"Been dazed and confused for so long..."
-Led Zeppelin
A former NSA Director said nearly a decade ago that we must start building systems, assuming the bad guys are sitting next to us in the room.
We all glossed over that as we did all this beautiful integration "leveraging the directory" and designed elegant, well-thought-out networks with a coherent naming convention.
Life was good.
In October, I discussed how the security world is moving from purely focusing on keeping the bad guys out to the reality that no matter how hard you work and how good your security posture is, sooner or later, "you will be breached." There will be some crack or zero-day vulnerability or some irresponsible or even malicious user that will put the bad guys inside your network.
While we can't be any less vigilant on our current defenses, we must direct our attention to how we know the bad guys are standing in our house. How do we see them tiptoeing around our network? How do we kick them out promptly before any damage is done or before anything is exfiltrated?
My default answer is always "eyes on glass" of the Security Operations Center (SOC). Yesterday, our friends at Blackpoint Cyber gave us an awesome presentation. They are the best at seeing the inside of your network. If you missed that presentation, contact Lisa for a recording link.
However, a task all of you can do today, for free, is to make it harder for the attackers to understand what is going on in your network and where your "holy of holies" are. Here are some easy examples:
Please change your computer and server names from obvious, meaningful names like "DOT Computer" or "Supt-Laptop" or "Payroll-Comp01" to names that reveal nothing about the machine's role or owner.
Use network segmentation to deny unnecessary parts of the network any visibility into your most critical machines and servers. Can the high school library see into the central office? Can the Kindergarten machines in an elementary school see into special ed? There is no functional need to do that.
Can an authorized VPN user see your entire network from home when they only need to get to one machine?
Can you see your backup server from the middle school?
Can you sign in to dissimilar systems with your Active Directory credentials?
These are things that are easily resolved.
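The renaming advice above is easy to state but tedious to check across a district-sized inventory. The following is an added example (not code from the original post) of a small audit that flags hostnames carrying role- or location-revealing tokens and derives a stable, meaningless replacement name from the asset tag. The sample hostnames, the token list and the asset tags are constructed for the example; the HMAC key is a placeholder that in practice would live with the asset inventory, which is the only place the mapping from name to owner should exist.

```python
import hashlib
import hmac
import re

# Constructed sample inventory, including the kinds of names the post calls out.
SAMPLE_HOSTNAMES = [
    "DOT-Computer",
    "Supt-Laptop",
    "Payroll-Comp01",
    "HS-LIB-PC12",
    "BACKUP-SRV",
    "K7X2-4F1A",      # already non-descriptive
]

# Assumed token list: words that tell an attacker what a machine is for, who
# owns it, or which building it sits in. Extend it with your own convention.
ROLE_TOKENS = {
    "payroll", "supt", "superintendent", "backup", "finance", "hr", "sped",
    "dc", "sql", "fileserver", "admin", "principal", "dot", "lib", "nurse",
    "hs", "ms", "es",
}


def revealing_tokens(hostname: str) -> list[str]:
    """Return the revealing tokens in a hostname, split on separators and on
    letter-to-digit boundaries (so 'Comp01' yields 'comp')."""
    parts = re.split(r"[-_.\s]+|(?<=[a-zA-Z])(?=\d)", hostname.lower())
    return sorted(p for p in parts if p in ROLE_TOKENS)


def audit(hostnames: list[str]) -> dict[str, list[str]]:
    """Map each revealing hostname to the tokens that gave it away."""
    return {h: revealing_tokens(h) for h in hostnames if revealing_tokens(h)}


def opaque_name(asset_tag: str, key: bytes, length: int = 8) -> str:
    """Derive a stable hostname from an inventory asset tag.

    The name is 'H' followed by digits only, so it never spells a role token
    and stays within the 15-character NetBIOS limit. Because it is an HMAC of
    the tag, only someone holding the key and the inventory can map it back.
    """
    digest = hmac.new(key, asset_tag.encode(), hashlib.sha256).hexdigest()
    return "H" + str(int(digest[:12], 16) % 10**length).zfill(length)


if __name__ == "__main__":
    for host, tokens in audit(SAMPLE_HOSTNAMES).items():
        print(f"{host}: reveals {tokens}")
    # Placeholder key; keep the real one with the asset inventory, not on hosts.
    print("ASSET-00123 ->", opaque_name("ASSET-00123", b"inventory-key-placeholder"))
```

Run it as a script to see which names in the constructed sample would be flagged. The deterministic derivation matters for operations: a technician with the inventory can regenerate any name, while someone reading names off the wire learns nothing.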
The 2025 design principle is to keep the attackers "dazed and confused" about your network.
Where things are.
How to find resources.
How to access those resources.
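The segmentation questions earlier in the post (can the library see the central office, can a VPN user see the whole network, can the middle school see the backup server) reduce to a single check: for every segment and every critical asset, is the asset reachable, and does that segment have a functional need to reach it? The following added example (not the post's code) evaluates a small constructed rule set two ways: a flat network with one broad allow rule, and a segmented rule set with explicit per-asset allows and a default deny. Segment names, addresses, ports and rules are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR the traffic comes from
    dst: str             # CIDR it goes to
    port: Optional[int]  # None means any TCP port
    action: str          # "allow" or "deny"; first match wins


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    port: int
    allowed_from: frozenset  # segment names with a functional need to reach it


# Constructed segments for a small district network.
SEGMENTS = {
    "central-office":  "10.10.0.0/24",
    "hs-library":      "10.20.5.0/24",
    "ms-classrooms":   "10.30.0.0/24",
    "es-kindergarten": "10.40.1.0/24",
    "es-sped":         "10.40.2.0/24",
    "vpn-users":       "10.99.0.0/24",
}

# Constructed critical assets and who legitimately needs them.
ASSETS = [
    Asset("backup-server",  "10.10.0.50", 445, frozenset({"central-office"})),
    Asset("payroll-app",    "10.10.0.20", 443, frozenset({"central-office", "vpn-users"})),
    Asset("sped-file-share", "10.40.2.10", 445, frozenset({"es-sped"})),
]

# The "everything can see everything" design the post warns about.
FLAT_RULES = [Rule("10.0.0.0/8", "10.0.0.0/8", None, "allow")]

# Explicit allows for each functional need, then deny everything else.
SEGMENTED_RULES = [
    Rule("10.10.0.0/24", "10.10.0.50/32", 445, "allow"),
    Rule("10.10.0.0/24", "10.10.0.20/32", 443, "allow"),
    Rule("10.99.0.0/24", "10.10.0.20/32", 443, "allow"),  # VPN user reaches one app only
    Rule("10.40.2.0/24", "10.40.2.10/32", 445, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def decide(rules, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation; an unmatched flow is denied (assumed default)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"


def audit(segments, assets, rules):
    """Return (unexpected, blocked): segment/asset pairs that can reach an
    asset without a need, and pairs that need an asset but are blocked."""
    unexpected, blocked = [], []
    for seg_name, cidr in segments.items():
        probe = str(ipaddress.ip_network(cidr)[1])  # first usable host in the segment
        for a in assets:
            reachable = decide(rules, probe, a.ip, a.port) == "allow"
            needed = seg_name in a.allowed_from
            if reachable and not needed:
                unexpected.append((seg_name, a.name))
            if needed and not reachable:
                blocked.append((seg_name, a.name))
    return unexpected, blocked


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        unexpected, blocked = audit(SEGMENTS, ASSETS, rules)
        print(f"{label}: {len(unexpected)} unnecessary paths, {len(blocked)} broken needs")
        for seg, asset in unexpected:
            print(f"  {seg} can reach {asset} with no functional need")
```

The `blocked` list is the guard against over-tightening: segmentation that cuts off the central office from its own backup server fails just as surely as a flat network, so both lists should be empty before a rule set ships. Feeding the real rule base and inventory into the same two loops turns the post's questions into a report you can re-run after every change.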
This forces the attackers to take greater risks in discovering what they want. That means they have to make more noise and work harder.
Making more noise means you are more likely to see their activity, especially with a security operations center (SOC) watching over your network.
Since these are generally financially motivated crimes of opportunity rather than state actors targeting your network, the attackers don't want to work hard.
In every breach/incursion/event I have been involved with, when the attackers realize there is an active defense on the network, they completely disengage and find someone else to hack.
Noise creates confusion and uncertainty.
We need to leverage that in all our designs.
If you need help figuring all this out, please call us.
-Scott Quimby, Senior Technical Advisor, CISSP
Acture/CSI