Defend Your AO: A SpiderLabs Play in One Act
Area of operations, any theatre of combat.
The past, present and/or future.
All right guys, here's the AO. Corporal Smith, take your team and establish the external boundaries. Concertina wire, and land mines as per unit SOP. Set ingress and egress points, and OP/LP.
Corporal Jones, you and your team set up the internal perimeter. Make sure to stagger ingress and egress points with Corporal Smith. You also got the guard roster.
And Corporal Jones...
Don't forget to add yourself to the roster this time. Being SOG is a privilege, not a right. Lead the way, hoough?
CORPORALS SMITH and JONES
Corporal Davis, you've got commo. Get jump freq from Battalion, and challenge and password rotations. Zulu time hack is in 15 mikes.
You can talk about us, but you can't talk without us, Sarge.
I'll set the fire points, get the Sheriff freq, and set evac routes. Here, on the map I've marked rally points Bravo and Charlie. If the enemy finds our position we defend, call the Sheriff and get a sitrep. If the Sheriff is more than 1-0 mikes out, we roll to Bravo. If Bravo is blocked, head to Charlie. Corporal Thomas, you've got OPFOR. Make sure paths to Bravo and Charlie are clear. Also, give us an external view of the AO. See if we missed anything. If so, get with Jones and Smith and correct it.
Alright, guys, you've got your orders...check or ho?
CORPORALS JONES, SMITH, DAVIS and THOMAS
Let's get hot!
(END OF SCENE)
You may expect a conversation like this to come from the front lines of combat, or a Tom Clancy novel, and you would be right. In fact, as a former Army Reconnaissance Sergeant, I had multiple conversations just like this one with my team on different occasions. Great, so, how does any of this involve cyber security? I'll get to that as I break down the conversation one piece at a time.
Setting The Scene: The AO (Area of Operations)
The Recon Sergeant and his team are establishing a defensive posture around a fixed position. They’ve occupied a piece of land and will perform combat operations from there. They expect an attack and need to defend the area.
Comparison–Your company's IT infrastructure
You have digital assets: servers, laptops, mobile devices, networking equipment and data. This is your area of operations–what you need to defend from an expected cyber attack.
External Boundaries: Concertina wire, land mines per unit SOP (Standard Operating Procedure), ingress and egress points and OP (observation point)/LP (listening point)
With these instructions, the team will set up the external perimeter, defensive components and points from which they can monitor their AO.
Comparison–Your firewall, intrusion detection or prevention systems (IDS/IPS), and security information and event monitoring (SIEM) solution
Most organizations use firewalls to control the flow of traffic to and from their networks. Through the use of Access Control Lists (ACLs), firewalls can prohibit unauthorized traffic from making it into the internal network while permitting business critical traffic through to its intended location.
Having security solutions such as a firewall or IDS/IPS is a great idea, but someone needs to watch the generated alerts from these security controls in order for them to be useful. If Corporals Smith and Jones established the perimeter but failed to establish a roving guard to monitor it, the enemy would advance past the security measures and attack! That scenario is comparable to not implementing some sort of SIEM solution! It is the means by which you will know if you are under attack–it is your roving guard.
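To make the perimeter-versus-guard distinction concrete, here is an added example (not code from the original post or from SpiderLabs): a hypothetical ACL applied to constructed connection attempts, and a "roving guard" routine that reads the resulting firewall log and escalates a source that keeps getting denied on different ports. The ACL rules, addresses and threshold are all invented for illustration.

```python
import ipaddress

# Constructed ACL in the spirit of the post's firewall description:
# permit business-critical traffic, deny everything else. Hypothetical rules.
ACL = [
    ("permit", "0.0.0.0/0", 443),    # public HTTPS is business critical
    ("permit", "10.0.0.0/8", 22),    # SSH only from the internal network
    ("deny",   "0.0.0.0/0", None),   # default: drop everything else
]

def acl_decision(src_ip, dst_port):
    """First matching rule wins; a port of None matches any port."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in ACL:
        if ip in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return "deny"

# Constructed connection attempts (not real traffic). The perimeter alone
# records each decision in isolation; it never notices one source probing.
ATTEMPTS = [
    ("203.0.113.7", 443), ("10.1.2.3", 22), ("203.0.113.7", 22),
    ("203.0.113.7", 3389), ("203.0.113.7", 445), ("203.0.113.7", 23),
    ("198.51.100.9", 443),
]

def firewall_log(attempts):
    """The firewall's job: apply the ACL and emit one log line per decision."""
    return [f"{acl_decision(ip, port).upper()} src={ip} dport={port}"
            for ip, port in attempts]

def roving_guard(log_lines, threshold=3):
    """The SIEM's job: correlate the alerts the perimeter generated.
    A source denied on `threshold` or more distinct ports is escalated."""
    ports_by_src = {}
    for line in log_lines:
        action, src, dport = line.split()
        if action != "DENY":
            continue
        ports_by_src.setdefault(src.split("=")[1], set()).add(dport.split("=")[1])
    return [src for src, ports in ports_by_src.items() if len(ports) >= threshold]

if __name__ == "__main__":
    lines = firewall_log(ATTEMPTS)
    print("\n".join(lines))
    print("escalate:", roving_guard(lines))
```

Every deny line already existed in the firewall's output; the escalation only appears once something reads those lines together.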
Commo (communications): jump freq (frequency) and challenge and password rotations
Our recon Sergeant has instructed Corporal Davis to establish communications with the rest of their company and their next higher headquarters. As a remote AO, they need to know what is happening at their level and the level above them. To accomplish this, Corporal Davis is told to get something called "jump freq," the secure communications protocol used by the military to send and receive messages. Only radios with the proper programming can access the secure network. Radios outside the secure network are not capable of transmitting on it.
Corporal Davis is also ordered to obtain challenge and password rotations. Even with the secure network in place, his team is using a secondary authentication mechanism to ensure secure communications are taking place.
Comparison–Your remote administration protocols and password rotations
Your IT assets need a means by which they can communicate with each other and with you. This is done through various protocols such as Secure Shell (SSH) and remote desktop (RDP or Termserv). Making sure these communications occur in a secure manner is essential, as it not only prevents third parties from viewing your remote administration actions (for use in man-in-the-middle attacks), but also prevents an external attacker from using your remote administration protocols against you.
If secure radio communications were not established in our example, the enemy could both listen to what the recon team was doing and pose as a legitimate member of the team. If your remote communication protocols are not properly secured, an attacker can do the same thing.
To establish two-factor authentication, the recon team combines something they have, the Battalion jump freq settings, with something they know, the challenge and password rotation. They don't rely on the radios alone to provide the level of security they know they are going to need; rather, they ensure they are using passwords that rotate on a regular basis.
This should be true of your IT assets and remote administration protocols. You cannot simply rely on your use of SSH or a VPN tunnel to provide the level of security you need. By using strong username and password combinations that rotate on a regular basis, you add an additional, vital layer of security. In fact, we find in our forensics investigations that weak username and password combinations are the number one cause of a data breach. This fact amazes me because it costs nearly nothing to enforce strong passwords.
Preparing for Combat: Fire Points, Sheriff Freq, Evac Routes and Rally Points
The recon Sergeant anticipates an attack. As the most experienced member of the team, he knows that an attack on their position is imminent. It may not happen today or tomorrow, but at some point it will. So, he makes preparations as if today were that day by outlining their response plan. He will get orders from his next higher command, establish a defensive perimeter based on the threat and call in subject matter experts (the Sheriff). If the response time is too great, he has alternative plans to protect his men.
Comparison–Your incident response plan
Like our recon team, you need a plan of what you are going to do when the day comes. It’s more likely than not that you will experience a security incident if you haven’t already. And if you haven’t, it could be that you just haven’t noticed it yet. In the event of a security incident, who are you going to call? What subject matter experts, both internally and externally, are you going to engage? How are you going to communicate the incident to your staff, to the media, to legal counsel and to law enforcement? Learning to respond to an incident during an actual, live attack is less than ideal (and deadly in the recon team’s situation).
What would happen if the recon team was unprepared? The team would likely stand in the midst of rounds flying, waiting for instructions from their leader. In terms of your organization, are you that leader? In the event of an incident, will your staff be standing around looking to you for direction? What will you tell them?
OPFOR (Opposing Forces): Clear Paths to Bravo and Charlie, an External View and Corrections
Once the security perimeter is established, the roving guard is in place, the observation and listening points are up and running and the incident response plan has been created, Corporal Thomas has the responsibility of testing everything to make sure it works as designed. He needs to make sure the paths to both rally points are clear of enemy activity and evaluate the AO from the standpoint of the enemy. This information will give the recon Sergeant a clear understanding of the true nature of his security posture. Once he understands what things look like from the enemy's perspective, he can get with Corporals Smith and Jones and correct the deficiencies. How wise of our recon Sergeant not to simply rely on his assumptions! Instead, a member of his team is tasked with testing those assumptions and making sure the security measures in place will operate as planned.
It’s far better for Corporal Thomas to find a security flaw before the enemy does.
Comparison–Penetration testing and continuous assessment
Investing in a security team, security hardware, firewalls, anti-virus, a SIEM solution and staff to run it all isn’t enough if you don't evaluate your security posture from the perspective of an attacker. You need to know what security measures work, what measures don't and why.
We’ve encountered a number of organizations that think a firewall alone will protect them, or that an incident response plan alone will allow them to limit the repercussions of an incident. It's just not true. You need to see your security controls and incident response plan in action in order to understand the true security of your systems. This can be accomplished through a penetration test.
For starters, it's important to understand the distinction between a vulnerability scan and a penetration test. Vulnerability scanning takes a high level, external view of your systems and alerts on vulnerabilities it can detect via automation. A vulnerability scan could be compared to Corporal Thomas walking around the perimeter and pointing out all of the things that might be wrong without actually testing them...that's good enough, isn't it? Sure...because that's all the enemy would do, right?
Vulnerability scanning should be included as one aspect of testing your systems, but it certainly shouldn’t be the entirety of it. A penetration test conducted by a skilled practitioner will give you insight into how an attacker might penetrate your defenses and what data they could compromise as a result. With a clear understanding of what your defense posture looks like through the eyes of an attacker, you can remediate those deficiencies before it’s too late. But of course security is cyclical. Once you remediate the deficiencies, you’ll want to test again to ensure that you fixed them without creating other vulnerabilities.
Looking at security in terms of a military operation can make it obvious what actions need to be taken to establish a perimeter, set up defenses, test those defenses and remediate any deficiencies. Failure to successfully accomplish any of the tasks outlined by the recon Sergeant could lead to the compromise of the AO and potentially the loss of life. Casualties, of course, are less likely in the instance of a data breach, but the example still fits. The functions the military performs here are easily comparable to those performed by cyber security professionals every day. The terminology may differ, but the underlying principles are the same:
- Identify your AO
- Set up a defensive perimeter
- Establish listening points
- Create an incident response plan
- Test your security controls with penetration testing
- Correct deficiencies
- Conduct maintenance testing
Progressing through this process will help you establish a defense-in-depth security posture that should mitigate most attacks and prepare you for the inevitability of a security incident. You will find that anticipating that you will be attacked will help you prepare for it.