From all we’ve learned in the wake of last month’s WannaCry attack, one startling fact truly stands out: too many organizations are still operating unsupported, past end-of-life or unpatchable servers.
These weak links expose countless organizations to cyber threats beyond WannaCry and any further tools leaked by the Shadow Brokers.
In the fight against cyber threats, every weak link in your infrastructure, no matter how small, can become a serious liability if left unaccounted for. Maybe you’re forced to run an outdated OS simply to use some legacy application, or you haven’t had the IT budget to upgrade some old networking equipment and it’s no longer getting updates. Regardless of the reason, to limit exposure and potential damage from the next WannaCry-type event, organizations need to consider building defense in depth into their security programs to reduce the risks posed to, and by, these systems.
Defense in depth is the concept of layering your defenses so that they cover each other when attacked. This allows each line of defense to compensate for the weaknesses of the others while benefiting from their strengths – effectively increasing the average level of protection system-wide.
Building for Cyber Defense in Depth
If a security program is only as good as its weakest link, then that’s the best place to start: assessing the most vulnerable systems and arranging defenses to compensate for their exploitable weaknesses. To do this effectively, a few key questions need to be answered:
- Does the organization currently support any legacy systems?
- Where are these systems located within the network?
- What protective measures are already in place to minimize exposure of these systems? (Both to the world at large and within the organization.)
Defense in Depth vs. WannaCry
For a real-life application of defense in depth, let’s look at how this approach could have minimized the effects of WannaCry on an organization with vulnerable machines.
- Firewall (External) – Firewall rules can be used to restrict access from the internet to internal resources. By only allowing inbound traffic to the minimum number of servers/services, the attack surface of your organization can be minimized.
- Network Segmentation – By dividing network resources into segments (either through the use of additional firewalls or VLANs) and restricting communications between these segments, the spread of worms such as WannaCry within an organization could have been limited or prevented entirely.
- OS Hardening – Even if you can’t have the latest patch, you can disable unneeded services. Doing so reduces the number of potential attack points that exist on your systems and limits an adversary’s options for movement, should a compromise occur.
- Firewall (Host-Based) – Firewalls on endpoints can also minimize the number of services exploitable from within an organization. If you can’t segregate the network using VLANs or internal firewalls, host-based firewalls provide a means to prevent compromised systems from being used to spread laterally.
- Anti-Virus Software – No anti-virus software can catch everything, but including one on each system that can support it serves as an additional hurdle for an adversary to overcome. Even if an attacker successfully exploits a system, anti-virus serves as a last line of defense, able to detect known payloads.
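The OS hardening and host-based firewall items above, worked through for a single Windows host as an added example that is not part of the original post: WannaCry spread over SMBv1 on TCP 445, so the script turns SMBv1 off, restricts inbound SMB to a management subnet, and disables a service a legacy application rarely needs. The 10.0.50.0/24 subnet is an assumed placeholder, and the cmdlets assume Windows 8 / Server 2012 or later (older hosts would use netsh advfirewall instead).

```powershell
# Added example, not from the original post: compensating controls for a
# Windows host that cannot take the MS17-010 patch yet. Run from an
# elevated PowerShell session on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator

# Assumption: the only subnet that legitimately needs SMB access to this host.
$MgmtSubnet = '10.0.50.0/24'   # placeholder; replace with your management network

# 1. OS hardening: stop serving SMBv1 (SMBv2/3 clients are unaffected).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# On Server 2012 R2 and later the SMB1 binaries can be removed entirely
# (reboot required):  Uninstall-WindowsFeature -Name FS-SMB1

# 2. Host-based firewall. Windows evaluates explicit block rules first, then
#    allow rules, then the profile default. Setting the default to Block and
#    retiring the built-in "SMB from anywhere" allow rules leaves the new
#    subnet-scoped allow rule as the only way in on TCP 445.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SMB inbound from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain,Private

# 3. OS hardening: disable a service the legacy application does not use.
#    Remote Registry is a common candidate; confirm against your own app first.
Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
Set-Service  -Name RemoteRegistry -StartupType Disabled

# Verify the end state before moving on to the next host.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'SMB inbound from management subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
```

Test the allow rule from a management host and from an ordinary workstation before rolling it out; a legacy application that still depends on SMB from other segments will surface at that point rather than in production.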
Preparing for the Next Attack
With the promise of future leaks by the Shadow Brokers, it’s only a matter of time until the “next shoe drops.” Keeping your software and servers up-to-date and patched is a security best practice. However, there are times when the resources to buy new software or perform patch integration testing may not be available. In these cases, the use of cyber defense in depth principles can at least decrease the likelihood that these insecure systems are affected.