Living in an Assume Breach world

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

assume breachSome security professionals claim their networks are secure from hacking. They may say this to justify a recent large purchase of security equipment. But many times, they say this because executive leadership or customers don’t want to hear the bad news that all systems can be breached. As the poet Cross Jami said, “When a man is penalized for honesty he learns to lie.”

Anyone with any experience in security knows better: a hack-proof security architecture is an unusable security architecture. There are always trade-offs and to do anything useful, we need to open ourselves up to risk. Given that a certain amount of risk of breach is inevitable on all practical systems, it is safer to defend your systems with this attitude.

The assume breach mindset

The traditional defenses we still have in place today will not be as effective against the attacks of today, and they will only deteriorate over time as new attacks and technologies are invented. Like antibiotic-resistant infection, malware has routed around signature-list antivirus solutions while network attacks have shifted to application and user identity attacks.

Like water, attackers flow to where the cracks are. Accepting that your network will be broken into is called the Assume Breach principle. It means you’ve accepted the fact that an attack is going to succeed no matter what, and you’re going to build your defenses accordingly.

Pick your battles

Your minimum level of security across the board must repel the opportunistic attackers. Luckily, we know what’s needed there: Vigorous access control, robust patching, minimal attack surfaces, malware control. But you need to realize that a determined attacker or unlucky zero day will break through that basic line of defense.

Sun Tzu said, “Those skilled in war bring the enemy to the field of battle and are not brought there by him.” So, we fight these opponents on favorable terms. This means we define the subset of our systems that really matter. The systems holding our most valuable intellectual property, the systems processing our critical transactions, the systems containing personal private information. These systems are what is in scope for our audits and where we concentrate our best controls.

Here is where we lay our best traps, spin our thorniest mazes, and bolt on sturdiest locks. (In compliance parlance, this area is called the “scope,” so I’ll use that term from now.) Put all your eggs in one basket and then watch that basket. But, this will drain a significant portion of your resources and impede practical usage of systems in scope. So, you’ll want to keep your scope as small and tight as possible, which obliges you to use the Least Privilege principle.


Now that you’ve defined your secure scope and concentrated additional controls there, what about the rest of your organization? Naturally, you will have controls and defenses in place there, but they won’t be as expensive or demanding to users. This is the zone where we expect a determined enemy to gain entry but we don’t want it so open that casual attackers and malware constantly sweep through. Movement from the un-scoped parts of your systems into the scoped systems should require passage through elevated access controls.

Furthermore, these systems should have barriers to deter any attacker, be they insider or outsider, from crossing over. This means assuming that an attacker has compromised the main systems and may have full administrative rights on the unscoped network, so there should be segregation in controls between the zones. Separating authentication domains, internal firewalls, and divergent anti-malware solutions is a good idea to ensure that whatever broke into the outside network won’t use the same methods to break into the scoped network. The key is rigid segregation to ensure that failures can’t cascade through interconnected systems into the systems in the scope.

Many networks already have evolved to include some of these controls to accommodate compliance and operational requirements. However, the Assume Breach design is a deliberate compartmentalization between zones of differing trust and as little overlap or interdependency as is feasible. In biology, the concept of enantiostasis refers to the ability of a system or organism to self-stabilize to maintain functionality in an unstable environment. That is the goal for the scoped systems.

Global visibility with rapid response

Since we are expecting attackers on our networks, we want to know what they’re doing and then jump on them as soon as possible. This means leaning harder on tools like threat intelligence, logging, and security incident response. It also necessitates that you already have a good idea of where all your important data is stored (and in what state? encrypted?), and what software should be running on machines. Again, this is resource intensive, which is why it’s easiest to concentrate these efforts on your scoped systems and the scope barriers.

Part of this visibility is using threat intelligence to monitor darknets and data breach notification services to see if or when your organization’s identities or intellectual properties become known to hackers. It also is useful to look for your organization’s IP addresses on things like reputation blacklists, botnet command and control (C&C) networks, or peer-to-peer file sharing nodes.

Visibility can also mean laying booby traps such as honeypots and alarmed fake data entries to detect when intruders are moving around inside your networks. Deceptive defenses such as these work very well deep in the scoped network since, by definition, there is less traffic and activity there to trigger an alarm.

Lastly, your incident response process and team should have their jobs down cold. Living in an Assume Breach world means that their services will be needed. In the middle of an incident is not the time to figure out who does what and who is going to notify the proper authorities.


Here it is again in a nutshell: Assume the bad guys will get in (because they will), so make sure they can only get to the stuff you don’t care as much about. Segregate the important things with the assumption that the barbarians will be at the gate, even if the gate is inside your own network. Watch for enemies within and without, while being ready to respond calmly and totally at a moment’s notice. This is living with the Assume Breach mindset.