O'Reilly Modern Defense in Depth


Page 12 of 53

opening an attachment in an email. In the case of clicking, the internal user starts the conversation from within the firewall, outward. When the return traffic (as a result of the click) arrives on the external side of the firewall, it allows the traffic to seamlessly pass to the internal user. Normally, the return traffic carries a piece of malware, an exploit of a system or application vulnerability, or even worse—ransomware. As soon as the traffic arrives at the user's computer, it executes the malicious code and normally allows an attacker to gain a foothold into an organization.

Why Do Phishers Phish?

It's simple. Attackers completely understand how firewalls work. Because nearly every network is protected by firewalls that are very effective at blocking all incoming unsolicited traffic, how do attackers get around them? They don't get around them because there is no way to do that. Instead, they get the victim to do the work for them.

This Approach Is Not Adequately Protecting Internal Users

When observing the perimeter defenses (commonly called border or edge defenses) most organizations deploy today to protect their internal user community, we can see a common methodology. Most organizations deploy layer upon layer of independent technologies designed to stop various cyberattacks. These lines of defense are normally deployed in a serial fashion with one line of defense deployed behind another, or they are deployed out-of-band, operating in a monitoring fashion only.

Next-generation firewalls are normally deployed as the de facto "first line of defense" at the edge of a network. Using these firewalls, most organizations block all incoming traffic destined to their user community that originates from the internet. However, understanding how phishing works, firewalls are severely limited in their ability to block these attacks.

Looking further in, past edge firewalls, organizations normally deploy advanced network intrusion prevention systems as the next line of defense. These technologies are designed to block "known"

This Approach Is Not Adequately Protecting Internal Users | 3
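The mechanism the text describes, a stateful firewall passing return traffic for a connection an internal user opened while dropping unsolicited inbound packets, can be modelled in a few lines. The following is an added illustration, not code from the book or from any firewall product: the addresses (10.0.0.5 as the internal user, 203.0.113.9 as the attacker's server), ports and class names are all constructed for the example. It shows why the reply to a phishing click is indistinguishable, at the firewall, from any other legitimate response, and why the only firewall-side event a defender can log is the outbound connection itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = internal -> internet, "in" = internet -> internal


# A flow is identified by the internal side's (addr, port) and the remote side's (addr, port).
FlowKey = Tuple[str, int, str, int]


class StatefulFirewall:
    """Toy model of stateful inspection with a default-deny inbound policy.

    Outbound packets from internal hosts create connection state; an inbound
    packet is allowed only when it matches a flow that an internal host opened.
    """

    def __init__(self, internal_prefix: str = "10.0.") -> None:
        self.internal_prefix = internal_prefix  # hypothetical RFC 1918 internal range
        self.flows: Set[FlowKey] = set()
        self.log: List[str] = []

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if not pkt.src.startswith(self.internal_prefix):
                return "DROP"  # spoofed or misrouted source, not an internal host
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.flows:
                self.flows.add(key)
                # The outbound connection is the one event the firewall can
                # record; the reply will look legitimate by construction.
                self.log.append(f"NEW_FLOW {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "ALLOW"

        # Inbound: reverse the tuple so it is keyed the same way as the outbound flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "ALLOW"  # return traffic for a user-initiated connection
        self.log.append(f"DROP_UNSOLICITED {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


def simulate_phish_click() -> Dict[str, object]:
    """Replay the sequence from the text: unsolicited probe, user click, payload in the reply."""
    fw = StatefulFirewall()
    # 1. Unsolicited inbound connection attempt from the internet: no flow, dropped.
    probe = fw.process(Packet("203.0.113.9", 40000, "10.0.0.5", 445, "in"))
    # 2. The internal user clicks the phishing link: outbound HTTPS creates state.
    click = fw.process(Packet("10.0.0.5", 51000, "203.0.113.9", 443, "out"))
    # 3. The response (which may carry the payload) matches the flow and passes.
    reply = fw.process(Packet("203.0.113.9", 443, "10.0.0.5", 51000, "in"))
    return {"probe": probe, "click": click, "reply": reply, "log": fw.log}


if __name__ == "__main__":
    for name, verdict in simulate_phish_click().items():
        print(name, verdict)
```

The point for a defender is visible in `fw.log`: the only record the firewall produces for the phishing click is a `NEW_FLOW` entry for an outbound HTTPS connection, which is why the layers behind the firewall (egress inspection, endpoint controls, user reporting) carry the weight for this class of attack.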