How Zero Trust Reduces Network Lateral Movement

[Image: a red cube with an open lock and two bugs, and a path from it blocked by a blue ZTNA cube. Caption: "ZTNA shuts down lateral movement."]

Believe it or not, your company’s security policies may be helping malicious actors carry out their nefarious deeds. That sounds counterintuitive, but when you look at some of the most famous hacks of recent years a key theme appears: security policies didn’t do enough to stop lateral movement.

Ensuring that employee login credentials are protected with multi-factor authentication is an important first step. Still, let’s imagine the unthinkable happens and those credentials plus the MFA tokens fall into the wrong hands. What happens next? If the mere thought of that nightmare scenario triggers feelings of anxiety, then it’s time to consider a Zero Trust Network Access (ZTNA) strategy.

The fact is that a hardware-based VPN along with basic access permissions just doesn’t get the job done these days, and it’s questionable whether it ever did. This classic approach is largely designed to stop threats at the perimeter. Once the baddies slip inside, however, it’s often game over.

A ZTNA solution doesn’t stop credential harvesting, but what it does do is implement several harm-reducing safeguards to combat lateral movement, including:

  • Identity-based access rules
  • Device posture checks
  • Context requirements such as time of day and location
  • Agentless access for third parties
  • Cloud and on-prem segmentation

We’ll get into the details of each of these in a moment, but first let’s take a look at what happens when companies don’t follow a Zero Trust strategy.

What Is Lateral Movement?

Lateral movement is a classic attack technique that starts small and builds up to something bigger. First, threat actors gain a foothold on the corporate network. This often happens by exploiting an unpatched internet-facing server, or through phishing: hackers send out an email encouraging the target to click a link to a phony login portal, and once the victim enters their credentials the hackers have that identity and use it to enter the network.

Even without Zero Trust methodologies, corporate networks have some restrictions on who can access what. Despite these safeguards, hackers are still able to perform reconnaissance on the network to find their next target, and the next, until they obtain administrative credentials. At that point it’s game over, and the threat actors can move on to data exfiltration, planting malware on servers or endpoints, and more.

Lateral Movement in the Real World

In 2014, we saw one of the most bizarre and effective infiltrations of a company network ever. Hackers believed to be based in North Korea infiltrated the Sony Pictures network. They obtained administrative passwords and ultimately took at least 200GB of data from Sony’s network, including:

  • Employee social security numbers
  • Employee salary information
  • Company email threads
  • At least one screenplay
  • Several unreleased movies

Another famous example is the Target data breach of 2013, where hackers obtained more than 40 million customer credit and debit card numbers, as well as personal details such as phone numbers and addresses for 70 million people. These devastating consequences happened only after threat actors compromised one of the retailer’s HVAC service vendors. The HVAC vendor’s credentials gave it overly permissive access to Target’s network, which handed the hackers a way in and led to a costly outcome for shoppers and the retailer alike. Target put the total cost of the breach at $202 million.

The more recent SolarWinds hack of 2020 is famous as a devastating supply-chain attack in which hackers trojanized a software update for the company’s Orion platform that was then distributed to high-profile customers such as Belkin, Cisco, FireEye, Intel, Microsoft, Nvidia, the U.S. Department of Homeland Security, and the U.S. Treasury Department.

To get to the point of a supply-chain attack, however, the hackers first carried out lateral movement through SolarWinds’ internal network, a reminder that some threats have consequences well beyond a single corporate perimeter.

Zero Trust: A New Beginning

Lateral movement is a big problem that traditional security policies just aren’t built to address. It’s difficult to discover, as the attacks above demonstrate, meaning hackers can remain undetected for months or even years.

Zero Trust is a far different approach that is much more effective at mitigating harm should the worst happen. The basic principle behind Zero Trust is to “never trust, always verify.” Zero Trust assumes that login credentials could already be in the hands of a threat actor and proceeds to mitigate harm from there. Let’s take a look at how this works.

Identity-based Access Rules

As with other approaches to security, you need basic credentials to get access to company resources: a username (usually an email address) and password, plus multi-factor authentication from a phone app, a USB security key, and so on. The big difference with a Zero Trust approach is that access permissions are far more fine-grained. Instead of a login granting reach into the whole network, administrators can segment at the application level, so a compromised account can reach only the applications its owner was explicitly allowed to use.

Device Posture Check

Verifying who you are isn’t enough. With a well-designed Zero Trust strategy, devices must also meet specific requirements for access. The idea here is to prevent unauthorized devices (like a hacker’s disposable laptop) from logging in, even when they present valid credentials and MFA.

Device Posture Check (DPC) can require, for example, that a user only access certain resources from a device running Windows 11 build 10.0.22621 and up, or macOS 12.5 and up. It can even go further and require that a specific antivirus is running, or that each computer has a custom security certificate installed. 

Context Requirements

ZTNA solutions can also restrict the hours during which company resources are available to employees. Years of financial documents, for example, might be accessible only from a company computer between 9 AM and 7 PM. Hackers looking to exfiltrate that data would then need control of an approved device, and even then they could not siphon off information at all hours of the night. Instead, everything would have to happen during business hours, which makes the task take longer and increases the chances of detection.

In addition to time of day, Perimeter 81’s ZTNA approach can set a location requirement, so that an attempt to access personnel files from an unapproved city or country is simply denied.

Perimeter 81’s ZTNA also re-checks at set intervals that all context and device requirements are still being met after the person has logged in to the network. If the system detects a change, access rights are revoked.
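To make the device posture and context checks above concrete, here is an added example (written for this article, not Perimeter 81’s code) of the decision a ZTNA gateway could make: it combines identity, device posture and context requirements into one policy evaluation, then re-runs that evaluation after login and revokes the session if anything has changed. The policy fields, version thresholds, approved countries and sample requests are constructed assumptions for illustration.

```python
# Added example (not Perimeter 81's code): a minimal ZTNA-style access decision
# combining identity, device posture and context, re-evaluated after login so a
# change in posture revokes the session. Policy fields, thresholds and sample
# requests are constructed for illustration only.
from dataclasses import dataclass
from datetime import time
from typing import Optional

def parse_version(v: str) -> tuple:
    """'10.0.22621' -> (10, 0, 22621): compare numerically, never as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Device:
    os: str                 # "windows" or "macos"
    os_version: str         # e.g. "10.0.22621" or "12.5"
    av_running: bool        # endpoint antivirus reported as running
    has_company_cert: bool  # company-issued client certificate present

@dataclass
class Request:
    user: str
    groups: set
    mfa_verified: bool
    device: Device
    local_time: time        # wall-clock time at the gateway (window within one day assumed)
    country: str            # country derived from the source address

@dataclass
class Policy:
    allowed_groups: set
    min_os_version: dict    # per-OS minimum version; an OS not listed is denied
    require_av: bool
    require_cert: bool
    hours: Optional[tuple]  # (start, end) as datetime.time, or None for any time
    allowed_countries: Optional[set]

def evaluate(req: Request, policy: Policy) -> list:
    """Return the failed checks; an empty list means allow. All checks run so
    the audit record shows the full posture rather than only the first failure."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa")
    if not (req.groups & policy.allowed_groups):
        reasons.append("group")
    min_v = policy.min_os_version.get(req.device.os)
    if min_v is None or parse_version(req.device.os_version) < parse_version(min_v):
        reasons.append("os_version")  # fail closed on an unknown OS
    if policy.require_av and not req.device.av_running:
        reasons.append("antivirus")
    if policy.require_cert and not req.device.has_company_cert:
        reasons.append("certificate")
    if policy.hours is not None:
        start, end = policy.hours
        if not (start <= req.local_time < end):
            reasons.append("time_of_day")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        reasons.append("location")
    return reasons

class Session:
    """An access grant that the gateway re-checks at a set interval after login."""
    def __init__(self, req: Request, policy: Policy):
        self.req, self.policy = req, policy
        self.active = evaluate(req, policy) == []

    def recheck(self) -> bool:
        # Any newly failing check revokes access. A revoked session is not
        # silently restored when the device recovers; the user must log in again.
        if self.active and evaluate(self.req, self.policy):
            self.active = False
        return self.active

# Constructed sample policy for a finance document store.
FINANCE_POLICY = Policy(
    allowed_groups={"finance"},
    min_os_version={"windows": "10.0.22621", "macos": "12.5"},
    require_av=True,
    require_cert=True,
    hours=(time(9, 0), time(19, 0)),
    allowed_countries={"US", "IL"},
)

def make_request(user, groups, os, os_version, av, cert, hour, country, mfa=True):
    """Build a constructed sample request; hour is the local hour at the gateway."""
    return Request(user, set(groups), mfa, Device(os, os_version, av, cert),
                   time(hour, 0), country)

def demo() -> list:
    """Login succeeds, then a periodic recheck catches the antivirus being stopped."""
    req = make_request("alice", ["finance"], "macos", "12.6.1", True, True, 10, "US")
    session = Session(req, FINANCE_POLICY)
    states = [("login", session.active)]
    req.device.av_running = False
    states.append(("av_stopped", session.recheck()))
    req.device.av_running = True
    states.append(("av_restarted", session.recheck()))
    return states
```

Two design choices matter for the lateral-movement argument. The evaluator runs every check and returns all failures, so a denial is logged with the full picture rather than the first reason found. And `Session.recheck` never restores a revoked grant on its own: once posture drifts, the person (or the attacker holding their credentials) has to authenticate again, which is exactly the friction that makes a slow, after-hours exfiltration easier to notice. A real gateway would also have to handle access windows that cross midnight, which this example assumes away.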

Agentless Access

Employees can access resources using the Perimeter 81 desktop agent, but what about third-party contractors who need access to one specific resource? That’s where agentless access comes in. This is a secured web portal, isolated from the public Internet, that gives contractors access to just the resources they need, such as remote desktop access or a specific cloud-based app. That way, if the third party is ever compromised, the hackers will only see into whatever app that third party had access to, and not your entire network.

Cloud and On-Prem Segmentation

ZTNA is also cloud native and built to defend on-prem network resources as well as cloud services. That means you can apply the same restrictions to cloud resources that you apply to company networks.

The Zero-sum of ZTNA

ZTNA is not a solution for all of a company’s cybersecurity issues, but what it can do is keep threat actors from moving easily within a network, and in many cases prevent them outright from obtaining anything of significant value.

Book a demo with Perimeter 81 today to see ZTNA in action.