Recently I wrote about Defense in Depth and the importance of layering multiple security controls to reduce the risk of any one control failing.
A related idea is to look at a system from the perspective of an attacker trying to get in, and to map the possible (and easiest) ways in as sequences of steps.
This idea is alternatively called “attack trees” or “attack paths”, or described as “thinking in graphs”. For context – “trees” and “graphs” are essentially “if this, then that” flow charts. Attack trees provide a map for getting from where the attacker is to where they want to be.
The graph below provides an example of an attack tree, with the goal at the top and possible starting points below.
(Original by Michael Henriksen, published under MIT license.)
The Defensive Difference
In contrast, the typical defensive process is list-based –
- Update all the systems on this list
- Train these users
- Add multi-factor authentication to these accounts
In other words, when defending against cyber attacks, the defender normally has to protect everything and cannot cut any corners, while the attacker only has to find the lowest-hanging fruit.
This leads to outcomes such as “you have to be successful all the time, attackers only have to be successful once.”
This is not a very positive scenario – can we do something about that?
Changing the Approach
If the attacker’s optimal process is to find the easiest way in, the defensive response should be to remove the easy paths where possible and make the remaining paths more difficult.
Some of the possible strategies include:
- Divide systems to prevent “island hopping” between unrelated systems
- Reduce the number of administrative accounts and use multi-factor authentication for all such users
- Reconsider “flat network” designs
Doing this requires an in-depth understanding of what your high-value technological assets are and how they can be accessed, which in turn requires collaboration between business and technology units.
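To make the “remove the easy paths, harden the rest” idea concrete, here is an added example (not from the original post) that models a small attack graph as weighted “if this, then that” steps, finds the attacker’s cheapest path with Dijkstra, and then re-runs the search after applying the two strategies above (segmentation removes an edge; MFA on admin accounts raises the cost of the edges into the goal). The graph, node names and difficulty scores are constructed for illustration only.

```python
import heapq

# Constructed example attack graph (illustrative only): keys are attacker
# positions, values map the next position to a rough difficulty score.
# Higher score = harder step. The goal node is "domain_admin".
ATTACK_GRAPH = {
    "internet": {"phish_user": 2, "exploit_vpn": 6},
    "phish_user": {"workstation": 1},
    "exploit_vpn": {"internal_net": 3},
    "workstation": {"internal_net": 1, "local_admin": 4},
    "internal_net": {"file_server": 2, "domain_admin": 5},
    "local_admin": {"domain_admin": 3},
    "file_server": {"domain_admin": 4},
    "domain_admin": {},
}

def cheapest_path(graph, start, goal):
    """Dijkstra: return (total_cost, [nodes]) for the lowest-cost path, or (inf, [])."""
    dist = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:  # first pop of the goal is optimal (non-negative weights)
            path = [goal]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, weight in graph.get(node, {}).items():
            new_cost = cost + weight
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    return float("inf"), []

def apply_mitigations(graph, remove_edges=(), harden_edges=None):
    """Copy the graph, deleting edges (segmentation) and adding cost to others (e.g. MFA)."""
    harden_edges = harden_edges or {}
    out = {node: dict(edges) for node, edges in graph.items()}
    for src, dst in remove_edges:
        out[src].pop(dst, None)
    for (src, dst), extra in harden_edges.items():
        if dst in out[src]:
            out[src][dst] += extra
    return out
```

Running `cheapest_path` before and after `apply_mitigations` shows the lowest-hanging fruit shifting from the phish-to-flat-network route to a costlier one, which is the comparison a defender wants to make for each candidate control.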
Interested in seeing your low hanging fruit from an attacker’s point of view? Learn more about Penetration Testing.