Know your enemy
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." (Sun Tzu, The Art of War, TUTTLE Publishing, chap. 3, 18).
This powerful maxim, which has not aged a day in 2,000 years and whose applicability, along with that of other maxims from Sun Tzu’s "The Art of War," a Chinese manual of military strategy, has extended to the business world, must be embraced by everyone in everyday life, especially in the battlefield of the internet when it comes to defending against cyber-attacks.
The stage is set: your IT Infrastructure is the target of attackers, and you, in your role as the general responsible for defending the position, must take all necessary measures to withstand the attacks and emerge victorious because in such a battle, there is only one winner, and it’s better if it’s you.
And if you want to win, you must plan ahead before the battle is engaged. "The general who wins a battle makes many calculations in his temple before the battle is fought. The general who loses a battle makes few calculations beforehand. Thus do many calculations lead to victory and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose." (Chap. 1, 26). Pre-planning is indeed essential to develop an effective security strategy.
So, you must be prepared before hostilities begin, and since every war is based on deception, you need to deceive the adversary, denying them what they seek (Chap. 1, 18; Chap. 6, 8).
As the general in charge of defending your computer system, you are the fortress, and if your defense is complete in all respects, your computer system will be strong. Otherwise, it will be weak (Chap. 3, 11).
Your goal, which is the "highest form of command," must be to thwart the adversary’s plans so that you can later attack (Chap. 3, 3). Is the best defense not offense (Chap. 4, 5), to dominate the enemy by imposing your will rather than enduring theirs (Chap. 6, 2)?
As the general responsible for the defense of your computer infrastructure, you have at your disposal a set of tools that, if used properly and implemented before an attack occurs, will allow you to resist effectively and ensure protection against defeat, even if you cannot be certain of victory (Chap. 4, 3). In a battle, one is never 100% certain of emerging victorious, and that is an important reality to acknowledge, but you can increase your chances of success through smart and thorough preparation, including an appropriate incident response plan.
But before anything else, it is essential to know yourself, to understand the strengths and weaknesses of your computer system’s defense. This assessment cannot be done in isolation but by considering how its security can be compromised. For that, you need to know your adversary, their operating methods concerning what you need to protect, and their likely intentions. Knowing your adversary allows you to better target your defenses.
One can outline the stages of a cyberattack as follows, regardless of the attacker’s affiliation and objectives:
1. Information Gathering:
The attacker begins by collecting information about you, your company, your infrastructure, and your systems. This can include online research, monitoring social networks, and other methods.
2. Entry Stage or Vulnerability Research and Identification:
The attacker may then search for known or unknown vulnerabilities in systems, software, or applications. This can be done by analyzing source code, using automated vulnerability scanners, or studying public information about security flaws.
The attacker tries to exploit a vulnerability or weakness in your system to gain initial access. This can be done through techniques such as phishing, social engineering, malicious code injection, or exploitation of software security vulnerabilities. The attacker will also scan your protection system for potential vulnerabilities; this could involve IP addresses, domain names, your employees, etc.
3. Development of Exploitation Code:
After identifying a vulnerability, the attacker creates specific exploitation code to take advantage of it, if they do not already have it; otherwise, they will find it on the Darknet. This code can enable the attacker to execute commands, take control of your system, or access sensitive information, depending on their goals.
Vulnerabilities can take different forms and exploitation methods vary depending on the nature of the vulnerability.
4. System Infiltration:
To exploit a vulnerability, an attacker typically needs to penetrate the target system and inject the exploitation code.
5. Execution of Exploitation Code:
Once the exploitation code is introduced into the system, the attacker triggers it to exploit the vulnerability, which can lead to various consequences, such as system takeover, data exfiltration, or disruption of normal operations.
6. Establishment of a Foothold:
Once the attacker gains initial access, they seek to establish a permanent or persistent foothold on your system. This may include installing malware, creating administrator accounts, or modifying configurations to maintain access.
7. Privilege Escalation:
The attacker may aim to obtain higher access rights to access sensitive information or gain full control of your system, often by exploiting operating system or software vulnerabilities.
8. Stealthy Navigation:
After gaining access, the attacker discreetly explores your system to locate valuable data or resources. This may involve searching for sensitive files, databases, passwords, or other critical information.
9. Data Exfiltration:
The attacker then transfers stolen data from your system to a location controlled by them, often discreetly to avoid detection.
10. Covering Tracks:
To avoid detection, the attacker may attempt to cover their tracks by erasing traces, modifying activity logs, using obfuscation techniques, and more.
11. Eventual Attack:
The ultimate goal may vary depending on the attack, including stealing sensitive data, data destruction, sabotage, extortion, or other malicious objectives.
12. Exit:
After achieving their objectives, the attacker will attempt to exit your system without leaving traces. This may involve uninstalling malware, erasing tracks, or moving to a new target.
In some cases, the attacker may leave mechanisms in place for future access to return later or maintain continuous access.
In other words, the attacker must penetrate your network (phase 1) to insert exploitation code (phase 2), without which they can’t do anything. Once this code is inserted, they must trigger it (phase 3), and depending on their goals, they may encrypt your data (forcing you to pay a ransom if they have inserted ransomware) or steal it by transferring it to their servers if they engage in industrial or state espionage (phase 4).
