Post

Our Boards are worried

Posted
By Ryan Aspden 15 min read

Our Boards are worried – and rightly so.

An overview of the cyber threat landscape as of March 2024

A cursory glance at the global (cyber) landscape reveals a formidable and omnipresent threat that is facing every part of our digitally enabled society. From individuals surfing the web through to providers of critical infrastructure and governments – bubbling under the surface of the World Wide Web we face an Internet that is openly hostile to a functioning society.

From my vantage point there is a trifecta that creates a perfect storm for critical infrastructure providers:

  1. Global tensions are rising and state-based threat actors have huge incentives to infiltrate the IT networks of their adversaries.
  2. The software we’ve come to rely upon don’t seem to be getting more secure (or at a minimum, don’t seem to be keeping up with the times).
  3. Time-To-Exploit has, and will continue to rapidly decline. Threat actors are moving faster than most organisations and patching – by itself – is no longer effective when faced with this modern threat landscape.

Long story short, the landscape is dire.

What are organisations to do?

Whilst the picture I paint is grim, in practice, it’s not all that bad for organisations that choose to manage the risk well. Risk – the balance between performance and conformance – is the language that drives most decisions in an enterprise setting, and when it comes to managing cyber risk, approaching the modern threat landscape with a defence in depth strategy is one way to balance risk and reward. It also happens to be a strategy that I passionately believe in.

What is defence in depth?

In its simplest form, defence in depth is a multi-layered strategy – organisations assume that a breach will occur at some point in time and as a result choose to adopt multiple layers of defence (a.k.a. risk mitigations) to protect against this inevitable attack.

Defence in depth could be likened to a steeplechase race. Racers (i.e. threat actors) want to speed towards the finish line (i.e. their nefarious goals) with as little friction as possible. Each of those measures and controls your organisation has implemented are like those hurdles that are placed along the track. Each hurdle imposes costs (i.e. time, effort, exploits) and serves as an opportunity to prevent or discourage further activity. More importantly, those hurdles create an opportunity where threat actors are likely to stumble, make noise, and draw the attention of security staff who can intervene before harm is done.

Whilst no organisation can guarantee absolute immunity from cyber threats, maintaining a defence-in-depth strategy means you can have high confidence that your organisation will remain resilient when faced with the modern threat landscape AND that the likelihood of a sophisticated threat actor “living covertly” deep within your core/critical systems is likely to be low.

How might defence in depth play out?

How you choose to implement a multi-layered defence-in-depth strategy will depend upon the context of your business and your risk appetite. Your strategy will cover people, process, and technology, and because the technology aspect is the easiest to translate between organisations, it is the bit I will focus on in this section.

Applying a multi-layered approach starts with understanding:

  1. What are your organisation’s “crown jewels” – Knowing what constitutes your most important assets will help you understand what is likely to be targeted by threat actors.
  2. What kind of threat actor is likely to target your crown jewels, and why – Knowing your adversary will allow you to review their tactics, techniques, and procedures and understand if you have controls to defend yourself.
  3. What is the ‘path’ that a threat actor is likely to take – Similar to the point above, knowing potential (and probable) pathways through your network will help you understand if you have controls in place to raise alarm bells and allow you to defend yourself.

The last point is usually somewhat difficult to predict, but there are tools and strategies that can help:

  1. If you know the kind of threat actor that is likely to target your organisation, then you can use tools such as the Mitre Attack framework to map potential paths.
  2. The FAIR framework has a saying that I believe in… Whilst most risks are POSSIBLE, only some are PROBABLE. Spend your time focusing on the latter.
  3. Nothing beats mapping things out on a whiteboard. Sit down with your team, subject matter experts, and enthusiasts within your organisation to plot potential pathways through your IT/OT eco-system and then ask yourself if you have controls to prevent, detect, and respond at key points along the way.

A worked example

If your organisation is a critical infrastructure provider then you might determine that Volt Typhoon (a state-sponsored threat actor) is one credible threat that you must defend against. Based on Volt Typhoon’s modus operandi, if they chose to target your organisation, then it is likely that their objectives include gaining access to your crown jewels, after which they’ll seek to disrupt operations at a time of their choosing.

Whilst there are many ways that Volt Typhoon could compromise your organisation, and each PROBABLE path must be explored, let’s say they compromise one of your Internet-facing corporate systems and use this as a beachhead to move deeper into your environment, ultimately worming their way into your SCADA system.

Defence in depth on the edge

Your organisation’s public edge - the systems straddling the space between the public Internet and your private networks - is the exterior shell of your digital estate that’s open for attack. Every minute, of every day, your edge systems are being scanned, indexed, and probed for weaknesses.

