Defense in Depth

beginner25 minWriteup

Understanding layered security and defense strategies

Learning Objectives

  • Understand defense in depth
  • Learn security controls
  • Know the cyber kill chain
  • Understand MITRE ATT&CK

Defense in Depth is the philosophy that no single security measure is enough. Instead, you layer multiple defenses so that if one fails, others still protect you. Think of it like a medieval castle: moat, walls, towers, guards, and a final keep. Attackers must breach ALL layers.

Imagine your security like an onion (or if you prefer, an ogre - they have layers too). Each layer an attacker must peel through increases their chance of detection and decreases their chance of success. A firewall is great, but what happens when someone walks in with a malicious USB? That's why we need layers.

The Swiss Cheese Model

Each security layer has holes (vulnerabilities). But when you stack multiple layers with different holes, it becomes nearly impossible for an attack to pass through all layers undetected. The holes don't align!

The Security Layers

1Defense in Depth Layers:
2 
3┌─────────────────────────────────────────────────────────────┐
4│                    PHYSICAL SECURITY                        │
5│  Guards, Badges, Locks, Cameras, Fences                     │
6├─────────────────────────────────────────────────────────────┤
7│                    PERIMETER SECURITY                       │
8│  Firewalls, IDS/IPS, DMZ, VPN, WAF                         │
9├─────────────────────────────────────────────────────────────┤
10│                    NETWORK SECURITY                         │
11│  Segmentation, VLANs, NAC, Network Monitoring              │
12├─────────────────────────────────────────────────────────────┤
13│                    ENDPOINT SECURITY                        │
14│  Antivirus, EDR, Host Firewall, Patch Management           │
15├─────────────────────────────────────────────────────────────┤
16│                    APPLICATION SECURITY                     │
17│  Input Validation, Authentication, Encryption              │
18├─────────────────────────────────────────────────────────────┤
19│                    DATA SECURITY                            │
20│  Encryption, DLP, Access Controls, Backups                 │
21├─────────────────────────────────────────────────────────────┤
22│                    POLICIES & PROCEDURES                    │
23│  Security Training, Incident Response, Compliance          │
24└─────────────────────────────────────────────────────────────┘
25 
26Each layer is a barrier. Attackers must defeat ALL to reach data.

Think of this like protecting a diamond in a museum. The building has locks (physical), alarm systems (perimeter), security cameras (network), guards (endpoint), a glass case (application), and the diamond is in a vault (data). Plus there's a policy that guards must check every visitor.

The Cyber Kill Chain

Developed by Lockheed Martin, the Cyber Kill Chain describes the stages of a cyber attack. Understanding this helps us know WHERE to place defenses and HOW to detect attacks at each stage.

1The Cyber Kill Chain:
2 
31. RECONNAISSANCE
4   └── Attacker gathers info (OSINT, scanning)
5   └── Defense: Minimize public info, detect scans
6 
72. WEAPONIZATION
8   └── Attacker creates malware/exploit
9   └── Defense: Threat intelligence, understand TTPs
10 
113. DELIVERY
12   └── Attacker sends payload (email, USB, web)
13   └── Defense: Email filtering, web proxy, USB controls
14 
154. EXPLOITATION
16   └── Vulnerability is triggered
17   └── Defense: Patching, hardening, EDR
18 
195. INSTALLATION
20   └── Malware establishes persistence
21   └── Defense: Application whitelisting, monitoring
22 
236. COMMAND & CONTROL (C2)
24   └── Attacker establishes communication
25   └── Defense: DNS monitoring, proxy logs, outbound filtering
26 
277. ACTIONS ON OBJECTIVES
28   └── Attacker achieves goal (data theft, ransomware)
29   └── Defense: DLP, encryption, backups, monitoring
30 
31606070;">#a5d6ff;">"Break the chain at ANY point = attack stopped"

Left of Boom

In security, we talk about "left of boom" (before the attack succeeds) and "right of boom" (after). The earlier you detect and stop an attack in the kill chain, the less damage occurs.

MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of real-world attacker behaviors. It's like a detailed catalog of every trick attackers use, organized by what they're trying to accomplish.

1MITRE ATT&CK Tactics (Attack Phases):
2 
3┌────────────────────────────────────────────────────────────────┐
4│  Tactic            │  What Attacker is Doing                  │
5├────────────────────┼────────────────────────────────────────────┤
6│  Reconnaissance    │  Gathering information about target       │
7│  Resource Dev.     │  Setting up infrastructure                │
8│  Initial Access    │  Getting into the network                 │
9│  Execution         │  Running malicious code                   │
10│  Persistence       │  Maintaining access after reboot         │
11│  Privilege Esc.    │  Getting higher permissions              │
12│  Defense Evasion   │  Avoiding detection                      │
13│  Credential Access │  Stealing passwords/tokens               │
14│  Discovery         │  Learning about the environment          │
15│  Lateral Movement  │  Moving to other systems                 │
16│  Collection        │  Gathering data to steal                 │
17│  Exfiltration      │  Stealing data out                       │
18│  Impact            │  Destroying/encrypting data              │
19└────────────────────┴────────────────────────────────────────────┘
20 
21Each tactic contains TECHNIQUES (specific methods)
22Each technique has PROCEDURES (exact implementations)

Using ATT&CK for Defense

1How Defenders Use MITRE ATT&CK:
2 
31. DETECTION MAPPING
4   - Map your detection rules to ATT&CK techniques
5   - Identify gaps in your coverage
6   - Example: 606070;">#a5d6ff;">"Do we detect T1059 (Command & Scripting Interpreter)?"
7 
82. THREAT INTELLIGENCE
9   - Map threat actor TTPs to ATT&CK
10   - Know which techniques APT groups use
11   - Prioritize defenses against relevant threats
12 
133. RED TEAM / PURPLE TEAM
14   - Structure tests around ATT&CK techniques
15   - Validate detection capabilities
16   - Measure improvement over time
17 
184. INCIDENT RESPONSE
19   - Categorize attacker activity
20   - Common language across teams
21   - Predict next moves based on known patterns
22 
23Website: https:606070;">//attack.mitre.org/

ATT&CK Navigator

MITRE provides a free tool called ATT&CK Navigator that lets you visualize your detection coverage. Color-code techniques you can detect (green), partially detect (yellow), or can't detect (red). It's eye-opening to see the gaps!

