You Cannot Defend Against What You Cannot See

It is often claimed that the U.S. National Security Agency has a saying: “Never trust a cipher which was designed by someone who hasn’t broken ciphers”.

Whether this is true or not is hard to verify outside the multiple ringed fences of Fort Meade, but it highlights something that is often forgotten in many areas of security: The dichotomy of attacker and defender is often a false one. A defender unfamiliar with the techniques used by an attacker is likely to do a poor job keeping an experienced attacker out. An attacker unfamiliar with his target’s defensive capabilities will soon be detected.

Good attackers know this well.

Since 2010-2011, information about how skilled attackers behave has become widely known. Lockheed-Martin’s Cyber Kill Chain™ and other Computer Network Defense (CND) methodologies have highlighted the broad strokes of advanced cyber operations, often honed in years of experience defending government and Defense Industrial Base clients.  This experience, and years of watching attackers in action, is now becoming known in enterprise and commercial fields, who are facing advanced attackers as well.

For this blog post, I will use the Lockheed Martin Cyber Kill Chain to describe attack phases. Just as mature organizations know to expect attacks, a good attacker will expect a good defense. This highlights the dual role: The attacker must also defend themselves. In the early reconnaissance phases of an attack, most will use both public and private information to understand the likely defensive capabilities they will face. Some fairly common examples:

• LinkedIn searches to understand who is currently employed in security architectural and operational roles
• What experience those staff have, and what tool sets are they claiming to use
• Vendor “win” information: Are vendors claiming this organization as a “win” or a reference site?
• Commercial databases compiled by marketing organizations, indicating the IT products purchased by specific organisations, based on phone surveys
• Searches on specific email addresses in security forums, revealing issues and advice from company employees to others on the forums

This list is not exhaustive, and represents a purely passive reconnaissance phase. An active reconnaissance, whereby direct contact may be made to the company via various anonymized channels, can be even more effective, although it carries a higher risk to the attacker. Once armed with an understanding of the sophistication of the target’s defense, the attack will proceed through the weaponization, delivery, exploitation and installation phases. Once the command and control channel is deployed, the attacker is inside. It is at this point that a good attacker will immediately become defensive. They are likely to do two things in quick succession:

1. Immediately baseline their environment and start the process of mapping the lateral movement that will achieve their objectives
2. Start planning the establishment of a second ingress point, should their attack be detected and repelled

So why baseline the environment?  Simple: they are trying to detect if they’ve been seen. Establishing a SPAN port, deploying tools on servers, putting interfaces into promiscuous mode are all clues that will tell the attacker they may have been seen. Once they suspect this, they will go to ground, shut down C2 channels with a timed restart in the future, and stop all operations. Finding them will be exceedingly difficult.

As an architect of a CND architecture suitable for a modern, sophisticated enterprise, enabling as-need visibility into the entirety of your network is absolutely essential. This visibility must be deployed strategically, but available to be used tactically at any time. It must:

• Enable access to any CND tool at any time for any part of your network
• Necessitate no changes to the existing infrastructure when tactically deployed, which includes hardware, software and configurational changes
• Be able to deploy relatively slow tools on very fast networks
• Be able to feed network traffic to as many tools as is needed, in parallel
• Be totally invisible to an attacker

A Gigamon Visibility Fabric™ meets all of these requirements. Functionally, a visibility fabric operates like a data diode: network data can only flow from network ports attached to attacker-invisible TAPs to tools. This unidirectional traffic flow means that no matter what tool you deploy, the attacker cannot see it. As a defender, you have complete visibility. Your attacker has no visibility of that defensive capability.

Indeed, the Gigamon Visibility Fabric on a fibre network can work fine with the transmit lights on the network ports completely unplugged, and the receive lights on the tool port also unconnected. The tools can be deployed in a security zone which is highly protected. For maximum security these tools can be air gapped from the network entirely, with data transit only on physical mediums. Where this is impossible, the use of tightly configured firewalls between the rest of the network and this zone is strongly recommended.

At Gigamon, one of the most common things we hear from security customers is “I wish we had more visibility for incident response.” Gigamon can deliver that to any organization.

So let’s all stop thinking about just defense and embrace the duality in becoming an attacker as well. At Gigamon, we often say that you cannot defend against what you can’t see. If your attacker doesn’t see your tools, doesn’t see your capability and doesn’t see your response until it lands upon them, then you have made their job much harder for them.