Thursday, October 23, 2014

The Defense Chain


If you're reading my blog, you're probably already familiar with the Kill Chain (KC).  Briefly, it's a generalized model of the stages an adversary has to go through to carry out a targeted attack.  It's been around for several years now, and just seems to become more popular over time.  It's a great model that captures a complex subject and presents it in a simple way.  I'm a big fan.

I've been thinking recently about the process that we as defenders have to go through to protect our networks against attacks (targeted or otherwise).  Many papers and articles have been written on the subject, and most of us probably know the highlights: we make policies, we enforce the policies using both technical and non-technical means, we monitor our networks and we respond to incidents.  The process is actually quite complex, though, and I began to think of how I would create a model to show it visually.

After a bit of pondering, it struck me that I was essentially trying to create the defender's counterpart to the Kill Chain.  That is, we already know the stages an attacker has to go through to carry out an attack; now we need a model that shows the stages a defender must go through to protect against these attacks.  One of the reasons the KC is so popular is that's it's very straightforward.  I mean, literally, it's a line.  So I thought, what would it look like if I applied it to defense?

The Defense Chain

The result is what I (rather clumsily) termed, "the Defense Chain" (DC).

The Defense Chain
Like the Kill Chain, the Defense Chain has seven phases (pure coincidence, but I admire the symmetry).  I should probably mention that the DC is not just for detection and response.  It includes all of your management and protective controls as well.  Of course, detection and response each get their own separate phases, which I think underscores their importance.  You can't get to the end of the chain if you're missing a link!

Let's examine the phases in more detail.


Before you can begin to protect your network, you first must figure out some key things, like what exactly you wish to protect, and what you're trying to protect it from.  In the Plan phase, you do things like identifying your assets and creating your security and incident response policies to help protect them.  This is also where you begin to decide what types of protective controls you will need (firewalls, endpoint protection, network proxies, etc), how you will deploy them, how you will monitor the entire system (because prevention always fails), and who's going to do all this work.

If you've ever been involved in the creation of a security program before, you'll know there are a lot of things to plan here.  So many things, in fact, that I'm not even going to try to list them all.  Just know that the planning phase is probably the most important piece of the Defense Chain, because everything else depends on it. 


Compared to planning, building is often fairly straightforward.  During this phase, you assemble teams, learn skills and create or acquire the technical tools necessary to carry out your plans.  

Did you catch what I just did there?  It's vitally important that you build teams and skills *before* you try to build the technical parts of the solutions. Not everyone needs to be an expert, though you certainly need a few of those to guide you, but everyone involved needs to have enough of a background to know what they're doing and why they're doing it.  

It's also worth pointing out that the "Build" phase isn't something you just do one time and then forget about it.  Rather, you should be constantly growing your teams' skills and experience.  You also need to have someone looking over your controls to be sure they are operating efficiently, and to update and improve them as needed.


The monitor phase is where you actually operate the technical solutions and perform periodic reviews and drills to exercise your policies and plans.  This could include just making sure the endpoint security solution you chose is working well, ensuring that packet loss on the NSM/ESM systems is within acceptable levels, or running table top incident response exercises to make sure everyone knows what to do.  

This phase is probably where you spend the majority of your time.


I probably don't need to explain this phase much to my readers.  The detect phase is where you check the output of your NSM/ESM systems, validate the alerts or do some proactive hunting through the data to find evil.  This could also include fielding user queries about "weird" things on their computers or suspicious emails they received. 


This is another phase I probably don't have to explain much here.  Once you have found evil, you need to exercise those incident response plans you developed in the Plan phase.  Investigate, contain and remediate!  Kick out the bad guys and bring the affected assets back into normal operation.


The Report phase is all about gathering information about your successes and failures, analyzing it to make recommendations for improvement, and communicating this to the right people.  Typically, reporting is a followup to an incident response, but you would also do this for other reasons (e.g., to review a red team engagement or an auditors' findings).  

Not everything is a formal report, either.  Sometimes your "report" might be a presentation, a post to an internal blog, or even an email.  The key is that you communicate findings and recommendation to the right people in whatever way makes it easiest for them to digest the information.


Security programs are not static!  You need to constant improve you skills, your tools and your procedures to keep ahead of the bad guys.  That's what this phase is all about.  After the successes, failures and recommendations have been documented and reported, you need to make sure you act on them. So many organizations skip this step, and although it might make less work in the short term, it makes more work in the long term as they play keep-up with threats that have advanced beyond the organization's ability to protect themselves.


There you have it.  In 10 minutes or less, my thoughts on a model of how an organization successfully defends itself against attacks.  I don't claim that the Defense Chain model really contains anything new.  Rather, I hope to just provide a simple visual guide to all the things you need to do, in rough order, and layed out in a way that makes it easy to visualize how all the phases flow and work together.  

I know my readers deal with these sorts of things every day.  Please, leave a comment below to let me know what you think.  I'm eager to hear comments, questions and criticisms!