Cyber attacks are becoming increasingly sophisticated, and state actors are often involved. 1.2 billion people had their data exposed and discovered on the dark web, and the FBI received 1.5M complaints of data theft in the last two years.
Generally, the cyber threat actors who carry out such attacks globally can be classified into six groups, each driven by distinct objectives and motivations.
- Hacker groups based in Russia, China, Iran, and North Korea are generally categorized as state actors and are behind many attacks across the globe. Competitors are also a source of attacks for many companies.
- Hacktivists, organized criminals, opportunists, and amateur hackers are the main types of hackers motivated by political agendas or ideological reasons to carry out high-profile attacks.
- Disgruntled employees and ex-employees are often the attackers who target the data resources of their present or former employers.
Attribution after an attack is often difficult, but a forensic investigation can make it possible to identify the type of attacker involved in the incident.
A recent industry survey found a 67% increase in cybercrime costs over the last five years. The same study found that the cost of cybercrime increased by 11 and 16 percent for banking and utilities respectively. Cybercrime has the potential to cripple business operations and growth by consuming time and money that could otherwise have gone into innovation.
Hackers may perform reconnaissance on the people, networks, and hosts involved; create spear-phishing e-mails that appear to come from a known vendor or other business contact; capture usernames and passwords through watering-hole sites; exploit vulnerabilities in the network; install backdoors on other computers; and maintain access through a command-and-control channel over the network.
Once hackers control the network, they use internal users' computers to launch further attacks and rope network devices into a botnet for a DDoS attack.
In a traditional network setup, cyber defense emphasizes perimeter defense, on the assumption that attacks usually originate outside the organization. This can be explained through the analogy of a castle defense strategy, which assumes that data can be protected by keeping it behind the fortress walls.
The drawback of traditional cyber defense is that it does not adapt to changing threats, so it cannot protect against newer cyber attacks. A new approach is needed in which devices and users must establish trust before accessing resources.
The first step towards preventing internal attacks is treating internal devices and users as you would treat external users and devices. Rooted in the concept of "Zero Trust", organizations should not automatically "trust" anything inside or outside their network perimeter.
For example, devices and users are required to authenticate against the device inventory database and be verified against the user/group database before they can access enterprise applications. It is important to consider the specific network traffic patterns, applications, user and vendor access requirements, and network deployments when building Zero Trust networks.
The key to implementing this security strategy is an attitude of 'Do not trust, always verify', where devices and users, whether internal or external, must establish their own trust in order to gain access to IT resources.
A zero-trust security model must bring together business objectives, leaders, employees, and security professionals.
Typical elements of a Zero Trust security model are:
- Data Foundation: It is important to categorize your data assets and create a data management strategy.
- Device-level security: This is an important part of building a "zero trust" security model.
- User-level security: The rules of earning "trust" apply to users as well as IT systems. A centralized policy engine can enforce such criteria both for granting access to limited IT resources and for access to more mission-critical data.
- Network Security: If you want an impregnable perimeter, keep it, but reinforce it with dynamic walls, including zoning, secured network slices, and host-level micro-segmentation.
- Application security: To secure applications, first isolate them, then apply MFA. This must be followed by micro-segmentation at the container, hypervisor, and even micro-services level.
- Security Automation and Orchestration: Automation and orchestration are crucial to a zero-trust security model, as is the visibility they provide. While certain tools such as Software-defined Perimeter (SDP) and micro-segmentation do provide some degree of automation, automating and orchestrating the model as a whole remain critical components.
- Security incident visibility and analytics: These are important in the "zero trust" model in order to respond appropriately and in real time to threats observed by security analytics tools.
Implementing a Zero Trust security model
In general, there is no need to reinvent the wheel when it comes to cyber security. Instead, start with appropriate governance guidance such as HIPAA, PCI DSS, GDPR, or the NIST Cyber Security Framework. An organization may wish to augment the "Protect", "Detect", "Respond", and "Recover" functions as appropriate to develop a comprehensive "Zero Trust Security" strategy. The NIST framework can also be used to achieve compliance with other requirements, such as HIPAA or PCI DSS.
The best way to move towards a "Zero Trust" IT security model is to start with network access control, malware and antivirus protection for user devices, and investment in endpoint detection and response and intrusion detection and prevention system tools, which are traditional yet still essential to some extent.
Figure 1: The BeyondCorp Zero Trust network developed by Google
Identity and access management (IAM) is an important component of the model. The IAM framework is made up of several business policies, processes, and technologies that enable the management of the digital identities of users and devices.
There are a variety of tools and techniques for IAM; however, three distinct methods are most important: a) TPM for device-level encryption and authentication, b) a sophisticated AAA (Authentication, Authorization & Accounting) mechanism such as TACACS+, and c) multi-factor authentication for users.
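The decision flow described above (authenticate the device against an inventory, verify the user against a group directory, then gate each application by trust tier with MFA and a TPM-attested device) as a small policy engine, added here as an illustration and not code from the article. The inventory, directory, application tiers and the evaluate() function are all hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample device inventory (hypothetical): device id -> record.
# "tpm_attested" marks a device whose identity was proven via its TPM.
DEVICE_INVENTORY = {
    "lap-0142": {"owner": "alice", "tpm_attested": True,  "patched": True},
    "lap-0333": {"owner": "alice", "tpm_attested": False, "patched": True},
    "lap-0555": {"owner": "bob",   "tpm_attested": True,  "patched": False},
    "lap-0917": {"owner": "bob",   "tpm_attested": True,  "patched": True},
}
# Constructed sample user/group directory (hypothetical).
USER_GROUPS = {"alice": {"staff", "finance"}, "bob": {"staff"}}
# Each application declares a required group and a trust tier: tier 1 = limited
# resource, tier 2 = needs MFA, tier 3 = mission-critical, needs a TPM-attested device.
APPS = {
    "wiki":    {"group": "staff",   "tier": 1},
    "tickets": {"group": "staff",   "tier": 2},
    "payroll": {"group": "finance", "tier": 3},
}

@dataclass
class Request:
    user: str
    device_id: str
    app: str
    mfa_passed: bool
    inside_corp_net: bool = False  # recorded but never consulted: location earns no trust

def evaluate(req: Request) -> Tuple[bool, str]:
    """Centralized policy engine: every request, internal or external, re-establishes trust."""
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        return False, "device not in inventory"
    if dev["owner"] != req.user:
        return False, "device not assigned to this user"
    if not dev["patched"]:
        return False, "device out of compliance"
    app = APPS.get(req.app)
    if app is None:
        return False, "unknown application"
    if app["group"] not in USER_GROUPS.get(req.user, set()):
        return False, "user not in required group"
    if app["tier"] >= 2 and not req.mfa_passed:
        return False, "MFA required"
    if app["tier"] >= 3 and not dev["tpm_attested"]:
        return False, "TPM-attested device required"
    return True, "allowed"
```

Every denial names the first failed check, which is the information the "visibility and analytics" element of the model needs from the policy engine.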
Software-defined perimeters (SDP)
Traditional network perimeter defense assumes attacks usually originate from outside, but what about attacks that occur inside the perimeter?
Today, many network attacks originate from inside and may come from anywhere. Software-defined perimeters (SDP) address this by allowing perimeters to be deployed dynamically, without the traditional notion of a fortress that is impregnable and inaccessible to outsiders.
The SDP framework can address many security, privacy, and availability challenges, including but not limited to authentication and trust, access control, data privacy, data availability, and service availability. It includes protocols for device authentication, device validation, dynamic firewalling, and application binding.
Micro-segmentation is a concept of isolation, segmentation, and security applied at the application, database, and network levels. It is based on the idea of stopping lateral movement in case of an attack.
Much of the discussion of micro-segmentation focuses on data centers; however, it can be applied to any network segment as well. Micro-segmentation can be implemented in a number of ways, for example through VPN tunnels, network overlays, and/or segment routing.
Micro-segmentation at the workload, application, and even hypervisor level can further protect critical data from hackers.
The Zero Trust Security model is a comprehensive approach to cybersecurity that considers all points of attack. It can be daunting for any organization to implement, but many available frameworks can help in understanding how to employ different security measures to protect your company's assets.
"Massive Personal Data Leak of 1.2 Billion Showcases New Privacy, Security Concerns." CPO Magazine, 13 Apr. 2020, https://www.cpomagazine.com/cyber-security/massive-personal-data-leak-of-1-2-billion-showcases-new-privacy-security-concerns/
"67% Increase in security breaches in the last five years." Ninth Annual Cost of Cybercrime Study, 6 Mar. 2019, https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
"42% of businesses saying that digital fraud hampers innovation and expansion into new channels." Global Cybercrime Report, 25 Oct. 2021, https://seon.io/resources/global-cybercrime-report/
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.