Sunday, June 21, 2009

Response to the Möbius Defense

One of you asked me to comment on Pete Herzog's "Möbius Defense". I like Lego blocks, but I don't find the presentation to be especially compelling.

  1. Pete seems to believe that NSA developed "defense in depth" (DiD) as a strategy to defend DoD networks after some sort of catastrophic compromise in the 1970s. DiD as a strategy has existed for thousands of years. DiD was applied to military information well before computers existed, and to the computers of the time before the 1970s as well.

  2. Pete says DiD is

    "all about delaying rather than preventing the advance of an attacker... buying time and causing additional casualties by yielding space... DiD relies on an attacker to lose momentum over time or spread out and thin its massive numbers as it needs to traverse a large area... All the while, various units are positioned to harm the attacker and either cause enough losses in resources to force a retreat or capture individual soldiers as a means of thinning their numbers."

    That's certainly one way to look at DiD, but it isn't the only way. Unfortunately, Pete stands up this straw man only to knock it down later.

  3. Pete next says

    "Multiple lines of defense are situated to prevent various threats from penetrating by defeating one line of defense. 'Successive layers of defense will cause an adversary who penetrates or breaks down one barrier to promptly encounter another Defense-In-Depth barrier, and then another, until the attack ends.'"

    It would be nice to know who he is quoting, but I determined it is some NSA document because I found other people quoting it. I don't necessarily agree with this statement, because plenty of attacks succeed. This means I agree with Pete's criticism here.

  4. So what's the deal with Möbius? Pete says:

    "The modern network looks like a Moebius strip. Interactions with the outside happen at the desktop, the server, the laptop, the disks, the applications, and somewhere out there in the CLOUD. So where is the depth? There is none. A modern network throws all its fight out at once."

    I believe the first section is partly correct. The modern enterprise does have many interactions that occur outside of the attack model (if any) imagined by the defenders. The second section is wrong. Although there may be little to no depth in some sections (say my BlackBerry), there is plenty of depth elsewhere (at the desktop, if properly defended). The third section is partly correct in the sense that any defense that happens generally occurs at Internet speed, at least as far as exploitation goes. Later phases (detection and response) do not happen all at once. That means time is a huge component of enterprise defense; comprehensive defense doesn't happen all at once.

  5. Pete then cites "Guerrilla Warfare and Special Forces Operations" as a new defensive alternative to DiD, but then really doesn't say anything you haven't heard before. He mentions counterintelligence but that isn't new either.

I've talked about DiD in posts like Mesh vs Chain, Lessons from the Military, and Data Leakage Protection Thoughts.

I think it is good for people to consider different approaches to digital security, but I don't find this approach to be all that clever.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.


Pete Herzog said...

Wow, I had no idea the presentation without being presented could be that misunderstood. What I don't understand is why you would criticize something that you missed the point on and say so. You know, you could have written me and asked. It's not like we haven't talked before. I even sent you a way early draft of OSSTMM 3. So I am friendly and approachable. So why didn't you just ask me to explain?

Richard Bejtlich said...

Pete, what needs to be explained? Your slides were clear enough.

LonerVamp said...

1. I'll admit the slides leave a lot to the imagination, so I won't be overly critical. But if you plopped down a moebius strip in front of me and told me you were going to use it as part of a network analogy, my first and only thought will be: de-perimeterization (no end, no beginning..). Not really DiD.

(In fact, I'm surprised to see no mention of any castle, moats, trenches, etc. in a discussion of DiD. Then again, I see the Wikipedia article on the topic goes with DiD being a delaying tactic as well... I guess times have somehow moved on after so many years! I'm not sure I agree...)

2. I wouldn't say that because one attack works (and others), that DiD doesn't work at all. We really do have a problem with known holes and ways around DiD measures that we've used for 10 years now. I'll grant that DiD may have value but we need more, but that's still implementing more DiD in a way... In the visualization of a field of battle with spaced defenses, this setup of a webserver with trusted access into the database could be seen as simply a very thin front-line-to-crown-jewels section.

3. I was actually prompted to read the slides just because I was confused at the mention of defensive guerrilla warfare. I see now that some of the points are quite valid (harming of innocents, quick strikes), but I think much of our continued network security problem is not side and supply line attacks. An attack on our web server is still bashing at the front door. Likewise, and maybe this is my lack of military background, but I have no idea what guerrilla defense should look like. The phrase "guerrilla defense" sounds like firefighting defense (or soccer goal defense?) to me. It's Monday tho, so I could be dense! :)

4. Going to take two statements, almost certainly out of context.

Slide 42: "Assure each system is secured against each other system"

Slide 43: "Not to mention not all parts of a hetero network need to be completely secured because they won't be completely open."

I guess I got lost there. This might be a result of me putting the label "de-perimeterization" on this part of the preso.

5. Props for bringing out that dirty "O" word: Obfuscation. Yes! There is value! =)

BTW, I dig the chalkboard network diagrams! =)

Anonymous said...

Let's not be pedantic on semantics.
Pete's point - as I understand it - is that we should look at the problem from a different point of view.

When I talked about DiD in the past what I really talked about was what Pete calls Moebius-Defense or guerilla tactics. I guess it's the same for most security pros.

But how do executives and "average-joe" admins understand DiD?

Right! "Well, we have firewalls, IDSs, AV scanners, passwords and patch management. That is defense in depth and handled by the IT security department."

This thinking leads to a wrong sense of security, and so admins do not apply all the appropriate controls. So it happens all the time that servers in a DMZ allow connections from all other servers in the DMZ, because we have all those shiny security solutions and layers of defense.

However that was NEVER the way I understood DiD.

People like me, who deny all first and then allow what is necessary and apply all loss controls and processes, are often called paranoid.

However that's the way to go.
It's not us against them. It's me against everyone. This message is very clear and that's the way security works.

In the real world you could say:
Hey, we have a great neighborhood, it's safe to leave the backyard door open.
If someone wants to steal my stuff, he will have to know about my open door, come to my house and risk being spotted by Mrs. Robinson, who looks out of the window all day long. It's risky and it costs time and money. It's inconvenient.

In the world of IT all houses and all doors and windows are permanently under attack.
Those attacks cost almost nothing and are no inconvenience at all to the attacker and the risk is relatively low.