Plaintext: Understanding Layer 8
Welcome to Dark Reading in Plaintext, where each day we bring you insights around one topic important to cybersecurity professionals. Today, we talk about the OSI Model and what it means to consider Layer 8. How should security teams incorporate user behavior and intent into the security model?
Consider the OSI Model
Security teams often focus on "Layer 3" or "Layer 4" data when trying to detect security issues or mitigate attacks. Many are now moving up the stack to consider "Layer 7." What does this data tell security teams about modern attacks?
The International Organization for Standardization created the open systems interconnection (OSI) model, a conceptual model to help diverse systems communicate with each other.
Layer 1 : Physical. The “bottom” of the model represents the electrical and physical components, such as the cable type or a radio-frequency link (as in Wi-Fi). Troubleshooting Layer 1 problems involves checking that the hardware is plugged in and properly connected.
- Encryption at the application layer is a good idea, but what about encryption at Layer 1?
Layer 2 : Data Link. This layer is where node-to-node data transfers happen. Most networking switches operate at Layer 2.
- The Layer 2 attack surface has been largely unprotected: consider that “evil twin” access point attacks are still effective, as is ARP spoofing.
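ARP spoofing works because ARP has no authentication: any host can answer for any IP. The detection is correspondingly simple. The following is an added example, not code from the article or from F5; it assumes ARP replies have already been captured and decoded into records, and the sample replies, addresses and MACs are constructed for illustration.

```python
"""Layer 2 ARP spoofing detection over a stream of ARP replies.

Added example (not from the Dark Reading article). It assumes ARP replies have
already been captured and decoded into ArpReply records; the sample replies
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp (seconds)
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # hardware address in the ARP payload


def detect_arp_spoofing(replies, gateway_ip, static_table=None):
    """Return a list of (timestamp, reason) alerts.

    Two checks are applied:
      1. an IP whose MAC changes from what was previously seen (or from a
         known-good static entry) is reported;
      2. a single MAC that claims the gateway IP plus any other IP is
         reported once, since that is the classic man-in-the-middle pattern.
    """
    ip_to_mac = dict(static_table or {})   # optional known-good entries
    mac_to_ips = defaultdict(set)
    mitm_reported = set()
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append((r.ts, f"{r.sender_ip} moved from {prev} to {mac}"))
        ip_to_mac[r.sender_ip] = mac
        mac_to_ips[mac].add(r.sender_ip)
        claimed = mac_to_ips[mac]
        if gateway_ip in claimed and len(claimed) > 1 and mac not in mitm_reported:
            mitm_reported.add(mac)
            others = sorted(claimed - {gateway_ip})
            alerts.append((r.ts, f"{mac} claims gateway {gateway_ip} and {others}"))
    return alerts


# Constructed sample: a legitimate gateway and host announce themselves, then
# a third MAC poisons both sides of the conversation.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(0.5, "10.0.0.5", "aa:bb:cc:00:00:05"),
    ArpReply(1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),   # benign re-announce
    ArpReply(2.0, "10.0.0.1", "aa:bb:cc:00:00:66"),   # attacker -> victim
    ArpReply(2.1, "10.0.0.5", "aa:bb:cc:00:00:66"),   # attacker -> gateway
]


def run_sample():
    return detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="10.0.0.1")


if __name__ == "__main__":
    for ts, reason in run_sample():
        print(f"{ts:5.1f}s  {reason}")
```

The first three replies produce nothing; the two poisoned replies produce three alerts (two address moves and one man-in-the-middle report). Seeding `static_table` with the gateway's real MAC, as from a DHCP lease database, lets the detector catch a poisoned gateway entry even when it has never seen the legitimate announcement. Dynamic ARP inspection on a switch does the same check in hardware against the DHCP snooping table.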
Layer 3 : Network. This layer provides router functionality: packet forwarding and routing traffic between networks through different routers. Switches that can route between VLANs are considered Layer 3 switches because of that routing capability.
Layer 4 : Transport. This layer coordinates data transfer between end systems and hosts, determining details such as how much data to send, at what rate, and to whom. TCP and UDP ports belong to Layer 4, while IP addresses belong to Layer 3.
- Consider network segmentation. “Most policies in today’s microsegmentation systems reside primarily at Layer 2 for admission control, Layer 3 for controlling flow establishment, and Layer 4 for protocol selection.”
- Layer 4 attacks involve exploiting open ports and protocols for lateral movement. “Effective micro-segmentation must strike a balance between application protection and business agility, delivering strong security without disrupting business-critical applications.”
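The quoted description of micro-segmentation (admission at Layer 2, flow establishment at Layer 3, protocol and port at Layer 4) maps directly onto a policy evaluator. The following is an added example written for this page, not code from the article or from any segmentation product; the segments, MAC allowlist, rules and flows are constructed, and a real enforcement point would load them from its policy store.

```python
"""Micro-segmentation policy evaluation across Layers 2, 3 and 4.

Added example, not from the article or any vendor product. Networks, MACs
and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    ports: frozenset


# Layer 2 admission control: only known hardware addresses may send at all.
ADMITTED_MACS = {"aa:bb:cc:00:00:05", "aa:bb:cc:00:00:06"}

# Layer 3 (which segments may establish flows) and Layer 4 (which protocol
# and port) are expressed together in each rule; anything unmatched is denied.
RULES = [
    Rule("workstations-to-fileserver-smb",
         ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.0.10/32"),
         "tcp", frozenset({445})),
    Rule("workstations-to-servers-https",
         ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.0.0/24"),
         "tcp", frozenset({443})),
]


def evaluate(flow, admitted_macs=ADMITTED_MACS, rules=RULES):
    """Return (verdict, reason); verdict is "allow" or "deny".

    The reason names the layer at which the decision was made so an analyst
    can see whether a blocked flow failed admission (L2), never had a
    permitted path (L3), or reached a service not permitted on that path (L4).
    """
    if flow.src_mac.lower() not in admitted_macs:
        return "deny", "L2: source MAC not admitted"
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    l3_path = False
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            l3_path = True
            if flow.proto == rule.proto and flow.dst_port in rule.ports:
                return "allow", f"L4: {rule.name}"
    if l3_path:
        return "deny", f"L4: {flow.proto}/{flow.dst_port} not permitted on this path"
    return "deny", "L3: no permitted path between segments"


# Constructed flows: a legitimate SMB session, two lateral-movement attempts
# and a device that failed admission.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:05", "10.10.0.5", "10.20.0.10", "tcp", 445),   # allowed
    Flow("aa:bb:cc:00:00:05", "10.10.0.5", "10.10.0.6", "tcp", 445),    # peer-to-peer SMB
    Flow("aa:bb:cc:00:00:05", "10.10.0.5", "10.20.0.20", "tcp", 445),   # SMB to wrong server
    Flow("de:ad:be:ef:00:00", "10.10.0.99", "10.20.0.10", "tcp", 443),  # rogue device
]


def run_sample():
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{verdict:5} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}  {reason}")
```

Only the first flow is allowed. The workstation-to-workstation SMB attempt fails at Layer 3 because no rule grants a path between peers in the same segment, which is exactly the lateral movement the bullet above describes; SMB to a server that is only reachable over HTTPS fails at Layer 4; the rogue MAC never gets past admission. Because the default is deny, business agility depends on the rule set being complete, which is the balance the quoted text is pointing at.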
Layer 5 : Session. A session is created on this layer so that two computers or other network devices can speak to each other.
Layer 6 : Presentation. This layer translates between the application’s own data representation and the format used on the network, so the application layer does not have to care about differences in encoding. Data encryption and decryption are commonly placed at Layer 6.
Layer 7 : Application. This layer receives information directly from users and displays incoming data to the user. Web browsers rely on Layer 7.
- Layer 7 attacks exploit weaknesses in applications, as opposed to network services.
- Distributed denial of service attacks are interesting, as they can target different layers. Newer attacks exhaust application resources, but there are still plenty of large Layer 3 and Layer 4 DDoS attacks.
- Firewalls have also evolved. Stateful firewalls operate at Layers 3 and 4, tracking connections by IP address, port, and protocol state. Deep packet inspection goes further and examines Layers 4 through 7, checking whether packets are malformed, properly encoded, and carrying data permitted by corporate rules.
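To make the difference between a Layer 4 decision and a Layer 7 decision concrete: a stateful firewall that allows TCP port 80 passes every payload below, while an inspection engine can reject most of them. The following is an added example written for this page, not code from the article or from any firewall vendor. It assumes the TCP stream has already been reassembled into a single request (real engines reassemble segments first), and the method allowlist and sample payloads are constructed.

```python
"""Layer 7 deep packet inspection of HTTP request payloads.

Added example, not from the article. It assumes the TCP stream to port 80
has already been reassembled into one request; the sample payloads below
are constructed and the method allowlist is a hypothetical corporate rule.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}     # hypothetical corporate policy
REQUEST_LINE = re.compile(rb"^([A-Z]{1,10}) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*?)[ \t]*$")


def inspect_http_request(payload: bytes):
    """Return (verdict, reason); verdict is "pass" or "drop".

    Checks, in order: the payload is framed as HTTP at all, the request line
    is well formed, the method is permitted by policy, every header line is
    syntactically valid, and a Host header is present.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "drop", "not HTTP: no end-of-headers terminator"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "drop", f"malformed request line: {lines[0][:40]!r}"
    method = m.group(1).decode()
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not permitted by policy"
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return "drop", f"malformed header: {line[:40]!r}"
        headers[h.group(1).lower()] = h.group(2)
    if b"host" not in headers:
        return "drop", "missing Host header"
    target = m.group(2).decode(errors="replace")
    host = headers[b"host"].decode(errors="replace")
    return "pass", f"{method} {target} to {host}"


# Constructed payloads, all of which a port-80 Layer 4 rule would allow.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"SSH-2.0-OpenSSH_9.0\r\n",                                  # SSH tunnelled over port 80
    b"DELETE /admin/users/1 HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nX-Bad Header: 1\r\n\r\n",      # space in a header name
    b"GET / HTTP/1.1\r\n\r\n",                                   # HTTP/1.1 requires Host
    b"GET /../../etc/passwd HTTP/9.9\r\nHost: x\r\n\r\n",        # bogus protocol version
]


def run_sample():
    return [inspect_http_request(p) for p in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    for payload, (verdict, reason) in zip(SAMPLE_PAYLOADS, run_sample()):
        print(f"{verdict:4} {reason}")
```

Only the first payload passes. The checks are deliberately cheap (framing, grammar, policy), which is why DPI scales; anything more semantic, such as deciding whether a well-formed request is abusive, needs context about the user rather than the packet.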
Is there a Layer 8? We sometimes need to go beyond the application and look at the user activity to understand what is happening or whether an activity is legitimate. The difference between the legitimate user of an application and abuse boils down to the end user’s intent. “Some people refer to this end-user layer above layer 7 of the OSI model as layer 8,” F5’s Joshua Goldfarb writes this week.
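A Layer 8 check, in practice, is behavioral: every request is well-formed HTTP and every response is a 200, and the only thing separating use from abuse is the pattern across a user's session. The following is an added example written for this page, not code from the article or from F5. It scores users in a constructed access log for order-ID enumeration (sequential IDs at machine-like speed); the log format, the `/api/orders/<id>` endpoint and the thresholds are all assumptions.

```python
"""Layer 8: flag enumeration by user behavior rather than by packet content.

Added example, not from the article. The log lines, the /api/orders/<id>
endpoint and the thresholds are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 timestamp> <user> <method> /api/orders/<id>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) /api/orders/(\d+)$")


def parse_log(lines):
    """Group (timestamp, order_id) pairs by user; unparseable lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events[m.group(2)].append((ts, int(m.group(4))))
    return events


def score_user(records, min_requests=10, max_median_gap=1.0, min_sequential=0.8):
    """Return a dict of behavioral features if the user looks like an
    enumerator, otherwise None.  Thresholds are hypothetical."""
    records = sorted(records)
    if len(records) < min_requests:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
    steps = [b[1] - a[1] for a, b in zip(records, records[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps)
    median_gap = statistics.median(gaps)
    if median_gap <= max_median_gap and sequential >= min_sequential:
        return {"requests": len(records), "median_gap_s": median_gap,
                "sequential_fraction": sequential}
    return None


def find_enumerators(lines, **thresholds):
    """Map user -> features for every user whose session scores as enumeration."""
    flagged = {}
    for user, records in parse_log(lines).items():
        score = score_user(records, **thresholds)
        if score:
            flagged[user] = score
    return flagged


def _constructed_log():
    """Build sample lines: alice walks IDs 1000..1011 five times a second;
    bob looks at a handful of his own orders minutes apart."""
    t0 = datetime(2022, 8, 10, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} alice GET /api/orders/{1000 + i}")
    for i, order_id in enumerate([2231, 2231, 987, 2300, 1042]):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} bob GET /api/orders/{order_id}")
    return lines


SAMPLE_LOG = _constructed_log()


if __name__ == "__main__":
    for user, features in find_enumerators(SAMPLE_LOG).items():
        print(user, features)
```

Only alice is flagged. Nothing in any single one of her requests is wrong at Layer 7; the signal exists only once requests are attributed to a user and looked at over time, which is the point of treating the user as a layer of its own. The thresholds should be tuned against real traffic, since a legitimate batch job can look the same, and that ambiguity is precisely why intent, not syntax, is the deciding factor here.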
Headlines on Tap
- What women should know before joining the cybersecurity industry: 3 things to consider.
- Why bug-bounty programs are failing everyone: an overview of a Black Hat USA presentation.
- When Human Security meets PerimeterX: analyzing the merger of these two companies.
Subscribe to receive Dark Reading Weekly every Thursday morning!
On That Note
Earlier this week, the Office of the National Cyber Director (ONCD) named Camille Stewart Gloster as Deputy National Cyber Director for Technology and Ecosystem Security.
“We need top talent in the government to meet the dynamic and complex cyber challenges we face as a nation,” National Cyber Director Chris Inglis said in a release. “The depth and breadth of her experiences will help the Biden-Harris Administration advance key priorities, including promoting the resilience of our software and hardware supply chain, building a more diverse cyber workforce, and strengthening cyber education for all Americans.”
Check out the Dark Reading Q&A on systemic racism and discussion on breaking the glass ceiling.