Security Experts:

Effective Security Needs to See and Interrupt Every Step in an Attack Chain

The best defense in depth strategy should not include loading up your network with a plethora of point solutions

Too many people outside of the cybersecurity profession see security as a series of binaries. Networks are under attack or they are not, cybercriminals are targeting a network or they aren’t, and security tools either see and stop threats or they miss them. But the reality is much more complex, as anyone who has spent time digging through log files or analyzing indicators of compromise can tell you.

True, a network can be directly attacked. But it can also be indirectly impacted by an event happening somewhere else. A critical server may be taken down as the result of a cascading chain of events, causing a segment of a network to go offline when it was never a target or under attack. End users can inadvertently spread malware when interacting with compromised devices. Preparing for such eventualities requires implementing a comprehensive and holistic security strategy. 

The idea behind defense in depth today is about much more than just having solutions from different vendors in place to catch each other’s mistakes. It involves interconnecting networks and unifying security devices and technologies to see and respond to both known and unknown threats in real time, thereby breaking the attack sequence. 

Threat mitigation is all about identifying even the most complex, multi-stage attacks and stopping them before they can achieve their objectives. To break an attack sequence, security solutions need to detect and rapidly adjust their security posture to effectively stop threats, even zero-day attacks, that are still in progress. These trusted insights also help threat hunters focus, as well as provide recommendations for next steps—preferably automated—when needed. 

Understanding and interrupting the attack chain

An effective security strategy needs to be able to see and interrupt every step in an attack chain, and do so in time to thwart an attack. In some cases, a response may not even happen in the same step that you detected the attack—highlighting even more the need for coordinated prevention across your organization’s extended footprint. Achieving this is easier said than done. It requires understanding the steps of an attack and mapping them to solutions that can respond in a timely manner to both known and unknown attack variations and components. While the steps in an attack chain may vary, the following are its general components, along with the tools needed to stop them:

Reconnaissance: This includes things like harvesting email addresses, searching websites and social media, probing network edge devices for exploitable vulnerabilities, and scanning ports and traffic looking ways to breach defenses. Security strategies need to include things like NGFWs, web application firewalls, and IPS systems to detect and respond to things like scans and probes. It is especially important to prioritize IoT- and OT-aware technologies and leverage deception technologies to make it more difficult for an attacker to identify legitimate devices, ports, and traffic.

Weaponization: This step generally involves building an exploit to target a known vulnerability, such as targeting a known, published vulnerability before a patch can be applied. But it can also involve targeting a zero-day vulnerability with a sophisticated ransomware or other malware-based infection, making detection much more difficult. Security systems need to include advanced threat protection (ATP) technologies, like sandboxing, to detect, analyze, and prevent newly created malware designed to bypass traditional security methods. And it requires consistent AV capabilities that can span network, endpoints, and clouds that have been tuned to the latest vendor and community threat intelligence. 

Delivery: The most common malware delivery mechanisms are still infected email and compromised web pages. Secure email gateway and web security solutions need to able to detect and block infected attachments, links, and websites. Credential theft prevention and active training of your workforce for phishing attacks will help reduce the attack surface even more. As highlighted, attacks increasingly occur as part of a larger attack strategy, so these security capabilities need to be employed consistently across networks, endpoints, and clouds.

Exploitation, installation, and communications: This is where the ability to orchestrate multiple technologies centered around the same dataset is the most critical. Once malware has managed to breach a target, its goal is to begin exploiting vulnerabilities to execute code on a target’s system, establish command and control communications, and then move laterally across the network. Technologies like IPS, AV, sandboxing, web and video filtering, C2, and DNS can all be used to break the attack sequence. The bigger question is, how fast can your sandbox analysis results be pushed to your AV, C2, and DNS technologies to stop a newly discovered attack? In addition, your SOC team can benefit from advanced technologies like Endpoint Detection and Response (EDR) and eXtended Detection and Response (XDR) tools to see and detect lateral movement across endpoints, networks, and clouds.  Advanced AI, deception, and SOAR are key to helping your teams detect and respond in time. 

Spreading and Exfiltration: Once in, an attacker looks to establish a beachhead, spread laterally across the network, identify valuable data, and begin exfiltration. This step may be automated or it may involve direct action from an intruder who is actively directing an attack or targeting systems. Solutions such as behavioral analytics can help detect unauthorized actions, and deception technologies can be used to confuse attackers and force them to trip alarms, thereby eliminating their ability to dwell inside a network for an extended period of time. 

Why so many security strategies are ineffective

The challenge with most security strategies is, first, they are only able to recognize and respond to a handful of the steps in an attack chain because solutions either operate in isolation or only have access to a limited data set. Second, many of the security events described above were also designed to evade detection. They do this by either operating below the radar, so they don’t trigger an alarm, or by coming at a network using multiple vectors to either confuse disjointed security systems, create distractions so the actual attack is obfuscated, or slip past defenses unnoticed (and reassemble once on the inside) because each attack element on its own seems to be benign.

There is a third aspect to this challenge as well, and that is the inability of disparate security solutions to effectively correlate threat intelligence. Without the ability to share and leverage common threat intelligence, coming up with that “one plus one equals three” equation that indicates that your network is under attack and then determining the right way and place to disrupt that attack becomes nearly impossible.

The need for a unified security platform

Resolving these issues requires implementing three key elements, built around a single requirement: the need for a common security platform. 

1. A single security platform enables different solutions, whether from a single vendor or multiple manufacturers, to see and correlate a variety of events. Of course, such a security platform needs to be able to be deployed broadly—to every network edge and device. This ensures common visibility across the organization’s operational environment (network, endpoints, and clouds), as well as across the attack chain. It also needs to oversee both networking and security elements so it can easily adapt to dynamic network and application environments. And lastly it needs a common security and management framework for monitoring digital performance end-to-end and to enable unified threat intelligence that can be easily found, automatically shared, and centrally orchestrated.

2. This security platform must also ensure deep integration between its various security elements to enable true interoperability between solutions. This can be done by either leveraging a common operating system or by using common standards and open APIs. And further, this integrated platform approach must enable every solution deployed across the network to function as part of a single, unified system. This will enable security teams to effectively see, share, correlate, and respond to threats in a coordinated fashion.

3. And finally, this platform needs to be able to leverage automation. At the end of the day, speed to prevention is the key to your security. Doing all of the above perfectly but responding too late, after the attack has achieved its objectives, will not help. Including well-trained machine learning and artificial intelligence leveraging unified data sets across endpoints, networks and clouds to detect, investigate, and respond—including reconfiguring your security posture with newly available threat data—means your security can function at digital speeds. Enabling effective and comprehensive automation is the ultimate objective of any security platform, and it is especially critical when dealing with expanding networks and overburdened security teams.

Defense is depth is not a new concept. The reality, however, is that the best defense in depth strategy should not include loading up your network with a plethora of point solutions. Instead, it is one that enables multiple tools, deployed across the distributed network—including endpoints, clouds, and applications—to work as a unified solution to detect and respond to threats anyplace in the organization and anywhere along the attack chain. And the best way to achieve that is by building a comprehensive security architecture using a common security platform.

view counter
John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.