Zero trust: Scramble the egg and bite the onion
If you've been anywhere near a tech news source lately, you've probably figured out two things: everything is hacked all the time, and everything moves very fast. Environment security has traditionally been presented as one of two paradigms: the egg (a really hard perimeter with a fragile inside) or the onion (many softer lines of defense before you reach the core). But we've reached a point where you have to admit it: the egg is cracked.
The egg has a sturdy shell... right?
If you haven't yet had the chance, fetch and read a deep dive into how a dismantled ransomware operation worked. It's fascinating. They have specialised so far into their craft that they're basically companies themselves: managers, vacation time, bonuses, objectives… and outsourcing. Something has appeared alongside these organizations to cover one step of the attack chain: initial access brokers. These are companies that are really, really good at obtaining initial access into your environment. But they don't exploit it themselves, where they'd risk being linked to the intrusion. Why make the effort of negotiating with you when that access is already quite valuable on its own?
So they sell it. A ransomware crew buys that VPN credential, that SMS code that gives your admin access to Slack management, and that G Suite service account you forgot about during a migration, which just so happens to retain its blanket “read all documents” permission. They walk right past your eggshell, and two weeks later you're explaining to the European Union just how many people's credit card details are now in a pastebin, being sold to any bidder with an internet connection and a dream. A surprise off-site backup for you, and a hefty fine to go with it.
Greener fields filled with onion leaves
So let's say your egg hasn't been scrambled into an omelette of lawyer emails yet. What can you do to improve your defenses against this kind of attack? You need to understand the onion approach to security, or what I call the “I want to change my home electric company” approach: make every step an attacker takes in your environment an unbearably inconvenient experience.
This approach consists of making sure that every step an attacker would need to take on the way to complete control is covered by an independent security control that can stop them in their tracks. The longer the kill chain they need, the more chances there are to stop them. That is the base concept, but the implementation differs in every case, which is what we came here to talk about today: in a world of remote work and curated developer experience, the path forward is a Zero Trust security architecture.
Never trust, always verify
Every vendor you come across is going to try to sell you on their own special flavor of Zero Trust implementation, but they all boil down to the same idea: you need a way to verify that whoever is accessing a resource is who they say they are. You may be saying “hey, that's what a user account does”. Yeah, and so do initial access brokers, right?
Even multi-factor authentication is being bypassed these days. SMS or automated call authentication? SIM swapping is all the rage. Give a listen to Darknet Diaries' episode 112, “Dirty Coms”, after this; it's well worth it. Dashing out of a phone store with the unlocked privileged tablet and SIM-swapping from inside a speeding minivan sounds like a B-movie until it happens to you.
Linus Tech Tips, one of the top technology YouTube channels out there, was hacked a couple of weeks before this post with a stolen browser access token, bypassing 2FA protection completely. Hell, even LastPass, a security-focused password management company, had its master vault accessed through a breach of an employee's personal machine. No one's environment is completely safe under the old models, big or small; they're all targets. And chances are that includes you.
The better path forward
So, what can you do? What can you trust? Well, your mileage may vary depending on who you are and what you do, but your corporate-provided environment, such as the laptops you issue, is (hopefully) properly configured, secured, monitored and hardened. Unless it has been reported stolen, and provided your employee follows proper physical protection practices with it, like locking the screen when away, you can be pretty sure that device is being used by an authorized user.
So you can trust that user's access to resources, but only when it comes from that device. Access from anything else opens up a risk: best case, your user is trying to look at their email from their phone; worst case, your Google Drive billing folder now has a regional replica on a USB drive in someone's basement.
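To make the "that user, only from that device" rule and the independent-controls idea concrete, here is an added example (my own sketch, not code from the post or from any vendor's product). It assumes a hypothetical device inventory fed by a management agent, a resource ACL, and session tokens that are bound to the device they were issued to, so a token lifted from a browser and replayed from another machine fails the device check even when MFA was completed.

```python
# Added example (not from the post): a minimal Zero Trust access-policy check.
# Access is granted only when an MFA-verified, authorized user comes from a
# known, healthy corporate device, and the session token was issued to that
# same device. Every control is evaluated independently (the "onion").
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in corporate device management
    reported_stolen: bool
    screen_lock: bool        # screen-lock policy confirmed by the agent
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    presenting_device: str   # identity proven by the device certificate
    token_bound_device: str  # device the session token was issued to
    resource: str


# Constructed inventory and ACL with hypothetical values.
INVENTORY = {
    "lt-0042": Device("lt-0042", True, False, True, True),
    "lt-0099": Device("lt-0099", True, True, True, True),   # reported stolen
}
RESOURCE_ACL = {"billing-drive": {"alice"}, "slack-admin": {"bob"}}


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); all failing controls are reported."""
    reasons: list[str] = []
    if not req.mfa_verified:
        reasons.append("mfa not verified")
    if req.user not in RESOURCE_ACL.get(req.resource, set()):
        reasons.append("user not authorized for resource")
    dev = INVENTORY.get(req.presenting_device)
    if dev is None:
        reasons.append("unknown device")
    else:
        if not dev.managed:
            reasons.append("device not managed")
        if dev.reported_stolen:
            reasons.append("device reported stolen")
        if not (dev.screen_lock and dev.disk_encrypted):
            reasons.append("device posture failed")
    # A replayed token from another machine fails here even with valid MFA.
    if req.token_bound_device != req.presenting_device:
        reasons.append("session token bound to a different device")
    return (not reasons, reasons)
```

The returned reason list is what you would log and alert on: a "session token bound to a different device" hit is a strong signal that a credential or cookie has already left the building.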
Depending on your size, this is obviously a hell of an undertaking. You're potentially looking at moving hundreds, maybe thousands, of accounts, credentials and systems into a completely new paradigm. You can start small with one group or with your critical platforms, or make incremental fixes. But after enough disclosure reports from big company after big company, I'd start giving onion resources a read next Monday, before someone cracks your shell and fries you sunny side up.
Iván Méndez
Always looking for something new to poke at (and to write about after). Reading documentation is not my thing, I like pulling levers and pressing buttons!