A field of landmines: layered resiliency in security

Defense in depth is a structuring of IT security that attempts to slow or stop any given attack with multiple mechanisms across the cyber kill chain. Ironically, “depth” is the “high ground” for security teams in the battle against cyber-attackers. No single mechanism is perfect, of course. As the adage goes, the attackers only need to be successful 1 out of 100 times—businesses need to be right 100 of 100 times. 

The attackers are smart, innovative, and operating at high volume. If businesses must always succeed against the barrage of badness and no security mechanism is perfect, what can we do? Layered resiliency, aka defense in depth.

Success for an attack involves five key milestones.¹ Let's briefly outline those for context:  

• First, the attacker must deliver their attack.
• Second, this attack must exploit a vulnerability (person, software).
• Next, that exploit enables the installation of the attacker's bad software. 
• This installation allows the command and control centers of the attackers to connect to the compromised environment. 
• At this point, the final state of the exploitation can occur where the ultimate goals of the attacker have been met.

Implementing a single mechanism of defense for each key milestone will provide depth of coverage. Multiple mechanisms within each add a breadth of coverage. Both depth and breadth are straight forward concepts in theory, but not simple in implementation.

Generally speaking, attackers could start their attack via any of the three main pillars of cybersecurity: email, network, or endpoint. Achieving true defense in depth means that each of the key attack milestones have a defensive mechanism to slow or stop an attacker regardless of which pillar acts as the origin of delivery. Layers upon layers upon layers are needed. If the first protection mechanism misses, the second mechanism will not; if the second mechanism misses, the third will not. 

The key objective is to turn your enterprise's infrastructure into a field of landmines. The attackers have to tread slowly and carefully to traverse your enterprise or risk hitting a landmine. With each detonation, the attacker is slowed while more visibility is reported back to a centralized cybersecurity platform that lets the security team know of the attacker's location and details of their actions. With enough time and resources, a sufficiently motivated attacker will nearly always succeed (targeted attacks vs opportunistic attacks). Our goal as defenders is to continue to put out so many landmines that we understand the nature of attacks (where the landmine was detonated), while doing our best to be a target of choice, not the target of opportunity.

There is no be-all /end-all security mechanism. Even with multiple attacker successes in the first few milestones, an incident can still be prevented from becoming a full compromise with defense in depth.

¹ "The Cyber Kill Chain," Lockheed Martin, lockheedmartin.com.