The field of information security is rapidly shifting and evolving with the trends of adversary behavior and the tools available to them. Over the last few months, multiple supply chain attacks on NPM packages have rocked the industry and reiterated just how complex our internal attack surface is. These supply chain attacks impact even trusted third parties such as CrowdStrike and remind us that no matter how close an eye you keep on the intelligence landscape, emergent threats still come out of “left field” before you even know to look there.
These recent trends around NPM compromise and even subsequent agentic agent-based reconnaissance are concerning, ominous, humbling, and perfectly-suited to remind us of some of the most basic building blocks of a strong security program. If you don’t have a complete handle on every possible attack vector into your organization you are almost certainly…a human being in the cybersecurity space. Welcome. Pull up a chair, and let’s talk about it.
Home Soil: Defending Your Kings & Queens
The modern enterprise consists of thousands of external software dependencies, cloud services, and most importantly people. Unless you have the smallest and simplest of environments it is all but guaranteed there are attack vectors present in your environment known only to threat actors. This is a reality that mature security programs both understand and account for. Known threat avenues are great items to focus defensive measures on, but true program maturity is grounded in deep-seated understanding of the wider playing field.
Cybersecurity is a vast game of chess. This may seem oversimplistic or daunting if you’re not a chess fan but bear with me—this works in your favor, especially if you’re in the defense game. A chessboard represents numerous attack possibilities, far too many to memorize or plan for entirely. You can research specific types of moves from prominent and highly advanced chess players and learn to identify them in play but more often than not every opponent you face will be different and holds no requirement to only play using techniques you’ve heard about.
Flipping this on its head, there are finite moves in chess and all players can only move specific pieces in ways permitted by the rules. This will always hold true (unless you’re playing against a five-year-old, topic for another time). This knowledge of the rules your opponent must abide by, combined with your knowledge of your high-value pieces on the board, gives you a viable defense strategy against even the most novel attack techniques. An opponent’s bishops will always move diagonally, and they will always be after your king, either directly or indirectly by providing support to the other pieces. Your opponent is not able to pick up their queen and throw it as hard as they can to create an airborne projectile to knock out your king and other pieces. This collection of information about your adversary’s limitations and your asset value is the foundation of a robust defense strategy that does not dissolve with inevitable changes in opponent strategy.
Law of the Land: The OSI Model & Least Privilege
Just as many new chess players attempt to memorize all the different attacks their opponents can use, many immature security programs fall into this same trap, spending large amounts of time on IP addresses and hash values (the “sediment” at the bottom of the “Pyramid of Pain”). While it’s worthwhile being able to identify a well-known attack attribute, it’s generally low-value compared to higher-level strategy and your valuable time and resources should be allocated accordingly.
Just as certain chess pieces can only move across squares in certain ways, there are specific “rules” that an adversary must abide by when conducting an attack. Knowing this and using it to your defensive advantage is a key attribute of “Defense-in-Depth”. There are many sets of rules when it comes to cyber intrusions depending on the targeted environment type but one of the most foundational in today’s networked world is the OSI Model (Open Systems Interconnection Model).
The OSI Model is a modular framework by which all modern networks operate. Because most attacks are conducted remotely over a network, this dictates the rules of engagement for everyone on the board, especially the adversary. This is also one of the best ways to enforce the concept of “Least Privilege” in a networked environment. This is akin to you setting rules on your own chessboard. Allowing an adversary to move any direction they please without restriction creates a welcoming environment for initial access and lateral movement, perfect for staging a check mate against your “king”; be it a domain controller, sensitive file share, etc.
Excluding insider threats, all adversaries begin outside your network. Imagine drawing a red line at the halfway point of the chessboard that opponent pieces cannot cross. This strong ingress policy limits an adversary’s ability to directly mount an attack from outside your network. Unlike a chessboard however, your “pieces” need contact with the outside world unless you’re functioning in an air-gapped setup. This takes the form of email, external software, web browsing, etc. This creates other avenues for an adversary to sneak in, such as malware attached to phishing emails, SEO-poisoned watering hole sites, or supply chain attacks on software vendors. This abuses external resources trusted internal users access and lets them do the heavy lifting of carrying the threat inside instead of an adversary having to mount a full frontal assault on locked down network infrastructure from the outside.
