Least Privilege Network Designs
Re-purposed Former Cold War RAF Station
We are seeing an increasing number of businesses that appear shocked by the devastation caused by an attacker, once they have managed to breach their single perimeter layer, e.g.
The attackers well know that most organisations rely on outdated 'Flat Network' concepts, so will be constantly on the prowl, seeking to identify vulnerabilities to breach the perimeter and enable them to reek havoc, once inside.
This is a lesson that has been fully understood by the military and, as a consequence, for many decades they have avoided the use of 'Flat' architectural designs.
The physical design of the military bases employ a 'Zero Trust' / Least Privilege approach, whereby just because you might be authorised to enter the military establishment does not give them the automatic rights to go anywhere inside the base.
A Zero Trust approach applies the following tenets:
All data sources and computing services are considered resources. A network may be composed of several different classes of devices. A network may also have small footprint devices that send data to aggregators/storage, software as a service (SaaS), systems sending instructions to actuators, and other functions. Also, an enterprise may decide to classify personally owned devices as resources if they can access enterprise owned resources.
All communication is secured regardless of network location. Network location does not imply trust. Access requests from assets located on enterprise-owned network infrastructure (e.g., inside a traditional network perimeter) must meet the same security requirements as access requests and communication from any other non enterprise-owned network. In other words, trust should not be automatically granted based on the device being on enterprise network infrastructure. All communication should be done in the most secure manner available, protect confidentiality and integrity, and provide source authentication.
Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. This could mean only “sometime previously” for this particular transaction and may not occur directly before initiating a session or performing a transaction with a resource. However, authentication and authorisation to one resource will not automatically grant access to a different resource.
Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioural attributes. An organisation protects resources by defining what resources it has, who its members are (or ability to authenticate users from a federated community), and what access to resources those members need. For zero trust, client identity includes the user account and any associated attributes assigned by the enterprise to that account or artefacts to authenticate automated tasks. Requesting asset state includes device characteristics such as software versions installed, network location, time/date of request, previously observed behaviour, and installed credentials. Behavioural attributes include automated user analytics, device analytics, and measured deviations from observed usage patterns. Policy is the set of access rules based on attributes that an organisation assigns to a user, data asset, or application. These rules and attributes are based on the needs of the business process and acceptable level of risk. Resource access and action permission policies can vary based on the sensitivity of the resource/data. Least privilege principles are applied to restrict both visibility and accessibility.
The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible. No device is inherently trusted. Here, “most secure state possible” means that the device is in the most practicable secure state and still performs the actions required for the mission. An enterprise implementing a Zero Trust Architecture (ZTA) should establish a CDM or similar system to monitor the state of devices and applications and should apply patches/fixes as needed. Devices that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise may be treated differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state. This may also apply to associated devices (e.g., personally owned devices) that may be allowed to access some resources but not others. This, too, requires a robust monitoring and reporting system in place to provide actionable data about the current state of enterprise resources.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication. An enterprise implementing a ZTA would be expected to have Identity, Credential, and Access Management (ICAM) and asset management systems in place. This includes the use of multif-actor authentication (MFA) for access to some or all enterprise resources. Continuous monitoring with possible re-authentication and re-authorisation occurs throughout user interaction, as defined and enforced by policy (e.g., time-based, new resource requested, resource modification, anomalous user activity detected) that strives to achieve a balance of security, availability, usability, and cost-efficiency.
The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture. An enterprise should collect data about network traffic and access requests, which is then used to improve policy creation and enforcement. This data can also be used to provide context for access requests from subjects.
Does your business network infrastructure apply the same or similar practices & principles?
Security Through Obscurity
The outdated approach of having 'Flat Networks' is almost like the business is relying on the concept of 'Security through Obscurity' - making the inner architecture so complex that the threat actors will get bored (DELAY)), prove to be too difficult (DETER) or that they create so much noise in the network that their activities are observed (DETECT) - before they can do too much damage.
However, this is far from being reality and with average 'Dwell Times' of
56 days, that leaves them a great deal of time to identify where your your most critical IT assets reside or to gauge what actions they can launch to cause disruption to your business operations.
Remember, An attacker is not always seeking to compromise the Confidentiality and Integrity of sensitive data but will seek to cause financial damage, through the unavailability of business critical systems.
Reliance on a single robust perimeter significantly increases the risk, as you need to ensure that NO malicious threat actors are able to manipulate ANY vulnerabilities, in order to gain unauthorised access to your inner network architecture.
The Threat Actor only needs to find a ONE exploitable perimeter vulnerability.
You need to ensure that ALL perimeter vulnerabilities are NOT exploitable.
With today's increasingly digital and mobile work forces, it becomes increasingly difficult to ensure that EVERY vulnerability will be remediated before a threat actor is able to breach your network perimeter.
