Beyond The Hype: Zero Trust From An Attacker’s Perspective

Transcript

1. ® BEYOND THE HYPE ZERO TRUST FROM AN ATTACKER’S PERSPECTIVE

   Rich Smith (@iodboi) Morteza Ansari (@morteza_ansari)

2. 2 DISCLAIMER: The views and opinions expressed in this presentation

   are those of the authors and do not necessarily represent official policy or position of their employers.

3. ® ZeroTrust/BeyondCorp/ZTX/CARTA…. • Lots of names, & attempts to commercialize,

   some fairly established ideas • Zero Trust came from the Jericho Forum circa 2005 • BeyondCorp came as part of Google’s 2009/2010 response to Operation Aurora that implemented many of the ZT principles to build greater resilience. • Regarded as the first at scale implementation of ZT ideals
4. None

5. 5

6. 6

7. ® Zero Trust from 50,000 ft

8. 8 All IP’s are created equal ...treat your infrastructure with

   as much distrust as you do the Internet. Encrypt all traffic regardless of whether it is internal or not, and don’t trust a request based on IP address alone.

9. 9 We need to evaluate trust in both users and

   access devices ...gone are the times when knowing who is requesting access is enough. The trustworthiness of the access device also needs to be evaluated to determine if policy has been met.

10. 10 Trusted != Trustworthy ...at its core ZT simply tries

    to allow you to make dynamic assertions about the trustworthiness of access requests. This trust is built rather than implicitly bestowed.

11. 11 Access Centric vs Threat Centric ...ZT provides minimal access

    through strong highly contextual access control that focus on what should be allowed, rather trying to detect all of the bad things that should be blocked.

12. 12 AuthZ is Now a First Class Citizen ...authN is

    well understood, standardised & implemented, less so for authZ. As the importance of authZ increases & its scope continues to shrink – consistency, performance, and interoperability are more critical than ever before.

13. 13 ZT is not a Product ...it’s a mindset. An

    updated security model for modern environments and technology usage patterns. It’s ideals can be achieved in a variety of ways.

14. 14 The Internet is the network The Cloud is the

    data center Your Identity is the perimeter Any Device is a work device Jarrod Benson, CISO of Koch Industries

15. 15 In 5 years ZT will just be called Best

    Practice

16. ® Threat Landscape

17. ® Tech Landscape Threat Landscape Solution Landscape Changing technology opens

    up new attack opportunities The threat landscape evolves to take advantage of these new opportunities New Threats require new mitigations, often in a short timeframe. The changing Threat landscape drives the Solution Landscape which fills with point solutions to the new threats. Eventually the security solutions find their way back into the tech landscape and become the new normal in one of two main ways: Address the symptom New specific mitigations can feed back into the Tech landscape being applied to many occurrences of the same problem (faster but less holistic) and Address root cause Mitigations can be applied as more secure design patterns / best practices and help solve the threat across the board (slower but broader)

18. 18 If you’re defining the tech landscape your are defining

    the threat landscape…

19. 19 …don’t ignore this, use it to your advantage

20. ® Attacker’s View of ZT

21. ® What Does ZT Make Harder For An Attacker? •

    The value of stolen credentials decreases • ZT’s strong authN pre-requisites make credential theft & MITM attacks far harder • Lateral movement on the network is far harder • AuthZ is enforced at the resource being accessed, LAN presence alone grants little in terms of implicit privilege or access • Use of TLS everywhere decreases the value returned from sniffing & MITM • Low hanging fruit of known vulnerable device/OS is rarer • Enforcing health checks on access devices removes the easiest pickings • Indiscriminate attacks significantly reduce in value • Privileges are more tightly bound forcing attacks to be targeted

22. ® tl;dr – ZT Forces More Targeted Attacks Casting a

    wide cheap net, not caring about who you catch, to just pivot to what you actually care about will no longer work • The attack goal & target have to align • Targeted attacks require higher skill & are more attributable • All of this increases the costs to the attacker – and that is HUGE

23. ® How Does ZT Shift the Attack Landscape? • Bearer

    Tokens & API Tokens ◦ Apps use API tokens to interact, they are often statically defined & long lived ◦ Bearer token possession is sufficient for access ∴ bearer token protection is critical ◦ This all means API & bearer tokens are increasingly valuable to attackers ▪ Check your Githubs, leaking bearer tokens is all too easy ….. • API’s Themselves ◦ Focus on discrepancies between authN & authZ of API’s to other app interfaces ▪ Legacy and technical debt are real and often an attackers best friend ◦ Development & deprecated instances that have access to data that can be abused ◦ Bugs and flaws in ZT enforcement logic - this will be new and less tested

24. ® How Does ZT Shift the Attack Landscape? • The

    Control Plane ◦ ZT’s common Control Plane is a huge strength, but also a juicy target ◦ Attack impact & reach are amplified exponentially if CP is compromised ▪ Why change the config on one firewall when you can change all? ◦ The CP needs to be administered itself, the security of its management interfaces is critical to the security of the whole ZT architecture ◦ CP’s can often rely on third party services and/or SaaS infrastructure, this extends the attack surface of the CP meaning they are as critical to secure ▪ e.g. Compromise of an IDP could lead to compromise of the CP

25. ® How Does ZT Shift the Attack Landscape? • Cloud

    Infrastructure ◦ A big strength/weakness of Cloud is how easy and enabling it is to deploy & connect new infrastructure ◦ Misconfigured IaaS/PaaS/*aaS will still be low hanging fruit for attackers ◦ ‘Serverless’ is a misnomer ◦ it can still be vulnerable even if you’re not managing it’s infrastructure • Identity/AuthN/AuthZ Protocols and Providers ◦ While well established, the authentication ecosystem is both complex & foundational ◦ SAML is hard ▪ So is OAuth2.0 • So is OIDC …... ◦ Expect attack focus on bugs, flaws, and misconfigurations in authX to continue

26. 26 In 5 years ZT will just be called Today’s

    Target

27. ® What Now?

28. ® What Now? • Interoperability is key to success of

    ZT • think ecosystem not product • We need a lot more industry collaboration • We have some foundational standards but long way to go • SET, CAEP, WebAuthn, …. • Distributed authZ across administrative boundaries • AuthZ federation • What’s missing? You tell us (& each other!)

29. ® Questions? Morteza Ansari (@morteza_ansari) Rich Smith (@iodboi)

30. ®