Why is it so easy to break into an organization's network and encrypt all the data you come across? Is this due to laxity, or are the solutions built on an architecture that can no longer withstand attacks?
It is not necessary to start an article like this by listing all the attacks we have seen against various Norwegian organizations. Unfortunately, most people in our industry see devastating attacks coming ever closer.
I noted a statement from Kari-Anna Fiskvik, CTO of the Choice chain: «There is reasonable agreement between Kripos and the National Security Authority that it is almost impossible to protect against this. What is not impossible is planning what to do when it happens.»
The essence of the problem with today's network solutions
Choice's solution for reducing exposure was to introduce Chrome OS as the workstation platform for the enterprise. What they achieved was to break the tight coupling between workstations and server solutions. This makes it harder for an attacker who, via email, gets code running on a workstation to move further into the network through the openings that would have to exist if the workstation were running Windows joined to Active Directory.
Here we are at the heart of the problem with current network solutions: they are built around Active Directory as the directory service and authentication solution for users, workstations, and servers, in a tightly integrated solution where identities can flow freely across the enterprise. This means it does not take a very dangerous loophole before an attacker gets a foot in the door and can start digging further inward.
The vast majority of encryption (ransomware) attacks today use AD identities to move through the network, and the first goal the attacker tries to reach is control of AD and the domain controllers. In this sense, AD is both the tool the attacker uses and the first target the attacker goes after. If you control AD, you can pretend to be any user, or a member of any group, and log on to every system that uses AD to authenticate users.
I find it intimidating to know how many solutions one has to manage just to keep environments reasonably safe. There are proactive systems to prevent attacks, reactive systems to deal with an attack while it is in progress, and systems for analyzing afterwards what happened.
Many of these solutions exist to prevent an attacker who has gained a foothold somewhere in the network, such as on a PC via email or on a vulnerable web server, from using it to take over other parts of the network. Sad to say, these systems are watching what is otherwise completely normal network activity, and they have no easy task raising alarms in the right places. Pretty much any well-executed attack can be camouflaged as completely normal activity.
One shared AD for everything increases vulnerability
Therefore, my claim is that the best thing one can do to increase network resilience is to start the march away from a fully integrated Active Directory and implement solutions that are more local to the individual service: one directory service for workstations, one or more for the server pool, and one for cloud services.
We don't necessarily need one enterprise-wide AD to be able to offer single sign-on; a lot can be done via a cloud identity, such as Azure AD. Or, as the Choice chain did, move all workstations to ChromeOS, perhaps using a different authentication solution than the primary Active Directory.
If you also remove the ability for workstations to access services on the local network directly, and instead expose those services through the same mechanisms used for remote work, you get one common setup for accessing services no matter where the workstation is. As a bonus, you get a fully mobile enterprise.
Take one bite at a time – and start right away
For many, implementing such a partition is seen as an insurmountable task. It is certainly a big task. But it can be done if you take it "a little at a time". The least sensible thing is to do nothing; sooner or later you will be the victim of an attack.
The first task is to draw up a structure consisting of isolated building blocks rather than a tightly interlocking solution. The links between the blocks are identity and access to the service.
In a split solution, identity is still used to grant access across the different solutions. The difference between a cloud identity and an on-premises AD identity is that it is easier to restrict how, and from where, the former may be used. That limits what an infected device can do to the rest of the network.
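To make the argument of the preceding sections concrete, here is a small model of how far an attacker who lands on one workstation can get. It is added here as an illustration and is not code from the article or from Choice. It captures the mechanics described above: identities exposed on hosts (logged-on sessions, cached credentials), identities allowed to administer hosts, and which hosts a machine may connect to. It compares three constructed topologies: one shared AD on a flat network, workstations on their own directory, and workstations that reach servers only through the remote-access path. Host names, account names and the topologies are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Host:
    """A machine in the model (constructed for illustration)."""
    name: str
    sessions: Set[str]                      # identities whose credentials/tokens sit on this host
    admins: Set[str]                        # identities allowed to log on here with admin rights
    reachable: Optional[Set[str]] = None    # hosts this one may connect to; None = any host


def blast_radius(hosts: Dict[str, Host], start: str) -> Tuple[Set[str], Set[str]]:
    """Fixed-point search over the model.

    A host is owned once the attacker holds an identity that is admin on it
    AND some already-owned host is allowed to connect to it. Owning a host
    yields every identity that has a session on it. Returns (owned hosts,
    collected identities)."""
    owned = {start}
    identities = set(hosts[start].sessions)
    changed = True
    while changed:                          # loop until no new host can be taken
        changed = False
        for src in list(owned):
            for dst in hosts.values():
                if dst.name in owned:
                    continue
                net = hosts[src].reachable
                if net is not None and dst.name not in net:
                    continue                # no network path from src to dst
                if identities & dst.admins:
                    owned.add(dst.name)
                    identities |= dst.sessions
                    changed = True
    return owned, identities


def flat_ad() -> Dict[str, Host]:
    """One AD for everything on a flat network: the situation the article criticises.
    A helpdesk account with local admin on all workstations has left a session on
    ws1, and a domain admin has a session on ws3."""
    hs = [
        Host("ws1", {"alice", "helpdesk"}, {"helpdesk", "domain_admin"}),
        Host("ws2", {"bob"}, {"helpdesk", "domain_admin"}),
        Host("ws3", {"domain_admin"}, {"helpdesk", "domain_admin"}),
        Host("fileserver", {"svc_backup"}, {"domain_admin"}),
        Host("appserver", set(), {"domain_admin"}),
        Host("dc1", set(), {"domain_admin"}),
    ]
    return {h.name: h for h in hs}


def split_identity() -> Dict[str, Host]:
    """Workstations get their own directory: no workstation identity is admin on a
    server, and no server admin ever logs on to a workstation."""
    hs = flat_ad()
    hs["ws3"].sessions = {"carol"}                  # domain admin no longer logs on here
    hs["ws1"].sessions = {"alice", "ws_helpdesk"}
    for name in ("ws1", "ws2", "ws3"):
        hs[name].admins = {"ws_helpdesk"}           # workstation-only admin identity
    for name in ("fileserver", "appserver", "dc1"):
        hs[name].admins = {"server_admin"}          # server-only admin identity
    return hs


def split_identity_and_network() -> Dict[str, Host]:
    """Additionally, workstations may only talk to an access proxy, the same path
    used for remote work; they cannot reach each other or the servers directly."""
    hs = split_identity()
    hs["proxy"] = Host("proxy", set(), {"server_admin"},
                       reachable={"fileserver", "appserver"})
    for name in ("ws1", "ws2", "ws3"):
        hs[name].reachable = {"proxy"}
    return hs


if __name__ == "__main__":
    for label, topology in (("one AD, flat network", flat_ad()),
                            ("split identity", split_identity()),
                            ("split identity + no direct access", split_identity_and_network())):
        owned, ids = blast_radius(topology, "ws1")
        print(f"{label:36s} owned={sorted(owned)} identities={sorted(ids)}")
```

In the first topology the phished workstation yields the helpdesk credentials, those open every other workstation, one of them holds a domain admin session, and from there every server including the domain controller falls. Separating workstation and server identities stops the chain at the workstations; removing direct workstation-to-workstation and workstation-to-server connectivity stops it at the first machine. Real environments are larger, but the two levers are the same ones the article argues for.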
Just get started. Good luck, and God bless you.