In his book “A Burglar’s Guide to the City”, Geoff Manaugh describes the case of a thief who burgled a whole row of adjoining flats [1]. Instead of breaking into each property from outside, he broke into one and then entered the next one by simply cutting through the relatively weak internal walls. The so-called “drywall” burglar did this again and again until he got to the end of the block, carrying the stolen goods back through his “tunnel” at leisure.
Consider the cybersecurity problem early
Householders are often advised to upgrade their door and window locks to deter burglars. It’s not so easy to re-fit internal walls in a way that will stop an intruder. If the housebuilders didn’t consider the problem during construction, it may not be feasible to fix it later.
Cybersecurity experts emphasise the importance of applying security principles to the architecture of a system early in its development, at the design and build stages.
In fact, the first of the NCSC's secure design principles is to establish the context before designing a system [2]. That context includes an understanding of the system's threat model. The guidance suggests applying appropriate modelling techniques to understand the ways in which an attacker could achieve their objectives, and the level of capability such an attack would require.
Security controls can then be mapped to potential attack points to establish confidence in the resilience of the design.
As an architect, design the system from an attacker’s point of view
Doing this effectively requires architects and designers to view the system from an attacker’s point of view. In practice this can be difficult, simply because it involves a radical change of mindset.
The “drywall” burglar’s technique succeeded because the house builders and property owners didn’t consider the internal wall construction as a vulnerability that was likely to be exploited by an intruder. Criminals can be very creative when it comes to identifying weak points. At one time or another, many types of standard building features, including sewers, rooftops, air-conditioning ducts, garbage chutes and even wall cavities have all been “re-purposed” as access routes by burglars.
Manaugh, a writer who specialises in architecture and the built environment, regards burglary as an essentially “architectural” crime. It depends on the burglar having an appreciation of a building’s architecture that can be fundamentally different from that of the building’s legitimate users. In his words, burglary is “topology pursued by other means: a new science of the city, proceeding by way of shortcuts, splices and wormholes”. To a burglar, a roof can become an entryway, a wall can become a door and if a corridor doesn’t exist, he can make one.
How cyberattacks happen
Cyberattackers apply the same treatment to computer systems and networks. John Lambert, of the Microsoft Threat Intelligence Center, summarises the approach: “Assets are connected to each other by security relationships. Attackers breach a network by landing somewhere in the graph using a technique such as spearphishing, and they hack, finding vulnerable systems by navigating the graph. Who creates this graph? You do.” [3]
Attackers exploit the security relationships that actually exist between systems, not just the "authorised" paths taken by legitimate users. The graph of connections should be defined by the IT architecture and changed only when the needs of the enterprise change. In practice, however, it is also modified inadvertently or maliciously: for example, by installing software containing a vulnerability that can be exploited to gain access to other assets in the network, or by granting an account privileges on a system it was never meant to administer.
How can IT architecture help you protect against an attack?
One approach is to build your own graphs to help visualise attack paths. A graph allows you to see the routes to potential targets. This produces a view that corresponds to the one an attacker tries to construct by exploring your network. You can then take appropriate actions, for example by breaking connections to reduce the number of attack paths and by hardening the security of key nodes [4].
Some tools can generate graphs from the dependencies that exist in your networks. However, to identify the connections that your organisation actually requires, you will need to compare these with your IT architecture. Solutions such as HOPEX IT Architecture show not only how your IT assets are connected, but also how those assets support your business.
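The following Python script is an added example, not code from the original article and not from HOPEX or Microsoft. It builds the kind of graph described above from a constructed list of observed "security relationships" (an edge from A to B means an attacker who controls A can move to B), enumerates every attack path from a phishing landing point to a high-value target, finds the nodes that appear on every path (the best candidates for hardening), and shows how the path count changes when a connection is broken or a node is hardened. It also compares the observed edges with a constructed list of edges the architecture says should exist, to surface the connections nobody asked for. All host names and edges are invented for illustration.

```python
from collections import defaultdict

# Constructed sample data: observed security relationships in a small network.
# (a, b) means "an attacker controlling a can move to b" (cached credential,
# shared local admin password, reachable admin service, trust relationship...).
OBSERVED_EDGES = [
    ("internet", "workstation-1"),             # spearphishing landing point
    ("workstation-1", "workstation-2"),        # shared local admin password
    ("workstation-1", "file-server"),          # SMB share, write access
    ("workstation-2", "file-server"),
    ("workstation-2", "jump-host"),            # helpdesk account is admin on jump host
    ("file-server", "db-server"),              # service account credential cached
    ("jump-host", "db-server"),
    ("jump-host", "domain-controller"),
    ("db-server", "crown-jewels-db"),
    ("domain-controller", "crown-jewels-db"),  # DC admin can reach everything
]

# Constructed sample: the relationships the IT architecture actually requires.
# Everything observed but not listed here is an unplanned connection.
REQUIRED_EDGES = {
    ("internet", "workstation-1"),
    ("workstation-1", "file-server"),
    ("workstation-2", "file-server"),
    ("file-server", "db-server"),
    ("jump-host", "db-server"),
    ("jump-host", "domain-controller"),
    ("db-server", "crown-jewels-db"),
    ("domain-controller", "crown-jewels-db"),
}


def build_graph(edges):
    """Adjacency map: node -> set of nodes an attacker can pivot to from it."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def attack_paths(graph, src, dst):
    """All simple (loop-free) paths from src to dst, found by depth-first search."""
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):  # sorted for deterministic output
            if nxt not in path:                  # do not revisit a node on this path
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return paths


def choke_points(paths):
    """Nodes (other than the endpoints) that lie on every attack path.

    Hardening one of these cuts all paths at once, so they are the highest-value
    targets for controls such as credential guard, tiered admin or segmentation.
    """
    if not paths:
        return set()
    common = set(paths[0]).intersection(*(set(p) for p in paths[1:]))
    return common - {paths[0][0], paths[0][-1]}


def break_connection(edges, edge):
    """Remove one security relationship (e.g. stop sharing a local admin password)."""
    return [e for e in edges if e != edge]


def harden_node(edges, node):
    """Model a node the attacker can no longer take over: drop its inbound edges."""
    return [e for e in edges if e[1] != node]


def unauthorised_edges(observed, required):
    """Observed relationships that the architecture does not call for."""
    return set(observed) - set(required)


if __name__ == "__main__":
    SRC, DST = "internet", "crown-jewels-db"
    paths = attack_paths(build_graph(OBSERVED_EDGES), SRC, DST)
    print(f"{len(paths)} attack paths; choke points: {sorted(choke_points(paths))}")
    for p in paths:
        print("  " + " -> ".join(p))
    print("unplanned connections:", sorted(unauthorised_edges(OBSERVED_EDGES, REQUIRED_EDGES)))

    fixed = break_connection(OBSERVED_EDGES, ("workstation-1", "workstation-2"))
    print("after removing the shared admin password:",
          len(attack_paths(build_graph(fixed), SRC, DST)), "path(s)")

    hardened = harden_node(OBSERVED_EDGES, "db-server")
    print("after hardening db-server:",
          len(attack_paths(build_graph(hardened), SRC, DST)), "path(s)")
```

On the sample data the script finds four paths from the phishing landing point to the database, with workstation-1 as the only node common to all of them; removing the one unplanned edge created by a shared local admin password collapses the four paths to one. Real inventories will be far larger than this, and the simple path enumeration used here is exponential in the worst case, so for an enterprise graph you would switch to shortest-path or min-cut queries in a graph database, but the questions asked of the graph stay the same.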
If your data could be valuable to someone else, it’s likely that someone will try to find the vulnerabilities in your architecture. Before that happens, one of your best lines of defence will be to understand your own architecture better than they do.
References
[1] Manaugh, G. “A Burglar's Guide to the City” Farrar, Straus and Giroux, 2016
[2] “Secure design principles - Guides for the design of cyber secure systems” National Cyber Security Centre, Version 1.0, 21 May 2019
[3] Lambert, J. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” Blog, 26 April 2015
[4] Budja, A., Brinkmann, F., Aubin, H., Sabberton, J., Finkeisen, J. “3 ways to outsmart attackers by using their own playbook” Microsoft Secure Blog, 21 March 2017