Cybersecurity and cyber threats have been in competitive co-evolution for years, with each side adapting to the other. Historically firewalls, IPS, antivirus, and modern endpoint protection tools have been common elements in the first line of defense to keep the bad guys out. Try as we might, bad things still happen to good networks. Attackers constantly develop new threats, target new vulnerabilities, or bamboozle a busy employee into doing the wrong thing. The first line of defense is never perfect, so it’s critical to develop a solid second line of defense.
For many organizations, the second line of defense amounts to simply recreating the first line of defense in more places. This approach misses the ways threats differ once inside an organization and also ignores some of the essential advantages defenders have at their disposal.
This post briefly revisits some of the high points in the evolution of cybersecurity and cyber threats, looking at what has worked for defenders, where things have gone wrong, and how lessons learned have helped build new lines of defense. Some deep topics will admittedly be oversimplified. The point of this post is not to denigrate any of the great security tools in use today. Instead, the point is to highlight some of the broad trends and inherent issues security teams need to consider.
An Absurdly Condensed History of the First Line of Cyberdefense
Until recently, many organizations thought of the inside of their network as trusted and the outside Internet as untrusted. Firewalls provided a natural barrier and control point for this boundary, denying unsolicited connections from the untrusted outside by default and leaving a few pinholes open for essential services. Trusted insiders, however, could connect to pretty much any outside service they wanted, and that service would be allowed and trusted. While this approach worked to keep random strangers out, it didn’t work if users and assets on the inside were already compromised.
Attackers had countless ways to attack. They could send phishing emails containing a malicious link in an attempt to gain access. If an email security solution was in place and the attacker was unsuccessful, they could shift to a new vector not subjected to email checks such as DNS tunneling. If a DNS-based firewall or perhaps a web application firewall (WAF) was in use, an attacker could pivot to target cloud applications. The cat and mouse game continued, so various methods were needed to detect and prevent threats.
Attackers found ways to slip past detections. Modifying malicious payloads ensured previously known signatures didn’t match while encoding, obscuring, or encrypting helped attacks slip past detection logic without being inspected.
The ever-growing deluge of new vulnerabilities didn’t help. With the recent log4j exploit, setting a username in the apple profile resulted in a new attack vector. Exploiting Microsoft’s hole, a hacker can enter the enterprise by typing something inside the chat window of a video game.
If all else fails for the attacker, one final incredibly effective tool remains – social engineering. Instead of breaking in, an attacker can convince a user to give out passwords or install malicious software in the guise of a valid application or tool.
A New Line of Defense Introduces New Advantages
History has shown the first line of defense is eventually breached, and we must assume adversaries will get in or have already gained access. With access, the attacker typically attempts to move laterally to reach a high-value asset such as a server with all AD credentials, a device with sensitive patient information in a hospital, or a management platform with the ability to coordinate all PLCs on a manufacturing floor.
While this is all doom and gloom, there are ways to detect and stop attackers by shifting focus from chasing an infinite number of threats to focusing on a smaller number of malicious behaviors. For example, there may be hundreds of thousands of variants for a piece of malware, but when it comes to lateral movement, tools like Mimikatz behave the same when performing actions like pass-the-hash.
The same is generally true of all sorts of secondary attacker actions. For example, when an attacker performs internal reconnaissance, it’s easy to detect when a device starts indiscriminately reaching out to a new or large number of devices. Likewise, SMBv1 is at the center of many Windows vulnerabilities and lateral movement attempts. We can now watch all devices speaking SMBv1 and see which system suddenly communicates to many other systems over SMBv1. The same is true for RDP – a protocol designed for remote diagnostics. We can quickly identify excessive RDP usage that falls outside normal administrator behavior.
These examples highlight important advantages for defenders. When an attack has moved inside the network, we can see everything as long as we make an effort to look. When an attacker is still outside, we have almost no insight into who they are, what they’ve been doing, and where they’ve been. When they move to our turf, we see the entire battlefield. Instead of only looking at individual traits or actions, we see the complex behaviors across multiple hosts and how they develop over time.
Instead of making a yes/no decision based on a few milliseconds of analysis, we can inform decisions by understanding the complete history of the network, the behavior of all devices in it, and the collective knowledge of how threats behave. Using inputs like this is how Ordr works.
Building a Second Line of Defense with Ordr
Ordr analyzes network traffic and traits of each host to conclusively identify each device, whether it is a laptop, server, or the wide variety of IoT, IoMT, or OT devices. The platform builds global and local baselines for normal behavior of every device and allows organizations to identify suspicious or malicious behavior quickly. As soon as a risk or threat is identified, the platform can automatically create and implement policies to isolate any affected hosts and prevent the spread of an attack.
Ordr’s capabilities provide a logical approach to building a second line of defense. Every device is identified and protected based on its unique needs and functions, regardless of being managed or unmanaged. The entire environment is monitored for signs of threats and malicious behaviors, regardless of how those threats got in. Thanks to automation, Ordr enables a robust second line of defense at a fraction of the effort and cost of traditional threat prevention tools.
If you want to learn more about Ordr technology, reach out for a deep dive demo.