Friday, October 22, 2021

On Behavioral Perimeters

Classical security designs rely heavily on structural perimeters with DMZs as the most famous example. In structural design it is the infrastructure doing the heavy lifting, providing a barrier between bad stuff on the outside and the good stuff on the inside. But connectivity, mobility, cloud, and other tech has chipped that world away to where structural perimeters are able to mitigate a tiny fraction of the threats in something like MITRE ATT&CK.

Structural perimeters do several things well. Let's take network DMZs as an example. DMZs excel at limiting attack surface, closing ports, for example, but the attack surface is never zero. So what then? 

Behavioral perimeters start with the assumption that some data is getting through. Behavioral perimeters follow and adhere to data flows, adding an important layer of countermeasures that increases hardening, detection, and other security capabilities.

Getting a bit more specific, think about the series of steps in a Kill Chain:

  • Reconnaissance
  • Weaponization 
  • Delivery 
  • Exploitation 
  • Installation 
  • Command and Control
  • Actions on Objective

Comparing structural and behavioral approaches to defending the Kill Chain above, where is the DMZ adding value? From an ingress perspective, a DMZ can limit most attack delivery vectors. From an egress perspective, a DMZ can also address certain Exploitation and C&C vectors. These form a useful piece of the overall security foundation, but most of the threats in a basic MITRE ATT&CK model assume this foundation as table stakes and bypass it, so much more is required.

A perimeter that focuses on the behaviors (both desired and not) of the system is what security designers need in order to go after the next classes of threats. What do phishing, Golden Ticket/SAML, Supply Chain compromise, and SSRF all have in common? They all assume a structural DMZ and then offer ways to bypass it.

While threat models and catalogs like ATT&CK are a good shorthand way to illustrate the limits of DMZ designs, they do not show the range or depth of what is required to build a stronger blue team. What we lack is a defender model. Many years ago, I worked on a predecessor to ATT&CK that focused on Attack Patterns, elegantly named CAPEC (http://capec.mitre.org). The goal of CAPEC was to establish a consistent way to analyze attack vectors, but that was not the end goal. It was supposed to spawn the blue team toward defender models. It has been a long wait, but that is why it is great to see MITRE and NSA come out with D3FEND (https://d3fend.mitre.org), which depicts defense tactics like Hardening, Detection, Isolation, Deception, and Eviction. Notice that all of these defense capabilities are active behaviors; this much more closely matches the way the blue team game is played today - granular security capabilities based on deep understanding of data flows and system usage.

I am heartened to see that D3FEND takes a data-flow-centric view of defense; in Detection alone it enumerates a whole range of sensor locations (Message, File, Identifier, Process, User Behavior, Platform, Network, and so on). This represents a step forward for blue teamers, and I hope it catches on as much as ATT&CK has.

In terms of putting analytical tools like D3FEND to work, there are a couple of things to plan for to make a real system. So in addition to the areas that D3FEND looks at, consider augmenting with the following:

Inventory - To coordinate the wide range of security capabilities across the decentralized and federated systems that so many people defend today, where there is no single point of control, defenders benefit from inventory systems. After all, there is an additional level of complexity when both the assets and the controls sprawl. It is one thing to identify the dozens of places D3FEND lists to monitor; it is very much another to weave them together in a coordinated way.

Response/Recovery - Sounil Yu has made the case that infosec is in the era of response/recovery, and that is another area D3FEND spends a good deal more time on than many predecessors, breaking the "right side" of defense into three focus areas - isolation, deception, and eviction. As this continues to (hopefully) evolve, it will be interesting for blue teamers to coordinate detection services with the response/recovery trifecta.

Assurance - The sheer complexity of the range of controls in the D3FEND map should give at least some pause, but now imagine operating them across a scaled, distributed system. There's no replacement for assurance in this case. The design should include a range of tests that show both expected and unexpected behaviors.
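As an added example (not code from the original post), here is one way to express a behavioral perimeter as a set of expected data flows and wrap it in the kind of assurance test described above: every expected flow must pass, and a constructed set of unexpected flows must all be flagged, each tagged with the Kill Chain stage it most resembles and the D3FEND tactic it would be routed to. The tiers, ports, stage heuristic and stage-to-tactic mapping are all assumptions made for this example.

```python
from dataclasses import dataclass

# Expected data flows for a hypothetical three-tier app (constructed):
# (source tier, destination tier, destination port).
EXPECTED_FLOWS = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("app", "internet", 443),  # outbound API calls the app is meant to make
}

# Flows the threat model says must be caught (constructed negatives).
NEGATIVE_FLOWS = {
    ("internet", "db", 5432),  # direct ingress to the database
    ("db", "internet", 443),   # database calling out
    ("web", "db", 5432),       # web tier skipping the app tier
}

# Which D3FEND tactic to route each Kill Chain stage to (illustrative only).
STAGE_TACTIC = {"Delivery": "Harden", "Command and Control": "Isolate",
                "Actions on Objective": "Detect"}

@dataclass(frozen=True)
class Finding:
    flow: tuple
    stage: str
    tactic: str

def classify(src: str, dst: str) -> str:
    """Heuristic: which Kill Chain stage an unexpected flow most resembles."""
    if src == "internet":
        return "Delivery"             # unexpected ingress
    if dst == "internet":
        return "Command and Control"  # unexpected egress
    return "Actions on Objective"     # unexpected internal movement

def evaluate(observed, expected=EXPECTED_FLOWS):
    """Return a Finding for every observed flow the perimeter does not expect."""
    findings = []
    for src, dst, port in observed:
        if (src, dst, port) not in expected:
            stage = classify(src, dst)
            findings.append(Finding((src, dst, port), stage, STAGE_TACTIC[stage]))
    return findings

def assurance_check(expected=EXPECTED_FLOWS, negatives=NEGATIVE_FLOWS):
    """Assurance test: expected behaviors pass, unexpected ones are all flagged."""
    if evaluate(expected, expected):          # a false positive on a legitimate flow
        return False
    return len(evaluate(negatives, expected)) == len(negatives)
```

Running `assurance_check()` after every policy change is the point: a flow that silently becomes allowed shows up as a failed negative, not as a surprise in production.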

Implicit in all of this are threat models. A behavioral perimeter is essentially the set of countermeasures that emerge from your threat models, so it is important to keep them fresh and consistently upgrade them from many perspectives.

Identity is a New Perimeter - So Where is the IDS?

Access is now defined more by identity policies than by infrastructure topology. This makes identity a perimeter that requires as much security...