Zero trust model security challenges


ZTA adds high standards of data security, but can be exploited to bring down an entire enterprise network when under a DDoS attack. Here is what you need to know to keep your network secure and available.

In this article we explain how Zero Trust became the highest security priority for organizations, and what its challenges are.


Recent cyber-attacks made it clear: it’s time for Zero Trust. Unlike perimeter-based security, which only makes it harder for a potential hacker to traverse internal core systems, Zero Trust assumes hackers are already inside your network; therefore: “TRUST NO ONE”.

The impact of security breaches

Earlier this year, in what appears to be the largest cyberattack on an American energy organization ever, a group of hackers breached the “Colonial Pipeline” network using a leaked password they found on the dark web. Using the compromised password, they were able to traverse Colonial's critical network systems, leading to a complete shutdown of the entire pipeline that resulted in fuel shortages across the US East Coast. After stealing nearly 100 GB of Colonial’s data and threatening to leak it, the Russia-based hacker group known as DarkSide got paid $4.4 million.

A great article by Lawrence Abrams of Bleeping Computer shows how the “Pysa” ransomware group used a simple PowerShell script to find the information they were looking for after gaining control of an organization’s Domain Controller. Once a hacker gains control of a Domain Controller, the game is over. From this point, all a hacker needs is a simple PowerShell script to search for files related to the company’s financial information, banking information, login credentials, insurance policies (if you have one, they assume you will pay the ransom), etc.

Traditional Network Architecture 

A traditional network architecture is a perimeter-based network which, although widely used, cannot prevent hackers from accessing an organization’s sensitive data or gaining control of critical systems. Until now, VPN solutions were used to secure network communications and prevent untrusted access to sensitive data. However, although capable of securing communication channels with encryption, VPNs are useless at preventing a breach once an attacker gets hold of valid credentials for the network.

ZTA, on the other hand, with its strong authentication and authorization capabilities, is the ideal solution for this major security concern.


Image: Traditional Network Architecture Model

It's time for Zero Trust!

Organizations’ security leaders now understand that Zero Trust has become the top cyber security priority, due to the recent high success rate of cyber-attacks. 96% of security decision-makers who participated in Microsoft’s 2021 Zero Trust Adoption Report stated that Zero Trust is critical to their organization’s success. 76% are already in the process of implementation. 73% expect their Zero Trust budget to increase.

How does Zero Trust work?

A zero-trust network is just what it sounds like: a network that is completely untrusted. We interact with such a network very frequently: the Internet. Instead of breaking a network into location-based pieces, if we declare that network location has no value, the VPN is suddenly not needed (along with several other modern network constructs).

Zero trust is about minimizing the trusted zones and separating systems so that each one does its own authentication and authorization.


Image: Zero Trust-Based Network Architecture Model

Zero Trust Architecture main concepts:

  1. The Zero Trust paradigm works on the principle that every network component is untrusted by default, inside or out. To achieve that, an additional authentication layer is needed, and privileges are granted to users only after authentication, depending on their function within the organization. In other words, an individual or system gains access to a requested resource only after multiple authentication steps and only if policy allows it, thus validating both the requestor’s identity and its access privileges.

  2. Since every user and every request is individually checked and authorized, even if attackers gain access to an enterprise’s premises or hack into a single system, they won’t get any further information or control for free.

  3. The Control Plane is where the authorization decisions take place for every access request in the network, for all devices and users.

  4. A security / access policy is applied at this stage, based on an individual’s function within the organization, the time / date, or even the type of device. For example, if an employee tries to connect to a resource from his or her personal smartphone, he or she will need to provide explicit, unique authentication data (a static or dynamically changing token) that only that user knows, thus eliminating the possibility of a hacker gaining access if the smartphone is compromised.

  5. If the control plane allows a request to a resource, it automatically sets the permissions needed to accept traffic from that client to that specific resource.

  6. The control plane may also provide the network entities with the encryption details for this request.

The main concept here is that one entity (the control plane) is in charge: it instructs the network components on all authentication and authorization processes and coordinates all needed access settings automatically, with no delay, once all authentication credentials are provided.

Image: How access to a resource in a Zero Trust network works

Is Zero Trust by itself enough to protect your network?

No. Imagine for a moment the outcome of attacking a Zero Trust model-based network with DDoS attacks. What will be the result of not protecting the Zero Trust control plane against DDoS attacks?


The truth is, if a DDoS attack succeeds in taking down the Control Plane components of a ZT-based network, making them unavailable for new requests, the entire network becomes unavailable and no one gets access to any part of it. As specified in NIST Special Publication 800-207, section 5.2, this is a major weakness, and it is a serious security risk that CISOs must consider and prepare for.
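To make the control plane model described in the concepts above, and the availability risk just described, concrete, here is a small added illustration in Python; it is not code from the article or from MazeBolt, and the users, roles, resources, hours and device types are constructed. It shows that every request is decided individually, that a stolen password alone does not pass, and that once the control plane is unavailable every new request fails closed while already-approved flows keep running.

```python
from dataclasses import dataclass, field

# Constructed policy (not from the page): roles and hours allowed per resource,
# and device types that must also present an explicit one-time token.
POLICY = {"finance-db": ({"finance"}, (8, 18)),
          "wiki": ({"finance", "engineering"}, (0, 24))}
TOKEN_REQUIRED = {"personal-smartphone"}

@dataclass
class Request:
    user: str
    role: str
    device: str
    resource: str
    hour: int
    password_ok: bool
    token_ok: bool = False

@dataclass
class ControlPlane:
    available: bool = True                     # False: knocked offline, e.g. by DDoS
    granted: set = field(default_factory=set)  # (user, resource) flows already approved

    def authorize(self, req: Request) -> str:
        # Nothing is trusted by default; an unavailable control plane fails closed.
        if not self.available:
            return "unavailable"
        rule = POLICY.get(req.resource)
        if rule is None or req.role not in rule[0] or not req.password_ok:
            return "deny"
        if req.device in TOKEN_REQUIRED and not req.token_ok:
            return "deny"                      # a stolen password alone is not enough
        if not rule[1][0] <= req.hour < rule[1][1]:
            return "deny"
        self.granted.add((req.user, req.resource))
        return "allow"

def data_plane_forwards(cp: ControlPlane, user: str, resource: str) -> bool:
    return (user, resource) in cp.granted      # enforcement: only approved flows pass

def scenario() -> dict:
    cp = ControlPlane()
    r = {"alice_laptop": cp.authorize(Request("alice", "finance", "corp-laptop", "finance-db", 10, True)),
         "alice_phone": cp.authorize(Request("alice", "finance", "personal-smartphone", "finance-db", 10, True)),
         "bob_wrong_role": cp.authorize(Request("bob", "engineering", "corp-laptop", "finance-db", 10, True))}
    cp.available = False                       # simulate the control plane being taken down
    r["carol_during_outage"] = cp.authorize(Request("carol", "finance", "corp-laptop", "finance-db", 11, True))
    r["alice_still_flows"] = data_plane_forwards(cp, "alice", "finance-db")
    r["carol_flows"] = data_plane_forwards(cp, "carol", "finance-db")
    return r
```

The last two results are the point of NIST SP 800-207 section 5.2: sessions approved before the outage keep flowing, but every new request, however legitimate, is refused until the control plane is reachable again.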

What are the best practices for securing organizations' networks?

The best suggested solution for securing a network is implementing a ZT solution alongside a well-designed DDoS protection. A Zero Trust solution will protect an organization from security breaches to sensitive systems and information, while DDoS protection that is validated 24/7 will keep the organization’s online services and Zero Trust components protected and available, ensuring new requests to resources will be handled by the Control Plane.

MazeBolt’s patented DDoS RADAR™ validates that your network is well protected against DDoS attacks. It does so by automatically simulating more than 100 different DDoS attack vectors against every host in your network, 24/7 and non-disruptively.

DDoS RADAR™ is used by top financial organizations, governments, and e-commerce companies to make sure their DDoS protection is well-tuned and updated with the latest changes in the network and latest DDoS trends.

DDoS RADAR™ is the only solution today that can lower your network’s DDoS vulnerability level to 0%.

What is DDoS RADAR™ Technology?

RADAR™, MazeBolt's new patented technology solution, is the only 24/7 automatic DDoS attack simulator on a live environment with ZERO downtime/ disruption. It automatically detects, analyses, and prioritizes the remediation of DDoS vulnerabilities in any mitigation system. RADAR™ raises the efficiency of your mitigation solution, delivering the ultimate DDoS protection.

About MazeBolt

Israel-based MazeBolt is an innovation leader in cybersecurity, with over two decades of experience in pioneering DDoS protection solutions. The company’s new flagship product, RADAR™, is a patented new technology. It offers DDoS protection through automated DDoS simulations on live production, with zero downtime, working in conjunction with any installed mitigation solution. Its unique capabilities have ensured business continuity and a full DDoS security posture for enterprises worldwide, including Fortune 1000 and NASDAQ-listed companies.

References:

Microsoft, Zero Trust Adoption Report (2021): https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWGWha
NIST Special Publication 800-207, Zero Trust Architecture: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf


About Alon Yafe

Alon is a Senior Cyber Security Researcher & Professional Services Expert at MazeBolt Technologies