End users are human, and despite rigorous training, they still occasionally fall for psychological manipulation as emotion is a powerful weapon to cloud a victim’s judgement when they consider whether or not to open an email attachment “from the CEO” for an “URGENT FAVOR”. Assuming they do, the adversary has crossed that red line and is now on your side of the board with your precious royalty.
The question now is if they have a clear shot to your king or if there are additional red lines separating internal areas of your side of the board from each other. This is the secondary network implementation of least privilege (internal). If your defense program is well-developed, you’ve planned for this already. There are likely several additional internal red lines (network segments) the adversary has to cross to reach the king and only the bare minimum level of access is allowed across them. This internal segmentation is critical to limiting internal access when an adversary gains access to your internal network and forces their traffic to route (or attempt to) between segments which ensures the traffic can be seen, logged, and alerted on.
Assuming an adversary has compromised an end user workstation (we’ll call this a pawn), the strategic value of that compromised asset to the adversary can be immensely limited by network-based least privilege access controls. If there are entire subnets of hosts that the compromised endpoint has no business usage contacting, they shouldn’t be able to. A great example of this is file backups for an organization. The average employee’s machine may use software to back up files to an on-prem web service but should have no need for network access to the related server’s RDP or SMB login. Only IT staff should be able to access and modify those resources via restricted network access. With network access control enforced, the “pawn” workstation controlled by the adversary cannot contact anything on the subnet for the backup server outside the permitted web service, let alone any ports or contained services above that in the networking stack. This denies access even before authentication/authorization come into play. This means that even if the adversary had credentials to an account with sufficient permissions they would be blocked from using them at the network level.
Authentication-Based Least Privilege: Who Goes There? And Who Doesn’t?
Authentication is another important area for least privilege access control. This security control sits at Layer 7 of the OSI Model (application layer). While authentication is a powerful control in a networked enterprise, it should be secondary to the controls farther down the OSI model, such as physical, data link, network, and transport. Access controls should be applied as far down on the OSI model as possible because blocking access at Layer 3 (network) prevents access and exploitation at every level above that all the way up to Layer 7 (application). While blocking entire network access to an internal web server (Layer 3) may not be viable, slightly more granular access control can be applied at the transport layer (Layer 4) by restricting access to 80/TCP and 443/TCP. This ensures users can access the services on the host they need to use, but don’t get access to remote access ports such as SSH on 22/TCP. Note that many of these services like SSH have their own authentication as well, but access control at Layers 3 and 4 provides overriding risk reduction as application layer vulnerabilities can allow authentication to be bypassed.
A good way to think about these concepts of layering and segmentation is by using a security checkpoint in a building as an analogy. Checkpoints are usually right at the door on the first floor. After being authenticated by ID badge, if someone is not authorized entry, they don’t get past the front door, let alone any of the floors above that where they could have more resources at their disposal to stay hidden and gain further access. Additionally, even people allowed inside are restricted from bringing certain items with them to further reduce risk. Even after you get screened by security and leave your prohibited items at the door, the rest of the building’s interior is segmented, requiring you to scan your badge to get out of the elevator on a certain floor or even to individual rooms on that floor. This exemplifies how multiple security controls layer on top of each other to limit access to only what is needed while allowing permitted access to occur without restriction.
Once at the application layer, authentication allows for more granular control to systems and services and can be applied on a per-account basis, especially where users are roaming networks and working remotely. This suite of access control mechanisms is as diverse as the application layer itself, but let’s start at the foundation: passwords.
Passwords are one of the oldest authentication mechanisms. Strong, complex passwords that are changed often, and not shared or kept on insecure mediums, are the foundation of account security. While password keychains and rotation policies generally keep these safe, they can still be lost or stolen in data breaches or infostealer infections. Multifactor authentication adds another layer of security by requiring a push notification or PIN match from a trusted device an adversary does not have physical access to. While extremely robust, this can also be bypassed with complex phishing kits, called Adversary-in-the-Middle (AiTM) attacks. Finally there are newer options, such as physical authenticator devices, biometric scanners, and passkeys that allow users to easily authenticate but enforce domain-binding and secrets that users cannot be tricked into sharing.
Using the latest authentication mechanism available for your environment, and device-binding session protection in addition to IP/geographical allowlisting, ensures accounts stay secure and out of the hands of adversaries. Beyond this, restricting the permissions for accounts that control which services and applications the account is authorized to access reduces attack avenues that stem from unneeded access levels, especially for low-level user accounts.
