How to implement Zero Trust Security

Plus, Cloud Cryptojacking, Cloud Security Frameworks, and Career Advice

👋 Good morning, Cyber Pros!

If you didn’t read last week’s issue, or have been off social media, you’ll have missed the news that Calpha has rebranded to Cyber Pro Club.

New name, same writer, better content 😉

This week’s issue brings you:

  • How to implement Zero Trust Security (exclusive to this newsletter)

  • Cloud Cryptojacking (recap)

  • Cloud Security Frameworks (recap)

  • What to do if you’re laid off (real story)

Let’s dive in!

Read time: ~5-6 mins


How to implement Zero Trust Security

The idea of Zero Trust is a cyber security game-changer, moving away from old perimeter defences.

CISA released their Zero Trust Maturity Model (ZTMM) and it has become the go-to framework for organisations diving into zero-trust security. It's not just theory; it's a roadmap with actionable steps and benchmarks.

Why do we need it? Cyber threats are evolving, and old ‘trust but verify’ security approaches just don't cut it anymore.

With complex IT setups and rising insider threats, zero trust says: trust no one, anywhere. Verify every access request, ensuring only the right people access what they need.

In short: Zero Trust is all about reducing your attack surface, securing your data, and keeping the bad actors out.

Five pillars underpin the entire zero-trust framework:

  • Data

  • Identity

  • Endpoints

  • Networks

  • Infrastructure and Applications

Three key capabilities support all five pillars:

  • Visibility and analytics: Maintain a clear view of the IT environment, analyse data for anomalies, monitor user behaviour, and detect potential threats.

  • Automation and orchestration: Ensure consistent enforcement of security policies and swift responses to security events in complex IT environments.

  • Governance: Establish clear security policies, define roles and responsibilities, set standards, and align security posture with risk appetite.

Stages of ZT Simplified

The Zero Trust Maturity journey is about continuous improvement, leveraging tools, processes, and policies. Organisations evolve from static, perimeter-based defences to dynamic, context-aware, adaptive security that responds to threats in real time.

Traditional:

  • Manual configurations: Basic firewall rules and VPNs.

  • Static security policies: Fixed attributes like IP addresses.

  • Siloed policy enforcement: Separate security systems without integration.

Initial:

  • Beginning of automation: Tools like Ansible for consistent deployments.

  • Initial cross-pillar solutions: Integrating IAM with network access.

  • Aggregated visibility: SIEM systems for integrated incident views.

Advanced:

  • Automated controls: SOAR solutions for incident response.

  • Centralised visibility: Advanced threat intelligence platforms.

  • Integrated policy enforcement: SDPs and ZTNAs for dynamic access.

Optimal:

  • Fully automated processes: AI and ML for predictive analytics.

  • Dynamic policies: ABAC for flexible access controls.

  • Comprehensive situational awareness: UEBA for continuous monitoring.

Guidelines for Zero Trust Security Implementation

Step 1: Responsibility

  • Define responsibilities across the Core Pillars and form a ‘working group’ of experts to implement zero trust.

Step 2: Start where you’re strongest

  • If your organisation has stronger network controls compared to IAM, focus on the micro-segmentation of the current network setup and create dynamic access controls for cloud resources.

Step 3: Ramp up user, device, & application security

  • Ensure MFA is in place for all admin access, deploy an EDR solution for real-time monitoring, and transition to a containerised application environment to implement strict security policies.

Step 4: Strengthen networks & infrastructure

  • Implement micro-segmentation, deploy software-defined wide area network solutions, and use network detection and response for real-time network threat detection.

Step 5: Monitor and refine your zero-trust strategy

  • Leverage AI-driven threat intelligence, conduct regular penetration testing to identify vulnerabilities, and use infrastructure as code (IaC).

Zero Trust Security Priorities

1/ Comprehensive Visibility and Inventory: Implement a Cloud Infrastructure Entitlement Management (CIEM) capability and maintain an inventory of all identities and permissions.

2/ Continuous Risk Assessment and Prioritisation: Perform continuous scanning for misconfigurations, introduce a prioritisation mechanism, and ensure compliance.

3/ IAM Security: Define policies to enforce least privilege, monitor high-privileged accounts, and ensure there is continuous identity verification & authorisation.
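The "dynamic policies (ABAC)" stage above and the IAM priority of least privilege plus continuous verification come down to one policy decision made on every request. This is an added example, not code from the newsletter or from CISA: a deny-by-default decision that checks role grants, MFA, device posture and session risk, with a stricter threshold for privileged actions; the role names, attributes and thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed example of a deny-by-default, attribute-based (ABAC) access decision:
# every request is verified on identity, authentication strength, device posture and
# session risk, never on network location. Field and role names are assumptions.

@dataclass
class Request:
    user: str
    roles: frozenset
    mfa: bool               # strong authentication completed for this session
    device_managed: bool    # endpoint enrolled in EDR/MDM
    device_compliant: bool  # posture check (patched, encrypted) passed
    resource: str
    action: str             # "read", "write" or "admin"
    risk_score: int         # 0-100 from UEBA / threat intel, higher is riskier

# Least-privilege grants: which roles may perform which action on which resource.
ROLE_GRANTS = {
    "analyst": {("billing-db", "read")},
    "cloud-admin": {("billing-db", "read"), ("billing-db", "write"),
                    ("prod-subscription", "admin")},
}

def evaluate(req: Request) -> tuple:
    """Return (decision, reason). Every check must pass; the default is deny."""
    if not any((req.resource, req.action) in ROLE_GRANTS.get(r, set()) for r in req.roles):
        return "deny", "no role grants this action (least privilege)"
    if not req.mfa:
        return "deny", "MFA not satisfied"
    if not (req.device_managed and req.device_compliant):
        return "deny", "device not managed or not compliant"
    # Privileged actions get a stricter risk threshold, so a high-privileged account
    # showing anomalous behaviour is re-verified rather than waved through.
    if req.action == "admin" and req.risk_score >= 30:
        return "deny", "elevated risk for privileged action, step-up verification required"
    if req.risk_score >= 70:
        return "deny", "session risk too high"
    return "allow", "all attributes verified"

def _req(**kw) -> Request:
    """Helper with a healthy baseline; keyword arguments override individual attributes."""
    base = dict(user="alice", roles=frozenset({"analyst"}), mfa=True, device_managed=True,
                device_compliant=True, resource="billing-db", action="read", risk_score=5)
    base.update(kw)
    return Request(**base)
```

A real policy engine would pull these attributes from the identity provider, EDR and UEBA feeds rather than from the request itself, and would re-evaluate them during the session, not just at login.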

Cloud Cryptojacking (Recap)

Cybercriminals are exploiting cloud environments for cryptocurrency mining. This involves attackers infiltrating tenants' systems to hijack compute resources. The result? Massive financial losses for affected organizations, reaching into the millions.

But how does it all happen? Let's break it down.

Detecting cryptojacking in compromised accounts is tougher because the attacker uses real user accounts. This method affects users more directly because it allows the attacker to do more intrusive things in the target system:

  • Use the computing power of compromised accounts to mine more cryptocurrency and get extra resources.

  • Make it look like normal activity when getting these extra resources within a compromised account.

  • Use the compromised account to move around more, stay hidden, and steal information.

Attack lifecycle:

  1. The actor uses compromised credentials to access the tenant

  2. The actor hijacks the subscription, migrating it into their own tenant, leaving billing details the same.

  3. If core quotas within the subscription are low, the actor increases them with a focus on high-value cores, such as N-series GPU cores (more power = more output)

  4. The actor mass creates computing resources with SKUs aligned to the quotas available.

  5. Finally, the actor installs mining software onto the VMs (over admin protocols such as RDP or SSH, or using an image provided at point of provisioning).
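Each step of that lifecycle leaves a control-plane log entry, so a defender can correlate them per identity. This added example (not from the newsletter or from Microsoft's write-up) runs that correlation over constructed events: a subscription transfer, a GPU-family quota increase and a burst of VM creations from one account raise three indicators, while a user creating a couple of VMs does not. The event schema and operation names are assumptions and need mapping to your provider's real activity-log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT = "svc-build@corp.example"   # constructed identity, assumed compromised
# Constructed sample events. The schema and operation names are assumptions, not the
# cloud provider's real activity-log format; map them to your own log fields.
EVENTS = [
    {"ts": "2024-03-01T02:10:00", "caller": SUSPECT, "op": "subscription.transfer",
     "detail": {"destination_tenant": "unknown-tenant"}},
    {"ts": "2024-03-01T02:14:00", "caller": SUSPECT, "op": "quota.increase",
     "detail": {"family": "NCv3", "old_cores": 16, "new_cores": 256}},
    {"ts": "2024-03-01T09:00:00", "caller": "alice@corp.example", "op": "vm.create",
     "detail": {"sku": "Standard_D2s_v3"}},
    {"ts": "2024-03-01T09:05:00", "caller": "alice@corp.example", "op": "vm.create",
     "detail": {"sku": "Standard_D2s_v3"}},
]
# Twelve GPU VMs created within eleven minutes by the suspect account (step 4 of the lifecycle).
EVENTS += [{"ts": f"2024-03-01T02:{20 + i}:00", "caller": SUSPECT, "op": "vm.create",
            "detail": {"sku": "Standard_NC6s_v3"}} for i in range(12)]

GPU_FAMILIES = ("NC", "ND", "NV")   # N-series (GPU) quota families

def analyse(events, window=timedelta(hours=1), burst=10):
    """Return {caller: [indicators]} for callers whose actions match the lifecycle."""
    by_caller = defaultdict(list)
    for e in events:
        by_caller[e["caller"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e["ts"])
        ind = []
        if any(e["op"] == "subscription.transfer" for e in evs):
            ind.append("subscription transferred to another tenant")
        if any(e["op"] == "quota.increase" and e["detail"]["family"].startswith(GPU_FAMILIES)
               for e in evs):
            ind.append("GPU core quota increased")
        creates = [e["ts"] for e in evs if e["op"] == "vm.create"]
        # Sliding window: `burst` or more VM creations inside `window` is mass provisioning.
        if any(creates[i + burst - 1] - creates[i] <= window
               for i in range(len(creates) - burst + 1)):
            ind.append(f"{burst}+ VMs created within {window}")
        if ind:
            findings[caller] = ind
    return findings
```

Any one indicator deserves a look; all three from the same identity inside an hour is a strong signal to suspend the credential and review the subscription's billing ownership.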

Initial access is key!

To carry out this attack, the malicious actor needs access to credentials allowing entry into the tenant's system. These credentials must grant the virtual machine contributor role or lead to a user account with such privileges.

Attackers exploiting tenants in this manner employ various techniques to acquire account credentials, including phishing, using leaked login information, and compromising on-premises devices.

You can learn more here: Microsoft provides a great write-up!

Cloud Security Frameworks (Recap)

Collectively, these frameworks provide a solid foundation for implementing cloud security controls.

As a security professional, your goal isn’t to simply ensure cloud environments are ‘compliant’ with these frameworks. You must think about them critically and consider how they serve your cloud estate and business goals, in line with your organisation’s risk appetite and resources available.

You can learn more about these control frameworks using these resource links:

What to do if you’re laid off (real story)

Scenario:

“The company I work for is laying off and if I end up getting a job that’s not currently what I do, which is cloud security engineer, would it ruin my career trajectory? For example, if I end up in GRC or SOC, would that prevent me from becoming an architect?”

Anon via X

In short, no. I don’t see any long-term issues for career trajectory. Layoffs happen all the time across every industry and it’s completely fair to make a short-term move to pay the bills. Zero judgement will come from hiring managers on this front.

That short-term play could actually be the best thing for you. Getting exposure to other security domains will make you a better, more well-rounded security professional. It’s another string to your bow. It may not be the most direct path for where you want to go, but you may be in a much stronger place by the time you get there.

For example, in this specific scenario, exposure to GRC will help you understand compliance frameworks and regulatory requirements that are essential for being an effective architect. That exposure may be why an employer picks you over another candidate.

There are many roads to the same end and no one treads the same path.

Careers = jungle gyms (not ladders)

That’s a wrap!

Next week I’ll cover:

  • The Principle of Least Privilege

  • Cloud Detection and Response

  • Lateral Movement

  • Plus some career advice to help you on your journey!
