I started this mission back in 2015, and now 4 years into it I am now more convinced than ever the mission is worth while and will continue to protect the enterprise far into the future.
The most important and fundamental principle of the mission is securing your enterprise by reducing the attack surface. This one principle will dramatically reduce the risk of being a victim of the next ransomware attack, or some data exfiltration.
What is the Attack Surface? Well this attack surface is at the L4 on the 7 ISO network layer, yeah you got it, the network layer where TCP and UDP protocols reside. The two protocols that allow connectivity for all of the internet. For example if you send a TCP SYN packet to a web server on port 443 the server will reply as part of the TCP RFC with a SYN/ACK and then the sender will finish the 3 way handshake with a final ACK. Once the basic handshake has taken place then data can be sent and receive, and more importantly an attacker can compromise the web server with a known or zero day vulnerability.
The mission is to make sure this web server does not reply and does not communication unless you are already authenticated. This method can be achieved using BlackCloud SDP technology, see my earlier post on this topic.
So you might now be thinking this is what VPN does, you authenticate then you get network access, but we are still missing two major parts of being truly dark, when a user authenticates with VPN they also get network access, the full IP protocol including the dangerous ICMP that can be used for reconnaissance in the attack phase. This allows the attacker to probe there way around your network and data center, or even worse allow some ransomware to find its next target when propagating laterally.
The last part is direct IP communication, so you can simply connect to the server by IP address, this allows an attacker to port scan various subnets to obtain a full list of services that are open on the server. This can be mitigated by only allowing connections when a valid DNS request and port number has been made and you have been grant the privilege.
You can’t attack what you can’t see, this is the fundamental principles behind BlackCloud SDP. Enterprises should be measuring the attack surface from the user perspective and making sure to reduce it to near zero. The client will still need to connect to a trust broker that has already established cryptography trust, so this becomes the only attack surface.
If you scan your entire enterprise network you will find that some port numbers like 445, 3389, 137, 135, 138 having the largest attack surface, you can thank Microsoft for this, a standard windows client and servers will have these listening ports open by default.
One simple way to get started on this journey to zero attack surface is to close the local windows firewall for all incoming services and make sure only trusted incoming connections from the connector is allowed.
In the wake of ransomeware like wannacry and not Petya we must not allow peer to peer communication between clients, the risk is far too high for the gains, it is very rare the client requires inbound connectivity, 99% is outbound.
What about servers, how do we reduce the attack surface I the data center, well first you ensure only brokers can connect into the data center from the user perspective. Then you need to work out how to reduce the peer to peer within the Data Center, that’s where SDN comes into play like Cisco ACI and VMWare NSX. It is more difficult to place trust brokers between servers, so for now SDN is your best method of reducing this attack surface.
How do you measure the progress of your mission? Start with simple port scan of the entire access and data center network segments. This measure should become a key KPI for your CISO, simply just count the number of replies for each host on each port with a port scan, and make sure that every week this number goes down, the lower the number the lower the attack surface thereby reducing the risk of compromise of your company.
It is not something you can just complete within a few months, is will take a lot of hard work and many years, and most importantly you will need to be a evangelist and get people onboard to move in this strategical direction.
Once all you application access is via a secure overlay SDP overlay and the attacks surface is zero then you can spend your time on other important initiatives like application vulnerability testing and remediation, and not worry about the network layer attacks or the next worm or heartbleed vulnerability.