Composing Defences
2018-07-10
Often, in the information security community, we bandy about terms like “defence in depth” or “layered defences.” Most of the time, it’s just a platitude for “buy more stuff.” It’s worth exploring the way these terms evolved, and how we should think about defensive architectures in the world defined not by physical space, but by network connectivity.
In the flat space of military defences in the pre-WWII area, defence in depth would refer to one of two concepts. In the first mode, it was a set of defences which interlocked in some form -- consider a castle wall, a moat, and a set of guards atop the wall. Each of these defenses, individually, was trivially defeatable, but together, they multiplied. While an adversary was busy crossing the moat, they were easy to shoot at. The moat made it hard to scale the wall. The wall gave defensive cover to the guards. In the second mode, it was about depth in distance - consider the depth of the Soviet terrain as they fell back in World War II, and the lengthening of the attacker’s supply lines as weather set in. “Never get involved in a land war in Asia” is good advice for a reason.
Integrating defences relies on some basic features of the physical world. Adversaries occupy space across a period of time. Defenders can trivially observe adversaries - the Mark One eyeball is generally ubiquitous across history. But when defences integrate, it may be easier to think of them as stacking – defence in height.
When defences fail to integrate, allowing an attacker to sequentially defeat them – consider a set of hurdles in a line – then depth may be the correct way to consider the dimension. Consider a pair of identical, locked doors, with a small, unmonitored space between them. While an attacker may take more time to defeat the doors (either using lockpicks, slides, or a purloined key), neither defence is actually made harder by the presence of the other.
Sometimes, defences don’t even stack. Defence in breadth represents a set of defences that present a choice to an adversary, where they can opt not to engage in a defence, by going around it. The postern gate provides an alternate path for a spy than the front gate; the Maginot Line could be gone around; any of a dozen servers in a network DMZ can be breached to provide access to an intranet.
The lesson for defenders is to understand both the system you’re defending, and how its defences work – or don’t – together. Increased complexity may be an indicator of defences in breadth, often with “layered” defences where the defeat of one could go undetected. Our goal should be to create defence in height, where we know how our defences work together towards defeating adversaries.
How do we approach improving our defences?
One way is to flip our mental model, and consider ourselves as attackers, and the adversary as a defender. In the same way an adversary might conduct surveillance on our defences, we need to surveil the adversary as they defeat our defences. We should consider our boundary systems as the adversary’s, and ask, “How can we see the adversary conducting an operation?” While an adversary’s dwell time inside our perimeters might not need to be long to accomplish their goals, how can we observe artifacts of their presence?
Another approach is to understand that our perimeters are almost always wider than we understand. When we try to govern our systems, we often start from the best maintained systems and work outward; adversaries will start from our worst-maintained systems and work inward. We need to aim to operationalize the same visibility and maintenance practices across our entire perimeter stack, so that we understand our risks, and not bury them deep as a footnote in our assessments.
A third approach is to reduce our perimeter entirely. Simplifying our defensive models makes them easier for us to understand, and reduces the possibilities for adversaries to penetrate through unknown ways. This may involve partitioning our system clusters, so that lateral movement is restricted, and each network architecture becomes understandable.
All of these approaches have value in improving our defenses, and restoring height to our walls in meaningful and helpful ways.
In the flat space of military defences in the pre-WWII area, defence in depth would refer to one of two concepts. In the first mode, it was a set of defences which interlocked in some form -- consider a castle wall, a moat, and a set of guards atop the wall. Each of these defenses, individually, was trivially defeatable, but together, they multiplied. While an adversary was busy crossing the moat, they were easy to shoot at. The moat made it hard to scale the wall. The wall gave defensive cover to the guards. In the second mode, it was about depth in distance - consider the depth of the Soviet terrain as they fell back in World War II, and the lengthening of the attacker’s supply lines as weather set in. “Never get involved in a land war in Asia” is good advice for a reason.
Integrating defences relies on some basic features of the physical world. Adversaries occupy space across a period of time. Defenders can trivially observe adversaries - the Mark One eyeball is generally ubiquitous across history. But when defences integrate, it may be easier to think of them as stacking – defence in height.
When defences fail to integrate, allowing an attacker to sequentially defeat them – consider a set of hurdles in a line – then depth may be the correct way to consider the dimension. Consider a pair of identical, locked doors, with a small, unmonitored space between them. While an attacker may take more time to defeat the doors (either using lockpicks, slides, or a purloined key), neither defence is actually made harder by the presence of the other.
Sometimes, defences don’t even stack. Defence in breadth represents a set of defences that present a choice to an adversary, where they can opt not to engage in a defence, by going around it. The postern gate provides an alternate path for a spy than the front gate; the Maginot Line could be gone around; any of a dozen servers in a network DMZ can be breached to provide access to an intranet.
The lesson for defenders is to understand both the system you’re defending, and how its defences work – or don’t – together. Increased complexity may be an indicator of defences in breadth, often with “layered” defences where the defeat of one could go undetected. Our goal should be to create defence in height, where we know how our defences work together towards defeating adversaries.
How do we approach improving our defences?
One way is to flip our mental model, and consider ourselves as attackers, and the adversary as a defender. In the same way an adversary might conduct surveillance on our defences, we need to surveil the adversary as they defeat our defences. We should consider our boundary systems as the adversary’s, and ask, “How can we see the adversary conducting an operation?” While an adversary’s dwell time inside our perimeters might not need to be long to accomplish their goals, how can we observe artifacts of their presence?
Another approach is to understand that our perimeters are almost always wider than we understand. When we try to govern our systems, we often start from the best maintained systems and work outward; adversaries will start from our worst-maintained systems and work inward. We need to aim to operationalize the same visibility and maintenance practices across our entire perimeter stack, so that we understand our risks, and not bury them deep as a footnote in our assessments.
A third approach is to reduce our perimeter entirely. Simplifying our defensive models makes them easier for us to understand, and reduces the possibilities for adversaries to penetrate through unknown ways. This may involve partitioning our system clusters, so that lateral movement is restricted, and each network architecture becomes understandable.
All of these approaches have value in improving our defenses, and restoring height to our walls in meaningful and helpful ways.