
Mastering Defensive Security

By: Cesar Bravo

Overview of this book

Every organization has its own data and digital assets that need to be protected against an ever-growing threat landscape that compromises the availability, integrity, and confidentiality of crucial data. Therefore, it is important to train professionals in the latest defensive security skills and tools to secure them. Mastering Defensive Security provides you with in-depth knowledge of the latest cybersecurity threats along with the best tools and techniques needed to keep your infrastructure secure. The book begins by establishing a strong foundation of cybersecurity concepts and advances to explore the latest security technologies such as Wireshark, Damn Vulnerable Web App (DVWA), Burp Suite, OpenVAS, and Nmap, hardware threats such as a weaponized Raspberry Pi, and hardening techniques for Unix, Windows, web applications, and cloud infrastructures. As you make progress through the chapters, you'll get to grips with several advanced techniques such as malware analysis, security automation, computer forensics, and vulnerability assessment, which will help you to leverage pentesting for security. By the end of this book, you'll have become familiar with creating your own defensive security tools using IoT devices and developed advanced defensive security skills.
Table of Contents (23 chapters)
Section 1: Mastering Defensive Security Concepts
Section 2: Applying Defensive Security
Section 3: Deep Dive into Defensive Security

Mastering defense in depth

Back in the old days, people relied on perimeter defense, that is, erecting a virtual fence to keep unauthorized people out of your systems.

Figure 1.8 – Single-layer perimeter defense


However, the threat landscape has evolved, and we must do the same!

While perimeter defense is mostly based on a single layer of protection (normally a network layer), Defense in Depth (DiD) takes this further by applying a plurality of security layers in which each layer offers a new line of defense against an attack.

Normally, those layers are independent, and each of them provides a different security mechanism that increases the overall security. The benefit of this independence is that a vulnerability that affects one layer may be irrelevant to the other layers. This is a great advantage over a pyramidal model where, if the foundation is affected, the rest will fall.

However, this independence also has its downside in terms of the complexity of the operations. In this case, managing all the different layers (configuration, test, updates, maintenance) is not an easy task, but who says that our job will be easy!

Factors to consider when creating DiD models

Most DiD models create the layers based on technology; however, if you want to apply DiD as a master, you must also consider the following two very important factors: People and Processes.


The DiD model can be applied at a macro level (to the entire organization) or at a micro level (to a single system or technology). This means that once you master this method, you can use it to create your overall security strategy, as well as use it to create the security strategy to secure your web apps.

Now, let's analyze these two factors in detail.

The people

People are often pointed to as the biggest threat in cybersecurity…and they are! And we are not talking about the criminals; we are talking about your company employees who are responsible for many of the security breaches, either as a result of an inadvertent error or by being used by an attacker to gain access to some systems or data.

Therefore, we must consider the human factor when developing our defense strategy. Ignore this and your strategy will be doomed.

The very first step here for you is to segment the company employees by access type. Users should be created on a need-to-know/need-to-do basis. This segmentation of employees should be performed as part of your identity and access management process, and while, in the beginning, it may be a time-consuming process, in the end, I assure you that the investment is well worth it.

Admin rights

Some companies have started to adopt a policy of providing admin rights to all employees over their work computers. The justification is the huge cost associated with having a support team in charge of helping the user every time they need to install software, hardware, an update, or a plugin.

But what about the cost of reinstalling a machine following a malware infection? What about the cost associated with the installation of corrupted drivers? What about the cost of a data leak due to the installation of a trojan? What about the legal cost of the installation of unlicensed or restricted software? Those are some of the questions that you may ask senior management in case they want to provide admin rights to everyone. Remember, it is your responsibility to help your organization to understand that security will always be above usability and user experience.

Are you saying this should not be done? No, I am just saying that this needs to be carefully analyzed from the cybersecurity perspective to ensure that if applied, all appropriate controls are in place to reduce the risks mentioned earlier.
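The two preceding points, segmenting users on a need-to-know/need-to-do basis and keeping admin rights under control, can both be checked with a periodic access review. The following is an added example, not code from the book or its author: it assumes a constructed per-role baseline of entitlements (the names `ROLE_BASELINE`, `USERS`, and the entitlement labels are all invented for the example) and a constructed export of users, and it flags every entitlement a user holds beyond what their role needs, calling out local admin rights separately.

```python
"""Least-privilege access review (added example; not from the book).

Assumes a constructed export of users with their job role and the
entitlements currently granted, plus a per-role baseline of what the
role needs. Accounts holding entitlements outside their baseline are
flagged for review, and local admin rights are reported separately.
"""

# Constructed role baselines: the entitlements each role needs to do its job.
ROLE_BASELINE = {
    "developer": {"git", "ci", "dev-db-read"},
    "finance": {"erp", "payroll"},
    "helpdesk": {"ticketing", "local-admin"},  # helpdesk installs software for others
    "sales": {"crm"},
}

# Constructed user export (the shape an IAM or directory dump might have).
USERS = [
    {"user": "alice", "role": "developer", "entitlements": {"git", "ci", "dev-db-read"}},
    {"user": "bob", "role": "developer", "entitlements": {"git", "ci", "local-admin"}},
    {"user": "carol", "role": "finance", "entitlements": {"erp", "payroll", "prod-db-write"}},
    {"user": "dave", "role": "helpdesk", "entitlements": {"ticketing", "local-admin"}},
    {"user": "erin", "role": "sales", "entitlements": {"crm", "local-admin", "erp"}},
]


def review_access(users, baseline):
    """Return {user: sorted list of entitlements outside the role baseline}.

    A role with no baseline is treated as granting nothing, so every
    entitlement of such a user is reported: an unknown role cannot be
    justified on a need-to-know basis.
    """
    findings = {}
    for u in users:
        allowed = baseline.get(u["role"], set())
        excess = set(u["entitlements"]) - allowed
        if excess:
            findings[u["user"]] = sorted(excess)
    return findings


def unjustified_admins(users, baseline):
    """Users holding local-admin rights that their role baseline does not grant."""
    return sorted(
        u["user"]
        for u in users
        if "local-admin" in u["entitlements"]
        and "local-admin" not in baseline.get(u["role"], set())
    )


def summary(users, baseline):
    """One dict with the figures a reviewer would put in a report."""
    findings = review_access(users, baseline)
    return {
        "reviewed": len(users),
        "with_excess": len(findings),
        "excess": findings,
        "unjustified_admins": unjustified_admins(users, baseline),
    }


if __name__ == "__main__":
    for user, excess in review_access(USERS, ROLE_BASELINE).items():
        print(f"{user}: outside role baseline -> {', '.join(excess)}")
    print("Unjustified local admins:", unjustified_admins(USERS, ROLE_BASELINE))
```

Running this against the constructed data reports bob, carol, and erin as holding entitlements their roles do not need, and bob and erin as local admins without a role-based justification, while dave (helpdesk) is accepted because his role baseline includes that right.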

The processes

You must have an in-depth understanding of the organization that you are tasked with defending. You can achieve this by understanding all the company's processes (or at least the core of them). Once you know them, it will be easier for you to identify vulnerabilities and risks where others don't!

I understand that as a technical person, you may hate processes and the associated (and mostly) outdated documentation that it brings, but trust me, if you know them, you will bring an exceptional value that very few are capable of providing to their organization.

Another reason to familiarize yourself with the processes is that you will eventually have to create your own. One good tip is to create your processes in alignment with the organizational processes; this will enable you to reduce risks while closing any potential gaps.

Additionally, I suggest you evaluate/analyze those three factors (Technology, People, and Processes) from two perspectives: Internal and External.


I suggest you do an inventory of your technology, processes, and types of employees, and then evaluate the risks (internal/external) associated with each of them, as shown in the following diagram.

Figure 1.9 – Risk evaluation matrix based on three factors


Now that we have reviewed the factors that need to be considered and how to manage them, it is time to move forward to understand how to determine which assets will be defended by our DiD model and how to prioritize them.

Asset identification

In an ideal world, you would apply the strongest defense across the entire organization, but as you may know, that is not realistic because the stronger the security, the higher the cost.

Therefore, before moving forward, you must analyze your systems and data and sort them to prioritize the defense strategy for each type.


Once you have identified the different systems and data, create a Kanban-like board in which the columns are the levels of security (with an associated cost), and then schedule a meeting with relevant upper management (CEO, CFO) and ask them to place the different systems and data in the desired security level (columns). This is a great tool for you when it comes to supporting your budget request, but also when delegating the responsibility of the security level selected for each system/infrastructure or dataset.

The following diagram is an example of a Kanban-like board that can be used to determine Asset priorities (based on impact) and also to support budget requests made to upper management:

Figure 1.10 – Sample Kanban-like board for asset classification

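Both the risk evaluation matrix (Figure 1.9) and the Kanban-like board (Figure 1.10) are easy to keep as data once the inventory exists. The following is an added example, not code from the book or its author: it assumes a constructed inventory in which every item is tagged with one of the three factors, rated 1 to 5 for internal and external risk, and placed by management in one of three assumed security levels (`basic`, `standard`, `high`) with invented cost figures. From that it derives the matrix, a risk ranking, the board columns, the budget those choices imply, and a list of assets whose chosen level looks inconsistent with their rating.

```python
"""Risk matrix and asset-classification board (added example, not from the book).

Assumes a constructed inventory tagged by factor (technology, people,
process), rated 1-5 for internal and external risk, and assigned to one
of three assumed security levels with constructed per-asset costs.
"""

# Assumed security levels (the board's columns) and a constructed cost per asset.
SECURITY_LEVELS = {"basic": 5_000, "standard": 20_000, "high": 60_000}

# Constructed inventory: factor, internal/external risk (1-5), level chosen by management.
INVENTORY = [
    {"asset": "customer-db", "factor": "technology", "internal": 4, "external": 5, "level": "high"},
    {"asset": "payroll-app", "factor": "technology", "internal": 3, "external": 2, "level": "standard"},
    {"asset": "marketing-site", "factor": "technology", "internal": 1, "external": 3, "level": "basic"},
    {"asset": "legacy-fileshare", "factor": "technology", "internal": 4, "external": 4, "level": "basic"},
    {"asset": "contractors", "factor": "people", "internal": 4, "external": 2, "level": "standard"},
    {"asset": "finance-staff", "factor": "people", "internal": 3, "external": 4, "level": "high"},
    {"asset": "change-management", "factor": "process", "internal": 2, "external": 1, "level": "basic"},
    {"asset": "vendor-onboarding", "factor": "process", "internal": 2, "external": 4, "level": "standard"},
]


def risk_matrix(inventory):
    """Factor x perspective matrix holding the highest rating seen in each cell
    (the worst item in a factor drives that cell)."""
    matrix = {}
    for item in inventory:
        cell = matrix.setdefault(item["factor"], {"internal": 0, "external": 0})
        cell["internal"] = max(cell["internal"], item["internal"])
        cell["external"] = max(cell["external"], item["external"])
    return matrix


def ranked_assets(inventory):
    """Assets ordered by combined risk, highest first; ties broken by name."""
    key = lambda i: (-(i["internal"] + i["external"]), i["asset"])
    return [item["asset"] for item in sorted(inventory, key=key)]


def board(inventory, levels=SECURITY_LEVELS):
    """Group assets by the security level they were placed in (the columns)."""
    columns = {level: [] for level in levels}
    for item in inventory:
        columns[item["level"]].append(item["asset"])
    return columns


def budget(inventory, levels=SECURITY_LEVELS):
    """Total cost implied by the levels management selected."""
    return sum(levels[item["level"]] for item in inventory)


def mismatches(inventory, levels=SECURITY_LEVELS):
    """Assets with high combined risk (>= 8) in the cheapest level, or low risk
    (<= 4) in the most expensive one: decisions worth revisiting with management."""
    ordered = sorted(levels, key=levels.get)
    lowest, highest = ordered[0], ordered[-1]
    out = []
    for item in inventory:
        score = item["internal"] + item["external"]
        if score >= 8 and item["level"] == lowest:
            out.append((item["asset"], "high risk in lowest level"))
        elif score <= 4 and item["level"] == highest:
            out.append((item["asset"], "low risk in highest level"))
    return out


if __name__ == "__main__":
    for factor, cell in risk_matrix(INVENTORY).items():
        print(f"{factor:12} internal={cell['internal']} external={cell['external']}")
    print("ranking:", ranked_assets(INVENTORY))
    print("board:", board(INVENTORY))
    print("budget:", budget(INVENTORY))
    print("mismatches:", mismatches(INVENTORY))
```

The `mismatches` check is the part that earns its keep in the budget meeting: with the constructed data it singles out `legacy-fileshare`, which is rated high on both perspectives but was placed in the cheapest column.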

Now it is time to create the layers of your DiD model.

Defense by layers

Here, you will use the inputs from the asset prioritization that we just created to develop the best layered model based on your resources.

There is an open debate ongoing about whether it is better to have one super strong control or multiple good controls.

Let's look at some pros and cons of a sample scenario so that you can draw your own conclusions.

Figure 1.11 – Single strong control versus the multi-control approach

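One way to reason about the scenario in Figure 1.11 is to model each control as something that stops an attack with a certain probability. The following is an added example, not from the book or its author: under the assumption that layers fail independently, the chance an attack gets through all of them is the product of the per-layer bypass probabilities; the second function drops that assumption by letting an assumed fraction of attacks exploit a weakness shared by every layer (for example, a credential or misconfiguration they all trust), which is exactly why the independence of layers discussed earlier matters.

```python
"""Residual risk of one strong control versus several good ones (added example).

Not from the book. Each layer is modelled as a control that stops an
attack with a given probability. The independent case multiplies the
per-layer bypass probabilities; the shared-weakness case assumes a
fraction of attacks defeats every layer at once.
"""
from math import prod


def bypass_probability(effectiveness):
    """Probability that an attack gets past every layer, assuming the layers
    fail independently. effectiveness lists per-layer stop rates in [0, 1]."""
    for e in effectiveness:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness out of range: {e}")
    return prod(1.0 - e for e in effectiveness)


def bypass_with_shared_weakness(effectiveness, shared_fraction):
    """Like bypass_probability, but shared_fraction of attacks exploit a weakness
    common to all layers and are stopped by none of them; the rest still face
    every layer independently."""
    if not 0.0 <= shared_fraction <= 1.0:
        raise ValueError("shared_fraction must be in [0, 1]")
    return shared_fraction + (1.0 - shared_fraction) * bypass_probability(effectiveness)


def compare(single, layers, shared_fraction=0.0):
    """(single-control bypass, layered bypass), rounded for display."""
    return (
        round(bypass_with_shared_weakness([single], shared_fraction), 6),
        round(bypass_with_shared_weakness(layers, shared_fraction), 6),
    )


if __name__ == "__main__":
    # One 99% control versus three independent 90% controls (assumed figures).
    print("independent:", compare(0.99, [0.9, 0.9, 0.9]))
    # Same controls, but 2% of attacks use a weakness all layers share (assumed).
    print("shared weakness:", compare(0.99, [0.9, 0.9, 0.9], shared_fraction=0.02))
```

With the assumed figures, three independent 90% controls leave a 0.1% bypass chance against 1% for a single 99% control, but as soon as 2% of attacks share a weakness across the layers, both options sit above 2% and the advantage of stacking shrinks to the remaining 98% of traffic. The conclusion to draw is the one the text already makes: the value of multiple controls depends on them being genuinely independent.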

There are two ways to create your layers, by means of the functionality of the control or by technology, as explained next.

Creating layers by type or functionality of the control

Here, you create the layers based on the functionality or type of controls.

The idea is that you correlate what you are trying to secure against the controls applicable to it. For example, there will be cases in which corrective controls may not be relevant, while in other cases, they should be the priority. Remember that in security, everything needs to be tailor-made based on the business.

Figure 1.12 – Layered security by the control function


Figure 1.12 shows a full layered model that includes the most popular controls layered by their function. For example, an electrified fence to prevent someone from entering the building, a camera system to detect intruders, a security guard to deter potential intruders, biometric authentication or geolocation as an alternative method to compensate for a more expensive mechanism, a backup to perform the recovery following a disaster, and "reboot to restore" software (such as Deep Freeze) to correct any issue or misconfiguration on a given system.

Creating layers by technology

Here, you create layers of controls based on the technology used, even when they provide the same functionality. For example, you may implement several methods or technologies on a critical system to detect intruders (IDS, audits, logs, and so on).

Figure 1.13 – Layered security by technology


In the preceding diagram, you can see an example of how you can create layers based on the technology. For example, a camera and a sensor may both be a detective control, but both use different technologies to achieve it. This model is very useful when you want to increase the focus on a given functionality, for example, implementing a plurality of technologies to provide a special focus on detection or prevention.


To make things more interesting, remember that layers can also be further divided into three categories of controls: administrative, physical, and technical. I know that you are already familiar with those categories (so there is no need to waste ink explaining them), but I just want you to keep in mind that you can add components from all three categories in the same layer.
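The two ways of building layers just described (by control function and by technology) and the three control categories can be checked against each other once the controls are written down as data. The following is an added example, not code from the book or its author: it assumes a constructed control inventory for one critical system, in which every control carries the function it serves, the technology it relies on, and its category (the control names, technology labels, and `FUNCTIONS` tuple are all invented for the example). It reports which functions have no control at all, which are served by a single technology, and how the controls spread over the three categories.

```python
"""Coverage check for a layered model (added example, not from the book).

Takes a constructed control inventory for one critical system, each
control tagged with function, technology, and category, and reports the
gaps that layering by function or by technology would close.
"""

# Assumed control functions (the layers of the by-function model).
FUNCTIONS = ("deterrent", "preventive", "detective", "corrective", "recovery", "compensating")
CATEGORIES = ("administrative", "physical", "technical")

# Constructed control inventory for one critical system.
CONTROLS = [
    {"name": "security guard", "function": "deterrent", "technology": "staff", "category": "physical"},
    {"name": "electrified fence", "function": "preventive", "technology": "fence", "category": "physical"},
    {"name": "host firewall", "function": "preventive", "technology": "firewall", "category": "technical"},
    {"name": "camera system", "function": "detective", "technology": "camera", "category": "physical"},
    {"name": "network IDS", "function": "detective", "technology": "ids", "category": "technical"},
    {"name": "log review", "function": "detective", "technology": "logs", "category": "administrative"},
    {"name": "nightly backup", "function": "recovery", "technology": "backup", "category": "technical"},
    {"name": "reboot-to-restore", "function": "corrective", "technology": "restore-software", "category": "technical"},
]


def by_function(controls):
    """Map each control function to the set of technologies serving it."""
    layers = {f: set() for f in FUNCTIONS}
    for c in controls:
        if c["function"] not in layers:
            raise ValueError(f"unknown control function: {c['function']}")
        layers[c["function"]].add(c["technology"])
    return layers


def missing_functions(controls):
    """Functions with no control at all: gaps in the by-function model."""
    return [f for f, techs in by_function(controls).items() if not techs]


def single_technology_functions(controls):
    """Functions covered by exactly one technology. A weakness specific to that
    technology removes the whole layer, which is what layering by technology fixes."""
    return [f for f, techs in by_function(controls).items() if len(techs) == 1]


def category_mix(controls):
    """Number of controls in each of the three categories."""
    counts = {cat: 0 for cat in CATEGORIES}
    for c in controls:
        if c["category"] not in counts:
            raise ValueError(f"unknown category: {c['category']}")
        counts[c["category"]] += 1
    return counts


def report(controls):
    """The three findings a reviewer of the model would want in one place."""
    return {
        "missing": missing_functions(controls),
        "single_technology": single_technology_functions(controls),
        "categories": category_mix(controls),
    }


if __name__ == "__main__":
    for key, value in report(CONTROLS).items():
        print(f"{key}: {value}")
```

With the constructed inventory, the detective layer is the only one with real technology diversity (camera, IDS, and log review, spread across all three categories); deterrent, corrective, and recovery each depend on a single technology, and there is no compensating control at all, which is the kind of output you would bring to the "which approach is better" discussion that follows.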

Which approach is better?

This will depend on your infrastructure, and that is why performing an in-depth analysis of the environment is key.

Remember that the logic behind this is to make things harder for an attacker and you can achieve that with both methods.

Benefits of a security by layer model

There are a lot of benefits associated with the implementation of a security by layer approach, and Figure 1.14 highlights some of them for you to consider whether they can be beneficial for your defensive security strategy:

Figure 1.14 – Benefits of implementing a security by layer model


Additionally, upper management will also benefit from implementing this type of security model, as it enables the company to allocate cybersecurity resources better.


Layered models were designed to work in isolation, which means that there is no communication between the layers. However, the latest research studies confirm that interconnecting the layers will improve the system, as one layer may learn from another to better protect against an upcoming threat.

Keep in mind (like everything else in security) that a layered model that works today may be obsolete in 2 years, so you need to constantly evaluate your layers to determine if they still offer the required level of security.

Bonus track

I know you want to see the latest and greatest technologies, so here are a couple of systems recently developed that can be implemented on layered security models.

Mobile device feature disablement

This is a very interesting project (patented in the US) that I worked on recently with my friend and master inventor, Eric Rueger. The idea is a system that prevents the execution of a plurality of systems on a mobile device based on a plurality of factors such as time and location. Therefore, this is a state-of-the-art system that can be applied to the preventive or detective layer of the model. Here is the link:

Cognitive security adjustments based on the user

If you want to see one real example of how you can add AI to a preventive layer (and take your layered model to the next level), take a look at this patent pending in which the system monitors the user's emotional state and level of attention to determine whether the user's computer should be automatically locked to prevent unauthorized access or the inadvertent disclosure of sensitive information. In terms of the development of this system, I had the privilege to work with one of the most prolific inventors in human history, Greg Boss: