“Our adversaries our in our networks, exfiltrating our data, and exploiting the Department’s users.”

So reads the humbling introduction to zero trust guidance recently released by the Department of Defense (DoD). It acknowledges in the very first line that cybersecurity has failed on almost every front. Then it makes a complete commitment to zero trust as the solution.

Many were waiting on this guidance and wondering what, exactly, it would entail. It comes following an order from the Biden administration 18 months ago to strengthen America’s cybersecurity in a big way. Many changes and long-overdue improvements have come out of that order. But by far the most significant is a commitment on the part of all federal agencies to adopt a complete zero-trust posture by 2027.

We now have a road map for how the government plans to get there. I will cover that shortly. Before that, let me highlight a few reasons I think the latest guidance (and the strategy that prompted it) are worth paying attention to.

First, that strategy will form the backbone of U.S. cybersecurity, which in turn will play a critical role – or may even be the cornerstone – of continued national security. Cyber attacks will be the most accessible, most common, and most devastating kinds of attacks in the future, so how countries defend themselves against this massive risk really matters. I have been writing about national cyber defenses from a few lenses recently. What makes the US approach unique, from my perspective, is the insistence on not just applying a cyber strategy consistently across all agencies but focusing it so specifically on zero trust. Some will call it practical, even mandatory, to make zero trust the guiding principle of cybersecurity in a decentralized world. Others, however, might view it as putting too many eggs in one basket. Time will tell.

Which brings me to my second observation, which is that the US government is embarking on the biggest experiment in zero trust ever undertaken. Keep in mind that the phrase “zero trust” has barely existed for more than a decade, and few large-scale, trust-free environments are actually up and running. Despite widespread zero trust adoption across the private sector, the government is by far the biggest trailblazer on this front, and the road ahead will be illustrative for all. What will it take to eliminate trust from the whole of the federal government? And once 2027 arrives, how secure will the government really be? This test case could cement zero trust as the centerpiece of cybersecurity moving forward – or it could reveal zero trust to be just the latest flawed fad. I suspect the answer will land somewhere in the middle. But unpredictability is the dominant feature of cybersecurity, so who knows what will happen? It will be important no matter what.

The Next Five Years in Zero Trust

A 2027 deadline to standardize zero trust across all federal agencies creates a lot of work to finish in a short five years. To its credit, the DoD seems to be fully aware of that fact because the roadmap is systematic and comprehensive to an extreme degree. Since there are so many different agencies with so many levels of cyber maturity – along with existing zero trust deployments – the guidance aims (and largely succeeds) at being accessible and universal. Which is a bonus for the private sector because companies can then easily adopt the government’s zero trust strategy as their own.

The roadmap has four distinct goals:

• Zero Trust Cultural Adoption – Everyone in the DoD understands and commits to zero trust principles (trust nothing, verify everything, encrypt automatically, segment risks etc).

• DoD Information Systems Secured & Defended – All new and legacy systems follow the DoD zero trust framework and put prescribed capabilities in place. Further guidance on this is forthcoming.

• Technology Acceleration – The DoD and its vendors get faster at scaling, innovating, or replacing new technologies as new threats and new tools emerge in the coming years.

• Zero Trust Enablement – The zero trust framework has the resources and support it needs to remain a robust and consistent effort.

Each of the goals has multiple objectives considered imperative for achieving the desired outcome. Overall, the DoD identifies 45 capabilities and 152 total activities required for framework compliance. I would encourage anyone to peruse the framework – it’s heavy on jargon but also a valuable visualization of how the disparate components of zero trust fit together to form a cohesive security strategy. It’s not just MFA and encryption (though the framework calls for both of those things). Perhaps more important to realize, it’s not just about security or IT either – it’s a whole new way for information to move.

As such, what the DoD has set out to do (and the timeline they have committed to) is fairly remarkable. Whether it will succeed is debatable. Whether it’s interesting, important, and impactful for everyone in America isn’t. It will be a fascinating five years.

I would like to straighten the defense of the web application by talking about Intrusion Detection and Prevention Systems (IDS and IPS) as the third member of this security trio defense: WAF, RASP, and IDPS. In the previous articles, I talked about security defense technology Runtime Application Self-Protection (RASP) and Web Application Firewall (WAF).

What are IDS and IPS?

Intrusion Detection Systems and Intrusion Prevention Systems are used to detect intrusions and, if the intrusion is detected, to protect from it.

First, I will focus on explaining the differences between the WAF, RASP, and IDPS.

What is the difference between WAF, RASP, and IDPS?

I have already explained in previous articles the difference between WAF and RASP. Still, I will introduce IDPS and show you exactly why a combination of this trio is the best security choice.

Summary: IDPS is used to detect intrusions and protect from them. WAF will detect and block attacks based on rules, patterns, algorithms, etc. RASP detects the application runtime behavior using algorithms.

Why is it best to use both IDS and IPS?

To better understand why it is important to use both systems, we need to know what each of them does and doesn’t do and how combining them gives more effective protection. Each of those systems has its own types, which will be explained below.

