Employing Clandestine Warfare Tactics to secure your IT Systems
Using Cell Structure Security to go beyond Layered Defense.
January 27, 2016 by Pete Kofod
In late 1970, a faction of the Palestine Liberation Organization (PLO) emerged named the Black September Organization (BSO). Over the next several years, the BSO would go on to commit some of the more notorious acts of terrorism in Europe, including their infamous attack during the 1972 Munich Summer Olympics.
While the PLO operated in a traditional hierarchical organizational structure, the BSO was organized into highly compartmented teams of 3-5 members. Communications relied on intermediaries, and operators were never aware of any identities outside their immediate team. This configuration is known as a "cell structure." It is a system that is highly resilient to external compromise and severely limits the ability of an attacker to exploit the organization beyond the compromised cell. Should a cell be compromised, the parent organization immediately isolates and collapses it.
What does clandestine warfare have to do with IT system security? Let's start by considering two of the prevailing IT system security principles.
1. Defense in Depth
Defense in Depth is a fundamental Information Assurance principle in which multiple layers of security are put in place to protect a system. Defense in Depth commands IT professionals to never rely on a single system for security, instead relying on multiple "rings of protection." There should never be a single point of failure that permits complete system compromise.
2. Central Authentication Services
Central Authentication Services is another key concept of Information Assurance. In this practice, each system in a network relies on a single central authentication service such as Active Directory instead of being responsible for its own authentication. The thought is that enterprise authentication is easier to manage from a central database rather than each system managing its own authentication mechanism. Typically, enterprises with thousands of systems are unable to effectively manage user access without a centralized authentication database.
Do you see the paradox? If the systems that occupy the various zones in "Defense in Depth" all rely on the same single "Central Authentication" mechanism, it raises the question of whether those systems can, in fact, be considered independent layers of defense at all. This is not an academic debate. Recognizing the critical and all-encompassing function of Central Authentication Systems, attackers have spent significant resources on compromising them, often successfully.
The industry response has been to continue to harden central authentication systems. While this is certainly a worthwhile activity, little has been done to mitigate the consequences of inevitable compromise. Controls such as Time-based One-Time Passwords (TOTP) offer protection against the compromise of individual user login credentials, but do little to protect the entire system should the central authentication system itself be compromised. Therefore, the principles of clandestine warfare, or what we call Cell Structure Security, should be applied to IT systems.
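The paradox can be made concrete by modelling each defensive layer together with the authentication services it trusts and asking how many layers survive once a given service is owned. The following is an added example written for this article, not code from the original post; the zone and service names ("corp-ad", "dmz-auth", and so on) are constructed for illustration.

```python
"""Trust-dependency model of the Defense in Depth / Central Authentication paradox.

A zone is one ring of defense; it accepts credentials asserted by the services
it trusts. Owning a service therefore means owning every zone that trusts it.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    trusts: frozenset  # authentication services whose assertions this zone accepts


def shared_auth(zones):
    """Services trusted by more than one layer: each is a single point of failure
    that removes every layer trusting it at once (the paradox, detected)."""
    counts = Counter(s for z in zones for s in z.trusts)
    return {s for s, n in counts.items() if n > 1}


def compromised_zones(zones, owned_auth):
    """Zones an attacker reaches once the given authentication services are owned."""
    owned = frozenset(owned_auth)
    return {z.name for z in zones if z.trusts & owned}


def surviving_depth(zones, owned_auth):
    """Layers still standing after the compromise: the effective depth of defense."""
    return len(zones) - len(compromised_zones(zones, owned_auth))


def collapse_cell(zones, owned_auth):
    """Cell-structure response: every zone stops trusting the owned service.
    A zone left with no trusted service is isolated, mirroring 'collapsing' a cell."""
    owned = frozenset(owned_auth)
    return [Zone(z.name, z.trusts - owned) for z in zones]


LAYERS = ("perimeter", "dmz", "internal", "crown-jewels")
# Constructed designs: four rings sharing one directory vs. one service per ring.
CENTRALIZED = [Zone(n, frozenset({"corp-ad"})) for n in LAYERS]
CELLED = [Zone(n, frozenset({f"{n}-auth"})) for n in LAYERS]

if __name__ == "__main__":
    print("shared dependencies:", shared_auth(CENTRALIZED), shared_auth(CELLED))
    print("corp-ad owned, layers left:", surviving_depth(CENTRALIZED, ["corp-ad"]))
    print("dmz-auth owned, layers left:", surviving_depth(CELLED, ["dmz-auth"]))
    after = collapse_cell(CELLED, ["dmz-auth"])
    print("isolated after collapse:", [z.name for z in after if not z.trusts])
```

Running it shows that owning the shared directory leaves zero layers in the centralized design, while owning one cell's service in the celled design leaves three, and collapsing that cell removes the attacker's foothold entirely.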
In a series of articles, I will expand on philosophies, architectures, and systems addressing the containment of damage after compromise. I will focus on enterprise components that are highly sought by attackers, including certificate authorities and authentication systems as well as remote users and administrators.