The defence-in-depth approach to cyber security places multiple layers of defence across an organisation's network and endpoints so that an attack can be stopped more effectively - if not at its initial stage, then at one of the later stages. Cyber attacks are usually carried out in multiple stages: the attacker gains initial access to the enterprise environment, escalates privileges, moves laterally across the network, establishes command and control, and finally reaches the company's crown jewels to encrypt or exfiltrate data. A threat that is not stopped at the network perimeter or during the initial stages of an attack can therefore still be blocked at a later stage if effective controls are in place. If one security control or tool cannot detect and block the attack, other controls placed at deeper layers will catch it.
With computing environments becoming more complex and widely distributed, and data sharing increasingly taking place over the cloud, advanced threats entering enterprise networks have become inevitable. Organisations can protect against these threats by taking a proactive approach to security and adopting a strategy that covers detection at every stage of the attack lifecycle, thus minimising the attacker's chances of success.
In this post, we illustrate how a multi-layered defence strategy works with the help of an example: a cybercriminal attempts an attack against an organisation, starting by sending a malicious email to an employee to gain initial access.
The attack starts with a malicious email sent to an employee of the targeted organisation. The first layer of defence in this case will be a secure email gateway which, if it detects a malicious email, will block it before it reaches the user's inbox.
If the email does make it into the inbox, a cyber-aware employee who is vigilant and can spot inconsistencies in the email will either delete the email without opening it or report it to the IT security team, thus averting the attack.
If the user does not recognise the phishing attempt, opens the email and clicks on the malicious attachment (or link), triggering the malware, then the payload is delivered. This is where the endpoint protection tool or antivirus kicks in. If it is a known malware strain whose IOCs have been fed into the endpoint protection tool, the tool will immediately block the malware and avert a bigger attack.
However, if it is a newer or more advanced threat designed to bypass such detection, the attacker will be able to establish a connection from the user's system and attempt to set up command and control. A well-configured firewall will detect and block this unusual outbound connection at this point, and the attack will be stopped.
If, on the other hand, the attacker succeeds at establishing a reverse shell, then a behavioural analytics-based Endpoint Detection and Response (EDR) tool will detect the anomalous behaviour and alert the Security Operations Center (SOC) team. The SOC will then take action to investigate and neutralise the threat.
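To make the layered model above concrete, here is a small added example (not code from the original post or from LinearStack) that models the four layers described: an email gateway, IOC-based endpoint protection, firewall egress filtering and a behavioural EDR rule. Every layer inspects one event from the attack chain and the chain stops at the first layer that fires. All hashes, attachment names, ports and process names are constructed for the example; the policy values (blocked attachment types, allowed egress ports, the "office application spawns a shell" rule) are illustrative assumptions, not any vendor's actual rule set.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# --- Constructed reference data (illustrative, not real IOCs or policies) -----
KNOWN_BAD_HASHES = {"deadbeef" * 8: "constructed-loader-sample"}  # endpoint IOC feed
BLOCKED_ATTACHMENT_EXTENSIONS = {".exe", ".js", ".vbs", ".scr"}   # email gateway policy
ALLOWED_EGRESS_PORTS = {80, 443}                                   # firewall egress policy
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}          # EDR behavioural rule
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Event:
    stage: str   # "email" | "execution" | "egress" | "process"
    data: dict


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    layer: str
    reason: str


def email_gateway(ev: Event) -> Optional[Verdict]:
    """Layer 1: block mail carrying an attachment type the policy forbids."""
    if ev.stage != "email":
        return None
    name = ev.data["attachment"].lower()
    for ext in BLOCKED_ATTACHMENT_EXTENSIONS:
        if name.endswith(ext):
            return Verdict(True, "email_gateway", f"attachment type {ext} not allowed")
    return None


def endpoint_protection(ev: Event) -> Optional[Verdict]:
    """Layer 2: IOC match on the hash of the payload being executed."""
    if ev.stage != "execution":
        return None
    digest = ev.data["sha256"]
    if digest in KNOWN_BAD_HASHES:
        return Verdict(True, "endpoint_protection", f"IOC match: {KNOWN_BAD_HASHES[digest]}")
    return None


def firewall(ev: Event) -> Optional[Verdict]:
    """Layer 3: egress filtering; only web ports may leave the network."""
    if ev.stage != "egress":
        return None
    port = ev.data["dst_port"]
    if port not in ALLOWED_EGRESS_PORTS:
        return Verdict(True, "firewall", f"outbound connection to port {port} denied")
    return None


def edr(ev: Event) -> Optional[Verdict]:
    """Layer 4: behavioural rule - an office app spawning a shell is anomalous."""
    if ev.stage != "process":
        return None
    parent, child = ev.data["parent"].lower(), ev.data["child"].lower()
    if parent in OFFICE_APPS and child in SHELLS:
        return Verdict(True, "edr", f"{parent} spawned {child}")
    return None


LAYERS = [email_gateway, endpoint_protection, firewall, edr]


def run_chain(events: Iterable[Event]) -> Verdict:
    """Feed the attack's events through every layer in order; the first block wins."""
    for ev in events:
        for layer in LAYERS:
            verdict = layer(ev)
            if verdict is not None and verdict.blocked:
                return verdict
    return Verdict(False, "none", "no layer fired; attack reached its objective")


def scenario(attachment: str, sha256: str, dst_port: int, child: str) -> list:
    """Build the four-stage chain from the post with the given constructed values."""
    return [
        Event("email", {"attachment": attachment}),
        Event("execution", {"sha256": sha256}),
        Event("egress", {"dst_port": dst_port}),
        Event("process", {"parent": "winword.exe", "child": child}),
    ]


KNOWN = "deadbeef" * 8
NOVEL = "0" * 64   # constructed hash that is not in the IOC feed yet

# Four constructed attack chains, each stopped by a different layer.
SCENARIOS = {
    "crude":   scenario("invoice.exe",  KNOWN, 4444, "cmd.exe"),
    "known":   scenario("invoice.docm", KNOWN, 4444, "cmd.exe"),
    "novel":   scenario("invoice.docm", NOVEL, 4444, "cmd.exe"),
    "evasive": scenario("invoice.docm", NOVEL, 443,  "powershell.exe"),
}

if __name__ == "__main__":
    for name, events in SCENARIOS.items():
        v = run_chain(events)
        print(f"{name:8s} -> stopped by {v.layer}: {v.reason}")
```

Running the script shows the point of the post in miniature: the "known" sample never gets past the IOC feed, the "novel" sample slips past endpoint protection but is caught when it tries an unusual outbound port, and the "evasive" sample, which blends its command-and-control traffic into HTTPS, is only caught by the behavioural EDR rule. Removing any one layer leaves at least one of these chains undetected, which is exactly why the layers are stacked rather than relied on individually.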
This may not be the exact sequence seen in every attack, but it illustrates how multiple controls at different points in your environment can detect and stop different kinds of cyber threats. The threat landscape is complex and attackers can be persistent, but organisations can still stay one step ahead by being proactive, pre-empting attack steps, and using multi-layered defence to make the attacker's job either impossible or so difficult that the effort isn't worth it.
Cyber security experts at LinearStack help organisations across industry verticals design, build and manage multi-layered security architecture for protection against all kinds of cyber attacks. We provide a range of cyber security services to businesses in New Zealand and Australia, and can help you build or redesign your security infrastructure based on a zero trust, defence-in-depth approach.
Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free consultation.
Read more about our Technology Architecture and Implementation service.