Beyond The Hype: Zero Trust From An Attacker’s Perspective

There has been a lot of hype around Zero Trust over the past year, and the industry's focus seems to have been on vendor-specific implementations, one-stop solutions, and products that, surprise surprise, were Zero Trust even before it was cool. In this talk we focus instead on the principles of Zero Trust, and in particular on how they change the threat landscape. We cover how the advent of Zero Trust alters attacker behaviour, incentives, and the selection of new targets. Where does the threat shift when Zero Trust principles are widely applied, and what new threats do we need to be concerned with?
Bypass the hype and get a clear handle on what ZT improves as well as what it does not.


Rich Smith

June 25, 2019



  1. Rich Smith (@iodboi), Morteza Ansari (@morteza_ansari)
  2. DISCLAIMER: The views and opinions expressed in this presentation are those of the authors and do not necessarily represent official policy or position of their employers.
  3. ZeroTrust/BeyondCorp/ZTX/CARTA…
     • Lots of names, & attempts to commercialize, some fairly established ideas
     • Zero Trust came from the Jericho Forum circa 2005
     • BeyondCorp came as part of Google’s 2009/2010 response to Operation Aurora, which implemented many of the ZT principles to build greater resilience
     • Regarded as the first at-scale implementation of ZT ideals
  7. Zero Trust from 50,000 ft

  8. All IPs are created equal
     ...treat your infrastructure with as much distrust as you do the Internet. Encrypt all traffic regardless of whether it is internal or not, and don’t trust a request based on IP address alone.
  9. We need to evaluate trust in both users and access devices
     ...gone are the times when knowing who is requesting access is enough. The trustworthiness of the access device also needs to be evaluated to determine if policy has been met.
  10. Trusted != Trustworthy
     ...at its core ZT simply tries to allow you to make dynamic assertions about the trustworthiness of access requests. This trust is built rather than implicitly bestowed.
  11. Access Centric vs Threat Centric
     ...ZT provides minimal access through strong, highly contextual access control that focuses on what should be allowed, rather than trying to detect all of the bad things that should be blocked.
  12. AuthZ is Now a First Class Citizen
     ...authN is well understood, standardised & implemented; less so authZ. As the importance of authZ increases & its scope continues to shrink – consistency, performance, and interoperability are more critical than ever before.
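As an added illustration of slides 8 to 12 (not code from the talk), the following Python sketch contrasts a perimeter check that trusts source IP with a Zero Trust decision built from the authenticated user, the device's attested posture and an explicit allow rule enforced at the resource. The policy table, resource names and posture levels are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed allow-list policy: per resource, the groups that may reach it and the
# minimum device posture it demands (2 = managed and health check passed,
# 1 = managed but health check failed, 0 = unknown device).
POLICY = {
    "payroll-api": {"groups": {"finance"}, "min_posture": 2},
    "wiki": {"groups": {"staff", "finance"}, "min_posture": 1},
}

@dataclass
class Request:
    resource: str
    src_ip: str
    user: Optional[str] = None        # identity proven by strong authN, None if absent
    groups: frozenset = frozenset()
    device_managed: bool = False      # device is enrolled in the fleet
    device_healthy: bool = False      # signed health check passed (patched, encrypted, ...)

def device_posture(req: Request) -> int:
    """Collapse device attributes into a posture level the policy can compare."""
    if not req.device_managed:
        return 0
    return 2 if req.device_healthy else 1

def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the corporate LAN is the credential."""
    return ip_address(req.src_ip) in ip_network("10.0.0.0/8")

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Default deny; each allow is an explicit assertion built from user and device.
    src_ip is deliberately never consulted: network location confers nothing."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no allow rule for resource"
    if req.user is None:
        return False, "unauthenticated"
    if not (req.groups & rule["groups"]):
        return False, "user not permitted for resource"
    if device_posture(req) < rule["min_posture"]:
        return False, "device posture below policy"
    return True, "allowed"

if __name__ == "__main__":
    inside = Request("payroll-api", "10.1.2.3")                     # LAN, no identity
    remote = Request("payroll-api", "203.0.113.7", "alice", frozenset({"finance"}), True, True)
    for req in (inside, remote):
        print(req.src_ip, perimeter_decision(req), zero_trust_decision(req))
```

The LAN request passes the perimeter check and fails the Zero Trust one; the coffee-shop request does the reverse, which is the shift slides 8 to 11 describe.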
  13. ZT is not a Product
     ...it’s a mindset. An updated security model for modern environments and technology usage patterns. Its ideals can be achieved in a variety of ways.
  14. The Internet is the network
     The Cloud is the data center
     Your Identity is the perimeter
     Any Device is a work device
     Jarrod Benson, CISO of Koch Industries
  15. In 5 years ZT will just be called Best

  16. Threat Landscape

  17. Tech Landscape → Threat Landscape → Solution Landscape
     Changing technology opens up new attack opportunities. The threat landscape evolves to take advantage of these new opportunities. New threats require new mitigations, often in a short timeframe. The changing threat landscape drives the solution landscape, which fills with point solutions to the new threats. Eventually the security solutions find their way back into the tech landscape and become the new normal in one of two main ways:
     • Address the symptom: new specific mitigations can feed back into the tech landscape, being applied to many occurrences of the same problem (faster but less holistic)
     • Address the root cause: mitigations can be applied as more secure design patterns / best practices and help solve the threat across the board (slower but broader)
  18. If you’re defining the tech landscape you are defining the threat landscape…
  19. …don’t ignore this, use it to your advantage

  20. Attacker’s View of ZT

  21. What Does ZT Make Harder For An Attacker?
     • The value of stolen credentials decreases
       ◦ ZT’s strong authN pre-requisites make credential theft & MITM attacks far harder
     • Lateral movement on the network is far harder
       ◦ AuthZ is enforced at the resource being accessed; LAN presence alone grants little in terms of implicit privilege or access
       ◦ Use of TLS everywhere decreases the value returned from sniffing & MITM
     • Low hanging fruit of known vulnerable device/OS is rarer
       ◦ Enforcing health checks on access devices removes the easiest pickings
     • Indiscriminate attacks significantly reduce in value
       ◦ Privileges are more tightly bound, forcing attacks to be targeted
  22. tl;dr – ZT Forces More Targeted Attacks
     Casting a wide cheap net, not caring about who you catch, to just pivot to what you actually care about will no longer work
     • The attack goal & target have to align
     • Targeted attacks require higher skill & are more attributable
     • All of this increases the costs to the attacker – and that is HUGE
  23. How Does ZT Shift the Attack Landscape?
     • Bearer Tokens & API Tokens
       ◦ Apps use API tokens to interact; they are often statically defined & long lived
       ◦ Bearer token possession is sufficient for access ∴ bearer token protection is critical
       ◦ This all means API & bearer tokens are increasingly valuable to attackers
         ▪ Check your Githubs, leaking bearer tokens is all too easy…
     • APIs Themselves
       ◦ Focus on discrepancies between authN & authZ of APIs to other app interfaces
         ▪ Legacy and technical debt are real and often an attacker’s best friend
       ◦ Development & deprecated instances that have access to data that can be abused
       ◦ Bugs and flaws in ZT enforcement logic - this will be new and less tested
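For the "check your Githubs" point above, here is an added Python scanner (not tooling from the talk) that flags likely leaked bearer/API tokens in source text before it reaches a public repository: two known token prefixes plus a Shannon-entropy check on long literals assigned to secret-looking names. The sample file and every value in it are constructed; the prefixes ghp_ (GitHub personal access tokens) and AKIA (AWS access key IDs) are real formats, and the 3.5 bits/char threshold is an assumption to tune.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Two real token formats recognised by prefix and length.
KNOWN_PATTERNS = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
# A quoted literal of 16+ chars assigned to a name that smells like a secret.
ASSIGN_RE = re.compile(r"(?i)\b\w*(token|secret|key|password)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above prose or English words."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value: str) -> str:
    """Never echo the full secret into a finding or a log line."""
    return value[:4] + "..." + value[-2:]

def scan(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, redacted value) for each suspected leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in KNOWN_PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, name, redact(m.group(0))))
        for m in ASSIGN_RE.finditer(line):
            value = m.group(2)
            already_known = any(p.search(value) for _, p in KNOWN_PATTERNS)
            if not already_known and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_secret", redact(value)))
    return findings

# Constructed sample file: every value below is fake.
SAMPLE = """\
import requests
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
aws_key_id = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "k7Qz9pLm2Xv4RtBw8NcY3sHd6FjA1eGu"
db_password = "password"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Wired into a pre-commit hook or CI job, a non-empty result from scan() is the cheap check that stops a long-lived bearer token from being the easiest thing an attacker finds.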
  24. How Does ZT Shift the Attack Landscape?
     • The Control Plane
       ◦ ZT’s common Control Plane is a huge strength, but also a juicy target
       ◦ Attack impact & reach are amplified exponentially if the CP is compromised
         ▪ Why change the config on one firewall when you can change all?
       ◦ The CP needs to be administered itself; the security of its management interfaces is critical to the security of the whole ZT architecture
       ◦ CPs can often rely on third party services and/or SaaS infrastructure; this extends the attack surface of the CP, meaning they are as critical to secure
         ▪ e.g. Compromise of an IDP could lead to compromise of the CP
  25. How Does ZT Shift the Attack Landscape?
     • Cloud Infrastructure
       ◦ A big strength/weakness of Cloud is how easy and enabling it is to deploy & connect new infrastructure
       ◦ Misconfigured IaaS/PaaS/*aaS will still be low hanging fruit for attackers
       ◦ ‘Serverless’ is a misnomer
       ◦ It can still be vulnerable even if you’re not managing its infrastructure
     • Identity/AuthN/AuthZ Protocols and Providers
       ◦ While well established, the authentication ecosystem is both complex & foundational
       ◦ SAML is hard
         ▪ So is OAuth2.0
           • So is OIDC…
       ◦ Expect attack focus on bugs, flaws, and misconfigurations in authX to continue
  26. In 5 years ZT will just be called Today’s

  27. What Now?

  28. What Now?
     • Interoperability is key to the success of ZT
       ◦ think ecosystem, not product
     • We need a lot more industry collaboration
     • We have some foundational standards but a long way to go
       ◦ SET, CAEP, WebAuthn, …
     • Distributed authZ across administrative boundaries
       ◦ AuthZ federation
     • What’s missing? You tell us (& each other!)
  29. Questions? Morteza Ansari (@morteza_ansari), Rich Smith (@iodboi)
