
The Limitations of a Protection-Only Approach to Cybersecurity

Introduction: The Castle Mentality Persists in Modern Cybersecurity

From the 9th through the 15th centuries CE, castles dominated as the primary style of fortification in Europe. However, with the advent of gunpowder in the 16th century, castles became vulnerable. Walls alone couldn't withstand heavy projectiles launched at high speeds. The same holds true for modern cybersecurity. While larger organizations may possess advanced detection and response capabilities, many small to mid-sized businesses still rely on creating strong barriers. Firewalls, antivirus, authentication, and patching are the equivalent of the castles of yesteryear. Each protective control does create an additional obstacle that an attacker must evade if their attack is to be successful, and many attackers, when faced with multiple such obstacles, will elect to find an easier target. As a result, protective controls are often the focus for security teams, serving as the only line of defense. But simply relying on protection is not sufficient.


The Need for an Effective Security Strategy

In the world of cyber threats, relying solely on protective controls is a recipe for failure and compromise. Before exploring a more effective security strategy, it's essential to understand why protection alone is inadequate.


Vulnerabilities in Protective Controls

Protective controls, like any technology, are complex programs created by distributed teams. They consist of thousands or even millions of lines of code, making them susceptible to bugs and vulnerabilities that attackers can exploit. Techniques such as control panel or CPL side-loading, DLL side-loading, code injection, and userland API hooking, for example, are often used to evade Endpoint Detection and Response (EDR) solutions. This type of vulnerability is particularly dangerous because protective controls tend to be static and uniform within a given computing environment.


Protective controls are static because they run a specific version of code that doesn't change unless an update occurs. They are also uniform because organizations commonly use the same technology throughout their environment. As a result, once an attacker bypasses a specific instance of a control, they can likely bypass all instances of that control due to its uniform and static nature.


Misconfigurations of Protective Controls

Misconfigurations represent another reason why protective controls fail. Weak passwords for authentication, overly permissive firewall rules, improper access controls, excessive permissions, and incorrect control placement are examples of misconfigurations that compromise security.


For instance, network traffic filtering is often focused on inbound or ingress traffic, leaving internal network traffic unfiltered. This oversight allows attackers who compromise a single internal system to move laterally within the organization without encountering filtering measures. It also enables them to establish outbound connections to command-and-control systems. Allowing weak passwords is another example of a misconfiguration that leaves organizations open to password guessing and password cracking attacks.


Identity Compromise

Cybersecurity involves not only blocking unauthorized access but also enabling authorized access. To fulfill mission or business requirements, legitimate users must be able to bypass protective controls. If an attacker gains access to valid authentication credentials, they can appear legitimate and bypass protective security controls. As long as the attacker uses valid credentials, expected tools, typical protocols, and behaves similarly to authorized users, they can go undetected.


The Problem of Resistance

Attackers face a challenging task when attempting to compromise our networks. Successful breaches often involve many failed attack attempts before a successful approach is discovered, and each of those failed attempts generates resistance for the attacker. When an attack is successfully blocked by protective controls, however, there are typically no consequences for the attacker. This lack of consequences means the attacker can try again and again. Worse, the resistance encountered during failed attempts provides the attacker with valuable intelligence. Each failure allows the attacker to refine their approach and enhances their knowledge of what doesn't work.


It's crucial to differentiate between target-of-opportunity attacks and targeted attacks. Target-of-opportunity attacks involve automated approaches that expose attack methodologies to multiple targets, making them easily thwarted by protective controls. However, falling victim to such an attack can still occur due to the presence of a single vulnerability at the wrong time. Targeted attacks, on the other hand, involve attackers who specifically select a target and adapt their strategy to bypass the protective controls they encounter, using the resistance met during their earlier attempts to make themselves more effective. Both targeted and target-of-opportunity attacks represent real threats. Falling victim to a target-of-opportunity attack can boil down to the presence of a single zero-day vulnerability while, when it comes to targeted attacks, our protective controls actually make determined attackers better.


The Need for a Comprehensive Approach

Protective controls like firewalls and endpoint security solutions are essential components of any organization's security strategy. They raise the bar for attackers and may be sufficient for stopping less skilled attackers or target-of-opportunity attacks. However, when facing more sophisticated adversaries or encountering vulnerabilities at the wrong time, protective controls alone are insufficient. In fact, they may inadvertently provide the intelligence attackers need to succeed. Therefore, protective controls must be combined with detective controls and an incident response program to form a comprehensive security strategy.
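The identity-compromise and resistance points above, as an added example that is not from the original post: a small detective layer in Python over constructed authentication events. The credential check (the protective control) allows every login made with valid credentials, while the detective logic flags repeated blocked attempts from one source, a success that follows them, and a valid login from a host or at an hour outside the user's baseline. The log format, user name, host names and baseline values are all constructed.

```python
# Added example (not from the original post): a small detective layer over
# constructed authentication events. The protective control only decides
# allow/block per attempt; this layer correlates what that decision ignores.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp user source_host result tool
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice ws-alice-01 success outlook
2024-03-04T09:15:40 alice ws-alice-01 success teams
2024-03-04T22:41:02 alice vm-lab-17 failure rdp
2024-03-04T22:41:09 alice vm-lab-17 failure rdp
2024-03-04T22:41:15 alice vm-lab-17 failure rdp
2024-03-04T22:42:30 alice vm-lab-17 success rdp
"""

# Assumed per-user baseline: hosts the user normally logs in from and
# the hours during which that is expected (hypothetical values).
BASELINE = {"alice": {"hosts": {"ws-alice-01"}, "hours": range(7, 19)}}

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, host, result, tool = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result, "tool": tool})
    return events

def detect(events, baseline, fail_threshold=3):
    """Return (alert_type, user, host) tuples a credential check alone never raises."""
    alerts = []
    failures = defaultdict(int)  # (user, host) -> consecutive blocked attempts
    for e in events:
        key = (e["user"], e["host"])
        if e["result"] == "failure":
            # Each blocked attempt is resistance; repeated resistance from one
            # source is worth an alert even though every attempt was stopped.
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("repeated_failures", e["user"], e["host"]))
            continue
        # Valid credentials were presented, so the protective control allowed it.
        if failures[key] >= fail_threshold:
            alerts.append(("success_after_failures", e["user"], e["host"]))
        failures[key] = 0
        b = baseline.get(e["user"])
        if b and (e["host"] not in b["hosts"] or e["ts"].hour not in b["hours"]):
            alerts.append(("baseline_deviation", e["user"], e["host"]))
    return alerts
```

The two daytime logins from the known workstation raise nothing, while the valid late-night RDP login from the unfamiliar host produces three alerts despite having passed the credential check.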


Conclusion

In conclusion, a protection-only approach to cybersecurity is inadequate. Vulnerabilities, misconfigurations, identity compromise, and the problem of resistance all undermine the effectiveness of protective controls. A comprehensive security strategy that includes both protective and detective controls, along with an incident response program, is necessary to effectively address modern cyber threats. In the next post, we will explore the challenges associated with detective controls and delve into strategies to enhance cybersecurity.
