ATP Attacks and Single Point of Failure

We are all following the development of the “SolarWinds incident” but one comment comes to my mind (see also this Advisory from NSA).

There is a very difficult trade-off between management of IT in general but also of IT security, and security itself. To manage IT, from network to servers to services, and IT security it is definitively more effective to be able to do it from a central point, adopting a single strategy to manage and control everything in the same way and at the same time (the “holistic” approach). This means to have a single/central console/point to manage and control all of our IT systems and services, a single point in which to authenticate all users (eg. Federated Single Sign-On) etc. This approach is becoming more and more a requirement as we are moving  towards a service-based IT where services can be anywhere in Internet, access requires a Zero Trust approach, and security is applied at a very granular level to all systems and services.

Doing this we can vastly improve the security of each single system or service, and gives the possibility to monitor each single access or transaction. But in doing so we concentrate in single points activities crucial in particular for security: What can happen to systems and services if the central management console is taken over? What can happen to systems and services if the central authentication service is infiltrated?   

Thoughts on Blue/Red/Purple Teams and defending from Targeted Attacks

Defending against Targeted Attacks (and even more against Advanced Persistent Threats, APT) is difficult and usually quite expensive. 

We all know the basis of IT security, from cybersecurity awareness and training to anti-malware, firewall and network segmentation, hardening and patching, monitoring and vulnerability assessments / penetration tests (VA/PT),  third-party cybersecurity contract clauses, etc.

But this is not enough. We need also Single-Sign-On (SSO, or even Federated Authentication) and Multi-Factor-Authentication (MFA), Zero Trust architectures, tracing of all local, remote and mobile activities (networks and hosts), SIEM data collection/management and SOC analysis, a cybersecurity Incident Team and an Incident Response plan.

But to defend against Targeted Attacks we need to go another step further. We have designed and implemented all security measures we could think of, but are they enough? Did we forget something? For sure we are ready against an everyday malware attack, but a Targeted Attack which could take months to study us and be implemented?

To answer this question it seems that the only possibility is to think and act as the attacker and look at our IT environment from this point of view. It is here that Blue, Red and Purple teams enter into play as they play the roles of attackers and defenders on our IT environment to test our cybersecurity standing to its limits. They will find holes and access paths we did not think about or even believe possible, but also smarter ways to defend ourselves.

But … what about a Risk Based approach to Security?

In other words, how much is it going to cost us?

Can we afford it?

Finally, is it worth going “all out” or, by accepting some risks, we can continue to do what we have been doing all along in cyber/IT-security? And in this case, how do we evaluate these “Risks” we need to accept?

PS. The last is partly a rhetorical question on my side.