By Christopher Baldwin, System Director, Information Security, Hartford HealthCare
My previous article on the Cyber Maginot Line explained why any cybersecurity strategy that does not realistically consider the possibility of compromise, however fortified and well-conceived it may be, is dangerous. News media regularly report on a lack of adequate cybersecurity preparedness throughout the nation. Large and small companies alike must defend against cyber-attacks perpetrated by sophisticated threat actors (TAs). According to CrowdStrike's Global Threat Report 2022, ransomware-related data leaks increased 82% last year. This article explores strategies for expanding the layers of cyber safeguards that today's threat landscape makes essential.
Private Cyber Battlespace
Military strategy is an appropriate analog for cybersecurity, since foreign criminal enterprises and nation-states are behind many of today's sophisticated cyber-attacks. In modern warfare, the term "battlespace" denotes a unified strategy that integrates armed forces across a theatre of operations, combining air, information, land, sea, cyber and outer space to achieve military objectives.
The concept of a private cyber battlespace is one way to conceptualize an effective cybersecurity strategy. This paradigm implies a broad array of safeguards to reduce the overall cyber-attack surface of an organization and thwart an advanced cyber-attack at any point along the pathway of the attack.
Defend in the Cloud
At the outermost perimeter, keep "the battle" away from the network(s) where the most sensitive assets are located. The defensive perimeter can be expanded so that cybersecurity workloads execute in the Cloud. Web browsing and links in email messages can be inspected, filtered and, if necessary, blocked in the Cloud with tools such as browser isolation and URL rewriting. Domain Name System (DNS) filtering allows "known bad" websites to be inspected and blocked in the Cloud before a connection is ever made. These techniques stop threats without their ever reaching a network firewall, much as the Navy establishes a battlegroup around an aircraft carrier so that threats are kept distant from the most valuable asset.
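The "known bad" blocking that DNS filtering performs comes down to matching each queried name against a deny list, including every subdomain beneath a listed domain. The following is an added example written for this article, not code from the author or from any DNS filtering product; the deny list and the query log are constructed sample data, and the `.test` domains are reserved placeholders rather than real indicators.

```python
"""Added example (not from the article): a minimal DNS-layer deny-list filter.

Each query name is normalized (case, trailing dot) and checked against a deny
list. A name is blocked if it is listed itself or is a subdomain of a listed
name, which is how a filter catches "c2.bad-example.test" when only
"bad-example.test" was listed.
"""

# Constructed deny list: domains an organization has decided to block.
DENY_LIST = {
    "bad-example.test",          # the whole domain and all of its subdomains
    "tracker.ads-example.test",  # only this host (and anything beneath it)
}


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot of a fully qualified name."""
    return name.strip().lower().rstrip(".")


def is_blocked(name: str, deny_list: set) -> bool:
    """True if `name` is in the deny list or is a subdomain of a listed name.

    Walking the labels from the left means "c2.bad-example.test" is checked
    as "c2.bad-example.test", then "bad-example.test", then "test".
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in deny_list:
            return True
    return False


def filter_queries(queries, deny_list=DENY_LIST):
    """Return (name, verdict) pairs, verdict being "BLOCK" or "ALLOW"."""
    return [(q, "BLOCK" if is_blocked(q, deny_list) else "ALLOW") for q in queries]


if __name__ == "__main__":
    # Constructed query log as a resolver might see it.
    sample_queries = [
        "www.bad-example.test.",      # subdomain of a listed domain, trailing dot
        "BAD-EXAMPLE.TEST",           # listed domain, different case
        "notbad-example.test",        # looks similar but is a different domain
        "tracker.ads-example.test",   # listed host
        "cdn.ads-example.test",       # sibling host, not listed
    ]
    for name, verdict in filter_queries(sample_queries):
        print(f"{verdict:5} {name}")
```

The label-by-label walk matters: a naive substring check would wrongly block `notbad-example.test`, while a plain equality check would miss `www.bad-example.test`. Real filtering services add categorization, threat feeds and response-policy zones on top of this core, but the matching rule is the same.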
Defend the perimeter
Defending the immediate network perimeter with a firewall is a basic cybersecurity safeguard. But building an effective perimeter strategy requires a thorough assessment of all means of ingress and egress to understand the vulnerabilities in network fortifications. An attacker has no need to find a way through the firewall if a user's personal computer can be compromised at home and then connected through a virtual private network (VPN). This is an acute concern given the current work-at-home paradigm. Contemporary standards for perimeter security now include next-generation firewalls, multifactor authentication (MFA), and mobile device management (MDM) software for cell phones and tablets. Zero trust is now a common term for the principle that highly reliable authentication must be established before "trust" is granted and access is allowed through any perimeter defense.
Detect and eradicate threats on the inside
What if the unthinkable happens? An advanced TA gains access to a private network and executes a "cyber kill chain" attack, a term coined by Lockheed Martin in 2011. The kill chain begins with penetration and access to a network-connected device. Command and control (C2) is established to the TA's external C2 server on the Internet, from which the attack is directed. The TA conducts reconnaissance to locate the network's most sensitive assets, then moves laterally and escalates privileged access using techniques such as "pass the hash" and Remote Desktop Protocol (RDP). Finally, the TA deploys ransomware, exfiltrates valuable data and gains control over sensitive technology assets.
Building an effective defense against this level of attack starts with a realistic assessment of vulnerabilities relative to the cyber-kill-chain scenario, followed by developing and deploying countermeasures. Preparedness starts with basic cybersecurity hygiene, including patch management, elimination of end-of-life technology, and education to foster a security culture. But today's advanced TA leverages standard system utilities, a practice referred to as "living off the land"; because these tools contain no software flaw to patch, they necessitate more advanced defensive tactics. Network segmentation is an important network design concept that can minimize the TA's movement once inside the network. Much like the transverse bulkheads that prevent water from spreading through a ship after a breach, network segmentation quarantines the TA and restricts lateral movement within the network. Advanced endpoint detection and response software uses artificial intelligence (AI) to detect and eradicate sophisticated malware. Of paramount importance is an incident response apparatus capable of the critical response and recovery actions.
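Lateral movement, described in the kill chain above and the target of the segmentation and detection countermeasures just listed, leaves a characteristic trace: one account reaching many distinct hosts in a short window. The following is an added example written for this article, not code from the author or from any EDR or SIEM product; it flags that pattern over a constructed set of logon events whose fields (account, target host, logon type, authentication package) are modelled loosely on Windows network logons, and all hostnames and accounts are invented.

```python
"""Added example (not from the article): a simple lateral-movement "fan-out"
detector over constructed logon events.

An account whose network logons reach more than `max_hosts` distinct hosts
inside a sliding time window is flagged. The NTLM/Kerberos field is kept in
the alert because pass-the-hash style movement rides on NTLM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events: (timestamp, account, target host, logon type, auth package).
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "ws-01", "network", "Kerberos"),
    ("2024-01-01T09:05:00", "alice", "fileserver", "network", "Kerberos"),
    ("2024-01-01T22:00:00", "svc-backup", "ws-01", "network", "NTLM"),
    ("2024-01-01T22:01:00", "svc-backup", "ws-02", "network", "NTLM"),
    ("2024-01-01T22:02:00", "svc-backup", "ws-03", "network", "NTLM"),
    ("2024-01-01T22:03:00", "svc-backup", "fileserver", "network", "NTLM"),
    ("2024-01-02T08:00:00", "bob", "ws-07", "interactive", "Kerberos"),
]


def parse(events):
    """Turn ISO timestamps into datetime objects and sort chronologically."""
    parsed = [(datetime.fromisoformat(ts), user, host, ltype, pkg)
              for ts, user, host, ltype, pkg in events]
    return sorted(parsed)


def detect_fan_out(events, max_hosts=3, window=timedelta(minutes=10)):
    """Return {account: {"hosts": [...], "packages": [...]}} for each account whose
    network logons touch more than `max_hosts` distinct hosts within `window`.
    Interactive logons are ignored; a user sitting at a console is not moving."""
    by_user = defaultdict(list)
    for ts, user, host, ltype, pkg in parse(events):
        if ltype == "network":
            by_user[user].append((ts, host, pkg))

    alerts = {}
    for user, logons in by_user.items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            span = logons[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) > max_hosts:
                alerts[user] = {
                    "hosts": sorted(hosts),
                    "packages": sorted({p for _, _, p in span}),
                }
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, detail in detect_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(detail['hosts'])} hosts via "
              f"{','.join(detail['packages'])} -> {', '.join(detail['hosts'])}")
```

The thresholds are deliberately tunable: a backup or scanning service account legitimately reaches many hosts, so in practice such accounts are baselined or allow-listed, and the rule is paired with segmentation so that the fan-out cannot cross from a user subnet into the segment holding the most sensitive assets.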
Testing is critically important. Unless defenses are regularly tested, unforeseen flaws stemming from misconfigurations or previously unknown vulnerabilities may go undiscovered. Red and purple teams are "ethical hackers" who probe and test cyber defenses. These teams formulate attack strategies just as an actual TA would and, within pre-established boundaries, attempt to penetrate the defenses. They provide invaluable learning for the cybersecurity team and foster an improved understanding of how the defenses will stand up to a real-world attack.
This article describes a framework – a private cyber battlespace – to help understand what is needed to thwart advanced cyber threats. These cybersecurity challenges can seem overwhelming. An effective cybersecurity program starts with conceptualizing a strategy that includes a layered array of defenses at all points along the TA’s cyber kill chain and prioritizes investments in safeguards based upon an accurate assessment of an organization’s underlying cyber risk.