IT Security Warfare, part deux
This is the second installment of my “IT Security Warfare” series in which I draw from Clausewitz to reinforce the ‘art of IT security.’
Culminating Point Of The Offensive
One of his areas of interest was the inherent superiority of defense over offense. For example, he was impressed by the strength of entrenchments and fixed fortifications. Both represent established, fortified points of contact with the enemy and can be compared to firewalls, HIPS, VLAN ACLs, and the like. Typically in battle there are successive lines of trenches to fall back to if the threat of being overrun becomes real. In network security we do the same: the firewall is the outermost point of contact, then we fall back to the IPS, then the VLAN ACLs, and so on.
Another strength of the defense is the ability to ‘choose his own ground,’ or make the enemy fight your fight. In IT security this means removing, reducing, or mitigating risk on key assets, accepting risk only when absolutely necessary, and fully anticipating contact with the enemy at the chosen point, be it a publicly accessible web server, an FTP server, or similar. Once we have chosen the point of battle, we build fortifications (system hardening), deploy scouts (a HIDS such as Tripwire), and maintain a general posture of preparedness (log monitoring, traffic monitoring, and so on).
As the offense extends itself into your territory, it becomes more difficult to sustain the attack; communication and supply become harder. In IT security parlance, this means that maintaining privileges on compromised hosts and maintaining communications back to the black hat become more challenging. For this reason we want to cut off the supply lines: block IRC ports outbound at the firewall, and snipe the IRC “/join” and “/nick” commands at the IPS. Two caveats for the IPS rule: on the wire the client sends the bare command (JOIN #channel, NICK botname); the leading slash is typed into the IRC client and never reaches the network, so match the protocol form. And do not key the rule to port 6667 alone, since a bot can be pointed at any port the firewall happens to allow. We also want to harden exposed hosts to make privilege escalation more difficult, and to be conservative with host-trust relationships. For example, if your exposed web server doesn’t need to talk to the neighboring FTP server in the same DMZ, don’t let it; that protects the FTP server from the web server.
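To make the “cut the supply lines” idea concrete, here is an added example (illustrative code written for this page, not from the original post or any product) that combines the two controls above: a DMZ egress allow-list that denies web-to-FTP and any unlisted outbound connection, and a payload check that spots IRC commands in the on-wire form whatever port they ride on. All hosts, addresses, ports and the sample flows are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical DMZ egress allow-list: (src, dst, dport).  Anything not listed
# is denied, so web -> ftp inside the DMZ and web -> arbitrary Internet host
# are both blocked by default.  Addresses are documentation ranges (invented).
ALLOWED_FLOWS = {
    ("192.0.2.10", "203.0.113.5", 53),    # web server -> DNS resolver
    ("192.0.2.10", "203.0.113.80", 80),   # web server -> package mirror
    ("192.0.2.20", "203.0.113.5", 53),    # ftp server -> DNS resolver
}

# IRC commands as they appear on the wire, at the start of a line.  A client
# sends "NICK foo\r\n" and "JOIN #chan\r\n"; the slash in "/join" is typed into
# the client UI and never reaches the network.  USER is deliberately left out:
# FTP uses the same verb ("USER anonymous"), so it would fire on legitimate
# FTP logins in the DMZ.
IRC_COMMAND = re.compile(rb"^(NICK|JOIN|PRIVMSG)[ \t]", re.MULTILINE)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def egress_allowed(flow: Flow) -> bool:
    """True if the DMZ firewall policy permits this (src, dst, port) triple."""
    return (flow.src, flow.dst, flow.dport) in ALLOWED_FLOWS


def irc_commands(payload: bytes) -> list[str]:
    """IRC commands found at line starts in the payload, whatever the port."""
    return [m.group(1).decode() for m in IRC_COMMAND.finditer(payload)]


def triage(flows: list[Flow]) -> list[tuple[Flow, str, list[str]]]:
    """Classify each flow:
       'deny' - policy blocks it (the firewall does the work, but any IRC
                commands seen are still logged: a bot calling home is evidence);
       'irc'  - policy allows it, yet it carries IRC commands (C2 smuggled
                over a permitted port, which only the IPS can catch);
       'ok'   - allowed and clean."""
    results = []
    for f in flows:
        cmds = irc_commands(f.payload)
        if not egress_allowed(f):
            verdict = "deny"
        elif cmds:
            verdict = "irc"
        else:
            verdict = "ok"
        results.append((f, verdict, cmds))
    return results


# Constructed sample flows from the DMZ web server (192.0.2.10).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 53, b"\x12\x34\x01\x00"),    # ordinary DNS
    Flow("192.0.2.10", "192.0.2.20", 21, b"USER anonymous\r\n"),     # web -> ftp: no trust
    Flow("192.0.2.10", "198.51.100.7", 6667,
         b"NICK bot1337\r\nUSER bot 0 * :bot\r\nJOIN #c2\r\n"),      # classic IRC C2
    Flow("192.0.2.10", "203.0.113.80", 80,
         b"NICK bot1337\r\nJOIN #c2\r\nPRIVMSG #c2 :online\r\n"),    # IRC over port 80
]


def verdicts(flows: list[Flow] = SAMPLE_FLOWS) -> list[str]:
    """Verdict per flow, in input order."""
    return [v for _, v, _ in triage(flows)]


if __name__ == "__main__":
    for f, verdict, cmds in triage(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport:<5} {verdict:5} {' '.join(cmds)}")
```

The fourth sample flow is the one worth noticing: it is permitted by the firewall because port 80 to the mirror is on the allow-list, and only the payload check reveals the IRC registration inside it. That is why the post pairs the outbound port block with an IPS rule rather than relying on either alone.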
The culminating point of the offensive in IT security comes when the attacker has probed enough systems and has been observed by enough countermeasures to create formidable evidence. That evidence becomes the weapon that gives the defense enough of an edge to turn on the attacker. In the best case, the authorities can be brought in as allies and thus tip the balance of power in favor of the defense.
Some solid points that Clausewitz makes about defense:
- It is a game of waiting but “waiting” does not mean being passive
- His version of defense was “profoundly active”1
- If defense was to be compared to a shield, then it should be “a shield made up of well-directed blows.”
I especially like the last point. I’m all for a proactive security posture that favors IPS over IDS technology, and user training and awareness programs over knuckle-cracking punishment for policy infringement.
Now go out there and build your sniper’s nest and keep an eye to the horizon.
This is the first time I’ve seen Carl von Clausewitz mentioned in our industry. When asked on the Security Catalyst Community what is the one security book I could not live without I didn’t even have to think about it: On War - Carl von Clausewitz. This is a must have book for anyone involved in any aspect of security.
By Andrew Hay on 06.27.07 5:22 am