
Turning an intrusion attempt into a Waterloo disaster

June 1815

The Waterloo campaign

In June 1815, Napoleon faces the 7th European coalition. His 125,000-strong Army of the North faces 120,000 British and 100,000 Prussians, soon to be reinforced by Russians and Austrians. The only way out for the French emperor is to eliminate the British and the Prussians before the allies can join forces.

On June 15th the French army unexpectedly crosses the Belgian border at Charleroi. The next step is to simultaneously cut the allies' communication lines by quickly taking the strategic position of Quatre-Bras, and to defeat the Prussian army at Ligny.

On June 16th the Prussian army is defeated at Ligny. However, the delay in the attack on Quatre-Bras leaves Napoleon without the expected reinforcements, which were needed to put the Prussians out of action for good.

On June 17th French and British soldiers are face to face on the plain of Waterloo. Grouchy's French regiment, sent by Napoleon to search for and destroy the remainder of the Prussian army, is missing.

As the battle enters its critical phase, the Prussians unexpectedly join the fight and settle its outcome.

What went wrong?

Waterloo is known as the defeat that sealed the fate of the French emperor Napoleon I.

Surprisingly, the battle of Waterloo is only the very last stage of a brilliant blitz campaign, each previous stage being a success, more or less according to plan. The "more or less" is what makes the difference.

As Marshal Ney's French regiment hesitated, the capture of Quatre-Bras took too long and no reinforcements could be sent to Napoleon, who was fighting the Prussians at Ligny. Ligny was a victory, but it didn't definitively put the Prussians out of the game.

The battle of Waterloo was well under way, but Grouchy's regiment got lost, and the remaining Prussians eventually joined the British at the worst possible time for Napoleon.

The strategy for the defense

An analogy

The Waterloo disaster is not simply a lost battle. It is the consequence of multiple little snags in a complex plan, leading to the final defeat. An intrusion attempt can be mitigated in the same way.

Indeed, intrusions are not (or no longer) one-shot affairs. A successful attack against an information system involves several stages: gain a foothold, weaponize it, discover and propagate through the network, deal the deathblow.

A consistent defensive strategy should be built accordingly.

Setting up the first line of defense

One day someone will get in, you don't know how and you don't know where.

However, it doesn't mean that IT systems should be wide open. It just means that one needs to know which are the most exposed and the weakest points in the defense, because this is where the intruder will most probably deal the first blow. Think globally: it can be a system, an application, a whole network, a user (or group of users), or a combination of all of these. In any case, a proper, unbiased assessment of your security posture may be decisive in the battle to come.

Monitoring, deception and user education are the key factors for an early warning of an offensive attempt against your infrastructure.

The first strike

Although the initial intrusion is inevitable, it has to be painful: it should require custom attack crafting and testing before a breach in the defense is found.

The more difficult it is for the attacker, the longer it takes, the more mistakes he makes, the more traces he leaves, and the more chances you have to detect it in time. Patching, firewalling, anti-phishing/spam/BEC filtering, intrusion prevention and endpoint protection are part of this process. They are no silver bullet and will be bypassed in some way, but they may (MUST) be a pain for the attacker.

Weaponization

Once the intruder gets a foothold, he needs tools to get further.

First he will try to weaponize legitimate programs on the compromised host, as it is obviously stealthier and easier. Access to and abuse of code interpreters such as PowerShell, Python or PHP, and of Living-off-the-Land binaries (LOLBins), can be restricted and monitored through proper hygiene and hardening.

Second, an external connection will be necessary to download the tools or the payload (usually in staged malware) required to move further. Smartly filtering outgoing connections is another opportunity to identify the intrusion, find and blacklist the C2 (Command and Control) servers, or at least delay the execution of the next step.

Discovery and propagation

Gone is the time when one could reach one's target at the first strike with a single exploit or malware infection. APTs, ransomware or even targeted attacks need to propagate and get deeper into the infrastructure, where the real value (e.g. data) is. The intruder therefore needs to discover its environment and spread as fast and as discreetly as possible.

That's where decoys, segmentation, access control and zero trust come into play at all layers: network, system, application and user. The more boundaries are set and enforced, the more the scope of propagation shrinks and the more alerts it raises. In case of malware infection this limits the impact; in case of an intrusion it requires the attacker to take more steps to reach its target.

The final battle

Now comes the time when the attacker faces his final target. Like Napoleon facing Wellington at Waterloo, he has managed to bypass all security measures and is ready to deal the deathblow. Unless...

Unless each and every step he took lowered his firepower, raised alerts and was so time-consuming that the defense is now ready to wipe him out of the system for good. This is the role of the SOC. Fed with all the data gathered while the intruder was struggling to move toward its target, operators are ready to trigger the proper reaction and win the war.

Winning the fight that counts

Layered defense

Layered defense is not new, and may even seem quite obsolete in the age of digital transformation. It is not. It just evolved from the bastion network to a distributed, meshed architecture. But the concepts remain the same.

A cloud-based firewall remains a first line of defense wherever the second line is, microsegmentation between cloud-hosted virtual machines is still internal segmentation, and artifact scanning in CI/CD pipelines is nothing different from traditional vulnerability scanning. Like it or not, today's security architecture is still layered defense; it just got more complex to manage and to ensure consistent and comprehensive protection across layers spread over multiple platforms.

However, it remains the cornerstone of your defense. Each and every layer has a role to play in slowing down, weakening and monitoring the intrusion process.

Intelligence

Gathering relevant information about the ongoing attack implies that all the components of the different security layers are able to provide consistent information. Wherever this information comes from, it has to be correlated with other sources and put into context for manual analysis or automated reaction. This implicitly means that as little information as possible should be lost during ingestion by the event management system. Lost information is lost context, and may lead to an improper reaction, delayed analysis or disregard of a critical piece of information.

Simultaneous suspicious activity from multiple users or multiple endpoints MAY be a security misconfiguration.
Simultaneous suspicious activity from the same user on multiple endpoints is definitely abuse of a stolen account...
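The two rules above only work if the user and host fields survive ingestion, which is the point made about lost context. The following is an added example, not code from the original post: it applies both rules to a constructed set of normalised logon events, flagging one account seen on several endpoints within a short window as a stolen account and many accounts failing at once as a possible misconfiguration. The event schema (ts, user, host, outcome), the five-minute window and the thresholds are assumptions to be tuned for a given environment.

```python
"""Correlate suspicious logon events across users and endpoints.

Added example, not taken from the original post. It implements the two
rules stated above on a constructed sample of authentication events:
  - the same account active on several endpoints within a short window
    is treated as a stolen account;
  - many distinct accounts and endpoints failing at once is flagged as a
    possible misconfiguration to be checked before anyone gets locked out.
The event fields (ts, user, host, outcome) are an assumed normalised
format, not a specific product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of suspicious logon events, already normalised by the SIEM.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:05", "user": "alice", "host": "WS-012", "outcome": "failure"},
    {"ts": "2024-03-01T08:00:09", "user": "alice", "host": "WS-044", "outcome": "failure"},
    {"ts": "2024-03-01T08:00:14", "user": "alice", "host": "SRV-FILE01", "outcome": "success"},
    {"ts": "2024-03-01T08:00:20", "user": "alice", "host": "SRV-DB02", "outcome": "success"},
    {"ts": "2024-03-01T09:30:00", "user": "bob", "host": "WS-101", "outcome": "failure"},
    {"ts": "2024-03-01T09:30:01", "user": "carol", "host": "WS-102", "outcome": "failure"},
    {"ts": "2024-03-01T09:30:02", "user": "dave", "host": "WS-103", "outcome": "failure"},
    {"ts": "2024-03-01T09:30:03", "user": "erin", "host": "WS-104", "outcome": "failure"},
    {"ts": "2024-03-01T09:30:04", "user": "frank", "host": "WS-105", "outcome": "failure"},
    {"ts": "2024-03-01T12:00:00", "user": "grace", "host": "WS-200", "outcome": "failure"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def _parse(events):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def _window_from(events, i, window):
    """Events from index i onwards whose timestamp lies within `window` of events[i]."""
    start = events[i]["ts"]
    return [e for e in events[i:] if e["ts"] - start <= window]


def correlate(events, window=WINDOW, host_threshold=3, user_threshold=5):
    """Return a list of findings; each finding is a dict with a 'kind' key."""
    events = _parse(events)
    findings = []

    # Rule 1: one account, many endpoints in one window -> stolen account (high).
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, user_events in by_user.items():
        for i in range(len(user_events)):
            hosts = sorted({e["host"] for e in _window_from(user_events, i, window)})
            if len(hosts) >= host_threshold:
                findings.append({"kind": "stolen_account", "user": user,
                                 "hosts": hosts, "severity": "high"})
                break  # one finding per account is enough

    # Rule 2: many accounts and endpoints at once -> possible misconfiguration.
    seen = set()
    for i in range(len(events)):
        window_events = _window_from(events, i, window)
        users = sorted({e["user"] for e in window_events})
        hosts = sorted({e["host"] for e in window_events})
        key = tuple(users)
        if len(users) >= user_threshold and key not in seen:
            seen.add(key)
            findings.append({"kind": "possible_misconfiguration", "users": users,
                             "hosts": hosts, "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

If the ingestion pipeline drops the host field, rule 1 can no longer be evaluated and a stolen account becomes indistinguishable from a burst of noise, which is exactly the "lost information is lost context" failure described above.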

The counterpart is the amount of information to deal with. It is no longer manageable by humans and needs assistance to help make a decision. AI is designed for this purpose. But don't read me wrong, I didn't write that the AI will make the decision. AI will help. With the capability of analyzing huge amounts of data in the very context of your infrastructure, it will provide in seconds, approximately, what would take an analyst days or months. However, the final review and decision remain yours.

Coordinated response

Each layer has its own protection mechanisms, be it traffic filtering, process interruption, user lockout, etc. Once the attack is properly identified and the response qualified, the reaction has to be immediate and coordinated across the infrastructure. IoCs must be distributed to all systems that can consume them, blacklisted IP addresses must be shared across all filtering devices, revoked certificates propagated to all edge solutions...

The SOC must be connected to all the components of the security architecture. Whether through native integration, APIs, third-party connectors or home-made mechanisms, any action must be taken from a single control panel and automatically spread over all the relevant parts of the defense.
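The fan-out step of that single control panel is where a bad indicator does the most damage, so the qualification mentioned above has to happen before anything is pushed. The following is an added example, not the post's or any vendor's tooling: it takes a constructed, deliberately dirty IoC list, normalises and validates each entry, refuses ranges that would cut the organisation off from itself, and renders what survives in the format each enforcement point consumes. The three consumers (a packet filter taking CIDR lines, a DNS resolver taking RPZ-style records, an endpoint agent taking SHA-256 hashes), the never-block list and the minimum prefix length are assumptions.

```python
"""Qualify a set of IoCs once and fan them out to several enforcement points.

Added example, not the original post's tooling. Consumer names, output
formats, the never-block ranges and MIN_PREFIXLEN are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Assumed policy: never push a block that overlaps internal or special ranges,
# and never push anything broader than a /16, however trusted the feed is.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
MIN_PREFIXLEN = 16

# Constructed, deliberately dirty indicator list as a feed might deliver it.
SAMPLE_IOCS = [
    "203.0.113.17",         # single host
    "198.51.100.0/24",      # whole network
    "203.0.113.17",         # duplicate, must be collapsed
    "Malicious.Example.",   # mixed case, trailing dot: must be normalised
    "c2.malicious.example",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of empty input
    "10.0.0.0/8",           # private range: would cut off internal traffic
    "0.0.0.0/0",            # catch-all: would block everything
    "not an indicator",     # garbage from the feed
]

# Which indicator kind each assumed enforcement point understands.
CONSUMERS = {"packet_filter": "ip", "dns_resolver": "domain", "endpoint_agent": "sha256"}

# Per-kind rendering: CIDR lines, RPZ NXDOMAIN records (name CNAME .), bare hashes.
RENDERERS = {
    "ip": lambda values: list(values),
    "domain": lambda values: [line for d in values
                              for line in (f"{d} CNAME .", f"*.{d} CNAME .")],
    "sha256": lambda values: list(values),
}


def normalise(ioc):
    """Return (kind, canonical_value), or (None, stripped_input) when rejected."""
    s = ioc.strip()
    if SHA256_RE.match(s.lower()):
        return "sha256", s.lower()
    try:
        net = ipaddress.ip_network(s, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.prefixlen < MIN_PREFIXLEN:
            return None, s
        if any(r.version == net.version and net.overlaps(r) for r in NEVER_BLOCK):
            return None, s
        return "ip", net.with_prefixlen
    domain = s.lower().rstrip(".")
    if DOMAIN_RE.match(domain):
        return "domain", domain
    return None, s


def distribute(iocs, consumers=CONSUMERS):
    """Qualify every IoC once, then build one payload per consumer.

    Returns (payloads, rejected): payloads maps consumer name to the lines it
    should load; rejected keeps the entries an operator must look at.
    """
    by_kind, rejected = defaultdict(set), []
    for raw in iocs:
        kind, value = normalise(raw)
        if kind is None:
            rejected.append(value)
        else:
            by_kind[kind].add(value)  # set collapses duplicates
    payloads = {name: RENDERERS[kind](sorted(by_kind[kind]))
                for name, kind in consumers.items()}
    return payloads, rejected


if __name__ == "__main__":
    payloads, rejected = distribute(SAMPLE_IOCS)
    for consumer, lines in payloads.items():
        print(consumer, lines)
    print("rejected:", rejected)
```

The rejected list is as important as the payloads: an IoC that fails qualification should land in front of an analyst, not silently vanish and not silently reach the filtering devices.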

Conclusion

Napoleon's last campaign turned into a disaster because of small mistakes, leading to general exhaustion by the time of the final battle. This is what we intend to replicate when we face intrusions.

Some (many) battles are to be lost, but at a cost to the attacker. We need to keep in mind that it is a series of dominoes. Ney's delay in taking Quatre-Bras seems an anecdotal event in a minor battle, but it triggered a whole succession of events (the partial victory at Ligny, Grouchy getting lost and the Prussians' backstab) leading to the conclusion we know. We help attackers make mistakes (and this time Murphy will be on our side), mistakes that we will leverage to eventually safeguard our infrastructure when the moment comes to strike back.

Properly and consistently secure all the layers of defense, deploy efficient communication and analysis, and trigger an immediate global response. This is the plan to win a digital Waterloo.
