How to Prepare for Cyber Attacks with a Zero Trust Approach
Recent events in the Ukraine have left many people uncertain of what's coming next. Our hearts and thoughts go out to the families who’ve been affected by this tragic mark in history, and we hope they can reach a peaceful accord soon.
For everyone anxiously awaiting the next cyberattack, we hear you. While we have seen no major cyber activity outside of “traditional” threats in Ukraine, things are very dynamic, and concerns are heavy.
To prepare for the worst-case scenario, we wanted to provide you with some precautionary measures to take in your own environment. The concerns come not only from the obvious threats but also from additional outside actors, provocateurs, and anarchists that could leverage script kitties, lone wolf actors or nation state resources.
It’s a lot to consider. The best advice we can give is to get on board with the Zero Trust approach. Zero Trust enables you to secure every nook and cranny of your environment against potential (and unknowable) cyber-attacks. Below, we’ve detailed some suggestions to get started with Zero Trust and some of its key principles.
Zero Trust Simplified
Adopting a Zero Trust mindset and aligning your security protocols, procedures, and guidelines around it is the best way to eliminate unwanted access to your environment. Why? Let’s walk through the key principles of a Zero Trust Architecture to learn more.
- Treat all users and devices on and off the network as “Untrusted”
- Create granular and specific policies to limit unnecessary access or network traffic
- Continuously validate the identity of devices and users on your network
- Continuously monitor your network traffic for threats
You can learn more about Zero Trust Adoption in our blog, “Your Top five Zero Trust Architecture Questions Answered.”
Top Priorities You Need to Consider
As you ramp up to defend your environment, consider:
- Performing Regular Patch Updates (as prescribed)
- Maintaining a thorough asset inventory
- Deploying Multi-Factor Authentication (MFA)
- Implementing Network segmentation
- Increasing environment visibility
- Performing active threat hunting
Let’s break these down.
Performing Regular Patch Updates (as prescribed)
Make sure you’re regularly installing patch updates. You can stay up to date on current patches by visiting Cisco Talos Patch Tuesday. Each month, they release a new list of bugs and patches for your systems. Staying on top of this will ensure that you are zipping up any potential vulnerabilities within your environment. This will shrink a hacker's ability to exploit any unintended weaknesses in your security posture.
Maintaining a thorough asset inventory
Know your environment! If you are aware of your endpoints, applications, hardware, etc. within your environment, then you can deploy the security protocol to keep those assets from becoming easy targets for threat actors.
Deploying Multi-Factor Authentication (MFA)
MFA is one of the first steps towards Zero Trust Adoption and is the key to establishing user trust. This Zero Trust component has one of the highest impacts on threat mitigation, but we’ll cover more of that later.
Implementing Network Segmentation
According to Palo Alto Networks,
“Segmentation should be done from the inside out. You first determine what you are protecting. This is typically data, applications, assets, or services that are sensitive, regulated, or in other ways, important to your company. This defines the protect surface, which is the smallest possible outcome of our mandate to reduce the attack surface.” 
The idea behind network segmentation is to limit access privileges to ONLY those who absolutely need it and to reduce the number of network users in different zones. This helps limit gaps and vulnerabilities by removing unnecessary cooks in the kitchen.
Increasing Environment visibility
Visibility into your environment allows you to track device activity to detect risks and account for takeover attempts. We’ve had instances where customers weren't aware of how many devices they had running within their environment. This happens when the number of devices is particularly large. Using solutions like Cisco ThousandEyes can help you reclaim and monitor your devices with optimal visibility.
Performing Active Threat Hunting
Continuous threat hunting and environmental monitoring will ensure that you’re rarely caught off guard. Sometimes, it only takes a matter of moments for a threat to wreak havoc on your internal system. Ransomware of the metamorphic variety can change file name and jump from one computer to another in no time at all. This is crucial for threat containment limiting exposure and damage resulting in more efficient mitigation.
Security Controls & Training that have the Highest Impact on Threat Mitigation
If you’re not ready to or are in the process of adopting a Zero Trust architecture, we recommend you focus on these three components first.
- Multi-factor Authentication (MFA)
- Endpoint Detection and Response (EDR)
- Security Awareness Training
Multi-factor Authentication (MFA)
As we mentioned earlier, MFA is the first step to implementing a Zero Trust strategy and plays a critical role in establishing user trust as it ensures resource access ONLY goes to authorized users. According to Cisco, 90+% of all their Talos Incident Response (IR) engagements are related to:
- Failing to properly configure or monitor MFA or Endpoint Detection & Response (EDR)
- Not deploying them at all
Endpoint Detection and Response (EDR)
This solution is critical for endpoint security, especially if you have several employees on your network. EDR constantly monitors end-user devices to detect cyber threats and respond to them in a timely manner. Using this solution can reduce downtime, should an end-user accidentally invite ransomware or malware into your environment, by mitigating the threat as it appears.
If you’re looking for an EDR solution, try Cisco Secure Endpoint for free.
Security Awareness Training
The hacking attempts we’ve seen have become increasingly more intelligent and harder to mitigate. According to Veeam’s 2021 Ransomware Retrospective, spam emails were the culprit behind 60% of all infection sources. Additionally, 34% of customers were infected from a SINGLE endpoint.  The data suggests that more than half of breaches could have been mitigated with end user education and (security awareness training). Your end-users and their endpoints could be your first line of defense OR your first vulnerability.
Consider if You Have “Accepted Risk” in Your Environment and Hire Help to Mitigate
If you have “accepted risk” in your environment, now’s the time to revisit that decision, harden your environment, and isolate and monitor aggressively. Threat actors have become more intelligent with their infiltration strategies and more persistent. Companies responsible for data or valuable information are at risk. Data and information have become the most valuable commodities for hackers and a Zero Trust Architecture is the best way to proactively defend against their tactics. If you need help with implementing a ZTA or additional information on any of the solutions that can help secure your environment, we recommend you find a credentialed IT Consultant or Managed Service Provider (like ourselves) with expertise in Zero Trust.
If you have concerns or questions about any of the strategies or solutions we covered in this blog, please contact our Security Team.
- Talos Blog (sign up for monthly patch updates)
- HermeticWiper Threat Advisory
- CyclopsBlink Threat Advisory
To get updates direct from Cisco Talos, join the RU-UA Informational Webex space.
New Coverage Released:
- Snort Coverage: SIDs 59095-59098 provide protection against the Cyclops Blink campaign, and
- SIDs 59099-59100 provide protection against the Hermetic Wiper campaign
-  https://www.paloaltonetworks.com/blog/2019/01/you-want-network-segmentation-but-you-need-zero-trust/
-  2021 Ransomware Retrospective: Download here
About Derrick Whisel
Derrick Whisel has worked in IT for over 20 years, with extensive experience in project engineering, management, scoping, budgeting and design. He began his career in the military, and after being honorably discharged as an IT2 Second Class Petty Officer, moved into the private sector where he now works as a Senior Technical Advisor for Security Solutions here at Internetwork Engineering.