Scrap the DMZ – How a Security Zone Paves the Way for Proactive Cyber Security

By Using a True Security Zone, Defenders Can Take Initiative Away From the Enemy and Shift the Success of Close Battle in Their Favor.

According to US military doctrine, a demilitarized zone or DMZ is an area devoid of military forces. It is designed to separate opposing forces to prevent hostile actions. Yet it is the term that cyber security practitioners have been using for years to describe the place on our network where we most often engage our cyber enemies.

The DMZ in most networks is segmented from the majority of the enterprise through a firewall. It normally hosts online web services accessible by remote users and customers. A cyber DMZ is the first layer of defense into a network and is anything but demilitarized. In this article, I offer an alternative approach for security professionals to contend with this space. I will introduce the concept of a security zone within the cyber area of operations.

The US Army Operations Field Manual 3-90 defines a security zone as the “Area that begins at the forward area of the battlefield and extends as far to the front and flanks as security forces are deployed. Forces in the security area furnish information on the enemy and delay, deceive, and disrupt the enemy and conduct counterreconnaissance.” It further defines the purpose of operations in the security area as “to provide early and accurate warning of enemy operations, to provide the force being protected with time and maneuver space within which to react to the enemy, and to develop the situation to allow the commander to effectively use the protected force.”

As shown in Figure 1, the security zone is one component of defense in depth through the battlespace. It is an area to which a commander can assign responsibility and specific tasks. In this way, the commander provides focus to subordinates and allows for mutual support between elements. Although linear battlefields are not as prevalent in combat operations today, I would argue that networks are very linear in nature. And even though a mobile workforce and its supporting devices are a factor to contend with, the topology of the network can be designed to preserve defense in depth. This simplistic battlefield model will serve as a basis to begin the discussion on a complex topic.

Figure 1: Basic Military Operations Battlefield Management

Figure 2 depicts the translation of this military concept to practice within network defense. Again, this is a simplistic depiction of a network, but it illustrates the concept well.

Figure 2: Military Graphics with Basic Network Security Overlay

As shown, firewalls, intrusion prevention systems and web proxies are some of the tools in the security area used to identify enemy reconnaissance attempts, protect the network and buy time to react.


In military operations, security zone operations are some of the most complex that can be undertaken. First, the primary mission is counterreconnaissance. In other words, you work to identify and eliminate the most clandestine efforts the enemy makes to find you and pinpoint your key assets. Second, security operations are normally an economy of force mission. This means that limited forces are combined and used to maximum effect. Traditionally, this mission has been reserved for modern Cavalry units. These units are typically elite, very well trained and have the best weapons platforms available. Third, they must also coordinate with and rely on assets outside of their organization for success, including higher echelon formations, national level intelligence and close air support from a variety of aerial platforms. In most cases, the winner of the counterreconnaissance fight wins the battle because they will have the upper hand in understanding what is happening on the battlefield.

As it relates to cyber, the security zone is the ideal region in which to locate and defeat enemy scans and probes. If shaping operations are successful, most of these attempts should be redirected to honeynets/honeypots or blackholes, or deflected through other techniques that obscure the network and its supporting activities. A network defender should assign a team, or in some cases an individual, to fight the security zone battle. That team will focus its efforts on locating threat reconnaissance techniques, starting with its Intelligence Preparation of the Operational Environment. Its resources should include external sensors and log files, plus external threat intelligence to understand capability, intent and adjacent activity. This information will lead the team to think like the threat and determine the best counter to its actions. Knowing the type of attack allows the counter-recon effort to tune its technology to detect recon attempts and defeat them in the security zone. The team must have a strong understanding of port and protocol scanning tools, and the corresponding signatures must be used to identify recon activity.
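A concrete form of the counter-recon tuning described above is a detector run over the perimeter firewall's deny log, flagging sources that probe many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a short window. The following is an added example and not code from the column; the log format, the field names, the thresholds and the sample lines are all constructed for illustration, and the addresses come from the RFC 5737 documentation ranges. It also shows the caveat a practitioner should keep in mind: a low-and-slow scan that spaces probes beyond the window slips past a fixed-window detector unless the window is widened.

```python
"""Reconnaissance (port-scan) detector over firewall deny logs.

Added example, not from the original article. The line format below is an
assumption for illustration, not any real firewall's syntax:

    <ISO-8601 timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5):
    """Flag sources whose DENY events, within a sliding window, touch at least
    `port_threshold` distinct ports on one host (vertical scan) or at least
    `host_threshold` distinct hosts on one port (horizontal sweep).

    Only DENY events count: a scanner probing closed ports leaves mostly denies,
    while a legitimate client produces mostly allows. Each (source, kind, target)
    is reported once, at the moment it first crosses the threshold.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(ts, dst, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "DENY":
            events[ev["src"]].append((ev["ts"], ev["dst"], ev["dport"]))

    findings = []
    for src in sorted(events):
        recent = deque()   # events from this source inside the current window
        fired = set()
        for ts, dst, dport in sorted(events[src]):
            recent.append((ts, dst, dport))
            while recent[0][0] < ts - window:   # drop events that aged out
                recent.popleft()
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, d, p in recent:
                ports_per_host[d].add(p)
                hosts_per_port[p].add(d)
            if len(ports_per_host[dst]) >= port_threshold and ("vertical", dst) not in fired:
                fired.add(("vertical", dst))
                findings.append({"src": src, "kind": "vertical", "target": dst,
                                 "count": len(ports_per_host[dst]), "at": ts})
            if len(hosts_per_port[dport]) >= host_threshold and ("horizontal", dport) not in fired:
                fired.add(("horizontal", dport))
                findings.append({"src": src, "kind": "horizontal", "target": f"port {dport}",
                                 "count": len(hosts_per_port[dport]), "at": ts})
    return findings


def constructed_log():
    """Constructed sample log (not captured traffic) covering four sources."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    # 203.0.113.5: vertical scan, 11 ports on one host in 11 seconds
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]):
        lines.append(f"{stamp(i)} DENY src=203.0.113.5 dst=198.51.100.10 dport={p} proto=tcp")
    # 203.0.113.77: horizontal sweep, port 445 across six hosts
    for i in range(6):
        lines.append(f"{stamp(20 + i)} DENY src=203.0.113.77 dst=198.51.100.{i + 1} dport=445 proto=tcp")
    # 203.0.113.9: low-and-slow, 12 ports but one probe every 30 s
    for i in range(12):
        lines.append(f"{stamp(30 * i)} DENY src=203.0.113.9 dst=198.51.100.10 dport={1000 + i} proto=tcp")
    # 203.0.113.200: ordinary client, allowed traffic plus a single deny
    lines.append(f"{stamp(0)} ALLOW src=203.0.113.200 dst=198.51.100.10 dport=443 proto=tcp")
    lines.append(f"{stamp(5)} DENY src=203.0.113.200 dst=198.51.100.10 dport=8443 proto=tcp")
    return lines


if __name__ == "__main__":
    for f in detect_scans(constructed_log()):
        print(f"{f['kind']:10} {f['src']:15} -> {f['target']} ({f['count']} in window) at {f['at']}")
    print("with a 10-minute window the slow scanner is also caught:",
          len(detect_scans(constructed_log(), window_seconds=600)), "findings")
```

With the default 60-second window the detector reports the fast vertical scan and the SMB sweep but not the slow scanner, which never has more than three probes inside any one window; widening the window to ten minutes catches it, at the cost of more state per source. In practice the thresholds are tuned against the organization's own baseline of benign denies, and the source of a confirmed finding is what gets handed to the redirection and honeynet controls described above.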

The security force must also work “on net” to purposefully look for signs and symptoms of threat activity. It must also have the authority within the organization to kill, or at a minimum “cage,” identified malicious behavior. A vulnerable friendly asset can be turned into an enemy asset, so the team must be given rules of engagement for how to handle that threat. This team must also be able to determine what information about the enterprise's configurations, operating systems, topology and technology is available through open source research, and work to obscure that data or eliminate the leak.

As discussed in previous articles, just having the people or technology to defend a network is not good enough. By using a true security zone as part of a defense in depth strategy, network defenders can begin to take initiative away from the enemy, defeat enemy reconnaissance efforts and shift the success of close battle in their favor.
