For the past three decades, organizations have been building and optimizing complex, wide-area, hub-and-spoke networks for connecting branches and factories to applications in the data center. The network was secured with a stack of security appliances and firewalls using an architecture known as castle-and-moat security. This was so named because the security stack created a network perimeter (or moat) around the data center (or castle). This architecture prevented access to anyone outside the network, but granted privileges to anyone within.
A familiar pattern of steps for breaching enterprise organizations has emerged as a result. Malicious actors return to this tried-and-true, rinse-and-repeat strategy because it so often leads to success. While cybercriminals are often a clever group, these four steps don't require a strategic genius to execute. The greater the resources or the deeper the skills, the more likely the adversary is to succeed at breaching its intended target – unless, that is, the target has already taken steps to shore up these weak spots by transitioning to a zero trust network architecture (ZTNA).
1. They find your attack surface
Every interconnected network carries an implicit trust: anyone who can reach the network can attempt a connection to any application residing on it. The shared network context, whether internet-based users connecting via VPN or workloads exposed for access on any network, ultimately leaves services open to receive a connection. When a service must accept connections from an initiator over a shared network, that service is exposed as an attack surface.
Hub-and-spoke networks have historically relied on implicit trust to allow connectivity, but the design also introduces performance problems when workforces and applications become distributed. To resolve this problem and its associated costs, many companies deployed local internet breakouts to route traffic directly. Virtual firewalls are then deployed to protect these breakouts, and each one adds another internet-facing listener, which increases the organization's internet attack surface.
Every internet-facing service, including firewalls (whether in the data center, cloud, or branch), can be discovered, attacked, and exploited. Remember, firewalls connect networks and attempt to apply controls at that network layer. The moment access is needed, an ingress network listener must be exposed. Subsequently, this exposed network listener is open to anyone and anything that shares this network, which could ultimately be the entire internet.
2. They compromise you
Cybercriminals bypass conventional detection methods by exploiting the trust placed in common services. Attackers either directly target your exposed services (e.g., firewalls, VPNs, workloads) or entice end users by hosting malicious content. Firewalls and antivirus appliances, which once provided adequate protection, are anchored in a centralized network control point that hasn't kept up with the pace and sophistication of modern users, apps, and attacks. It is not a matter of if you will be compromised, but when. With an exposed attack surface, the organization is subject to both opportunistic and targeted attacks.
Attackers identify and target a corporation’s weakest links to access its network. Once inside, they establish a beachhead, ensure they have multiple paths back into the network should the original entry point be secured, and begin scanning for high-value targets.
3. They move laterally
Extending networks for added functionality based on the principle of a shared network context allows for easy access, as users and apps are both on the network. But it also provides the same easy access to infected machines, since network-based controls have difficulty controlling lateral (east-west) movement across the breached network. A single infected machine in a user's home, or an infected workload in a public cloud, that shares the trusted network context can access all applications, giving it the potential to cripple a business.
4. They steal your data
After discovering and exploiting high-value assets, attackers will attempt to leverage trusted services like SaaS, IaaS, and PaaS, as well as known and accepted protocols like standard HTTPS encryption, to set up backchannels and exfiltrate data. An example is the Colonial Pipeline breach, where an attacker could use stolen VPN credentials to enter a corporate network, move laterally to access sensitive financial data and disrupt operations, and ultimately hold a piece of U.S. critical infrastructure for ransom, a practice known as ransomware.
Ransomware at a glance:
- Extortion: Attackers render enterprise information unusable and demand money for its return.
- Double Extortion: Attackers threaten to release enterprise information if not paid.
- Triple Extortion: Attackers leverage the stolen information to inflict additional damage, e.g., DoS of the customer or the sale of customer data to apply additional pressure.
Attackers continuously refine these tactics and have adopted double and sometimes triple extortion techniques to increase their chances of collecting payment by threatening to leak customer data or cripple operations.
Breaking the cyberattack cycle
Vulnerabilities inherent to legacy network and security architectures highlight the imperative to evolve the design into something radically different that addresses modern-day attacks and exposure. This evolution involves both a network and security transformation, enabling more ubiquitous and granular policy and, at the same time, enabling digital transformation. The answer is a zero trust architecture that removes the attack surface and provides secure connectivity between users/devices, IoT/OT devices, and workloads, wherever they may reside.
Editor’s note: The above is an excerpt from the book Seven Elements of Highly Successful Zero Trust Architecture. To learn more about how ZTNA addresses each of the four steps commonly used to breach an enterprise, download your copy today.