Castle

Imagine an old fort or castle preparing to be attacked by a horde of enemy soldiers. It has a single, flimsy fence or wall protecting the villagers and the defending soldiers. This single layer, full of holes due to poor maintenance, is all that stands between the defenders and an untimely end. The attackers can surround the position and attack from multiple points, so as the defender you must spread your defences thinly. How would you feel as a defender in this situation? Protected?

Armies have been developing strategies and procedures for centuries to ensure they have their bases covered (no pun intended) and to make it as hard as possible for the enemy to win. They also need to educate new generations and ensure people can remember what to do, and the important principles, when tired, cold, and wet.

To aid with remembering the Principles of Defence there is a mnemonic, DAMSOD, which stands for:

  • Defence in Depth
  • All-round Defence
  • Mutual Support
  • Striking Forces
  • Offensive Spirit
  • Deception

Using the same example of the fort or castle, I will explain each principle and show how it relates to information security:

Defence in Depth

Remember our poorly designed fort or castle, with a single, damaged wall around the outside and no other defences. This would be described as a single line of defence: once it is penetrated, an attacker has nothing left to defeat them or slow them down. So we use Defence in Depth, which considers layers of security, like the layers of an onion, protecting what you want to defend (based on your risk appetite). The multiple layers are intended to delay or defeat attacking forces.

Imagine now that same castle, but instead of the single wall there are multiple outer walls and a smaller inner wall defending the keep. Additional layers of defence are added by building a drawbridge and a moat; troops can be stationed on the ramparts to shoot arrows and pour boiling oil onto attacking forces; caltrops can be used to injure approaching soldiers and their horses; and patrols can be sent out to scout for an approaching enemy and provide early warning. The fort or castle now has multiple layers providing defence in depth.

In the information security world, this can include having a DMZ, firewalls, IPS and IDS, a SOC, network segregation, separation of duties, and the principle of least privilege. There is no silver bullet in security, only “lots of lead ones”, but risk can be reduced by building up layers of protection so that there is no straight line through to the organisation’s important resources, and so that early warning can be given of an attacker’s presence. Each layer should be chosen on the assumption that the one in front of it will eventually fail.

All Round Defence

Remember that the attacking horde has surrounded our fort. If we only had a single straight wall between us and them, they could easily come round the side or attack us from behind. All-round defence is concerned with ensuring the organisation is protected from all (relevant) avenues of attack. This means that while you might prioritise controls in a particular area, you cannot just put defences up in front of the attack you expect; you need to consider attacks that come from within, from behind, or from the sides.

Avenues of attack include insiders, malicious third parties, the organisation’s suppliers, and changes in the context within which the organisation operates. Therefore, the organisation needs to implement security awareness training and a robust third-party assurance process, and build internal controls in such a way that security is assured, in line with organisational risk appetite.

Mutual Support

In our fort or castle we may have guard towers. If the bow and arrow fire from those towers overlaps, allowing a tower not under attack to provide fire support to the tower next to it, then you have ‘mutual support’. Additionally, a second fort or castle in the vicinity may be able to provide supporting fire, or a reserve (more on this in the next principle). Mutual Support ensures that security controls interlock and reinforce one another.

This could be a control such as access control, whose activity is logged and collected by a SIEM tool, which alerts when malicious activity is detected; the alert is then investigated by a Security Analyst, allowing remedial action to be taken. This demonstrates multiple interlocking and reinforcing controls: if one is breached, the others will detect it, potentially respond, and certainly raise an alert. The chain is only as strong as its weakest link, so each step needs checking in its own right: access control that is not logged, logs that never reach the SIEM, or alerts that nobody reads all break the support.

Striking Forces

These are people and resources held in reserve until needed. In warfare they are committed when the commander sees a gap forming in their defences, or when they see an area where they can dominate the enemy and penetrate or overwhelm their defences. Striking forces can be provided from internal or external resources. In our fort we can hold back a small reserve to be committed to areas that look as though they will be overwhelmed; additionally, as already mentioned, a nearby fort could send out a portion of its forces to act as much needed striking forces.

Unfortunately, in business, security teams and organisations rarely have the capacity for an uncommitted reserve waiting to respond to security incidents. However, striking forces can be constituted in a number of ways: the internal security and IT teams can stop what they are doing and work together to respond to an incident; an external company or Managed Security Services Provider (MSSP) on retainer can be brought in to help respond; staff can be drafted in to aid in Business Continuity incidents; or forensics teams can be hired to support an investigation or incident. Whichever form it takes, the reserve is only useful if it can be called upon quickly, so retainers, contact details, and escalation paths need to be agreed before the incident, not during it.

Offensive Spirit

What is ‘offensive spirit’? ‘Offensive’ is defined as “the action of attacking an enemy” and ‘spirit’ as “the vital principle or animating force within living things”. Therefore, offensive spirit in a company can be described as the “animating force within a business to defend against and detect an adversary”.

In our fort, offensive spirit is demonstrated through high morale: troops that ‘look the part’ (i.e., are alert, clean, and performing their duties), regular exercises (to test how quickly everyone responds to a perceived threat and to identify any vulnerabilities), and leaders who exhort (and embody) the need to be prepared and provide the necessary resources.

Businesses are most definitely not permitted to launch retaliatory cyber-attacks, and even governments would think twice before doing so, because of the difficulty of attribution and the risk of setting a precedent that others may use against them. An organisation can still foster an ‘offensive spirit’, however. Offensive spirit is created and developed by senior leadership, with support and guidance from the security team.

‘Offensive spirit’ in the business world would look something like: running regular incident response and business continuity exercises to test responses to an attack or outage; having cyber as a board agenda item; and ensuring that business unit leaders and managers support and enforce security procedures consistently throughout their departments.

It is also developed through a strong organisational culture, where people care about the organisation and work to ensure its continued existence. This requires support from the HR department, which is responsible for developing and supporting the organisation’s culture.

Deception

Deception is natural: animals have developed deception mechanisms, whether it is an octopus changing its shape to mimic a rock or a piece of coral, or a butterfly with eye spots to deceive predators (like mice) into thinking that it is an owl so they will leave it alone. Deception is everywhere; Sun Tzu knew this when he said, “all warfare is based on deception”.

In information security, honeypots can convince an attacker that they have penetrated your network while alerting you to their presence and warning you of a likely impending attack on your real systems, giving you time to alert your striking forces. The same idea applies to decoy accounts, documents, and credentials: because no legitimate user has any reason to touch them, any interaction with them is a high-confidence signal, with far fewer false positives than most detection rules. Deception only pays off, though, if the alerts it generates are actually monitored and acted on.
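To make the Mutual Support and Deception principles concrete, here is an added example (not from the original article) of a tiny SIEM-style correlation run over constructed authentication log lines. Access control produces the log records (the denied logins), a detection rule turns repeated denials into an alert an analyst can act on, and decoy accounts that no legitimate user holds turn any attempt to use them into a high-confidence alert. The log format, hostnames, account names, IP addresses and the failure threshold are all assumptions made for this example.

```python
"""Added example: SIEM-style correlation over constructed auth log lines.

Demonstrates two of the principles from the article:
- Mutual Support: access control denies a login, the denial is logged, the
  detection rule turns a run of denials into an alert for the analyst.
- Deception: decoy accounts exist only to be attacked, so any attempt to use
  one is itself the alert, with no legitimate traffic to cause false positives.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

# Assumed log format (constructed for this example, loosely sshd-like):
# <timestamp> <host> sshd: <Accepted|Failed> password for <user> from <ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Decoy accounts: provisioned only to be attacked. Names are assumptions.
DECOY_ACCOUNTS = {"backup-admin", "svc_oracle"}

# Failed logins from one source before we alert. Threshold is an assumption.
FAILED_THRESHOLD = 5

# Constructed sample log. 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z bastion sshd: Accepted password for alice from 10.0.5.20
2024-05-01T09:00:07Z bastion sshd: Failed password for root from 203.0.113.7
2024-05-01T09:00:08Z bastion sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:09Z bastion sshd: Failed password for backup-admin from 203.0.113.7
2024-05-01T09:00:10Z bastion sshd: Failed password for oracle from 203.0.113.7
2024-05-01T09:00:11Z bastion sshd: Failed password for test from 203.0.113.7
2024-05-01T09:00:12Z bastion sshd: Failed password for bob from 203.0.113.7
2024-05-01T09:00:30Z bastion sshd: Accepted password for bob from 203.0.113.7
2024-05-01T09:01:00Z bastion sshd: Failed password for carol from 10.0.5.21
this line is not an auth record
"""


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    source_ip: str
    detail: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(lines):
    """Run the detection rules over log lines and return the alerts in order."""
    failures = Counter()        # failed logins per source IP
    targets = defaultdict(set)  # usernames tried per source IP
    seen_decoy = set()          # (ip, user) pairs already alerted on
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines are skipped, never silently trusted
        ip, user, result = ev["ip"], ev["user"], ev["result"]

        # Deception: a decoy account has no legitimate use, so any attempt
        # (successful or not) is a high-confidence alert, raised once per pair.
        if user in DECOY_ACCOUNTS and (ip, user) not in seen_decoy:
            seen_decoy.add((ip, user))
            alerts.append(Alert("high", "decoy-account-use", ip,
                                f"{result} login attempt for decoy account {user}"))

        if result == "Failed":
            failures[ip] += 1
            targets[ip].add(user)
            if failures[ip] == FAILED_THRESHOLD:  # alert once, at the threshold
                alerts.append(Alert("medium", "brute-force", ip,
                                    f"{FAILED_THRESHOLD} failed logins, accounts "
                                    f"tried: {sorted(targets[ip])}"))
        elif result == "Accepted" and failures[ip] >= FAILED_THRESHOLD:
            # Access control let this one through, but the logging and
            # detection layers still flag it: that is the mutual support.
            alerts.append(Alert("high", "success-after-brute-force", ip,
                                f"successful login as {user} after "
                                f"{failures[ip]} failures"))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.rule} from {a.source_ip}: {a.detail}")
```

Run against the constructed sample, the correlation raises three alerts, all against the same source: the decoy account being tried, the brute-force threshold being reached, and the later successful login as bob. That final alert is the point of the exercise: the access control itself was defeated, but the supporting controls around it still put the event in front of an analyst.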

No matter what your business, these principles can help your security team define your security. However, it will need the buy-in and effort of the organisation’s IT team to implement the controls and build your network with security in mind.

If you’d like to have a discussion, please get in touch: jim@principledefence.com
