I recently attended an online webcast on “defense in depth.” The presenter alternated the term with the catchphrase “layered approach.” Of course, I was highly disappointed when the speaker made it sound like this was something new. Well, maybe the concept of putting a Web Application Firewall (WAF) in front of your web-facing app is new, but, personally, I find the idea that someone would call “defense in depth” new is actually laughable.
The concepts of defense in depth have been with us for years — hundreds of years, if not thousands. Medieval castles embodied the very concept in their construction. Land was cleared so you could see the attacker coming up the glacis around the castle. The ground was made irregular to make a charge difficult. The castle was surrounded by pits and lined with spikes to make their traverse hazardous, or surrounded by moats if there was a water supply. Walls were tall and steep so they could not be climbed. Embrasures or arrow loops in the walls allowed defenders to fire at attackers from protected locations, as did crenellations along the tops of the walls. Machicolations allowed defenders to fire straight down onto attackers, or drop stones or other objects from the heights of the walls. Bartizans or corner towers covered approaches from the sides and allowed the defenders to flank attackers by firing along the walls. Troops were held in reserve and sent to reinforce other defenders who were under the strongest attack. Sally ports allowed the defenders to raid outside of the walls and retaliate against an opponent who is focusing solely on attacking.
Moats were also great defenses against tunnels. If there were no moat, attackers would tunnel under the castle walls in an attempt to bypass the wall, or to weaken it enough that a portion would collapse. Defenders would dig counter-tunnels, and when the two tunnels met, no one wanted to be involved in that fighting, under the ground, in the dirt, in the dark.
If the outside walls fell, other internal walls served the same purpose, and defended the remaining parts of the castle in the same way. Some medieval castles had several layers of defensive works so that an attacker might have to take four, five, six or more concentric walls or reinforced baileys in successive attacks. And inside the heart of most castles were the cathedrals and the keeps, which were invariably fortified and defended as well. So, even if an attacker penetrated all of the walls, they still had to take the central keep to get to the most valuable items – the royal families and the riches.
Defenses were not just static. Attacking siege engines were counterattacked with the castle’s own ballistae or trebuchets. Ladders were repulsed with arrows, spears stabbed through loopholes, stones dropped from the tops of walls, or poles used to push the ladders away and topple the attackers. Rams were built to smash through gates, so arrows and stones were rained down on the soldiers manning the rams. The rams were then covered with shields or armor to protect the soldiers. In turn, the defenders drenched the attackers with boiling oil or flaming pitch.
Advance these defensive works into the late 800s (A.D.), when King Alfred the Great built his great burhs across England to protect the Saxon (think “English”) country from the Norse, Danish and Frankish invaders (think “Vikings”). The effect was to build enclaves across the country where English citizens would be safe from the marauding Norse armies that stalked the countryside. The problem was that the Saxon armies were just not big or mobile enough to fight the Norse armies – they never quite knew where the invaders were going to be, and the Saxon armies could not be everywhere. The Norse were often uninterrupted as they prowled England, raiding farms and churches, pillaging the area of its value, while the most important citizens, riches and relics were often protected in the burhs. Yes, the Norse invaders were able to take some burhs, since not all towns were protected, and the people suffered greatly as the Norsemen collected their loot. But without the burhs England would likely have fallen. How much would history have changed if the Norse invasion of England had succeeded in the 800s? I would probably not be writing this in English now.
Attack. Defend. Counterattack. Attack. Parry. Riposte. These are old, old lessons.
The “new” part of this is that we are now facing advanced attacks and threats on an almost continual basis. New zero-day attacks are announced weekly, if not daily. Malware evolves at an alarming rate as toolkits allow attackers to change signatures almost on the fly – a sample that was caught at 10:00 AM is repackaged, and the new version passes the same anti-virus scan at 2:00 PM. Attackers rely on getting a foothold and then expanding their reach across the internal environment of their victim.
Maybe we can learn something from those architects of warfare from the Middle Ages, which we can boil down to five rules:
1. Don’t rely on a single security technology. Castles did not rely only on pits that defeated ladders, or only on moats that defeated tunnels. They looked at the variety of attacks they could face and tried to address them all with defensive measures. Use WAFs, and anti-virus, and IDS, and IPS, and firewalls – and use each of them in ways that address the different types of attacks to which you will be subjected.
2. Use a layered approach. Castles used tiered layers of defense that attackers would have to defeat in succession. Use secure coding techniques to harden your applications. Use a WAF to further protect the web application. Harden the web server on which the application runs. Encrypt the back-end database. Do vulnerability testing on the system, and actually fix all the problems you find. Use strong authentication for logins. Scan the server with anti-virus software. Plan security controls to back up other security controls so that you minimize, or eliminate, single points of failure. REQUIRE an attacker to defeat successive layers.
3. Use enclaves. Layered walls, separate bastions or baileys, and even separate castles helped keep the Norse invaders from having too much success – they simply could not sustain victories. Segregate your environment not just at the IT level, but at the security level. Protect one enclave from another just like you would protect it from the outside world. Truly isolate your sensitive systems from other portions of your network. Internal firewalls and filters can help control attackers trying to move around within your internal network. Monitoring communication between enclaves can help you spot, and halt, aberrant behavior.
4. Evolve your security. Defenders built walls to help protect them from attackers. When the attackers started using ladders, the defenders added ditches with pikes. When attackers started using battering rams, the defenders used boiling oil. Each time the attack evolved, the defense evolved with it. One of the first ways to evolve your security program is to have an effective patch management system that helps eliminate old vulnerabilities (don’t let the moat run dry so attackers can tunnel underneath it – do NOT give the attacker an easy path with an old attack). When technology like a WAF comes out, evaluate whether it can add to your defensive capabilities, and continue to evolve your security program to take the best advantage of new technologies.
5. Don’t get lazy. Don’t stand there and let the barbarians climb over the wall. Send in reinforcements. Watch what is happening. Monitor the security of your environment and react to incidents and indications that attacks are looming. Check your own systems for signs of weakness. Test the vulnerabilities in your environment and maintain an active vulnerability management program that actually helps you close your exposures.
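Rule 3 (enclaves) and the monitoring half of rule 5 are easy to state and easy to let slip. The following script is an added example, not part of the original post: it models a small set of enclaves as named network zones, keeps an allow-list of which zone-to-zone flows are permitted, and runs sample flow records through that policy so that any east-west connection not on the list is reported. The zone names, subnets, allowed flows and the log lines are all constructed for this example; the log format (`src=… dst=… dport=… proto=…`) is likewise an assumption, so adapt the parser to whatever your firewall or flow collector actually emits.

```python
"""
Added example: an east-west flow audit for segmented enclaves.

Each enclave is a named zone made of one or more subnets.  A policy lists
the permitted (source zone, destination zone, destination port) triples.
Any inter-enclave flow that is not in the policy is reported as "deny",
and any address that falls outside every known enclave is reported as
"alert".  All zones, rules and sample records here are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed enclave map: zone name -> list of subnets (hypothetical addressing).
ENCLAVES = {
    "dmz":  [ipaddress.ip_network("10.1.0.0/24")],
    "app":  [ipaddress.ip_network("10.2.0.0/24")],
    "db":   [ipaddress.ip_network("10.3.0.0/24")],
    "corp": [ipaddress.ip_network("10.10.0.0/16")],
}

# Constructed allow-list: (source zone, destination zone, destination port).
# Anything between enclaves that is not listed here is denied.
ALLOWED_FLOWS = {
    ("dmz", "app", 8443),   # web tier -> app tier API
    ("app", "db", 5432),    # app tier -> database
    ("corp", "dmz", 443),   # staff browsing the public site
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an IP address to its enclave name, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ENCLAVES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form 'src=IP dst=IP dport=N proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for a single flow under the enclave policy."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        # Traffic touching an address outside every enclave needs a human look.
        return ("alert", f"address outside any enclave: {flow.src}->{flow.dst}")
    if s == d:
        # Traffic that stays inside one enclave is the enclave's own concern here.
        return ("allow", f"intra-enclave {s}")
    if (s, d, flow.dport) in ALLOWED_FLOWS:
        return ("allow", f"{s}->{d}:{flow.dport} permitted by policy")
    return ("deny", f"{s}->{d}:{flow.dport} not in policy")


def audit(lines):
    """Evaluate every log line; returns a list of (line, verdict, reason)."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


def policy_violations(lines):
    """Only the denied or alerting flows, which are what a monitor should surface."""
    return [(v, r) for _, v, r in audit(lines) if v != "allow"]


# Constructed sample flow log.  The third record is the kind of thing
# segmentation exists to stop: a DMZ host talking straight to the database
# tier instead of going through the app tier.
SAMPLE_LOG = [
    "src=10.1.0.5 dst=10.2.0.10 dport=8443 proto=tcp",
    "src=10.2.0.10 dst=10.3.0.7 dport=5432 proto=tcp",
    "src=10.1.0.5 dst=10.3.0.7 dport=5432 proto=tcp",
    "src=10.2.0.10 dst=10.2.0.11 dport=22 proto=tcp",
    "src=10.3.0.7 dst=10.10.4.20 dport=445 proto=tcp",
    "src=192.0.2.9 dst=10.3.0.7 dport=5432 proto=tcp",
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5}  {reason}")
```

Two of the six constructed records are denied (a DMZ host reaching the database directly, and a database host opening SMB toward the corporate zone) and one raises an alert because its source address belongs to no enclave. The point is the shape of the check rather than the particular rules: the policy is a small explicit allow-list, everything else between enclaves is reported, and the report is something you can feed into whatever you use to react to incidents.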
In most cases, the results of failure in cybersecurity are not as dire as they were in the days of King Alfred the Great. The Vikings were well-known for pillaging, looting, and other victory celebrations. But that does not necessarily mean we should take modern cyberattacks lightly. They still have real consequences. Back in 880 A.D., I think Alfred was onto something with this defense in depth thing. So, although the concepts have been around for a while, they are still as valid as ever.