In the face of this, what do you have?
Knowing the adversary’s tactics, as a good general and defender of your computer infrastructure, you will certainly have taken appropriate measures to protect yourself at all points against any enemy attempt, and you conduct your routine inspections.
To protect against any intrusion, which is phase 1 of the adversary’s tactics, you will have applied the rules of good internet usage to yourself and your staff. Education and knowledge of the adversary’s tricks are indispensable in your defense system. Since education alone is not sufficient, especially as the human factor is the weakest link in any defense system because, as everyone knows, to err is human, you will have placed a Next-Generation Firewall in the front line of defense, one that extends its protection well inside the defensive lines and allows you to visualize the progress of the attack so that you can intervene and take appropriate measures at any time, in real time.
In the second line of defense, as a good cunning tactician should, you will have certainly deployed a honeypot to deceive your adversary so that anything that could have penetrated the first line gets lost in a maze of fake accesses to your system.
With the first two lines of defense in place, you turn your attention to the third line of defense that you have installed, and you will verify whether the rules you have set up in your Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are well-suited to prevent your adversary from proceeding further and successfully executing the second phase of their attack.
This is about preventing them from introducing exploitation code into your infrastructure, and to ensure success in this task, you will have certainly enhanced the efficiency of your IDS and IPS by adding a deep packet inspection (DPI) system (a packet is a portion of data conveyed by the Internet). This system will penetrate the camouflage techniques that your enemy may have used to evade your vigilance. Your enemy cannot succeed in carrying out phase 2 of their attack in any way.
But, as experience has taught with incidents like SolarWinds, Microsoft Exchange, MeetMindful, Facebook, Volkswagen, Audi, Colonial Pipeline, Kaseya, and many others (the list of ransomware victims is endless), one is never sure of anything. You leave nothing to chance, ensuring that your adversary cannot execute any malicious code they may have managed to introduce into your infrastructure. They absolutely cannot win the third round of the battle, and you are fully aware of that. This is also why you have integrated a defense-in-depth strategy composed of anti-malware, antivirus, and endpoint security solutions, and why you have verified that your detection and prevention systems are sufficiently well armed to prevent and block any execution of malicious code in your infrastructure.
Since you have also taken regular backups of your data and developed a disaster recovery strategy, even if the attacker manages to encrypt your data, you can easily access your backups and restore affected systems. You have not forgotten to check that your backups are functional and that you can restore all your data at any time.
Finally, you have wisely ensured that your databases and file servers are highly secure and that you have strong authentication mechanisms and access controls.
Unfortunately, with the endless imagination they possess, attackers, who are also aware of the principles of The Art of War, could, despite all precautions taken, win the third phase, leaving you defenseless against their intentions. In that case, you will have to resort to improvisation to minimize the extent of the damage they could cause, if not prevent it in some way.
But, as you have already planned for everything, your network’s MICRO-SEGMENTATION system, created in a ZERO TRUST mode and complemented by a VPN server, will significantly limit the negative impact of the adversary’s attack, especially if each segment is protected by your Next-Generation Firewall equipped with IDS, IPS, and DPI. You have also cleverly implemented security group management policies so that only those who need access to a resource have access to it to prevent unauthorized connections and keep intruders away. And as you have also planned to prevent any unauthorized data exfiltration, even if you are not the victor, you will not have lost the battle, winning the fourth and final round.
With all these precautions in place, implemented, and regularly updated, you can confidently await the inevitable battle, being certain of your ability to withstand it and being guaranteed against defeat, even if you cannot be sure of victory (Chap. 4, 3).
And if, as a knowledgeable general concerned about the security of your infrastructure, you are not completely sure of the effectiveness of your protection system, you can always inquire, research and compare existing solutions on the market.
PT SYDECO can certainly help you, by providing you with a global and complete solution for the defense in depth of your infrastructure thanks to the ARCHANGEL Integrated Protection System which includes 3 New Generation Firewalls equipped with the most advanced detection and prevention instruments, regularly and automatically updated, assisted by intelligent agents capable of thwarting attackers’ hijacking and camouflage maneuvers, also preventing any unauthorized exfiltration of data from your computer system. The ARCHANGEL©2.0 New Generation firewall is flexible and adapts to all situations. It can protect both the entire infrastructure and each of its sectors, even in a unidirectional mode essential to protect the most sensitive areas.
Since the inspection of your defense system has enabled you to check your own state of education and preparation in how to use the Internet, as well as that of your agents, and to verify the implementation and updating of the various lines of defense that must successfully counter any malicious intrusion and any execution of malicious programs within your infrastructure, you can consider yourself the best general of your generation.
You have indeed understood that IT security is an ever-changing field, with attackers constantly developing new tactics, that it is important to keep your defenses up to date, and that you must have an incident response plan in place in case of a security breach. You have made your own the essential components of computer security: Education, Planning, Defense in depth, and Responsiveness.
In summary, your defense against cyberattacks relies on a comprehensive strategy based on knowing the adversary, implementing security controls, monitoring and analyzing activity, responding to incidents, and improving without interruption. Your ability to successfully defend yourself depends on your willingness to continually adapt and respond to new threats and tactics while ensuring your fundamental security principles and controls are strong and effective. With this defense strategy, you can win the battle for your system security and emerge victorious.