Think Like an Attacker: Be Frogger

It’s time to think about a new model for cyber defense. The conventional wisdom of a defense-in-depth architecture is just that: wisdom and conventional. Said apart, one can literally hear the last vestiges of its applicability to the cloud friendly, hyper-converged, globally distributed, and platform-independent cyber world of today. This isn’t to say that a defense-in-depth approach is without merit—it wouldn’t have become such a ubiquitous fundamental of cybersecurity if it wasn’t easy to understand, simple to deploy, and incredibly strong. But cyber attackers know the model too, and its relatively static delivery mechanism and resistance to the inclusion/exclusion of new or reorganized controls make it common ground. As any good defender knows, common ground offers no advantage. 

To get to a new way of thinking, we need to first understand a few fundamentals of information technology and networking that have been with us for years. History is often the best driver for new ways of thinking. 

Of Meshes and Cyber Defense 

Firstly, and most importantly, is the concept of a mesh. Consider the postal system of the United States: to send a letter from New York to California, means the letter must traverse several different locations, otherwise called “nodes.” Those nodes may include a flight from Albany to Chicago, a truck from Chicago to Denver, and a train from Denver to Los Angeles. The letter moves in different ways between different nodes before it finally arrives in a letter carrier’s mail bag for delivery to the recipient’s mailbox. If there’s a storm, the plane might not fly and an alternate path is preferred. If there’s highway maintenance, the postal system works to choose an alternate series of nodes—all to deliver the letter in no more time as would be optimal. These interconnected nodes are collectively known as a mesh. Sometimes it’s simpler to understand if we can visualize it, as below.

Next is an advancement of the mesh concept, called a “directed mesh.” To understand this, consider the postal analogy once more. Letters that are processed through the Atlanta facility move twice as fast as those routed through the Richmond facility. When letters are routed through St. Louis, they can only be sent to Dallas. But letters sent through Louisville can be sent anywhere north of Las Vegas. The point is, every node in the mesh has its own characteristics. 

Some nodes cause delays and some paths between nodes are non-optimal. In a directed mesh, these nodes are “weighted” and an optimal path exists. Paths might change to newer, more optimal paths should those weights change. And now on top of this directed mesh is added an element of change. Just like the post office analogy, a directed mesh can be dynamic, changing. 

Some nodes cause delays and some paths between nodes are non-optimal. In a directed mesh, these nodes are “weighted” and an optimal path exists. Paths might change to newer, more optimal paths should those weights change.

A path that existed between postal distribution centers in the early morning might be suboptimal by the end of day because of a thunderstorm in the Midwest. The point here is that this collection of nodes, and paths between them is ever changing in the directed mesh. This is a key concept to applying the directed mesh model to cyber defense, but more on that in a bit.

In modern networking, the paths between nodes of a directed mesh are called “routes.” And these routes are calculated by something called a “dynamic routing protocol.” This is little more than standing in the Albany post office with a letter in hand, choosing which path to take to advance the letter west toward California. A dynamic routing protocol learns the node weights (perhaps a delay in the Cincinnati facility) and optimal paths through the directed mesh (air travel or road travel between Nashville and Little Rock), and spits out the best paths between any two nodes. (Shoutout to all those that spent way too much time in school learning the fundamentals of RIPv2, OSPF, or BGP). 

A computer network—just like a postal network—is a directed mesh that is constantly moving and reacting. The dynamic routing protocol can always be trusted to find an optimal route through it. Once all the optimal paths are known between the nodes, and there aren’t any changes in the mesh, this is what is known as network “convergence.” Convergence is mesh utopia; all possible paths through all possible nodes are known, and optimal.

Once all the optimal paths are known between the nodes, and there aren’t any changes in the mesh, this is what is known as network “convergence.” Convergence is mesh utopia; all possible paths through all possible nodes are known, and optimal.

Is Traditional Defense-in-Depth on its Last Legs?

This is the crux of a new way to think about cyber defense. Historically, cyber controls were layered like an onion and often integrated. An attacker would have to move through successive and increasingly complex layers of controls to reach whatever nefarious conclusion they were after. The castle-keep analogy is often the easiest analogy to explain this. If an attacker wants to steal the crown jewels (patient data, intellectual property (IP), cardholder data, etc) stored inside the castle keep at the structure’s center, they first need to traverse the moat, then scale the walls, defeat the guards, race past the killer attack dogs, avoid the pitfalls, sneak past the sleeping guards, pick the lock to the keep door, and claim their prize. 

Never do they move backwards to check for keys on the sleeping guards, or sideways to just wait until the dogs are feeding, and the jester leaves the keep door open. Defense-in-depth architectures are designed to trap attackers at any one layer. We monitor those layers/controls, alarm on them, sometimes even make them trivially easy to defeat so as to bait attackers (honeypots, honeynets, etc). Defense-in-depth security is a one-dimensional directed mesh; one path, one set of nodes, and one optimal direction.

That’s just not how attackers think today. 