Knight to 3389/TCP: Check Mate, Adversary
Back to the chessboard, we’ve now covered the theory behind both network and authentication-based least privilege and how limiting both external ingress and internal movement limits an adversary’s ability to get onto your side of the board and move freely once there. Prevention and risk reduction aside, another topic mentioned above was the concept of visibility. This relates to network segmentation, especially as crossing segments require traffic cross networking hardware that both sees and logs the traffic. This enables event logging to a SIEM (Security Information and Event Management) system, where alerting can happen.
Strong logging policies and detection use cases in the SIEM are a requirement for any security program and ensures known threat activity, like internal scanning and unauthorized authentication activity, gets escalated so it can be addressed swiftly. This is great, but depending on your environment hygiene, might lead to alert volume inconsistent with swift countermeasures. Busy networks with thousands of users can lead to a plethora of login and network activity every day, and this can be difficult to tune out as many legitimate programs perform network discovery scanning out of the box and users authenticate to numerous internal resources to perform their jobs.
Log visibility and alerting is the groundwork to identifying adversary activity, even in busy networks, but it can feel like an uphill battle sometimes, with users travelling and using personal devices with VPNs. Even with more advanced risk-based alerting mechanisms (RBA), busy environments with noisy baselines can be difficult to monitor for true adversary activity. Thousands of chess pieces on thousands of different squares, all moving constantly around the clock.
Thankfully, there is one major advantage on your side in this fight: it’s your board, and you make the rules. Anyone who has seen Home Alone knows this concept. Home-turf advantage means you know your environment better than the adversary, and there is no rule against playing dirty. Deception tech is one of the most under-leveraged tools in the game of cyber defense, but many commercial products are starting to include it such as Zscaler and Microsoft Defender. Even without paid commercial products, one of the best ways to distinguish business from adversary activity is to remove the business portion. Creating an RDP service on the network via a virtual machine with nothing on it but a SIEM forwarder is an easy way to set a trap for an intruder. Creating an additional decoy account and leaving the credentials to it in the documents folder of key systems ensures that adversaries or insider threats seeking to move laterally find and use the credentials, which then triggers a critical security alert.
This idea of setting traps on the board is one of the easiest ways to create 100% fidelity security alerts and can function much like a canary in a coal mine, notifying you of danger before anything else and even taking action such as network-containing related hosts and accounts to stop the adversary in their tracks.
Defending in Depth: Mastering the Board
If you take anything away from this article, let it be this: take a step back and watch the board. Named threat groups come and go, and tactics shift. However, prioritizing a holistic, multilayer defense strategy ensures you spend your time playing true defense and not building dirt mounds in front of your opponent’s pawn on D4 because that is who is targeting your industry vertical right now. Watch your front perimeter, but don’t neglect the interior, assume the adversary is already one step ahead of you and be one step ahead of that. Keep an eye on new and emerging threats but don’t forget the simple, low-hanging fruit. Even with a well-documented list of preferred techniques, no adversary will turn down an easy win and will happily take advantage of internet-exposed RDP with default credentials if given the opportunity.
Thoughtful cyberdefense is as theoretical as it is technical and the first step to getting there is remembering what it is you’re ultimately defending. Starting from the “crown jewels”—file servers and domain controllers—and the common entry points like email, endpoints, and perimeter enables you to connect the dots of where an adversary is likely to enter and subsequently be headed from a strategic perspective. Tracing these attack vectors ahead of time lends to intentional security design and gives you the opportunity to construct as many layered defenses as humanly possible on that route. So lock that front door, ice those stairs, and heat that doorknob on the outside, but don’t forget the matchbox cars, marbles, and Christmas ornaments on the inside in case the adversary hasn’t had enough by that point and is “thirsty for more”.
Sources
https://www.attackiq.com/glossary/pyramid-of-pain-2
https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi
https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/seo-poisoning
https://www.zscaler.com/products-and-solutions/deception-technology
https://learn.microsoft.com/en-us/defender-xdr/deception-overview
Ben started his career as an analyst before moving into the Cyber Intelligence and Research realm where he has performed hands-on simulations and research for cutting-edge threats to bolster coverage and uncover emerging patterns in the cyber threat landscape. Since 2022 he has been working in threat research to better understand the most urgent threats facing organizations and ways to identify and counter them. Most passionate about “playing in the dirt” and obtaining organic data from adversary tools and infrastructure, his organic research engagements have helped surface previously unknown threats and methods of detecting them in the enterprise.
Share