In my journey in cyber security I started with only strong passwords. You know, at 13 years old your first security defense is a mere password, and guess what :D I got hacked. I had a simple architecture: my game database server (Microsoft SQL Server), an IIS-based web application and the game authentication engine. I left the DB's default username `sa`, buuuut I did put a strong password. Life was good until someone ( OR 1=1' ) me :D Lots of mistakes I made; I should have changed the default username at least. But wait, the game engine was on the same host as the DB and both WERE PUBLIC. Why would the DB even be public? And worse, I had no idea what had happened until the hacker messaged me: I GOT YOUR ACCOUNTS TABLE. I understood basic defense isn't enough. I need something that is not only well protected but that can be defended, something that has a Defensible Architecture.
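The login bug behind that story, as an added example that is not from the original post: the authentication query built by string concatenation next to its parameterized form, run against a constructed in-memory sqlite3 table that stands in for the SQL Server accounts table (the account names and passwords are made up, and sqlite3 is used only so the example runs offline).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the game's accounts table. Passwords are
    # stored in clear text only to keep the example short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query is assembled from user input, so the input is parsed as SQL.
    query = (
        "SELECT 1 FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the input as data; an OR 1=1 in the password field is
    # compared as a literal string and never changes the WHERE clause.
    query = "SELECT 1 FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    tautology = "' OR 1=1 --"  # the classic always-true login input
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "tautology_parameterized": login_parameterized(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Only the concatenated version lets a user that does not exist log in; the parameterized version rejects the same input.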
But in this article I want to talk especially about Defensible Network Architecture.
Why network? What about the others? Workstations, servers…
You are right, they are all important, but we should start somewhere, right? (Good answer :D) No, I'm kidding. I will start with the network because it's the most critical asset. You know, information security is all about risk; it is by itself another form of risk management. Security is not for security's sake but for achieving your organization's goals in a secure manner. Now imagine the network is down. Server or endpoint, nothing really matters after that. And guess what, it's not critical only for us, but for the adversaries too. It's the network where they need to pivot and move. And knowing normal may be our strongest ally in finding an indication of compromise. So what is a Defensible Network Architecture? (Which can be easily extended to a Defensible Security Architecture.)
It's something that can be watched.
It can limit the intruder's maneuver.
It is kept with the minimum needed services.
It can be continuously updated and kept current.
Do we have the visibility we think we have? And even before that, do we really know the assets we have? All of them? Do we know the purpose of the business? Know thyself.
Red Perspective: what threats can likely cause an impact.
Blue Perspective: how can we design an architecture that protects against them.
A compromise is just the start of the end. Will the adversary hate his life while pivoting? Unless he just gives up, or in the worst case if he continues, do we have what can help increase the time for protection until the security team completes their Detection & Response?
Will the security team hate their life every time they need to improve the security posture? Or is it not even doable?
Least privilege: only the services we need should be enabled, or at least only those should be public.
…
I will be updating this article continuously.