How Zero Trust Network Access (ZTNA) Prevents Lateral Movement After a Breach
Zero Trust Network Access (ZTNA) is a modern approach to access control that makes an organization’s protected resources more secure from cyberattacks. One of ZTNA’s core principles — assume breach — recognizes that a 0-day flaw or stolen password can compromise a network at any time. Hackers exploit these footholds by using lateral movement techniques. ZTNA’s strength is its ability to prevent lateral movement and minimize an attack’s blast radius.
Let’s look at the ways hackers move through networks, how traditional security approaches try — and fail — to block them, and how Zero Trust solutions use software-defined perimeters (SDPs) to prevent lateral movement.
Attackers use lateral movement techniques to penetrate deeper into a compromised network, map sensitive resources, and escalate their access. In most cases, this lateral movement goes undetected for a long time. Recently, CrowdStrike reported that the average attack moves across a compromised network within 92 minutes. Security professionals, on the other hand, take 146 hours to detect the attack — and another day to investigate, contain, and mitigate the breach. This imbalance is one reason security breaches increased by more than 68% in 2021.
Lateral movement goes undetected for so long because cybercriminals use living-off-the-land techniques. Importing malware through their limited foothold would risk detection. Instead, the hackers use tools they find on the network itself to conduct their surveillance and collect privileged credentials. MITRE’s ATT&CK framework identifies several lateral movement techniques, including:
- Accessing network tools such as PowerShell or SSH.
- Using compromised accounts to launch internal spear phishing attacks.
- Collecting authentication artifacts such as cookies and hashes.
- Inserting malicious code in shared files.
These techniques are effective due to fundamental weaknesses in the way organizations secure information resources. For decades, the concept of the secure perimeter was used to design network architectures. Like the moat and walls surrounding a castle, the secure perimeter prevented anything outside the network from getting in. This approach implicitly trusts any person or device on the protected network. Once hackers establish their initial beachhead, they leverage the implicit trust built into the network to move around and plan their next move.
Another weakness of the secure perimeter paradigm is its focus on protecting access to networks. Typical secure perimeter architectures do not provide granular, resource-level control of permissions. As a result, anyone with access to a network can use any of the network’s resources, services, or protocols. All hackers need is a way to get through the secure perimeter.
In the castle-and-moat analogy, virtual private networks (VPNs) and demilitarized zones (DMZs) are equivalents of gatehouses and drawbridges. They let data pass through the network defenses while, in theory, preventing unauthorized access.
VPNs are the gatehouses that let remote traffic pass in and out of the protected network. Just like a gatehouse, VPN security begins and ends at the perimeter. A VPN gateway lets users access anything behind the protective wall. Hackers get access to anything behind the wall when a VPN gateway’s vulnerabilities go unpatched.
DMZs provide a middle ground between the dangerous outside world and the protected interior. Unpatched firewalls, inadequate access control rules, exposed ports, and other security weaknesses can give hackers a path into the network.
Besides being vulnerable to attack, VPNs and DMZs only control access to the protected network. They are part of the network architecture and cannot provide granular access control unless the network itself is built to protect specific resources.
Organizations could architect their networks to protect groups of resources. Each protected group gets assigned to a dedicated network segment. Micro-segmentation creates a granular network structure that enhances security by:
- Hiding each microsegment’s structure from other microsegments.
- Limiting the number of resources exposed on a compromised microsegment.
- Limiting users to the microsegments they are allowed to access.
In the event of a breach, micro-segmentation constrains an attack’s ability to move laterally. Hackers can only see the resource or resources on the compromised microsegment. Breaching a firewall to enter another microsegment is more likely to be detected. However, this approach still implicitly trusts anything on the microsegment. Eliminating the risk of lateral movement requires building a microsegment around each resource.
In practice, micro-segmented network architectures become complex, expensive to build, and difficult to maintain. The inevitable compromise between security and resources makes highly granular access control difficult to achieve.
Software-defined perimeters make micro-segmentation more practical. These technologies replace network-based connections between user devices and resources with virtual, session-based tunnels. Proxies deployed in front of each protected resource register with an SDP controller. A proxy on a user’s device contacts the SDP controller to request access to the resource. After authentication and authorization, the controller facilitates the creation of a direct tunnel between the device and resource that lasts for the duration of the session.
In effect, an SDP system can redraw the secure perimeter around each resource rather than each network — turning each resource into its own microsegment. Resources disappear from the network, hidden by proxies that deny all incoming connections except those from the SDP controller. Companies no longer need vulnerable VPN gateways or DMZs, reducing the opportunities to breach a network. Should a breach occur, lateral movement becomes less productive since hackers cannot surveil the compromised network.
Implementing ZTNA solutions based on software-defined perimeters can reduce the attack surface even further. Many successful breaches start with compromised user credentials rather than compromised network infrastructure. Authorization rules based on Zero Trust principles of least privilege limit users’ access to the specific resources they need to do their jobs. Should a user fall for a social engineering attack, the hackers would only have access to the user’s authorized resources. The hackers’ ability to move laterally to other resources would be severely constrained.
Identity is not the only factor ZTNA solutions use to define least-privileged access rules. The context of the user’s connection request is just as important. ZTNA solutions can evaluate the posture of a user’s device based on the operating system and the status of:
- Firewall and antivirus.
- Device lock screen and encryption.
- Biometric security.
ZTNA solutions can evaluate these basic posture checks when a user first logs in, when they request access to a resource, and throughout their session. If the check fails for any reason, the basis of trust disappears, and the user loses access. More advanced policies are made possible with certificate-based attestations as well as integrations with endpoint detection and response (EDR) or mobile device management (MDM) solutions.
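The SDP flow described above (resource proxies registering with a controller, a client requesting a brokered session) combined with the least-privilege and device-posture checks from this section, modelled as an added Python example; this is not Twingate's code, and the role names, resource names, and posture fields are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Posture:
    """Device state reported by the client-side proxy (constructed field names)."""
    firewall: bool
    antivirus: bool
    lock_screen: bool
    disk_encrypted: bool

    def healthy(self) -> bool:
        return all((self.firewall, self.antivirus, self.lock_screen, self.disk_encrypted))

class SdpController:
    """Brokers per-resource, per-session access; resource proxies trust only it."""
    def __init__(self):
        self.resources = {}  # resource name -> roles allowed to reach it
        self.roles = {}      # user -> role (identity, as supplied by the IdP)
        self.sessions = {}   # session id -> (user, resource)
        self._ids = count(1)

    def register_resource(self, name, allowed_roles):
        # Resource-side proxy registers; the resource itself takes no direct traffic.
        self.resources[name] = set(allowed_roles)

    def visible_resources(self, user):
        # Least privilege: whoever holds these credentials can only enumerate
        # resources the role is authorized for; everything else stays dark.
        role = self.roles.get(user)
        return sorted(r for r, roles in self.resources.items() if role in roles)

    def request_access(self, user, resource, posture):
        # Identity and device context must both pass before a tunnel is brokered.
        if resource not in self.visible_resources(user) or not posture.healthy():
            return None
        sid = next(self._ids)
        self.sessions[sid] = (user, resource)
        return sid

    def reevaluate(self, sid, posture):
        # Continuous evaluation: a mid-session posture failure removes the basis of trust.
        if sid in self.sessions and not posture.healthy():
            del self.sessions[sid]
        return sid in self.sessions

    def proxy_accepts(self, resource, sid):
        # Resource proxy default-denies; only a live controller-brokered session passes.
        return self.sessions.get(sid, (None, None))[1] == resource
```

A session brokered for one resource is useless against any other proxy, which is the per-resource microsegment the text describes.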
Traditional secure perimeter architectures are security liabilities. Vulnerable infrastructure, social engineering, and implicit trust make cyberattacks too easy. Cybercriminals can use lateral movement techniques to sweep across a network within an hour and a half of a successful breach — and avoid detection for nearly one hundred times as long. Lateral movement lets attackers surveil networks, escalate privileges, and plan the attack’s next phase. Network micro-segmentation could reduce the threat — at a great price — without solving the underlying problem.
Twingate’s Zero Trust Network Access solution uses software-defined perimeters to decouple access control from the physical network. Hiding resources behind proxies makes them invisible from compromised networks. Administrators can remove vulnerable VPN technologies from their networks. Role-based, least-privilege access policies limit the damage of compromised user credentials. And context-sensitive policies based on device posture make credential breaches easier to discover.