Jiu-jitsu in the cloud

Jiu-jitsu in the cloud?!

rich gardner / 12.19.17

I think of information security and jiu-jitsu in the same genre, just on different playing fields. When you start on your jiu-jitsu journey, you learn to move differently. Yes, you learn some offense movements but ultimately, the game is defense for the first two to four years. You have to learn what your opponent is going to do and how to defend against their attack.

I equate that perspective to information security also. We learn new techniques that the “bad guys” do all the time and we put in place countermeasures to thwart their offense. Almost all of attacks on information are offensive in nature so the best thing to do is learn a good – if not great – defense.

What I like to call defense (that in-depth work at the workload level) can be easily accomplished with the right mindset. Let’s set the stage: your company has a web-based application that serves your customers for the online ordering of a widget. As a security practitioner, let’s review what an offense move might look like coming from the attacker:

Step 1 – Intelligence gathering. An attacker will start by looking at the domain name system, (or DNS) information, and then reverse the DNS information, IP addresses, and possibly the number of systems that are available to them to scan.

Step 2 – Once they feel that they have enough information to start probing or poking around, they will scan for open ports on the systems that they can see.

Step 3 – Open-port scanning will give a hacker the ability to enter your system and send commands through those ports to see if there are any vulnerabilities.

Step 4 – When (or if) they find a vulnerability, they will work on exploiting that vulnerability. Now here is where it gets interesting.

Step 5 – Once a vulnerability is exploited, they will typically take a couple of different paths: either elevate their privileges and/or transfer a bad program to take control of the system.

Step 6 – Cover their tracks. An attacker would like to go unseen or undetected so they can either revisit the system to take sensitive data OR use it as a launch point for another attack. They do this by deleting logs and disabling security software that they are aware of.

In jiu-jitsu, if you’re just starting out, or your opponent is better than you are, you know if they get your arm around your neck, it’s game over. If an attacker gets to step four  undetected, it’s also game over. They will own your system.

Just like jiu-jitsu, attacks on systems are abundant but it takes a skilled person to pull off a successful attack.. So here are some basic defenses you can use to stop such an attack.

Step 1 – Deploy automated security such as CloudPassage Halo onto all systems. In our example we’re using our own automated security agent. Halo is a lightweight agent (2 megs) and has very little impact on system performance.

Step 2 – Review Halo’s Traffic Discovery module. This will give you the ability to see much more of your attackable landscape.

Step 3 – Review Halo’s Software Vulnerability Assessment (SVA). This will allow you to see what critical CVEs need to be addressed immediately and monitor for new ones as they become available.

Step 4 – Apply a CIS Benchmark policy through Halo’s Configuration Security Management (CSM) module. This will allow you to review if your core operating systems are configured securely and correctly.

Step 5 – Apply a File Integrity Management (FIM) policy that will watch for changes at the OS level. This gives you the ability to respond to any new files or programs installed.

Step 6 – Setup alerts for Security Account Management (SAM). This will give you the ability to see if anyone is trying to elevate pillages or activate a new account.

Step 7 – Tie in the Log-based Intrusion Detection (LIDS) module to your alerting system(s) or Security Operations Center (SOC). With our LIDS module, you will be able to be alerted to any number of things listed in the previous steps every five minutes.

A you can see, and as you likely know, a good defense needs to be one step ahead of the attacker. If an attacker needs to take six steps, you need to take seven.