Types of Security Controls

1Security Controls by Function:
2 
3PREVENTIVE (Stop attacks before they happen)
4├── Firewalls - Block unauthorized traffic
5├── Access Control - Limit who can access what
6├── Encryption - Protect data in transit/at rest
7├── Patching - Remove vulnerabilities
8└── Training - Prevent human errors
9 
10DETECTIVE (Identify attacks in progress)
11├── IDS/IPS - Detect malicious traffic
12├── SIEM - Correlate security events
13├── EDR - Monitor endpoint behavior
14├── Log Analysis - Find suspicious patterns
15└── File Integrity Monitoring - Detect changes
16 
17CORRECTIVE (Fix problems after detection)
18├── Incident Response - Contain and remediate
19├── Backup & Recovery - Restore from attacks
20├── Patch Management - Fix vulnerabilities
21└── Antivirus Quarantine - Isolate malware
22 
23DETERRENT (Discourage attacks)
24├── Warning Banners - Legal notices
25├── Security Cameras - Visible surveillance
26├── Threat of Prosecution - Legal consequences
27└── Visible Security Team - Shows preparedness
28 
29COMPENSATING (Alternative when primary control fails)
30├── Monitoring old system that can't be patched
31├── Network isolation for vulnerable device
32└── Additional logging when prevention isn't possible

Controls Must Overlap

Never rely on a single control type. If you only have preventive controls and an attacker bypasses them, you won't know you've been compromised. Always pair prevention with detection!

Practical Example: Phishing Defense

1Defense in Depth Against Phishing:
2 
3LAYER 1: Email Gateway
4├── Block known malicious senders (IP reputation)
5├── Scan attachments for malware
6├── Check URLs against threat intelligence
7├── SPF/DKIM/DMARC validation
8└── Sandboxing suspicious attachments
9 
10LAYER 2: User Training (The Human Firewall)
11├── Phishing awareness training
12├── Simulated phishing campaigns
13├── Clear reporting process
14└── Reward for reporting
15 
16LAYER 3: Endpoint Protection
17├── EDR detects malicious behavior
18├── Application whitelisting
19├── Macro blocking in Office
20└── Browser isolation
21 
22LAYER 4: Network Controls
23├── Web proxy blocks malicious domains
24├── DNS filtering
25├── Network segmentation
26└── Outbound traffic monitoring
27 
28LAYER 5: Identity & Access
29├── MFA prevents credential use
30├── Conditional access policies
31├── Privileged access management
32└── Session monitoring
33 
34LAYER 6: Data Protection
35├── DLP prevents data exfiltration
36├── File encryption
37├── Access logging
38└── Backup systems
39 
40Result: Even if user clicks link, multiple layers can still stop attack!

Assume Breach Mentality

Modern security thinking assumes that attackers WILL get in. It's not about if, but when. This mindset shifts focus from only prevention to detection, response, and limiting damage.

1Assume Breach Principles:
2 
31. LIMIT BLAST RADIUS
4   - Network segmentation
5   - Least privilege access
6   - Separate admin accounts
7   - Microsegmentation
8 
92. DETECT QUICKLY
10   - Continuous monitoring
11   - Behavioral analytics
12   - Threat hunting
13   - Honeypots and deception
14 
153. RESPOND RAPIDLY
16   - Incident response plan
17   - Automated containment
18   - Forensic readiness
19   - Communication plans
20 
214. RECOVER RESILIENTLY
22   - Tested backups
23   - Disaster recovery
24   - Business continuity
25   - Lessons learned process
26 
27"It's not about preventing every attack.
28 It's about detecting fast and limiting damage."

Dwell Time

"Dwell time" is how long an attacker stays undetected in your network. Industry average is 100+ days! The goal is to reduce this to hours or minutes. Assume breach mentality helps by focusing on detection.

Building Defense in Depth

Implementing Defense in Depth

1
Identify AssetsKnow what you're protecting (crown jewels)
2
Assess RisksUnderstand threats and vulnerabilities
3
Layer ControlsImplement multiple control types at each layer
4
Monitor EverythingLogs, alerts, metrics for all layers
5
Test RegularlyRed team, penetration tests, tabletops
6
Improve ContinuouslyLearn from incidents and near-misses

Knowledge Check

Quick Quiz
Question 1 of 3

What is the main principle behind Defense in Depth?

Challenges

Map Your Defenses

Challenge
🌱 beginner

Think about a home network. List at least 5 different security layers you could implement, categorizing each as preventive, detective, or corrective.

Need a hint? (4 available)

Key Takeaways

  • Defense in Depth = multiple security layers, not relying on one control
  • The Cyber Kill Chain describes attack phases - break any link to stop the attack
  • MITRE ATT&CK catalogs real attacker techniques for better detection
  • Security controls are preventive, detective, corrective, deterrent, or compensating
  • Assume Breach mentality focuses on detection and limiting damage
  • No single layer is enough - controls must overlap and complement each other