Cybersecurity

The threat landscape is constantly evolving. It is increasingly important for organizations to invest in security to mitigate the risk posed by both internal and external malicious actors. New threat vectors are emerging, including:

  • Internet of Things (IoT) devices with weak security
  • Bring Your Own Device (BYOD)
  • Remote workforce

However, the preferred attack vector according to Verizon’s 2017 Data Breach Investigations Report is still stolen credentials. Basic steps to mitigate this risk include:

  • User training
  • Security policies
  • Strong passwords
  • Frequent password change
  • Minimal permissions
  • Multi Factor Authentication (MFA)
  • Mobile Device Management (MDM)

The Kaspersky Global IT Risk Report 2016 lists the top causes of data breaches as:

  • Viruses, malware and trojans
  • Lack of diligence and untrained employees
  • Phishing and social engineering
  • Targeted attack
  • Crypto and ransomware

Kill Chains for Targeted Attacks


The following steps are typically used during a targeted attack:

  • Reconnaissance – searching for weaknesses through which to conduct an attack.
    • External Reconnaissance – data gathering outside the target’s network and systems. This is typically done through dumpster diving, phishing, social engineering, watering-hole attacks and baiting, with the aim of creating a weakness through either stolen passwords or malware.
    • Internal Reconnaissance – data gathering inside the target’s network and systems. Typically this is done by tailgating, sniffing and scanning, with the intent of compromising passwords and mapping networks, servers and ports.

  • Compromising the System
    • Extortion Attacks – holding data to ransom or threatening to expose information. These are becoming the preferred option for hackers because the payout comes directly from the target rather than from having to find a third party.
    • Data Manipulation Attacks – changing or corrupting data to undermine trust in the integrity of the organisation’s data.
    • IoT Device Attacks – typically compromised devices being enlisted into DDoS attacks.
    • Backdoors – software that has been compromised at source or within the supply chain to enable hackers to access it after it has been deployed onto the organisation’s infrastructure.
    • Mobile Device Attacks – malware installed on BYOD devices can be used to attack organisational data systems.

  • Lateral Movement – expanding presence to find high-value data and gain control of infrastructure.
    • Primary targets of this stage include:
      • Directory Servers
      • Email Servers
      • Database Servers
      • File Shares
    • Infiltration Mechanisms include:
      • Network mapping – note that movement within a subnet that does not cross a security boundary may go undetected, so isolate servers where possible.
      • Alternate Data Streams (ADS) – hiding payload files behind legitimate system file names whilst piping data between commands.
      • Legitimate system tools such as:
        • PowerShell
        • Remote Desktop
        • Sysinternals
        • Windows Management Instrumentation (WMI)
        • Scheduled Tasks
        • Remote Registry

  • Privilege Escalation

  • Concluding the Mission
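
The lateral-movement stage above is largely carried out with legitimate administration tools, so detection has to look at who runs them, against which hosts, and how many hosts one account reaches. The following is an added example, not code from the original page: it parses constructed process-creation records (the key=value field names ts, host, user, image and cmdline are an assumption of this example, not a real log schema) and flags accounts that repeatedly point those tools at other machines or that appear on several hosts. The thresholds are assumptions to be tuned against your own baseline.

```python
"""Added example (not from the original page): scans constructed
process-creation records for the legitimate administration tools the kill
chain lists and for one account touching many hosts, which is what lateral
movement looks like from the defender's side."""
import re
from collections import defaultdict

# Constructed sample records in a key=value form. The field names
# (ts, host, user, image, cmdline) are an assumption of this example.
SAMPLE_EVENTS = r"""
ts=2024-05-01T09:00:01 host=ws01 user=alice image=outlook.exe cmdline="outlook.exe"
ts=2024-05-01T09:02:10 host=ws01 user=alice image=powershell.exe cmdline="powershell.exe -File C:\scripts\inventory.ps1"
ts=2024-05-01T09:03:05 host=ws01 user=alice image=wmic.exe cmdline="wmic.exe /node:ws02 process call create cmd.exe"
ts=2024-05-01T09:04:00 host=ws01 user=alice image=schtasks.exe cmdline="schtasks.exe /create /s fs01 /tn upd /tr C:\temp\upd.exe"
ts=2024-05-01T09:05:30 host=ws02 user=alice image=psexec.exe cmdline="psexec.exe \\dc01 -s cmd.exe"
ts=2024-05-01T09:06:00 host=dc01 user=alice image=reg.exe cmdline="reg.exe query \\fs01\HKLM\SYSTEM\CurrentControlSet\Services"
ts=2024-05-01T10:15:00 host=ws05 user=bob image=mstsc.exe cmdline="mstsc.exe /v:ts01"
ts=2024-05-01T10:20:00 host=ws05 user=bob image=excel.exe cmdline="excel.exe budget.xlsx"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value record into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

# Legitimate tools named in the text. Running them is normal; the signal is
# who runs them, against which host, and how many hosts one account reaches.
ADMIN_TOOLS = {
    "powershell.exe": "PowerShell",
    "mstsc.exe": "Remote Desktop",
    "psexec.exe": "Sysinternals",
    "wmic.exe": "WMI",
    "schtasks.exe": "Scheduled Tasks",
    "reg.exe": "Remote Registry",
}
# Command-line fragments showing the tool was pointed at another machine.
REMOTE_HINTS = ("/node:", "/s ", "\\\\", "/v:", "-computername")

def analyse(text):
    """Return (tool_hits, hosts_by_user).
    tool_hits: (ts, user, host, tool, remote) for each admin-tool execution.
    hosts_by_user: distinct hosts on which each account ran a process."""
    tool_hits = []
    hosts_by_user = defaultdict(set)
    for line in text.strip().splitlines():
        ev = parse_event(line)
        hosts_by_user[ev["user"]].add(ev["host"])
        tool = ADMIN_TOOLS.get(ev["image"].lower())
        if tool:
            remote = any(h in ev["cmdline"].lower() for h in REMOTE_HINTS)
            tool_hits.append((ev["ts"], ev["user"], ev["host"], tool, remote))
    return tool_hits, dict(hosts_by_user)

def alerts(text, min_remote=2, min_hosts=3):
    """Accounts that drove admin tools at other hosts repeatedly, or that
    appeared on several hosts. Thresholds are assumed; tune to your baseline."""
    tool_hits, hosts_by_user = analyse(text)
    remote_count = defaultdict(int)
    for _, user, _, _, remote in tool_hits:
        remote_count[user] += remote
    flagged = {u for u, n in remote_count.items() if n >= min_remote}
    flagged |= {u for u, hs in hosts_by_user.items() if len(hs) >= min_hosts}
    return sorted(flagged)

if __name__ == "__main__":
    hits, hosts = analyse(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("hosts per account:", {u: sorted(h) for u, h in hosts.items()})
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Run on the constructed records, only alice is flagged: she drives four different tools at other hosts and appears on three machines, whereas bob's single Remote Desktop session from one workstation stays below both thresholds. In practice the same logic runs over real process-creation telemetry (for example Windows Security event 4688 or Sysmon event 1) and the per-user host count is the cheapest indicator of the spread the text describes.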

Defense in Depth


Users

The most vulnerable component of our defense strategy is the people who own and operate it. All the available research shows that most attacks succeed because a user’s identity has been compromised. These stolen credentials are then used to create weaknesses that can be exploited to damage the organization.

The first and most important layer of our defense strategy must therefore be practical security policies that are easily understood by our users. Each user should be fully trained on security practices and be given regular refresher training as threats, tools and processes evolve. This is especially important for high-value users such as administrators, developers and systems operators.

Infrastructure

Building from the bottom up, our defense in depth strategy needs to protect our infrastructure. Depending upon the specific technology choice, there is a range of tools and best practices that will enable us to secure, monitor, alert on and respond to security incidents. The big takeaway from this section is that we need to compartmentalise our network infrastructure to prevent lateral movement from the periphery of our network towards our critical Data at Rest servers.

Applications

Software that we create to run in the Data Presentation, Data in Motion and Data in Action zones needs to provide two different kinds of protection:

  • Software vulnerabilities need to be eliminated by training developers and running static analysis tools to detect the common threat vectors, including:
    • SQL Injection
    • Buffer Overflow
    • Cross Site Scripting
    • Structured Exception Handler Overwrites

  • Transport vulnerabilities need to be eliminated by:
    • Validating the identities of the users or applications involved in each transaction.
    • Enforcing compartmentalisation of each service so that all data flows across an intrusion detection device.
    • Ensuring that all data is encrypted as it crosses a security boundary.
    • Ensuring that data has not been modified during transport.
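
SQL injection is the first item in the list above, and it is also the one where the vulnerable and the hardened code differ by a single habit. The following is an added example, not code from the original page: the same lookup written by splicing the caller's text into the statement and by binding it as a parameter, run against a constructed in-memory SQLite table, together with a minimal static check of the kind the text recommends running over source code (the sample source it scans is constructed for this example).

```python
"""Added example, not code from the original page: the same user lookup
written injectably and safely against an in-memory SQLite table, plus a
small static check of the kind the text recommends running."""
import ast
import sqlite3

def make_db():
    """Constructed sample table so the two lookups can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 0),
        ("bob", "bob@example.com", 0),
        ("root", "admin@example.com", 1),
    ])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable: the caller's text becomes part of the SQL statement, so a
    # value containing quotes can change the WHERE clause.
    return conn.execute(
        f"SELECT username, email FROM users WHERE username = '{username}'"
    ).fetchall()

def lookup_safe(conn, username):
    # Hardened: the value is bound as a parameter and can never alter the
    # statement's structure, whatever characters it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

def find_string_built_queries(source):
    """Minimal static check: names of functions that pass an f-string,
    '%'-formatted, .format()-ed or concatenated string to execute()."""
    flagged = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany") and node.args):
                continue
            arg = node.args[0]
            dynamic = isinstance(arg, (ast.JoinedStr, ast.BinOp)) or (
                isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format")
            if dynamic and func.name not in flagged:
                flagged.append(func.name)
    return flagged

# Constructed source for the static check (not real project code).
SAMPLE_SOURCE = '''
def by_concat(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = '" + name + "'")

def by_percent(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = '%s'" % name)

def by_format(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = '{}'".format(name))

def by_param(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = ?", (name,))
'''

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))  # every row comes back
    print("safe:      ", lookup_safe(db, hostile))        # no such username
    print("flagged:   ", find_string_built_queries(SAMPLE_SOURCE))
```

The static check is deliberately narrow: it only recognises a query built at the call site, not one assembled earlier and passed in a variable, which is why real analysers track data flow rather than syntax. The parameterised form needs no such analysis, because the driver never lets a bound value change the statement.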
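
Two of the transport requirements above, validating the identity of the application involved and ensuring the data was not modified in transit, can be met with one construction: a message authentication code keyed per sender identity. The following is an added example, not code from the original page: a small HMAC-SHA256 envelope for data crossing a security boundary. The per-service keys are constructed here so the example runs (in practice they come from a secrets store), and encryption of the channel itself is left to TLS and not shown.

```python
"""Added example, not from the original page: an HMAC-signed envelope that
gives two of the transport checks listed above, sender identity and
tamper-evidence, for data crossing a security boundary. Encryption of the
channel itself is left to TLS and is not shown here."""
import hashlib
import hmac
import json
import secrets

# Constructed per-service keys. Assumption: in production these come from a
# secrets store and are rotated; they are generated here so the example runs.
SERVICE_KEYS = {
    "billing": secrets.token_bytes(32),
    "reports": secrets.token_bytes(32),
}

def seal(sender, payload, keys=SERVICE_KEYS):
    """Build 'body.tag' where tag = HMAC-SHA256 over body under the sender's key.
    Canonical JSON (sorted keys, no whitespace) keeps the signed bytes stable."""
    body = json.dumps({"sender": sender, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(keys[sender], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def open_envelope(envelope, keys=SERVICE_KEYS):
    """Verify identity and integrity, then return (sender, payload).
    Raises ValueError for an unknown sender or a tag that does not match."""
    body, sep, tag = envelope.rpartition(".")  # the hex tag never contains '.'
    if not sep:
        raise ValueError("malformed envelope")
    parsed = json.loads(body)
    claimed = parsed.get("sender") if isinstance(parsed, dict) else None
    key = keys.get(claimed)
    if key is None:
        raise ValueError("unknown sender identity")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("integrity check failed: body or sender altered")
    return claimed, parsed["payload"]

def is_authentic(envelope, keys=SERVICE_KEYS):
    """Boolean form of open_envelope for callers that only need accept/reject."""
    try:
        open_envelope(envelope, keys)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    env = seal("billing", {"amount": 100, "to": "acct-1"})
    print("verified:", open_envelope(env))
    tampered = env.replace('"amount":100', '"amount":900')
    print("tampered accepted?", is_authentic(tampered))
    forged = env.replace('"sender":"billing"', '"sender":"reports"')
    print("forged identity accepted?", is_authentic(forged))
```

Because the sender's name is inside the signed body, a receiver that looks up the key by that name also rejects a message whose identity field was rewritten: the tag was computed under a different service's key. This is the same property the transport bullets ask for, only enforced at the message layer rather than by the intrusion detection device the data also flows across.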

Data at Rest

As described above, the primary targets for a targeted attack will include:

  • Directory Servers
  • Email Servers
  • File Shares
  • Database Servers

Whilst Data as a Service generally doesn’t have much to add to Directory and Email Servers, there is a lot we can do with File and Database Servers.

Firstly, encrypt the media that the data resides on. This is especially important for physical media stored on-premises. When media is being disposed of, ensure that it is first erased and then physically destroyed to prevent dumpster diving attacks. Even when storing information in the cloud, utilise the available storage-level encryption mechanisms.

Next, encrypt the content of the data itself in a way that is transparent to the user accessing it – make it easy for the user to implement the security policy! For data files, use Information Protection tools that lock data based on security levels and restrict access. These tools can be extended across mobile endpoints to prevent data leaking via email.

In databases:

  • Enforce row-level security checks on users accessing the data.
  • Implement row-level version control to identify and recover from data manipulation attacks.
  • Implement auditing and machine learning to identify threats and abnormal activity.
  • Use vendor analytic tools for threat analysis and alerting.
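
The first two database measures above, row-level security and row-level version control, are worth seeing together, because the version history is what lets you notice a data manipulation attack that bypassed the application and then recover from it. The following is an added example, not code from the original page: a constructed SQLite schema in which the data layer adds the owner predicate to every query, a trigger records the previous image of every balance change together with the application actor, and a change made with no application actor stands out as suspicious and can be rolled back. The schema, the session mechanism and the sample rows are assumptions of this example.

```python
"""Added example, not the page's own code: row-level access checks and a
trigger-maintained version table in SQLite, so that a change made outside the
application path shows up as an anomaly and the row can be restored."""
import sqlite3

def make_db():
    """Constructed schema and sample rows. The trigger records the previous
    image of every balance change together with the application actor."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL);
        CREATE TABLE accounts_history (
            version INTEGER PRIMARY KEY AUTOINCREMENT, id INTEGER,
            old_balance INTEGER, new_balance INTEGER, changed_by TEXT);
        -- Per-connection actor set by the application before each statement.
        CREATE TEMP TABLE session (actor TEXT);
        -- TEMP trigger so it may reference the TEMP session table; it fires
        -- for every UPDATE, including ones that bypass the application.
        CREATE TEMP TRIGGER accounts_version AFTER UPDATE OF balance ON accounts
        BEGIN
            INSERT INTO accounts_history (id, old_balance, new_balance, changed_by)
            VALUES (OLD.id, OLD.balance, NEW.balance, (SELECT actor FROM session));
        END;
        INSERT INTO accounts (owner, balance) VALUES ('alice', 100), ('bob', 50);
    """)
    return conn

def _as_actor(conn, actor):
    """Record which application user is behind the statements that follow."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?)", (actor,))

def read_accounts(conn, actor):
    """Row-level security: the owner predicate is added by the data layer,
    never left to the caller."""
    _as_actor(conn, actor)
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE owner = ? ORDER BY id",
        (actor,)).fetchall()

def set_balance(conn, actor, account_id, balance):
    """Update only rows the actor owns; zero rows changed means denied."""
    _as_actor(conn, actor)
    cur = conn.execute(
        "UPDATE accounts SET balance = ? WHERE id = ? AND owner = ?",
        (balance, account_id, actor))
    conn.commit()
    if cur.rowcount == 0:
        raise PermissionError(f"{actor} may not modify account {account_id}")

def out_of_band_update(conn, account_id, balance):
    """Simulates a change made directly on the database with no application
    actor, as in a data manipulation attack; used here to show detection."""
    conn.execute("DELETE FROM session")
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (balance, account_id))
    conn.commit()

def suspicious_changes(conn):
    """Version rows without an application actor came from outside the app."""
    return conn.execute(
        "SELECT version, id, old_balance, new_balance FROM accounts_history "
        "WHERE changed_by IS NULL ORDER BY version").fetchall()

def restore_version(conn, version):
    """Roll the row back to the image recorded before the given change."""
    row = conn.execute(
        "SELECT id, old_balance FROM accounts_history WHERE version = ?",
        (version,)).fetchone()
    if row is None:
        raise LookupError(f"no version {version}")
    _as_actor(conn, "recovery")
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (row[1], row[0]))
    conn.commit()

if __name__ == "__main__":
    db = make_db()
    set_balance(db, "alice", 1, 80)
    out_of_band_update(db, 1, 999)
    print("suspicious:", suspicious_changes(db))
    restore_version(db, suspicious_changes(db)[0][0])
    print("alice sees:", read_accounts(db, "alice"))
```

The point of putting the history in a trigger rather than in application code is that it captures every write path, so the audit and anomaly detection the next two bullets call for have a complete record to work from; an actor-less version row is the simplest such anomaly, and the restore is a single query against that record.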

What is Data as a Service?

  • Data at Rest – at rest within a persistent data storage medium.
  • Data Presentation – presented as part of an omni-channel user experience.
  • Data in Action – in action when we want to perform some business logic on it.
  • Data in Motion – when being shared with third parties or other internal solutions.