NSA Releases Guidance on Implementing Zero Trust to Restrict Lateral Movement
The National Security Agency (NSA) has released guidance on implementing zero trust security to restrict lateral movement inside a network once a threat actor has breached the company’s defenses. The guidance follows the many breaches last year in which threat actors gained initial access to a healthcare provider’s network, stole substantial amounts of sensitive information, and conducted ransomware attacks. Had the breached companies enforced a zero trust security architecture, the severity of those breaches may have been considerably reduced.
The standard IT security model aims to prevent access to internal systems, with everyone inside the network perimeter trusted. A zero trust security architecture assumes that a threat actor is already present in the network and restricts what can be done without further authentication. Zero trust is about improving internal network configurations so that intrusions are contained to one segment of the network, limiting the harm that can be done. Companies have to operate with the mentality that threats exist within the borders of their systems, as stated by NSA Cybersecurity Director Rob Joyce. The new guidance is intended to provide network owners and staff with the procedures required to prevent, identify, and respond to threats that take advantage of weaknesses or gaps in their enterprise architecture.
In February 2021, the NSA released its first zero trust security guidance, which explains zero trust security, its benefits, and its concepts. The second release, in April 2023, aimed at achieving maturity in the user pillar. The latest guidance, entitled Advancing Zero Trust Maturity Throughout the Network and Environment Pillar, is focused on achieving maturity in the network and environment pillar, which covers all software, hardware, non-person entities, and inter-communication protocols and is concerned with isolating essential resources by controlling network access, managing network and data flows, segmenting applications and workloads, and using end-to-end encryption.
The zero trust maturity model offers improved security through macro and micro segmentation, data flow mapping, and software-defined networking. Data flow mapping determines the path that data travels through an organization and how it moves from one area or application to another. With data flow mapping, every internal and external node on which information is stored or processed is known, which enables companies to find data misuse and identify places where data is not correctly encrypted or safeguarded.
Macro segmentation gives high-level control over traffic moving between different parts of an organization’s network and is achieved by breaking the network into several discrete segments; for example, segmenting the network to ensure that the data and resources required by one department cannot be viewed by another. Micro segmentation improves security by breaking a segment of the network into smaller components and restricting how data flows laterally through strict access policies. Software-defined networking allows packet routing to be controlled by a centralized control server over a distributed forwarding plane, which offers extra visibility into the network and permits unified policy enforcement.
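The following is an added example, not part of the NSA guidance or the original article, showing how the three ideas above fit together: department segments (macro segmentation), an explicit allow list of workload flows (micro segmentation), and a check of flow-map records against that policy so that any lateral flow without an allow rule is flagged. The address ranges, ports, and flow records are constructed for illustration.

```python
"""Default-deny segmentation check over constructed flow-map records.

Added example, not NSA tooling: macro segments group hosts by department,
micro rules allow only named segment-to-segment flows on specific ports,
and every other observed flow is reported as a potential lateral path.
"""
import ipaddress

# Macro segmentation: each host belongs to exactly one department segment.
# Prefixes are constructed sample values.
SEGMENTS = {
    "10.1.0.0/16": "clinical",
    "10.2.0.0/16": "billing",
    "10.3.0.0/16": "shared-services",
}

# Micro segmentation: explicit allow list (src_segment, dst_segment, dst_port).
# Anything not listed here is denied by default.
ALLOWED = {
    ("clinical", "shared-services", 389),   # directory lookups
    ("billing", "shared-services", 389),
    ("clinical", "clinical", 443),          # EHR front end to EHR API
}


def segment_of(ip):
    """Map an address to its macro segment; unmapped hosts are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for prefix, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return "unknown"  # an unmapped host is never trusted


def is_allowed(src, dst, port):
    """True only if an explicit micro-segmentation rule covers the flow."""
    return (segment_of(src), segment_of(dst), port) in ALLOWED


def flag_lateral(flows):
    """Return the flow-map records that have no allow rule."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed flow-map records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.3.0.10", 389),     # clinical -> directory: allowed
    ("10.1.5.20", "10.1.9.4", 443),      # within clinical: allowed
    ("10.1.5.20", "10.2.7.8", 445),      # clinical -> billing over SMB: flagged
    ("10.2.7.8", "10.1.9.4", 3389),      # billing -> clinical over RDP: flagged
    ("192.168.50.3", "10.3.0.10", 389),  # host outside any segment: flagged
]

if __name__ == "__main__":
    for flow in flag_lateral(SAMPLE_FLOWS):
        print("no allow rule for flow:", flow)
```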
The NSA is helping Department of Defense customers adopt zero trust systems and will release additional zero trust guidance on the remaining zero trust pillars to help institutions incorporate zero trust principles and designs into their organizational networks.
NSA, CISA Release Cloud Security Guides
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published five cybersecurity information sheets to help organizations improve the security of their cloud environments. The guides contain guidelines for securing cloud accounts together with recommended mitigations for improving cloud security.
The cloud provides a cheaper and more flexible alternative to on-premises infrastructure and has become important for supporting remote employees; nevertheless, cloud environments have their own security challenges, and every year numerous healthcare data breaches occur because of incorrectly secured cloud platforms. Cyber threat actors are targeting cloud environments and exploiting weak security settings to gain access to sensitive information, including PHI, and after breaching cloud environments they frequently pivot to internal systems. Managed service providers (MSPs) are often targeted because, if their environments can be breached, threat actors can abuse their highly privileged access to attack downstream clients, as was the case with the REvil ransomware attacks through Kaseya.
Cybercriminal groups and nation-state threat actors actively look for misconfigured access settings, exploit poorly secured accounts, and use phishing and social engineering to harvest credentials and circumvent multifactor authentication. Once a threat actor has gained access to the cloud environment, they create new accounts, escalate privileges, move laterally to target other cloud services, or use federated identities to log into the victim’s on-premises environment.
The information sheets cover secure cloud identity and access management practices, network segmentation and encryption, secure cloud key management practices, data protection in the cloud, and how to mitigate risks from MSPs in cloud environments. The information in the CISA/NSA guides is not new to system defenders, who ought to be following all the best practices they contain, but the guides do provide a valuable checklist for confirming that every recommendation has been implemented and all appropriate mitigations are in place.