Location and Range

These two types of security systems operate in different locations and have different ranges.

Facts:

·   IDS works across the enterprise network in real-time by monitoring and analyzing network traffic.

·   IPS works in the same network location as a firewall by intercepting network traffic.

·   IPS can use IDS to expand the range of monitoring.

By knowing this and using both IDPS, you can cover more range.

Host-based IDS and IPS

There are a few types of IDS and IPS. I will mention them so you can know which one targets what, but there is plenty of online documentation for more information.

Host-based IDS (HIDS) is used for protecting individual devices. It is deployed at the endpoint level. It checks network traffic in and out of a device, and it can examine logs and running processes. HIDS protects only the host machine. It does not scan complete network data. Similar to this type, IPS has its own Host-based IPS (HIPS). HIPS is deployed on clients/servers, and it monitors the device level as well.

Network-based IDS and IPS

Network-based IDS (NIDS) works on monitoring the entire network. It looks out at every network device and analyzes all the traffic to and from those devices. On the other side, IPS has its own type, called Network-based IPS (NIPS), deployed within the network infrastructure. It monitors the complete network and, if needed, tries to protect it.

**NIDS and NIPS are very important to network forensics and incident response because they compare incoming traffic to malicious signatures and differentiate good traffic from suspicious traffic.

Wireless IPS

IPS also has Wireless IPS (WIPS) type that monitors radio waves (wireless LAN) for unauthorized access points, which you can use to automate wireless network scanning. Techtarget site provided ways of using WIPS in enterprise in this article. Check it out!

Protocol-based intrusion detection systems (PIDS) and Application protocol-based intrusion detection systems (APIDS)

Both protocol-based systems are the type of IDS. They both monitor traffic to and from devices. The only difference is that PIDS monitors one server and APIDS group of servers.

Network behavioral analysis (NBA)

Network behavioral analysis (NBA) is the type of IPS that looks for unexpected behavior within patterns of a network itself.

IDS and IPS modes

IDS is generally set to work in inline mode. As for IPS, it is set to work in the network behind the firewall. It can operate in both modes: as an end host or in inline mode.

Most used IDS/IPS tools in 2022

According to softwaretestinghelp.com, the list of most used IDS tools is this:

·   SolarWinds Security Event Manager

·   Bro

·   OSSEC

·   Snort

·   Suricata

·   Security Onion

·   Open WIPS-NG

·   Sagan

·   McAfee Network Security Platform

·   Palo Alto Networks

For more info regarding pricing, pros, cons and features of these tools checkout the softwaretestinghelp site.

Also, spiceworks.com provided the list of the most used IDPS tools:

·   AirMagnet Enterprise

·   Amazon Web Services (AWS) GuardDuty

·   Azure Firewall Premium IDPS

·   Blumira

·   Cisco Secure IPS (NGIPS)

·   Darktrace Enterprise Immune System

·   IBM Intrusion Detection and Prevention System (IDPS) Management

·   Meraki MX Advanced Security Edition

·   NSFocus Next-Generation Intrusion Prevention System

·   Snort

For more info regarding pricing, pros, cons and features of these tools check out the spiceworks site. This research will also help you choose the right IDPS solution based on these tools’ features.

What is Next-Generation Firewall (NGFW) or Unified Threat Management (UTM)?

There is a modern type of technology that combines IDS and IPS with firewalls called Next-Generation Firewall (NGFW) or Unified Threat Management (UTM).

NGFW includes:

·   Standard firewall features (packet filtering, stateful inspection, and VPN awareness)

·   Integrated Intrusion Prevention (IPS)

·   Application awareness of threats

·   Detect and block risky apps

·   Threat intelligence

·   Upgrading security features (such as future information feeds)

·   New techniques that help to address new security threats

Researchers for nomios site have gathered information and made a list of the top 5 vendors for NGFW in 2022. Also, they gave suggestions on what you should look for when choosing the right NGFW tool. Check it out!

Conclusion

You should combine IDS and IPS because of three things: response, protection, and impact. If you decide to use IDS, the testing will stop at the detection phase but using IPS based on settings and policy testing will also include the prevention. Because IPS reacts immediately, it gives a certain layer of protection aside from detecting malicious activity. However, there are false positives possible using IPS that will end up shutting your network.

Organizations often set up Integration Detection Systems to handle the logs and notifications/alerts, routers, firewalls, and servers to fight threats.

A better solution would be using a combination of IDPS and setting it up when planning security. In the future, when the organization grows and needs better protection, it will be possible to use IDS/IPS solutions for additional networks, servers, or devices.

Also, depending on the organization’s security needs and cost restrictions, NGFW can be a good choice too!

Cover photo by krakenimages

#IPS #IDS #IDPS #NGFW

Intro

I want to talk about why you need virtualization/compartmentalization, but through the prism of portable apps. The reason behind this is twofold: I want to outline the potential uses and security benefits that portable apps bring, as well as to talk more about how one would go on about reducing that attack surface, and their respective risk, through compartmentalization and virtualization. These are great methods, and I dare say, it pays at least knowing a bit more about them.

