchased the best possible sprinkler system, they will still pay for an alarm system to notify the fire department of the emergency — just in case. If you think about it, you probably have many such precautions already in place. Why should cybersecurity be different? 

When planning your defense-in-depth strategy, think about the different categories or layers of protection you need: 

Perimeter

This is the front line of defense from outside attacks against your network. Using a firewall to prevent unwanted traffic from entering or leaving your network is the key to a strong perimeter defense.

The good news is that many organizations have such a firewall. The bad news is that they are often mismanaged. It is critical to only allow traffic in and out of the firewall that is essential for the operation of the organization. Everything else should be blocked. All too many organizations install a firewall, turn it on, and think they are protected out of the box. This is a false sense of security. 

Mid-network

This layer should include intrusion prevention, web filtering, and similar systems. These devices monitor for, and filter out, unusual traffic that is missed at other layers. Web filtering prevents users from aiming a gun at your feet by visiting sites that are known to be infected.

This layer is also a good place to employ a technique called a honeypot, which acts as bait to detect a hacker who has penetrated your perimeter defenses, and is moving laterally through your network. Finally, a good log consolidation system, such as Splunk, can correlate information from various system logs, and generate alerts for suspicious activities. 

Endpoint

This is the layer that resides on your users’ workstations. It is the first line of protection against malware, user downloads, malicious web sites, etc. It is important to use products that can be managed centrally and will report malware back to a console so that alerts can be issued. It also helps to have an endpoint product that that can communicate with other layers of your defense strategy, such as McAfee or Cisco AMP. 

Don’t forget your mobile devices connecting to your network, because they have many problems of their own. Include a good mobile device management system, such as VMware’s AirWatch. 

Bottom line — your employees will ultimately shoot you in the foot, either accidentally or intentionally. You can’t do anything to stop that. You can and should, however, deploy defense-in-depth strategies to protect from such events.