O'Reilly Modern Defense in Depth

block the ransomware callback domain (which is part of the infection process)? The answer is likely no. Remember, most ransomware strains must make an initial callback to an attacker for an encryption key exchange, or the attacker will never be able to decrypt the user files. When ransomware needs to perform this callback, we can use recursive DNS servers to stop it and thereby help keep the ransomware from becoming an epidemic by spreading to other devices located elsewhere in the network. As we can see from these two examples, integration between the lines of defense is desperately needed.

Conclusion

In this chapter, I highlighted many of the technologies that are so often found in nearly all organizations today and how they're deployed. In fact, I have implemented many of the technologies mentioned so far in this book exactly in the same way as previously described. What I have discovered is that these independent lines of defense commonly found in most organizations are not working in concert, have no awareness of one another, and are not sharing internal threat intelligence or acting on it. Because these technologies are doing nothing more than operating as lone citadels (towers), as highlighted in Figure 1-1, it's no wonder that attackers are so successful.

Figure 1-1. Lack of proper integration leads to technologies operating as lone citadels.

Figure 1-1 emphasizes the gaps that often occur due to the lack of integration in our current security approaches. Understanding that all of these technologies are operating independently, attackers consistently find ways of slipping through the "openings" that seem to

8 | Chapter 1: What's Not Working, and Why?
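As an added illustration of the DNS-tier defense described above (example code written for this page, not from the report or any vendor product): a recursive resolver's query log is checked against a shared blocklist of ransomware callback domains, and every client that attempted a callback is reported so the endpoint tier can act on it. The log format, the domain names and the IP addresses are all constructed assumptions, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample of recursive-resolver query log lines. The format is an
# assumption loosely modelled on a BIND-style query log; this is not real data.
SAMPLE_QUERY_LOG = """\
2024-05-01T10:00:01Z client 10.1.2.33#51234: query: www.example.com IN A
2024-05-01T10:00:02Z client 10.1.2.33#51240: query: Key-Exchange.Evil-Callback.example. IN A
2024-05-01T10:00:03Z client 10.1.2.47#40011: query: mail.example.org IN MX
2024-05-01T10:00:04Z client 10.1.2.47#40012: query: evil-callback.example IN A
2024-05-01T10:00:05Z client 10.1.2.50#50500: query: notevil-callback.example IN A
"""

# Constructed blocklist that internal threat intelligence would share with the
# DNS tier (placeholder names, not real indicators).
CALLBACK_BLOCKLIST = {"evil-callback.example", "c2-beacon.test"}

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so matching is consistent."""
    return name.lower().rstrip(".")


def is_blocked(qname: str, blocklist) -> bool:
    """True if qname equals a blocked domain or is a subdomain of one.
    Matching is done on label boundaries, so 'notevil-callback.example'
    does not match 'evil-callback.example'."""
    q = normalize(qname)
    return any(q == b or q.endswith("." + b) for b in map(normalize, blocklist))


def find_callback_attempts(log_text: str, blocklist):
    """Return {client_ip: [blocked qnames]} for queries the resolver should
    have refused; each client listed is a candidate for endpoint isolation."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_blocked(m.group("qname"), blocklist):
            hits[m.group("ip")].append(normalize(m.group("qname")))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in find_callback_attempts(SAMPLE_QUERY_LOG, CALLBACK_BLOCKLIST).items():
        print(f"isolate {ip}: attempted callback to {', '.join(names)}")
```

The returned mapping is the hand-off point the chapter argues for: the DNS line of defense has already refused the lookup, and the endpoint line of defense learns which hosts to contain before they spread.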
