This is the fourth and last in a series of blogs that examine how Software Defined Perimeters (SDPs) can significantly improve security and reduce the risk associated with the Cyber Kill Chain (or seven phases of attack). This week we will look at the impact of an SDP on “Command & Control”, the sixth phase of an attack. Before going further, check out part 1 here to ensure context for Part 4.
Command & Control
In Part 3 we looked at how the SDP provides countermeasures to “Delivery, Exploitation and Installation” (stages 3, 4 and 5 of the Cyber Kill Chain), which refer to how the intruder creates remote access malware weapons, such as a virus or worm, tailored to one or more vulnerabilities. In this case, SDP prevents Delivery, Exploitation and Installation by providing rapid discovery and intervention, based on the fact that every connection (from whom, from where, and to what) is known. Any other connection is unauthenticated and unwanted, and is rapidly disallowed because it is treated as an attack.
Today we will look at phase 6, Command and Control, which refers to how the intruder’s outside server communicates with a weapon inside the target system.
In this phase, SDP provides Command and Control countermeasures through automated capture of bad packets. This contains the problem by detecting malicious traffic aimed at, or originating from, the protected device, which is a powerful containment method that can also thwart any future command and control mechanisms. Even if there is a weapon inside the network, intruders will not be able to release it onto the network to take down or exploit services, because bad packets to those services are dropped.
Actions on Objective
The seventh and last stage of the Cyber Kill Chain is Actions on Objective, which essentially means that the security mechanism was compromised to the point that exfiltration of data, data destruction or modification was achieved by the threat actor. Reducing the attack surface and hiding critical data stores using SDP minimizes the risk of data theft from all but the few authorized insiders, whom behavior analysis can help to thwart.
The coming impact of Software Defined Perimeters and a paradigm shift in cyber security cannot be overstated. Currently, organizations are faced with manual analysis of network logs to detect attacks in real time, but incident detection with existing tools takes time. Malware can also go undetected. Organizations are spending too much time trying to understand who the bad actors are and who the authorized users are. SDP automates this analysis to instantly identify authorized users, since all the bad packets are dropped and cannot make additional connections, thereby making incident detection and response less dependent on log management. Because each connection is understood and verified, automated action such as dropping connections to thwart weaponization of attacks and data exfiltration is possible.
Over-focus on the Cyber Kill Chain can actually be detrimental to network security. The Cyber Kill Chain, as cool as it sounds, reinforces old-school, perimeter-focused, malware-prevention thinking. And the fact is that intrusion prevention solutions cannot provide 100% protection. A persistent, highly determined, and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls leave them free to operate in your network unobstructed. With SDP, they cannot see, and therefore cannot know where to go, no matter how determined they might be. With network security controlled by the SDP protection mechanism, organizations can now focus on the insider threat authorized to operate within the perimeter. This is a tractable problem to handle.