Eliminate the Soft Target, Harden the User
When I was leading convoys as a soldier in Afghanistan, we drove the roads in heavily armored trucks. While we remained in our vehicles we were about as protected as we could be given the environment. When we would get out of our trucks to conduct any number of missions, we were also wearing a good amount of protective equipment. Again, we were protected as well as could be expected given the environment. In other words, defensive capabilities were made to be portable with the soldiers whether we were in our vehicles or on foot. In cybersecurity terms, why don’t we develop our defensive strategies to center on the user?
In March of 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint technical alert warning of impending attacks by Russian APTs against U.S. critical infrastructure. News of the attacks carried out by the group Energetic Bear sent utility providers into a state of deep concern over whether or not their networks would be safe. The big question remaining is: what can we do to protect our infrastructure?
The first part of answering this question is to understand the nature of the attack. When I was a soldier we used the term avenues of approach to describe the pathway we or an adversary could use to make an offensive operation (attack) successful. This could be a road, a footpath, a dry creek bed, anything that could be used to move people and equipment. Understanding this concept, we can apply the same logic to securing the enterprise: we look at how a threat actor could attempt to gain access to our networks through weaknesses in our people, our processes and our technologies.
Analysis of the recent Russian attacks against the U.S. energy sector revealed that the tactic used was to establish two types of targets: a staging target and the intended target. The staging targets are trusted third-party organizations with systems less secure than those of the intended targets, and they were exploited to gain access to the intended targets’ networks. Access was achieved by acquiring legitimate credentials through phishing. After obtaining these credentials, the threat actor could move around the intended targets’ networks. People were the primary avenue of approach in these attacks. As such, sophisticated border defenses and endpoint protection were likely defeated because the adversary was using credentials and identities that the organizations’ systems already recognized as legitimate.
It is well known that corporate users tend to be the weakest link in a network’s defensive posture. Cybersecurity awareness training, phishing simulators, advanced email security and advanced threat protection at the endpoint are all tactics within a strategy meant to secure the end user at the endpoint or client workstation. Although applying these technologies is vital to establishing a strong defensive posture, one might consider taking a slightly different approach.
It is no small task or cost to maintain the myriad of technologies (firewalls, intrusion prevention and detection, antivirus, etc.) used to defend sensitive data and systems. Users tend to be well protected while they are in the workplace. As the attacks by Energetic Bear demonstrated, while the users’ computers were protected by the organizations’ technical defenses, their identities were fully in the hands of the users themselves.
Therefore, consider shifting the focal point of the organization’s defensive efforts from sensitive data and systems alone to one that also treats the employees themselves as a sensitive system and a high-value access point. With little change in effort or spending, we now have a strategy that centers on the users and on how we validate the users’ authenticity. In short, this approach makes identity and access management (IAM) the center of our defense. As a technology, IAM allows management to more easily control users’ access to sensitive systems and information based on role, and it can be used to require users to prove they are who they claim to be through the authentication process. Typical IAM solutions provide the ability to validate user logons by means of two-factor or multi-factor authentication (2FA/MFA). Making this shift requires organizations to invest more in IAM technology relative to other technologies, but it could go a long way toward thwarting attacks that depend on stolen or exploited user credentials.
Committing to an IAM product does not have to weaken another defensive effort. If organizations center defense-in-depth on the identity, it may be a matter of looking at how current technologies are arrayed and how they can be used to provide layers of defense around the user. For example, if a user is fully authenticated to an application or system that is integrated with the IAM technology, the perimeter firewall is still present to protect the overall enterprise from unwanted inbound connections and to control any outbound access the user requests through the application or system during their session. The only thing that has fundamentally changed in this scenario is that the user’s account privilege and authenticity have been validated by the IAM.
In the case of the attacks carried out by Energetic Bear, it is possible that an IAM with 2FA/MFA would have defeated the group’s efforts to access the intended victims’ networks. At a minimum, it would have forced the threat actor to use a different attack vector. Thinking about this problem like a soldier, hardening the employees’ identity reduces the effectiveness of the human avenue of approach, potentially driving attackers back toward next-generation technologies that are more difficult to defeat.