Threat actors have repeatedly demonstrated the ability to infiltrate, operate and persist within complex environments. Living off the land, that is, abusing the tools and credentials already present on a host, lets them extend their dwell time, perform extensive reconnaissance of their targets and identify low-hanging fruit. As more organizations establish a holistic Zero Trust program to secure their environments, many challenges present themselves, primarily in deciding which technical and operational approaches suit the journey they are about to embark on. The preferred fruit of threat actors is the user, their authorizations and, of course, their endpoints. The diversity of these endpoints and the software on them has created a massive attack surface. Zero Trust’s “never trust, always verify” requires every endpoint, and every application on it, to authenticate against a central policy point, with each user and device authorized per access request or session and each session encrypted, regardless of where the endpoint is located.
The evolution of threat actors has brought new breach methodologies, and most of them target the “insider”. Insiders are usually the lowest-hanging fruit: breaches stem from social engineering, misconfigurations and other techniques aimed at operations and users rather than the network perimeter. Historically, companies secured endpoints with VPNs and firewalls, anti-malware scanning and data-loss prevention. These technologies leave gaps that extend a threat actor’s dwell time, and worse, the endpoints behind them are usually given implicit trust. Users accumulate growing permission sets, including access to sensitive or confidential data, and their endpoints carry a wide variety of applications and middleware that threat actors can exploit. Once a threat actor compromises a device it should no longer be trusted, and any health check reported by that device’s own controls must be treated as tampered with.
When a device is compromised it should be treated as untrusted, but with traditional architectures that is not what happens. To combat this, companies deploy a myriad of traditional security controls. Endpoint Detection and Response is normally deployed to address this risk, yet missed or “sick” devices, those with no agent or a broken one, are rampant at many organizations. Such a device gives threat actors a foothold from which to target other remote user endpoints. Add to that a device sitting on a home network or in a coffee shop, outside the managed corporate network, and there is another level of complexity.
To address this risk and prepare for the Zero Trust journey, organizations need a secure-by-design, risk-based approach to cyber hygiene. The foundational control set should be addressed as part of any robust security program, and good foundational hygiene is a base requirement for implementing Zero Trust on endpoints. This can be a monumental task; many enterprises depend on legacy applications that present additional vulnerability vectors. Mitigating this risk requires a vulnerability management model that adapts to remote users and to microservice applications, which can introduce yet another foothold. Given that an estimated 80-90% of CVEs are never exploited in practice, companies should focus on the ones that are, ranking findings by exploitability signals (known-exploited lists, public exploit availability, reachability from the attacker’s position) rather than by raw severity score alone. Eliminating attack paths is paramount, because attackers go for the lowest-hanging fruit first: your users’ access and data, your misconfigurations and your exploitable vulnerabilities. Zero Trust controls should then deny endpoints access to enterprise resources when they present a weak or non-compliant vulnerability posture.
Zero Trust on the endpoint is a complex undertaking, and companies will have to commit to integrating the various technologies that reside on their endpoints. Most components that claim to provide Zero Trust capabilities cover only one tenet of the model. The investment can be large, but a proper threat modeling methodology (such as PASTA) helps an organization understand where Zero Trust is needed most. Threat modeling also allows the compatibility of software and other dependencies with the organizational Zero Trust model to be assessed. The organizational threat model should feed directly into architectural design models and into the security organization’s short- and long-term roadmaps.
Risk should be front of mind as organizations build out their Zero Trust initiatives. As with cyber hygiene, a Zero Trust model is never finished; it is continually improved.
The tenets of Zero Trust are as follows:
- Trust Nothing
  - Trust is another tool threat actors use to breach environments. Ensure endpoints use strong authentication and that users must present a physical, phishing-resistant factor (for example a FIDO2 hardware key).
- Verify Everything
  - Monitor device hygiene posture, location and time of day on every request. Anything not meeting Zero Trust requirements should be quarantined.
- Assume a Breach
  - Given the landscape and how quickly threat actors move, enterprises must acknowledge that a breach has already occurred or will occur shortly. Today’s defenses still lean on prevention and react only once a breach is noticed. It is more likely that a breach has already occurred and gone undetected, giving malicious actors a large amount of dwell time. Assume the threat actors are in your environment and focus on containment, and hunt for the defense-evasion techniques an attacker already inside would use, so that the detection gaps they expose can be closed.
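The three tenets above, together with the earlier point about gating access on exploitable rather than merely published vulnerabilities, come down to a policy decision made per request. The following is an added example written for this article (not the author's code and not any vendor's API) of such a policy evaluator: device posture failures, including a missing or tampered EDR agent and known-exploited CVEs, quarantine the device regardless of the user; a healthy device is then allowed, or stepped up to a physical factor, depending on network, time of day and resource sensitivity. Every field name, threshold, factor label, network label and sample finding is an assumption chosen for illustration, and the CVE identifiers are placeholders.

```python
"""Zero Trust access-policy evaluator for endpoint requests (illustrative).
Added example for this article, not a product API or the author's code.
All field names, thresholds, labels and sample findings are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"        # grant only after a phishing-resistant factor is presented
    QUARANTINE = "quarantine"  # remediation network only; no enterprise resources

@dataclass
class Vulnerability:
    cve: str
    cvss: float
    known_exploited: bool      # assumption: fed from a known-exploited-vulnerabilities list

@dataclass
class DevicePosture:
    device_id: str
    managed: bool              # enrolled in endpoint management
    edr_healthy: bool          # agent present, checked in recently, integrity intact
    disk_encrypted: bool
    os_patch_age_days: int
    vulns: list = field(default_factory=list)

@dataclass
class AccessRequest:
    posture: DevicePosture
    user: str
    auth_factors: frozenset    # e.g. {"password", "fido2"}
    network: str               # assumed labels: "corporate", "home", "public"
    when: datetime             # timezone-aware
    resource_sensitivity: str  # assumed labels: "low", "high"

PHYSICAL_FACTORS = frozenset({"fido2", "smartcard"})  # possession-based, phishing-resistant
MAX_PATCH_AGE_DAYS = 30

def exploitable_vulns(posture: DevicePosture) -> list:
    """Only known-exploited or critical findings gate access; the rest are tracked, not blocked on."""
    return [v for v in posture.vulns if v.known_exploited or v.cvss >= 9.0]

def evaluate(req: AccessRequest) -> tuple:
    """Return (Decision, reasons). Posture failures quarantine regardless of user (assume breach:
    a device whose controls are missing or tampered with is untrusted); context then decides step-up."""
    p = req.posture
    reasons = []
    if not p.managed:
        reasons.append("device not enrolled in management")
    if not p.edr_healthy:
        reasons.append("EDR agent missing, stale or tampered")
    if not p.disk_encrypted:
        reasons.append("disk not encrypted")
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patches {p.os_patch_age_days} days old")
    reasons += [f"exploitable vulnerability {v.cve}" for v in exploitable_vulns(p)]
    if reasons:
        return Decision.QUARANTINE, reasons

    # Verify everything: evaluate context on every request; never cache a prior "allow".
    hour = req.when.astimezone(timezone.utc).hour
    risky = []
    if req.network != "corporate":
        risky.append(f"off-network ({req.network})")
    if hour < 6 or hour >= 22:
        risky.append(f"off-hours ({hour:02d}:00 UTC)")
    if req.resource_sensitivity == "high":
        risky.append("sensitive resource")
    if risky and not (req.auth_factors & PHYSICAL_FACTORS):
        return Decision.STEP_UP, risky
    return Decision.ALLOW, []

# Constructed sample data (placeholder CVE ids, not real findings or devices).
NOON = datetime(2024, 1, 8, 14, 0, tzinfo=timezone.utc)
NIGHT = datetime(2024, 1, 8, 23, 30, tzinfo=timezone.utc)
HEALTHY = DevicePosture("lap-01", True, True, True, 7, [Vulnerability("CVE-EXAMPLE-1", 5.3, False)])
SICK_EDR = DevicePosture("lap-02", True, False, True, 3)
KEV_HIT = DevicePosture("lap-03", True, True, True, 12, [Vulnerability("CVE-EXAMPLE-2", 7.8, True)])
PW_TOTP = frozenset({"password", "totp"})
PW_FIDO = frozenset({"password", "fido2"})
SAMPLE_REQUESTS = {
    "healthy_on_corp": AccessRequest(HEALTHY, "alice", PW_TOTP, "corporate", NOON, "low"),
    "healthy_from_cafe": AccessRequest(HEALTHY, "alice", PW_TOTP, "public", NOON, "low"),
    "healthy_from_cafe_fido": AccessRequest(HEALTHY, "alice", PW_FIDO, "public", NIGHT, "high"),
    "sick_edr_on_corp": AccessRequest(SICK_EDR, "bob", PW_FIDO, "corporate", NOON, "low"),
    "known_exploited_cve": AccessRequest(KEV_HIT, "carol", PW_FIDO, "corporate", NOON, "low"),
}

def decide_all() -> dict:
    """Map each sample request name to its decision string."""
    return {name: evaluate(r)[0].value for name, r in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reasons = evaluate(req)
        print(f"{name:24s} -> {decision.value:10s} {'; '.join(reasons)}")
```

Note the ordering: posture is checked before anything about the user, so a strong FIDO2 login on a device whose EDR is unhealthy still lands in quarantine, which is the "sick device" case from earlier in the article. The medium-severity CVE on the healthy laptop does not block access, while the lower-scored but known-exploited one does, which is the exploitability-over-severity rule. In a real deployment the posture fields would come from the endpoint management and EDR signals (attested, not self-reported by the device), and the decision would be re-evaluated for each session rather than once at login.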
To succeed in this journey, a holistic approach to Zero Trust is required to mature your security posture. Organizations should focus on enterprise-wide capabilities, seeking to understand what data they have, where it is, and how it flows between environments and across clouds. Movement of data to third parties further complicates this effort and adds attack vectors. Threat actors continue to grow in sophistication, and a Zero Trust model is becoming an integral requirement of any robust cyber security program, one whose trust is continuously verified rather than assumed.