Consequently, it is important to design your inner architecture with inner secure silos to help enforce improved opportunities to enforce the 5 Ds of Proactive Defence:
Unless you are able to prevent any inbound or outbound network traffic entering from the untrusted internet 'Badlands', into the corporate network, it is safe to say that any network traffic on the corporate network should be treated as being 'untrusted'.
Therefore, you need to add inner secure silos, with robust logical access controls (based upon least privilege, Need-to-Know & Role Based Access Control (RBAC)) to make things more difficult for an opportunist attacker, should they breach your perimeter.
Perimeter Access Control
Inner Network Segment (Secure Silo)
Inner Access Control (e.g. Firewall/Router policies)
Inner Secure Silo
A 'Flat Network' makes it extremely difficult to proactively defend your business' most critical assets and to identify the ABNORMAL from the NORMAL activities, happening within your network.
As a consequence, your attackers have a greater opportunity to gain a clandestine presence (aka Dwell Time) within your corporate environment, waiting for the chance to compromise the IT assets that are most valuable to your business operations.
Look at your corporate network, much like a military establishment, to ensure that your business valuable assets are suitably safeguarded.
NIST Asset Definition: Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).
Have you visualised these assets to show network connections and data flows (e.g. High-Level Network diagrams (Corporate Network & Secure Silos), Detailed Network Diagram (Secure Silos) and Data Flow Diagrams (data flows through the corporate network).
Have you automated the asset discovery (e.g. ExtraHop RevealX) to confirm the network connections?
Have you categorised your assets, based upon their importance to your business?
Are assets strictly restricted, based upon legitimate needs?
Do you understand what your most valuable IT assets are and where they reside within the network?
Do you understand what network systems are (and which are not) allowed to access your secure silos?
Do you understand which users are granted authorised access into the secure silos?
Do you understand the risks to your business and is this monitored and regularly reviewed (e.g. Acuity STREAM)
Do you have defined firewall rulesets to restrict network connections between network zones?
Are your most valued assets adequately protected, ensuring that they reside on hardened systems within segmented areas of your corporate network?
Do you understand the vulnerabilities associated with these assets (e.g. Monthly vulnerability scanning and Specified, Measurable, Realistic, Timebound and Realistic (SMART) remediation (e.g. Using a SCAP product), enabling you to apply timely remediation based upon their perceived values?
Are the number of users strictly limited?
Is the use of privileged user accounts strictly limited?
Do you restrict user access from the ORANGE to RED zones, based upon timebound and legitimate requirements
Do you carry out regular security awareness training with your users, authorised for access to the ORANGE and RED zones (e.g. KnowBe4)?
Are you able to easily detect suspicious/malicious or unusual activities?
Are you able to quickly identify attempts to gain unauthorised access to the secure silos?
Are you able to identify unauthorised escalation of privileges?
Does your network monitoring enable you to easily differentiate the NORMAL from the ABNORMAL?
Does your monitoring easily detect the deployment of unauthorised/malicious software?
Does your monitoring solution rely on a fully manual process to detect the ABNORMAL or have you incorporated the benefits of Machine Learning (e.g. CyberEasy).
Do you have an established audit trail, capable of identifying a specific asset against defined locations, times, etc?
Have you considered the various incident scenarios (based upon your business specific threats) and established regular familiarisation training/exercises for your incident response teams?
Does your corporate network design enable your incident response to intercept malicious or accidental activities, before they are able to present an impact on your valuable business assets (e.g. intercepted in the ORANGE zone, before being able to breach the RED zones).
Do you carry out periodic collaborative exercises with your highly-skilled Penetration Testers (e.g. Pentest Partners, OnSecurity, etc.), to confirm the effectiveness of your network defences and your capability to detect and respond to suspicious, malicious or accidental activity?
In the unlikely event that an attacker manages to evade your military grade network defences, have you consider what measures you will need to have in place to rapidly return to normal business operations, so as to minimise the potential impact from the event.
If you are liking the aforementioned concept, I would highly recommend that you check out the following resources:
A cyber attack is an ever-present danger and, in the event of a compromise of the corporate network, this can cause significant financial impact (loss of systems/data) and significant damage to an organisation's reputation (shareholder value, trust, etc.).
However, by applying a sensible and integrated approach (based upon the perceived risks) organisation's can help to reduce the opportunities for the 'have a go' (unsophisticated) or highly-skilled (sophisticated) attackers and thus reduce the risks.
By layering your network defences and integrating this into your defensive efforts, you can help to avoid cyber criminals being able to 'hop over' your perimeter fence and to disrupt, impact your business operations, or to walk 'straight in off the street' to steal your most precious assets.
You don't need to become the next victim of an 'Un'-Sophisticated attack
2013 - Target (initially reported as being highly sophisticated attack).
2015 - TalkTalk (initially reported as an increasingly sophisticated attack).
2018 - British Airways (initially reported as a sophisticated, malicious criminal attack).
2020 - EasyJet (yet to be confirmed as being a highly-sophisticated attack).