In today’s blog post I’ll share Richard’s model of DNA, explain why working toward it matters when preparing to handle incidents, and show that incident response is more than training your first responders and providing them with tools. I’ll walk through eight key design principles for creating a defensible network architecture (DNA) model from Richard Bejtlich, author of The Tao of Network Security Monitoring: Beyond Intrusion Detection. We can call this model DNA 2.1 for short. Identifying a compromised asset, finding a responsible owner, and delivering an incident report are three of the toughest jobs in security, but they are not the only challenges. The list below begins with the characteristics a security team should adopt first; as it continues, the characteristics become progressively harder to implement.

A DNA 2.1 is an information architecture that is:

  • Monitored: The simplest and least expensive way to start building DNA in an existing organization is to deploy Network Security Monitoring sensors capturing session data (at an absolute minimum), full content data (if you can get it), and statistical data. If you can access other data sources, like firewall / router / IPS / IDS / DNS / proxy / whatever logs, you should always start by monitoring those. Save the harder data types (those that require reconfiguring assets and buying mammoth databases) until much later. From a security perspective, quick wins are always important. Monitor all assets at the host, network, and application log levels.
  • Inventoried: This means knowing what you have and what you are hosting on your network. If you’ve started monitoring, you can capture much of this information passively. You need access to an inventory that identifies the location, purpose, data classification, criticality, owner, and contact method of each asset.
  • Controlled: Now that you know how your network works and what’s in it, you can start implementing network-based controls such as ingress filtering, egress filtering, network admission control, network access control, proxy connections, etc. The main idea is to move from a network where anything goes to one where activity is cleared in advance. The security team enforces access control at the host, network, and application level to allow authorized activity and deny everything else.
  • Claimed: Claimed means identifying the owners of the assets and developing policies, procedures, and plans for operating those assets. In my experience, it’s generally easier to start putting controls in place before people take ownership of the systems. This step is a prerequisite for responding to an incident. We can detect intrusions in the first step, but we can only work with the owner of an asset to respond if we know who the asset belongs to and how to contain and recover it. The owner of the inventoried asset exerts active control over the system.
  • Minimized: This step is the first to directly impact the configuration and posture of assets. Here you work with stakeholders to reduce the attack surface of their network devices. You can apply this to clients, servers, applications, network links, and so on. By reducing the attack surface you improve your ability to perform all of the other steps, but you can’t really implement minimization until you know who owns what. The assets offer the minimum surface area needed to perform their business function; needless services, protocols, and code are disabled.
  • Assessed: This is a vulnerability assessment process to identify asset weaknesses. Some will say that it is useful to start with an assessment, but the first question will be: “What are we assessing?” I think it might be easier to turn off unnecessary services first, but you might not know what is running on computers without assessing them. Also consider running an adversary simulation to test your overall security operations. Assessment is the stage where you decide whether what you have done so far makes a difference. The configuration of assets is assessed regularly to determine their security posture.
  • Current: Current means keeping assets configured and patched so that they can resist known attacks by fixing known vulnerabilities. It’s easy to turn off features that no one needs. However, sometimes updates can break applications. This is why this step is the last. The IT team keeps the patch and configuration status of assets up to date with the latest standards.
  • Measured: The Red Team measures progress against the previous steps. The Red Team proactively assesses and tests the organization to determine its security posture by simulating a wide variety of threats. This team provides a metric against which performance can be measured.
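
The Monitored, Inventoried and Claimed steps build on each other, and the sketch below ties them together: it derives listening services passively from session records and checks each host against the inventory fields listed above. It is an added example, not code from Bejtlich's book or from this post's original text; the addresses, record layout, status names and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Inventory fields the post lists for every asset.
REQUIRED = ("location", "purpose", "data_classification", "criticality", "owner", "contact")

# Constructed session records (src, dst, proto, dst_port); not real traffic.
SESSIONS = [
    ("10.0.5.20", "10.0.1.10", "tcp", 443),
    ("10.0.5.20", "10.0.1.11", "tcp", 5432),
    ("10.0.5.22", "10.0.1.12", "tcp", 22),
    ("10.0.1.10", "203.0.113.7", "tcp", 443),  # outbound, not a local service
]

# Constructed inventory: 10.0.1.11 has no owner, 10.0.1.12 is missing entirely.
INVENTORY = {
    "10.0.1.10": dict(location="dc1", purpose="web portal", data_classification="internal",
                      criticality="high", owner="web-team", contact="web-team@example.com"),
    "10.0.1.11": dict(location="dc1", purpose="database", data_classification="confidential",
                      criticality="high", owner="", contact=""),
}

def observed_services(sessions, internal_cidr):
    """Passively map internal hosts to the services clients were seen reaching."""
    net = ipaddress.ip_network(internal_cidr)
    seen = defaultdict(set)
    for _src, dst, proto, port in sessions:
        if ipaddress.ip_address(dst) in net:
            seen[dst].add((proto, port))
    return dict(seen)

def audit(seen, inventory):
    """Return (ip, status, detail) for every internal host seen on the wire."""
    findings = []
    for ip in sorted(seen, key=ipaddress.ip_address):
        entry = inventory.get(ip)
        if entry is None:
            # Monitored but not Inventoried: report the services observed.
            findings.append((ip, "uninventoried", sorted(seen[ip])))
            continue
        missing = [f for f in REQUIRED if not entry.get(f)]
        unclaimed = not (entry.get("owner") and entry.get("contact"))
        status = "unclaimed" if unclaimed else ("incomplete" if missing else "ok")
        findings.append((ip, status, missing))
    return findings

if __name__ == "__main__":
    for row in audit(observed_services(SESSIONS, "10.0.0.0/16"), INVENTORY):
        print(row)
```

Hosts reported as uninventoried or unclaimed are the ones for which incident response will stall, because nobody can be contacted to contain or recover them.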

Model Reference: Richard Bejtlich, “The Practice of Network Security Monitoring: Understanding Incident Detection and Response” (book)