Contrary to the promises of the various security appliance providers, there is no single solution in information security that defends against every attack vector available to threat actors (TAs). Instead, we recommend that businesses adopt Defense in Depth, a strategy of applying multiple layers of defensive mechanisms to better protect an organization’s valuable digital assets — so where one layer fails, another is there to deter TAs.
The Federal Bureau of Investigation (FBI) reports staggering rates of cybercrime that increase every year, meaning companies can no longer afford the fire-and-forget approach of installing an unconfigured firewall and wiping their hands clean. Most organizations already have the hardware needed to implement a robust Defense in Depth solution; only the controls need technical adjustment.
There are three main categories of control in the Defense in Depth framework that can enhance a company’s information security in today’s daunting cyberworld: technical, physical, and administrative. Strengthening these controls helps an organization uphold the CIA triad of data security, which comprises confidentiality, integrity, and availability.
Technical controls make up the majority of layers in the Defense in Depth model, consisting of the software, hardware, and network components of the organization’s infrastructure.
Arguably the most dominant aspect of Defense in Depth, technical controls are imperative for early detection of and prevention against today’s emerging threats, including the relentlessly evolving ransomware we see plaguing unprepared small and medium-sized businesses.
Examples of technical controls include:
- Properly configured firewalls — software or hardware — installed for both cloud and on-premises organizations. The emphasis is on properly configured: even a state-of-the-art next-generation firewall with improper logging, whitelisting, port configuration, or GeoIP filtering proves to be of little worth against sophisticated attacks. Once configuration is correct, most firewall vendors offer subscriptions for organizations whose appliances require additional protection, including but not limited to web-facing services and applications.
- An antivirus (AV) or endpoint detection and response (EDR) solution that provides visibility into the health of workstations and servers. Traditional AV relies on a database of known signatures from common exploits and compares them against the programs on the machine. EDR can be seen as next-generation AV: it adds a heuristic approach — both signature-based and behavioral analysis are included — so malware that matches no known signature can still be detected by the abnormal behavior it exhibits, using artificial intelligence and machine learning algorithms. EDR contains and eradicates the malware and generates a post-event alert in the EDR’s centrally managed console. The data is then analyzed, and operational threat intelligence is gleaned. This type of behavioral endpoint defense combats the latest emerging threats and zero-day attacks.
- Multi-factor authentication (MFA) is both simple to deploy and markedly effective at preventing unauthorized access to user accounts. Almost all organizations that use one of the “big name” providers for their directory services — such as Microsoft Azure AD or Google Directory — have access to MFA with their baseline subscriptions. This includes Google’s Business Starter and Education Standard licenses, and any tier at or above Azure AD Free with access to Office 365; note, however, that the free tier is limited to the security defaults option and does not include conditional access. Both Google and Microsoft provide their respective authenticator applications for users’ mobile devices, which generate the time-based one-time passwords (TOTP) used during authentication, although other devices and methods for MFA can be configured to fit the organization’s needs. A password complexity policy and MFA are powerful components in preventing unauthorized access, which is especially critical because vulnerable user accounts are abundant and are prime entry paths for TAs in many of the breaches we see.
- Encryption prevents TAs who gain unauthorized access from reading data in plaintext. For organizations with file shares, SMB 3.0 can be set up with AES (Advanced Encryption Standard) 256-bit encryption to prevent man-in-the-middle (MITM) attacks. Encryption can also be applied to remote machines prone to theft, using services like BitLocker, to prevent a TA from reading any type of storage device. For files of greater value, encryption can be combined with authentication protection: similar to MFA, a TA would need credentials for an account with permissions to the folder or share and would also have to know the folder’s password to gain access to the files within.
- Backup solutions are available from many vendors, but every one of them should keep copies available from multiple sources (offsite or offline) and be routinely evaluated for integrity. It can be a challenging conversation informing stakeholders that their backed-up data is worthless because it was encrypted alongside the in-house primary storage systems during a ransomware incident.
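The distinction the AV/EDR bullet draws between signature matching and behavioral detection, as an added example that is not part of the original article and not any vendor’s engine: a signature check (SHA-256 lookup against a constructed blocklist) beside a behavioral rule that flags a process renaming many files across many directories within a short window, which is how a sample with no matching signature still gets caught. The event format, the known-bad hash set, the process names and the thresholds (20 files, 3 directories, 10 seconds) are all constructed for this example.

```python
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass

# Constructed blocklist for this example: a real AV ships a vendor-maintained
# signature database, not a hash of a made-up byte string.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as an EDR sensor might report it (constructed schema)."""
    ts: float          # seconds since the epoch
    pid: int
    process: str
    action: str        # "write" or "rename"
    path: str
    new_path: str = "" # rename target, empty for writes


def signature_match(executable: bytes) -> bool:
    """Signature-based check: hash the file and look it up. Catches only what
    is already in the database; a never-seen sample passes."""
    return hashlib.sha256(executable).hexdigest() in KNOWN_BAD_SHA256


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def behavioral_flags(events, window_s=10.0, min_files=20, min_dirs=3):
    """Behavioral check: per process, slide a time window over its events and
    flag it once it has touched many files in many directories and renamed at
    least half of them to a different extension. Returns {pid: details} with
    the timestamp at which the threshold was first crossed."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda ev: ev.ts)
        start = 0
        for end, cur in enumerate(evs):
            while cur.ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            touched = {ev.path for ev in window}
            dirs = {os.path.dirname(p) for p in touched}
            renamed = sum(1 for ev in window
                          if ev.action == "rename" and _ext(ev.new_path) != _ext(ev.path))
            if len(touched) >= min_files and len(dirs) >= min_dirs and renamed >= min_files // 2:
                flagged[pid] = {"process": cur.process, "first_alert_ts": cur.ts,
                                "files": len(touched), "dirs": len(dirs), "renamed": renamed}
                break  # first crossing is the alert; containment would start here
    return flagged


def constructed_events():
    """Constructed sensor feed: a word processor saving a few reports over ten
    minutes, and an unknown process renaming 40 documents in under 5 seconds."""
    base = 1_700_000_000.0
    events = []
    for i in range(6):
        events.append(FileEvent(base + i * 100, 100, "WINWORD.EXE", "write",
                                f"/share/hr/report{i}.docx"))
    depts = ["hr", "finance", "legal", "sales", "eng"]
    for i in range(40):
        src = f"/share/{depts[i % 5]}/doc{i}.docx"
        events.append(FileEvent(base + i * 0.1, 200, "updater.exe", "rename",
                                src, src + ".locked"))
    return events


if __name__ == "__main__":
    print("signature hit on unknown sample:", signature_match(b"never seen before"))
    for pid, info in behavioral_flags(constructed_events()).items():
        print(f"pid {pid} ({info['process']}) flagged at {info['first_alert_ts']}: {info}")
```

The thresholds are the tunable part: too low and a backup or archiving job that rewrites many files trips the rule, too high and the alert arrives after most of the share is already renamed.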
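A manifest-based integrity check for the backup bullet, as an added example that is not from the article or any backup vendor: record a SHA-256 per file when the backup is taken, then compare on a schedule to catch copies that were overwritten, renamed or removed after the fact, which is what a backup share looks like once ransomware has reached it. The directory layout and file contents are constructed in a temporary directory; it is assumed the manifest itself is stored somewhere the backup share cannot write to, since a manifest kept beside the data is altered along with it.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest.
    Taken when the backup is written and stored offline, away from the share."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Re-hash the backup and report every way it diverges from the manifest:
    files whose content changed, files that vanished, files that appeared."""
    current = build_manifest(root)
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed backup tree: verify it clean, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger contents")
        (root / "notes.txt").write_bytes(b"constructed notes")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate the backup copy being altered after the manifest was taken:
        # one file overwritten in place, another renamed to a new extension.
        (root / "finance" / "ledger.xlsx").write_bytes(b"\x8a\x11\x3d constructed garbage")
        (root / "notes.txt").rename(root / "notes.txt.locked")
        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run the verification against the offsite or offline copy on the same schedule as the backup job itself; a report that is not `ok` is the early warning that turns the “your backups are worthless” conversation into a restore from the last good manifest.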
Administrative controls provide the policies and procedures that keep internal employees and contractors compliant with security best practices when accessing company assets. These controls will differ between companies, as they must be customized for optimal effect.
Privileged access management enforces the principle of least privilege, in which users are given access only to the items needed to fulfill their work duties and no more. In many organizations, it is common to see administrator permissions given to user accounts that do not need them.
Data handling procedures, digital codes of conduct, and confidentiality policies are also examples of administrative controls.
In today’s cyberworld, physical controls are tied more closely to insider threats. Though a baseline of physical controls is still essential, the majority of breaches are carried out remotely through web access, without any physical presence.
Free and open-source monitoring solutions are available to oversee system services and applications. Tying in backups, patching, and endpoint management gives IT administrators and stakeholders a holistic, centralized management system while providing deep insight into the health of their entire environment.
The irrefutable truth is that today’s advanced cyberattacks and emerging threats require a multilayered, proactive approach to defend organizations’ reputations and cyber-operational assets. TAs are targeting, scanning, and enumerating like never before to probe for lax security controls.
Most of us at BinaryLab started our careers as IT admins and know the constant pressure of keeping the metaphorical cyber gears turning, let alone ensuring their protection. Our specialty is the investigation and remediation of the most sophisticated cyber incidents, proactively addressing concerns and providing a quick response to restore operations.
Relevant to Defense in Depth operations, we aid in the strategic planning and implementation of stacked security measures custom-fit to your organization’s needs.
BinaryLab is committed to protecting clients’ sensitive data by proactively addressing security concerns, as well as providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.
Mike Carlson is a Cybersecurity Remediation Engineer at BinaryLab. He has over six years of experience in information technology, most recently working in Tier 2 desk support with our sister company, BinaryNetworks.