[Zero Trust] What is “zero trust” good for? A look through a hacker attack

Today, zero trust is no longer unfamiliar. However, most people’s understanding of it is still at the conceptual level: they know what capabilities zero trust has, but not how it solves practical problems.

In fact, zero trust itself is very practical. The well-known zero trust architecture BeyondCorp was summarized by Google from its own offensive and defensive practice. It has been used internally at Google to this day, and the results are remarkable.

Let’s take a practical case of a hacker attack to see what problems exist in an enterprise network, and then look at what zero trust can do in the face of the same attack. (The case is adapted from “Hackers Change”.)

1. A hacker attack

(1) Background

Alpha Company (a pseudonym) is an internationally renowned system software company. The Hammer system is the company’s core product, and its quality is first in the industry. However, while the Hammer system brings huge revenue to the company, it also attracts the covetousness of many competitors…

Xiao Hei is a professional hacker with three years in the trade.

One day, a man in a suit who looked like a boss found Xiao Hei and offered 5 million to steal all the source code of the next version of the Hammer software.

Xiao Hei didn’t quite understand the business competition, but the reward was extremely generous, so he decided to accept the contract.

(2) Collection of information

Before starting the attack, Xiao Hei conducted comprehensive information collection on Alpha Company.

Xiao Hei used Google to find many Alpha Company employee mailboxes. Checking the prefixes of all the mailboxes, he quickly guessed Alpha Company’s mailbox naming rule: the full spelling of the employee’s name.

While searching for employee information on the Internet, Xiao Hei also found many technical posts shared by Alpha Company’s senior engineers, which revealed a lot about Alpha Company’s network. He also happened to find the address book of some of Alpha’s sales organizations on the website of a partner company.

After collecting about 200 of the company’s email addresses, Xiao Hei felt the information gathering was about complete.

(3) Phishing

To support the next step of the attack, Xiao Hei built a fake game website.

Xiao Hei selected 10 mailboxes from those collected (keeping the number small to avoid spam filtering) and sent a phishing email: try the latest game for free. The gist: our company is testing a new game and needs expert testers. Are you a game expert? Come and try it! The email contains a download link for the game. Of course, the game files are trojanized.

Xiao Ming is a young programmer. Apart from writing code, he also plays games. One morning, while browsing the company’s email, he found the free trial game email. “Cool!” Xiao Ming exclaimed, and on impulse he decided to give it a try.

Xiao Ming knew that downloading the game over the company network would be caught, so he first closed the company VPN connection and then clicked the link in the email to download the game.

After downloading, Xiao Ming ran a virus scan and started the game only after it came back clean. The game was “green” (portable) software that needed no installation. Xiao Ming found it very enjoyable. He even emailed some suggestions to the “developer”.

Of course, he did not notice that the moment the game started, the Trojan backdoor had already gone to work. (Xiao Hei was well aware of the strength of Alpha’s endpoint control software, so the Trojan left no traces on disk and was instead injected into a process.)


(4) Spread

After playing the game for a while, Xiao Ming got down to work and turned the company VPN connection back on.

At this point, the Trojan process on Xiao Ming’s machine began to scan Alpha Company’s entire network through the VPN link. Before long it found a file sharing server hosting much of the software employees commonly use, including the VPN client.

The security management of this server was very poor, and Xiao Hei obtained administrator privileges without much effort.

Xiao Hei replaced a commonly used text editor on the server with a version implanted with an eavesdropping Trojan.

When other employees downloaded and used this software, the Trojan first copied itself and then let the editor run normally, so users noticed nothing. Soon, Xiao Hei’s eavesdropping Trojan had spread throughout Alpha Company.


(5) Account theft

Xiao Hei’s eavesdropping Trojan could collect password files on the system, record keystrokes when a user established a new connection, and pick user IDs and passwords out of login traffic.

The Trojan sent all the collected password material to Xiao Hei for cracking. In less than three hours, Xiao Hei had more than 50 passwords, including the account passwords of the vice president of R&D and the product director.


(6) Theft

Using these newly cracked passwords, Xiao Hei logged into Alpha’s VPN with a “legitimate identity” and entered Alpha’s internal network.

Xiao Hei began to slowly scan for where the Hammer source code was kept (keeping the scan frequency low to avoid detection).

To keep security staff from noticing his scanning, Xiao Hei also launched intermittent DDoS attacks on Alpha’s external website as cover.

After locating the Hammer source code, Xiao Hei quickly obtained download permission on the code repository using the accounts he had stolen earlier.

When the “treasure” came into view, Xiao Hei shouted for joy. Of course, the work still had to be done carefully, step by step… Within a few days, Xiao Hei had packaged and downloaded all the code into his own system through several compromised intermediary hosts (“broilers”).


(7) Closing

After taking the source code, Xiao Hei did not forget to clean up the traces of his intrusion: he ordered the Trojan to self-destruct and used the IT operations privileges to delete the logs.

The successful Xiao Hei “delivered” on schedule, looked at the surprised and admiring boss, and comfortably pocketed the thick stack of banknotes…


2. Problem analysis: the biggest loophole is the human one

In the above example, Xiao Hei used a very typical attack routine. It is centered on “people”: first find a weakness to compromise a device or steal an identity, then use the foothold as a springboard to spread across the entire network, and finally do the damage under a legitimate identity.


Under Xiao Hei’s attack, Alpha Company exposed three notable problems:

(1) Insufficient security awareness among employees, causing device protection measures to fail

Because people’s security awareness is uneven, all kinds of non-compliant operations easily happen. In reality, many enterprises have already installed security software, but employees sometimes turn off antivirus and endpoint management software for their own convenience. At that point, it is easy for employees to be compromised.

In the case, Xiao Hei easily hooked Xiao Ming by phishing and compromised Xiao Ming’s device.

As another example, some people’s computers often sit with the screen unlocked. In a previous case, the attacker sneaked into the company building from the underground garage and tailgated other employees through access control. On seeing a computer with an unlocked screen in the office area, he plugged in a poisoned USB drive and directly implanted a Trojan.

(2) Intranet permissions are neglected, so threats spread rapidly once inside

Generally, the corporate network is completely isolated from the outside, but there are very few restrictions on those who already have access to the internal network. This is a great convenience for attackers.

In the case, after Xiao Hei compromised Xiao Ming’s device, he could scan the intranet at will and quickly found the vulnerable system.

System vulnerabilities cannot be avoided, but excessive permissions can.

Xiao Ming may use the file sharing service, but the management port should never have been exposed to Xiao Ming at all. Exposing it to Xiao Ming is equivalent to exposing it to Xiao Hei.

(3) Once an identity is leaked, the hacker steals data under a “legitimate identity”, which is difficult to intercept

Besides hackers stealing accounts directly, employees often “borrow” and “share” accounts with each other, leaking identity information. Add weak passwords, password leaks from social sites, and so on, and security staff should basically assume by default that users’ account passwords have been leaked.

Some companies record some network data and audit and analyze user behavior. However, these systems are usually “bolted on” and are rarely able to fit the business closely enough to detect and intercept abnormal behavior in time.

The Xiao Hei in the case is very cunning. He uses a legitimate identity as cover and techniques such as slow scanning, fileless attacks, and splitting files and exfiltrating them in batches to evade security monitoring. As a result, Xiao Hei’s illegal behavior is difficult to detect.


3. Solution: overcome human unreliability through a security framework

The core of the attack is “people”, so the core of defense must also be “people”. The key to defending against attackers like Xiao Hei is to overcome the unreliability of “people” by establishing a “security framework”.

Zero trust is such a security framework: it integrates many practical technologies and provides comprehensive defense centered on “people”.

(1) People’s security awareness is relatively low, but zero trust can force an improvement

Zero trust can collect the security status of end devices and establish restrictions: if the requirements are not met, access is not allowed.

For example, to prevent the spread of viruses, the “zero trust client” can detect whether antivirus software and endpoint management software are installed on the user’s computer. The zero-trust gateway guards the intranet entrance; only when the client’s check succeeds and is reported to the gateway will the gateway let the traffic through.

In this way, insecure devices cannot access the intranet, avoiding the risks introduced by users’ lack of security awareness. (To defend against some advanced threats, zero trust can also be linked with EDR products.)

To prevent data leakage, the client can be required to detect whether the user is working in a cloud desktop. If not, the user is not allowed to access certain important resources, avoiding the leakage of sensitive information such as source code and customer lists.

To prevent an attacker from bribing an insider or sneaking into the office to spread risk, the client can be required to detect whether the user has set a lock-screen password; if not, intranet access is not allowed.

To prevent an attacker from remotely controlling the user’s device, the client can be required to detect whether the user has disabled remote services or remote sharing; if not, intranet access is not allowed.


(2) In a zero-trust network, people and resources are naturally isolated, so threats do not spread quickly

In a zero-trust network, the zero-trust gateway sits at the entrance of the entire intranet, isolating people from resources.

Even if an attacker steals accounts and devices, they cannot directly access the intranet. There is very little an attacker can do.

First, the attacker cannot scan ports at will.

Zero-trust SPA (single packet authorization) stealth technology blocks unauthorized port scans. If the user does not have access rights, the corresponding server port is not opened to them, and the attacker’s port probe request is simply discarded by the firewall in the zero-trust gateway. (For details, please refer to my article “Demystifying the “Invisible” Black Technology in Zero Trust”.)

In this case, Xiao Hei can only scan the servers that Xiao Ming has access to, and cannot scan the entire intranet at scale.

Second, the attacker can no longer connect directly to the server.

A zero-trust gateway can be restricted to proxying and admitting traffic only at the application layer.

Then Xiao Hei will find that only the zero-trust gateway is directly connected to him, and the real business server can only be reached over HTTPS through the gateway’s forwarding.


Third, mature zero trust also includes unified permission management at the data level. Xiao Hei will find that not all data on a web page can be accessed.

Finally, even if an attacker compromises a server, he cannot use it as a springboard to continue moving laterally.

Zero-trust micro-isolation (micro-segmentation) technology enforces access control between servers. After an attacker compromises a server, it is impossible to scan other servers on the same network segment, because the micro-isolation agents on those servers intercept the probe traffic. (For details, please refer to my article “Achieving Zero Trust with Micro-Isolation Technology”.)


(3) Passwords will leak, but zero trust also verifies devices, faces, and behavior

First, device binding and multi-factor authentication are must-have features of zero trust.

After an attacker steals an account, the zero-trust client will check whether the device is on the trusted list; logging in from a new device is treated as a suspicious event and triggers multi-factor authentication.

In the case, Xiao Hei did not have the trusted device Alpha Company issues to employees, so he could not directly log in to the VPN and access the intranet.

Some particularly important applications may require multi-factor authentication at first login, such as face recognition before entry.

Some particularly important systems can even require the client to keep face recognition on at all times, automatically disconnecting when the user leaves the seat or someone is watching from behind.


Second, even if the identity is stolen, abnormal behavior will expose him.

A zero trust framework includes the ability to identify “abnormal behavior” and is tightly integrated with the business layer. Through the cooperation of the client and the gateway, when an abnormality occurs, secondary authentication can be triggered, and communication is allowed to continue only after the user passes SMS or face verification.

For example, the user was in Beijing 10 minutes ago, and 10 minutes later the login location suddenly changes to Shanghai. This impossible location change indicates that the account may have been compromised.

At this point, the zero trust platform orders the client and the gateway to temporarily interrupt communication and prompts the user to verify via SMS, resuming normal communication after the check passes.

In the case, all of Xiao Hei’s behavior would be continuously monitored, and many of his attack actions would be flagged as suspicious events: after compromising Xiao Ming’s computer, suspicious processes are left behind; when scanning the intranet, the access pattern is highly regular and concentrated in a short period; downloading a large number of source code files from the intranet triggers secondary authentication, preventing Xiao Hei from continuing and alerting Xiao Ming.
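As an added example (not code from the original article), here is a toy gateway policy engine that turns the checks described in sections 3(1) to 3(3) into a single decision: device posture, per-identity authorization that leaves unauthorized ports hidden, the cloud-desktop requirement for source code, device binding with step-up multi-factor authentication, and the Beijing-to-Shanghai impossible-travel case. All user, device and resource names and the 900 km/h travel threshold are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Device:
    device_id: str
    av_running: bool = True           # antivirus / endpoint management present
    screen_lock: bool = True          # lock-screen password configured
    remote_services_off: bool = True  # remote desktop / remote sharing disabled
    cloud_desktop: bool = False       # user is working inside a cloud desktop

@dataclass
class Request:
    user: str
    device: Device
    resource: str
    latlon: tuple  # (lat, lon) of the client; constructed sample values in tests
    ts: int        # unix seconds

# Constructed policy data for the example; not from any real deployment.
TRUSTED_DEVICES = {"xiaoming": {"LAPTOP-001"}, "rd-vp": {"LAPTOP-042"}}
RESOURCES = {  # who may reach each service, and whether it needs a cloud desktop
    "file-share": {"users": {"xiaoming", "rd-vp"}, "cloud_desktop": False},
    "source-code": {"users": {"rd-vp"}, "cloud_desktop": True},
}
MAX_SPEED_KMH = 900  # faster than this between two logins counts as impossible travel

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(req, last=None):
    """Return (verdict, reason); `last` is the same user's previous request, if any."""
    d = req.device
    # 1. Posture: an unhealthy endpoint is stopped at the intranet entrance.
    if not (d.av_running and d.screen_lock and d.remote_services_off):
        return "DENY", "device posture check failed"
    # 2. Authorization: no right to the service means no open port; the probe is dropped.
    policy = RESOURCES.get(req.resource)
    if policy is None or req.user not in policy["users"]:
        return "DROP", "not authorized for resource; port stays hidden"
    if policy["cloud_desktop"] and not d.cloud_desktop:
        return "DENY", "sensitive resource requires a cloud desktop"
    # 3. Device binding: a correct password from an unknown device is a suspicious event.
    if d.device_id not in TRUSTED_DEVICES.get(req.user, set()):
        return "STEP_UP", "untrusted device; multi-factor authentication required"
    # 4. Behaviour: impossible travel since the previous login forces re-authentication.
    if last is not None and req.ts > last.ts:
        speed = km_between(last.latlon, req.latlon) / ((req.ts - last.ts) / 3600)
        if speed > MAX_SPEED_KMH:
            return "STEP_UP", f"impossible travel ({speed:.0f} km/h)"
    return "ALLOW", "all checks passed"
```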


4. What the case looks like after zero trust

(1) Phishing stage: Xiao Ming, who loves to play, will still be phished and download the Trojan. However, before Xiao Ming enters the intranet, the zero-trust client will actively check whether the device’s security capabilities are enabled and whether the device is in a safe state, so the Trojan will soon be discovered and dealt with.

(2) Spread stage: zero trust limits the spread of risk through stealth and isolation technology, so that Xiao Hei cannot find valuable targets. Zero trust also keeps detecting the abnormal behavior that spreads the risk, triggering multi-factor authentication and blocking Xiao Hei’s next move.

(3) Account theft stage: Xiao Hei can still steal account passwords, but cannot pass device authentication and multi-factor authentication, so the stolen passwords are useless.

(4) Theft stage: Xiao Hei was unable to break through zero trust’s restrictions on identity authentication, device authentication, behavior detection, network authorization, etc. in the earlier stages, and ultimately cannot steal the data.


5. One-sentence summary: what can zero trust do?

In hacker attack and defense, people are the biggest loophole. Zero trust means trusting no one: it makes up for the unreliability of people through a security framework, integrating various kinds of detection, authentication, and restriction, making it hard for attackers who used to come and go freely.