Attackers are patient, crafty, and dynamic. Why traverse the castle walls if they could fly over them with a drone and drop straight in front of the keep door? Can they leverage the information gained from one control to defeat another? Can they simply impersonate a good actor to defeat any control that relies on trust? This is where the defense-in-depth model suffers greatly, and it's time for a change in thinking.

Defense-in-depth security is a one-dimensional directed mesh; one path, one set of nodes, and one optimal direction. That’s just not how attackers think today. 

What if cyber controls were built like a directed mesh? Every control inhibitive to an attacker is simply a node in that mesh. What if, to think like an attacker, we simply tried to traverse the mesh much the same way a dynamic routing protocol would. 

Endpoint detection might be a node in that mesh, but how does the relationship between endpoint and say ... local privilege escalation offer weakness to any would-be attacker? Or the relationship between endpoint detection and application allowlisting, script control, accessing a network resource, peer discovery, or any other area where a control could exist. 

All nodes, and all possible paths in the directed mesh. Movement between these controls is akin to path optimization. An attacker moves forward, backward, left, and right to find their path to the castle keep. The goal is to answer the question: “Which path is optimal (or maybe suboptimal?) such that we would add a control, akin to changing a node weight or path cost, such that the attack is directed to where we want it to go, ultimately creating a path too costly for the attacker?” 

The utopian goal is a convergence of security controls. Convergence in this sense is an understanding of the interdependency between all security controls (nodes in the directed mesh), and how they build an optimal path to defeat any attacker.

Consider the practical example of identity theft, so common in today's cyberattack portfolio because this attack targets the new perimeter of cyber security: humans. Assume for a moment that an attacker has compromised a privileged identity and is using it to login to a protected asset. In the defense-in-depth model, there might be additional challenges for multi-factor authentication, or an additional comparative filter for historical activity. But the attacker needs only to wait out the controls, or focus solely on their defeat. 

The utopian goal is a convergence of security controls. Convergence in this sense is an understanding of the interdependency between all security controls (nodes in the directed mesh), and how they build an optimal path to defeat any attacker.

In the directed mesh way of thinking, the system might monitor for behavioral anomalies, increasing the number of factors required to authenticate. Or, should the attacker use known exploits, additional levels of scrutiny are invoked, causing the attacker to “restart” their attack, choosing or landing on different security controls (nodes) that may have not been present for their first attempt at choosing a path. While the attacker chooses a new path and evaluates its merit, just as the dynamic routing protocol does, cyber defenders have already modeled it (that new way of thinking) inside the directed mesh, and assured defeat.  

Frogger Shows the Way

So now if you’ve come this far, it’s time for the tl;dr summary on “thinking like an attacker.” Remember Frogger?

Frogger was a console and arcade classic, whereby the goal was to move your frog across the highway, through increasing levels of traffic complexity, to get to the other side without getting squished. Each traffic lane had a different pattern of vehicle placement and speed, making it a precarious "jump" between lanes. The frog could be moved up to advance between lanes of traffic, backwards to retreat back to safety, left or right to accommodate timely jumps across lanes. 

And voila, Frogger is a simplistic example of dynamic routing protocols that were created years after the game mesmerized young minds in front of arcade screens the world over. In Frogger, the human player is the routing protocol. They are constantly evaluating each jump, and assessing the threats present, in order to safely advance. 

Each lane of traffic represents a node in the directed mesh that is Frogger. Jumping between lanes is akin to moving between nodes, the player choosing the optimal path each time. The comparative analogy of how an attacker might traverse through security controls, makes Frogger a wonderfully applicable and easy-to-understand totem for this entire change of thought. Traversing through successfully increasing speeds of traffic, or safe places to jump, ultimately arrives at complete path optimization aka convergence, i.e. winning the game.

We as cyber defenders can model the frog, the lanes of traffic, and the choices taken between lanes. We are Frogger’s developers as much as any player. In this directed mesh of controls, the relationships between our security controls should be evaluated just like any dynamic routing protocol would do. We can influence those relationships, and map out how an attacker might think, what they might traverse. By using the concept of a directed mesh, we can build a framework of security controls that always squishes the frog.

More practically, the task is to evaluate the co-dependency of any security control, against any and all other controls, regardless of any hierarchical relationship.  For instance, if a mature privileged access management (PAM) tool exists, but it is somehow compromised, what other controls could be thwarted, each of them represented as a node with some proximity to the PAM node. Lateral movement anyone?  

But compromise of a PAM tool also means an attacker likely has a very high level of administrative control, and endpoints could be victimized. So those nodes also have a mesh-based relationship to the PAM node. The complexity has an equivalent number of dimensions as the number of possible security controls. 

A directed mesh can easily become overwhelming. BUT…there’s a trick. Always keep in mind what you are trying to protect. System uptime? IP? A particular IT asset? In Frogger, you could always see the goal, you just have to figure out the movements to get there, each jump to a different node, thus mapping out how an attacker might think, what they might traverse. By using the concept of a directed mesh, we can build a framework of security controls that always squish the frog.