Today, a data breach is almost guaranteed. Every day, there are news accounts of costly, devastating breaches. Many involving company secrets or proprietary information are not even disclosed or reported. Even the NSA, FBI and security vendors have been breached successfully. The reality is that a motivated attacker will get into any network, if only through theft of valid user credentials. Once inside, the odds are heavily in favor of the attacker. While still important, preventive security is no match for an attacker.
Various solutions exist to find network intruders, but most of these are made ineffective due to the amount of noise they force operators to work through due to the number of false positives they produce. Practices of encrypting data at rest as well as in motion hope to solve the issue, but credential theft can leverage valid access. Locking data down is not effective if bad actors can easily get the keys. Segmenting data may slow down an attacker, but ultimately will not prevent eventual theft or damage.
One approach to protection is based on a little-known aspect of networking that can effectively put a short leash on data. Every packet contains a value for the number of hops—or number of routing devices a packet travels across between its source and destination. While crossing each firewall, router or gateway, the hop count decreases by one. Generally, hop count is fixed at a default setting of 128, allowing ample travel between any two points in the world. Hop count can be changed and set or limited to a specific number.
By knowing the exact number of hops that data must make between a server or storage device and supported destination devices, data can be effectively put on a leash and limited to this specific number. In this way, important data could be limited to stay within a data center or on a primary corporate network.
Hop limits automatically destroy data, preventing it from falling into the wrong hands. Again, by knowing a specific hop count, one can establish an upper limit. Each router decrements and examines the hop limit. When the limit reaches 0, the router destroys the packet and issues an ICMP message to the sender. This enforcement is already performed by every router on the internet. The missing pieces for this approach have been intelligent software to pick appropriate limits and monitoring to detect attempts to breach the perimeter.
This new approach to security is based on distance rather than access. Access can and will be compromised. Distance is an absolute. Controlling hop count obviates risk.
Monitoring discarded packets spotlights hackers already within the network. Traditional approaches have proven ineffective at rooting out intruders to the point hackers remain undetected for an average 200 days. Those tools either miss intruders or trigger so many false positives that their alerts are ignored. Hop limits trigger high-quality alerts that are specific and actionable.
To secure data using hop count first requires knowledge of how data is accessed legitimately. What are the legitimate destinations, and what path does the data travel? How many hops are required? Once this is established, hop count limits can be set. Obviously, inaccurate hop counts can create havoc and prevent authorized users or applications from getting the data they need. Dealing with the outcome from such chaos is a job no one wants.
In some cases, data can be limited for internal use only, and hop count can be the leash to ensure it doesn’t leave a certain network. Even within a company, data can be kept from unauthorized employees and eliminate internal threats.
Security has largely kept to a set of practices and technologies for risk mitigation. Using hop count to secure data and eliminate risk by establishing a proper leash with a proper length is a way of teaching an old profession a new trick. Now data can be fully protected, and threat actors will be left outside in the dark.
By Bill Alderson, CTO
