Adaptive Zone Defense – Part 1


Limiting and intelligently managing communications between services and systems on an organization's network helps contain an infection or compromise, keeping malware or a persistent threat from running rampant. In addition, business needs, regulations and other compliance requirements shape security architecture and design, and may impose mandated separation or additional boundary controls.

Zone Defense

This blog offers guidance to organizations seeking to develop a modular and scalable network segmentation design. It is part of both the Security Architecture Series and the APT Strategy Series, with the overall goal of improving security around protecting users, applications and access to data to enable a Defensible Security Posture.

Organize for Future Growth

There are dramatic technology changes driving today's network security trends:

Big Picture

  • Mobile networks, VPNs and roaming users
    • Connect-from-anywhere road warriors test boundaries
  • Targeted attacks and APTs
    • Advanced Persistent Threats are next generation attacks
  • Consumerization and BYOD
    • Consumer devices are moving onto the corporate network
  • Web application and web server protection
    • Attacks on web applications to extract data are more prevalent
  • The Elastic Network
    • The perimeter is expanding to include high speed 4G, home offices, roaming users, cloud services, and third parties

Importance of Security Zones

Organizations and their IT environments are constantly changing. For some years, these “hyper-extended” environments have been growing more globalized, virtualized, distributed, and mobile. The resulting significant architectural changes require network security zones to become more modular and dynamic while maintaining a level of organization and proactive management to prevent complexity or fragmentation.

Network security zones that separate systems based on their communication and protection needs minimize security risks while allowing information flows to continue even in the face of failures and security incidents. This blog series helps organizations determine how to group IT resources into security zones bounded by network perimeter controls that enforce mandated separation policies.

Security Zones are put in place to:

Protect Detect Contain

  • Protection:
    • A ‘Managed Boundary’ for all user access to applications and systems
    • Implement granular role-based controls on traffic, users and assets
    • Manage Inter-Zone communications
      • Including between sub-zones
    • Enforce policy and regulations
    • Data confidentiality and integrity rules for data stored within a zone
  • Detection:
    • Monitor Inter-Zone communications
    • Gain visibility of traffic, users and assets
    • Logging and Event Correlation
    • Elevate alerts for events using a SIEM/Analytics
    • Prevent Inter-Zone data leakage using a DLP solution
  • Containment:
    • Control communications and resources on both inbound and outbound requests
    • Set a default deny policy on all inter-segment connections

The key benefits of network segmentation and policy-based Zones are as follows:

  • Ability to Limit Exposure and Impacts
    • Access Control: Firewall, VPN, Proxy
    • Risk-Based Organization and Access
  • Focus on Protecting Critical Assets
    • Impossible to Protect Everything Equally
  • Ability to Detect Suspicious Activity
    • Visibility is Key (Sensors / Network Taps on Zone Gateways)
      • IDS/IPS, Netflow, Packet Capture, Traffic Analysis, Analytics
      • Network Behavior Anomaly Detection (NBAD)
      • Predictive Threat Modeling
    • Group Critical Assets and Users to Log and Monitor
  • Enable Containment of an Infection or Compromise
    • Lock down a Zone or Sub-Zone to prevent further impacts
  • Expedite the Eradication and Recovery
    • Investigate
    • Incident Response
    • Recovery (Backup and DR)

Layered Zone Components

The conceptual Adaptive Zone Defense design proposes 7 foundational layers or zones: the Untrusted Zone for assets not under the organization's control, the Semi-Trusted (DMZ) Zone for assets that are externally shared (either publicly or with 3rd parties), the Trusted Zone for internal systems, the Restricted Zone for high-risk and/or mission-critical systems, a Management Zone for network services and management systems, and an Audit Zone to isolate and protect security logging and monitoring.

There is also the concept of a Sub-Zone that is basically a Zone within a Zone that enables special cases, such as regulatory mandated segmentation.

  • Untrusted Zone
    • External Systems (not owned by organization)
      • Internet, Public data classification
  • Semi-Trusted (DMZ) Zone
    • Externally-Exposed systems
      • Public data classification
    • 3rd Party Exposed systems
      • Business Partner systems
  • Trusted Zone
    • Internally-Exposed systems
      • Internal data classification
      • Confidential data classification
  • Restricted Zone
    • High-Risk Mission Critical systems
      • Restricted data classification
  • Management Zone
    • Network Management systems
      • Virtualization Management
    • Security Management systems
  • Audit Zone
    • Regulatory Compliance
    • Security Logging
    • Security Monitoring (SIEM)
  • Sub-Zones
    • Zones divided into Subzones
      • Span Global Sites
    • Special Cases
      • Regulatory Mandated
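To make the zone layers above concrete, the following added example (not code from the blog) models the default-deny inter-zone policy, the placement of systems by data classification, and a zone lockdown for containment; the zone names follow the post, while the allow-list, ports and sample flows are constructed assumptions.

```python
"""Default-deny inter-zone policy model for the layered zones described above.
Added example (not code from the blog): zone names follow the post; the
allow-list, ports and sample flows are constructed assumptions."""
from collections import namedtuple
from dataclasses import dataclass, field

# Foundational zones named in the post, ordered from least to most trusted.
ZONES = ("untrusted", "dmz", "trusted", "restricted", "management", "audit")
# Data classification -> zone placement, following the layer descriptions.
PLACEMENT = {"public": "dmz", "internal": "trusted",
             "confidential": "trusted", "restricted": "restricted"}
Rule = namedtuple("Rule", "src dst port proto", defaults=("tcp",))


@dataclass
class ZonePolicy:
    rules: set = field(default_factory=set)   # explicit allow-list only
    locked: set = field(default_factory=set)  # zones under containment

    def allow(self, src, dst, port, proto="tcp"):
        """Add an explicit inter-zone allow rule; anything unlisted stays denied."""
        for zone in (src, dst):
            if zone not in ZONES:
                raise ValueError(f"unknown zone: {zone}")
        self.rules.add(Rule(src, dst, port, proto))

    def lockdown(self, zone):
        """Contain a zone: only Management may still reach it."""
        self.locked.add(zone)

    def evaluate(self, src, dst, port, proto="tcp"):
        """Return (verdict, reason) for a connection attempt from src to dst."""
        if src == dst:
            return "allow", "intra-zone (host/segment policy applies)"
        if src == "audit":
            return "deny", "audit zone is a log sink and never initiates"
        if (src in self.locked or dst in self.locked) and src != "management":
            return "deny", "zone locked down for containment"
        if Rule(src, dst, port, proto) in self.rules:
            return "allow", "explicit rule"
        return "deny", "default deny on inter-zone connection"


def place_application(data_class, externally_exposed=False):
    """Zone placement by data classification: a system exposed outside the
    organization may sit in the DMZ only if it holds public data."""
    zone = PLACEMENT[data_class]
    if externally_exposed and zone != "dmz":
        raise ValueError(f"{data_class} data belongs in {zone}; "
                         "publish it through a DMZ front end instead")
    return zone


def baseline_policy():
    """Constructed allow-list (assumption): web tier in the DMZ, app data in
    Trusted, jump hosts in Management, and every zone ships logs to Audit."""
    policy = ZonePolicy()
    policy.allow("untrusted", "dmz", 443)
    policy.allow("dmz", "trusted", 8443)
    for zone in ZONES:
        if zone != "audit":
            policy.allow("management", zone, 22)
            policy.allow(zone, "audit", 514, "udp")
    return policy


def review_flows(policy, flows):
    """Return the denied flows with reasons: the analyst's review list for
    the Monitor step (flows would come from NetFlow or firewall logs)."""
    return [(flow, policy.evaluate(*flow)[1]) for flow in flows
            if policy.evaluate(*flow)[0] == "deny"]


# Constructed sample flows: (src_zone, dst_zone, port, proto)
SAMPLE_FLOWS = [
    ("untrusted", "dmz", 443, "tcp"),
    ("dmz", "restricted", 1433, "tcp"),      # web tier reaching crown jewels
    ("trusted", "audit", 514, "udp"),
    ("audit", "untrusted", 443, "tcp"),      # log sink initiating outbound
    ("management", "restricted", 22, "tcp"),
]
```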

High-Level Zone Design

The following graphic presents a conceptual high-level zone design that provides a foundation for a series of multi-layered zones based upon the device's or system's Application Security Profile criteria. The criteria will be applied to this security model to develop the Application Security Design (Placement, Policy, Controls) based upon the Zone Architecture Rules as well as the Application Architecture Taxonomy (discussed further in the next blog).

Conceptual Zone Design

Zone Deployment and Migration

The critical success factor is in the Zone Deployment and Migration to move servers and systems to this model. This section provides an overview of the considerations and we will go into more detail in a future blog on this topic.

Zones – user experience, perception and buy-in are key.

Zone Deployment

  • Baseline Prototype
    • Start Open/Simple
    • Gain Quick Key Wins
  • Implement / Migrate
    • Analyze Application Use Cases
      • Group by Service / Dependency
    • Migrate to Zone Structure
  • Monitor
    • Review Logs and Connections
    • Establish Progressive Policy Controls
  • Iterative Improvement
    • Validate the Model with Feedback Loop
    • Reverse Engineer Policy/Standards
    • Structure as needed
    • Iteratively Evolve over time

Zone Lifecycle Management – Smart Growth

Like Firewall Rules, Network Security Zones are organic and can easily become complex over time as new services and servers are deployed. It should be noted that the original Zone Architecture and Design was based upon the security model and business requirements at one point in time.

The concept of Adaptive Zone Defense talks to the critical need to continually review the Zone Design and to validate it against the needs of the business, new services, application and system deployments, new relationships, and so on.

Based upon assessments of hundreds of organizations, the typical challenge with legacy DMZ approaches is that they start out well designed and organized. Over time the security model does not quite fit a new business need or deployment, and/or the security model is not well understood, so either exceptions are made or human errors occur. The result is a DMZ implementation that is not only complex and harder to manage and maintain, but also at risk of configuration and implementation mistakes creating backdoors or side doors.

Keeper of the Zones – Security Vision

IT needs to be continually educated about the Zone Design, the business rules and the security model so that they are clearly understood. In addition, the Application Architecture Taxonomy (see below) needs to be integrated early in the cycle of service and server deployment processes and refreshes, so that deployments are included in a risk assessment, are designed appropriately and thus are placed within the Zone Design based upon both their connectivity and security needs, protecting them without breaking the model.

Zones need an owner, the keeper of the Zones, and need to be managed to enable Smart Growth:

Smart Zone Growth

  • Create Zones
    • Based on Risk Assessment and Mitigation
    • Application Profile – Placement
  • Divide Zones
    • Risk Profile Changes
    • Special Cases, Security Exceptions
  • SubZones
    • Zones within a Zone
  • Review Zones
    • 6-Monthly Zone Organization Review
  • Condense Zones
    • Monitor and Consolidate
  • Retire Zones
    • Remove Zones from prior temporary Security Exceptions


Security zone isolation is a lot of work, at least initially, but it offers a tangible Return on Security Investment (RoSI) that helps stop a bad end-user, a weak remote office, a malware infection or a persistent attacker from compromising the whole network.

In Adaptive Zone Defense – Part 2 we develop a key profile that is currently termed an Application Architecture Taxonomy that considers Applications and their relationships as well as Users and their relationships. profile organizations and are currently in operation.

In future parts we will tie this all together in terms of how to profile applications based upon data classification and risk assessment as well as communications needs, to determine the appropriate zone placement, protection controls and access control policy. We will also discuss the deployment and migration considerations, which are extremely critical to success, along with lessons learned.

Thanks for your Interest!

Nige the Security Guy.


APT Detection Framework


The last decade has seen a lot of research on intrusion detection with intelligent data analysis and its implementation in commercial products but there are still some challenges remaining. Effectiveness, accuracy and scalability are key considerations in the technical design, implementation, and operations of an IDS.


This blog presents a proposed APT Detection Framework that can be used both for advanced multistep threat scenario analysis and for detection system design: to identify an organization's gaps based on new threats and/or indicators of compromise and make iterative improvements.

The APT Conundrum

Advanced threats and stealthily targeted attacks against organizations are seeing an increase in complexity and persistence. These more complex attacks are aimed at penetrating networks to obtain critical intellectual property and/or sensitive data to be used for financial or competitive gain. The difference with cyber attacks from a couple of years ago is that attackers take more time and effort to remain undetected.

Common intrusion detection methods lack in their ability to detect such complex attacks. They do not correlate individual suspicious events to detect these advanced attacks. A new approach to detection is therefore needed which takes the multistep characteristic of these advanced persistent threats into account.

Intelligent Data Analysis

In order to begin to understand and to be able to defend against targeted attacks, a detection matrix is needed for visibility and analysis, and to ensure that all threat scenarios are considered with no gaps in defense. The matrix can be used as a tool to relate attack characteristics with analysis methods and business criteria.

Traditional signature based detection algorithms with correlation engines are still needed but the advanced approach of the attackers requires the additional use of intelligent data, i.e., indicators or triggers that can be correlated for example in a Security Information and Event Management (SIEM) system.

[Our next blogs in the APT Strategy Series will discuss both Indicators of Compromise (IOCs) as well as APT Detection Use Cases in more detail to more fully leverage SIEMs in a SIEM Maturity Model.]

The proposed detection matrix is used as a roadmap to design and evolve a holistic security system capable of detection of advanced persistent threats. Use cases developed from threat scenarios are used to evaluate the resulting system design for gaps and weaknesses. These APT threat scenario use cases illustrate that not all activities of attackers will be detected by current technology alone and that human analysis of indicators produced by the system remains necessary. The proposed framework enables the analysis and consideration of key questions, such as:

  • What is the structure of Advanced Persistent Threats?
  • What indicators can be used for detection of APTs?
  • What business requirements, policy, assets influence the detection system design?
  • What design choices lead to a detection system which can detect APTs?
  • To what extent can the system design detect APTs?

APT Detection Framework

The proposed APT Detection Framework maps the high level attack structure of multistep attacks and low level attack methods to the design of detection systems, both automated technology as well as additional tools and techniques. The proposed framework is constructed as a matrix in which the rows are used to represent the different attack steps and the columns represent the different components related to attacks and detection.

The proposed framework is shown below.

Detection Framework Overview


The first column, Attack Steps, contains the different phases of an APT which can be identified. It also shows the overlap amongst the steps, which contain activities that are distinct in nature but are executed at the same time. For example, Command and Control actually covers steps 2 through 7 (see the vertical blue line on the left), and there are others that execute in parallel to other steps rather than strictly sequentially, depending upon the APT signature. The presented framework has eight steps, but this might differ per specific attack signature or due to changes in attacks over time.

Attack Methods lists the various methods which are known to be used within the steps. Attack Features goes into more detail; it is used to identify and describe detectable indicators or triggers. The Detection Locations where these attacks and aspects can be detected and/or contained by a control point are listed in the fourth column.

The next column, Analysis Methods links the previous columns to common detection methods. The column contains a description of analysis methods used by the detection methods in the previous columns.

The last two columns contain categories which are not part of an attack per se but do influence choices on defenses against them. The Business Aspects are influenced by the possible impact of an APT or the occurrence of one of its steps. The cost of an APT occurring should be considered as a guideline, as should whether this is a capability that the organization should build and operate with skilled resources, co-source in a partnership, or outsource as a managed service.

The accuracy of a detection system is the most important aspect from a business perspective. A noisy system with too many false positives has a higher operational cost but a system that misses attacks does not prevent losses. Cost/Benefit analysis shows that systems that use multiple methods are considered better from a cost perspective.

Use of the Detection Framework

The APT Detection Framework can be used in different ways. It can be used for analysis of attack scenarios ranging from detailed to general analysis. The figure below illustrates two oversimplified steps as an example use case attack in the model at a high level.

APT Detection Example


In APT Detection Framework – Part 2 we will provide our readers a more detailed set of examples together with more description on each of the APT Detection Framework matrix cells.

APT Detection System Design

Another way of using the framework is to use it as a roadmap for development of a more comprehensive and evolving detection system. The attack analysis is input for design choices of the system and ultimately the choice of analysis methods. This can be used to identify indicators and/or trigger combinations that are then combined together in a SIEM to correlate and alert on the combination for further investigation into potential suspicious activity.
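The following added example (not code from the blog or the paper it cites) shows the kind of SIEM correlation this describes: indicators from constructed log lines are mapped to attack steps, and an alert is raised only when several distinct steps are seen on the same host inside a time window, so a single indicator on its own stays quiet. The step names, the indicator mapping and the log lines are assumptions.

```python
"""Multi-step indicator correlation of the kind a SIEM rule would perform.
Added example, not code from the blog or the paper it cites. The attack step
names, the indicator-to-step mapping and the log lines are constructed
assumptions; the post's point is that the combination alerts, not any one."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mapping of detectable indicators (Attack Features) to the attack
# step they belong to; a real one would be filled from the framework's cells.
INDICATOR_STEP = {
    "phish_attachment_opened": "initial_compromise",
    "new_autorun_key": "persistence",
    "dns_beacon_periodic": "command_and_control",
    "new_local_admin": "privilege_escalation",
    "smb_admin_share_write": "lateral_movement",
    "large_outbound_transfer": "exfiltration",
}

# Constructed syslog-style lines: "<iso-ts> <sensor> host=<h> indicator=<name>".
# ws-42 shows a lone indicator; ws-17 shows a chain across several steps.
SAMPLE_LOG = """\
2012-07-05T08:02:11 mailgw host=ws-17 indicator=phish_attachment_opened
2012-07-05T08:05:40 edr host=ws-17 indicator=new_autorun_key
2012-07-05T08:06:02 dns host=ws-17 indicator=dns_beacon_periodic
2012-07-05T08:07:00 edr heartbeat-only
2012-07-05T09:30:00 edr host=ws-42 indicator=new_local_admin
2012-07-05T11:15:27 edr host=ws-17 indicator=smb_admin_share_write
2012-07-06T02:41:09 netflow host=ws-17 indicator=large_outbound_transfer
"""


def parse_log(text):
    """Parse lines into (timestamp, host, indicator); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "host" not in fields or "indicator" not in fields:
            continue
        events.append((datetime.fromisoformat(parts[0]),
                       fields["host"], fields["indicator"]))
    return sorted(events)


def correlate(events, window_hours=24, min_steps=3):
    """Alert per host once indicators from at least `min_steps` distinct attack
    steps occur within `window_hours` of each other. Returns {host: steps in
    order of first appearance}; hosts below the threshold are absent."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ts, host, indicator in events:
        step = INDICATOR_STEP.get(indicator)
        if step:                      # unknown indicators are ignored
            by_host[host].append((ts, step))
    alerts = {}
    for host, seq in by_host.items():
        for i, (start, _) in enumerate(seq):
            steps = []
            for ts, step in seq[i:]:
                if ts - start <= window and step not in steps:
                    steps.append(step)
            if len(steps) >= min_steps:
                alerts[host] = steps
                break                 # one alert per host is enough here
    return alerts
```

Tightening the window or raising `min_steps` trades missed chains for fewer false positives, which is the accuracy trade-off discussed below.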

APT Detection System


The first column gives the attack steps and with that the structure of the APT. The second column, attack methods, indicates real methods such as denial of service attacks or malware related to botnets. Components such as attacked ports or control messages are general aspects of these attacks that can be used for detection; these are the features which can be used for detection. The location column forms a link between the attack and the detection methods, since the choice of location limits the attack features available for detection. The detection method column contains detection technology currently in use, such as virus scanners, firewalls, honeypots and traffic capturing equipment.


APTs are a complex attack scenario in which different low-level attack methods are used in a multistep approach to achieve a predetermined goal. They are executed with more stealth than normal attacks. This is often achieved by specifically targeting employees or by using zero day exploits. This stealthy approach makes it harder to detect APTs with standard defenses like firewalls and virus scanners. An approach for detection of APTs should be aimed at detecting different elements of attack scenarios. The framework presented in this blog can help analyze APT threat scenarios with the purpose of creating a means of detection of APTs.


Effectiveness, accuracy and scalability are key considerations in the technical design, implementation and operations of an IDS. The application of this detection matrix provides a good approach for attack analysis and detection design. Intelligent data analysis methods are shown to improve detection as another layer in the APT Defense-in-Depth Toolkit, but they still do not replace other technologies such as signature and anomaly detection.


This APT Detection Framework blog is a part of the APT Strategy Series and complements and builds upon the Defensible Security Posture and Adaptive Zone Defense blogs.

In APT Detection Framework – Part 2 we will build upon this foundational introduction with some practical use cases and examples and begin to tie together with APT Detection Indicators.

For further information, this blog was based upon the research paper “Towards a roadmap for development of intelligent data analysis based cyber attack detection systems” written by J.A. Vries, dated July 5, 2012.

Thanks for your interest!

Nige the Security Guy.

APT Strategy Series


There is a wealth of news and noise with regard to advanced threats, also known as persistent targeted threats and marketed as the Advanced Persistent Threat (APT). The APT Strategy Series of blogs aims to cut through the hype and provide practical steps to our readers to help mitigate the threat.


There is a lot of hype and yet there is no silver bullet. However, there is much an organization can do to extend its defense-in-depth strategy, to improve its detection and containment capability, and to gain key visibility to rapidly respond to a compromise or attempt. There is also a win-win in that many best-practices, controls and detection techniques needed for APT also help address the Insider Threat.

The APT Strategy Series covers the following:

  • APT Architecture & Strategy: Architecture and Design principles that help address APT and Insider Threats
  • APT-Focused Best-Practices: Practical steps to improve security posture and reduce threat/risk
  • APT Detection Framework: A framework to enable organization and analysis of attack and detection methods
  • APT Detection Indicators: Practical steps, methodology and tools to gain key visibility and identify a potential compromise

Strategic Defensible Security Posture

The Advanced Threat Defense series of blogs takes a top-down approach for those organizations who have the opportunity to address their security architecture and design to create a Defensible Security Posture, enabling the ability to seamlessly Detect, Contain, Respond, Eradicate, Recover.

Zone Defense

In this series we have currently published, as follows:

Tactical Best-Practices and Detection Techniques

The APT Defense Puzzle series of blogs takes a bottom-up approach for those organizations that need to take more immediate tactical steps to address their current security posture against APT and the Insider Threat with practical best-practices and detection techniques. The blogs gather together the best of the best-practices from the multitude of sources and discuss their merits based on industry, organization size, threat/risk tolerance and security profile.

APT Practical Defense

In this series we have started the process with, as follows:

Some quite fundamental but practical steps in that regard, which we will discuss, are as follows:

  • Maintaining a list of application systems at risk
  • Creating an APT checklist for assets at risk
  • Focusing on APT detection techniques and analysis tools
  • Focusing on incident response for APTs
  • Creating ready to use APT rapid response tactics
  • Preparing an APT forensic response plan
  • Increasing use of external threat intelligence
  • Focusing on APTs in security awareness training

And … significantly, implementing a policy requiring least privilege and authentication for all intranet services because trust-based access is a weakness that must be eliminated.

The Importance of a Defensible Foundation

Deploying tactical improvements and countermeasures is very important when organizations do not have the luxury of addressing their architecture and design in the near term, but a good solid foundation is critical. A Defensible Security Posture, Strategy and Roadmap should be developed and factored into IT planning as a future goal.


Develop a Secure Architecture Strategy & Roadmap Blueprint

I would like to illustrate my point with an extract from What Continuous Monitoring Really Means by Dr. Ron Ross, which appears in the Summer 2012 issue of FedTech Magazine. At the end of the day it can cost more in terms of operations, resources and operational costs to maintain a complex and fragmented infrastructure with band-aids than to migrate to a new architecture and design that flexibly supports the business. This is even more important in the age of advanced targeted and insider threats.

Security done right is a business enabler that dramatically reduces total cost of ownership (TCO) providing a tangible Return on Security Investment (ROSI).

IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and improves your competitive edge — so the business can refocus quickly as new opportunities emerge.

What Continuous Monitoring Really Means

Continuous monitoring is an important part of an organization’s cyber security efforts. But without establishing an effective security framework first, those efforts may be misspent.

Holistic Logging

Prototype, Iterate and Evolve towards Holistic Monitoring

Organizations that begin work on a continuous monitoring program with a narrow focus on security controls at the information system level without first doing some basic investment in strengthening their underlying IT infrastructure face significant problems.

First, they may end up wasting significant resources monitoring inherently weak information systems — in essence, throwing good money after bad. You can check a broken lock on the front door of your house once a day or every hour, but the lock is still broken. Better to fix the lock first, reinforce the doorjamb, and then with the remaining resources, check the lock on an ongoing basis.

Second, premature allocation of resources toward continuous monitoring of security controls for information systems may preclude organizations from investing the resources needed to build stronger, more penetration-resistant systems. Such investments are critical as organizations address the advanced persistent threat and cyber attacks associated with sophisticated and well-resourced adversaries. This is especially important for information systems that support key infrastructure.

Strengthening the IT infrastructure begins with establishing a sound cyber security and risk management governance process. Next, organizations must manage the complexity of their IT infrastructures by using enterprise architecture to consolidate, standardize and optimize the current inventory of IT assets as well as developing “threat aware” mission and business processes.

Sample Roadmap

Develop a Security Improvement Program to Evolve Capability Maturity

Organizations must also develop and integrate into their enterprise architecture a security architecture that guides the effective allocation of security controls to their information systems. And finally, organizations must initiate continuous monitoring of all of the above activities to ensure ongoing effectiveness of cyber security and risk management governance, mission/business processes, enterprise and security architectures, and security controls deployed within the enterprise.

Continuous monitoring, broadly applied, can provide important benefits to organizations with regard to cyber security and risk management. It can support and enhance a dedicated, mature process for building the necessary trustworthiness into the information systems. [Extract from article by Dr. Ron Ross]

Thanks for your interest!

Nige the Security Guy.