Looking at zero trust from an attacker’s perspective

Zero trust has become the latest buzzword in the security industry. The concept of not trusting users or devices even after authentication has revolutionized how organizations view access management in the data center.

In theory, it sounds great; the “guilty until proven innocent” mentality suits security well. However, it’s helpful to analyze the model from the attacker’s perspective to identify assumptions or actions that could provide a foothold for cybercriminals.

The fact is, many organizations have a lot of different cybersecurity solutions deployed. However, they still need to determine where there is potentially too much trust inside their networks to give attackers opportunities to exploit vulnerabilities. Attackers look for ways to exploit weaknesses, areas where organizations are placing more faith than they should.

Accessing The Data Center Remotely

Let’s look at the example of remote connectivity. Employees typically connect to the corporate data center through a virtual private network (VPN), and they probably use some authentication to do that.

Usernames and passwords are common authentication mechanisms but are very weak and can sometimes be easily guessed or stolen. This pair is not good enough as an identifier for authentication, and attackers commonly exploit this. To trust someone just because they know a specific password that is not that strong in the first place is asking for trouble.

Many organizations will go beyond this by deploying additional authentication mechanisms to enable user access to the VPN. They might use multi-factor authentication to prove that a particular user is who they claim to be before gaining access.

This method is not foolproof either, however, because attackers can get around it. Even though users are authenticated and using their passwords, a security team can’t assume that this specific person is accessing the data center. An attacker might be abusing the user access rights to gain access to corporate data. This is one of the more common attack vectors.

One potential solution for safeguarding remote access is to deploy endpoint detection and response (EDR) technology to protect endpoints. These tools are designed to gather data from endpoint devices such as laptops and then analyze the data to reveal potential cyber threats and issues such as hacking attempts.

This reduces the risk that a non-authenticated user is trying to gain access and sounds like it might be solving the problem. But any skilled attacker can try to take down the EDR or other endpoint security solution to gain access, and this has happened.

Inside The Data Center

EDR and VPN security solutions do not address one of the most pervasive problems organizations face: excessive user permissions. When people are given too much access to resources, they are given too much trust. This is bad for a couple of reasons. One is that an employee might not have the best intentions or even be an insider threat. Another is that if an outside intruder somehow gains access using the employee’s credentials, the intruder gains access to the same resources open to the employee. Either way, the impact can be significant.

The key is to make access from the VPN highly selective and specific to users. Configuring the VPN with identity-based access or using more modern solutions, such as zero-trust network access (ZTNA), ensure that whoever is accessing the network is authenticated and accessing only those applications they should be.

Breaching The Data Center

In addition to these potential attack vectors, cybercriminals often exploit other data center entry points, including vulnerable internet-facing applications that run on production servers, databases and web servers. And even if an organization properly secures its servers and keeps them internal to the network - rest assured that attackers will find their way in and move laterally to reach critical assets.

The best way to secure IT resources from potential threats is to segment the data center and cloud services. In particular, software-based segmentation helps companies achieve a higher security level, reduce the attack surface, prevent lateral movement, and protect critical IT assets.

Unlike legacy segmentation tools such as firewalls and virtual LANs (VLANs), the latest segmentation platforms integrate deep visibility of the entire IT environment into a policy engine, allowing security teams to create more granular and accurate security programs and policies.

They can automatically visualize the entire data center environment, map application dependencies and flows to identify security gaps, and create policies based on asset classification.

Zero Trust Must Be Flexible

While the name makes Zero Trust sound like an immovable strategy, it’s important that security leaders continually refine it over time. For instance, a data breach or malicious insider can break the trust scheme that necessitates an immediate and spontaneous assignment to the block list. Organizations may also need to take back trust based on a behavior or property, such as a machine’s Indicator of Compromise (IOC). Creating quick block rules in the network help limit the blast radius of cyberattacks.

Providing adequate cybersecurity, particularly in the emerging hybrid work environment, can be daunting. Threat vectors can seem overwhelming at times, and there is little clarity into what solutions will be effective over the long term. Adopting an attacker’s mindset provides many organizations with an objective frame of reference to test new strategies and identify issues before they become data breaches.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.