In the past, information systems security often focused simply on perimeter defense, wrongly assuming that a strong perimeter was the only defense needed. Then, as regulations became more complex and more legally binding, infosec became more “compliance-centric”, trying to pass the security audits required by law. Compliance-oriented security produces reams of paperwork and reports and can accomplish good security, but too often seems to lose track of what the attackers are doing and how they do it. Now we are facing increasingly intelligent and sophisticated attackers who have studied defensive tactics, tools and regulations and understand the weaknesses in the defense better than the defenders do. They have learned that it is often easy to penetrate the perimeter, and then the game changes from penetration to digging in for a long-term presence without being discovered.
Defensive agility requires the ability to react quickly to threats and compromises and changing conditions. US Air Force Col. John Boyd taught his philosophy of OODA loops that he developed as a fighter pilot to describe the dynamics of an aerial dogfight. When two aircraft get tangled in mortal combat in the sky, the dynamics change rapidly and the pilot that can adapt faster and take advantage of the changing state before the opponent does the same thing is more likely to live longer. OODA stands for:
- Observe – take in data about events in your environment
- Orient – translate the event data into a framework that makes sense
- Decide – reach a decision about what to do next
- Act – take action on the decision
(lather, rinse, repeat…)
Boyd’s theory shows how the combatant who cycles through this process faster reaches each stage before the other combatant and, in a short amount of time (at least in a dogfight), builds a large advantage. In aerial combat this can escalate within a few seconds into an advantage that produces a kill. OODA loop theory can be applied to all forms of combat, competition or contention.
Cyber security is no exception. Cyber attackers can measure the response rate of defenders and plan their attack accordingly so that they have moved on to the next stage of the attack before the defenders take action to defeat them. In order to stay alive in this cyber dogfight, the defenders must learn more about the attack tactics being used against them and know when they need to accelerate their response or change their tactics. This is called AGILE DEFENSE.
NIST SP 800-53 based security controls are too often associated with the worst of “compliance” style defense, but in fact, they offer an incredible range of protections and response tactics if you take the time to study them and know them well.
NIST security controls that can be used to create an agile defense:
- OBSERVE – Monitor
  - CA-7 CONTINUOUS MONITORING – monitoring the effectiveness of security controls should produce an awareness of the security “posture” that makes the transition through the OODA loop faster
  - SI-4 INFORMATION SYSTEM MONITORING – real-time monitoring of inbound, outbound and interior traffic to find the anomalies that allow detection of an attacker
  - SI-3 MALICIOUS CODE PROTECTION – monitoring your anti-virus performance shows you how well protected your systems are at this layer. It can also reveal trends in attacks.
  - SI-7 SOFTWARE AND INFORMATION INTEGRITY – this is critical for exposing successful penetrations.
  - AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – this area won’t reveal much most of the time, but it can be highly automated and is critical for building a profile of how an attack proceeded.
  - PE-6 MONITORING PHYSICAL ACCESS – physical attacks can defeat all your other fancy protections. Compromising an insider (blackmail?) with physical access permission gets the attacker the keys to the kingdom. How can you tell who did what?
  - SC-31 COVERT CHANNEL ANALYSIS – once an attacker is on your network, they will most likely be trying to exfiltrate some form of data, at least command and control traffic. Can you find it?
- ORIENT – Correlate
  - IR-4 INCIDENT HANDLING (CE-4) – correlation of incident and response information
  - RA-5 VULNERABILITY SCANNING – scan for vulnerabilities so that they can be patched before an attacker finds them
  - RA-5 VULNERABILITY SCANNING (CE-9) – penetration testing is another form of assessing vulnerabilities.
  - RA-3 RISK ASSESSMENT – you must decide how much real risk is present in the threats and vulnerabilities.
  - CM-4 SECURITY IMPACT ANALYSIS – how fast can you predict the risk involved in making changes to your system?
- ACT – Respond
  - IR-4 INCIDENT HANDLING (CE-2) – dynamic reconfiguration as part of the IR capability
  - IR-4 INCIDENT HANDLING (CE-3) – define classes of incidents and responses
  - SI-4 INFORMATION SYSTEM MONITORING (CE-3) – integration of IDS tools into access control and flow control to create rapid response mechanisms
  - SI-2 FLAW REMEDIATION – patching, making configuration changes, and removing components can remediate flaws.
  - CP-2 CONTINGENCY PLAN – do you have contingency plans for every kind of failure, and do you know how long they take to implement and under what conditions they will be triggered?
[note - CE stands for Control Enhancement]
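The post argues that defenders must know their own OODA cycle time and notice when the attacker moves to the next stage before the response lands. The script below is an added example (not from the original post) of how AU-6 style automated audit review can measure that: it reads constructed incident log lines tagged with the defender's observe/orient/decide/act stages plus attacker steps reconstructed after the fact, computes the latency of each OODA transition per incident, flags incidents where an attacker step fell between detection and action, and reports the slowest transition across incidents. The log format, stage names, incident ids and timestamps are all assumptions made for the example.

```python
"""Measure defender OODA loop latency from audit events.

Added example, not from the original post: the event format, stage names
and sample log lines below are constructed for illustration only.
"""
from datetime import datetime

# Constructed sample audit lines: "<ISO timestamp> <incident-id> <stage> <detail>".
# Defender stages map directly onto OODA: observe, orient, decide, act.
# "attacker" lines mark attacker steps recovered later (e.g. from a forensic
# timeline) so the defender's loop can be compared against the attacker's pace.
SAMPLE_LOG = """\
2024-05-01T10:00:00 INC-1 attacker initial-access
2024-05-01T10:05:00 INC-1 observe ids-alert outbound beacon
2024-05-01T10:20:00 INC-1 orient correlated with auth log
2024-05-01T10:25:00 INC-1 decide isolate host
2024-05-01T10:27:00 INC-1 act firewall rule applied
2024-05-01T10:40:00 INC-1 attacker lateral-movement
2024-05-01T11:00:00 INC-2 attacker initial-access
2024-05-01T11:02:00 INC-2 observe av-quarantine event
2024-05-01T11:10:00 INC-2 attacker lateral-movement
2024-05-01T12:30:00 INC-2 orient triage ticket opened
2024-05-01T13:00:00 INC-2 decide reimage host
2024-05-01T14:00:00 INC-2 act host reimaged
"""

STAGES = ("observe", "orient", "decide", "act")


def parse_events(text):
    """Return a list of (timestamp, incident, stage, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, inc, stage, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), inc, stage, detail))
    return events


def loop_metrics(events):
    """Per incident: seconds spent on each OODA transition, whole-loop time,
    and which attacker steps landed after detection but before the response."""
    by_inc = {}
    for ts, inc, stage, detail in events:
        by_inc.setdefault(inc, []).append((ts, stage, detail))
    result = {}
    for inc, evs in by_inc.items():
        evs.sort(key=lambda e: e[0])
        first = {}          # first timestamp seen for each defender stage
        attacker_steps = []
        for ts, stage, detail in evs:
            if stage == "attacker":
                attacker_steps.append((ts, detail))
            else:
                first.setdefault(stage, ts)
        if any(s not in first for s in STAGES):
            result[inc] = {"complete": False}   # loop never closed
            continue
        stage_seconds = {
            f"{a}->{b}": int((first[b] - first[a]).total_seconds())
            for a, b in zip(STAGES, STAGES[1:])
        }
        # Attacker steps that happened while the defender was still mid-loop.
        outpaced = [d for ts, d in attacker_steps
                    if first["observe"] < ts < first["act"]]
        result[inc] = {
            "complete": True,
            "stage_seconds": stage_seconds,
            "loop_seconds": int((first["act"] - first["observe"]).total_seconds()),
            "attacker_outpaced": outpaced,
        }
    return result


def slowest_stage(metrics):
    """The OODA transition consuming the most total time across completed
    incidents: the first place to look when the loop has to be tightened."""
    totals = {}
    for m in metrics.values():
        if not m["complete"]:
            continue
        for k, v in m["stage_seconds"].items():
            totals[k] = totals.get(k, 0) + v
    return max(totals, key=totals.get) if totals else None


if __name__ == "__main__":
    m = loop_metrics(parse_events(SAMPLE_LOG))
    for inc, v in sorted(m.items()):
        print(inc, v)
    print("slowest transition:", slowest_stage(m))
```

On the constructed data INC-1 closes its loop in 22 minutes and the attacker's next step arrives only after containment, while INC-2 takes nearly three hours and the attacker has already moved laterally eight minutes after the first alert; the observe-to-orient gap dominates, which is exactly the correlation work the ORIENT controls above are meant to speed up.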