There’s no escaping the number of breaches occurring daily; our media is full of them. As practitioners it feels like we’re pushing rope uphill as we try to convince organizations to adopt the basic security practices that will help thwart attacks. At the same time we’re fighting for the budget to secure the organization well and make sure it remediates threats…yet we’re always under pressure to reduce spend.
If over 80% of breaches tie back to identity and users’ devices, then it makes sense to double down on the basics of identity and device hygiene.
Forethought Remediates Threats
If you read the Verizon Breach Report you’ll understand that there are many threat actors, threats, risks and outcomes, and that they change with demographics and industry. So, to keep things a little simpler and more digestible, we wanted to introduce the ones we consider most important. This is also where CISOs/CSOs tend to invest their budget; is that because these appear in the media more, or because vendor marketing teams spend a lot of money on them?
Allow @Banyan Security to introduce the Threat Framework (4x4x4):
4 Actors, 4 Risks & 4 Outcomes
- Threat Actor (Initiator) (outsider 98%, insider 2% – page 25 VDBIR)
  - Naive Insider (email link, website link)
  - Malicious Insider (disgruntled employee, rogue contractor)
  - Outsider posing as Insider (bought credentials on dark web)
  - Outsider (brute force attack, mistakenly open to internet)
- Risky Activity
  - Get Phished for Credentials -> gather user info for impersonation
  - Install Malware -> compromises device, enabling ransomware, spyware, etc.
  - Introduce Vulnerability -> tamper with supply chain, misconfigure systems
  - Unauthorized Access -> log into unapproved systems
- Resulting Outcome
  - Denial of Service -> shuts down system
  - Lateral Movement -> compromise other devices and systems, obtain elevated privileges, additional credentials
  - Exfiltrate Keys -> access to admin accounts, etc.
  - Exfiltrate Data -> download sensitive data
One of the more common attack scenarios is an outsider leveraging credentials bought on the dark web or launching a phishing campaign, with the resulting outcome that user devices become compromised and malware is installed.
Another scenario that became more common during 2022 was hacker groups contacting privileged users (usually contractors) and paying them to share their credentials for a short duration of time.
The extortion-focused hacker group LAPSUS$ has risen to fame with its “smash and grab” style of data theft, its go-to initiation being buying credentials on the dark web or offering employees money for their credentials. Brian Krebs wrote an excellent article on this.
As ransomware became more prevalent the availability part of the CIA triad (Confidentiality, Integrity, and Availability) suffered, with victim companies most often losing the ability to deliver service.
Traditional Defense in Depth
There are, of course, many strategies people have used over the years, from training against phishing and social engineering to email filtering and, of course, the outdated method of funneling all traffic via a network-based choke point to block access to bad URLs and domains. Network security was relatively straightforward when everyone was on the network, but that’s no longer the case.
With more workers being remote and more applications being cloud-based, forcing traffic into your corporate network so you can add some security only increases cost and complexity.
These strategies, as well as MFA and least-privilege access, aren’t exactly saving our bacon. I’m not suggesting you don’t need to invest in these areas; these are table stakes. What I am suggesting is that they need some extra whizbang added on top…the icing on the cake!
That’s why, in 2017, our Adobe ZEN strategy was to treat the device, its identity and its posture as critical to our defense in depth approach.
New strategies that work
Whizbang you say? What is whizbang? Well, being Scottish I’m a huge Craig Ferguson fan, so Google him, then watch, learn and laugh.
For me it’s a little icing on the security cake, here’s what I consider the new table stakes:
- Device Registration – Imagine I told you my username and password and, just for fun, agreed to hit the MFA accept. Or the bad actor bought your credentials and performed an MFA fatigue attack… either way. Registering the device means no one can log in as you unless they are on a device you previously registered. This removes a bad actor’s ability to access your cloud services or gain network access via the VPN on your behalf.
- Device Posture – Being able to enforce a minimum security posture is huge, especially for devices you don’t manage like BYOD or 3rd party vendors. This means we can require things like disk encryption, the latest OS and patches, and an approved set of applications (like an EDR solution). If a device doesn’t meet the posture, it isn’t given access to the application or service.
- Removing VPN access – Sorry network security folks, but VPNs are not good for security. The model is usually to enable full network access, which means your device can now reach all the devices in the corporate network. Another flaw is that enabling access at the network level increases the cost of operation, including having to manage IP tables that are complex and not intuitive. The better strategy is to publish applications to the web using the same directory-based access controls, without allowing unfettered access to your corporate network.
- DNS/URL filtering – Leveraging a threat feed lets us turn your endpoint into an edge security device. Preventing a user from clicking a URL that takes them to a malicious site or downloads malware is a game changer. Every day our users click links and visit sites; it’s like we’re playing Russian roulette…
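As an added example (not Banyan Security’s or the author’s code), here is how the device registration and device posture checks above can layer onto a password + MFA decision so that a stolen credential plus a fatigued MFA “accept” still fails on an unenrolled laptop. The device IDs, minimum OS versions and the required EDR app name are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed registry of devices each user enrolled beforehand
# (hypothetical IDs, not from the post).
REGISTERED_DEVICES = {"alice": {"dev-a1b2"}, "bob": {"dev-c3d4"}}
# Minimum OS versions the posture policy accepts (illustrative values).
MIN_OS_VERSION = {"macos": (13, 0), "windows": (10, 0, 19045)}


@dataclass
class Device:
    device_id: str
    os_name: str
    os_version: tuple
    disk_encrypted: bool
    running_apps: set = field(default_factory=set)


def posture_failures(dev, required_apps=("edr-agent",)):
    """Return every posture requirement the device does not meet."""
    failures = []
    if not dev.disk_encrypted:
        failures.append("disk not encrypted")
    minimum = MIN_OS_VERSION.get(dev.os_name)
    if minimum is None or dev.os_version < minimum:
        failures.append("OS below minimum version")
    for app in required_apps:
        if app not in dev.running_apps:
            failures.append(f"required app missing: {app}")
    return failures


def decide(user, password_ok, mfa_ok, dev):
    """Allow only when credentials, MFA, registration and posture all pass."""
    if not (password_ok and mfa_ok):
        return "deny", ["credential or MFA check failed"]
    # Device registration: purchased credentials plus an MFA-fatigue
    # 'accept' still fail because the attacker's device is not enrolled.
    if dev.device_id not in REGISTERED_DEVICES.get(user, set()):
        return "deny", ["device not registered to user"]
    # Device posture: the enrolled device must also meet the minimum bar.
    failures = posture_failures(dev)
    if failures:
        return "deny", failures
    return "allow", []
```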
The reality is we are all under attack, the basics help and it’s clear that user and device identity is on the front line of the battle. We’ve evolved from the big security battle being a network-level game to the network being anyone’s network and no longer a trust boundary.
The upshot is that if we are to apply trusted policies and controls that protect our workforce and data, it needs to be simple. The one thing all data should have in common, and that is within your control, is the authentication mechanism. So adjust that workflow to include all the device trust whizbang I mentioned above.
If you’re still struggling then drop us a line; Banyan Security is here to help…