This is the second in a series of blogs that examine how Software Defined Perimeters (SDPs) can significantly improve security and reduce risk associated with the Cyber Kill Chain (or seven phases of attack). This week we will look at the impact of an SDP on “Weaponization.”
Before going further, check out part 1 here to ensure proper context for Part 2.
In Part 1 we looked at how the SDP provides countermeasures to “Reconnaissance” (stage 1 of the Cyber Kill Chain) by delivering proactive protection using the SPA (Single Packet Authorization) packet and a “deny all” gateway. In a nutshell, because the infrastructure and applications within an SDP are essentially invisible to hackers, bad actors cannot perform reconnaissance on what they cannot see.
Stage 2, “Weaponization,” refers to how the intruder creates remote access malware weapons, such as a virus or worm, tailored to one or more vulnerabilities. It is this pairing of remote access malware with an exploit into a deliverable payload (e.g. an Adobe PDF or Microsoft Office file) that enables the attack.
In the event that a bad actor, typically an insider, succeeds in gaining access to your infrastructure, SDP provides weaponization and delivery countermeasures by automatically blocking all connections from this bad actor to any other part of the infrastructure, so that malware payloads cannot be spread. SDP only allows connections from authorized users on authorized devices, so malware payloads cannot be easily spread from the compromised infrastructure. Moreover, future network-based weaponization and delivery attempts can also be blocked by this method, regardless of the various mutations that malware and viruses assume. In a nutshell, malware and viruses cannot be easily propagated from compromised infrastructure to cause major damage.
Currently, organizations are faced with manual analysis of network logs, which delays incident detection and can allow malware to get in undetected. Organizations spend too much time trying to understand who the bad actors are and who the authorized users are. SDP automates this analysis to instantly identify authorized users, since all bad packets are dropped and cannot make additional connections, thereby making incident detection and response less dependent on log management. Because each connection is understood and verified, automated action, such as dropping connections to thwart weaponization of attacks, is possible.
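To make the two preceding paragraphs concrete (only authorized users on authorized devices can connect, everything else is dropped, and every drop is a ready-made detection event), here is a small simulation of a deny-all SDP gateway with SPA-style authorization. It is an added illustration written for this post, not code from any SDP vendor or product: the shared HMAC key, the `POLICY` table, the user, device and service names, and the 30-second validity window are all constructed for the demo. It shows a port-scan probe, a forged request, a stale (replayed-later) request, an exact replay, and a valid user on an unenrolled device all being dropped with a logged reason, while the one authorized (user, device, target) combination gets through.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key. A real SDP provisions SPA keys per user/device out of band.
SPA_KEY = b"constructed-demo-key"

# Constructed authorization policy: (user, device) -> services that pair may reach.
# Note that alice is only enrolled on laptop-01, so the same user on another box is denied.
POLICY = {
    ("alice", "laptop-01"): {"crm.internal:443"},
    ("bob", "desktop-07"): {"wiki.internal:443", "git.internal:22"},
}


@dataclass(frozen=True)
class SpaPacket:
    """Single Packet Authorization request: who, from which device, to where, when, plus an HMAC."""
    user: str
    device: str
    target: str
    timestamp: int
    mac: str


def spa_mac(user: str, device: str, target: str, timestamp: int) -> str:
    """HMAC-SHA256 over the request fields so the gateway can verify origin and integrity."""
    msg = f"{user}|{device}|{target}|{timestamp}".encode()
    return hmac.new(SPA_KEY, msg, hashlib.sha256).hexdigest()


def make_spa(user: str, device: str, target: str, now: int) -> SpaPacket:
    """Build a correctly authenticated SPA packet (what an enrolled client would send)."""
    return SpaPacket(user, device, target, now, spa_mac(user, device, target, now))


class Gateway:
    """Deny-all gateway: drops everything except valid, fresh, non-replayed, authorized requests."""

    def __init__(self, policy, window_seconds: int = 30):
        self.policy = policy
        self.window = window_seconds
        self.seen_macs = set()   # replay cache; production code prunes it past the window
        self.dropped = []        # audit log of (reason, detail) for every dropped attempt

    def handle(self, packet, now: int) -> bool:
        """Return True only if the connection may be opened; log the reason otherwise."""
        # Anything that is not an SPA packet (plain SYNs, scanner probes) is dropped silently,
        # so the service stays invisible to unauthenticated senders.
        if not isinstance(packet, SpaPacket):
            self.dropped.append(("no-spa", repr(packet)))
            return False
        who = (packet.user, packet.device, packet.target)
        expected = spa_mac(packet.user, packet.device, packet.target, packet.timestamp)
        if not hmac.compare_digest(expected, packet.mac):
            self.dropped.append(("bad-mac", who))
            return False
        if abs(now - packet.timestamp) > self.window:
            self.dropped.append(("stale", who))
            return False
        if packet.mac in self.seen_macs:
            self.dropped.append(("replay", who))
            return False
        self.seen_macs.add(packet.mac)
        # Per-connection authorization: the user AND the device must be enrolled for this target.
        allowed = self.policy.get((packet.user, packet.device), set())
        if packet.target not in allowed:
            self.dropped.append(("unauthorized", who))
            return False
        return True


def run_scenario(now: int = 1_700_000_000):
    """Replay a constructed sequence of connection attempts; return (decisions, drop reasons)."""
    gw = Gateway(POLICY)
    valid = make_spa("alice", "laptop-01", "crm.internal:443", now)
    attempts = [
        b"SYN crm.internal:443",                                          # scanner probe
        valid,                                                            # authorized
        valid,                                                            # exact replay
        make_spa("alice", "laptop-01", "git.internal:22", now),           # not in policy
        make_spa("alice", "rogue-box", "crm.internal:443", now),          # unenrolled device
        SpaPacket("bob", "desktop-07", "git.internal:22", now, "00" * 32),  # forged MAC
        make_spa("bob", "desktop-07", "git.internal:22", now - 600),      # stale timestamp
    ]
    decisions = [gw.handle(a, now) for a in attempts]
    return decisions, [reason for reason, _ in gw.dropped]


if __name__ == "__main__":
    decisions, reasons = run_scenario()
    print("decisions:", decisions)
    print("drop reasons (each one is a detection event):", reasons)
```

The `dropped` list is the point of the exercise: because the gateway already knows which (user, device, target) triples are legitimate, every drop is a labelled incident rather than a raw log line an analyst has to interpret later, and the "unauthorized" entries from an enrolled device are exactly the lateral-movement attempts the post describes being blocked.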
Over-focus on the Cyber Kill Chain can actually be detrimental to network security. The Cyber Kill Chain, as cool as it sounds, reinforces old-school, perimeter-focused, malware-prevention thinking. And the fact is that intrusion prevention solutions cannot provide 100% protection. A persistent, highly determined, and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes, and antivirus can’t help. Once they’ve bypassed these solutions, attackers are free to operate in your network unobstructed. With SDP, they cannot see, and therefore cannot know where to go, no matter how determined they might be.
Check back next week when we examine the relationship between step 3 of the Cyber Kill Chain, Delivery – transmission of weapons to the target, and the Software Defined Perimeter.