How Zero Trust Reduces Network Lateral Movement

[Image: a compromised host (red cube, open lock, two bugs) with a red path leading to a ZTNA cube bearing a fingerprint icon. Caption: "ZTNA shuts down lateral movement."]

Believe it or not, your company’s security policies may be helping malicious actors carry out their nefarious deeds. That sounds counterintuitive, but when you look at some of the most famous hacks in recent years a key theme appears: security policies didn’t do enough to stop lateral movement.

Ensuring that employee credentials are secure with multi-factor authentication is a vital first step. Still, let’s imagine the unthinkable happens and those credentials plus the MFA tokens fall into the wrong hands. 

What happens next?  

If the mere thought of that nightmare scenario triggers feelings of anxiety then it’s time to consider a Zero Trust Network Access (ZTNA) strategy.

What Is Lateral Movement?

Lateral movement is a key tactic used by cybercriminals after gaining initial access to a network. It’s essentially the act of moving from one compromised system to another within the same network, expanding their control and access to sensitive data.

Once the victim logs in, the hackers have their identity, and they use that to enter the network. 

Even without Zero Trust methodologies, corporate networks have some restrictions on who can access what. Nevertheless, despite these safeguards, hackers are still able to do reconnaissance on the network to look for their next target, and the next, until they obtain administrative passwords.

At that point it’s game over, and the threat actors can move towards data exfiltration, inserting malware into servers or endpoints, and more.

Lateral Movement In the Real World

Here are a few examples of lateral movement in the real world:

Sony Pictures

In 2014, we saw one of the most bizarre and effective infiltrations of a company network ever. 

Hackers believed to be based in North Korea infiltrated the network of Sony Pictures. They were able to obtain administrative passwords, ultimately taking at least 200GB of data from Sony’s network including:

  • Employee social security numbers
  • Employee salary information
  • Company email threads
  • At least one screenplay
  • Several unreleased movies

Target Data Breach

Another famous example is the Target data breach of 2013 where hackers obtained more than 40 million customer credit and debit card numbers, as well as personal details for 70 million people such as:

  • Phone numbers
  • Addresses

These devastating consequences happened only after threat actors compromised one of the retailer’s HVAC service vendors. 

As part of its job, the HVAC service had overly permissive access to Target’s network. This gave the hackers a way in, and led to the costly outcome for shoppers and the retailer – Target said the total cost of the breach was $202 million.

SolarWinds

The more recent SolarWinds hack of 2020 is famous as a devastating supply-chain attack where hackers compromised a software plugin distributed to high-profile clients such as Belkin, Cisco, FireEye, Intel, Microsoft, Nvidia, the U.S. Department of Homeland Security, and the U.S. Treasury Department.

To get to the point of a supply-chain attack, however, the hackers first carried out lateral movement through the SolarWinds internal network, reminding us that some threats can have consequences well beyond a single corporate perimeter.

Zero Trust: A New Beginning

Lateral movement is a big problem that traditional security policies just aren’t built to address. 

It’s difficult to discover, as the prior two attacks demonstrate, meaning hackers remain undetected for months or even years. Zero Trust is a far different approach that is much more effective at mitigating harm should the worst happen. 

The basic principle behind Zero Trust is to “never trust, always verify.” 

Zero Trust assumes that login credentials could already be in the hands of a threat actor and proceeds to mitigate harm from there. 

Let’s take a look at how this works.

Identity-Based Access Rules

As with other approaches to security you need basic credentials to get access to company resources. This includes a login email and password, as well as multi-factor authentication from phone apps, USB dongles, and so on. 

The big difference with a Zero Trust approach is that access permissions are far more fine-grained and administrators can segment at the application level. 

Device Posture Check

Verifying who you are isn’t enough. With a well designed Zero Trust strategy, devices must also meet specific requirements for access. 

The idea here is to prevent unauthorized devices (like a hacker’s disposable laptop) from logging in. 

Device Posture Check can require that a user only access certain resources from a device running Windows 11 build 10.0.22621 and up, or macOS 12.5 and up. It can even go further and require that a specific antivirus is running, or that each computer has a custom security certificate installed. 

Context Requirements

ZTNA solutions can also set times of day when company resources are available to employees. Those years of financial documents might only be accessible from a company computer between 9AM and 7PM.

That way, hackers looking to exfiltrate data from the network would need to have physical control of a device, and even then they could not siphon off information at all hours of the night. 

Instead, everything would have to happen during specific hours, making the task take longer and increasing the chances of detection. In addition to time of day, Check Point’s ZTNA approach can also set a location requirement, so that someone who tries to access personnel files from an unapproved city or country is denied.

Also, Check Point’s ZTNA can check at set intervals to make sure that all context and device requirements are still being met after the person logs in to the network. 

If the system detects any changes then access rights are revoked.
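To make the three layers described above concrete (identity rules, device posture, and context requirements that are re-checked at intervals), here is a small policy engine written as an added example for this post. It is not Check Point's product code; the field names, the allowed-country list, the "finance-archive" resource and the sample users and devices are constructed assumptions. The OS minimums and the 9AM to 7PM window are the values quoted in the text.

```python
"""Toy ZTNA policy evaluation: identity + device posture + context, re-checked per interval.
Added illustration, not vendor code; field names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Tuple

# Minimum OS versions named in the article (Windows 11 build 10.0.22621, macOS 12.5)
MIN_OS_VERSION = {"windows": (10, 0, 22621), "macos": (12, 5)}

@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    mfa_verified: bool

@dataclass(frozen=True)
class Device:
    os: str                     # "windows" or "macos"
    version: Tuple[int, ...]    # e.g. (10, 0, 22621); compared element-wise as a tuple
    antivirus_running: bool
    has_corp_cert: bool         # the "custom security certificate" from the text

@dataclass(frozen=True)
class Context:
    now: datetime               # local time of the access attempt
    country: str                # where the client appears to be connecting from

@dataclass(frozen=True)
class ResourcePolicy:
    """Per-application rule set: who may connect, from what device, and when/where."""
    name: str
    allowed_roles: FrozenSet[str]
    window: Tuple[time, time] = (time(9, 0), time(19, 0))   # 9AM to 7PM
    allowed_countries: FrozenSet[str] = frozenset({"US"})   # assumed value
    require_antivirus: bool = True
    require_cert: bool = True

def evaluate(user: User, device: Device, ctx: Context, policy: ResourcePolicy) -> List[str]:
    """Return the name of every requirement that fails; an empty list means access is allowed."""
    failures = []
    if not user.mfa_verified:                                   # identity-based rules
        failures.append("mfa")
    if not user.roles & policy.allowed_roles:
        failures.append("role")
    minimum = MIN_OS_VERSION.get(device.os)                     # device posture
    if minimum is None or device.version < minimum:
        failures.append("os_version")
    if policy.require_antivirus and not device.antivirus_running:
        failures.append("antivirus")
    if policy.require_cert and not device.has_corp_cert:
        failures.append("certificate")
    start, end = policy.window                                  # context requirements
    if not (start <= ctx.now.time() <= end):
        failures.append("time_window")
    if ctx.country not in policy.allowed_countries:
        failures.append("location")
    return failures

class Session:
    """An access grant that is re-evaluated at intervals and revoked on any change."""
    def __init__(self, user: User, policy: ResourcePolicy):
        self.user, self.policy, self.active = user, policy, False

    def login(self, device: Device, ctx: Context) -> List[str]:
        failures = evaluate(self.user, device, ctx, self.policy)
        self.active = not failures
        return failures

    def recheck(self, device: Device, ctx: Context) -> List[str]:
        """Periodic re-check; a revoked session stays revoked until a fresh login."""
        if not self.active:
            return ["revoked"]
        failures = evaluate(self.user, device, ctx, self.policy)
        if failures:
            self.active = False
        return failures

# Constructed sample data (not from the article)
FINANCE_ARCHIVE = ResourcePolicy("finance-archive", frozenset({"finance"}))
ALICE = User("alice", frozenset({"finance"}), mfa_verified=True)
LAPTOP = Device("windows", (10, 0, 22631), antivirus_running=True, has_corp_cert=True)
BURNER = Device("windows", (10, 0, 19045), antivirus_running=False, has_corp_cert=False)
OFFICE_HOURS = Context(datetime(2024, 3, 4, 10, 30), "US")
LATE_NIGHT = Context(datetime(2024, 3, 4, 2, 15), "US")

def demo() -> dict:
    """Login, a passing re-check, then revocation when antivirus stops between checks."""
    session = Session(ALICE, FINANCE_ARCHIVE)
    results = {"login": session.login(LAPTOP, OFFICE_HOURS)}
    results["recheck_ok"] = session.recheck(LAPTOP, OFFICE_HOURS)
    degraded = Device("windows", (10, 0, 22631), antivirus_running=False, has_corp_cert=True)
    results["recheck_degraded"] = session.recheck(degraded, OFFICE_HOURS)
    results["after_revocation"] = session.recheck(LAPTOP, OFFICE_HOURS)
    results["burner_login"] = evaluate(ALICE, BURNER, LATE_NIGHT, FINANCE_ARCHIVE)
    return results

if __name__ == "__main__":
    for step, failures in demo().items():
        print(f"{step:18} {'ALLOW' if not failures else 'DENY: ' + ', '.join(failures)}")
```

The point to notice is that the decision is a function of user, device and context together, and that the same function runs again on every interval: a laptop whose antivirus stops mid-session loses access at the next check even though the credentials and MFA that opened the session are still valid. A stolen-credential login from an unmanaged device outside the window fails several checks at once, which is the deny-by-default behaviour the article describes.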

Agentless Access

Employees can access resources using the Check Point desktop agent, but what about third-party contractors who need access to one specific resource? That’s where agentless access comes in. 

This is a web portal that’s secured and isolated from the public Internet. 

It provides contractors access to just the resources they need, such as remote desktop access or a specific cloud-based app. That way, if the third party is ever compromised, the hackers will only see into whatever app that third party had access to, and not your entire network.

Cloud and On-Prem Segmentation

ZTNA is also cloud native and built to defend on-prem network resources, as well as cloud services. That means you can apply similar restrictions to the cloud that you can to company networks.

The Zero-Sum of ZTNA

ZTNA is not a solution for all of a company’s cybersecurity issues, but what it can do is prevent threat actors from moving easily within a network, and in many cases outright prevent them from obtaining anything of significant value. 

Book a demo with Check Point today to see ZTNA in action.

FAQs

What are the benefits of implementing a Zero Trust security model?

Implementing a Zero Trust security model offers several benefits, including increased security posture, reduced attack surface, and minimized risk of lateral movement. This helps protect sensitive data and systems from unauthorized access, malicious actors, and data breaches.

How does Zero Trust prevent lateral movement?

Zero Trust employs a “never trust, always verify” approach, assuming login credentials could be compromised. It enforces strict access controls, continuous monitoring, and device posture checks to limit unauthorized access and prevent threat actors from moving laterally within a network.

What are the key components of a Zero Trust security model?

A Zero Trust security model relies on user identity verification, continuous monitoring, and strict access controls. It incorporates features like Role-Based Access Controls, network segmentation, and device posture checks to create a layered security approach that minimizes the attack surface.

How does Zero Trust protect against unauthorized access and data breaches?

Zero Trust mitigates unauthorized access by implementing continuous verification of user identity and device posture. It enforces strict access controls, limiting access to specific resources based on user roles and device security status. This significantly reduces the risk of lateral movement and data breaches.

How does Zero Trust differ from traditional security approaches?

Traditional security approaches rely on a perimeter-based security model that assumes users inside the network are trustworthy. Zero Trust, on the other hand, operates under the assumption that no user or device can be trusted. It utilizes a layered security architecture with continuous verification and strict access controls to prevent lateral movement and unauthorized access.