Your public edge is one element in your multi-layered strategy that deserves close attention. When thinking about defence in depth, you could start with…

Defence in depth on the edge of your network

  1. Knowing your organisation’s public exposures – Whilst most organisations will have a rigorous process in place to control what systems are ultimately exposed to the public Internet, these processes should be backed by systems that can autonomously (and continuously) scan your domains, IP address space, and/or ASN’s to generate an inventory your organisation’s public-facing assets. More importantly, this tool should report any known vulnerabilities uncovered in each of those assets.
  2. Protecting your public exposures – Protecting your systems starts with asking the question “Is there a genuine need for this system to be accessible from the public Internet, or are we being lax?” If there is a genuine need then standardise on those architectures that are used to publish your systems on the Internet. It is infinitely more difficult to protect and manage systems if there are a multitude of ways in which users can access them from the public Internet. Similarly, you should never expose management interfaces to the public Internet – keep administrative protocols like SSH, RDP, WinRM, etc. off of the public Internet and hide them behind a VPN connection.
  3. Isolate and segment systems – Hosting technology has come a long way in the past 4-6 years and it is now a trivial task to apply strict firewall (or security group) policies that prevent unauthorised network traffic to and from your computer systems. Your edge systems should be heavily segmented and your firewall policies should only allow the bare minimum in terms of permitted inbound/outbound connections. There is never a good reason for a public web server to have RDP access to an internal server, so block this access using a firewall.
  4. Harden your edge devices – Turn off unused services on those computer systems exposed on the edge, remove unnecessary software, disable default user accounts, install application allow-listing software, and for public-facing computer systems, and think twice about joining these systems to your core Windows Active Directory domain (if it is a Windows computer under the hood).
  5. Use captive portals – For those web applications that are accessible from the public Internet, consider placing them behind a captive portal. Microsoft’s Azure Application Proxy places a Microsoft login portal in front of your web application, which means web crawlers, threat actors, and cyber criminals looking to access your application are all met by a (nearly) impenetrable wall that “hides” your genuine application.
  6. Use Web Application Firewalls (WAFs) with meaningful policies – If a captive portal is not appropriate for technical reasons, then apply a WAF with access control policies that; a) prevent access from countries where your customers/users are not located, and b) block known botnets and ‘low-reputation’ IP addresses, and c) block the most common OWASP top-10 attack vectors (e.g. SQLi attacks, cross-site script attacks, etc). Geo-location, IP address and client restrictions help keep details of your web application out of web crawlers and public vulnerability database tools that are known to be monitored and used by threat actors when looking for potential targets.
  7. Relentlessly protect VPN appliances or go Zero Trust – Similar to the point above, relentlessly protect your VPN appliances and patch them aggressively. Too many horror stories have emerged that start with vulnerabilities in public-facing VPNs and end in your corporate systems being encrypted in a ransomware attack. Better yet, if your organisation can adopt it, go down the route of a Zero Trust Network Access (ZTNA) solution that removes the VPN from your Internet edge.
  8. Require that staff use decent passwords – Educate staff to use strong and unique passphrases for each of your digital services, and apply custom “block lists” to prevent the use of phrases and/or words that are common in your organisation or industry.
  9. Make use of MFA and device posture – Apply meaningful multi-factor authentication policies wherever it’s possible to do so. For some of your ‘sensitive’ applications, you may require users to access from a trusted device AND complete an MFA challenge every time they access that application. For other applications, you may choose to only require MFA if the users’ sign-in attempt is deemed to be ‘unusual’ based on their usual patterns of behaviour.

Defence in depth inside your private network(s)

Beyond your organisation’s public edge, your interior networks and the computers connected to them, are the next aspect that needs to be considered in your multi-layered strategy. Unlike an egg that has a hard exterior, but is soft inside, we also want layered controls within our private IT/OT networks.

Defence in depth inside your network

Here your multi-layered strategy should consist of:

  1. Continued isolation of your systems and networks – Devise a meaningful strategy to isolate your computer systems and segment your networks. You may decide to build several network security zones to house each class of system (i.e. Corporate, SCADA, IoT, Infrastructure, etc) and then further segment each security zone based on any number of variables. e.g. the criticality, function, or expected user base of a system, or the sensitivity of the data likely to be held within.
  2. Religiously apply your base controls – Base controls are risk mitigations that broadly apply to systems across your entire digital estate, and meaningfully reduce risk at scale. These are controls like your Intrusion Detection Systems (IDS), Endpoint Detection and Response (EDR) systems, Vulnerability Discovery, Management & Response (VDMR) systems, logging systems, decoy systems, and backup/restore systems (to name a few). These base controls represent the most basic level of security hygiene at your organisation.

