Written by Nick Defoe, OSCP, Director of Information Security, US Signal
When it comes to securing modern technology environments, it’s common for practitioners to seek a magical silver bullet that will remedy all their security problems. This might take the form of a new “blinky box” such as a firewall, a security information and event management (SIEM) solution, or a cloud-hosted endpoint detection and response (EDR) solution. Unfortunately, these kinds of services and technologies never quite live up to their promises. Security holes remain to be exploited, or attack patterns evolve past the current state of protection.
A more effective approach is to look at security from a holistic perspective and build a system that minimizes the impact of any one protection being bypassed. Defense in Depth (DiD) is a mindset along those lines. It builds multiple layers of controls that complement each other in protecting critical data.
What is Defense in Depth?
The main idea behind DiD is that if any one security control protecting critical systems or information is compromised, another control is in place to stop or limit the impact of the attack. This is also referred to as “layered security,” but the DiD model is generally more thorough in that it requires looking at how systems work together to offer protection, rather than simply putting one control behind another.
In terms of a basic network, this could mean having the following controls in place, each of which must be bypassed to compromise critical data:
1. An EDR solution that uses continuous monitoring, real-time visibility, behavioral analysis, and actionable analysis applied to endpoints to prevent an incident from turning into a breach.
2. A firewall on the network edge that restricts access to certain ports or limits what data can leave the network.
3. An intrusion prevention system (IPS) that detects potential attacks and blocks attackers.
4. Network traffic analysis on the internal network to detect and alert on threats moving inside the network.
5. Multifactor authentication on any systems that are internet-facing or have administrator privileges.
6. A segmented internal network which limits access to internal systems.
7. Authentication on internal systems using strong passwords.
8. Logging and alerting on systems near the ‘crown jewels’ that monitor unusual or unexpected activity.
With this many security controls, adversaries are faced with a complex obstacle course to navigate from the network edge into the inner sanctum. Included are different types of controls (preventive, detective, and responsive), providing multiple choke points to contain the threat or, at a minimum, alerting that malicious activity is occurring.
This highlights the main advantage that defenders have when it comes to the security posture of their organizations: the network (or systems) can be built to be hostile towards attackers. These additional defenses, each with a different strength or perspective, increase the amount of work it takes attackers to get to what they want and result in a security win for the organization.
Phishing Through the Lens of Defense in Depth
In an email phishing attack, a single click can lead to disaster. So how can controls be architected so that if any single control is circumvented, the system remains safe? Let’s look at different security controls that can be in place in a modern email environment to see how they work together.
Email Security Gateway – Preventive Control
An email gateway filters out phishing emails based on various sets of rules, heuristics, and other more advanced means such as machine learning or artificial intelligence. While these systems are good at eliminating commodity-grade spam from inboxes, they can still be bypassed by spear phishing attacks or other social engineering campaigns.
Link Tracking for Email – Detective Control
Link tracking technology is a newer control that helps defenders by allowing for visibility into the links that are clicked within email messages. For example, an email with a malicious link makes it past the email gateway and a user clicks that link. The purpose of link tracking is to be able to determine retroactively who within the organization may have visited that site.
User Awareness Training – Preventive Control
Since email gateways aren’t perfect, it’s necessary to educate end users on how to identify malicious emails. Especially where social engineering is involved, it can be challenging for automated systems to verify threats. Ideally, users also need a mechanism for reporting malicious messages that make it into their inboxes.
Automated Email Pullback – Responsive Control
Let’s say another email gets through the email gateway, but it’s identified by a user as malicious and flagged as a potential phish. Usually, the act of flagging removes the email from the inbox to prevent further interaction with the message. Taking this a step further, some email systems will then look for the same message in other users’ inboxes and pull it back to protect those other users from clicking.
Two-Factor Authentication – Preventive Control
Even the best security mechanisms sometimes fail. Let’s say a social engineering email made it past all of the protections in place, and a user entered his or her credentials into an Office 365 credential phishing website. That could be disastrous. But if that user’s inbox requires two-factor authentication (2FA), the attacker wouldn’t be able to gain access to the mailbox. Microsoft has advised that 99.9% of Office 365 account compromise attempts are stopped when multifactor authentication is used. (Source: microsoft.com)
Browser Isolation – Preventive Control
A newer type of protective control that’s been gaining traction is browser isolation. In a scenario where a malicious email gets delivered to a user who clicks the link, browser isolation can protect the system. It opens the link in a remote web browser rather than on the user’s own system. This moves the risk of compromise away from the more sensitive information on the user’s PC.
Endpoint Detection and Response – Preventive Control
Let’s say that an attacker sends a phishing email prompting the end user to visit a website, designed to look legitimate, and input his or her credentials. If the attacker successfully obtains the user’s credentials and then tries to use them to log in, the EDR monitors the activity, identifies it as suspicious based on AI and machine learning, sends an alert, and prevents any malicious activity before it occurs, even when it is under the guise of a legitimate login.
SSL Decrypting Firewall and Network Traffic Analysis – Detective Control
Consider this scenario: a malicious payload made it past the email gateway and the user’s suspicions. It evaded the endpoint protection when run on the user’s PC. There are still opportunities to halt this malicious activity. If the network has SSL decryption and network traffic analysis in place, the defenders should be able to identify the Command and Control (C2) traffic on the network and remediate the problem swiftly.
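As an added example (not part of the original article), one simple network traffic analysis check for the C2 scenario above: flag internal hosts that contact the same destination on a near-constant interval, which is how beaconing implants typically behave once their traffic is visible to decrypting inspection. The log format, addresses and hostnames are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample records from decrypted proxy / NTA logs, "<epoch> <src_ip> <dst_host>":
# 10.0.0.5 contacts one host every ~60 s (beacon-like); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn-update.example.net
1700000060 10.0.0.5 cdn-update.example.net
1700000121 10.0.0.5 cdn-update.example.net
1700000180 10.0.0.5 cdn-update.example.net
1700000239 10.0.0.5 cdn-update.example.net
1700000300 10.0.0.5 cdn-update.example.net
1700000011 10.0.0.7 news.example.com
1700000043 10.0.0.7 news.example.com
1700000399 10.0.0.7 news.example.com
1700000402 10.0.0.7 news.example.com
1700000870 10.0.0.7 news.example.com
"""

def parse_log(text):
    """Group connection timestamps per (src_ip, dst_host); skip malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        flows[(src, dst)].append(int(ts))
    return flows

def beacon_score(times, min_events=5):
    """Return (mean_interval, jitter) or None if too few events. jitter is
    stdev/mean of the inter-arrival gaps: near 0 means a metronomic schedule,
    typical of C2 beacons and rare for human-driven browsing."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    intervals = [b - a for a, b in zip(times, times[1:])]
    avg = mean(intervals)
    if avg == 0:
        return None
    return avg, pstdev(intervals) / avg

def find_beacons(text, max_jitter=0.1):
    """Flows regular enough to warrant analyst review: [(src, dst, interval)]."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        score = beacon_score(times)
        if score and score[1] <= max_jitter:
            hits.append((src, dst, round(score[0], 1)))
    return hits
```

Real implants add random jitter, so in practice the threshold is tuned per environment and combined with other signals (request size variance, destination reputation, time-of-day) before an alert is raised.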
You can see how different mechanisms layer together to form a much stronger overall security posture than when any one technology sits in one point in the mail flow, looking at things from a single perspective. That’s the essence of DiD.
US Signal is Here to Help
The solutions that US Signal offers can be a part of a comprehensive DiD strategy and contribute to a more resilient architecture. Among the services to consider: Vulnerability Management as a Service, Endpoint Detection and Response, and Managed Firewall.
An assessment of your organization's current security posture is a good place to start to determine what is needed for fortifying your overall defenses. US Signal’s advisory and assessment services are available on a one-time basis or can be set up as an ongoing engagement. They include: