A wave of ongoing cyberattacks and rising fears of destructive threats have given organizations a stark reminder of why Zero Trust and identity protection are critical priorities for improving security across the public and private sectors.
Recent alerts from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) elaborate on how these threats affect organizations. Last month CISA issued a ‘Shields Up’ advisory, urging U.S. entities to prepare for potentially disruptive cyber activity in light of the Russian invasion of Ukraine. As part of this, CISA analyzed vulnerabilities in use by Russian cyber threat actors and updated its list of known exploited vulnerabilities.
A separate CISA alert in late February shared the details of destructive malware used to target organizations in Ukraine. Another warning issued the same month shared news of Russian nation-state actors targeting U.S. cleared defense contractors (CDCs) with common but effective techniques such as spear phishing, credential harvesting, brute force/password spray tactics, and known vulnerability exploitation against poorly secured accounts and networks.
In the latter case, adversaries used harvested credentials in conjunction with known vulnerabilities — for example, Microsoft Exchange Server vulnerabilities CVE-2020-0688 and CVE-2020-17144 — on public-facing applications to escalate privileges and gain remote code execution. As bugs are found and patched, attackers seek new ways in, meaning CDCs must be vigilant in patching software bugs and poor configurations, especially in internet-facing systems. It’s open season for adversaries until flaws are patched, which usually takes time.
When adversaries succeed, they tend to persist and move laterally, unnoticed. During the two-year period they infiltrated U.S. defense contractors, attackers maintained access to multiple CDC networks — in some cases, for at least six months. Sometimes they used malware to achieve persistence; in others, they didn’t need it as they likely used credentials they had exfiltrated.
Identity and stolen valid credentials are increasingly exploited in eCrime and nation-state attacks because they enable adversaries to escalate privileges and progress their attack when they access high-value systems and resources. More than 80% of cyberattacks involve credentials, and in the fourth quarter of 2021, 62% of attacks were malware-free as attackers exploited stolen credentials and identity to bypass legacy security tools.
It’s time for organizations to adopt stronger identity protection—a core component of zero trust, a framework to protect against these types of attacks with a focus on securing individual users, assets, and resources. The strategy around zero trust can be summed up as “trust no one” and instead, verify each attempt to access systems and resources as it could pose a threat.
Identity at the Core of Enterprise Security
The guidance provided by the FBI, NSA, and CISA in light of this attack activity can help organizations strengthen their identity protection and develop a zero trust strategy.
To build out this strategy, defenders must keep the following information in mind:
For one, the products and policies needed for zero trust must be built into the core platform. Zero trust requires multiple technologies to succeed. Traditional zero trust solutions are built with several siloed security tools, which drives up operational complexity and cost. Combining multiple technologies into a single product reduces this complexity and makes it easier for end-users, IT, and security teams to use. A cloud-native platform with accurate detections and automated protection can ensure a frictionless zero trust experience for businesses of any size.
A zero trust model must also continuously verify identities and tighten access controls so only authorized users are permitted with the least amount of privilege required—without affecting the users’ experience. All access, configuration changes, and network traffic should be monitored for suspicious activity. The identity protection strategy core to zero trust should detect privilege escalations, unauthorized protocol usage (like RDP), and deviations in access patterns, as well as stop attack progression in real time with risk-based conditional access/MFA.
Many mitigations CISA has provided focus on identity: enable multi-factor authentication, enforce strong and unique passwords, implement time-based access features, and reduce credential exposure by ensuring they are safely stored. Without secure identity systems, adversaries can take over accounts and gain a foothold to steal data and carry out an attack.
Minimizing the impact of a breach is essential. When anomalous activity is detected, it should trigger risk-based conditional access (for a frictionless user experience) to stop attack progression through lateral movement. Using identity-based segmentation can limit the scope of credentials or access paths for an attacker — without the significant operational changes found in traditional network based segmentation — giving the victim organization time to respond and mitigate the incident.
A Stronger Role in Government Defense
A perimeter-based defense is no longer sufficient to defend against modern security threats. U.S. government agencies are moving in the direction of a zero trust model as increasingly sophisticated attackers launch attacks and legacy security architectures leave gaps in defenses.
CISA’s guidance echoes key points in the May 2021 federal Executive Order on cybersecurity. The EO initiated a government-wide effort to ensure baseline security is in place and realize the benefits of cloud-based infrastructure while addressing associated risks. The transition to zero trust provides “a defensible architecture for the new environment,” officials wrote in the details, noting this marks a shift in how the government secures its infrastructure, networks, and data.
To immediately help U.S. critical infrastructure such as hospitals and water and power utilities defend against these attacks, CrowdStrike has partnered with Cloudflare and Ping Identity to launch the Critical Infrastructure Defense Project. Security features available through this initiative help provide a quick response based on key elements of the Zero Trust model to help these organizations secure their infrastructure.
As part of its efforts to protect critical endpoints and workloads, CISA last year chose CrowdStrike as one of the major platforms to support the EO endpoint detection and response initiative. Through this partnership, CISA plans to strengthen its Continuous Diagnostics and Mitigation (CDM) program, better secure civilian “.gov” networks, and lead efforts to understand cyber and physical risk to critical infrastructure. In the coming months, CrowdStrike looks forward to building on this foundation to help defend this nation's infrastructure at all levels of the zero trust framework: network, endpoint, data, and cloud.
By Kapil Raina, VP Zero Trust and Identity Protection Marketing, CrowdStrike