Value of an IPS and utilising a defence-in-depth strategy

Most of our customers understand the concept of defence-in-depth; it is a long-standing security principle that all organisations should adopt. But in case you don't, the principle of defence-in-depth is that layered security mechanisms increase the security of the system as a whole.

Defence-in-depth minimises the probability that the efforts of malicious hackers will succeed. A well designed strategy of this kind can also help system administrators and security personnel identify people who attempt to compromise a computer, server, proprietary network or ISP (Internet service provider).
If an attack causes one security mechanism to fail, other mechanisms may still provide the protection the system needs. For example, it is not a good idea to rely entirely on a firewall to secure an internal-use-only application, as a determined attacker can usually circumvent a firewall (even if it requires a physical attack or some form of social engineering). Other security mechanisms that address different attack vectors (e.g. surveillance cameras, an IPS, and security awareness training) should be added to complement the protection a firewall affords.

The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defence system than to penetrate a single barrier.

Components of defence in depth include items such as antivirus software, firewalls, anti-spyware/malware programs, hierarchical passwords, intrusion detection/prevention systems, data loss prevention (DLP), HIDS (host based IDS), security information and event management (SIEM) solutions, regular penetration testing and biometric verification. In addition to electronic countermeasures, physical protection of business sites along with comprehensive and ongoing personnel training enhances the security of vital data against compromise, theft or destruction.

As a pentester I perform a lot of engagements against client networks, and although clients do tend to adhere to defence-in-depth strategies to a degree, a lot of the time two components are missing: monitoring/alerting and prevention mechanisms.

The effect of this is that either the client is logging attacks but nobody is reviewing the logs or, in most scenarios, attacks are not being reported at all, so the client is unaware of attempts to compromise the network and has zero visibility into IOCs (indicators of compromise) or existing breaches.

Remediating this can be as simple as deploying an Intrusion Prevention System (IPS). A number of vendors provide such devices (we recommend HP TippingPoint), and although an IPS won't completely protect you from every attack that will ever happen, it will give your network a large degree of protection and, most importantly, give you visibility into just how many attacks are occurring against it and alert you accordingly.
To give you an idea of how effective an IPS can be, check out the stats below. These are attacks detected and actioned by our IPS (just one of our many layers of prevention systems) over the last 6 months.
Kiandra currently defends against around 29,000 attacks each month against our network.

The jump in attacks can be attributed to increasing reconnaissance attacks. This is the type of activity a hacker will attempt in the first phase of an attack, for example through the use of the SIPVicious brute-force tool. You can find info on this here: and here: If we look at data released by HP, on average they are seeing 11,408,006 attacks of this type each month; most stem from addresses in the US, Germany and France and are most likely botnet/malware related.

Let's take this a step further. In a recent proof-of-concept deployment for a client, we installed two IPSs, one on the internal side of the LAN and another on the perimeter. The IPSs were active for between 1 week and 1 month.

What did we see? Around 1,000 attacks occurring each week, stemming from both inside and outside the network. We identified communication to a number of 'bad IPs'. We classify an IP as bad if it falls into one of the following categories:

  1. Miscellaneous
  2. Botnet
  3. Malware
  4. Misuse and Abuse
  5. Network Worm
  6. P2P
  7. Phishing
  8. Spam
  9. Spyware
  10. Web Application Attackers
  11. Blended Threat
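The two gaps the post calls out, logs that nobody reviews and no visibility into communication with bad IPs, come down to somebody actually running detection logic over what the perimeter devices record. The script below is an added example, not code from the original post or from Kiandra or HP: it parses a handful of constructed firewall/IPS-style log lines, matches each remote address against a constructed reputation feed keyed to the eleven bad-IP categories above, and separately flags a burst of denied inbound attempts from one source (the reconnaissance and brute-force pattern mentioned earlier). The log format, the feed format, the 10.0.0.0/24 LAN range and every address (all from the RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Added example: review firewall/IPS log lines against a bad-IP feed.

Not part of the original post. Log format, feed format, addresses and the
internal network range are all constructed for illustration.
"""
from collections import Counter
import re

# The eleven bad-IP categories used in the post.
BAD_IP_CATEGORIES = {
    1: "Miscellaneous", 2: "Botnet", 3: "Malware", 4: "Misuse and Abuse",
    5: "Network Worm", 6: "P2P", 7: "Phishing", 8: "Spam", 9: "Spyware",
    10: "Web Application Attackers", 11: "Blended Threat",
}

# Constructed reputation feed: address -> category number (RFC 5737 ranges,
# so nothing here points at a real host).
BAD_IP_FEED = {
    "203.0.113.7": 2,     # Botnet
    "198.51.100.23": 3,   # Malware
    "203.0.113.99": 10,   # Web Application Attackers
}

# Constructed log lines: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2013-05-01T09:00:01 ALLOW tcp 10.0.0.15:49152 -> 203.0.113.7:443
2013-05-01T09:00:02 ALLOW udp 10.0.0.22:5060 -> 198.51.100.23:5060
2013-05-01T09:00:03 DENY tcp 203.0.113.99:4021 -> 192.0.2.10:80
2013-05-01T09:00:03 DENY tcp 203.0.113.50:5001 -> 192.0.2.10:22
2013-05-01T09:00:04 DENY tcp 203.0.113.50:5002 -> 192.0.2.10:22
2013-05-01T09:00:04 DENY tcp 203.0.113.50:5003 -> 192.0.2.10:22
2013-05-01T09:00:05 DENY tcp 203.0.113.50:5004 -> 192.0.2.10:22
2013-05-01T09:00:05 DENY tcp 203.0.113.50:5005 -> 192.0.2.10:22
2013-05-01T09:00:06 ALLOW tcp 10.0.0.15:49153 -> 192.0.2.77:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_PREFIX = "10.0.0."   # assumption: the LAN is 10.0.0.0/24


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def bad_ip_alerts(events, feed=BAD_IP_FEED):
    """Flag every event whose src or dst is in the feed, noting the direction.

    Egress from an internal host to a listed address is the exfiltration /
    beaconing case; anything else involving a listed address is ingress.
    """
    alerts = []
    for ev in events:
        for ip in (ev["src"], ev["dst"]):
            if ip not in feed:
                continue
            egress = ip == ev["dst"] and is_internal(ev["src"])
            alerts.append({
                "ts": ev["ts"],
                "ip": ip,
                "category": BAD_IP_CATEGORIES[feed[ip]],
                "direction": "egress" if egress else "ingress",
                "local_host": ev["src"] if egress else ev["dst"],
            })
    return alerts


def brute_force_alerts(events, threshold=5):
    """Flag external sources with >= threshold denied attempts at one dst:port."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "DENY" and not is_internal(ev["src"]):
            counts[(ev["src"], ev["dst"], ev["dport"])] += 1
    return [
        {"src": src, "dst": dst, "dport": dport, "attempts": n}
        for (src, dst, dport), n in counts.items() if n >= threshold
    ]


def review(text):
    """Run both checks over a log and return the alerts found."""
    events = parse_log(text)
    return {"bad_ip": bad_ip_alerts(events), "brute_force": brute_force_alerts(events)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for a in report["bad_ip"]:
        print(f"{a['ts']} {a['direction']:7} {a['local_host']} <-> {a['ip']} [{a['category']}]")
    for b in report["brute_force"]:
        print(f"brute force: {b['src']} -> {b['dst']}:{b['dport']} x{b['attempts']}")
```

On the sample data this surfaces two internal hosts talking out to a Botnet and a Malware address, one inbound hit from a listed web-application attacker, and five denied attempts against port 22 from a single source. The same structure scales to a real deployment by replacing the constructed feed with a vendor reputation list and feeding it the IPS export; the point is that the alerting step exists at all, rather than the logs sitting unread.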

In the case of this organisation we saw internal advanced persistent threat (APT) style data exfiltration occurring to China, as well as communication with bad IPs in the USA, Iceland and Vietnam. As this organisation was involved with government and industrial control systems, it was only natural that it would be the target of Chinese government and espionage attacks.

We also identified a number of attacks from automated worms, and communication to and from the network involving the ZeroAccess backdoor Trojan.

Simultaneously, there were also signs of targeted attackers working against the perimeter. These ranged from reconnaissance and probing, through to exploit launching and account brute forcing.

In other engagements we have identified that a number of past employees were performing corporate espionage against an organisation by exfiltrating research schematics and other sensitive information to company competitors.

So in summary, if your organisation is not following a comprehensive defence-in-depth strategy, now is the time to start actioning and budgeting to address this. Attacks are increasing every day, and so too are the avenues for attack in an ever-evolving threat landscape. As a first port of call for perimeter protection, organisations should consider implementing an IPS and undertaking a penetration testing engagement.