Implementing Zero Trust

6 min | Neil Khatod | Article | General | Information technology sector


The topic of zero trust permeates any modern discussion of cyber security, but what does it really mean? Is it an architecture that requires an all-or-nothing approach? Is it a product or suite of products that vendors want us to buy? Or is it a fundamental mindset?

At Hays we treat zero trust as an operational approach to cyber security. It starts from the premise that you can't protect everything, so you should ruthlessly prioritize the defenses and control measures that make a difference. This view is very different from that of many organizations that are stuck at the identity pillar, which, although critical, will not by itself protect networks in either the short or the long term.

To frame the approach there are four foundational documents: Lockheed Martin's Cyber Kill Chain, the DoD's Diamond Model of Intrusion Analysis, the MITRE ATT&CK matrix, and CISA's Zero Trust Maturity Model 2.0 (see sources at the end of the article).

Do the immediate while building to the future: stop waiting for the ZTA Big Bang

The Lockheed Martin Kill Chain paper, published a decade ago, really helped planners rethink their strategy. The fundamental paradigm shift is to understand your adversary's attack method and break the chain of events necessary to exploit the victim: reconnaissance/initial access, lateral movement/privilege escalation, and exploitation/data exfiltration. If defenders understand the adversary, their techniques, and their own network topology, they can break the chain even after a breach occurs.

This is a good high-level start, but it lacks the specificity needed to understand how to implement it. This is where the Diamond Model and MITRE ATT&CK come into play. The Diamond Model does a good job of building a better understanding of an adversary's process so that cyber threat intelligence can improve operations, increasing proactive measures and reducing the time spent reacting to recent malware signatures.

The model helps cyber threat analysts gain a deeper understanding of the adversaries who pose the greatest risk. By aligning the target sectors to the infrastructure and capability the threat poses, we can observe activities, take proactive measures, and prioritize defensive techniques to counter the trends.

The detailed cyber threat analysis must be focused on the adversaries who have a propensity for the company's stated business sector or have skills that have been leveraged against specific technologies in use. Only with this understanding can the threat picture be of value to the security operations team, and often this is where integration fails.

Although the Diamond Model gives a good methodology for intelligence collection and operational integration, it still lacks the specificity that could turn into the breadcrumbs to follow adversary action. To gain that level of specificity, it is wise to turn to the MITRE ATT&CK model. This model does a very good job of breaking down a cyber adversary's stages into techniques and sub-techniques that are more readily applied to specific technologies as well as to adversary capabilities. By looking at the company's infrastructure and mapping it to the most likely adversary capability, a company is more likely to be able to prioritize those controls that yield the largest improvement in security.

This is the heart of how Hays builds its recommendations. At the end of the day, the recommendations attempt to answer: Is the strategy concrete enough for people to follow? Is the strategy implementable? How is the company doing on implementation? What are the impediments? Where are the biggest short-term gains while the long-term solutions are being developed? What emerging tech can help me skip a generation of problems? And finally, "If I only have five dollars to spend on security, where do I get the biggest improvement?"
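One way to make the prioritization described above concrete, as an added example that is not part of the Hays article: weight ATT&CK techniques by the adversaries relevant to the company's sector, map candidate controls to the techniques they mitigate, and pick controls greedily by coverage per unit cost until the budget (the "five dollars") runs out. The adversary profiles, control catalogue, costs and mitigation mappings are all constructed for illustration; only the technique IDs are real ATT&CK IDs.

```python
# Added example (not from the Hays article): greedy, budget-constrained
# prioritization of defensive controls by weighted ATT&CK technique coverage.
# Adversary profiles, controls, costs and mitigation mappings are constructed;
# the technique IDs are real ATT&CK IDs but the mappings are hypothetical.

# Constructed threat profile: adversary -> (sector relevance weight, techniques used)
ADVERSARIES = {
    "sector-focused group A":  (3, {"T1566", "T1078", "T1021", "T1041"}),
    "commodity ransomware B":  (2, {"T1566", "T1059", "T1486", "T1021"}),
    "opportunistic scanner C": (1, {"T1190", "T1068", "T1041"}),
}

# Constructed control catalogue: control -> (cost, techniques it mitigates)
CONTROLS = {
    "phishing-resistant MFA":      (2, {"T1078", "T1566"}),
    "mail filtering + sandboxing": (1, {"T1566"}),
    "network segmentation":        (3, {"T1021", "T1041"}),
    "external patching SLA":       (1, {"T1190", "T1068"}),
    "EDR with script logging":     (2, {"T1059", "T1486"}),
    "egress filtering":            (1, {"T1041"}),
}


def technique_weights(adversaries):
    """Sum the relevance weight of every adversary that uses each technique."""
    weights = {}
    for weight, techniques in adversaries.values():
        for technique in techniques:
            weights[technique] = weights.get(technique, 0) + weight
    return weights


def prioritize(budget, adversaries=ADVERSARIES, controls=CONTROLS):
    """Greedy weighted set cover: repeatedly choose the affordable control with
    the highest (weight of still-uncovered techniques) / cost ratio.
    Returns (chosen controls in order, covered techniques, total spent)."""
    weights = technique_weights(adversaries)
    covered, chosen, spent = set(), [], 0
    while True:
        best, best_gain = None, 0.0
        for name, (cost, techniques) in controls.items():
            if name in chosen or spent + cost > budget:
                continue
            gain = sum(weights.get(t, 0) for t in techniques - covered) / cost
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:  # nothing affordable adds coverage
            return chosen, covered, spent
        chosen.append(best)
        spent += controls[best][0]
        covered |= controls[best][1]
```

Techniques left uncovered after the run (here T1078 and T1021) are the gaps to carry into the long-term plan.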

We look forward to working with you on your security goals as you plan and implement your follow-on strategies—visit Hays Cyber Solutions and protect your future today!

Sources:

1. Fitch, Scott C. & Mackin, Michael. (2013) Lockheed Martin's Cyber Kill Chain. Cyber Kill Chain® | Lockheed Martin

2. Caltagirone, Sergio; Pendergrast, Andrew & Betz, Christopher. (2013) The Diamond Model of Intrusion Analysis. https://apps.dtic.mil/sti/pdfs/ADA586960.pdf

3. Williams, Jamie & Weiss, Daniel. (2019) MITRE. Threat-Based Purple Teaming with ATT&CK. https://www.x33fcon.com/slides/x33fcon19_ThreatbasedPurpleTeamming_JamieDaniel.pdf

4. Zero Trust Maturity Model V2.0. (2023). CISA. https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf


About this author

Neil Khatod
Head of Cyber Security Americas

Neil is a retired Army officer with over 29 years of experience as a COO and CEO in cyber operations, international relations, leadership development and strategy creation. Neil leads the CISO Advisory Solutions, which includes helping organizations protect their digital assets effectively to mitigate the damaging financial, reputational and operational impacts that can result from cyber attacks.
