“What if a rogue host gets stood up in my public cloud environment, either by accident or by a malicious attacker? And then, what if that rogue host is used as a launchpad to inflict further damage on my environment or to steal data?”
Several customers have described this same scenario involving unauthorized virtual machines (VMs) or rogue instances, and the automated, simplified provisioning offered by public cloud service providers has made it more likely. A developer could unintentionally instantiate a host that is not properly configured or secured, and that host could be taken over by a malicious actor; or an actor with the right privileges could stand up a rogue host directly. A good approach to security should protect the environment no matter the cause. Read on to learn how a zero trust approach can reduce this risk.
A multi-layered approach to securing the environment is required. The approach should:
- Eliminate external attack surface. Applications exposed to the internet present an attack surface. Applications should not be discoverable.
- Prevent initial compromise. Attackers need to gain a foothold in the environment. Attack techniques could include phishing, exploit of zero-day vulnerabilities, or other means of unauthorized access. End-user devices and access need to be secured.
- Stop lateral movement of threats. After gaining a foothold, attackers move laterally to their ultimate targets. Stopping threats from spreading across the network is paramount in limiting damage. In this instance, a zero trust approach to securing communications is key.
- Prevent exfiltration of data. Securing outbound communications of workloads from cloud and data center environments is a critical final step. External communications must be authorized and inspected to prevent data loss.
Perceptive readers will recognize the above steps as a simplified kill chain. Breaking any single link in the chain can stop an attack, but having controls at every stage yields the greatest reduction in risk. The remainder of this blog focuses on the third step, lateral movement prevention.
Stopping lateral movement of threats with zero trust
Today, the term “zero trust” is broadly applied and at risk of losing its value. Narrowing the term to “zero trust networking” is useful and actionable. Simply put, with zero trust networking we assume the network is hostile and untrusted; on this untrusted network, the identity of every communicating entity (e.g., an application or workload) must be verified and every communication flow must be explicitly authorized. Furthermore, policy must be automated to ensure there are no gaps in coverage, especially in dynamic environments where hosts come and go. The question is: how does zero trust relate to stopping lateral movement and rogue hosts?
If an attacker instantiates a rogue host or compromises a legitimate one, that is only the second step of the kill chain described above, initial compromise. To cause greater damage, attackers must connect to other systems and move laterally over the network toward the most valuable assets in the environment. They do this by installing malware that spreads through the environment, or by exploiting dual-use administrative tools such as PowerShell to propagate across a network that is often flat, i.e., unsegmented.
The traditional approach to stopping lateral movement has been to segment environments with firewalls. However, attackers can piggyback on approved firewall rules: a firewall that matches on IP addresses, ports, and protocols knows nothing about the software behind the address, so it cannot distinguish an approved service from malware using the same source, destination, and port. This is why we need to apply the concepts of zero trust networking: move beyond the address-based controls of firewalls and instead verify the identity of the communicating software and host.
In a zero trust network, even if a rogue host is instantiated, it has no ability to communicate with anything else in the environment, whether the communication is within a VPC or across VPCs. If the rogue host attempts to connect, every other host rejects the connection because it is outside of policy. The identity of the host and its software must be verified; it is not enough for the rogue host to sit on the same network or to use approved ports and protocols. A zero trust network also allows more fine-grained control. If a legitimate host has been compromised, the verified software on that host continues to be allowed to communicate, while the unverified malicious software is not. This preserves business continuity in a secure way even after a compromise. Of course, the administrator should be alerted to the attempted suspicious or malicious communications. One caveat: this per-process control is only as strong as the identity it verifies. If an attacker drives their activity through an already verified dual-use tool such as PowerShell, that traffic inherits the tool's identity, so policy for such tools should be scoped as narrowly as possible and their flows monitored. A zero trust environment, with least-privileged access, is a lonely place for a rogue host.
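The following is an added example, not code from this post or from Zscaler's products. It models the contrast drawn above with a toy policy engine: an address-based firewall rule set is evaluated side by side with an identity-based rule set in which a source workload's identity is derived from a registered host name plus the SHA-256 fingerprint of the software opening the connection, and every flow must match an explicit (source identity, destination identity, port, protocol) entry. The host names, CIDRs, stand-in "binaries", and flow records are all constructed for illustration.

```python
# Added example: address-based firewall vs. identity-based (zero trust) policy.
# All hosts, addresses, binaries and flows below are constructed, not real data.
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt, as a host agent would see it."""
    label: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    src_host: str       # host that originated the flow
    src_binary: bytes   # executable that opened the socket (constructed stand-in)


# --- address-based firewall: (src_cidr, dst_cidr, dst_port, proto) ----------
FIREWALL_RULES = [("10.0.1.0/24", "10.0.2.0/24", 5432, "tcp")]  # app tier -> db tier


def firewall_allows(flow: Flow) -> bool:
    """Classic 5-tuple match: knows nothing about who or what is behind the IP."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    return any(
        src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
        and flow.dst_port == port and flow.proto == proto
        for s, d, port, proto in FIREWALL_RULES
    )


# --- identity-based authorization -------------------------------------------
def fingerprint(binary: bytes) -> str:
    """Software identity: SHA-256 of the executable (constructed stand-ins below)."""
    return hashlib.sha256(binary).hexdigest()


ORDER_SVC = b"\x7fELF order-service v1.4"       # approved application binary
MALWARE = b"\x7fELF totally-legit-updater"      # dropped by an attacker
SCANNER = b"\x7fELF port-scanner"               # running on a rogue instance

# Identities are registered out of band (host + approved software), never derived from IP.
WORKLOAD_IDENTITIES = {("web-01", fingerprint(ORDER_SVC)): "order-service"}
# The enforcement point is the destination host, which knows its own identity.
HOST_IDENTITIES = {"10.0.2.10": "orders-db", "10.0.2.20": "hr-db"}
# Every permitted flow is an explicit (src identity, dst identity, port, proto).
POLICY = {("order-service", "orders-db", 5432, "tcp")}


def verify_identity(flow: Flow):
    """Return the verified workload identity for the source, or None if unknown."""
    return WORKLOAD_IDENTITIES.get((flow.src_host, fingerprint(flow.src_binary)))


def zero_trust_allows(flow: Flow) -> bool:
    src_id = verify_identity(flow)
    dst_id = HOST_IDENTITIES.get(flow.dst_ip)
    if src_id is None or dst_id is None:
        return False          # no verified identity on either end: default deny
    return (src_id, dst_id, flow.dst_port, flow.proto) in POLICY


FLOWS = [  # constructed scenarios
    Flow("legit app -> db",         "10.0.1.10", "10.0.2.10", 5432, "tcp", "web-01",   ORDER_SVC),
    Flow("rogue host, same subnet", "10.0.1.99", "10.0.2.10", 5432, "tcp", "rogue-01", SCANNER),
    Flow("malware on legit host",   "10.0.1.10", "10.0.2.10", 5432, "tcp", "web-01",   MALWARE),
    Flow("legit app -> wrong db",   "10.0.1.10", "10.0.2.20", 5432, "tcp", "web-01",   ORDER_SVC),
    Flow("legit app, other VPC",    "10.1.0.5",  "10.0.2.10", 5432, "tcp", "web-01",   ORDER_SVC),
]


def evaluate(flows=FLOWS):
    """Return {label: (firewall_decision, zero_trust_decision)} plus the alerts
    an administrator should receive for flows the identity policy denied."""
    decisions, alerts = {}, []
    for f in flows:
        fw, zt = firewall_allows(f), zero_trust_allows(f)
        decisions[f.label] = (fw, zt)
        if not zt:
            alerts.append(f"DENY {f.label}: host={f.src_host} "
                          f"sw={fingerprint(f.src_binary)[:12]} identity={verify_identity(f)} "
                          f"-> {f.dst_ip}:{f.dst_port}/{f.proto}")
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = evaluate()
    for label, (fw, zt) in decisions.items():
        fw_s, zt_s = ("allow" if fw else "deny"), ("allow" if zt else "deny")
        print(f"{label:26} firewall={fw_s:5} zero_trust={zt_s}")
    print(*alerts, sep="\n")
```

Running it shows the firewall admitting the rogue host, the malware on the compromised host, and the legitimate service reaching a database it has no business with, because all four flows share the approved subnet-to-subnet 5-tuple; the identity policy denies all three and raises an alert for each, while the one flow the firewall blocks (the approved service talking from another VPC) is allowed because identity, not address, is what is checked.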
To learn how Zscaler can help secure workload communications and segment cloud and data center environments, please see our secure Cloud Connectivity solution and register to attend our webinar: Why Enterprises Need a New Approach for Securing Cloud Workloads.