Portable Apps

Portable apps. We all know what these do (probably) but we may not be familiar with the how. This talk is freeform and example-based. Let’s get to it.

For example, you might use compartmentalization with encryption by separating your stuff by its importance, like having an encrypted volume for each of those potential uses, by using different encryption keys for those volumes. You could also use a NAS where each volume is encrypted using a different encryption key. The more secure ones could be accessed on a need-to basis, only decrypting when you need the access to that specific volume, while you would continue using day to day volumes for other data that needn’t be that secure.

This is a very decent way to reduce the attack surface of your data. From the previous articles, you know how important this is, and you also know that the encryption key is not in the memory if the volume doesn’t get mounted. Also, if its not mounted it cant really be attacked. So, by using this type of virtual isolation in conjunction with encryption you’re actually doing quite a bit for your own security/privacy.

You can also make use of the hidden encrypted volumes… one other option for virtual isolation are portable apps, something we’ve all gathered here about. You can download the tools from portableapp.com or pendrives.com doesn’t really matter which one you choose (I’m sure there are others too), what matters is the fact that portable apps are self-contained, don’t require installation, and are not writing themselves inside your system. They are contained within the folder, and you could even copy/paste them to a desired destination and have another instance of the same app, that’s also self-contained, isolated, and more secure. You can even do this for the versions of the said app.

There are many great implications for your privacy/anonymity/security that stems from the portable apps. For example, let’s say you’re using a regular web-browser… all the data related to the browser’s history is contained within your portable app (which is all within its folder) which makes for a great way to quickly even eliminate that if needed, and also, maybe more importantly, not spewing and writing all that forensically important data all over your OS. Simple, and quite secure.

What is nice about this approach is the fact you can gauge it to your liking, having the more ‘paranoid’ setups, and also the more lax ones, all in accordance with your own security needs.

Furthermore, should you just use this portable setup, you can also place that folder with your self-contained app on a more secure device, like for example an encrypted USB drive; and, there you have it, a much more secure setup, that you can also take with you and plug into another device, without having to lose any sleep over it.

Taking all this further, you can even add that hidden partition to your USB drive.

This is even better, as you well know, because the encrypted partition can’t be accessed at all before being decrypted. This little setup including a hidden volume, a self-contained app (stealthy too!) is already ahead of the curve – maybe even when compared to companies, but, the kicker for me here is that you can have 2, 3, or as many as instances of that specific application as you’d like, that are all self-contained, just by doing some copying and pasting. This is vital, because it basically enables you to create different security domains, profiles, aliases, anything you might need really, and it’s all nicely isolated/contained. The options here are many!

For our example with the browser, I’d like to add this also works for profiles so you can set up your browser’s profiles in any way you’d like, and still retain the ability to pop your USB into any machine and basically have your hardened browser available to you. This also works nicely in conjunction with the regular browser – if we’re talking private use – as you can have one that’s for your everyday stuff, and the other that’s ready to go but is living in a hidden place, securely configured, hardened, available for you to do some private browsing, should that matter. This is a great thing, because it might even keep you forensically ‘clean’ should you end up being scrutinized, since you’re not actually doing anything that’s of importance to anyone, right?

Another thing I want to mention that you can do all of this through the cloud-offered services, by storing your ready to go app in a cloud of your choice.This is a great way to have your app available anywhere, on any device, remotely… This would give you an extra layer of physical isolation. Since the app itself would not exist locally in this case, you could, potentially, escape the sphere of influence of your adversary, and that’s nothing to scoff at.

Lastly, you could also try some sandbox solutions, which are generally good from the security perspective, but are not that great for your privacy and anonymity. This is because of the infrastructure you’re using, but you’re not the owner of. However, you would again be able to enjoy both virtual and physical isolation which reduces your potential risk greatly.

As you can see, there are some caveats with all these options, but all of these should provide you with excellent protection against many types of attacks out there. With your going through other systems and isolating yourself in such a way, even if something were to get compromised, it still ends up contained within that instance you’ve set up, be it a VM, a VPC/server, anything. This is also a great way to browse the web.

When it comes to attacks, browser-based ones are definitely relevant, since we’re all using them. So, with that in mind, this whole story above might even seem much more important, I hope!

Conclusion

It would be great if this conclusion could permeate all of my articles so that I needn’t repeat myself, but the main point I want to emphasize here is the fact that when I’m talking about adversaries, geographic sphere of influence, and similar terms that are within the field, I am not trying to write guides for evading 3-letter agencies, nor am I trying to condone anything illegal.

Think of all that as necessary! Yes, necessary, because as we all know, the same tactics are used by real threat actors, but also by activists, whistle-blowers, journalists, etc. I want us to explore those options together, so we can all learn how to protect ourselves better, and smarter, while online. That’s why we all need to be in the know. The bottom-line remains the same, and that is all about the choice, rather, what you choose to do with all that knowledge and technology.

This is key for me and is the main reason behind the topics I’m choosing to write about.

I hope this article spurred some imagination! Till next time!

Stay tuned.

Cover image by hmm 001

#portable #apps