How Security Brutalists Build Maps to Simplify and Strengthen Defense
In the world of security, defenders are often trapped in a never-ending battle against attackers who continuously find new ways to exploit vulnerabilities. One of the key reasons why attackers have the upper hand is the way we, as defenders, think about security.
Security professionals have long been trained to view their environments through the lens of a list: lists of assets, lists of potential risks, lists of vulnerabilities. But this list-based approach can often miss the bigger picture, leaving defenders vulnerable to sophisticated, lateral attacks that are difficult to detect until it’s too late.
But what if we shifted our perspective—away from lists and toward maps?
The Problem with Lists: A Fragmented View of Security
In many organizations, security is managed through lists. These lists may include assets, networks, devices, and applications—each sorted by business function, criticality, or technical specification. However, this fragmented approach overlooks an essential fact: security is not a list. It’s a map.
In a network, everything is connected. One system depends on another, users interact with multiple machines, and vulnerabilities may be linked across seemingly unrelated devices. Attackers don’t look at your network as a list. They don’t simply target a single asset; they exploit the relationships between systems, users, and services—attacking the map, not the list.
If you think of your network as just a list of individual assets, you’re missing how attackers see it. Instead of focusing on isolated components, attackers think in terms of a map—a network of interconnected nodes that together form potential attack paths. The question is: How do we make this shift to a map mindset and use it to strengthen our defenses?
Security Brutalism: Simplifying the Complex with Maps
Security Brutalism takes a minimalist, no-nonsense approach to defense. Instead of adding layer upon layer of security controls that create complexity, brutalists aim to simplify, distill, and remove unnecessary components. The approach focuses on the essentials and keeps the full picture in view.
A brutalist approach to security would involve taking your lists—whether they are lists of assets, users, or services—and turning them into maps. This doesn’t just help visualize the complexity of your network; it lets you see where the risks are most concentrated. By focusing on the interconnections between assets and users, you can better understand where attackers can move laterally across your systems.
Connecting the Attack Dots: Visualizing the Threat
Imagine your network as a sprawling map of connected dots: servers, workstations, accounts, services, and all the relationships between them. An attacker doesn’t start with a target on the list; they start with an entry point into this map. This entry point could be a compromised machine, a vulnerable service, or a phishing email that gives them access to a user account.
For instance, let’s take a look at a hypothetical network. If attackers compromise a Terminal Server that is used by hundreds of employees, they gain access to many user credentials. With the right tools, such as Mimikatz, they can collect passwords and explore the map, finding new paths to escalate privileges and gain access to critical assets. If those user credentials belong to admins of workstations or high-value servers, the attacker can hop from one system to another, making their way toward your most valuable data.
In this context, your map helps you see how an attacker can traverse your network. Attackers use this map to find weak points and escalate their access. But by mapping your network as a connected system, you can do the same: identify critical paths, dependencies, and vulnerabilities before the attacker does.
Pruning the Map: Removing Unnecessary Connections
Once you have a map-based view of your network, the next step is to prune it—cutting down unnecessary connections and reducing the number of attack paths. This is where the principles of Security Brutalism truly shine.
Some actions you can take to secure your map include:
- Reducing Privilege: Attackers thrive when they can move laterally using overly broad privileges. Minimize admin access and implement Just-In-Time (JIT) and Just Enough access policies.
- Segregating Networks: Reduce the number of paths between systems by creating network partitions and implementing credential silos. This helps limit the attack surface.
- Rotating Credentials: Credential theft is a common tactic for lateral movement. Implement solid credential rotation practices to minimize the impact of stolen passwords.
- Implementing Multi-Factor Authentication (MFA): Adding an extra layer of security helps limit an attacker’s ability to move through the map even if they’ve compromised a node.
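The shift from lists to a map, and the pruning steps above, as an added Python example that is not from the original post: it joins two constructed lists (sessions and admin rights, with hypothetical host and account names) into one directed graph and finds the shortest path from an entry point to a high-value server. Pruning one edge lengthens that path, and pruning a second removes it.

```python
from collections import deque

# Constructed sample inventory (hypothetical names): the lists a team already keeps.
SESSIONS = [  # (host, account whose credentials are exposed on that host)
    ("TERMSRV01", "alice"), ("TERMSRV01", "bob"), ("TERMSRV01", "svc_backup"),
    ("WKSTN07", "helpdesk_admin"),
]
ADMIN_RIGHTS = [  # (account, host that account administers)
    ("alice", "WKSTN03"), ("bob", "WKSTN07"),
    ("helpdesk_admin", "FILESRV01"), ("svc_backup", "FILESRV01"),
]

def build_map(sessions, admin_rights):
    """Join the two lists into one directed graph: host -> account -> host."""
    graph = {}
    for host, account in sessions:
        graph.setdefault(f"host:{host}", set()).add(f"acct:{account}")
    for account, host in admin_rights:
        graph.setdefault(f"acct:{account}", set()).add(f"host:{host}")
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns the list of nodes, or None if unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def prune(graph, edges):
    """Return a copy of the graph with the given (source, destination) edges removed."""
    pruned = {src: set(dsts) for src, dsts in graph.items()}
    for src, dst in edges:
        pruned.get(src, set()).discard(dst)
    return pruned

if __name__ == "__main__":
    net = build_map(SESSIONS, ADMIN_RIGHTS)
    entry, crown = "host:TERMSRV01", "host:FILESRV01"
    print("before pruning:", shortest_path(net, entry, crown))
    # Credential silo: the service account no longer logs on to the terminal server.
    net = prune(net, [(entry, "acct:svc_backup")])
    print("after silo:    ", shortest_path(net, entry, crown))
    # Reduced privilege: bob loses standing admin rights on WKSTN07.
    net = prune(net, [("acct:bob", "host:WKSTN07")])
    print("after both:    ", shortest_path(net, entry, crown))
```

Neither list on its own shows the two-hop path through the service account; it only appears once sessions and admin rights are joined into one graph.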
The Brutalist Advantage: Preparing for the Attackers’ Map
By embracing the map mindset, defenders can adopt a far more effective approach to securing their network. You already know your own network better than anyone else—this is your advantage. Attackers, by contrast, need to study and probe systems to understand the map before they can exploit it.
The key takeaway from Security Brutalism is this: stop defending isolated assets and start defending the relationships between them. By focusing on simplifying your environment and understanding how everything is interconnected, you can more effectively mitigate risk and shrink the attack surface.
Remember: attack paths are not linear. They’re maps, and attackers think in maps. If you want to stay one step ahead, you need to think that way too.
To Close
Security Brutalism isn’t about adding more layers of complexity. It’s about simplifying the picture and making connections clear. By visualizing your network as a connected map, you can identify, prune, and defend the most critical connections. The more you understand your own map, the more prepared you’ll be when attackers come knocking.
So, stop thinking in lists. Build your map. And turn your network into a fortress.