Defensible architectures are those that follow a set of specific practices oriented to avoid the shortcomings of classic security architecture. In a classical security architecture, systems are hardened during the design stage and they continue like this thorough the whole life-cycle thus assuming the threat’s modus operandi is constant unlike in a defensible architecture in which the constant threat shifting drives new changes in the architecture, systems and controls.
A system is considered secure when it is cyclically defended with system knowledge, threat analysis and intelligence thorough the life-cycle. These systems are well suited for threat driven defense practices when the knowledge of designers, developers, admins and defenders drives the control posture of that system.
Organizations that align with a threat-oriented defense are usually found in the profile spectrum of NIST Tier 3 and Tier 4. These organizations have systems that are resilient to attacks and cyber architectures that are resilient to changes in attackers modus operandi thus improving the overall organizational resilience against cyber threats. This kind of organizations are concerned with advanced threats such as the APT.
Characteristics of Defensible systems:
There are three distinct characteristics exhibited by defensible systems, visibility, manageability and survivability.
- Visibility: this characteristic is critical for defenders as it provides access to the activity happening in the network, OS and application layer
- Manageability: ensures that the system’s security posture can be sustained over time through administrative activities such as patching, and configuration and security control updates based on new threat intelligence.
- Survivability: allows the system to provide its intended services during attack, compromise, and recovery. It also addresses the ability to withstand lateral movement and support recovery from attack in an assured manner
These three attributes can be aligned to the NIST categories and functions. To achieve these characteristics we have to focus the control efforts in the following functions and categories.
The biggest challenge for an organization to develop and maintaining a defensible architecture is that the engineering, architecture and operational teams must stop working in silos; and all of them become part of the defense team that supports the system thorough the life cycle. Absolutely all of them at different stages during the life-cycle provide input to make the system defensible.
Threats – Assets – Controls Relational model
In a threat driven defence model the relational model between threats – assets and controls change from the traditional model. In a traditional model (compliance driven) the main aim is primarily to support architectures for the protection of critical information. In this model, controls are applied to assets, which it is the final goal of the threat however; in a threat driven model to support a defensible architecture controls are applied to the identified threats, attack vectors and vulnerabilities that provide access to the components that contain the assets because threat actors rarely gain direct access to the targeted assets.
In a compliance driven model, we are assuming conventional threats with limited operational capabilities thus controls are applied to the assets unlike in a threat driven model in which controls as explained before, they are applied to the components that provide access to the assets as the threat is considered not conventional and capable of locating assets within the organizations through lateral movement.
In this model when threat intelligence is used as input, the defence teams (Architecture, Engineering & Operations) can identify weaknesses and assess the control effectiveness against specific threats thus improving the system’s security posture. Furthermore, when threat analysis and modelling are introduced into this model, it can uncover areas of potential exposure and controls weaknesses which supports the selection and implementation of new controls.
The threat driven approach is a set built of a methodology, collection of practices and thinking patterns.
In this methodology the ‘discovery’ sections is aligned with the ‘Concept’, ‘Requirement’ and ‘Design’ of the system and the ‘implement’ section aligned with ‘Build’, Test, and ‘Deploy’.
During the discovery phase, assets, threats and attacks are identified, and in the implementation phase threat analysis is done. The results provide input into the controls selection, configuration or upgrade to counter or mitigate the identified threats and attacks.
The methodology above is Lockheed Martin specific but it can be used with different threat models such as STRIDE, STRIDE-LM (STRIDE Lateral Movement) or even ATT&CK and Cyber Kill Chain.
Defensible architectures allow organizations facing advanced cyber threats to react to threat shifting increasing their cyber resilience. The changes in the threat’s TTPs are translated into new signatures and updates, infrastructure and architectural pattern changes to reduce and improve the threat surface. This is achieved leveraging threat intelligence and threat analysis techniques within the strategic, operational and tactical levels.
Defensible architectures make use of cyber resilience techniques but threat intelligence and analysis are paramount to achieve a defensible architecture.
In summary an organization that is supported by a defensible architecture can survive and continue operating under an advanced cyber-attack. It also provides a framework to make inform decisions and justify the deployment of new security controls and updates to counter the threat.