Maksim Kabakou - Fotolia

Manage Learn to apply best practices and optimize your operations.

Defense-in-depth strategy: Growing cyberthreat intelligence

Cybersecurity defense in depth needs to learn from the military strategy it originated from. Expert Peter Sullivan explains where cybersecurity should not deviate.

Much has been said about cybersecurity defense in depth over time, with both Homeland Security recommending a defense-in-depth...

strategy for industrial control systems and the National Security Agency calling it a "practical strategy for achieving Information Assurance in today's highly networked environments."

What many discussions of defense in depth in cybersecurity fail to do is relate it to the military defensive strategy that defense in depth originated from.

In military defense in depth, there are a number of underlying assumptions about how a defense-in-depth strategy is supposed to work, which many in cybersecurity don't understand.

Characteristics of defense in depth

The No. 1 assumption in the military defense-in-depth strategy that seems to be lost in cybersecurity is this: The approach assumes that a determined attacker will always be able to breach the perimeter.

Given that assumption, it becomes clear that military defense in depth is not a strategy that seeks to prevent the advance of an adversary but, rather, is one that seeks to delay their advance.

In order for active defense in depth to be effective, it must be able to distinguish between legitimate users and attackers.

This is very different from the commonly held but futile cybersecurity belief that a network can be completely and effectively protected at the border by preventing an attacker from overcoming or bypassing the network perimeter defenses.

In assuming that the perimeter will be breached, military defense-in-depth strategy employs additional defensive layers that are designed to:

  • Delay the attacker so that an effective response or counterattack can be mounted by bringing additional resources to bear;
  • Channel the attacker into "kill-zones" where defensive weapons may be concentrated;
  • Cause an attacker to consume the resources it needs to sustain an attack; and
  • Cause an attacker to disperse their resources over a wide area, making the attack ineffective.

In some cases, a defender may give up physical space to an attacker in order to gain time to organize defensive measures or a counter attack.


Another resource that military organizations seek to maximize is intelligence. Military intelligence is the collection and analysis of information to provide guidance to commanders and support their decision making. Intelligence gathering is a cornerstone of military operations -- where understanding an adversary's location, the composition of its forces, its weapons and capabilities, and its potential objectives -- is critical in order to develop a high level of situational awareness about an adversary and to develop effective defensive strategies. Military defensive strategies are always in response to specific threats. Therefore, a clear and detailed understanding of the threat environment is crucial to survivability and mission accomplishment for the military planner.

Active defense in depth

Taking the underlying assumptions of a military defense-in-depth strategy and applying them to cybersecurity is defined here as "active defense in depth." Active defense in depth differs from passive defensive in depth, precisely because it takes into account the assumption that the perimeter will be breached and that specific defensive strategies must be created and deployed in response to a perimeter breach.

Slowing the attacker down

Accepting the underlying assumptions of military defense in depth in cybersecurity requires an understanding of what happens after the perimeter is breached and then taking control of the situation.

Ideally, defense-in-depth strategy deals with threats as far away from critical information assets as possible. If a firewall or gateway at the perimeter is the only defense, then breaching or bypassing the perimeter means that the entire network is compromised. Additional layers of cybersecurity defenses can be added so that, just like in military defense in depth, the attacker is directed into portions of the network that will slow them down and waste their time and resources, while the defender gets to watch and see what the attacker is after, what offensive capabilities they possess, what vulnerabilities they seek and which exploits they attempt to use.

Developing this level of awareness and cyberthreat intelligence is vital to protecting critical information assets and will also increase the ability to detect when attacks and intrusions occur.

A honeypot is one step in accomplishing this. A honeypot or honeynet can serve as an input into a threat intelligence program and greatly improve understanding of the threat environment. A honeypot or honeynet is a tool that can trap an attacker in a decoy server or network and provide detection and information gathering tools to the defender, while protecting valuable information assets from intrusion.

In order for active defense in depth to be effective, it must be able to distinguish between legitimate users and attackers. A honeypot has no production value and contains no actual information assets. By definition, then, there is no legitimate reason for anyone to ever penetrate, occupy and peruse a honeypot. Therefore, any penetration into a honeypot is unwanted and assumed to be malicious, providing the differentiation required for it to be an effective component of active defense in depth.

Observing the penetration of a honeypot can yield significant information, including indicators of intrusion, and the ability to closely analyze intruder activities in order to:

  • Determine the intruder's offensive capability;
  • Understand what information assets are targeted;
  • Identify vulnerabilities and see attempted exploits in action, and
  • Provide additional detection capability to the defender.

Honeypots are often deployed on production networks to augment traditional intrusion detection. A honeypot may be added to a network segment alongside a critical information asset, such as a database server. The honeypot would have the same security configuration as the database and penetration of the honeypot would point to a possible intrusion of the database server itself. The value here is that the honeypot will distinguish between the legitimate users of the database and malicious users of the honeypot, while providing information on the attacker capabilities and intent.

Cyberthreat intelligence

A honeypot deployment can also provide significant intelligence value to the defender and contribute to the improvement of situational awareness. Developing a high degree of situational awareness is a key step to having a strong defense.

In cybersecurity, situational awareness means:

  • Understanding the general risk environment, such as which information assets must be protected and why, what threat actors exist and threaten those assets, and how to provide protection and vulnerability identification and mitigation for those assets.
  • Understanding what value information assets have to a potential attacker.
  • Identifying critical business processes and their components of people, process and technology.
  • Understanding the skills and abilities that an attacker may use to gain access to desired information assets.
  • Understanding of cybersecurity operations and the ability to identify vulnerabilities and identify exploitation of vulnerabilities.
  • Monitoring internal and external events and activities that relate to cybersecurity as they occur.
  • Identification of internal and external events and activities that may impact cybersecurity and identifying cybersecurity incidents.
  • Understanding the modes of attack that are being used externally and internally by threat actors.

Developing this level of awareness and cyberthreat intelligence is vital to protecting critical information assets and will also increase the ability to detect when attacks and intrusions occur. Obtaining and sustaining this level of cyberthreat intelligence is not easy and requires significant effort to draw information from many internal and external sources.

Having a strong understanding of the threat environment, along with a detailed understanding of network operations and the value of information, allows the defender to develop specific cybersecurity strategies that consider the type and value of information that must be protected. Similarly, understanding the capabilities, modes of attack and the intent of the attacker allows for the development of defensive strategies that specifically counter the attacker's capabilities and attack modes.


In order to defend information systems today, it is crucial to assume that the network perimeter will be breached and spend time planning for what happens after and how to stay in control.

To further develop and refine effective defensive strategies, an active defense-in-depth strategy will help control attackers while you gather cyberthreat intelligence about how attacks are carried out and what is being targeted.

Next Steps

Defense-in-depth security: How to establish an ultra-redundant network

Thirteen principles to ensure enterprise system security

The 4 rules of a microservices defense-in-depth strategy

This was last published in May 2016

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments