Article - Medieval Network Security from a Military Tactics Perspective



Recently I started looking at the state of network security from a historical military tactics perspective, and I have to say I'm appalled at the state of our industry and at how we approach the threats to our corporate networks.

Obviously we're constrained fiscally, but it goes beyond that. We still have not fundamentally changed our security methodologies and practices in response to an evolving threat. We're still using first generation tactics while the enemy has evolved: it has access to large armies (botnets), is well funded and has the ability to apply modern tactics. We have to get beyond our one-dimensional, response-driven mentality.

Brute Force attacks


When we look at network security, most product solutions seem to focus on brute force approaches. I would refer to these as classical siege warfare from medieval times: basically, focus a force on a single point of contact. Think of battering rams at the gate and it's easy to think of our firewalls and DoS (Denial of Service) defenses. However, I would say it's even worse than this. These approaches are noisy and highly visible, but only if there are sentries at the gate. How many firms today diligently check their firewall logs or have alerting in place? Beyond that, in the old days a suspicious cart would be inspected at the gate, with a pitchfork for example; we don't even do that. Our data passes mostly unhindered as long as the payload is wrapped in an appropriate port to an authorized destination. We're talking trojan horse days. Yes, some folks inspect for virus patterns at the gate, but generally not on all traffic, and this approach is fundamentally flawed. Today, I would say we're still at the siege or trench warfare stage, either with or without sentries and observation posts.

Recommended security countermeasures: Layered security, defense in depth, alerting, strong protection against DoS attacks. Use of next generation firewalls.

Flanking Attacks


Let's move forward to other tactics. I haven't seen or heard of a lot of flanking tactics, but I would expect to in time, once siege warfare can no longer be used to penetrate data networks. Thinking of World War II (WW2), a great classical example is France and the Maginot Line, which was a line of concrete fortifications, tank obstacles, artillery casemates, machine gun posts and other defenses. This is roughly analogous to our perimeter approaches. Just as in WW2, simple perimeter approaches have flaws: most folks can't see the various other flanking entry points. Wireless networks, unauthorized wired connections (even backup circuits, including at branch or remote offices), VPNs directly into the core network (what were you thinking...), ad-hoc networks, insecure wireless bridges, etc. We haven't seen a lot of flanking approaches, I suspect primarily because the extra effort and expense in time isn't warranted when the front gate approach is still so effective. However, I am concerned about the ease and invisibility of a flanking approach. The fact is that this method requires more research and time to discover a weakness while so many other cost-effective attacks are available, and that's our saving grace, for now.

Recommended security countermeasures: Ongoing assessment to validate topology, segmentation of VPNs, segmentation of key servers, review of all layer 3 devices, wireless assessments. Tripwires to detect access to sensitive data or systems.

Diversionary Tactics


We're starting to hear more about diversionary approaches, but I think this is a poorly understood method. For you older, correction, more senior talent out there, think of the A Team TV show. If you have a small force, use a diversion (flash bang, explosion, shock and awe) or any other kind of misdirection. Basically the idea is to create a lot of "noise", which can be electronic as in DoS (Denial of Service), and get the attention and security resources to focus on the diversion while the real attack and target are masked. This works exceptionally well. Almost all network security personnel today, and their tools, are geared to finding the highest priority threat, which is generally defined by the greatest "noise." Essentially, enlist a botnet army to target a resource and then, in the midst of that attack, carry on the real attack while everyone is focused on the visible target. Brute force attacks serve just fine as the diversion. We all share the blame on this one: we have all been trained to prioritize the greater perceived threat, and we all have upper management breathing down hard, saying to focus on the visible attack and timely restoration of services, unaware that in fact a secondary attack is underway.

Recommended security countermeasures: Strong logging solutions, training simulations of two or more attacks in progress, executive sponsorship to allow resources to be allocated both to the main attack and to a review for a possibly masked intended target.

Stealth or Covert Attacks


Basically this is the attack you never see. This can also include breaches that have already occurred where backdoors have been successfully installed. They are more difficult to protect against because of the absence of "noise": there is no indication that anything is wrong. They are usually only detected later, via credit card fraud detection and other methods that trace all of the stolen card numbers back to a common data source, for instance, or via the loss of some physical asset(s).

Recommended security posture: Assessments and penetration testing, tripwires. Extensive review and assessments of outgoing traffic and firewall policies. Heavy scrutiny of all outgoing sessions and destinations. Use of honeypot systems and data.
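An added example, not from the original article, that illustrates both the diversion problem above (triage that ranks by "noise" hides the masked attack) and the egress scrutiny recommended for stealth attacks. It runs over constructed firewall log lines, and the log format, the allow-list and the flood threshold are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample firewall log lines (not real traffic): a botnet flood
# of inbound connections to the public web server, 20 ordinary outbound
# sessions to a known partner, and 3 quiet outbound sessions from an
# internal host to a destination nobody has seen before, all during the flood.
SAMPLE_LOG = (
    [f"in src=203.0.113.{i} dst=10.0.0.5 dport=80" for i in range(1, 41)]
    + ["out src=10.0.2.30 dst=192.0.2.77 dport=443"] * 20
    + ["out src=10.0.2.17 dst=198.51.100.9 dport=443"] * 3
)
# Assumed allow-list of destinations the organisation already knows.
KNOWN_DESTINATIONS = {"192.0.2.77"}
FLOOD_SOURCES = 10  # distinct sources hitting one host before we call it a flood


def parse(line):
    """Turn 'in src=A dst=B dport=P' into a dict with a 'dir' key."""
    direction, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["dir"] = direction
    return record


def naive_triage(lines, top=2):
    """The 'loudest first' view: rank (direction, destination) by event count.
    With top=2 the three quiet sessions never make the list."""
    counts = Counter((r["dir"], r["dst"]) for r in map(parse, lines))
    return [key for key, _ in counts.most_common(top)]


def noise_aware_triage(lines):
    """Collapse the flood into one finding so it cannot crowd out the rest,
    and flag every outbound session to an unknown destination regardless of
    how few packets it produced."""
    flood = defaultdict(set)
    findings = []
    for r in map(parse, lines):
        if r["dir"] == "in":
            flood[r["dst"]].add(r["src"])
        elif r["dir"] == "out" and r["dst"] not in KNOWN_DESTINATIONS:
            finding = ("outbound-unknown-dest", r["src"], r["dst"])
            if finding not in findings:
                findings.append(finding)
    for dst, sources in flood.items():
        if len(sources) >= FLOOD_SOURCES:
            findings.insert(0, ("inbound-flood", dst, len(sources)))
    return findings
```

Calling `naive_triage(SAMPLE_LOG)` returns only the flood and the known partner traffic, while `noise_aware_triage(SAMPLE_LOG)` reports the flood once and still surfaces the three quiet outbound sessions to the unknown destination.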

Other effective techniques


I'm a big fan of social engineering and basically any attack that doesn't require technology. Whether it be the lack of a security mindset in users, weak password control or excessively strong password control, lack of control over removable media or just trading chocolate for passwords, there are a variety of extremely easy ways to circumvent security. One of my favorites, which I read about, is sprinkling infected USB drives either in a parking lot or on desks. When it comes to social engineering, helpfulness and curiosity are powerful human traits that can easily be exploited. Remember, a thief only needs one entry point, and only for long enough to take whatever the target is.

Recommended security countermeasures: Security awareness training, external testing via social engineering techniques, and the same measures as for stealth or covert attacks.

Other recommendations


Situational awareness - Logging and alerting are a requirement. If you have no visibility you are clueless and cannot begin to understand, let alone respond.
Containment - Limit the damage, contain the threat.
Training - Train for each type of threat and test responsiveness.
Encrypt - Encrypt the data to minimize the damage, focusing on both data at rest and data in transit.
Executive support - Enlist executive support for dealing with brute force attacks, with a focus on looking for other masked attacks.
High value targets - Focus effort and energy on protecting high value targets and on using specialized solutions (e.g. web application firewalls).

Author:
Werner Schmidt, CISSP
Date: January 2009