
Recently I wrote about Defense in Depth and the importance of layering multiple security controls to reduce the risk of any one control failing.

A related idea is to look at a system from the perspective of an attacker trying to get in, and to map out the possible (and easiest) ways in as sequences of steps.

This idea is variously called “attack trees”, “attack paths” or “thinking in graphs”. For context, the “trees” and “graphs” here are networks of nodes (positions the attacker can reach) joined by steps (actions that get them from one position to the next), essentially “if this, then that” flow charts. An attack tree provides a map for getting from where the attacker is to where they want to be.

The graph below is an example of an attack tree, with the attacker’s goal at the top and the possible starting points below.

(Image: cyber attack tree)

(Original by Michael Henriksen, published under MIT license.)


The Defensive Difference

In contrast, the typical defensive process is list-based: a checklist of controls to apply to every asset, one by one.

In other words, to defend against cyber attacks the defender is normally trying to protect everything and cannot cut any corners, while the attacker only has to find the lowest-hanging fruit.

This leads to the familiar conclusion that “the defender has to be successful all the time, while attackers only have to be successful once.”

This is not a very positive scenario – can we do something about that?


Changing the Approach

If the attacker’s optimal process is to find the easiest way in, the defensive response should be to remove the easy paths where possible, and to make the remaining paths more difficult.

Some of the possible strategies include:

  • Segment systems to prevent “island hopping” between unrelated systems
  • Reduce the number of administrative accounts and require multi-factor authentication for all of them
  • Reconsider “flat network” designs, in which any host can reach any other host directly

Doing this requires an in-depth understanding of what your high-value technology assets are and how they can be reached, which in turn requires collaboration between business and technology units.
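The following script is an added example (not part of the original post) that puts both halves of the argument into working code: the attack tree described earlier becomes a small weighted graph, the attacker’s view is “find the cheapest path to the goal”, and the defensive strategies above become edits to that graph (segmentation removes an edge, MFA on admin accounts raises the cost of one). The node names, edges and effort scores are constructed assumptions for illustration, not measurements of any real environment.

```python
"""Attack-graph model: the attacker's cheapest path to a goal, re-run after
each defensive change. Added example; the graph below is constructed for
illustration, and the effort scores are assumptions (lower = easier)."""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]   # node -> {next node: attacker effort}

# Constructed attack graph (assumed, not from any real environment).
# A "flat network" edge (workstation -> internal_lan) and an admin account
# without MFA (internal_lan -> admin_creds) make the phishing route cheap.
BASELINE: Graph = {
    "internet":     {"phished_user": 1, "vpn": 4},   # phish is cheap, VPN exploit is not
    "phished_user": {"workstation": 1},               # payload runs on the user's machine
    "vpn":          {"internal_lan": 1},
    "workstation":  {"internal_lan": 1},              # flat network: free lateral movement
    "internal_lan": {"admin_creds": 2},               # admin creds reachable, no MFA
    "admin_creds":  {"crown_jewels": 1},
    "crown_jewels": {},
}


def cheapest_path(graph: Graph, start: str, goal: str) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra: the attacker's lowest-effort route, or None if the goal is unreachable."""
    dist = {start: 0}
    prev: Dict[str, str] = {}
    queue = [(0, start)]
    while queue:
        cost, node = heapq.heappop(queue)
        if cost > dist.get(node, float("inf")):
            continue                      # stale queue entry
        if node == goal:
            break
        for nxt, effort in graph.get(node, {}).items():
            new_cost = cost + effort
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(queue, (new_cost, nxt))
    if goal not in dist:
        return None
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


def all_paths(graph: Graph, start: str, goal: str) -> List[Tuple[int, List[str]]]:
    """Every simple path to the goal, cheapest first: the attacker's full map."""
    found: List[Tuple[int, List[str]]] = []

    def walk(node: str, seen: set, path: List[str], cost: int) -> None:
        if node == goal:
            found.append((cost, list(path)))
            return
        for nxt, effort in graph.get(node, {}).items():
            if nxt not in seen:
                seen.add(nxt)
                path.append(nxt)
                walk(nxt, seen, path, cost + effort)
                path.pop()
                seen.discard(nxt)

    walk(start, {start}, [start], 0)
    return sorted(found)


def harden(graph: Graph, src: str, dst: str, new_cost: Optional[int] = None) -> Graph:
    """Return a copy with edge src->dst removed (new_cost=None) or made more expensive."""
    copy = {node: dict(edges) for node, edges in graph.items()}
    if new_cost is None:
        copy[src].pop(dst, None)
    else:
        copy[src][dst] = new_cost
    return copy


# Apply the post's strategies one at a time and watch the cheapest path change.
SEGMENTED = harden(BASELINE, "workstation", "internal_lan")        # segmentation blocks the hop
SEGMENTED_MFA = harden(SEGMENTED, "internal_lan", "admin_creds", 6)  # MFA makes admin takeover costly

if __name__ == "__main__":
    print("attacker's map (baseline):")
    for cost, path in all_paths(BASELINE, "internet", "crown_jewels"):
        print(f"  effort {cost}: {' -> '.join(path)}")
    for label, graph in [("baseline", BASELINE), ("segmented", SEGMENTED),
                         ("segmented + MFA", SEGMENTED_MFA)]:
        print(f"{label}: {cheapest_path(graph, 'internet', 'crown_jewels')}")
```

Run it and the cheapest route in the baseline is the phishing chain (effort 6); removing the flat-network hop pushes the attacker onto the VPN route (effort 8), and adding MFA on the admin account raises that to 12. Each change either deletes the lowest-hanging fruit or makes the remaining path harder, which is exactly the defensive posture the post recommends. In a real engagement the effort scores come from your own assessment (or a penetration test), not from a script.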

Interested in seeing your low hanging fruit from an attacker’s point of view? Learn more about Penetration Testing.