Thinking back to the path taken by the threat actor

With your defence-in-depth strategy now in effect, you can step through a likely chain of events that may help you better understand how each of these controls (i.e. each of those hurdles in your steeplechase race) would work to your advantage.

A probable threat path

One probable threat path could be…

  1. You have found yourself on Volt Typhoon’s target list through no fault of your own. They begin their recognisance phase by scanning your public infrastructure – they’re collecting details of what systems are exposed on your public edge, what software versions those systems run, and what weaknesses may lie within. Thankfully for you, you’re prepared.
  2. Those systems that are protected by a captive portal are impenetrable. Volt Typhoon decide the cost to overcome this defence is to high, so they continue looking at your other systems.
  3. Those systems that are protected by a web application firewall (WAF) are slightly different. With no captive portal in place, threat actors can move one step closer to their objectives. They start to probe and test each of these systems. Logs from your WAF are compared to threat intelligence feeds within your SIEM. This comparison raises a low-priority / low-fidelity alert indicating that an IP address associated with Volt Typhoon has been seen probing the systems sitting on your public edge. This garners minor attention from your security team as these alerts are common.
  4. Volt Typhoon finds a previously unknown vulnerability and breaks through your WAF protections. They try to install an unauthorised software package on your public-facing web server, which is denied by your allow-listing software (as the package is not authorised to run on this computer) and raises alerts within your EDR platform if the software is suspicious enough.
  5. Volt Typhoon are persistent in their efforts. They find a way to “live off the land” using existing tools to establish a remote control mechanism that starts beaconing home to their command and control (C2) servers. Your perimeter firewall and IDS both detect C2 tunnelling and raise a high-priority / high-fidelity alert for your security team to investigate.
  6. They’re moving quick. So quick that your Security Team hasn’t yet noticed those security alerts waiting to be triaged. With access to the underlying computer, they pivot onto the database server linked to the web server. From there, they cause a “wobble” (an issue) on the database server.
  7. Moments later, a diligent system administrator logs into the database server to proactively address what caused the system to wobble. Straight away, Volt Typhoon captures the administrator’s legitimate domain credentials. Depending on how the credentials were captured, your EDR tooling detects (and prevents) this activity, raising yet another high-priority alert for the Security Team to investigate.
  8. With administrative credentials, Volt Typhoon attempts to move off of the database server, and onto other systems to creep ever closer to your Crown Jewels.
  9. Your highly segmented network, coupled with restrictive firewall rules prevents them from moving anywhere else. Equally, your Intrusion Detection System (IDS) raises an alert as it detects an unusual pattern of behaviour for the database server (i.e. it has seen that a database server is trying to establish several connections to systems wholly unrelated to itself, which based on previous patterns, is highly unusual).
  10. Oh dear, they’ve found a misconfiguration! An overly permissive firewall rule has inadvertently allowed RDP access to a legacy application hosted privately within your network. With the admin credentials they stole earlier, Volt Typhoon is able to jump onto this machine and begin to probe their next target(s).

This pattern repeats itself with Volt Typhoon attempting to steal credentials, elevate privileges, probe systems, and move deeper into your network as they step ever closer to your Crown Jewels. Along each step of the way, your layers of defence; prevent them from trivially achieving their goals, raise numerous alarms for your Security Team to action, and slow them down such that Incident Responders have a chance of catching up.

This is the power that employing a defence in depth strategy can bring to an organisation, this is why this strategy is crucial given the current threat landscape.

What can act against your defence in depth strategy?

I want to end with a final thought, and that is of organisational entropy – it is the notion that all ordered systems tend towards disorder and chaos if not actively managed.

Organisational entropy will erode your position – it can be death by a thousand cuts if it’s allowed to be! Governance, culture, and people who care are the remedy.

With cyber security, it is usually the small things that undermine your approach. Things like…

  • I don’t need to worry about using a strong password as our organisation requires MFA, so that’ll save me”, or the
  • I’m going to relax this firewall rule as it’ll save me time and because our Intrusion Detection System would detect anything unusual”, or the
  • Our SCADA vendor said to add this entire C:/ drive directory to the exclusion list in our EDR system, such that it won’t monitor or prevent any activity within”.

Be mindful of organisational entropy – maintain a culture that values security, understands why controls are in place, and the role that having multiple controls plays. For any organisation, let alone critical infrastructure providers, it’s essential!

Cybersecurity, Defence In Depth
cybersecurity risk management defence in depth
This post is licensed under CC BY 4.0 by the author.