Threat Detection and Response

Building a Terrain Based Cyber Defense Strategy

Not who, not how…but where

Across the globe, organizations are being attacked by well-funded hacking groups who succeed in breaching traditional perimeter defenses. These attacks serve to remind us that we can no longer rely entirely on preventive security measures. The reality is that if a group is well-funded and determined enough, they are likely to identify an organization’s vulnerabilities and slip through the net of their perimeter defenses, often without us even noticing.

So then, how can organizations strengthen their defense posture? I am a firm believer that we should start with the notion of terrain in cyberspace, and Dr. Raymond eloquently explains why:

If you look back through history, successful battles often saw the strategic and effective use of terrain. For example, in 480 B.C. Persian forces invaded Greece. They deployed massive forces into the Gulf of Malia, where they were required to negotiate the Pass of Thermopylae. Just 300 warriors from Sparta were waiting for them and held them off for several days. Many members of the Persian army died.

Another example is Alexander the Great, who in 326 B.C. initiated several campaigns to conquer India. He split his army to deal with the mountain ranges that posed tremendous challenges for maneuvering. His army struggled with the Khyber Pass, which sits at an elevation of 1,070 meters and is 53 kilometers long. The terrain had consequences and ultimately changed the course of history.

Fundamentally, if you do not know your terrain, you do not know what to defend; and if you do not know what to defend, there is no way for you to institute the protections needed for a robust defense.

Knowing Your Terrain

Let’s start with knowing your terrain. An organization must understand its terrain and have visibility of all critical assets. A frighteningly small number of organizations actually know about all the assets on their networks. Do you know about all the assets your predecessors brought into the organization 5 years ago? 10 years ago? Earlier still? Which of these are software, and which are hardware? Building a complete picture of these assets, including BYOD, test systems, guest and IoT devices, along with shadow IT, is crucial to identifying blind spots: an asset that is not in your inventory is not in your risk numbers either, and it will not be covered by your sensors. If you cannot do this, you are running blind, unaware of what to protect and defend.

There are several ways to identify the assets on your network, and numerous products out there, but I will shamelessly plug Fidelis Network Sensor. The beauty of the product is that it is plug and play: it automatically discovers networks and assets and classifies them to build your asset database (i.e. your terrain picture). You are achieving the first two of the CIS Basic Controls right out of the box: inventory the hardware and software in your enterprise. The result is a current view of your network and what is on it, and from that you can start calculating the attack surface.

Computing Your Attack Surface

With the asset database in place, you can calculate a simple risk score: the percentage of total assets that have known vulnerabilities within your environment. This is a macroscopic measure of the static, non-moving, non-shifting Attack Surface[1]. With the Fidelis ecosystem you can easily intersect your assets with Common Vulnerabilities and Exposures (CVE) records, which means organizations can identify their exploitable terrain and understand exactly what they need to defend. Here is the calculation: the number of assets with at least one matching CVE, divided by the total number of assets in the inventory, expressed as a percentage. Note that the denominator is what makes this a terrain metric: assets your discovery missed are absent from both the count of vulnerable systems and the total, so an incomplete inventory understates the attack surface rather than merely leaving it unchanged.
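As an added example (not code from the original post or from Fidelis), the script below implements the metric described above: an asset inventory is intersected with a set of vulnerability records, and the attack surface is reported as the percentage of assets with at least one match. The hostnames, product names, version numbers and vulnerability identifiers are constructed placeholders, not real CVEs, and the matching rule ("affected if installed version is below the fixed version") is an assumption of this example, not a rule from the post. It also runs the calculation twice, once on the assets a team already knew about and once after discovery adds IoT and shadow-IT hosts, to show how the number moves once the terrain picture is complete.

```python
"""Static attack-surface ratio: share of inventoried assets carrying a known vulnerability.

Added example for illustration; not code from the original post or from Fidelis.
All hostnames, products, versions and vulnerability IDs below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Software:
    product: str
    version: str  # assumed dotted-integer form, e.g. "2.4.1"


@dataclass(frozen=True)
class Asset:
    hostname: str
    kind: str  # server, workstation, iot, shadow-it ... (from discovery/classification)
    software: tuple[Software, ...] = ()


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str   # constructed placeholder, NOT a real CVE identifier
    product: str
    fixed_in: str  # first version that is not affected (assumed record format)


def parse_version(version: str) -> tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). Numeric tuples compare correctly; raw strings do not
    ('1.2.10' < '1.2.9' lexically, which would silently hide vulnerable hosts)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(sw: Software, vuln: VulnRecord) -> bool:
    """Assumed matching rule: same product and installed version below the fix."""
    return sw.product == vuln.product and parse_version(sw.version) < parse_version(vuln.fixed_in)


def vulnerable_assets(assets: list[Asset], vulns: list[VulnRecord]) -> dict[str, set[str]]:
    """Intersect the inventory with the vulnerability records: hostname -> matched IDs."""
    hits: dict[str, set[str]] = {}
    for asset in assets:
        matched = {v.vuln_id for sw in asset.software for v in vulns if is_affected(sw, v)}
        if matched:
            hits[asset.hostname] = matched
    return hits


def attack_surface_pct(assets: list[Asset], vulns: list[VulnRecord]) -> float:
    """Percentage of inventoried assets with at least one match, rounded to 0.1."""
    if not assets:
        return 0.0  # nothing inventoried means nothing measurable, not "zero risk"
    return round(100.0 * len(vulnerable_assets(assets, vulns)) / len(assets), 1)


# Constructed sample inventory: what the team believed it owned ...
ASSETS_KNOWN = [
    Asset("web-01", "server", (Software("exampleweb", "2.4.1"),)),
    Asset("db-01", "server", (Software("exampledb", "10.1.7"),)),
    Asset("hr-laptop-07", "workstation", (Software("exampleoffice", "16.0.2"),)),
]
# ... and what network discovery added: an IoT camera and a forgotten test server.
ASSETS_DISCOVERED = ASSETS_KNOWN + [
    Asset("cam-lobby-3", "iot", (Software("examplecam-fw", "1.0.9"),)),
    Asset("test-jenkins", "shadow-it", (Software("exampleweb", "2.2.0"),)),
]
# Constructed vulnerability records (placeholder IDs, not real CVEs).
VULNS = [
    VulnRecord("VULN-EX-001", "exampleweb", fixed_in="2.4.0"),
    VulnRecord("VULN-EX-002", "examplecam-fw", fixed_in="1.1.0"),
    VulnRecord("VULN-EX-003", "exampledb", fixed_in="10.2.5"),
]


def report(label: str, assets: list[Asset]) -> None:
    hits = vulnerable_assets(assets, VULNS)
    print(f"{label}: {len(hits)}/{len(assets)} assets vulnerable "
          f"= {attack_surface_pct(assets, VULNS)}% static attack surface")
    for host, ids in sorted(hits.items()):
        print(f"  {host}: {', '.join(sorted(ids))}")


if __name__ == "__main__":
    report("Known inventory   ", ASSETS_KNOWN)
    report("After discovery   ", ASSETS_DISCOVERED)
```

With the constructed data the known inventory reports 1 of 3 assets vulnerable (33.3%), while the discovered terrain reports 3 of 5 (60.0%); the two hosts that change the answer are exactly the ones no one had written down. In practice the inventory would come from the discovery tool's export and the vulnerability records from a CVE feed keyed on product and version, and real version strings (suffixes, vendor builds) need a more tolerant parser than the dotted-integer assumption used here.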

Taking Action

Now that you have a clear picture of the assets on your network(s), you can take action to reduce risk. The best place to start? Use your understanding of your terrain to inform your cyber security strategy: validate that your sensors are placed where the exploitable assets actually sit. You would be surprised by the number of organizations that have absolutely no idea where their sensors are. Are sensor rules configured to block, alert, and monitor according to your security model (zero trust, segmentation, and so on)? Once the sensors are where they need to be, based on a systematic analysis of what is exploitable and what is not, visibility and awareness should increase, leading to an improved security posture.

In summary, building a terrain-based defensive strategy is critical to success for organizations large and small. It means increased visibility, which makes detections possible and makes the response actions you take on them more effective. Defense goes to the next level when you change the paradigm for the attacker with deception. Check in next week for my next blog, where I explain this in detail.

You can also learn more by watching one of my recent SANS webinars, ‘Game Changing Defensive Strategies for 2019’. During this presentation SANS Principal Instructor Alissa Torres, Fidelis expert Tom Clare and I discuss terrain-based defense strategy in more detail.


[1] Attack surface calculations are simplified in this blog to illustrate the concept. They do not include factors that account for shifting or moving targets, as detailed in section 5.1 of Zhuang, R., DeLoach, S.A., Ou, X. (2014, November). Towards a theory of moving target defense. In: MTD’14, Proceedings of the First ACM Workshop on Moving Target Defense, pp. 31–40.
