Cyber attacks, like the pandemic that has spurred the rise in incidents, have been relentless.
Over the past eight months, there has been a significant escalation as the sophistication of these attacks has risen. Hackers are going after key vendors, allowing them to target wide swaths of valuable victims like we have seen in the attacks on SolarWinds, Microsoft Exchange, Colonial Pipeline, and more recently, MSP software provider Kaseya.
Adding to the troubles is that the groups behind these attacks are based in countries that have shown no interest in reigning in the hackers. In many cases, the attacks are coming from groups associated with these foreign governments or even directly from the state actors themselves.
In response to the outcry for action, the Biden administration has warned these governments that a continuation of these attacks will not be tolerated –– though there is little doubt that their warnings will have much of an impact on the hacking activities.
Lacking an effective coercive response, in May the administration issued an Executive Order aimed at improving the government’s security posture. Among the requirements in the EO, the administration called for the federal government to implement a Zero Trust architecture that would make it more resilient to attacks, hopefully helping to mitigate some of the risk and implement best practices for zero trust security.
Defining Zero Trust
In the previous era, defenders looked to build high walls that would keep attackers from breaching their networks and reaching their valuable assets. Whoever was inside the perimeter was deemed to be trustworthy, and those on the outside of the network were not.
So long as work remained on the LAN in the office, this approach had a reasonable chance of success. But over the past twenty years, work has been in transition out of the office and the perimeter built to guard against data loss became steadily less effective. Work was now done from home, on the road and from all sorts of devices.
The transition to the cloud further erased the boundaries of the perimeter. Organizations relinquished much of their control in favor of flexibility and scalability. Identity became the primary method of accessing data and services. Security was no longer a question of where you are but who you are –– and if you could prove it.
A key transformation that came in the move to Zero Trust –– where the motto is essentially “Trust no one and always verify” –– was the mindshift away from the high walls of the perimeter equaling safety to the understanding that the bad guys were probably already inside the gates.
So if everyone is suspect, then the strategy is to restrict access inside your environment and work to detect when an intrusion has occurred so that it can be dealt with as soon as possible.
In short, we moved from prevention to mitigation, which was probably a more realistic approach that we should have started with from the beginning if we are being honest.
The shift to Zero Trust had been gaining steam for the past few years, being embraced as the goal that organizations should aspire to adopt. And then came COVID-19 and just about everything became remote. That meant that working from the office on the local network was no longer an option and the threat surface for attacks had just widened even further than before.
And the attackers around the world knew it.
Targeting Privileged Identities
Hackers have stepped up attacks during the past year and a half, taking advantage of the rapid move to remote work and the security holes that it opened up. Particularly in the area of identity.
With identity as the key to access, hackers have been going after privileged identities that will allow them to breach and reach their targets’ valuable assets. The more privileged, meaning the more access that the identity has, the more useful it is for the attackers.
Attackers acquire the credentials needed to compromise these privileged identities in a number of ways.
Two of the most common are:
- Phishing where the mark is socially engineered into giving away their credentials.
- Lists of compromised creds that they then use for password stuffing. This is a spray and pray method, but it is surprisingly effective.
With these credentials in hand, attackers can take over accounts and then use their newfound access to reach valuable assets.
Identifying these privileged identities and protecting them is essential to reducing the organization’s threat surface and mitigating their risk. Doing so means embracing the right tool sets and practices.
Below are some of the core methods and techniques that need to be implemented for guarding against these attacks.
3 Key Tool & Best Practices for Zero Trust Security
Zero Trust aims to make it hard for attackers to reach their targeted assets while working to detect them before they can cause too much damage.
These tools and practices will help lay the foundation for a Zero Trust security approach.
Implement tools that monitor user accounts for unusual behavior
If an account is compromised, then the hackers are able to carry out an insider attack. Outward-facing defensive tools become way less relevant.
What is needed are User Behavior Analytics that can monitor accounts for behavior that is out of character. They can look to see if a user is downloading files that they normally would not be or performing other suspicious activities that might be indicative of an attacker moving around inside the network.
Use Strong Authentication to Make it Harder to Access
Verifying identity is an important first step in preventing attackers from reaching their target. Since we assume that the attacker is already inside the network, then we need to verify identity constantly and through different channels.
One of the most important and well-known authentication tools is multi-factor authentication. This takes the idea that there should be multiple checks to verify the user. Ideally, this verification should be done using different “keys”.
For example, I know what my password is, but that can be compromised if it is leaked in a hack. However, if I have MFA, then I put in place not just the protection of my password but also require an additional step like a code generated on my phone. This second piece of information is harder for a hacker to attain, and can block the vast majority of attacks if implemented.
Ideally, MFA should not use SMS as the second factor. But it is still better to use SMS MFA than none at all.
Passwords take valuable time and most people use them badly. Password reuse, easily guessable passwords, and other crimes against security are common. To address these efficiency and security challenges while gaining better control over access, most organizations now use Single Sign-On tools.
Common vendors include Okta, Ping, and Azure AD. They make signing into identities easier with a federated access model that reduces the “workload” on the user.
Finally, in an effort to reduce friction for users without compromising on security, biometrics are fast becoming a popular option. Think about the Face ID or fingerprint reader on your phone. It’s faster than punching in your pin code and still highly secure.
Use Authorization Tools to Restrict Access Once Attackers are Inside
If an attacker is able to get past the authentication stage, the next layer of Zero Trust defense is to manage who is authorized to access the organization’s assets. These are the permissions that allow an account to access specific folders, resources, or other items.
Ideally, organizations should follow the Principle of Least Privilege. This is the concept that says that you should grant the minimum level of access to the minimum number of people. Just enough to let them do their jobs.
The more control over what can be accessed, the narrower the threat surface and the less opportunities that the attackers have for accessing something that can be damaging to the organization.
The Government as a Market Maker Leading Change
We still have a long way to go when it comes to protecting our organizations against the hacking groups that are becoming more sophisticated and determined, even as the tools are getting better.
The first step is actually using the tools that are available to us. Most people still do not use MFA, even though it is extremely effective in most cases.
The hope is that the government will start creating standards for themselves, and then everyone that wants to sell to them will have to shift over to their standards. That kind of buyer is a real market maker. Let’s just hope that this EO is enough to shake folks up and start protecting themselves.